WordPress security is an extensive topic and, just like with any good CMS platform, there is a lot to cover. You would think that a platform this popular, with over 24,000 individual plugins that could open the door to hackers, would have thousands of exploits and be highly unsafe, but the truth is the opposite. Due to its high popularity and the amount of work developers put into making WordPress better with each version, WordPress turns out to be a safe platform at the end of the day. So, as hackers work hard on finding exploits they can use, developers and security experts stay one step ahead by better understanding the risks and immediately coming up with solutions for them.
A lot of things can be done to keep your WordPress site safe and we have already written an article about the multitude of steps you can take to harden your security, but there are still more methods you should know about. To better understand why you should protect your site, it’s best to know what your security would be up against and why. We will give a bit of background on a few tips we have written about in our previous article, uncovering exactly what kind of attacks and harmful activity they prevent and what kind of vulnerabilities they provide solutions for. It’s good to know what a hacker might get from hacking your WordPress site and how to fend him off, right? We will also be giving some tips and guides on how you can harden your WordPress security even more.
Why Do Hackers Want to Hack WordPress Websites?
Why would a guy spend his time hacking your website? What would he get from it? As might already be obvious, contact information, credit card numbers and any other information that has to do with money is of great value, but why would anyone hack a simple blog? The reasons can vary:
Information Theft – Like I said, personal information is of value and if a hacker finds the right kind of information, he has hit the jackpot. Information such as passwords, banking information, credit card information, key codes, PIN numbers or even your visitors’ information could all be reached through access to your WordPress site. Guarding your visitors and yourself is probably the most urgent thing to keep in check.
Installing Malware – Malware is software that can be planted on a website, on a computer or on an entire network, and it pretty much does the work for hackers. It can download viruses or cause frequent crashes, steal information and much more. Malware can accomplish a lot of tasks for hackers without revealing them as the source.
Spamming – Your site could also be used to send spam email to your users, or almost anyone for that matter, with you taking the blame. If you have lost a lot of your traffic in a short amount of time, then it’s good to look into whether you have been hacked or not. Hackers can throw out a lot of trash to your audience and do a lot of bad things just by spamming, so it’s good to have your site’s safety beefed up at all times.
SEO Backlinking – If someone has full access to your website, he can use it to insert backlinks to other pages and make another site’s SEO better. They can obviously put in a lot of stuff once they are there, like links that lead to products, viruses and links you are probably better off not clicking. If your site has a good reputation and quality traffic, then they can give it a serious punch by wreaking havoc on your site.
These are a few basic reasons for hacking that can provide the values we mentioned. Sometimes hackers just aim to make a site unavailable or destroy it, or there could be any number of personal reasons for doing so.
What might be more surprising is that they can actually use your site to access other websites. Let’s say your website is stored with a good hosting company and a hacker gains access to it. If they go undetected, they can use that access to jump to websites on the same server. Thankfully, hosting companies put a lot of effort into keeping their users’ content safe, but it all depends on the hacker’s skills. There are two types of hacks:
Targeted and Non-Targeted Attacks
These two are the primary types of attacks that hackers launch against WordPress websites.
Non-Targeted attacks are basically automated programs that work for a hacker. Programs like this have certain parameters given to them and they scan IP addresses for various exploits. By scanning, they collect as much information as they can, like which version of WordPress you are using. Some versions have known vulnerabilities that they are seeking to exploit. There are some specific steps you can take to prevent this from happening, like removing the version number from your site. We’ll cover the best things you can do to block attacks like this.
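WordPress prints its version in a generator meta tag, and core scripts and styles carry a ver= query string. The following added example (not part of the original article) checks a saved copy of one of your own pages for both, so you can confirm the version number is really gone after you remove it; the sample pages, the version 9.9.9 and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

class VersionLeakFinder(HTMLParser):
    """Collects the places where rendered HTML discloses a version string."""

    def __init__(self):
        super().__init__()
        self.leaks = []  # list of (kind, version) tuples

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        # <meta name="generator" content="WordPress X.Y.Z"> names the version outright.
        if tag == "meta" and a.get("name", "").lower() == "generator":
            m = re.match(r"WordPress\s+([\d.]+)", a.get("content", ""))
            if m:
                self.leaks.append(("generator", m.group(1)))
        # Core scripts and styles carry ?ver=..., which can equal the core version.
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else ""
        m = re.search(r"/wp-includes/[^?]*\?(?:.*&)?ver=([\d.]+)", url or "")
        if m:
            self.leaks.append(("asset-ver", m.group(1)))

def find_version_leaks(html):
    """Return every version disclosure found in one page of HTML."""
    finder = VersionLeakFinder()
    finder.feed(html)
    return finder.leaks

# Constructed sample pages; 9.9.9 is a made-up version number.
PAGE_BEFORE = """<html><head>
<meta name="generator" content="WordPress 9.9.9" />
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css?ver=9.9.9" />
</head><body></body></html>"""

PAGE_AFTER = """<html><head>
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css" />
</head><body></body></html>"""

if __name__ == "__main__":
    for name, page in (("before", PAGE_BEFORE), ("after", PAGE_AFTER)):
        print(name, find_version_leaks(page))
```

An empty list means neither disclosure was found in that page; bundled libraries sometimes carry their own ver= value, so treat an asset-ver hit as something to look at rather than proof.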
Targeted attacks are personal in nature, because it is a hacker’s conscious decision to hack your website with a specific purpose in mind. If it happens, you’ll probably have little idea why it is happening. The only thing you have to concern yourself with is to minimize the damage and prevent it from ever happening again. The more popular a site gets, the more reason a hacker has to target it. It’s like a law of nature. There is not much you can do to prevent a storm like this from happening; what you can do is harden up your security.
What to Do When Your WordPress Site Gets Hacked
No matter what platform you are running your website on, it can be hacked! Any site can! If it does get hacked, you can lose your search engine ranking, contaminate your visitors with viruses and lose your website data and credibility. A hacked site can be used to redirect users to porn sites and various other crappy places that are just plain bad for business. A hack can basically smash your reputation pretty hard.
If you are running your business with the help of a website, then your top-priority investment should be good security. The first good investment is a WordPress hosting service with managed hosting that basically does most of the work for you. A good backup solution like BackupBuddy is also a must-have and a firewall is also a great precaution. So what can you do if your site does get hacked?
Ask for Professional Help
Security is always a prominent matter and if you don’t know much about coding and servers, your best bet is to have a professional working on it. Hackers put their scripts in many locations so they can keep coming back after you get rid of them. A professional can put all those scripts to rest and make sure that you have a good night’s sleep.
Sucuri is a good option to take because they only charge $199 a year and they guarantee to fix and clean your site if need be. This might look like a promotion for Sucuri but it really is just a recommendation based on our positive experience.
How to Fix Your Website?
Let’s see how to go about fixing your site if it is hacked!
1. Identify What You Can Do About the Hack
Take a deep breath and try to stay as calm as you can. Grab a pen and paper and make notes about what you can identify.
You can use a checklist like this:
- Are you able to log into the WordPress admin area?
- Does your website contain new links?
- Did Google mark your site as insecure?
- Is your website redirecting to some other website?
A list like this can help you organize things with your hosting company, or even just for yourself, by letting you take a more direct approach as you fix your website.
2. Contact Your WordPress Hosting Company
A good WordPress hosting company has many experts on its team who handle situations like this every day. They offer a great amount of support and they know their own hosting environment best. So your first step should be contacting them and following their instructions.
A hack can be on a much larger scale, and in that case they already know about it and can share the information with you. In the best-case scenario, they will find a solution for you.
3. Restore From Your Backup
If you took some basic precautions then you probably have your backup in place. In that case you can restore your site from a point where it wasn’t hacked and you’re home free. But in the case of a blog that provides daily content and takes in frequent comments, you have to think about the pros and cons.
4. Scan for Malware and Remove It
Take a good look at your WordPress website and remove any inactive themes and plugins, because they provide a backdoor for hackers. A hacker can bypass the normal authentication process and gain access to your site over and over again, thanks to the backdoor they uploaded previously, even after you removed the exploited plugin.
When this is done, do a scan of your site with the Sucuri WordPress Auditing plugin, which will scan the integrity of your WordPress files and can sniff out where a hack might be hiding. Scan your themes too with the Theme Authenticity Checker plugin. These are both free and you can download them as you go along.
Scan all of your files and plugins and when you come across a contaminated one, delete it and download an original version. Repeat this process until your site is hack free!
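To show what an integrity check of this kind does, here is an added example (not from the original article and not the code of either plugin) that compares an installed plugin or theme folder against a freshly downloaded original copy and lists files that were changed, added or removed. The function names and the small demo trees are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}

def compare_to_original(installed_dir, original_dir):
    """Report how the installed copy differs from the known-good original."""
    installed, original = manifest(installed_dir), manifest(original_dir)
    return {
        "modified": sorted(f for f in installed
                           if f in original and installed[f] != original[f]),
        "unexpected": sorted(f for f in installed if f not in original),
        "missing": sorted(f for f in original if f not in installed),
    }

def demo():
    """Build two small constructed trees in a temp dir and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "original"), Path(tmp, "installed")
        for root in (clean, live):
            (root / "inc").mkdir(parents=True)
            (root / "plugin.php").write_text("<?php // plugin main file\n")
            (root / "inc" / "helpers.php").write_text("<?php // helpers\n")
            (root / "readme.txt").write_text("Sample plugin\n")
        # Constructed tampering: one file changed, one added, one removed.
        (live / "inc" / "helpers.php").write_text("<?php // helpers, altered\n")
        (live / "inc" / "cache.php").write_text("<?php // not in the original\n")
        (live / "readme.txt").unlink()
        return compare_to_original(live, clean)

if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Run it on one plugin, theme or core folder at a time, against the same version you have installed; folders that hold your own content, such as uploads, have no original to compare against and need to be reviewed by hand.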
5. Change Passwords!
You have to update all of your passwords: the passwords for your FTP, cPanel, WordPress Admin Area and MySQL, and for any other place that has a password and has something to do with your website, like your email for example.
Change all of your passwords to something much stronger. If you have a hard time remembering them, use a password manager to help you out with your task.
6. Watch Out For Users and Permissions
Double-check that your user list contains only the profiles you previously allowed and that no one has access to the site but you and your team.
When you are done with handling the crisis, it is time to beef up your security as much as you can. The task of providing good security for your WordPress site might sound terrifying at first glance, but trust me, you don’t have to be a coding whiz to do it. If you can click then you can follow the tips that we provide. We provide detailed tips for building good security in our article called Improve Your WordPress Sites Security With These Tips. You can make your WordPress website 99% safe!
This article gave a bit of insight into how hacks work and what dangers they pose to you, your website and its visitors. Hacking can be gruesome and everyone should do their best to protect themselves from it. We hope that this information helped you gain a better understanding of WordPress website safety issues and that you have got some practical knowledge that you can put to use or already have put to good use. These tips can help you get your website back on its feet as quickly as possible and help you through a rainy day.
We have an article that covers how you can improve your security and prevent almost all of the problems we have mentioned above. So keep on reading and keep getting better at WordPress. It has been fun sharing this information with you and I hope to see you in our next article!