More than 100,000 websites are hacked every day according to Internet Live stats. That’s why WordPress security should be your top priority.
It’s not clear exactly how many of those sites are WordPress websites, but after reading the latest hacked website trends report by Sucuri Security, I suspect WordPress accounts for the vast majority of them because …
According to the report, 94% of all hacked sites that Sucuri investigated and fixed in 2019 were WordPress websites – up from 90% in 2018.
WordPress is clearly an EASY target for hackers.
Not because WordPress is less secure than other content management systems (CRM) like Joomla, Squarespace, and Wix.
But because WordPress is the most popular CRM used by over 38% of website owners worldwide, which is hundreds of millions of websites btw.
It’s a numbers game.
There’s simply a lot more websites powered by WordPress than any other CRM, giving hackers more opportunities to exploit it.
But that’s not WHY WordPress sites get hacked!
After starting a WordPress blog, due to a lack of knowledge, or time, maybe even both, many people don’t take the necessary action steps to secure their website.
Whatever the reason is, I’m guessing that you’ve invested a lot of time and worked damn hard on your WordPress blog, right?
So don’t let some dirty little hacker destroy all your hard work! Follow the steps in this WordPress security guide to keep hackers out of YOUR WordPress website.
In This Guide
- Why WordPress security is important
- Why your WordPress website is no exception
- How WordPress sites get hacked
- How to secure your WordPress website
- What to do if your site is hacked
Ready? Let’s get started.
Here at The Blog Mechanic, I help non-techie bloggers secure their WordPress website, and more. I can help you too. See my website care plans.
Why WordPress Security is Important
How would you feel if you woke up tomorrow, went to your website, and saw something like this …
At first you’d likely want to cry, right? All your content gone forever.
Then you’d feel angry and frustrated, of course you would. That’s to be expected.
But how would you feel if the hacker:
- Stole your credit card information
- Infected all your website visitors
- Redirected all your traffic to porn and scam websites
- Hijacked your domain name
- Sold your information to unethical marketers
Being hacked can cause serious damage to your business reputation and revenue if you don’t take the time to secure your website.
Why Your WordPress Website is No Exception
My website is new. I’m not getting much traffic or making money online yet. Hackers won’t be interested in my site.
Don’t make the mistake of thinking that there’s no motive for a hacker to target your WordPress website.
Not all hackers hack websites for monetary gain. Some do it just because they can. They do it because they’re bored and think it’s fun.
Even if your WordPress website is just a few months or even weeks old with zero traffic and zero income, given the opportunity, hackers will target you.
I’ve had this same conversation with many people over the years. Unfortunately, some take it with a pinch of salt until it’s too late – they’ve already been hacked.
How WordPress Sites Get Hacked
Hackers don’t review every site they target manually.
They write scripts that scan the web and analyze hundreds of thousands of websites automatically looking for open doors they can exploit.
Including but not limited to:
- Insecure web hosting
- Weak login credentials
- Plugin and theme vulnerabilities
- WordPress vulnerabilities
Sucuri Security report that the lead cause of infection stems from outdated component vulnerabilities.
In other words, each year, roughly 60% of WordPress websites are hacked because site owners fail to keep WordPress, Plugins, and themes updated.
How to Secure Your WordPress Website
Now that you know why and how WordPress websites are hacked. And that your site is no exception, even if it’s a new site with little or no traffic and income …
Here are 10 things you can (and should!) do today, and continue doing on a regular basis, to secure your WordPress website.
1. Backup Your Website
Although backups don’t play a direct role in protecting a site from hackers, in the event of a hack, restoring a backup is often the quickest and easiest way to fix infected files.
You should backup your site daily and store it safely in the cloud. Somewhere like Dropbox or Amazon s3 – not on your website server.
If you store backups on your website server and the server is hacked, the backup files are useless to you. The hacker will likely infect those too.
You can use a WordPress plugin to schedule automated daily off-site backups. I recommend Updraft Plus.
2. Update WordPress, Plugins, and Themes
As I explained a few moments ago, roughly 60% of hacked websites are hacked because site owners fail to update WordPress, plugins, and themes.
So. By keeping your website updated you are 60% less likely to be hacked.
But don’t just login to WordPress and start randomly clicking update buttons. If you do that, there’s a possibility your site will break.
You should always test updates first on a staging area which is an exact copy of your WordPress website, on a subdomain name, on your web hosting account.
You can use a plugin to create the staging site with one-click and push successful updates from staging to production. The plugin I recommend is WP Staging.
Or, if you want a more hands-on approach, you can create the staging site manually. Test the updates. Then manually apply them to your production site.
Note: you should create a new staging area everytime you test updates, or website changes, to make sure the staging site is still an exact copy of the procution site.
3. Install a Security Plugin
After backing up your site and updating everything, you should install a security plugin. I recommend Wordfence.
Wordfence is the best security plugin and it’s free and easy to use. There is a free and paid version, but in my experience, the free version is all you need.
