How to Protect Your WordPress Site from Hackers
By Julia Borgini

WordPress powers over one-quarter of the world's websites, from CNN and Best Buy to a lot of B2B Writing Success members (like me!).

Cybercriminals are paying attention, and they're starting to hack WordPress sites more frequently. They shut down your site or redirect visitors to an inappropriate one.

Your traffic plummets and all of the time, energy, effort, and money you've put into your site starts to evaporate.

According to Sucuri, a web security firm, 78% of the hacked and infected websites they looked at were WordPress sites.

The main reason is that WordPress is open source software, which means the code for it is visible to everyone — and makes it an easy target for cybercriminals.

If they can find a security hole in the WordPress code itself, or in a popular plugin used on WordPress sites, they've got quick access to a large number of sites.

Who would attack your freelance site?

Generally speaking, your site would be attacked by: a human, a bot, or a botnet.

  • Human cybercriminals tend to target high-value websites that store valuable information like financial or other private data because they can then sell it on the black market.

    These types of attacks are quite sophisticated because the cybercriminal is able to control the speed at which they attack your site and to avoid any security measures you may have in place.

  • Bots are software programs that target a large number of websites looking for a vulnerability in well-known software like WordPress. They're usually just trolling for information that they would then use to exploit your site.

    An example of this would be checking to see if you're running a version of WP that has a known security hole and then exploiting it automatically.

  • Botnets are a collection of computers running bots in parallel, all trying to hack a massive number of websites at the same time. Usually the first bot will turn the host site into a member of the "hive," and then it multiplies quickly from there.

What do cybercriminals do with your site?

Hackers are looking to control your website at an administrative level so they can read all the files and data on your site. They can modify any file they want, make changes to your database, and ultimately change the way your site behaves (including altering the content it serves to visitors).

Hackers use your small WP site to:

  • Send spam: Hackers install scripts and programs on your site that send out spam emails, so it looks like you're the spammer.
  • Host malicious content to avoid content filters: Instead of sending spam, they may take over your site and host criminal or other spam content on it, such as porn and illegal drug sales.

    This helps them get their content on the internet because your site does not yet have a bad reputation online, so it makes it through all the typical filters.

  • Redirect site visitors to another malicious or spam website: Just like they may use your site to host malicious content and get past filters, they may use your website to redirect traffic to other malicious or spam websites.

    Your site is not flagged as a known spammer (yet) or "bad" site, so it bypasses most basic filters on web browsers or servers. If they include your URL in a spam email, it bypasses spam filters in email programs and still redirects recipients to the malicious website (this is also known as "spamvertising").

  • Attack other sites: Once they have control of your site, hackers use your site to run bot attack scripts to hack into other websites. They may use it alone or as part of a botnet cluster to perform mass attacks like brute force attacks.
  • Steal your website data: Most freelance websites aren't the kind of site a hacker would target for data theft, but it's included on this list for completeness.

    Your site may be a target of hackers if you store customer and member names and email addresses. Hackers either target those people for attack or sell the data on the black market for other criminal activities like identity theft.

How can you protect your WordPress site?

To avoid the headache of a hacked site, all the work it would take you to restore it, and the potential loss of reputation you might endure, here's a list of things you can do to protect your website.

  1. Use strong usernames and passwords for all users on your site. If you're not good at developing a strong password, simply search for "password generator" in your favorite search engine and you'll find plenty to choose from.
  2. Remove the 'admin' username from your website immediately. It's a default option that many people don't bother changing, but it makes it so much easier for cybercriminals to access your site. Pro tip: When you replace it, avoid simply combining 'admin' with your name, as that is too easy to guess.
  3. Keep your WP site and all plugins updated. Many people remember to update WP, but forget the plugins, which is a problem for you if you're using a popular plugin.
  4. Delete any unused themes and plugins from your site.
  5. Obscure your site's login page. All WP sites use for the user login page and for the admin login on every single WP site.

    Makes it pretty easy for hackers to figure out your site's "doorway," doesn't it? Obscuring these pages reduces the number of automated cyberattacks your site will get.

    Security plugins (like Wordfence) tend to offer this option, so check to see if your favorite security plugin offers it too.

  6. Install a security plugin. There are both freemium and premium plugins out there, so do a little research to see which works best for you and your budget. Just make sure you're buying it from a reputable developer and not a cybercriminal!

Advanced Geek WP security option

Keep your WP files protected on your web host's servers. For your website to work, WP needs read/write access to certain folders on your web host’s servers, such as your wp-content folder, which is where all of your uploaded images and files go.

For more information on file permissions in WP, check out this post and the explanation from the WP Codex.
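
As an added example (not from the original article or the WP Codex), this shell script audits a WordPress folder for two permission mistakes that matter on shared hosting: paths that anyone can write to, and a wp-config.php that every account can read. The function names, the sample site and the 640 mode are assumptions for illustration; the script builds a constructed site in a temporary folder, so it can be run anywhere.

```shell
#!/bin/sh
# Added example: list over-permissive paths in a WordPress tree.

# Print one finding per line for the WordPress directory given as $1.
audit_wp_perms() {
    root=$1
    # Anything world-writable can be changed by every account on a shared host.
    find "$root" \( -type f -o -type d \) -perm -0002 -print |
        sed 's/^/WORLD-WRITABLE /'
    # wp-config.php stores the database password; "other" should not read it.
    if [ -f "$root/wp-config.php" ]; then
        find "$root/wp-config.php" -perm -0004 -print |
            sed 's/^/CONFIG-READABLE /'
    fi
}

# Build a constructed sample site with two deliberate mistakes.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/uploads"
    : > "$site/wp-config.php"
    : > "$site/index.php"
    chmod 755 "$site" "$site/wp-content"
    chmod 777 "$site/wp-content/uploads"   # mistake 1: world-writable uploads
    chmod 644 "$site/index.php"
    chmod 644 "$site/wp-config.php"        # mistake 2: config readable by all
    echo "$site"
}

# Tighten the two modes the audit complains about (assumed safe values).
fix_sample_site() {
    chmod 755 "$1/wp-content/uploads"
    chmod 640 "$1/wp-config.php"
}

site=$(make_sample_site)
echo "Before:"; audit_wp_perms "$site"
fix_sample_site "$site"
echo "After: $(audit_wp_perms "$site" | wc -l | tr -d ' ') findings"
rm -rf "$site"
```

To check a real install, call audit_wp_perms with the path to your site's root folder, and confirm with your web host which modes their setup needs before changing anything.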

Final security thoughts

Online security is an important thing to remember these days, especially when it comes to open source software like WordPress.

The free cost makes it attractive to smaller website owners like B2B Writing Success members. Just remember that cybercriminals are paying attention. They can find out who's using WP and they know how to exploit it for their own gain.

Avoid the headaches of a hacked website before it happens and take a look at your site's security setup. You'll save a lot of time, effort, and your online reputation.

Are you using any different security tactics on your WordPress site? Share them in the comments below, as we can all benefit from your experience.

This article, How to Protect Your WordPress Site from Hackers, was originally published by B2B Writing Success.

Published: August 11, 2016

4 Responses to “How to Protect Your WordPress Site from Hackers”

  1. Hi Julia,

    I wonder why hackers would be interested in "little 'ole me", but then I consider that we work with prominent companies that would be a target. I am not a techie by any means, so I am glad you wrote this. Questions: How are we to know who is a reputable dealer vs. cybercriminal? Re: Professionals who manage other people's websites; do they know to do all of this and can someone like me depend on them to do all of this?

    Nora King, August 12, 2016 at 11:56 am

  2. Thank you for this information; it was very useful, and the question asked was the question I had. Is there any way to stop the cybercriminal if a site is already hacked?

    Guest (Write life), August 17, 2016 at 3:51 pm

  3. My site was attacked by a hacker this Friday and he/she installed some script on my site.

    When I open my homepage it shows Hacked by:
    their names bla bla and some gay music plays

    I deleted all files and changed host, and now I read this article and my mistake was the password. I had Admin as username, so practically the hacker had 50% of my password.

    Guest (Barbo), December 4, 2016 at 5:38 pm
