Why it’s better to stop WordPress hackers than to recover from them
An ounce of prevention is worth a pound of cure. When it comes to website hacks, this couldn’t be more true. WordPress sites are hacked by bots written to exploit known vulnerabilities, not by sophisticated hackers. These vulnerabilities include weak passwords, outdated themes and plugins, and poor web hosting.
The following things can happen when a website is hacked:
- Files containing malicious code or PHP backdoors can be uploaded to the server
- Files already on the server, such as your theme files, can be modified
- Code can be inserted into the WordPress database
- Users with administrative rights can be added to your WordPress site
- Posts and pages containing spam can be published
- Your website can be redirected to malicious pages
In other words, it can be a huge mess to repair if the site is compromised. It can also take hours to recover, and if Google blacklists your domain, your SEO may take a major hit. See: Sites Hosting Ransomware Get Google’s 30 Day Ban.
Fortunately, keeping hackers out is very straightforward, but it requires vigilance.
10 Tips to Prevent WordPress Attacks
Use strong passwords
To keep track of all your passwords, use a password manager such as 1Password. You can no longer get away with using the same password for every online account. You can’t use the name of your dog, or your favourite soft drink or band. You need passwords that are long, complex, and impossible to memorise.
I’ve had two customers contact me in the last few weeks after their Gmail, Instagram, or Apple ID was compromised because of a weak password. Password-cracking software makes it very easy to discover what your password is. In both cases my customers used passwords that a password-cracking app could guess in under one second!
Test the strength of your current passwords here. Then give some serious thought to using 1Password, creating long, complex, random passwords, and changing them regularly. With 1Password, you only have one hard password to remember.
Keep WordPress core, themes and plugins up to date
It’s not enough to log in and run updates once a month or less. Exploits can hit large numbers of sites within days of a vulnerability being disclosed. Within a few weeks of the Gravity Forms flaw being revealed, a neglected site of mine that I had not updated was exploited. When an update is released, install it promptly. Read my article on how to update your WordPress themes and plugins without breaking your site.
You can use the Shield WordPress Security plugin to run automatic updates for plugins that don’t have front-end features. Check out my post on website maintenance plugins if you run more than one site.
Keep your server clean
Remove inactive copies of WordPress from the server. They are easy to overlook. Unused WordPress scripts, plugins, themes, etc. can also be exploited even though they are not in use, not active, and not even connected to the current installation. Delete, delete, delete. Keep a tidy house.
Vet your plugins and themes for ongoing support
Don’t use plugins and themes that are no longer supported. If your plugin or theme hasn’t been updated in a year or so, replace it. This can be a major problem with themes. Many developers are fly-by-night and don’t continue to support their theme for more than a couple of years.
When shopping for a theme or plugin, look for recent support requests that have been answered promptly, strong star ratings, and recent and regular updates. The best themes are not always the top-selling ones, but those are more likely to have ongoing support and updates. Read the reviews for consistency and tone of the responses. Look for helpfulness, interest, thoroughness, timely replies, clear communication, and a positive attitude.
Premium WordPress themes often come bundled with third-party plugins. These bundled plugins may or may not be updated on schedule by the theme’s author. Revolution Slider, for example, a popular animated slider, comes bundled with hundreds of ThemeForest themes. In 2014 Revolution Slider suffered a serious security flaw. But theme developers who bundled it with their themes did not actually update the plugin when they updated their themes. As a result, for months after the flaw was discovered, several themes on ThemeForest were distributing an extremely vulnerable plugin. This flaw led to tens of thousands of websites being compromised and redirecting traffic to malicious sites.
The upshot of all this is that if you buy a premium theme that comes bundled with premium plugins such as Visual Composer, Layer Slider, Revolution Slider or others, buy those plugins separately. That way you are notified directly of updates to them and don’t depend on the theme developer to keep you secure.
Secure your own computer and home network
If you are running Windows in particular, run virus scans regularly. Be careful which sites you visit. You can inadvertently give away your WordPress login via a keystroke-logging trojan that steals your passwords as you type them. Protecting your computer is largely about not visiting websites that distribute malware. But even familiar sites, such as a friend’s cooking blog, might be hacked, so wherever you go on the web you need some protection.
For Mac OS:
- Scanning software is usually not needed, but I like Avira because it recognises malware behaviour patterns as well as malware and trojan signatures.
- Turn on the Firewall in System Preferences (Security & Privacy). Check the Enable Stealth Mode box under Firewall Options. This makes your computer invisible on networks.
For your PC:
- Avast! and Avira are both good anti-virus applications.
- Make sure you’re running Windows Firewall.
For your network:
- See these excellent tips for safeguarding your home network.
Run a security plugin for WordPress
I highly recommend the MalCare plugin by the developers of BlogVault. They have both a free and a premium version. What I like most about their plugin is that there are no configuration options, which can be very confusing with other security plugins. In addition, all malware scanning takes place on their cloud servers, so it has no effect on your website’s performance. It also features brute-force login protection and a powerful firewall.
The paid version is just $99 / year, which is a bargain compared to similar services. Use this link for 10 per cent off your first year: https://malcare.com/womeninwp
Please try it out and let me know in the comments below how that works for you.
I like iControlWP’s Shield WordPress Security too. I used Wordfence in the past, and it continuously produced errors in the error log files on several sites. Other popular plugins out there can easily break your site, or have you focused on “safety” measures that do nothing for security while missing important things such as login protection.
Don’t log in on public WiFi networks
By logging into your WordPress site on a public network, you’re essentially giving away your login credentials to anyone else on the network who might be running packet-sniffing software. If you don’t have an SSL certificate installed on your site (which encrypts your username and password in transit), use a Virtual Private Network (VPN) service to encrypt your network traffic. Use a VPN even if you have an SSL certificate, as being on a VPN whenever you are on a public network is good practice.
Install an SSL certificate on your site
This encrypts the data transmitted between you (or your users) and your site, such as when submitting contact forms or logging in. Otherwise, information travels in the clear like a postcard, meaning anyone who looks can read it. Installing SSL on your site lets you log in securely while travelling (via https). Many hosts offer this for free, and you can use the Really Simple SSL plugin to force https for all your content.
Consider better web hosting
When it comes to security, hosting companies like WP Engine, SiteGround, Kinsta and Flywheel have your back. They run regular security scans and clean up your hacked site for free, although I have learned that people do get hacked on these services, and it can take days (or never happen at all) to get cleaned up. I would still recommend running the MalCare plugin, since hosts are not malware experts. I’ve been hosting most of my sites with SiteDistrict lately, because their site-speed performance is excellent (with Kinsta right up there), and their support is hands-on and proactive.
Back up your site
Although backups are not always helpful in recovering from a WordPress hack, they are important for recovering from a catastrophe, particularly damage to your database, where all of your site’s content is stored. See my post on backing up WordPress.
Monitor your site continuously
- Sign up for Google Search Console so that you are alerted to any problems on your website.
- Check the error logs on the server via cPanel’s File Manager or over FTP (SFTP).
- View the Raw Access Logs on the server to see, in particular, which clients access files on the site and which make POST requests. If this is not enabled, archiving of access logs can be switched on in your cPanel.
- You can use the Audit Trail feature of the Shield WordPress Security plugin to track any changes to files or logins to the site.
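An added example (not code from the post, nor from the Shield or MalCare plugins) of the access-log review described in the list above: it parses combined-format lines such as those in cPanel’s Raw Access Logs and flags POSTs to PHP files where WordPress does not normally expect them, plus repeated wp-login.php POSTs from one address. The log lines are constructed samples, and the list of expected endpoints and the login threshold are assumptions you should adjust for your site.

```python
import re
from collections import Counter

# Combined log format as in cPanel "Raw Access Logs" (assumed; adjust the regex if yours differs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Front-end PHP endpoints that legitimately receive POSTs on a stock install (assumed list).
EXPECTED_POST_PATHS = {"/wp-login.php", "/xmlrpc.php", "/wp-cron.php", "/wp-comments-post.php"}

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec

def triage(lines, login_threshold=5):
    """Return (suspicious_posts, brute_force_ips).
    suspicious_posts: POSTs to .php files outside /wp-admin/ and EXPECTED_POST_PATHS,
    e.g. a PHP file in /wp-content/uploads/, which is a classic sign of a planted backdoor.
    brute_force_ips: client IPs with at least login_threshold POSTs to /wp-login.php."""
    suspicious, login_posts = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"]
        if path == "/wp-login.php":
            login_posts[rec["ip"]] += 1
        elif path.endswith(".php") and not path.startswith("/wp-admin/") \
                and path not in EXPECTED_POST_PATHS:
            suspicious.append((rec["ip"], path, rec["status"]))
    brute = sorted(ip for ip, n in login_posts.items() if n >= login_threshold)
    return suspicious, brute

# Constructed sample log lines (not real traffic) to exercise the triage.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /about/ HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0',
    '192.0.2.33 - - [10/Oct/2023:14:02:11 +0000] "POST /wp-content/uploads/2023/10/img.php HTTP/1.1" 200 17',
    '192.0.2.33 - - [10/Oct/2023:14:02:12 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88',
] + [  # six rapid login attempts from one address
    f'198.51.100.9 - - [10/Oct/2023:13:56:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3344'
    for s in range(1, 7)
]
```

Run it as `triage(SAMPLE_LOG)` on the sample, or pass `open("access.log")` to review a real log; a hit in the first list deserves a look at that file, and an address in the second is a candidate for blocking in your security plugin’s firewall.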
WordPress security isn’t complicated. Hack cleanup is. Take a little time to review your website, make a list of the items you need to do, and check them off one at a time. Begin by updating everything and setting up a backup solution. Update your plugins and sign up for Google Search Console. Change your passwords. Soon I will write another post about how to inspect your site for hacked files, so stay tuned!
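As an added example that is not the post’s own code nor the Shield plugin’s Audit Trail, here is the file-change tracking from the monitoring list done by hand: hash every file once, store that baseline outside the web root, and later diff the live tree against it to list added, modified and deleted files. The mini site it checks is constructed in a temporary directory, and the file names are placeholders, not a real install.

```python
import hashlib
import json
import os
import tempfile

def hash_tree(root):
    """Map each file under root (relative path) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def save_baseline(root, baseline_path):
    """Record the current state of the site; keep this file outside the web root."""
    with open(baseline_path, "w") as fh:
        json.dump(hash_tree(root), fh, indent=1)

def compare(root, baseline_path):
    """Return (added, modified, deleted) relative paths versus the stored baseline."""
    with open(baseline_path) as fh:
        old = json.load(fh)
    new = hash_tree(root)
    added = sorted(p for p in new if p not in old)
    modified = sorted(p for p in new if p in old and new[p] != old[p])
    deleted = sorted(p for p in old if p not in new)
    return added, modified, deleted

def write(path, text, mode="w"):
    """Small helper for the demo: create parent directories and write text."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as fh:
        fh.write(text)

def demo():
    """Constructed mini site (not a real install): baseline it, then simulate tampering."""
    site = tempfile.mkdtemp()
    baseline = os.path.join(tempfile.mkdtemp(), "baseline.json")  # outside the web root
    write(os.path.join(site, "index.php"), "<?php // stock front controller\n")
    write(os.path.join(site, "wp-config.php"), "<?php // site settings\n")
    save_baseline(site, baseline)
    # Simulated changes: a new PHP file under uploads, an edited core file, a deleted file.
    write(os.path.join(site, "wp-content", "uploads", "img.php"), "<?php // unexpected file\n")
    write(os.path.join(site, "index.php"), "// injected line\n", mode="a")
    os.remove(os.path.join(site, "wp-config.php"))
    return compare(site, baseline)
```

Against a real site, run `save_baseline` right after a clean update and `compare` from a cron job; any entry in the added or modified lists that you did not cause yourself is what the upcoming post on inspecting hacked files is about.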