A must-read that teaches you how to successfully keep your site and users safe!
Did you know that WordPress powers over 30% of the world’s websites? It is the most popular content management system (CMS) with a share of 62% of websites. This makes it a prime target for hackers. (source: Kinsta)
If you run a WordPress website – and the chances are that you do – then you must be aware of the potential issues that you might encounter.
Basically, if you don’t take precautions, you could get hacked.
We’re going to tell you why hackers attack websites, what they do, and what you can do to protect yourself.
If you’re in the unfortunate position where it’s already happened to you, then read on. We’ve got some great advice on how to recover your website and protect yourself from future incidents.
Why hackers attack websites
There are many reasons why hackers do what they do. Some of the reasons why hackers attack websites are:
- To disrupt
- To steal money
- To steal valuable information or commit identity theft
- To control your server, for example to mine bitcoins or send spam emails
- For fun or to gain attention
- Because they can – due to lack of adequate security
Primarily it is all for financial gain. By accessing your site, they will often download the data of all user accounts, including your own.
This data is especially valuable because usernames and passwords can often be used on other websites. The personal information can also be used for fraud, including identity theft.
Your website might even be an e-commerce store. If so, hackers can place fake orders and delete data preventing you from seeing that fraud has occurred.
They can also quietly modify your website so that they can steal credit card details of any future sales that are made through your website.
Or they can simply change information that is displayed on your website. This will have a negative impact on your readers and can even result in a drop in visitors. Or worse, you might receive a penalization from Google.
Hackers often install malicious software on your website that is hard to detect. It can be used to steal data, such as your customers’ credit card details, or to infect your visitors’ computers, which are then used to steal their data.
There are many reasons why hackers want to attack your website, but regardless of what their reasons are, you need to make sure that you take reasonable steps to protect your site and your users from these malicious groups.
Spammers, on the other hand, are more obvious.
Spammers quite simply leave comments on your website to divert your readers to their websites. Often this is obvious, but sometimes this can be sneaky. Watch out for well-written comments that include a link to an inappropriate site hidden in amongst the comment.
What damage do hackers cause?
In addition to the obvious damage that hackers do to websites such as defacing or crippling sites, there can also be immediate data and financial loss.
A hack attack can also damage your company’s reputation, damage your consumer trust, and significantly affect your sales going forward.
A recent study shows that, on average, businesses that suffer a form of hack attack lose about $188,000! Furthermore, 60% of these businesses are unable to recover and close down.
Many businesses would still be operating today if they had adequate security.
Hackers can also install malware on websites that can affect your visitors.
The malware can infect your visitors’ computers, hijacking them so that they can be remotely controlled. This can leave your visitors susceptible to financial loss or identity theft.
What you can do to protect your website
So with all of this in mind, what can you do to protect your website from hackers? Do you want to take the necessary steps to protect your website and data? If so, here are the best tips for securing your website.
Choose a good hosting company
One of the top things you can do to keep your site secure is to choose a good hosting company.
You might be tempted to go with a cheap host, but they are generally cheap for a reason.
Cheaper hosting companies tend to skimp on some things to provide you with the most basic low-cost service. By trying to compete on features, they tend to be slow or lacking in good security.
There are many good and bad hosting companies. We recommend Bluehost as they are a great host that provides many features, including:
- Free SSL certificate
- Site backups
- 24/7 network monitoring
- 24/7 support
- Great speeds
- and more.
Keep WordPress, plugins & themes up to date
WordPress is constantly being developed by a community of developers. New features and functionality are regularly added, and security holes are plugged as they are found.
It is always important to make sure that you are running an up-to-date version of WordPress. This way, you can be sure that you’re not so susceptible to WordPress core vulnerabilities.
Often WordPress automatically carries out minor updates itself, but it is important to watch out for available updates. These often include security enhancements as well as new functionality.
You can check for updates from within your WordPress administrator dashboard. If any WordPress updates are available, they will be displayed here.
You can simply click on the update button within the dashboard, and it will automatically download and apply the updates for you.
Plugin and theme updates
It is widely known that plugins can also develop vulnerabilities over time. Plugin authors tend to provide updates to their plugins from time to time. As well as new features, these updates include bug fixes and fixes for security vulnerabilities.
You can also check to see what plugins have updates available by visiting your site administrator dashboard. This is where you will see notifications for any available updates. You can update them all at the click of a button in just a few seconds.
Install security plugins
One of the best and easiest things that you can do to protect your WordPress website is to install a good security plugin.
It can be time-consuming to regularly check your site for malware, brute force attacks, or vulnerabilities. However, a good security plugin can make your job easy by taking care of your site security.
Typical features of a good security plugin include:
- Scans for malware – any malicious files found will be removed or restored to their original version
- A solid firewall – prevents attacks from known blacklisted IP addresses
- Stops brute force logins – a common way for hackers to gain access to your website
The Sucuri WordPress security plugin offers all of these features and much more, including help restoring your site to full health in the event of an attack or infection.
We love this plugin, and so do many other top WordPress websites, and can’t recommend it enough.
Use a strong password
This one is a no brainer.
People often use basic passwords for their online accounts, and they also use the same password for multiple accounts. But if one of your accounts is compromised (which happens often), then it’s not too difficult to gain access to your other accounts. That is what hackers do.
Using a strong password, ideally a long one that combines letters, numbers, and symbols, will help, as this makes it impossible to guess and certainly harder to crack.
Tools like LastPass can not only generate very secure passwords for any site you use but also securely store all of your online account logins.
This way, you only need to remember one master password to safely get access to your online accounts.
Install an SSL certificate
An SSL certificate ensures that the information transferred from the browser to your website is encrypted. Without an SSL certificate, the information is sent in plain text and, if intercepted by a hacker, can be easily read and stolen.
These days people will only buy from a website that is secure and shows the lock symbol next to the address. Google ranks websites that have an SSL certificate higher than those that do not.
An SSL certificate ranges in price from around $75 to $199, although Bluehost provides a free SSL certificate as part of their package.
Installing an SSL certificate can be done via your web host, normally within your hosting control panel.
If you have a good web host such as Bluehost, then this can be installed and activated easily with minimal effort within the addons tab.
Change your WordPress login URL
It’s common knowledge that the WordPress administrator login page can be accessed on any WordPress website by visiting the address yourwebsite.com/wp-admin.
This simply means that an intruder knows the doorway into your site; all they need is the keys (your username and password). Often your WordPress username is Administrator, in which case all they need to guess is the password.
But with brute force attempts, they can run software that can guess your password over a period of time by trying many different passwords a second.
By changing the address of your WordPress administrator login page, you make it harder for intruders to attempt login attacks.
Change the address of the administrator login page by installing a plugin designed to do just that.
WP Hide Login is an example of one of the plugins which can help you hide your login page.
Limit login attempts
As discussed earlier, hackers often use brute force login attempts to gain access to WordPress sites, simply because by default, there are no limits to the number of times a login can be attempted.
You can limit the number of login attempts by installing a plugin such as Limit Login Attempts Reloaded. This gives you the option to set the number of retries allowed before the offending IP address is blocked.
This means that the hacker will be locked out and unable to continue with their brute force attack.
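A sketch of the retry-limit logic described above, run over constructed access-log lines. It is an added example, not code from Limit Login Attempts Reloaded; the 4-retry limit, the 20-minute window and the assumption that a failed WordPress login returns HTTP 200 while a successful one redirects with 302 are illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _line(ip, hhmmss, status, method="POST"):
    # Helper that builds one constructed combined-log-format line.
    return (f'{ip} - - [12/Mar/2024:{hhmmss} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 4321')

# Constructed sample traffic (documentation IP ranges, not real visitors).
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "09:59:59", 200, "GET")]                        # viewing the form
    + [_line("203.0.113.7", f"10:00:0{i}", 200) for i in range(6)]        # rapid guessing
    + [_line("198.51.100.20", "10:05:00", 200),                           # one typo...
       _line("198.51.100.20", "10:05:20", 302)]                           # ...then success
    + [_line("192.0.2.55", f"{h:02d}:30:00", 200) for h in range(9, 14)]  # hourly failures
)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})\b'
)

def find_lockouts(log_text, max_retries=4, window=timedelta(minutes=20)):
    """Return {ip: time of the failed login that exceeded max_retries in window}."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failed logins
    blocked = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        # Assumption: a failed login re-renders the form (200); success redirects (302).
        if m["status"] != "200" or m["ip"] in blocked:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        attempts = recent[m["ip"]]
        attempts.append(ts)
        while ts - attempts[0] > window:   # drop failures older than the window
            attempts.popleft()
        if len(attempts) > max_retries:
            blocked[m["ip"]] = ts
    return blocked

if __name__ == "__main__":
    for ip, when in find_lockouts(SAMPLE_LOG).items():
        print(f"block {ip} (limit exceeded at {when:%H:%M:%S})")
```

The hourly failures from 192.0.2.55 never trip the limit, which shows why a per-IP retry limit slows fast guessing but does not replace a strong password.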
Add 2-factor authentication
An additional layer of security on the login page can be added by way of 2-factor authentication.
This means that in addition to your username and password, you also have to provide a code to log in to the site. This code is not predefined but instead is generated at the time of login.
When you install a WordPress plugin such as Two Factor Authentication, it will send a code to your email, SMS, or Google Authenticator app, depending on the option you choose when you configure the settings.
Without this code, you cannot log in to your site even if you know the username and password.
Bonus tip: UpdraftPlus
Ok, this isn’t a specific security plugin as such but is certainly a form of website security.
If you do suffer a hack attack on your website, having a solid backup can help recover your website quickly.
We’ll explain how to recover your site later in this article, but let us tell you a little about UpdraftPlus first.
UpdraftPlus is a WordPress backup plugin that helps you to take manual or automatic backups of your website.
You can backup individual parts of your website, such as the files or database, or you can backup the whole website.
In the event of an issue, the website can be quickly and easily restored in just a few clicks.
This makes it an important tool for the safety and security of your site. We highly recommend that you install a backup plugin on your website for complete peace of mind.
Multiple Layers of Security
Some of these security enhancements that we’ve discussed are easier to set up than others.
Many people opt for the quickest and easiest options and leave it at that, whereas some don’t even add additional security at all.
However, for the best security, you shouldn’t focus on employing just one of these methods but rather multiple.
Multi-layer security means exactly that. You have employed multiple layers of security to protect your website. This makes it especially difficult for anyone with malicious intent to gain access or cause damage.
The easiest way to add multi-layer security is to simply start by adding one level of security at a time.
For example, if you’ve already got a good hosting provider, then you’re likely to have at least some form of security already.
Adding an SSL certificate to your account will give you another level.
You would then build on this by installing a security plugin to give you yet another level. Ideally, you would continue with this until you’ve reached a satisfying amount of security measures.
Signs your website has been hacked
There are some telltale signs that your website has been hacked, from the gut feeling that something is not quite right to the obvious in-your-face alerts.
Here are some signs that your website has been hacked:
- Your browser warns you that the site contains malware. Modern browsers such as Google Chrome can detect some malware when you browse the site and will stop you from progressing by alerting you with a big red warning screen.
- Your site has gone – a blank screen where your web pages should be. Another clear sign that your site has either been hacked or is broken.
- Your site is unusually slow to load. Often, this is because hackers are using your site to send mass spam emails or use it for mining bitcoins.
- Your site displays a different website – hackers have either rewritten your site or redirected it to another website.
- Some of the content on your site has changed to show words or phrases related to pharmaceutical products. Yes, you know those products.
- You start to learn that the emails you send don’t get received by people you send them to. This is quite often because your website is being used to send spam. This will result in your email domain being blacklisted.
- Your hosting provider has alerted you. If you have a good web host that monitors your website, they are likely to alert you in the case of a hack or malware infection. They may also lock your website until you have taken action to resolve the issue.
What you can do if you’ve been attacked
So you’ve discovered that your website has been hacked. Besides panicking, what do you do?
Every day, hundreds, if not thousands, of websites sustain a hack. But things can be recovered and returned to normal quite quickly, providing you have taken some necessary steps.
Contact your hosting provider
If you’ve chosen a good hosting provider, they may already be aware. However, it is important to get in touch and discuss your options with them. They may be able to run scans and clean any malware. They may also be able to restore your files or database to a previous date.
Change your administrator password
This is important and can prevent hackers from getting immediate access so quickly. If you can access the WordPress dashboard of your website, you should update your password. Also, look for any other administrator accounts and disable these.
Disable your site
That’s right. The next step you need to take is to shut your website down. This is to avoid any further damage being caused. Your site will not be able to serve usable content if it has been hacked. You may even get penalized by Google if they detect malware. This protects both you and your users from any further damage.
If you have a maintenance mode plugin installed or a theme that supports maintenance mode, then activate this immediately. Otherwise, try to download and install a maintenance mode plugin from the WordPress plugin repository.
Immediately protect and clean your website
If you haven’t installed a good security plugin for WordPress, then chances are this is one of the reasons why you were so easily hacked.
You now need to install a plugin and, once activated, run a malware scan to check for any malware which can be cleaned.
A good security plugin such as Sucuri will scan, identify, and help clean any malware files. Your host may help with this, but you can certainly do your part here too.
In addition to this, the security plugin can help stop further attacks.
Restore your website
If you are unable to have the malware cleaned by your host or a security plugin you’ve installed, then you will likely need to restore your website to a previous time when it was in good working order.
You may wish to do this anyhow for peace of mind as you’ll never be completely sure if all malicious files have been cleaned otherwise.
To do this, you will need to restore a backup from a previous date when the site was known to be working.
Additionally, you may wish to ask your hosting provider to completely clear all files and the database before restoring a backup.
Secure your site
If you do restore your website to previous working order or you manage to clean the malware, you now need to rectify the security vulnerabilities. Do this by installing good security plugins and having multi-layer security.
You shouldn’t skimp on this part as this is what would have caused the issue in the first place. If you avoid improving your site’s security, then the hackers will simply use the same vulnerability to strike again.
Call in the experts
If you are in the very unfortunate scenario where your site has been hacked and damaged, and you’ve tried to recover your site using these methods, or if this all sounds too technical for you, then all is not lost.
This is where you can simply call in the experts who will help you clean your site and restore it to good working order.
They can even help rectify the vulnerabilities and recommend and implement good security measures going forward.
We recommend fixed.net for this as they are WordPress experts and can offer a one-off fix or put you on a care plan to provide you with monitoring, backups, updates, and fixes.
In this day and age, being conscious of your data, privacy, and finances is common knowledge and something that we all take security precautions with.
But it is also just as important to protect your website, especially if it is used for business.
If you’ve invested your time and money into building something important, your readers will expect that you’ve taken reasonable forms of security to protect them while they use your website.
Using some of the methods here will help you take the necessary steps not only to protect your website but also to prevent hackers from succeeding in their endeavors.