Did you know that the website of Mossack Fonseca, the company of the Panama Papers, was a WordPress website?
And did you know that the site was probably hacked because of an outdated version of Revolution Slider?
Wordfence announced this in its blog. Wordfence is one of the best plugins of the moment to secure your website against unwanted intruders.
The hacking of your WordPress website is one of the biggest nightmares for website owners. So it is important to secure this website properly.
From one moment to the next, your website will no longer be accessible and you will no longer be able to access the CMS. All the energy, time and money you have put into it is in danger of being lost.
It happens all too often. According to Forbes magazine, 30,000 websites are hacked every day around the world.
In this article we will show you why hackers want to have access to your website. Then we will discuss how you can protect your website against these brutal attacks.
Why would someone want to hack your website?
Owners of smaller websites often think that they are not a target for hackers. A blog with a few hundred or a few thousand visitors per month; that’s not interesting for a hacker, isn’t it?
But it is….
Hackers use your website to send spam emails via your server. And that’s tricky, because when Google notices that SPAM is being sent from your server, you have a chance they’ll blacklist your website.
Or they may use your website to redirect your visitors to other websites through which they make money via affiliate programs. Then they will get a commission if you click on certain links.
Consequence: the regular mails and newsletters are also put into the spam box of others. Or worse, you’ll be completely taken out of the search results by Google.
Sometimes hackers just do it for fun. They like to hack a site. Just for the sport. Most of the attacks by hackers are automated. A hacker is really not going to type in an address and then see if the site has any vulnerabilities.
No, just like search engines, hackers use bots to search for weak spots on the Internet. This allows them to check thousands of websites at the same time. And often there are always a few websites among them where they can break into.
Where is it most likely that they will hack into your website? A few figures:
• 41% of the websites are hacked by vulnerabilities in the hosting platform.
• 29% occurs through the template you have purchased.
• 22% occurs via a vulnerable plugin.
• 8% due to a weak password.
More than half of all hacks come because of WordPress themes and plugins. Or because of inadequate hosting parties that do not have their security in order.
What can you do about this?
How can you ensure that your website remains secure? We can’t give a 100 percent guarantee, but you can make it very difficult for intruders. And then they will give up at some point.
In this ultimate manual we will give you tips; this is how you need to secure your WordPress website:
1. Choose a good hosting provider
From the figures above, it is clear that the quality of a hosting provider is important. Nowadays most providers are reasonably reliable, but often cheap, ends up being expensive. If you pay only ten bucks for your hosting per year, you can expect that less is invested in the security of your website.
But then, what do you have to pay attention to?
Take a good look at what your provider offers. In addition to supporting the latest versions of PHP and MySQL, they must perform regular malware scans and daily backups. My hosting provider uses Patchman, a program that keeps hackers and malware out and also automatically repairs vulnerabilities in websites.
You could also choose a provider that focuses specifically on WordPress (there are some, such as Savvii – although slightly more expensive than average), because they do even more to secure WordPress websites and often have a lot of expertise on the matter.
2. Make sure you have good backups
You can never guarantee for 100 percent that your website will be hacked. It is therefore advisable to make regular – and in different ways – backups of your website.
Always install a backup plugin for your website. Make sure you choose a good plugin, there are also backup plugins that only back up the database and not the files.
I regularly use the plugins UpdraftPlus and BackupWordPress myself. You can download them for free from the plugin directory and install them easily. Then you can set the number of times you want to back up in the settings.
There are also paid backup plugins, such as VaultPress, that offer more features. For example, if you want to download a backup to Google drive or Dropbox on a regular basis (in the cloud), you will sooner come across a paid plugin.
Nevertheless, you can often get along with a free plugin, which I use as well.
3. Make sure that you have strong login data
In addition to the hosting environment, hackers can also find out your login details from your website. That also happens automatically.
That is done by so-called brute-force attacks, where hackers run a script that tries out hundreds – if not thousands – of passwords and usernames on your website in a short time.
It is therefore important to create long, difficult passwords. WordPress automatically creates difficult passwords with more than twenty (!) characters, numbers and letters, case sensitive.
And it has a strength indicator that indicates whether your password is safe or not.
That is necessary.
Only your last name and then three digits behind it is asking for trouble.
Change your password with some regularity (every six months). It is not wise to keep the same password for years.
Avoid using the ‘admin’ username. Hackers are aware that many people still log in with the username ‘admin’. That’s because this is the default setting when you create a new website.
Hackers try to intrude into almost all WordPress websites on a regular basis. Just take a look at the message below from Wordfence, the security plugin.
You can see that an outsider logged in 17 times with the username ‘admin’. It’s a bit of a job, but it’s best to change your default ‘admin’ username. In the following video you can see how to do that:
If you have trouble remembering all of those passwords, you could make use of Password Managers, such as LastPass. With a single ‘mother password’ you have access to all your websites.
4. Install a security plugin
You should do this by default for each website. They take a lot of hassle out of your hands and make sure that your site is well secured. There are two plugins that I use, Wordfence (my favorite) and iThemes Security. Both plugins have a range of security measures to protect your site. You can, for example, configure to automatically exclude someone after 3 or 5 login attempts. You can exclude IP addresses. Or you can ban sites on blacklists.
You should really make a brief study out of this. There are plenty of articles on the internet that address this very specifically, such as Securing Your WordPress site: Wordfence Security Review.
