How to Protect Your WordPress Site from Hackers
By Julia Borgini
WordPress powers over one-quarter of the world's websites, from CNN and Best Buy to a lot of B2B Writing Success members (like me!).
Cybercriminals are paying attention, and they're starting to hack WordPress sites more frequently. They shut down your site or redirect visitors to an inappropriate one.
Your traffic plummets and all of the time, energy, effort, and money you've put into your site starts to evaporate.
According to Sucuri, a web security firm, 78% of the hacked and infected websites they looked at were WordPress sites.
The main reason is that WordPress is open source software: its code is visible to everyone, which makes it an easy target for cybercriminals.
If they can find a security hole in the WordPress code itself, or in a popular plugin used on WordPress sites, they get quick access to a large number of sites at once.
Who would attack your freelance site?
Generally speaking, your site would be attacked by one of three things: a human, a bot, or a botnet.
- Humans: Human cybercriminals tend to target high-value websites that store valuable information like financial or other private data, because they can then sell it on the black market. These attacks are quite sophisticated because the cybercriminal can control the speed at which they attack your site and avoid any security measures you have in place.
- Bots: Bots are software programs that scan a large number of websites looking for a vulnerability in well-known software like WordPress. They're usually just trolling for information they can then use to exploit your site, for example checking whether you're running a version of WP with a known security hole and then exploiting it automatically.
- Botnets: Botnets are collections of computers running bots in parallel, all trying to hack a massive number of websites at the same time. Usually the first bot turns the host site into a member of the "hive," and it multiplies quickly from there.
What do cybercriminals do with your site?
Hackers are looking to control your website at an administrative level so they can read all the files and data on your site. They can modify any file they want, make changes to your database, and ultimately change the way your site behaves (including altering the content it serves to visitors).
Hackers use your small WP site to:
- Send spam: Hackers install scripts and programs on your site that send out spam emails, so it looks like you're the spammer.
- Host malicious content to avoid content filters: Instead of sending spam, they may take over your site and host criminal or other spam content on it, such as porn and illegal drug sales. This helps them get their content onto the internet because your site does not yet have a bad reputation online, so it makes it through all the typical filters.
- Redirect site visitors to another malicious or spam website: Just as they may use your site to host malicious content and get past filters, they may use your website to redirect traffic to other malicious or spam websites. Your site is not flagged as a known spammer (yet) or "bad" site, so it bypasses most basic filters on web browsers or servers. If they include your URL in a spam email, it bypasses the spam filters in email programs and still redirects recipients to the malicious website (this is also known as "spamvertising").
- Attack other sites: Once they have control of your site, hackers use it to run bot attack scripts against other websites. They may use it alone or as part of a botnet cluster to perform mass attacks like brute force attacks.
- Steal your website data: Most freelance websites don't hold the kind of data that would make them worth targeting for criminal activity, but it's included on this list for completeness. Your site may be a target if you store customer and member names and email addresses. Hackers either target those people for attack or sell the data on the black market for other criminal activities like identity theft.
How can you protect your WordPress site?
To avoid the headache of a hacked site, all the work it would take you to restore it, and the potential loss of reputation you might endure, here's a list of things you can do to protect your website.
- Use strong usernames and passwords for all users on your site. If you're not good at coming up with a strong password, simply search for "password generator" in your favorite search engine and you'll find plenty to choose from.
- Remove the 'admin' username from your website immediately. It's a default option that many people don't bother changing, but it makes it so much easier for cybercriminals to access your site. Pro tip: Don't just replace it with a username that combines 'admin' with your name, as cybercriminals can guess that one too easily.
- Keep your WP site and all plugins updated. Many people remember to update WP but forget the plugins, which is a problem for you if you're using a popular plugin with a known hole.
- Delete any unused themes and plugins from your site.
- Obscure your site's login page. Every WP site uses http://websitename.com/wp-login.php for the user login page and http://websitename.com/wp-admin.php for the admin login. That makes it pretty easy for hackers to figure out your site's "doorway," doesn't it? Obscuring these pages reduces the number of automated cyberattacks your site will get. Security plugins (like Wordfence) tend to offer this option, so check to see if your favorite security plugin offers it too.
- Install a security plugin. There are both freemium and premium plugins out there, so do a little research to see which works best for you and your budget. Just make sure you're buying it from a reputable developer and not a cybercriminal!
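The login page the article calls your site's "doorway" is also where automated attacks show up first: in your web server's access log, as a burst of POST requests to wp-login.php from a single address. The following shell script is an added example, not code from the article, from WordPress, or from any security plugin. It counts those POSTs per client IP in an Apache or Nginx combined-format access log and flags any address above a threshold you choose. The function names and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article): spot repeated login attempts
# against wp-login.php in a combined-format web server access log.
# Function names are hypothetical; the sample log below is constructed.

# write_sample_log FILE
# Writes a constructed access log: one address hammers the login form five
# times, one visitor logs in normally, one never touches the login page.
write_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:14:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:14:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:14:10:05 +0000] "GET /about/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
EOF
}

# wp_login_attempts LOGFILE
# Prints "<count> <ip>" for every address that POSTed to wp-login.php,
# busiest first. Only POSTs count: a GET just displays the form.
wp_login_attempts() {
  grep '"POST /wp-login\.php' "$1" \
    | awk '{print $1}' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# wp_login_offenders LOGFILE THRESHOLD
# Prints only the addresses with more than THRESHOLD login POSTs.
wp_login_offenders() {
  wp_login_attempts "$1" | awk -v t="$2" '$1 > t {print $2}'
}

# Stand-alone demo on the constructed log.
demo_log=$(mktemp)
write_sample_log "$demo_log"
echo "Login POST attempts per address:"
wp_login_attempts "$demo_log"
echo "Addresses with more than 3 attempts:"
wp_login_offenders "$demo_log" 3
rm -f "$demo_log"
```

On a live server you would point wp_login_offenders at the real access log (commonly under /var/log/apache2/ or /var/log/nginx/) and hand the resulting addresses to whatever blocking your host or security plugin provides; the threshold depends on how many legitimate login attempts your own users make.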
Advanced Geek WP security option
Keep your WP files protected on your web host's servers. For your website to work, WP needs read/write access to certain folders on your web host's servers, such as your wp-content folder, which is where all of your uploaded images and files go.
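To make that tip concrete, here is an added shell example, not code from the article or from WordPress, that audits a WordPress install directory for the permission problems the tip is about: files that anyone on the server can write to, a wp-config.php that anyone can read, and PHP files sitting in wp-content/uploads where only uploaded media belongs. The function names are hypothetical, the sample directory tree is constructed, and the 755/644/600 baseline applied by wp_perm_fix is the commonly recommended one rather than something the article specifies.

```shell
#!/bin/sh
# Added example, not from the original article: audit (and optionally fix)
# file permissions in a WordPress install directory. WordPress needs to write
# only to certain folders such as wp-content; everything else should be
# readable but not writable by anyone else on the server.
# Function names are hypothetical; the sample tree is constructed.

# wp_perm_audit WPROOT
# Prints one "<finding> <path>" line per problem. Empty output means clean.
wp_perm_audit() {
  root="$1"
  # Finding 1: anything writable by "others" (mode bit 002) can be altered by
  # any local account on a shared host, core files included.
  find "$root" ! -type l -perm -002 | sed 's/^/world-writable /'
  # Finding 2: wp-config.php holds the database credentials and must not be
  # readable by "others" (mode bit 004).
  if [ -f "$root/wp-config.php" ]; then
    find "$root/wp-config.php" -perm -004 | sed 's/^/world-readable /'
  fi
  # Finding 3: wp-content/uploads is for images and documents; a PHP file
  # there is a classic sign that someone planted a script on the site.
  if [ -d "$root/wp-content/uploads" ]; then
    find "$root/wp-content/uploads" -type f -name '*.php' | sed 's/^/php-in-uploads /'
  fi
}

# wp_perm_fix WPROOT
# Applies the common baseline: directories 755, files 644, wp-config.php 600.
# It only changes modes and never deletes anything, so a PHP file found in
# uploads still has to be reviewed by hand.
wp_perm_fix() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then
    chmod 600 "$root/wp-config.php"
  fi
}

# make_sample_tree DIR
# Builds a constructed, deliberately misconfigured mini WordPress layout.
make_sample_tree() {
  mkdir -p "$1/wp-content/uploads" "$1/wp-includes"
  chmod 755 "$1" "$1/wp-content" "$1/wp-content/uploads" "$1/wp-includes"
  printf '<?php // constructed sample, not a real config\n' > "$1/wp-config.php"
  chmod 644 "$1/wp-config.php"                       # readable by everyone: bad
  printf 'core file\n' > "$1/wp-includes/stray.txt"
  chmod 666 "$1/wp-includes/stray.txt"               # world-writable: bad
  printf '<?php // constructed sample\n' > "$1/wp-content/uploads/dropped.php"
  chmod 644 "$1/wp-content/uploads/dropped.php"      # script in uploads: bad
  printf 'image bytes\n' > "$1/wp-content/uploads/photo.jpg"
  chmod 644 "$1/wp-content/uploads/photo.jpg"        # normal upload: fine
}

# Stand-alone demo: audit the constructed tree, fix it, audit again.
demo=$(mktemp -d)
make_sample_tree "$demo"
echo "Before fix:"
wp_perm_audit "$demo"
wp_perm_fix "$demo"
echo "After fix:"
wp_perm_audit "$demo"
rm -rf "$demo"
```

Run wp_perm_audit against your real install directory first and read the findings before running wp_perm_fix: some hosts deliberately rely on group-writable wp-content directories for uploads and plugin updates, and the audit's third finding (a PHP file in uploads) is something to investigate, not something a chmod can resolve.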
Final security thoughts
Online security is an important thing to remember these days, especially when it comes to open source software like WordPress.
Being free makes it attractive to smaller website owners like B2B Writing Success members. Just remember that cybercriminals are paying attention: they can find out who's using WP, and they know how to exploit it for their own gain.
Avoid the headaches of a hacked website before it happens and take a look at your site's security setup. You'll save a lot of time, effort, and your online reputation.
Are you using any different security tactics on your WordPress site? Share them in the comments below, as we can all benefit from your experience.