As WordPress becomes more and more popular as a content management system, it also attracts undesired attention from hackers across the globe. With so many WordPress sites active on the web, it is easy for hackers to locate WordPress sites by consistencies in the way WordPress is set up. These include:
By running a few simple searches, a hacker can quickly find sites running on WordPress.
A very common hack attempt is the brute-force login. This is where hackers locate the wp-login.php page and run scripts in an attempt to log in as an administrator. This usually involves using the username “admin” and then using scripts to populate the password field with dictionary-based words and number combinations. This can be quite successful considering how many people these days still use admin/password123 or similar easy-to-crack combinations.
With thousands of free themes and plugins available, and the majority no longer maintained, many sites are left with backdoors waiting to be exploited. Hackers can locate these backdoors and use them to install scripts or malicious code on your website. It is best practice to use paid themes and plugins that are kept updated, or popular items that also receive regular updates.
Incorrect permissions on files and folders on your WordPress hosting can lead to hackers modifying your WordPress install. Ensure the correct file and folder permissions are set up on your installation. Folders should be set to 755 and files set to 644.
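The 755/644 rule can be checked from a shell on the host. The script below is an added example, not part of the original article; the function names are hypothetical and the path you pass is your own WordPress root.

```shell
#!/usr/bin/env bash
# Added example: audit a WordPress tree against the article's rule
# (folders 755, files 644). Function names are hypothetical.

# List every folder that is not exactly 755 and every file that is not
# exactly 644. Output: "dir  <path>" or "file <path>", one per line.
audit_wp_perms() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    find "$1" -type d ! -perm 755 -exec printf 'dir  %s\n' {} +
    find "$1" -type f ! -perm 644 -exec printf 'file %s\n' {} +
}

# Reset only entries that are writable by group or by everyone
# (for example 777 folders or 666 files). Entries that are stricter
# than the rule, such as a 600 file, are left untouched.
tighten_wp_perms() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    find "$1" -type d \( -perm -020 -o -perm -002 \) -exec chmod 755 {} +
    find "$1" -type f \( -perm -020 -o -perm -002 \) -exec chmod 644 {} +
}

# Stand-alone use: ./wp-perms.sh /path/to/wordpress
# Prints the deviations and changes nothing.
if [ "$#" -gt 0 ]; then
    audit_wp_perms "$1"
fi
```

The audit is an exact match, so a file that is stricter than 644 is reported as well; review those entries rather than loosening them.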
Many hackers will inject malicious code into the head of WordPress PHP files. This code can be hard to find, and it can be injected into every single PHP file on your site, making it nearly impossible to find and remove. The best solution is to start fresh with a clean install of WordPress and migrate your content over.
There are a number of ways to help prevent your site from being hacked. Following a few simple rules will give your site the best chance of avoiding a future hack.
This includes:
The above might sound like a lot to do, and it is if you do it manually. Thankfully, there is a plugin that can take care of all this for you. WP Better Security is a free plugin that will greatly increase your security settings with the click of a few buttons.
WordPress regularly releases new versions which often contain crucial bug fixes and updates. It is essential that WordPress is kept up to date to avoid any security breaches.
It is recommended that you take a backup of your database and website before any major updates to avoid any data loss. Backups should be taken regularly anyway, but be sure you aren’t backing up a site that has already been compromised.
Matt runs m2media, a Brisbane Web Design company specialising in WordPress Design and Development. For more information or assistance with either preventing your WordPress site from being hacked, or fixing hacked sites, please contact m2media.