Often the free versions of these plugins are sufficient. If you want more security, you will have to pay for it. There is, for example, the possibility to deny some countries access to the website (such as spam-sensitive countries like Russia or China).
5. Set up two-step security
Nowadays, the two-step verification is becoming increasingly popular. It’s a bit more cumbersome, but it almost certainly prevents intruders from logging in. With the two-step verification, a second layer of security is added, in addition to the standard login method. A code is then sent to your mobile phone which you then have to fill in to gain access.
I have written an extensive article about this, Adding Two Factor Authentication in WordPress.
6. Hide your WordPress login screen
A simple and yet effective way to prevent people from logging in unauthorized is to hide your WordPress login screen. By default, you can often log in via www.mijnwebsite.nl/wpadmin/.
There is a plugin that can easily change the default address to any address you want, the WPS Hide Login.
7. Secure your WP-config file
In your WP-config file in the root (root directory) of your website you can also modify a number of things to get better security. With automatic WordPress installations with your provider, a so-called Secret Key will often be created automatically. But if you download and install WordPress from WordPress.org, you will still need to add this Secret Key.
Here you can see the empty Secret Key in your WP-config file:
The Secret Key generator provides a unique code.
You can find them at: https://api.wordpress.org/secret-key/1.1/salt
Then you paste it on the spot of the empty key:
There is also a video on how to do that:
Now that you are in your WP-config file you can also modify another setting: the prefix.
By default this one is set to WP_, which is common knowledge. Hackers also know that.
In order to further increase the security of your website, it is a good idea to change it into, for example: 4ldgklw;g#_.
Modifying these kinds of things, such as the prefix, can also be done with a security plugin such as iThemes Security. That is easier if you are a little reluctant to work with the codes.
Because you have to be careful. If one character or dash is wrong your website is no longer visible or accessible.
8. Secure a WordPress website? Keep it up-to-date
It is obvious, but we mention this tip again.
Did you know that more than 70% of WordPress websites don’t have the latest version of WordPress or work with outdated plugins?
It can have far-reaching consequences. Like with the Panama Papers, which was hacked because an outdated Revolution Slider plugin was running.
More than half of successful hacking attempts take place through vulnerable WordPress plugins and themes.
I make sure all my websites are well updated. You need to be disciplined for that, because there are regular updates of WordPress, plugins or the themes you bought.
The major WordPress updates, such as from 4.7 to 4.8, often require manual updating. But since WordPress 3.7, smaller updates are done automatically.
With providers, you can often also configure updates to be performed automatically. My provider, for example, works with Installatron, which can arrange this for you.
But also be careful with it. I manually do large updates myself because a large update has a slightly higher chance of something going wrong. I also often wait a few days after the update has been announced.
Often you see that the owners of the plugins and themes also follow with an update. And so it is important to update everything at once and at the same time.
9. Use trustworthy themes and plugins
I only use plugins that are trustworthy with my customers. How can you recognize them? The popular plugins in the Plugin Catalogue are often safe. They are not used frequently by accident and are first checked by the owner of the plugin directory, Automattic.
I’m a member of WPMU DEV, a company that also offers many themes and plugins that are updated regularly and are safe.
10. Stay informed
From a party like Wordfence or choose a website builder that keeps an eye on the latest developments.
It happens regularly that a vulnerability is found in a plugin and then it is important to update the plugin as soon as possible.
How do you find out? For example, by subscribing to the Wordfence newsletter. They let you know immediately if there is a plugin or WordPress threat.
11. Configure the correct File Permissions
If the file permissions on the server are not configured properly, third parties may have easier access to the website. The permissions should be configured as follows:
- Folders and directories: 755 or 750
- Files: 644 or 640
- WP-config.php: 600
The WordPress Codex has a good article about Changing File Permissions.
12. Scan your website regularly
Without you knowing it yourself, it can happen that your website got hacked. Although your website is accessible and there seems to be nothing wrong, sometimes a hacker wants to keep your website intact so that he can send all kinds of spam via your site.
It is therefore worthwhile to have your website scanned regularly. On the internet there are several tools available which you can use to scan your website for malware.
13. Use a Secure Socket Layer (SSL) Certificate
You have probably seen it before, instead of http in your address line it will show https. Many companies nowadays use SSL certificates.
If people have to fill in information about themselves, it is advisable to work with an SSL certificate. It provides a higher level of security and makes it less easy for hackers to gain access to this information.
14. Use Secure FTP (SFTP)
If you upload your website via FTP, it is best to use a secure FTP connection. SFTP is more secure and provides encrypted passwords.
15. Secure the .htaccessfile
With the .htaccess file (how do you find the .htaccess file?) you can also better secure your WordPress website.
With the following code you can, for example, ensure that your WP-config file is properly protected:
You can read more about it in Hardening WordPress.
In general, I can say: be proactive. If you do not do that and neglect your website, you are asking for trouble.
Security is part of running a website and it’s better to be safe than sorry. If your site still gets hacked, you can secure WordPress by a professional company.
You don’t only have to see objections. WordPress is very safe in general and the developers work on it every day to make it even safer.
Most attention you need to pay to the hosting environment (use difficult passwords for ftp for example), vulnerable plugins/themes and easy login data.
To conclude, I can say: just use your common sense!
You should not log into an unsecured WiFi network and never give your password to anyone you don’t know.
And do not send your password by email, but by SMS.
These are obvious but important matters.