WordPress Security 101 – Protect Your Blog from Evil Hackers
I am going to be honest with you. It’s not hard to hack a WordPress site if the owner doesn’t do his/her due diligence. Once a WordPress Hack has been identified it’s only a matter of time before the script kiddies try to compromise your site.
I bring this up because of a discussion I had recently with a blog owner about why he is receiving A LOT of traffic from Russia.
After speaking with other blog owners and so-called experts he decided to just ignore it. I pointed out there is a chance that a vulnerability has been identified on his site and wannabe hackers are trying to exploit it.
I did not hear back from him. He must think I am crazy.
I Am Not Crazy
Statistics show that a large number of “hackers” come from the eastern part of the world. Russia, China, India, Korea…you get the idea.
I am not ignorant of the fact that the US has a large number of hackers as well. Generally speaking, though, if you are a US-based website you should expect to receive most of your traffic from the US.
When I first began using WordPress many years ago I launched a website that just reposted content from an RSS feed. Ironically the site was called HackersDelite. It just shared content from other resources around the internet. The content was exclusively about Information Security.
That site was the first time a website that I owned or managed was hacked. It was also the last time.
I really did not do anything to manage it. It was basically on autopilot with the sole purpose of making money off of ads. I seldom updated WordPress, the plugins or the theme. This was the way in for a hacker.
Not All Hackers Are Equal
You probably noticed I placed quotations around Hacker a few times. I also referred to hackers as wannabes and script kiddies. That’s because most of the people who are hacking WordPress sites do not represent the hacking community.
The true definition of a hacker is someone who takes things apart to learn how they work and then puts them back together again. Somewhere along the way, the word Hacker developed a negative connotation.
There are 3 types of hackers generally speaking. I talk about this here.
Prevention and Education Are Your Best Defense
There are websites dedicated to listing vulnerabilities on nearly every platform that exists. If a “Hacker” were to learn about a WordPress vulnerability and then do a simple Google search they would find possibly hundreds or thousands of sites with said vulnerability. It will partially depend on how new the vulnerability is.
You can do the same thing. I do understand that this would require a lot of time, research, learning and more research on your part. I’ll just give you a few pointers on how to avoid having your WordPress site hacked.
6 Tips to Secure Your WordPress Blog/Website
1. Updates: I know updating your site can be scary. I mentioned above that I have only been hacked once in all my years of web work (over 20 years). In that same time span, I have had sites get destroyed by updates more times than I can remember.
Using a WordPress backup plugin and ensuring you have a new backup before doing updates will help alleviate some of that stress.
Whenever there is an update available to the WordPress core files, plugins or your theme, install it. Many times updates are provided because of an identified vulnerability.
2. Get Rid Of It: If you have a plugin or a theme not being used, get rid of it. Remove it from your site. If you’re not using it then it probably is not being updated. If it’s not being updated then it is by definition vulnerable.
Uninstall any plugins that are not active. Also get rid of any plugins that have not been updated by the developer in a long time.
One note here. I always keep the default WordPress theme just in case the theme I am using breaks.
3. Wordfence: Wordfence helps protect your site. There is a free version and a paid version. Among other things, Wordfence blocks known spam IP addresses and alerts you if your WordPress site has been logged into. They also have an email subscription. This newsletter is full of great tips for securing your site as well as the latest threats.
4. TFA: TFA is short for Two Factor Authentication. Sometimes this is referred to as MFA or Multifactor Authentication. What that means is you need a second item to log in to your website.
For all of my sites, I use miniOrange and Google Authenticator. This works with a time-based token that's only good for 30 seconds. To log in to my site I use my username, password, and the code that Google Authenticator gives me. You can set Google Authenticator up on your smartphone.
5. Complex Passwords: I used to use a password that was a combination of my wife’s nickname (that only close family and friends knew), a few random numbers and a special character. I recently discovered that this password is on a list of passwords somewhere on the internet.
All of my passwords are complex now: letters (upper and lower case), numbers and special characters. They are generated by LastPass and stored in LastPass. I do not know any of my passwords. Sounds scary but it really isn’t that bad.
6. Spend $50: Everyone wants everything free. Spend $50 and purchase the theme you want. So many people use WordPress themes that have been modified by a hacker just to save a few dollars. In the long run, it will cost you a lot more.
Today lots of sites on the internet have been compromised and are being used to mine bitcoin. Most of those sites have been compromised by someone using a theme that was downloaded from a not-so-credible source just to avoid spending $50.
If Google identifies that your site is compromised they will deindex it if it is not corrected immediately. No one will ever see your website.