Why is website security so Important on your WordPress website?

Website security should be an integral part of building a website especially on in WordPress. WordPress is one of the most popular site-building platforms out there. And for good reason – it’s user-friendly, versatile, and relatively affordable. But because it’s so popular, WordPress sites are also a prime target for hackers. That’s why website security is so important if you have a WordPress site. In this post, we’ll talk about some of the best ways to keep your WordPress site secure.

WordPress sites are popular targets for hackers because they’re popular and open-source.

WordPress sites are popular targets of hackers because there are so many people that use them.  If a hacker is able to get into a vulnerable not updated plugin they will also be able to get into other sites running that plugin.  Being that so many people use WordPress and these plugins they have more a shot of hacking more sites rather than trying to hack smaller platforms. WordPress sites are also made on php, that if not protected my be easier to hack than other platforms. Additionally, WordPress sites often host sensitive information such as user names, passwords, and credit card information. This makes them a valuable target for hackers who can sell this information on the black market.

Being that WordPress is open-source (which I believe is a good thing as it is free and people can make many things for it) means that anyone can view the source code and look for vulnerabilities to exploit. Hackers can exploit vulnerabilities in the WordPress code to take over your site or inject malicious code that can redirect your visitors to other websites.

How often do hackers try to breach sites?

Though it’s not really known how often sites are hacked it is extremely common to have many hack attempts per week even on a small site and this is why website security is so important.  Sucuri has some great information about the state of hacking. Though people may think it is like the movies and it is one guy trying passwords or doing certain things to get into a certain site this is rarely the case.  Most of the time there are hacker created bots that try and have the biggest footprint they can.  They often try to hack certain vulnerabilities of certain plugins by mass.  So a lot of times they may be setting and forgetting hoping to snag a successful login or a backdoor access.  To really understand this it actually makes more sense to look at some images that show just how rampant hacking is.

The first thing we have is an image showing the top 10 of how many IPs were blocked per country from August 29th to September 4th for this website.

Next we have the actual attack attempts that have been blocked by Wordfence for this website.

The last one we have is the total amount of hacking attempts blocked for the whole Wordfence plugin network for 24 hours.

Wordfence is just one security plugin for WordPress.  So if we think about how often it happens with that one plugin we can see how massive this is for all websites on the internet that are using different security plugins, not using a security plugin, or not even on the WordPress platform.

There are simple security measures that can be taken to deter hackers

There are a few simple security measures that can be taken to deter hackers. There are many different things that may not cost much to help keep your sites safe. Some ideas are great hosting, keeping plugins, themes and WordPress updated, using a good security plugin like Wordfence, having an SSL, using strong passwords, limiting user access, and also using a cdn with security like Cloudflare.  Though it doesn’t deter hackers having a somewhat recent backup is basically mandatory if you want to be able to get a hacked site back up quickly. By taking these measures, you can help to keep your website safe from potential attacks.

1. Having a good host is always a must.  I didn’t realize this until I really got into web design and started seeing slow sites due to hosting, but on top of speed good hosts will have security features like DDoS protection, firewalls, brute force protection, security monitoring, virus scanning and more.
2. One of the most important things and the only way I have had a site hacked was by having plugins, themes and WordPress that hadn’t been updated in a long time (it was a site I was no longer using and just let it sit for about 4 years and didn’t update at all).  Hackers are often looking for back doors through plugins that have security vulnerabilities.  Most of the time plugin developers will update their plugins or themes to fix the vulnerabilities, but if you don’t update them then you are at much more risk of hacking. If you would like to see what plugins and themes have vulnerabilities you should subscribe to IThemes security, they do a weekly report of all plugins, themes and WordPress versions that have vulnerabilities.  Check out these weekly vulnerabilities at IThemes.
3. Another super easy way to really bolster your security is to get a security plugin.  Though there are paid ones I use the free version of Wordfence and have used IThemes Security in the past.  There are some other options as well but these are the ones I would use.  Any site we build we add Wordfence to as it’s free and seems to work very well with lots of features.  For the most part it is set and forget but every now and then there is a little setup depending on your site and integrations.
4. Not only does having an SSL help with SEO and gives customers piece of mind by showing the lock it can help you keep your site safer. We have written a blog post previously on the importance of SSLs. In short an SSL encrypts all communication between the website and the user’s browser. Any decent host should provide free SSLs.
5. Strong passwords and limiting users access can go a long way to increasing security especially from those that may be acquaintances.  Make sure your password is not something like 1234 or password those will be guessed all day long.  Also only giving admin access to people you trust is very important to make sure they are not able to make trouble with your site.
6. Cloudflare helps with security on your website by providing a number of security features, including a web application firewall, DDoS protection, and SSL/TLS encryption.  The best thing about it is that they have a free plan that is almost all you ever need. Oh and another benefit is it will speed up your site as it is a CDN. A content delivery network (CDN) is a system of distributed servers (network) that deliver webpages and other Web content to a user based on the geographic locations of the user, the origin of the webpage and a content delivery server.
7. There are many free backup plugins to take one time backups.  We will often use All In One WP Migration.  Take a backup regularly and just keep it somewhere safe.  If someone does hack your site then you can easily go back to how it was previously.

What do I do if my website gets hacked?

Website security is paramount to not having a website get hacked, but even then it can happen. If your website gets hacked, you should take immediate action to secure your site and prevent further damage. You should also contact your hosting provider and let them know about the security breach. They may be able to help you recover your website and prevent future attacks.

It will all depend on what the hack is and how the individual got into the site.  The severity as well as the protocol may be different for each instance.

• If your site has an admin user that changed your password and didn’t tell you what it was there may be a few different ways to handle this.
  • If you have access to your hosting you may be able to login from something like Softaculous without a login.  That is the easiest way if you have this hosting feature.
  • You may also be able to go into your hosting and use PHP My Admin to change a user password.  This is a great tutorial on how to do that.
  • After you get access delete the user account of the offender.
• If your site is now showing strange things and you have access here are a couple options.
  • Go into the site try to restore a backup you have.
  • You may also have to have your hosting company restore a Cpanel or hosting backup.
  • Either way after the site is back then make sure to change password.
  • Update any plugins, themes and WordPress that needs it and check IThemes to see if there are vulnerabilities and then delete the plugin.
• If you have actual malware this can be tricky.
  • You may want to talk to your host to make sure it is not further in your hosting files and not just in WordPress.
  • You may need to totally wipe your hosting account or delete WordPress then reinstall WordPress and try to restore your backup
  • When you get it back again change the password.
  • Update any plugins, themes and WordPress that needs it and check IThemes to see if there are vulnerabilities and then delete the plugin.
  • You may also look at Sucuri’s Malware Removal and security if you need this.

There are probably a million different circumstances that need other fixes but these are a few to get you going.  If it isn’t a password breach it is often an old plugin breach so just update everything and make sure there aren’t security vulnerabilities.

WordPress website security is an ongoing process, and small businesses need to be vigilant in order to keep their sites safe. Depending on the size and complexity of your website, you may need to hire a WordPress security expert to help you keep your site secure. By taking the correct steps, small businesses can help protect their WordPress sites from attack. If you need any help with getting your site secure, have questions about security, or your site has been hacked lets us know and we may be able to help.