WordPress hacking attacks – keeping your site safe

[Image: a double padlock, denoting extra security. Photo by Paolo Gadler]

There have been a lot of comments surrounding the recent spate of attacks against WordPress websites. Whilst part of me thinks ‘enough said already’, another part of me wants to add my own two-penneth to the discussion by saying how I see it, and adding my own golden rules for keeping your WordPress websites safe.

Why WordPress?

WordPress has always been a popular target for hackers and spammers. Whilst a properly maintained WordPress site is no more vulnerable to attack than any other sort of website, the fact is that around 20% of all websites are now built with WordPress, making it a more lucrative platform for hackers to focus on.

Although WordPress work hard and fast to close any vulnerabilities that are found, there are many, many website owners that just don’t keep their WordPress version (and plugins) up-to-date. This leaves many websites vulnerable to attack. So, my number one golden rule for keeping your WordPress site safe is…

1. Ensure you keep your WordPress version up-to-date

Followed swiftly by the number 2 rule…

2. Keep your WordPress plugins up-to-date

Brute Force WordPress Attacks

The current threat to WordPress websites is from hackers who are attempting to log in to WordPress sites by trying thousands of combinations of usernames and passwords until they manage to log in.

These login attempts are automated, and a hacker is able to generate many thousands of attempts in a very short space of time, typically from a range of different IP addresses and locations. Even if they don’t succeed in breaking into your site, their attempts to log in greatly add to the server load, slowing down websites.

We experienced such a problem on our own server recently, and it’s likely that this issue (or a variation) will occur more frequently in the future. This isn’t something specifically targeted at us – most website hosts are experiencing the same.

3. Don’t use an easy-to-guess username (or password)… and don’t share it around

It’s possible that these hackers don’t even want to hack your site. Their ideas may be much more ambitious – for example, to use the power of your website to launch an attack on an even bigger target!

Protecting your WordPress site against brute force attacks

Your own website hosts may well have implemented measures to help protect your site against WordPress hacking attacks, such as adding an extra login screen in front of your actual WordPress login page. This is fine if you are the only person who logs in to your site, but if you have a number of users who need to log in it might prove confusing for them. You might want to look at a plugin such as Limit Login Attempts, which blocks an IP address from accessing your website for 15 minutes if someone enters an incorrect username / password combination 4 times, with a further lockout period of 24 hours if more unsuccessful attempts are made. This will seriously inconvenience hackers, who rely on making thousands of attempts every few minutes in order to ‘crack’ your password. However, it might not be effective if the login attempts are coming from a large range of different IP addresses.
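As an added illustration (not code from the original post, and not the Limit Login Attempts plugin itself), the Python below replays the lockout rule described above, 4 failures then a 15-minute lockout and 24 hours thereafter, over a few constructed access-log lines, and adds the check that a per-IP lockout cannot make on its own: how many distinct sources are failing. The log format, the "200 means the form was re-rendered, so the login failed" heuristic and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined format); not real traffic. Heuristic:
# a POST to wp-login.php that re-renders the form (200) is a failed login, whereas a
# successful login redirects (302) into the dashboard.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3128
203.0.113.5 - - [14/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3128
203.0.113.5 - - [14/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3128
203.0.113.5 - - [14/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3128
203.0.113.5 - - [14/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3128
198.51.100.7 - - [14/Apr/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.8 - - [14/Apr/2013:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3128
198.51.100.9 - - [14/Apr/2013:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3128
"""

FAIL_THRESHOLD = 4                   # failures before an IP is locked out
SHORT_LOCKOUT = timedelta(minutes=15)
LONG_LOCKOUT = timedelta(hours=24)   # applied once an IP has been locked out before
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')

def failed_logins(log_text):
    """Yield (ip, timestamp) for each request that looks like a failed login."""
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path.startswith("/wp-login.php") and status == "200":
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def lockouts(log_text):
    """Replay the per-IP rule: 4 failures -> 15 min lockout; later failures -> 24 h.
    Returns a list of (ip, time_locked, lockout_length)."""
    fails, locked_until, past_lockouts, events = defaultdict(int), {}, defaultdict(int), []
    for ip, when in failed_logins(log_text):
        if ip in locked_until and when < locked_until[ip]:
            continue  # attempt arrived during a lockout: rejected, not counted
        fails[ip] += 1
        if fails[ip] >= FAIL_THRESHOLD:
            length = LONG_LOCKOUT if past_lockouts[ip] else SHORT_LOCKOUT
            locked_until[ip], fails[ip] = when + length, 0
            past_lockouts[ip] += 1
            events.append((ip, when, length))
    return events

def failing_ips(log_text):
    """Per-IP lockouts cannot see a distributed attack: count distinct failing sources."""
    return {ip for ip, _ in failed_logins(log_text)}
```

On the sample, one source earns a 15-minute lockout (its fifth attempt falls inside the lockout and is not counted), while three distinct sources are failing, the pattern a per-IP rule alone would let through.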

4. Add extra login protection to your website with a security plugin (or two)

Can you do more?

No website (WordPress or otherwise) can be rendered 100% safe from hacking attacks. However, the more work you do to protect your website, the harder you will make it for hackers to break in, persuading them to go for the many easier targets elsewhere.

Here are a few more quick tips…

5. Install your WordPress database with a table name prefix that doesn’t begin with wp_. This is the default table name prefix, so it is a good starting point for hackers trying to get into your database by SQL injection. If you give it another prefix it will be harder to hack!
6. Make sure you use WordPress security (secret) keys effectively. These improve the encryption of your user cookies, and shouldn’t be left as the default values. Update these in your wp-config.php file when you install your site with a service like this. Useful tip: if you want to force all of your users to log in again, change these values in your wp-config.php file.
7. Take a look at a service like CloudFlare – they will screen a lot of malicious traffic before it even reaches your website.
8. Back your site up regularly, and keep a reasonable number of backups in case you have to restore from an older version. Useful tip: make sure you back up both your site files AND your WordPress database, AND make sure you have tested your recovery process!
9. If you think the worst has happened, and your site has been hacked, run it through Sucuri to check it.
10. If you don’t have the knowledge or the time to look after your website yourself… get a professional to do it for you.
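An added example for tip 6 (not the original post’s code, and not WordPress’s actual cookie scheme or wp_hash() implementation): a simplified model of why the secret keys matter, with a check for the install-time placeholder text that wp-config-sample.php ships with, and a demonstration that rotating the keys invalidates every existing login cookie. The key names, the cookie layout and the MAC construction are assumptions made for illustration.

```python
import hmac
import hashlib
import secrets

# Placeholder text shipped in wp-config-sample.php; keys left like this are worthless.
DEFAULT_PLACEHOLDER = "put your unique phrase here"

def generate_keys():
    """Fresh random secrets: the equivalent of regenerating the wp-config.php keys."""
    return {name: secrets.token_hex(32) for name in ("LOGGED_IN_KEY", "LOGGED_IN_SALT")}

def keys_are_default(keys):
    """Flag the install-time placeholder, or any empty/short value, as unsafe."""
    return any(v == DEFAULT_PLACEHOLDER or len(v) < 32 for v in keys.values())

def sign_cookie(keys, username, expires):
    """Build 'username|expiry|mac' (assumed layout); the MAC is keyed with the site secrets."""
    data = f"{username}|{expires}"
    secret = (keys["LOGGED_IN_KEY"] + keys["LOGGED_IN_SALT"]).encode()
    mac = hmac.new(secret, data.encode(), hashlib.sha256).hexdigest()
    return f"{data}|{mac}"

def verify_cookie(keys, cookie, now):
    """Return the username if the cookie is unexpired and its MAC matches, else None."""
    try:
        username, expires, mac = cookie.split("|")
        if int(expires) < now:
            return None
    except ValueError:
        return None  # malformed cookie
    expected = sign_cookie(keys, username, expires).rsplit("|", 1)[1]
    return username if hmac.compare_digest(expected, mac) else None

def rotation_invalidates_sessions(now=1_000_000):
    """Issue a cookie, rotate the keys, and show the old session no longer verifies."""
    keys = generate_keys()
    cookie = sign_cookie(keys, "admin", now + 3600)
    before = verify_cookie(keys, cookie, now)             # "admin"
    after = verify_cookie(generate_keys(), cookie, now)   # None: user must log in again
    return before, after
```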

We offer a premium support service that can look after your website by keeping all of the vital components up-to-date, as well as proactively flagging issues that you might have and helping you to resolve them. This service costs just £225 + VAT per year, and provides up to 1 hour of our support time every month. We also offer an even more comprehensive Gold Service (for those website owners who want even more).

If you are not on one of our website support schemes, and would like us to take action to protect your website, please get in touch.

Get a solution to your WordPress issues

Whatever your WordPress requirements, let us know how we can help. We will listen to you and offer you an honest appraisal of the options available to you.

2 Responses to “WordPress hacking attacks – keeping your site safe”

  1. Janet Fuller says:

    To keep your WordPress site safe from hackers, you can use JetPack or BulletProofSecurity plugin. They have good reviews in plugin directory.

    • Yes, good advice – but these security plugins have to be a) activated, b) up-to-date, and c) configured correctly. At least one of the sites that we have cleaned up in the past few weeks had a security plugin active on the site. Unfortunately, it wasn’t configured correctly and so nobody was alerted. The plugin was also way out of date.

      So the earlier advice stands – keep everything up-to-date. You could look at a Web Application Firewall (WAF) – both Cloudflare and Sucuri offer these – which should protect you from getting infected in the first place, but they are costly for smaller businesses.
