Thousands of WordPress sites continue to be hacked & injected with malware every day. That's not surprising, considering WordPress is the world's most popular free blogging and website software.
Around 80 million people currently use WordPress.
Free plugins & themes are among its most popular features.
If you want to avoid being hacked, there are 4 questions you need to answer:
- Do you update WordPress core, themes and plugins when new updates become available?
- Do you back up your site's files as well as your databases?
- Do you store your backup on your server, or in a safe location away from your live site?
- Do you use the default login username, admin, and a short password?
Here's a list of the 3 most common ways your site could be hacked and damaged or lost entirely.
1. Out Of Date Free Plugins & Themes
It's easy to install a free plugin or theme, and based on the latest WordPress stats there have been hundreds of millions of downloads.
When a plugin or theme gets updated, the changes are disclosed in a changelog. Most of the time they include security fixes, and once a fix is published hackers know exactly what was vulnerable and can easily exploit any site that hasn't applied it.
If you haven't updated the plugin or theme, you run the risk of your site being hacked.
Another problem with free plugins and themes is that, unlike the authors of premium ones, their owners don't get paid and so have little incentive to fix security holes.
- Update WordPress core files
- Update plugins for WordPress
- Update WordPress themes
2. Weak Login Details
I think most of us can remember that the default login username when we first installed WordPress was admin.
It's a bit of a no-brainer that experienced hackers know this as well. They use automated tools that scan the entire internet looking for sites to exploit through this weakness.
Most WordPress users have a login address which ends in wp-login.php.
Click your login link now and check this is correct on your site.
So hackers know the address of most WordPress login pages as well as the username.
If you're using the default login username, admin, and also have a weak password like your dog's name, fluffy, it's only a matter of time before your site is exploited.
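Because the login URL is predictable, a burst of failed POSTs to wp-login.php from one address is the signature to watch for in your web server's access log. The following is an added example (not code from the original post) that parses combined-format log lines and flags IPs with repeated failed logins; the log lines are constructed samples, and the threshold and window are assumptions you would tune for your site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:02:20:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    # Returns None for lines that do not match the combined log format.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def find_login_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag IPs with >= threshold failed wp-login.php POSTs inside any window_seconds span.
    WordPress answers a failed login with 200 (the form is re-rendered with an error) and a
    successful one with a 302 redirect, so 200s followed by a 302 means a password was guessed."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            posts[rec["ip"]].append((rec["ts"], rec["status"]))
    flagged = {}
    for ip, events in posts.items():
        events.sort()
        failed = [ts for ts, st in events if st == 200]
        start = 0
        for end in range(len(failed)):
            while (failed[end] - failed[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:  # threshold failures inside the sliding window
                success_after = any(st == 302 and ts > failed[-1] for ts, st in events)
                flagged[ip] = {"failed": len(failed), "success_after": success_after}
                break
    return flagged
```

An IP flagged with success_after set to True is the case that needs immediate action: the guessing stopped because it worked, so reset that account's password and review what the session did.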
3. Database Injections
Unlike old-style static HTML websites, WordPress uses a database.
I'm sure you know that your site is made up of a database and files.
phpMyAdmin manages your MySQL database(s), and you can access it from cPanel.
If a hacker gets into your database, they can do anything: delete it, corrupt it, or redirect all your URLs to sites distributing malware, Viagra or Canadian Pharmacy spam, etc.
The work involved in cleaning this up is a nightmare even for the people who do it for a living full time.
- Change your database table prefix to avoid hackers exploiting your content
- Protect your .htaccess files
- .htaccess files & WordPress security
Google Security Warnings
If your site is hacked & injected with redirects to malware distributing sites, Google will find out.
When it does, it will show a warning to your visitors before they land on your site, advising them of the risks.
(Image: an example of the warning shown by Google, Bing and most other browsers.)
Avoiding Security Breaches
- Here's a long list of security solutions as well as another list on hardening WordPress.
- Take full backups of your site's files and databases and store them away from your server.
If you don't want to learn more about securing your installation, you may consider using a service:
- Use a managed WordPress host which guarantees the security of your site
- Use a WordPress security service which scans your installation and takes backups on a regular basis
- Install a premium plugin which automatically creates a daily full backup and sends it to a storage location of your choice, e.g. Dropbox, Amazon S3, etc.
If you've got a daily full backup stored in a secure location and your site does get hacked, you're safe. If you don't, what have you got to lose?