Wordfence is a powerful plugin that includes:
- A firewall to identity and block malicious traffic
- A scanner to monitor your site for malware and vulnerabilities
- Protection from brute force attacks by limiting login attempts
- Two-factor authentication, login CAPTCHA, and more
If Wordfence detects any issues, it will alert you via email immediately. That way you can deal with the issue promptly to keep your site keep.
4. Install an SSL Certificate
If you haven’t done so already, you should install an SSL certificate on your web hosting server. Once activated, your domain name will start with HTTPS instead of HTTP.
Then, the data that’s transferred between your website and the users browser is protected behind an encrypted connection so hackers cannot steal it.
There will also be a padlock sign before your website URL in the browser letting website visitors know that your site is secure and safe to use.
Most web hosting companies now offer a free SSL certificate to all their customers. If yours doesn’t, contact support to purchase one.
5. Use the Latest Version of PHP
Just like WordPress core, plugins, and themes, outdated PHP versions have known security issues that hackers can find and exploit.
The latest version of PHP is currently 7.4 but versions 7.2 and 7.3 are still stable.
If your server is running on PHP 7.1 or below your website is at risk and PHP should be upgraded immediately – those versions are no longer secure.
Don’t know which PHP version you are using?
Login to your WordPress site and go to Tools >> Site Health >> Info. Then, scroll down to the Server section and click it.
6. Delete Inactive & Abandoned Plugins and Themes
Every plugin and every theme installed on your WordPress website is an opportunity for hackers to find a way in, even if they are deactivated.
And sometimes developers abandon free plugins and themes which means they stop updating them to fix known bugs and security vulnerabilities that hackers can exploit.
That’s why you should:
- Only install plugins that you absolutely need
- Delete all inactive plugins from your site
- Delete inactive themes (all except one default theme!)
- Replace abandoned plugins with alternatives
The Wordfence Security plugin will let you know when a plugin or theme has been abandoned. You should replace it as soon as you are notified.
And if you’re not in the habit of deleting plugins and themes immediately after deactivating them, make it a habit starting today.
7. Use Strong Usernames and Passwords
In an attempt to access your site during a brute force attack, hackers try to guess your WordPress username and password.
The first username they try is admin because that’s the default WordPress username and not everyone changes it. If your username is admin, use this plugin to change it.
For the password, I think you’ll be surprised to learn that there are lists of breached passwords available to hackers online like this one.
If your password is on one of those lists, you are guaranteed to get hacked, it’s just a matter of time. And if your username is weak, it’ll be sooner than you might think.
8. Enable Two Factor Authentication
Although using a secure username and password makes it significantly harder for hackers to guess your login credentials, that doesn’t mean it will never happen.
No website is 100% secure. There is always a risk.
But you can be prepared for that by adding two-factor authentication to your website.
So, even if some dirty little hacker does discover your username and password …
They will have to authenticate the login using a separate device, like your mobile phone, which they don’t have access to.
You can add two factor authentication using the Wordfence plugin.
9. Lockdown WordPress Admin
Anyone familiar with WordPress knows that the login URL is your domain name followed by forward slash ‘wp-admin’.
To make brute force attacks harder for hackers, you should change the login URL using a plugin like WPS Hide Login.
You should also limit login attempts. There are lots of plugins you can use for this, but Wordfence security does it for you, so I won’t list them here.
If someone attempts to login 20 times with the wrong username and password during a 5 minute period, they are automatically locked out from login.
10. Disable File Editing
If a hacker does somehow manage to gain access to your site, they can easily add malicious code to plugin and theme files right from your WordPress admin area.
To prevent this from happening, you should disable the file editing feature by adding the code below to your wp-config.php file.
// Disable file editor define( 'DISALLOW_FILE_EDIT', true );
Although I don’t recommend it unless you 100% know what you’re doing, you’ll still be able to edit files on your site using FTP software like FileZilla.
What to Do if Your Website is Hacked
Scanning your website for malware on a daily basis allows you to know exactly when your site was hacked.
So. If for example you are notified by Wordfence or any other security plugin that malware was found on your site on a Tuesay morning …
And you backup your site every day as recommended in this website security guide, in most cases, restoring Sunday or Mondays backup will fix infected files.
After restoring the site, scan it for malware immediately. If it’s clean, great. All that’s left to do is audit and tighten your website security so it doesn’t get hacked again.
After starting a blog, many people don’t realize just how important it is to backup and secure their website until they’ve already been hacked.
I think that’s mostly because they believe hackers have nothing to gain from targeting their website, but that’s not how it works.
Don’t make the same mistake! As you’ve learned in this guide, your site doesn’t have to get lots of traffic, store sensitive data, or generate an income to be hacked.
And your blog isn’t just a website. It’s your business and income, so you should take the time to secure and maintain it properly.
If a lack of time is what’s stopping you, or tech just frustrates and overwhelms you, join one of my website care plans.
I will keep your site secure, functional, and updated while you focus on growing your business. Click here to get started.