WordPress is the most popular Content Management System on the internet, with 33.7% of websites making use of WordPress. With that popularity comes the price of being an easy target for hackers who can exploit vulnerabilities for their own ends. Often victims of hacking will ask “Why my site? I’ve got a small personal blog? What do they gain from it?” Today we’re looking at why sites are targeted and why your security is important.

Why hack at all?

Broadly, people who maliciously hack websites have one of two motivations: reputation or exploitation.

Those who hack for reputation will hack a website just to see if they can. The intention can be just as a joke, by adding code or text that changes the website so that they can show off to their hacker friends. They can also have political intentions, by hacking a site to spread awareness of a specific cause or to deface a website that they’re opposed to.

These types of hacks are usually more annoying than damaging, with little after effects. They are also easily resolved by restoring a backup and then making sure the site is secure.

Those who hack for exploitation are far more damaging, as their aims are usually to make money using your resources. They can add scripts that send thousands of spam mails per minute from your website, or modify your website to look identical to a bank’s online portal to trick people into entering their details (also known as “phishing“). They can install scripts that use the server resources to mine cryptocurrency for them, or to use the server to attack other websites and make them inaccessible. Or if you have an online store, they can try to access your clients’ details to steal money directly from them.

Even when you have detected and removed these hacks, the consequences for you and all the other websites on the same server can have knock-on effects for months afterwards. Not only is your site’s reputation tarnished, you can also be placed on a blacklist. These blacklists can vary, from a warning in search engine results that states your site is malicious to the worst case scenario of your site traffic not being accessible at all due to Internet Service Providers blocking your server’s IP address. Getting removed from these blacklists is a time-consuming procedure that requires documentation and proof that the site has been secured.

The best offence is a good defence.

To prevent your site from being hacked requires that you are diligent with how you design your site and how you maintain it. Here are a few steps you can take that will prevent 99% of all hacking attempts.

Always make sure that your site infrastructure is up to date.

Make sure the your WordPress installation is making use of the newest version available, as well as making sure your themes and plugins are updated regularly. Diligent plugin and theme authors will make sure to patch any vulnerabilities in their product as soon as they are made aware of them. Part of that procedure is to document the vulnerabilities, so if the information on how to exploit the software is out there, a hacker can use it to gain access to your site. If a plugin or theme you are using has not been updated in years, it has likely been abandoned by its author. It’s in your best interests that you find a newer option that fulfils the same function.

We cannot stress enough how important it is that your WordPress core, themes and plugins are updated regularly, as outdated plugins are how most hacks are accomplished.

Make use of Two-Factor Authentication whenever you deal with sensitive information.

Making use of a Two-Factor Authentication program like Google Authenticator will make it impossible to log into your WordPress dashboard without having access to your phone as well. This means that it will be difficult for hackers to log into your site even if your password has been compromised.

Change up your Administrator Username

Many WordPress users make use of “Admin” as their username for the purposes of logging in. Hackers know this, which means that they have half of your username/password combination. Making the username anything else automatically makes it 50% harder to automate attacks against your site.

Change your passwords

If you use the same password for every service, it’s very likely that it’s been compromised somewhere. Always use unique passwords for any login that you want to keep secure. If you have given your password to anyone else, make sure that it’s been changed once they no longer need access to it. And if you even have a slight doubt your password has been compromised, change it. If you can’t think of a password, make use of a generator and store the password with a password manager.

Long passwords are better than short ones

Using a short password with numbers and letters is very easy for computers to guess. Let’s just look at the math. Using only numbers and letters, you have 36 characters to choose from. A password with six characters of numbers and letters has a total of 2,176,782,336 (just over two billion) potential combinations. Adding another character increases to 78,364,164,096 (a little over seventy-eight billion) possible combinations. Now, if you use a good standard of sixteen characters, a computer would need to guess up to 7,958,661,109,946,400,884,391,936 combinations! That’s over seven septillion!

Make use of SSL

SSL certificates encrypt the data between your computer and the website you’re browsing, making it near-impossible for anyone to intercept your data. This provides your clients with the peace of mind that your site has not been tampered with and that sensitive information is not leaked to those with malicious intent. We urge you to take advantage of your free SSL certificate, doing so will ensure that all data transmissions between your web browser and your site on the Mshini server will be encrypted and hidden from prying eyes.

Make use of CAPTCHA

Making use of CAPTCHA will ensure that automated systems cannot brute-force their way into your site. While this will not stop a human from actively hacking your site, it will deflect bots who are able to guess thousands of passwords in minutes.

Never log into your site from an unsecured device

You can do all of the above and still have your site hacked should you log into it via a public computer. Hackers will often have key-loggers installed on public devices that will report any input you type, or have back-doors installed that they can use to access the device remotely. Treat any device like you would a kitchen utensil, if you don’t know where it’s been, don’t risk using it for anything you want uncontaminated.

Make use of Malware and Vulnerability scans

No one can be reasonably expected to recognise vulnerabilities in their code just by looking at it. That’s why there are many services online specifically to probe your site and report any weaknesses so that you are able to address them. Websites such as Hacker Target or Sucuri offer free versions of their main product that will give you an idea of obviously vulnerable areas. If you are using your website for any sensitive information, going with a paid option will be much more important.

Use a trusted security plugin

A trusted security plugin, like WordFence, will check that your site applies most of the points mentioned in this article. These plugins will also usually include a checklist of various areas you can improve on your site, as well as mechanisms to assist in fixing any problems it detects.

Security is important for any website

No matter the size of your website, no matter its function, you need to make sure that you protect your site from hackers. Not only will you be saving yourself the grief of having to redo your work, you will also be helping make the internet a safer place. The same way you wouldn’t leave your front door open when you leave the house, don’t leave your website unprotected when you log off.

If you have any questions or concerns, please reach out to us. We’re always happy to talk WordPress with you!