Maintaining website security is a serious matter. Knowing how to improve your WordPress security can be the difference between running a successful site and ruining your reputation or losing your business to cybercriminals who are always on the prowl. The number of compromised websites keeps growing as consumer demand and internet use rise. In fact, the number of WordPress databases that have been hacked has doubled since 2009; in 2012 the figure stood at a whopping 170,000 websites.
If you are an online marketer, you most likely already work on, or will work on, a WordPress-based website. Thousands of active infections and malware strains circulate on the internet, and a good number of them target WordPress sites. What makes or breaks a site's security is the setup that limits the vulnerabilities affecting it. Below are some of these vulnerabilities, most of which are easily avoidable:
- Having outdated software
- Poor system authentication and credential management
- Poor system administration protocols
- Limited technical knowledge
- Poor server security
- Shortcuts during implementation and security configuration
Common WordPress vulnerabilities and attack types
Knowing why your WordPress database is vulnerable already gets you halfway towards robust protection. You should also know the typical attacks that sites like yours are most often subjected to. The following paragraphs discuss common security issues in WordPress.
Backdoors
Backdoors let attackers into your website through channels that bypass the normal access methods such as the WordPress admin login, FTP and so on. How dangerous a backdoor is depends on how the hacker gained access, which determines how much damage they can or cannot do. Backdoors can wreak untold havoc on your server and website.
Drive-by downloads
Drive-by downloads are usually planted on your website through some form of script injection. Their purpose is to download malware onto the visitor's own machine. A common drive-by download is a message informing the user that they have been infected with a virus and advising them to install a bogus anti-virus product in order to remove the malware.
Pharma hacks
Pharma hacks are another common tool used by cybercriminals. A pharma hack is usually categorized as SPAM (short for ‘stupid pointless annoying messages’). If your site is found to be distributing SPAM following a pharma hack, you risk being flagged by Google, which will warn potential visitors on search engine results pages or social media that your site may be compromised – very bad for business, obviously.
Malicious redirects
Put very simply, malicious redirects send users from the site they wanted to visit to a malicious website. If a visitor is redirected from your site to another website, not only is this very annoying to them, but they may also be exposed to infectious malware, unwanted advertising or random foreign sites.
Brute force attacks
A brute force attack is when someone attempts to gain access to your site by trying a large number of username and password combinations until they find one that works. This is why you are advised not to use common usernames and easily guessable passwords. Short passwords are much easier to guess than longer ones; for the latter, the hacker may use a program that guesses passwords at a faster rate.
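As an added illustration (not part of the original article), the following POSIX shell function counts POST requests to wp-login.php per source IP in a combined-format Apache/Nginx access log and lists the addresses that reach a threshold, which is the simplest way to spot a brute force run in your own logs. The log lines are constructed samples, and the threshold default is an assumption.

```shell
#!/bin/sh
# Added example: spot brute force logins against wp-login.php in an access log.
# Assumption: a login attempt is a POST to /wp-login.php (a real login also
# POSTs once, so the signal is a high count from one address, not one hit).
# Run it over a single rotated log, or pipe the last hour through `tail`.

# Usage: wp_login_floods LOGFILE [THRESHOLD]
# Prints "COUNT IP", highest first, for IPs with at least THRESHOLD attempts.
wp_login_floods() {
    logfile="$1"
    threshold="${2:-20}"
    awk -v thr="$threshold" '
        # combined log: $1 = client IP, $6 = "METHOD (with opening quote),
        # $7 = request path
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= thr) print hits[ip], ip }
    ' "$logfile" | sort -rn
}

# Writes a constructed sample log (not real traffic) to the path given:
# 30 rapid POSTs from one address, plus ordinary traffic from two others.
make_sample_log() {
    out="$1"
    : > "$out"
    i=0
    while [ "$i" -lt 30 ]; do
        echo '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3221 "-" "python-requests/2.31"' >> "$out"
        i=$((i + 1))
    done
    echo '198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"' >> "$out"
    echo '198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"' >> "$out"
    echo '192.0.2.9 - - [10/Oct/2023:13:57:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"' >> "$out"
}
```

Addresses this flags are candidates for a firewall or host-level block; one legitimate login never reaches the threshold.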
Zero-day attacks
A zero-day attack takes advantage of a previously unknown vulnerability in your WordPress site, and it happens before you are aware that the vulnerability exists. This kind of attack is relatively difficult to foresee and prevent because it comes before the developers have detected the problem and taken steps to fix it. However, keeping your general site security up to date can help.
Top security tips to prevent site hacking
- Talk to your web host – reports have shown that over 40 percent of website attacks occur at the server level. Ask your web host what measures they have in place to keep your databases secure. The host can delete generic accounts so that you always know who has access to your website’s backend. Get rid of any non-essential access points or credentials, including SSH, FTP and wp-admin. Steer clear of cheap web hosting services with shady references.
- Regular backups – while prevention is always better than cure, it is important to run backups frequently and regularly so that, if your site is attacked, you can restore it with minimal disruption. Do not leave your site backup with the web host alone, as they are unlikely to have an adequate backup schedule. Instead, routinely back up your databases and your entire site to a place you trust, in case there is a breach.
- Avoid default credentials – brute force attacks are made much easier if you keep the default configurations that come with your site’s administrator panel, e.g. using admin as your username. Change any default or easily guessable usernames and set strong passwords that mix numerals, special characters, and uppercase and lowercase letters. Avoid common sequences like sly123 in your passwords. Note down your passwords somewhere secure, preferably offline, since the best passwords are easily forgotten.
- Change the database table prefix – your WordPress databases are the brains behind the operation of your entire site, which is why they are commonly targeted by hackers. One way to protect the database tables from unauthorized access is to change the default table prefix, which usually begins with ‘wp_’, to something else.
- Directory hardening – most web hosts allow browsing of site directories by default, which unfortunately means a hacker can view your directories easily. To stop this, update the .htaccess file to disable directory listing. Your ‘Uploads’ folder, which stores all media uploaded to your website, is also visible to anyone online; update your .htaccess file to prevent online users from viewing that folder as well. Finally, update your file permissions to ensure that only the required persons can view or edit information in your database.
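As an added example (not from the original article), this POSIX shell script applies the directory hardening steps just described to a WordPress document root and then checks the result. It assumes Apache 2.4 with .htaccess overrides enabled, and the document root path is passed as an argument.

```shell
#!/bin/sh
# Added example: harden a WordPress document root as the tips above describe.
# Assumes Apache 2.4 (Require syntax) with AllowOverride enabled for the root.
# Try it on a copy of the site first.

# Usage: harden_wp_root /path/to/docroot
harden_wp_root() {
    root="$1"

    # 1. Disable directory listing site-wide (idempotent append).
    if ! grep -qs '^Options -Indexes' "$root/.htaccess"; then
        printf 'Options -Indexes\n' >> "$root/.htaccess"
    fi

    # 2. Uploads: no listing, and never execute scripts dropped there
    #    (a favourite backdoor location), while still serving media files.
    up="$root/wp-content/uploads"
    mkdir -p "$up"
    cat > "$up/.htaccess" <<'EOF'
Options -Indexes
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
EOF

    # 3. Permissions: directories 755, files 644, and wp-config.php (which
    #    holds the database credentials) readable by the owner only.
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# Post-check: returns 0 only if listing is off, the uploads deny rule is in
# place and nothing under the root is world-writable.
check_wp_root() {
    root="$1"
    grep -qs '^Options -Indexes' "$root/.htaccess" || return 1
    grep -qs 'Require all denied' "$root/wp-content/uploads/.htaccess" || return 1
    [ -z "$(find "$root" ! -type l -perm -o+w | head -n 1)" ] || return 1
    return 0
}
```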
Author bio: A data IT professional, Sujain Thomas enjoys writing about field IT topics, such as database administration services. She works with remote DBA experts, providing DBA services and solving clients’ data problems.