I’ve seen it happen too many times.
WordPress accounts hacked, domains defaced, or redirected.
In the realm of IT security, there are variables you can’t control.
What you can control are the basic fundamentals of your own WordPress installation, such as the following:
Maintain Updates
Updating WordPress is the single most important variable when talking about WordPress security. Attackers are constantly probing the current code for vulnerabilities to exploit, and unfortunately they’re often successful. For that reason, security patches are a very common part of WordPress updates. You want to check your WordPress installations at least once a week (I check hourly, haha) to ensure you’re up to date. Remember to keep your themes and plugins up to date as well, and if a component (plugin or theme) hasn’t been updated for years, then it’s time to ditch that component.
Stop Installing Plugins
It’s important to remove all redundant plugins. The more code you have on your WordPress installation, the more chances you give an attacker to find something they can exploit on your blog. For additional information on why you don’t need half the WordPress plugins you have, check out my latest rant on WordPress plugins here.
Change Administrative Username and Secure Your Password
Password cracking and brute-forcing are a major problem for WordPress control panels, especially if you make it easier for the attackers by keeping the default administrative username. Remember, to crack your credentials an attacker has to know both your login ID and your password, so make your login ID hard to guess. Of course, your password should be at least 16 characters in length with a mix of upper-case and lower-case letters, numbers, and special characters. If you want a lesson on password permutations so easy that I could understand it, check out my research on discrete math here.
Ensure Access to Backup Credentials
Ensure that you have access to the password recovery email address for your WordPress account. (Visit “Users > All Users” to see the email address attached to each account.)
Remove Redundant Themes
I would remove all themes you’re not using at this very moment. The fewer files in your WordPress directory, the better.
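The first five steps (updates, redundant plugins, the default administrative username and password policy, recovery email, unused themes) can be checked from the command line. The script below is an added example, not from the original post, and assumes WP-CLI (the `wp` command) is installed and that the site path is passed as the first argument. The `report_*` functions are plain text filters over WP-CLI’s CSV output, so they also run on their own against sample data.

```shell
#!/bin/sh
# Added example (not from the original post): audit a WordPress install
# against the basic steps above. Assumes WP-CLI is installed and the site
# path is given as the first argument, e.g.:  sh wp-audit.sh /var/www/example

# Print components whose "update" column says an update is available.
# Input: CSV with header name,status,update,version,update_version
report_available_updates() {
    awk -F',' 'NR > 1 && $3 == "available" {
        printf "UPDATE   %-28s %s -> %s\n", $1, $4, $5
    }'
}

# Print inactive components: candidates for deletion (redundant plugins and
# themes add files an attacker can probe without giving you anything back).
# Input: CSV with header name,status,update,version,update_version
report_inactive() {
    awk -F',' 'NR > 1 && $2 == "inactive" {
        printf "INACTIVE %-28s (delete it if you do not need it)\n", $1
    }'
}

# Flag administrator accounts still using the guessable default login "admin"
# and list each administrator's recovery email so you can confirm you control it.
# Input: CSV with header ID,user_login,user_email
report_admins() {
    awk -F',' 'NR > 1 {
        tag = ($2 == "admin") ? "RENAME  " : "ADMIN   "
        printf "%s %-28s recovery mail: %s\n", tag, $2, $3
    }'
}

# Check a candidate password against the post's rule: at least 16 characters
# with upper case, lower case, a digit and a special character. Returns 0 if
# it complies, 1 otherwise. The password is read from stdin so it never
# appears in the process list.
password_meets_policy() {
    pw=$(cat)
    [ "${#pw}" -ge 16 ] || return 1
    printf '%s' "$pw" | grep -q '[A-Z]' || return 1
    printf '%s' "$pw" | grep -q '[a-z]' || return 1
    printf '%s' "$pw" | grep -q '[0-9]' || return 1
    printf '%s' "$pw" | grep -q '[^A-Za-z0-9]' || return 1
    return 0
}

# Run the full audit against a site path using WP-CLI.
run_audit() {
    site="$1"
    fields='name,status,update,version,update_version'
    echo "== core =="
    wp --path="$site" core check-update
    echo "== plugins =="
    wp --path="$site" plugin list --format=csv --fields="$fields" | report_available_updates
    wp --path="$site" plugin list --format=csv --fields="$fields" | report_inactive
    echo "== themes =="
    wp --path="$site" theme list --format=csv --fields="$fields" | report_available_updates
    wp --path="$site" theme list --format=csv --fields="$fields" | report_inactive
    echo "== administrators =="
    wp --path="$site" user list --role=administrator --format=csv \
        --fields=ID,user_login,user_email | report_admins
}

# Only talk to WP-CLI when a site path was supplied.
if [ "$#" -gt 0 ]; then
    run_audit "$1"
fi
```

Note that WP-CLI’s `plugin list` does not show when a plugin was last updated upstream, so the “not updated for years” check in the first step still has to be done against the plugin’s page in the WordPress directory. Renaming the `admin` account is also not a one-liner: the usual route is to create a new administrator, then delete the old one while reassigning its posts to the new account.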
Secure Hosting Accounts, Registrar Accounts, cPanel, and Privacy (WHOIS) Accounts
If you’ve bothered to read the first 5 steps, you’d know that you need a very complex password and access to the recovery address for each of these accounts. Not only can your site get owned if your WordPress login credentials are compromised; losing the password to any of these related accounts, or having them compromised in some other way, carries the same overwhelming risk. In short: keep your accounts on lockdown, know their recovery options, and use a very secure password.
Be Wary of Phishing Attacks, Unfamiliar Emails and Scam Sites
I’ve been an unwilling witness to an increasingly complicated array of social engineering attacks, scam sites (a scam site is a site masquerading as a legitimate one in order to phish for passwords), Trojans, RAT-ware (remote-access-tool malware), backdoors, and a truly ugly collection of scams. Malware is increasingly sophisticated and often difficult to detect. Malware development teams able both to find and execute 0-day exploits and to write malware that no anti-virus engine detects are therefore a frequent occurrence. To learn more about how to avoid executing malware, check these resources: A Virus Free Computer in 6 Easy Steps, Online Accounts & Your Data Security, Beware: Bogus Scareware and Fake “Support Calls”.
False sense of WordPress security
Certain people think “well, since my blog is tiny I’m at no risk for it to be hacked”.
That’s a false sense of security, however, because you’re all at risk.
We all are.
Hackers scan for vulnerabilities and they don’t care how big or small your following is.
They just care if your blog has vulnerabilities or not.
The Profitability of Your Website’s Vulnerability
One thing I’ve noticed over the years is that hackers are more interested in money than ever.
Sometimes an attacker will compromise your WordPress installation and insert ads, trying to remain undetected so they can monetize your blog. In other instances the attackers are much more aggressive and aim to deface the website.
For this reason, in my opinion, websites will always carry a risk of exploitation, and WordPress installations in particular are at risk if left unattended.
Because, unfortunately, it’s profitable to do so.
Executive Summary
WordPress security is easier than anyone thinks, but it does take effort to keep up with patches. The steps I’ve provided are the bare essentials for any secure WordPress blog and will thwart 99% of WordPress attacks.
Remember, though, that there’s no such thing as a 100% secure WordPress installation, or a 100% secure anything; these are simply easy steps you can take to ensure you’re at least moderately secure.
Think of all the major companies getting hacked in modern times.
I’ve read about major companies and their websites being hacked, so anyone is vulnerable.
DNS gets hacked. Registrars get hacked. Domains get hacked. And unfortunately, WordPress installations get hacked. Some things get hacked and that is impossible to avoid, regardless of how up to date your software is.
That being said, in my opinion the majority of these compromises are the result of outdated software, missing patches, a lack of IT security policies and, most importantly, social engineering, which is the preeminent risk.
It’s impossible to defend against certain attacks as they evolve in complexity, but the things you can control are simple to accomplish: take action by keeping your WordPress installation up to date and strengthening your administrative passwords.
Better than nothing, right?