At Complete Developer we understand how frustrating it can be for the average blogger to deal with WordPress hackers. After all, they’re everywhere, and they don’t give up easily. We recently reached out to health and wellness blogger, Jaime A. Heidel, about her experiences and asked if she had a few tips to share with us. Turns out, she has an interesting story to tell and quite a bit of good advice. Most don’t realize the value of website security until a story like this occurs and it is too late. Website security is not expensive but is incredibly important. For website security options go to https://completedeveloper.com/web-security-basic-website-plan/
Without further ado, I give you Jaime’s piece on how to stop WordPress hackers from targeting your site.
How to Stop WordPress Hackers From Targeting Your Site
–Jaime Heidel (http://itoldyouiwassick.info/)
When you start a new WordPress blog, there is so much to focus on. There’s finding the right niche, branding, writing, posting, social media, affiliate marketing, you name it. And, if you’re like most first-time bloggers, you have to figure all this out by yourself.
WordPress hackers and all the trouble that comes with them are often the furthest thing from your mind.
I started my blog, I Told You I Was Sick (http://itoldyouiwassick.info/), in 2010, as a way to connect with others struggling with mystery symptoms and chronic illness. For the first year or two, everything was going pretty well. I got decent traffic and people were starting to take a real interest in my posts.
About the third year in, I made a big mistake. I wanted to save money on hosting, so I switched to a no-name company run by a guy barely out of his teens.
Once it was on the new server, the site loaded faster, and I thought that the blog would really take off. That is, until a group of website hackers called the Bangladesh Cyber Army decided to target the site. I know it sounds like a joke, but it’s not. These WordPress hackers infiltrated my website and did all sorts of weird things to it before I ever even noticed they were there.
It took me over a year to finally break ties with the person hosting my site, clean up the files, and move them to another host. After a year without incident, I decided to let those who wanted to contribute guest posts register for accounts.
I might as well have posted a neon sign saying, “WordPress hackers welcome!”
I cringe when I think about how completely clueless I was about all this stuff when I started. But hey, you live and learn, right?
So here’s what I’ve learned in my six years of blogging. I hope this information can help you.
- Host With a Company That Prioritizes Security
Research has shown that 41 percent of hacking attempts are caused by a vulnerability within the hosting company. So, don’t do what I did. Don’t switch to an independent hosting company run by a kid fresh out of college. You need a reputable hosting company that places strong emphasis on security.
For best results, said company should:
- Be optimized for running WordPress
- Support the latest versions of MySQL and PHP
- Include malware scanning and intrusive file detection
- Have a staff trained in common WordPress security issues
- Offer firewall protection designed for WordPress
There’s no need to spend an arm and a leg to get this kind of service, either. Many well-known companies will host a small website for as little as $5 a month.
- Update Your Themes
I’m embarrassed to admit this, but I used to completely ignore WordPress updates. When I was just getting started, the whole “back up your site before you do this” thing threw me for a loop. I also thought they were just trying to get me to buy something.
Not exactly. While there are WordPress themes you can pay for if you want extra functionality, most of the best themes available are completely free. Not only do they ensure your site keeps up with the times, they keep your site secure.
Each update addresses security holes identified in the previous version so you’ll stay one step ahead of the hackers just by clicking that little ‘update now’ button when prompted.
Important Note: If you don’t know how to back up your site before upgrading your theme, get someone to do this for you. Honestly, if you’re a creative type like me, trying to figure out all the technical stuff on top of everything else will just burn you out.
- Delete Plugins You No Longer Use
According to statistics released by WordPress Security News (http://www.wpwhitesecurity.com/wordpress-security-news-updates/statistics-70-percent-wordpress-installations-vulnerable/), 51 percent of hacking attempts are made through a WordPress plugin or theme.
Chances are, you’ve downloaded a few plugins you don’t use. Get rid of them. Also, beware any plugins that have not been updated within the last two years. This could mean they’ve been hacked or abandoned by their creator. Either way, they are a security risk.
- Use a Strong Username and Password
Sometimes hackers get in the easiest way possible, right through the front door. They use brute force attacks (multiple login attempts in the span of seconds) to ‘guess’ your username and password combination.
If you use ‘admin’ as your username, consider changing it. It’s the most common username hackers try when attempting to gain access to your site. Also, your password should be a nonsensical word that cannot be found in a dictionary in any language. Throw in a few characters and numbers, and you’ve got a very strong password.
- Protect Your Site
It’s important to secure your website with anti-virus and anti-malware just like you do your home computer.
I use Wordfence. Wordfence limits login attempts, allows you to ban people by IP address, and will immediately alert you when you need to update something. It also regularly scans your website for malware, backdoors, and phishing attempts, and will monitor your disk space usage to help detect DDoS attacks.
- Back Up Your Site Weekly
Whether you or someone else does it, your site should be backed up at least once a week. This way, if anyone does manage to hack in, your corrupted files can be replaced by the backup. Without a backup, years of hard work can disappear forever with the stroke of a key.
- Do a Weekly Virus Scan on Your Computer
If the computer you use to log in to your WordPress account is infected with viruses or malware, your website is just as vulnerable to attack as your hard drive. Commit to doing a weekly virus scan on your main computer and any removable drives you use.
- Be Careful Who You Allow to Access Your Site
Having guest posts from multiple bloggers is a great way to draw new traffic to your site. However, there’s always a risk. Allowing someone to sign up and use your website as an author, editor, or contributor will give them deeper access to the site than the average reader.
Before you allow anyone access to your site, look up their email address on Google. Do they have an existing blogger/social media presence? If not, be wary.
Also, email them and ask how they found the site and why they’d like to contribute. Anyone who is on the up and up will have no problem answering these questions. If they do, something is wrong. Do not approve them and delete their account.
- Delete Inactive User Accounts
If you allow registered users to post on your blog, give them no more than a month to make their first contribution. If you receive no posts within this time frame, delete their account.
If they’ve already submitted a few guest posts, and you don’t want to delete the user (which will force you to attribute their content to someone else), bump them down from ‘contributor’ to ‘subscriber’ to limit their access on the site. If they want to contribute again, they’ll let you know.
Another great way to stop WordPress hackers from targeting your site is to be aware of the signs. If your website loads slowly, there is an unusual amount of memory usage, or the site crashes often, your blog could be under a brute force attack.
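One way to check a web server access log for the brute-force pattern described above (an added example, not part of the original article): it flags any IP address that submits many login forms to `/wp-login.php` within a few seconds, and notes whether one of those submissions was answered with the redirect WordPress sends after a successful login. The combined log format, the sample lines, the IP addresses and the thresholds are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log ("combined" format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2016:10:14:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2016:10:14:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2016:10:15:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "curl/7.47"
198.51.100.23 - - [12/Mar/2016:10:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "curl/7.47"
198.51.100.23 - - [12/Mar/2016:10:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "curl/7.47"
198.51.100.23 - - [12/Mar/2016:10:15:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "curl/7.47"
198.51.100.23 - - [12/Mar/2016:10:15:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "curl/7.47"
198.51.100.23 - - [12/Mar/2016:10:15:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "curl/7.47"
198.51.100.23 - - [12/Mar/2016:10:15:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/7.47"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def login_posts(log_text):
    """Yield (ip, time, status) for each POST to /wp-login.php."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparseable line, or a page view rather than a login submission
        if m["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, int(m["status"])

def find_bursts(log_text, max_attempts=5, window_seconds=10):
    """Flag IPs with >= max_attempts login POSTs inside any sliding window."""
    window = timedelta(seconds=window_seconds)
    recent, peak, redirected = defaultdict(deque), defaultdict(int), set()
    for ip, ts, status in sorted(login_posts(log_text), key=lambda r: r[1]):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # drop attempts that fell out of the window
        peak[ip] = max(peak[ip], len(q))
        if status == 302:
            redirected.add(ip)  # WordPress answers a successful login with a redirect
    return {ip: {"peak": n, "login_succeeded": ip in redirected}
            for ip, n in peak.items() if n >= max_attempts}

if __name__ == "__main__":
    print(find_bursts(SAMPLE_LOG))
```

A flagged address whose burst ends in a successful login is the case to act on first: change that account's password and review what the account did afterwards.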
If hackers are already in there and messing around, you might find a post that barely got any views becomes extremely popular out of nowhere, all of your traffic comes from one foreign country, or your posts are being redirected to another website.
It’s true what Benjamin Franklin said, “An ounce of prevention is worth a pound of cure.” If you take the right steps to secure your website now, you can focus the rest of your time and energy on building the perfect platform for your business.
- WordPress managers just starting out are, of course, inexperienced and can quickly become overwhelmed.
- The last element WordPress newbies generally consider is security, which is a fatal mistake because this is the first type of site cyber-criminals target.
- Simple implementations such as strong passwords, routine updating, and deleting anything which is inactive provide increased protection against hack attacks.
- The most common reason WordPress sites are attacked is vulnerabilities in security, which reputable hosting services root out and reinforce on a daily basis.
- Website managers must be vigilant, implementing as many security features as possible, such as malware scanners, firewalls and protection plug-ins.