Is it just us, or have there been a lot of data breaches lately? Beyond the big names in the news, we’ve also had our fair share of WordPress hack events, like that big defacement issue back in 2017.
Unfortunately, security breaches are very real…
As a website owner, it’s up to you to be vigilant and to ensure that your site isn’t susceptible to being hacked.
If any of these things apply to you, make sure you remedy them ASAP. It’s just not worth putting your business at risk!
1. Not updating WordPress
If there’s one commonality among WordPress hack victims, it’s this:
Not updating WordPress!
According to Sucuri’s Hacked Website Report, somewhere between 55-61% of WordPress hack victims were running out-of-date WordPress when they got infected, and that’s definitely not a coincidence:
(Charts by Visualizer Lite.)
By default, WordPress security updates are supposed to happen automatically. But some hosts disable that functionality, so you can’t count on that always working.
In our experience, the people who don’t update their sites fall into two camps…
- They put off updates (or ignore them completely) because they’re too busy, OR
- They’re afraid that updating their site will break it.
If you belong in the first category, stop procrastinating already – it just takes a few seconds to update your site.
If you belong in the second category, you can take some steps to ensure nothing breaks your site.
First, create a complete backup of your site before you run an update.
In the unlikely event that your site does crash, you can easily restore the previous version.
2. Not updating plugins
Running in the same vein, it’s also important to update the plugins that you use.
If you use outdated plugins without updating them, you’re essentially exposing yourself to security flaws and bugs…
Again, Sucuri’s study has some helpful data – 18% of WordPress hack victims were hacked just because they hadn’t updated plugins with known vulnerabilities. The plugin developer knew there was a problem and fixed it – people just didn’t update the plugin to secure their site!
Additionally, in a survey of WordPress hack victims from Wordfence, over 55% of people who knew how the hacker got in said it was because of a plugin issue.
If you’ve got a ton of plugins and you find it hard to keep track of all the updates, we recommend using Wordfence.
This plugin comes with a malware scanner that will check your other plugins for malware, bad URLs, backdoors, SEO spam, malicious redirects and code injections. It also draws your attention to potential security issues when a plugin you’re using has been closed or abandoned.
3. Not protecting your WordPress admin directory
In that same Wordfence survey, one of the most common WordPress hack attempts involved getting access to your WordPress login credentials, either through brute force attacks or password theft:
To prevent that from happening, you’ll want to protect your WordPress admin directory (your /wp-admin page).
First and foremost, make sure you password protect your WordPress admin page.
By default, you’ll require a password to get into the directory, but we’re talking about adding another layer on top of that.
That way, anyone trying to access your WordPress admin will need to provide an extra username and password.
If you need a walkthrough on how to do this, check out Step 2 of our article: 4 Ways to Tighten WordPress Security.
If you don’t like that approach, another good alternative is two-factor authentication.
With two-factor authentication set up, your site users won’t just require a password to log in – they’ll also need to input a code that’s sent to them via text message, email, or an app.
To do this, check out our WordPress two-factor authentication guide.
Last but not least, it’s not a good idea to use “admin” as your WordPress username.
Hackers might attempt to get into your site using this default username, so you should definitely switch it up.
While WordPress doesn’t let you directly change your username, you can still do it by following these methods.
4. Using weak passwords
This one’s pretty obvious – if you use weak passwords, it’s easier for hackers to access your accounts.
We’re not just talking about the password that you use for your WordPress admin account, though.
The same thing applies to your other passwords, including your:
- Web hosting accounts
- FTP accounts
- MySQL database
- Email accounts associated with your WordPress admin account
To learn more about generating a strong password, read How Secure Is My Password? Here’s Your Answer, Plus How to Pick a Strong Password.
5. Using dodgy themes
If you do a quick Google search, you’ll find a good handful of websites that distribute paid WordPress themes for free.
At first glance, this might look like a cool money-saver for website owners on a tight budget.
In actuality, though, most of these sites are pretty dodgy…
If you download and install a theme from them, you might end up compromising the security of your website.
Remember, there’s no such thing as a free lunch.
Stop WordPress hack attempts before it’s too late
Sad to say, the average WordPress site owner doesn’t consider security a priority.
When you’re setting up your site for the first time, you’re probably more concerned with the look and feel of your website than anything else.
And once you get your site up and running, you’ll turn your focus to churning out great content, neglecting security as you go along.
Obviously, this is a huge mistake.
You don’t wait to wait for a WordPress hack attempt BEFORE you start caring about your site’s security – when that happens, it’ll be too late.
So set aside an hour or two and make sure that your WordPress site is secure and up-to-date.
Do you have any questions about fixing these security issues? Let us know and we’ll try to help!