Hackers attacking your WordPress site?

It’s one of the worst feelings in the world. You get a call from a customer to tell you your site has been hacked. Or maybe you think you’ve done your due diligence and installed a WordPress Security plugins to combat the hacking attempts and now you’re getting concerned over the hundreds of alerts that bots are attacking your site. Unfortunately, there are many factors that contribute to the security of your WordPress site. So much so, that even web designers and hosting providers sometimes get it wrong.

wordpress security vulnerability
Screenshot of hacked website

Reasons your site gets hacked

  • Using Admin as your username
  • Weak passwords
  • Outdated Themes
  • Outdated Plugins
  • Using “free” infected themes
  • FTP instead of SFTP
  • Accessible wp-config
  • Insecure hosting

WordPress Security: How to protect yourself

In order to keep your WordPress site secure, you must address the above-mentioned security vulnerabilities to ensure that a hacker cannot penetrate your site. One of the ways that a hacker can gain access to your site is through your login or password. Hackers will use a robot of sorts or script to attack your site (called Brute-Force attack) with thousands of attempts guessing your login and password to try and gain access. WordPress security plugins will often times address this but not always. One of the easiest ways to make it more difficult for a hacker to gain access is to ensure your administrator username is not “admin” and to ensure your password is complex. We have run into many websites where the username was “admin” and the password was a pet or spouse name.

Another major vulnerability in today’s WordPress world is using plugins and themes from a reputable source. Outdated plugins and themes can happen as a result from a plugin or theme developer not updating their code, or simply from the user (you) not updating their WordPress site when the theme or plugin update is available. We encourage everyone to update their plugins and themes as soon as they are available. A reputable developer will keep WordPress security at the forefront of their minds. Lastly, another big no-no that we’ve seen is the site using a counterfeit theme. Most themes cost money, but in the same way that there are illegally-obtained movies, pirated WordPress themes are also available. While it seems like a good idea to find a theme for free, it can cause many issues down the road including no updates from the developer or worse malicious code purposefully inserted into the code. Free ≠ good. And PS software piracy is illegal.

The last major area that needs addressing is your WordPress host. Many hosts simply don’t have their servers optimized for WordPress. A few months ago we actually ran into a web design firm that had their own site down due to security vulnerabilities with their host. How can you trust a web designer if their own site is down? Your hosting environment must force SFTP rather than allowing insecure FTP. Most reputable hosting companies will know this, but not all. If they allow you to decide, be sure to select SFTP. The next major issue is your hosting environment blocking access to WP-Config. This can be done on a site by site basis. But it is nice to know that your WordPress host knows enough that they do it automatically.

Another great way to ensure your site is protected is through two-factor authentication. What is two-factor authentication and why does it matter? Two-factor authentication is the security component that requires an additional step to logging in to your website. Where you would normally be asked for your username and password, two-factor authentication requires a unique code that is accessible via an app on your phone. The code is so unique that it is specific to your login and your device, and it actually changes every 60 seconds. Two-factor authentication is so secure that banks use it to protect their customer’s online account access.

If you’re considering options for your current or new site, had issues in the past, or trying to ensure you don’t have issues in the future, Elixir Creative is here for you. WordPress Security is one of our top concerns. Our web hosting provides numerous security protections by default with all hosting including increased server-level security, daily backups, forced SFTP/SSH, managed updating of plugins & themes, blocking access to wp-config and other security enhancements, and two-factor authentication.

We provide all of these security enhancements at no extra cost to our customers because we have a commitment to you and your business. In addition to the design itself, you must hire someone that is an expert on protecting your web presence, data, and reputation. We would love to earn your business. We are Elixir Creative.