Keeping WordPress and Your Data Safe and Secure
December 3, 2019
Featured article by Craig Murphy of ALT Agency, a Birmingham-based web design agency
WordPress is a massively popular open source platform, and it is estimated that hundreds of thousands of WordPress sites are hacked each year, or are left vulnerable to being hacked.
It’s not that WordPress is a poor platform, far from it; it just appears that people don’t take as much care of their sites as they should, so robots crawling the web can easily find ways in.
So, just what are the causes of these all too common WordPress hacks, and what can you do to prevent them?
Out of date WordPress
One of the key benefits of WordPress is that it provides regular security updates to its core files. The great thing about these updates is that they are often applied automatically, or at most with the click of a button.
You don’t need a web designer to perform these updates; they often take just a few minutes or less, and once done they provide a better level of protection for your WordPress website.
The only downside at times can be conflicts with incompatible plugins, so be sure to take a backup before updating, and once updated run through your site to ensure everything works as it should.
Solution: WordPress allows you to turn automatic updates on, and it will send you an email alert each time an update is applied.
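For those who prefer to set this in the configuration file rather than through a plugin, the following is an added example (not code from the article or from WordPress itself) that switches core auto-updates on by defining the real WordPress constant WP_AUTO_UPDATE_CORE in wp-config.php. The wp-config.php it edits is a constructed sample; point it at your own file only after taking a backup.

```shell
#!/bin/sh
# Added example (not from the article): switch on WordPress core
# auto-updates by defining WP_AUTO_UPDATE_CORE in wp-config.php.
# WP_AUTO_UPDATE_CORE is a real WordPress constant; 'true' enables
# all core updates. The wp-config.php written below is CONSTRUCTED
# for the demo; point the function at your real file after taking
# a backup.

# Insert the define once, ahead of WordPress's "stop editing" marker
# so it is set before wp-settings.php loads; append if no marker.
enable_core_auto_updates() {
    cfg="$1"
    if grep -q "define( *'WP_AUTO_UPDATE_CORE'" "$cfg"; then
        return 0        # already configured: idempotent
    fi
    if grep -q "stop editing" "$cfg"; then
        awk -v ins="define( 'WP_AUTO_UPDATE_CORE', true );" \
            '/stop editing/ { print ins } { print }' "$cfg" > "$cfg.tmp" &&
            mv "$cfg.tmp" "$cfg"
    else
        printf "define( 'WP_AUTO_UPDATE_CORE', true );\n" >> "$cfg"
    fi
}

# 0 when exactly one WP_AUTO_UPDATE_CORE define is present.
core_auto_updates_enabled() {
    [ "$(grep -c "WP_AUTO_UPDATE_CORE" "$1")" -eq 1 ]
}

# Line number of a pattern's first match (used to check ordering).
line_of() {
    grep -n "$2" "$1" | head -n 1 | cut -d: -f1
}

# --- demo on a constructed config ---
DEMO_DIR=$(mktemp -d)
DEMO_CFG="$DEMO_DIR/wp-config.php"
cat > "$DEMO_CFG" <<'EOF'
<?php
/* CONSTRUCTED sample wp-config.php for this example */
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
EOF

enable_core_auto_updates "$DEMO_CFG"
enable_core_auto_updates "$DEMO_CFG"   # second run must not duplicate the line
cat "$DEMO_CFG"
```

The define is placed before the "stop editing" comment because WordPress loads wp-settings.php right after it, and constants set later are ignored. Running the function twice leaves the file unchanged, so it is safe to include in a maintenance script.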
Out of date Plugins
One of the most common ways WordPress websites are hacked is through out-of-date WordPress plugins, yet they are so easy to update.
Just like a WordPress update, you literally press a button saying “update” and the job is done.
This does come with a caveat, though: some plugins end up being customised and so can’t be updated in the future – your web designer will make you aware of this, but when it happens it can make updating plugins difficult.
Solution: Be sure to confirm with your web designer or WordPress developer which plugins can and cannot be updated.
WordPress highlights on your dashboard the number of plugins with updates available; simply click this, press update, and your plugins will be up to date within seconds.
Weak Passwords and Usernames
If you have any security software installed on your WordPress website or server, it’s not unusual to notice a ton of brute force attacks from overseas trying to gain access to your website.
This is a simple brute force attack: it often centres on the default “admin” username and uses robots to guess your password.
Solution: The solution to this is very simple yet often overlooked – simply use passwords that are at least 8 characters long and include numbers and symbols to help further secure your password.
You can also remove the default WordPress “admin” account to prevent brute force attacks against it.
A third and final way to add further protection is to add a CAPTCHA plugin to your WordPress admin login page to stop bots constantly attempting a brute force attack.
Not using Security plugins
One of the ways your WordPress site can be hacked via your web host’s server is through vulnerable server folders.
A little more advanced than the above, but this one isn’t as difficult to solve as you may think.
There are plugins available, such as Sucuri, that help you sort this issue out with a few clicks of a button; it’s called “hardening folders”. What this does is change the permissions of the folders on your server to prevent robots exploiting them and uploading malicious files to gain a backdoor into your website.
Solution: You may need to speak with your web developer to sort this out for you if you find it a little tricky.
Tools such as Sucuri provide real-time monitoring of your WordPress website and can easily secure your WordPress website from hackers.
By using Sucuri you can get 24/7 alerts should a file be uploaded or changed in your WordPress site, get alerted if you are suffering a brute force attack, and also harden your folder permissions to prevent hackers using them in a malicious way – best of all, Sucuri is free!
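To show what “hardening folders” actually changes, here is an added example (not code from the article, Sucuri or WordPress) that applies the usual WordPress permission scheme by hand and then reports anything still writable by other accounts on the server. It runs against a constructed WordPress-like directory tree; pointing WP_ROOT at a real install is an assumption that needs a backup first.

```shell
#!/bin/sh
# Added example (not from the article): the "hardening folders" step
# done by hand, so you can see what the plugin changes. Directories
# become 755, files 644, and wp-config.php (database credentials and
# salts) 600, so that other accounts on a shared server can neither
# read your secrets nor write a backdoor into your tree. It runs on a
# CONSTRUCTED WordPress-like tree; set WP_ROOT to a real install only
# after a backup, and run it as the user that owns the files.

harden_wp_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# List paths that group or others may write to (exactly what lets a
# neighbour on the same server plant files). Empty output = clean.
find_writable_by_others() {
    find "$1" \( -perm -0020 -o -perm -0002 \) -print
}

# 0 when $1 has exactly the octal mode $2 (portable: no stat flags).
has_mode() {
    find "$1" -prune -perm "$2" -print | grep -q .
}

# --- demo on a constructed tree with typical sloppy permissions ---
WP_ROOT=$(mktemp -d)
mkdir -p "$WP_ROOT/wp-content/uploads" "$WP_ROOT/wp-includes"
printf '<?php /* CONSTRUCTED */ define( "DB_PASSWORD", "not-a-real-secret" );\n' > "$WP_ROOT/wp-config.php"
printf '<?php // CONSTRUCTED core file\n' > "$WP_ROOT/wp-includes/version.php"
chmod 666 "$WP_ROOT/wp-config.php"        # world-readable credentials
chmod 777 "$WP_ROOT/wp-content/uploads"   # world-writable upload folder
chmod 664 "$WP_ROOT/wp-includes/version.php"

echo "Before:"; find_writable_by_others "$WP_ROOT"
harden_wp_permissions "$WP_ROOT"
echo "After (should be empty):"; find_writable_by_others "$WP_ROOT"
```

One caveat before running this on a live site: on hosts where PHP runs as a different user from the one that owns the files, the uploads folder will need group write or a change of ownership after this, otherwise media uploads and plugin updates start failing. Your host can tell you which user PHP runs as.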
Secure Web Hosting
One way that WordPress websites and folders get hacked is through poor web hosting.
When you are on a shared web hosting platform, likely alongside other WordPress websites, there is a higher chance your website will get hacked.
It’s something we have seen many times – frustrated website owners whose websites keep getting hacked despite their best efforts, who won’t accept that it’s their web hosting.
Like the common cold, a hacked WordPress website can compromise a server and spread through the other WordPress websites on it like it’s nothing.
Solution: Whilst this one is a little more difficult to sort, if your web host says they have done everything, or blames it on plugins or something else, and there is nothing more you can do, then it’s likely time to move your web hosting to something like WPEngine.
WPEngine are the world’s leading authority and provider of WordPress hosting; they will not allow vulnerable sites or plugins on their servers and have real-time monitoring to prevent hack attacks.
Since moving clients to WPEngine we have not seen a single hack attack, as WPEngine take their hosting and security very seriously where other hosts do not.
XML-RPC
A file that robots look out for and hit hard when doing brute force attacks – yet the great news is that it’s easily solvable with the help of a little plugin.
Whilst some plugins such as Jetpack rely on this file, you can experiment with turning it off to prevent brute force attacks.
Solution: You can contact your host and ask them to disable direct access to XML-RPC to reduce the chance of a brute force attack.
There’s also a handy little XML-RPC plugin that you can download to stop XML-RPC being available to the public.
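The brute force traffic described in the “Weak Passwords and Usernames” section and the XML-RPC hammering described here both leave the same footprint in the web server’s access log: a flood of POST requests to wp-login.php or xmlrpc.php from one address. The following added example (not code from the article or any plugin) counts those per client IP so you can confirm an attack is under way before, say, asking your host to block XML-RPC. The log lines are constructed in combined log format using reserved test addresses, and the threshold of 10 is an assumption to tune for your own traffic.

```shell
#!/bin/sh
# Added example (not from the article): count POST requests to
# wp-login.php and xmlrpc.php per client IP in a web server access
# log, which is how the brute forcing described above shows up on
# the server side. The log lines are CONSTRUCTED (RFC 5737 test
# addresses) in Apache/nginx combined format; the threshold is an
# assumption to tune for your own traffic.

# Print "hits ip path" for every (ip, path) pair at or above the
# threshold ($2, default 10), busiest first. Query strings such as
# ?redirect_to=... are stripped so they count against the bare path.
login_bruteforce_suspects() {
    awk -v limit="${2:-10}" '
        $6 == "\"POST" {
            split($7, p, "?")
            if (p[1] == "/wp-login.php" || p[1] == "/xmlrpc.php")
                hits[$1 " " p[1]]++
        }
        END { for (k in hits) if (hits[k] >= limit) print hits[k], k }
    ' "$1" | sort -rn
}

# Same report, reduced to the number of suspicious (ip, path) pairs.
count_suspects() {
    login_bruteforce_suspects "$1" "$2" | grep -c .
}

# --- constructed sample log ---
SAMPLE_LOG=$(mktemp)
{
    i=1
    while [ "$i" -le 12 ]; do   # 12 password guesses from one address
        printf '203.0.113.7 - - [03/Dec/2019:10:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"\n' "$i"
        i=$((i + 1))
    done
    i=1
    while [ "$i" -le 15 ]; do   # 15 XML-RPC calls from another
        printf '198.51.100.23 - - [03/Dec/2019:10:01:%02d +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"\n' "$i"
        i=$((i + 1))
    done
    # one ordinary editor: loads the form, logs in once, opens the dashboard
    printf '192.0.2.44 - - [03/Dec/2019:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"\n'
    printf '192.0.2.44 - - [03/Dec/2019:10:02:05 +0000] "POST /wp-login.php?redirect_to=%%2Fwp-admin HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n'
    printf '192.0.2.44 - - [03/Dec/2019:10:02:06 +0000] "GET /wp-admin/ HTTP/1.1" 200 9900 "-" "Mozilla/5.0"\n'
} > "$SAMPLE_LOG"

login_bruteforce_suspects "$SAMPLE_LOG" 10
```

The single successful login from 192.0.2.44 stays below the threshold and is not reported, while the two noisy addresses are. On a real log, run it over the last hour or so rather than the whole file, since the point is to catch a burst; a CAPTCHA or login-limiting plugin then keeps the guesses from ever reaching WordPress.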
Hide your WordPress version
Whilst commonly available and very often neglected, prevention is better than cure, so by removing your WordPress version information from public view you make it more difficult for robots to find out which version your site runs and hack it.
All this data does is hand robots an open invitation saying “this WordPress site uses an outdated version of WordPress… come on in!”
Solution: The good news, as with most WordPress problems, is that this can be easily sorted. The Sucuri plugin mentioned above hides and removes the WordPress version from public view; an alternative called Perfmatters will also allow you to hide your WordPress version from the public and robots.
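Whichever plugin you use, it is worth checking your own pages afterwards, because the version shows up in more than one place. The following added example (not code from the article or either plugin) scans a saved copy of a page or feed for the three spots WordPress prints its version: the generator meta tag, the ?ver= query strings it appends to core scripts and styles, and the generator element in RSS feeds. The input files are constructed; saving a live page with curl first is the assumed workflow.

```shell
#!/bin/sh
# Added example (not from the article): check a saved copy of your
# own site's HTML (or RSS feed) for the places WordPress prints its
# version: the <meta name="generator"> tag, ?ver=<version> query
# strings on core scripts and styles, and the <generator> element in
# feeds. Input files here are CONSTRUCTED; saving a live page first
# with curl is the assumed workflow.

# Print one line per leak type found in $1; print nothing when clean.
wp_version_leaks() {
    page="$1"
    grep -qi '<meta name="generator" content="WordPress' "$page" &&
        echo "generator meta tag exposes version"
    grep -Eq '\?ver=[0-9]+\.[0-9]+' "$page" &&
        echo "?ver= query strings on assets expose version"
    grep -Eq '<generator>https?://wordpress\.org/\?v=' "$page" &&
        echo "feed <generator> element exposes version"
    return 0
}

# Number of distinct leak types in $1 (0 means nothing found).
count_version_leaks() {
    wp_version_leaks "$1" | grep -c .
}

# --- constructed inputs ---
LEAKY=$(mktemp)
cat > "$LEAKY" <<'EOF'
<!-- CONSTRUCTED page: default WordPress output -->
<html><head>
<meta name="generator" content="WordPress 5.3" />
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css?ver=5.3" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
</head><body></body></html>
EOF

CLEAN=$(mktemp)
cat > "$CLEAN" <<'EOF'
<!-- CONSTRUCTED page: generator removed, asset versions replaced by a content hash -->
<html><head>
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css?v=e3b0c442" />
</head><body></body></html>
EOF

FEED=$(mktemp)
cat > "$FEED" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!-- CONSTRUCTED feed excerpt -->
<rss version="2.0"><channel>
<generator>https://wordpress.org/?v=5.3</generator>
</channel></rss>
EOF

echo "Leaky page:"; wp_version_leaks "$LEAKY"
echo "Clean page:"; wp_version_leaks "$CLEAN"
echo "Feed:";       wp_version_leaks "$FEED"
```

Under the hood the plugins do the same thing a developer would: remove the wp_generator action from wp_head and strip the ver argument from enqueued assets. The readme.html file WordPress ships in the web root also states the version, so check that it is blocked or deleted as well.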
Yes, WordPress can be easily hacked if neglected, but it’s also an incredible platform that can be secured by a WordPress developer with a little knowledge of security.
Most of these updates can be done automatically, and the folder permissions and lockdowns only need to be done once to protect you.
Maintenance and the correct set up is key to keeping your WordPress website secure.
WordPress does not have to be feared; with just the few tweaks mentioned above your website will be reasonably safe from hackers – it’s a platform to be loved, and security is just a little extra thing you have to do to enjoy protection from those horrible web robots!
About the Author
This article was provided by Craig Murphy of ALT Agency, a Birmingham-based web design agency – Craig has over 18 years’ website development experience and has helped many frustrated clients solve their WordPress hacking problems.