And Safe From Hackers
It’s vital to keep your WordPress website protected because while there are many great features, there are also vulnerabilities, and hackers know what they are. If you think your site is too small, new, or not an eCommerce site, so it’s safe, think again. There are over 90,000 security attacks every minute, and hackers target all WordPress websites.
To keep your site safe, you need to identify the weakest spots of your site, consider the different ways hackers might exploit them, and protect them.
So, Where Are The Weakest Spots Of Your WordPress Site?
Most of the time, hackers aren’t explicitly searching online for your website (especially if it does happen to be brand new or on the smaller side). Many hackers automate the process of sniffing out vulnerabilities by using bots. These bots detect the entryway, and the hackers jump inside. So, really, any WordPress site can become the victim.
It’s essential to be aware of these common weak spots in WordPress to keep hackers and their bots at bay:
Passwords
Hackers know that users aren’t always inclined to create a unique and strong password for every account they have online (if you said, “That’s me,” it’s time to change your ways). This will be one of their first targets on your WordPress site.
Remember, there’s a tradeoff between convenience (ease of remembering) and security. Please consider using a password manager such as Dashlane for all your online passwords.
Any spot on your WordPress site’s backend or front end that requires a login and password is a prime area for targeting. This includes:
- The main WordPress login area
- Comment boards (if you require logins)
- e-Commerce accounts or payment gateways
A word about your username
The default username for the first user you set up with WordPress is “admin.” If you leave this username set as “admin,” you provide hackers with half the information they need to enter your website. Suppose you, or the company that built your site, left the administrator username set as admin. In that case, you’ll want to change it immediately.
Also, if you have a blog that displays the author, make sure it shows the author’s nickname, not the username. You don’t want your login username to display publicly.
Comments
Spam comments can also be problematic, so some people disable comments entirely in WordPress. People who comment will often include links. Sometimes the links are malicious and lead to a site with malware. Other times the link itself is harmless, although it has nothing to do with the post’s topic, and the commenter could have left it there to increase links to their website. See how to avoid WordPress blog spam.
WordPress Core
Over 70% of earlier versions of WordPress have known vulnerabilities. While it’s the responsibility of the WordPress security team to fix these vulnerabilities and keep WordPress updated, it’s your responsibility to ensure your WordPress website is updated promptly and running the latest version.
Plugins
Plugins are even more susceptible to security breaches than the WordPress core; WordPress plugins account for over 50% of all security attacks on WordPress websites. Updates to plugins are usually available soon after a new version of WordPress; you also want to update your plugins promptly.
Before adding new plugins to your site, you want to ensure it’s not a fake plugin and that the developer keeps it up to date. The WordPress repository is an excellent place to start, as those plugins have been reviewed for security and good coding practices. Even so, you will still want to check that a plugin is being kept up to date, and be wary of plugins with few installations.
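The weak spots above (a login still named “admin”, a display name that reveals the login, an outdated core, and a plugin that is behind or no longer maintained) can be checked without touching the live site. The script below is an added example, not code from this article or from WordPress; it reads the core version from the same `$wp_version = '…';` line that `wp-includes/version.php` uses and the `Version:` line of a plugin header, while the user list, the “latest” versions and the plugin dates are constructed samples (in practice they come from the `wp_users` table and the plugin’s repository listing). The one-year “abandoned” threshold is an assumption.

```python
"""Offline audit of common WordPress weak spots (added example, constructed data)."""
import re
from datetime import date

# wp-includes/version.php defines the core version as: $wp_version = '6.4.2';
WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
# A plugin's main file carries a comment header with a "Version:" line.
PLUGIN_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)

STALE_DAYS = 365  # assumption: a plugin untouched for a year is treated as abandoned


def version_tuple(text):
    """'6.4.2' -> (6, 4, 2) so that 6.10 compares greater than 6.9 (string compare would not)."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def core_version(version_php):
    """Extract the installed core version from the text of wp-includes/version.php."""
    m = WP_VERSION_RE.search(version_php)
    return m.group(1) if m else None


def plugin_version(main_file):
    """Extract the installed version from a plugin's main-file header."""
    m = PLUGIN_VERSION_RE.search(main_file)
    return m.group(1) if m else None


def audit_users(users):
    """Flag the default 'admin' login and any display name equal to the login."""
    findings = []
    for u in users:
        if u["user_login"].lower() == "admin":
            findings.append(f"user '{u['user_login']}': default login name, rename it")
        if u["display_name"] == u["user_login"]:
            findings.append(f"user '{u['user_login']}': display name reveals the login, set a nickname")
    return findings


def audit_core(installed, latest):
    """Flag a core install that is behind the latest release."""
    if version_tuple(installed) < version_tuple(latest):
        return [f"core {installed} is behind {latest}, update"]
    return []


def audit_plugin(name, installed, latest, last_updated, today):
    """Flag a plugin that is behind its latest version or has not been updated for STALE_DAYS."""
    findings = []
    if version_tuple(installed) < version_tuple(latest):
        findings.append(f"plugin '{name}' {installed} is behind {latest}, update")
    if (today - last_updated).days > STALE_DAYS:
        findings.append(f"plugin '{name}' last updated {last_updated}, consider replacing it")
    return findings


# Constructed samples standing in for the real files and database rows.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '6.4.2';\n"
SAMPLE_PLUGIN_FILE = "<?php\n/**\n * Plugin Name: Example Gallery\n * Version: 1.2.0\n */\n"
SAMPLE_USERS = [
    {"user_login": "admin", "display_name": "Site Owner"},   # default login name
    {"user_login": "jdoe", "display_name": "jdoe"},          # display name leaks the login
    {"user_login": "editor_kay", "display_name": "Kay"},     # fine
]


def run_audit(today=date(2024, 1, 15)):
    """Run every check over the constructed samples; 'latest' values are constructed too."""
    findings = audit_users(SAMPLE_USERS)
    findings += audit_core(core_version(SAMPLE_VERSION_PHP), "6.4.3")
    findings += audit_plugin("Example Gallery", plugin_version(SAMPLE_PLUGIN_FILE),
                             "1.3.0", date(2022, 6, 1), today)
    return findings


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

Comparing versions as integer tuples matters: a plain string comparison would rank “6.10” below “6.9” and silently miss an update.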
Why Do Hackers Want To Get Into Your WordPress Website?
Are you thinking, “My website’s not an e-Commerce site, and I don’t have anything on my website that needs to be protected”? Or “I’m a small local business, hackers wouldn’t bother with my website”?
The thing is, hackers aren’t just looking to break in and steal from big companies. What they’re looking for is any vulnerability they can exploit.
Here are nine of the things hackers will do when they can get into a site:
1. Inject Malicious Content
In some cases, hacking is simply about getting malicious content or code onto the front end of your WordPress site with the hopes that your visitors then click on the errant links. This may happen through comment spam, hijacking your site’s email and sending spam messages to your followers, or actual content submissions.
2. Spread Viruses
Sometimes hackers want to use your WordPress site to spread viruses and malware. They can do this using malicious code they’ve written into the backend or with files uploaded for download on the front end. When visitors interact with them, hackers steal the visitors’ information or use their computers to spread viruses to other websites.
3. Steal Visitors’ Personal Information
While any security breach is bad for business, this could also mean compensating your visitors and customers for the money and privacy compromised in the attack, in addition to their loss of trust in your business. Sometimes hackers do this for their own personal monetary gain, or sometimes they’re trying to make some statement.
4. Steal Business’s Private Information
You keep details about your company – especially financials and customer account details – private, which is why it’s crucial not to sync that information to your website.
5. Host Phishing Pages from Your Server
Phishing on websites is when hackers create a fake page to collect information from visitors willing to give it. They can do this by embedding a contact form on the page and directly collecting information or redirecting visitors to another website where that information will be lifted.
6. Host Legitimate Pages from Your Server
Some hackers may take the time to build out legitimate pages on WordPress sites to improve their SEO. These pages talk up their business and link back to their website to give their site more clout in search. Or they may skip the landing page and instead use a system of backlinks from your site to theirs.
7. Overload Your Web Server
When hackers overload your web server with an influx of hits, this is what’s known as a DDoS (distributed denial of service) attack. Once they hit the threshold, your site goes down. What’s the point of doing this? It could be for bragging rights. The site may be one of many victims of a significant widespread attack. Or maybe they did it to demand a ransom.
8. Steal Your Server Bandwidth
Hackers may steal your server’s resources to host nefarious activities, such as Bitcoin mining and brute force attacks on other websites. Learn more about cryptojacking in this Scientific American article written December 2017.
9. Vandalize Your Website
And, of course, there’s website vandalism. For the most part, hackers are doing this to establish a calling card for themselves while simultaneously hurting your brand. One such defacement happened to a massive number of WordPress websites in February 2017 and continued to happen even after WordPress issued the patch because users didn’t update right away.
Steps To Keep Your WordPress Website Safe and Protected
Remember that having a WordPress website is not a set-it-and-forget-it kind of thing. When you do the following, you’ll be keeping one of your most valuable marketing tools safe and working well for you:
- Back up the filesystem and database regularly, at least weekly
- Update WordPress, plugins, and themes promptly
- Make sure all the plugins and themes are kept updated by the plugin authors so that they are secure and compatible with the latest version of WordPress
- Keep your username and passwords secure
- Use a security plugin, monitor activity regularly and run vulnerability scans regularly
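The first step on that list, regular backups of both the filesystem and the database, is the one that rescues you when everything else fails. The script below is an added example, not code from this article or from WordPress: it reads the database credentials from `wp-config.php`, archives the install directory, dumps the database with `mysqldump` (password passed through the `MYSQL_PWD` environment variable rather than the command line), and keeps only the newest few backup sets. The `demo()` function builds a throwaway install in a temporary directory so the file and retention logic can be exercised offline; the sample `wp-config.php` contents are constructed, and the `wp_root`, `dest_dir` and `keep` names are this example’s own.

```python
"""WordPress filesystem + database backup with retention (added example)."""
import os
import re
import subprocess
import tarfile
import tempfile
from datetime import datetime
from pathlib import Path

# wp-config.php defines credentials as: define( 'DB_NAME', 'example' );
CONFIG_RE = re.compile(
    r"define\(\s*'(DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)'\s*,\s*'([^']*)'\s*\)"
)


def read_db_config(wp_config_text):
    """Return the DB_* constants from wp-config.php as a dict."""
    return dict(CONFIG_RE.findall(wp_config_text))


def backup_files(wp_root, dest_dir, stamp):
    """Archive the whole install (wp-content holds uploads, themes and plugins).
    The archive contains wp-config.php and therefore the DB password: store it
    with restricted permissions, off the web server."""
    archive = Path(dest_dir) / f"files-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(wp_root, arcname="wordpress")
    return archive


def dump_database(cfg, dest_dir, stamp):
    """Dump the database with mysqldump. MYSQL_PWD keeps the password out of
    the process list; --single-transaction gives a consistent InnoDB snapshot."""
    out = Path(dest_dir) / f"db-{stamp}.sql"
    env = dict(os.environ, MYSQL_PWD=cfg["DB_PASSWORD"])
    cmd = ["mysqldump", "--single-transaction", "-h", cfg["DB_HOST"],
           "-u", cfg["DB_USER"], cfg["DB_NAME"]]
    with open(out, "w") as fh:
        subprocess.run(cmd, stdout=fh, env=env, check=True)
    return out


def prune(dest_dir, prefix, keep):
    """Delete all but the newest `keep` backups with the given prefix; stamps sort by date."""
    files = sorted(Path(dest_dir).glob(f"{prefix}-*"))
    for old in files[:-keep]:
        old.unlink()
    return files[-keep:]


def run_backup(wp_root, dest_dir, keep=4):
    """One full backup set: files, database, then retention for both."""
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S")
    cfg = read_db_config((Path(wp_root) / "wp-config.php").read_text())
    files = backup_files(wp_root, dest_dir, stamp)
    db = dump_database(cfg, dest_dir, stamp)
    prune(dest_dir, "files", keep)
    prune(dest_dir, "db", keep)
    return files, db


# Constructed wp-config.php fragment used by demo(); the password is a placeholder.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wp_site' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'placeholder-secret' );
define( 'DB_HOST', 'localhost' );
"""


def demo(keep=2):
    """Offline walk-through: fake install, three 'nightly' file backups, retention."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "site"
        (root / "wp-content").mkdir(parents=True)
        (root / "wp-config.php").write_text(SAMPLE_WP_CONFIG)
        (root / "wp-content" / "index.php").write_text("<?php // Silence is golden\n")
        dest = Path(tmp) / "backups"
        dest.mkdir()
        cfg = read_db_config((root / "wp-config.php").read_text())
        stamps = ["20240101-020000", "20240102-020000", "20240103-020000"]
        archives = [backup_files(root, dest, s) for s in stamps]
        with tarfile.open(archives[-1]) as tar:
            members = sorted(tar.getnames())
        kept = [p.name for p in prune(dest, "files", keep)]
        return {"cfg": cfg, "members": members, "kept": kept}


if __name__ == "__main__":
    print(demo())
```

Run `run_backup("/var/www/html", "/var/backups/wp")` from a nightly cron job on the server; `demo()` only exercises the file and retention parts because it needs no database. Keeping the newest four weekly sets means a site defaced or infected two weeks ago can still be restored from a clean copy.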
For more tips, see WordPress Website Maintenance and Security.
—
Would you like help and support to keep your WordPress site secure and safe from malicious code, vulnerabilities, and corrupt files; functioning correctly; and kept up-to-date and backed up? Webb Weavers Consulting can have your back with a WordPress Website Maintenance Plan.