Are you scared after reading the title? 😱
If not, you must be scared because literally, someone can hack your website anytime from now, even tomorrow, if you don’t deal with several fundamental security concerns of your WordPress website.
Don’t get me wrong, WordPress is a pretty secure piece of software. The problem comes from several harmful practices that users do regarding security.
The only reason I am writing this article is to alert you to the rising online crime hacking and to save your online assets from getting into the wrong hands.
Here is the screen of what’s going on through one of my friend’s blogs yesterday.
Yeah, these are Lockout notifications of my blog, which indicate failed hacking attempts. A site can be hacked in various ways, such as SQL injection, Cross-site scripting, Clickjacking, DNS cache poisoning, Remote code execution, or even DDoS attacks that make your website inaccessible.
The good news is WordPress reduces the chances of getting hacked via the above methods because of its frequent updates.
Still, hackers can attack your site if you don’t take the initial steps to save it from unauthorized persons.
Signs Your WordPress Site Is at Risk
Your WordPress site isn’t behaving as it should do.
But how do you know that problem is due to a hack?
Let’s take a look at some of the signs that your site has been hacked or that someone is trying to get unauthorized access:
- You receive notifications that someone logged in to your admin account, hosting account, domain registrar, etc.
- You can’t log in to your admin panel.
- Your site looks significantly changed without you having done anything.
- Your site is redirecting to another website. Some tricky hacks redirect only the traffic from search engines while direct traffic is sent to your site.
- When you or other users try to access your site, you get a warning in your browser.
- When you search for your site, Google gives a warning that it may have been hacked.
- Your hosting provider has warned you about unusual activity on your account (unusual email sending rate, heavy resource usage, etc.).
- Website visitors complain to you that their desktop AVs are flagging your site.
If you see any suspicious activity, I recommend contacting a WordPress maintenance provider ASAP. They can help you get your website back up and running.
9 steps to protect your WordPress website
Here are nine simple but essential steps to make your site highly secured and avoid getting hacked.
Keep in mind that hackers are intelligent persons. Even big tech giants like Yahoo, Sony, Facebook, etc., got hacked in history.
1. Choose a Reliable Hosting Provider
If your hosting provider is not taking security very seriously, you are in danger. No matter how many precautions you have taken for your WordPress website, if your hosting provider’s security is weak, even an average hacker can get access.
According to stats, the security weaknesses on the hosting platform account for about 40% of website hacks.
So, if you think your hosting provider is not reliable, I suggest you start securing your site by changing your hosting server. If you do not feel safe with your current hosting provider, you can move to one of the recommended hosting providers listed here.
2. Keep your WordPress Core, Theme, and Plugins Updated
Not staying updated is one of the biggest reasons for getting hacked. WordPress core and the creators of themes and plugins constantly release new updates to address security issues and add new features.
You must keep all your plugins and themes updated along with WordPress CMS to stay safe.
The old version of CMS, plugins, and themes may contain security holes that can be the doorway for hackers to access your WordPress blog. Therefore make sure you always keep your website updated.
3. Pay attention to what themes and plugins you install
One great thing about WordPress is that it is open-source. This means that everyone can view its source code and create addons for it. According to an article on WPBeginner, around 540000 developed WordPress plugins.
But on the other hand, unfortunately, not all of them are updated or designed with the best security practices in mind. This means that with any new plugin or theme installed on your website, you open a potential attack vector for an attacker.
I can’t stress enough to install only updated plugins from reputable vendors and avoid pirated copies of these plugins. Pirated themes and plugins are the most common source of malware infections on WordPress.
4. Selection of Username
Know the most used user name of a WordPress blog? Yes, it is admin. Perhaps you are also using this as your login username. If you are on the list of 70% WordPress blog owners at risk of getting hacked, I strongly recommend you avoid using admin as your default username.
Did you already use it on your blog, and the username cannot be changed by default? Here is the simple solution: install the Username Changer plugin and change your username.
Isn’t it straightforward? If you are unwilling to slow down your site by installing so many plugins, remove this plugin after changing your blog’s username.
5. Password Protection
Password is a buzzword in the cybersecurity world.
Here are some quick tips to make your password stronger than ever:
- Make your password 12+ characters
- Use both lower case and upper case letters
- Mix up with numeric values
- Include special sign such as (, %, &, #, @ etc.
- Avoid using any name or date
- It’s better to avoid dictionary words as well
- Here is an example of a strong password: G0me&ui@%F7$o
If you want a strong password that is easy to remember, you can go for a sentence-based password with complex characters. Such as YouGot50%of$2000
6. Login URL
The default login URL of the WordPress blog is yoursite.com/wp-admin or yoursite.com/wp-login.php, which is pretty easy to find out. It’s better to change your default login URL, which means an extra layer of safety.
To do this, install a plugin like Rename WP Login URL to change your default login path to whatever you want from the Permalink section of Dashboard.
7. BruteForce Protection
This step is very effective and essential to keep your WordPress blog safe from average and advanced hackers.
Fortunately, you can use many free and paid security plugins for this job: Limit Login Attempts Reloaded, WordFence, or the All in One WP Security plugin.
These plugins will block any IP address after using the wrong username and password several times based on your setting. It will also notify you via Email when someone tries to log in with the incorrect username and password, just like the above screenshot of my email inbox.
8. Captcha Protection
Although captcha protection seems very common to some people, it plays a vital role in saving your WordPress from automated dictionary attacks and brute force attacks.
It’s a good practice to use captcha on your login page. You can use any captcha plugin from the WordPress store, such as Captcha by BestWebSoft, to set an extra security layer on your WordPress blog.
9. XML-RPC disabling
Most probably, you haven’t heard of XML-RPC before. According to Wikipedia, XML-RPC is a remote procedure call that uses XML to encode its calls and HTTP as a transport mechanism. In short, it is a system that allows you to post on your WordPress blog using popular apps.
However, this is about to change with the advancement of WordPress API, so XML-RPC is no longer used by many essential apps. The only one I can think of that still needs it is Jetpack. So if you are not using Jetpack, you should better disable XML-RPC immediately because it’s an attack vector.
Attackers can use automatic software that can misuse several functions of XML-RPC like the pingback function to conduct malicious activities for instance, DDOS attacks. In these kinds of attacks, hackers bring down websites by sending pingbacks from thousands of sites.
If you want to disable XML-RPC, you can install a plugin like Disable XML-RPC. All you have to do is activate it.
Consider Hiring A WordPress Maintenance Service
You might want to consider a security service or a WordPress maintenance service that takes care of the security as well, which will monitor your site and fix it if you’re hacked again.
If your website is essential to your business income, it can pay many times for itself. Different plans offer varying turnaround times for security fixes.
By reading this article now, you know the following:
- What are the signs that your website may be hacked or at risk of getting hacked: notifications about people logging into admin account or trying to, users complaining that your website is spotted by their antivirus, warnings from your hosting company that your account is compromised or is heavily using the resources, messages from Google that your website may distribute malware, etc.
- What are the nine steps you should take to prevent getting your website hacked: choosing a reliable hosting provider, keeping your software stack updated, paying attention to what modules you install, choosing strong passwords, considering changing your login URL and default username, adding brute force and captcha protection, and finally disabling XML-RPC interface if you are not using it (most probably)
- Why and How to choose a WordPress security service for your website.
Now it’s time to take action because knowledge without action is quite useless. If you are still confused with any of the above security steps, please contact us.