WordPress is used on more than 30% of all websites which makes it the most targeted platform for hackers.
It accounted for around 80% of all infected Content Management Systems on the web, which is why it is important to understand why and how such malicious attacks work and what you can try to do to reduce the risk.
Why websites get hacked
There are number of different reasons why websites get hacked:-
- They want to install files on your site in order for it to send out Spam emails.
- They want to install files on your site in order to add redirects to other sites.
- They want to gain access to data such as harvesting email addresses, credit card information etc.
- They want to install malware in order to infect the computers of visitors to your site.
- They see it as a challenge and want to prove they can hack a site and also to potentially deface it.
Ways in which websites are vulnerable
- Insecure hosting such as when a server has not been updated and there are security holes. Also allowing things such as FTP rather than SFTP which is the secure method for transferring files to and from a server.
- Additionally the use of weak usernames and passwords for a servers account or the database which can potentially allow a hacker full access to your entire website.
- Not having the correct file permissions and ownership, which can allow access to crucial files such as the main wp-config file which stores information about your database and giving them full access to it.
- Running old software which has not been updated either the core website system or plugins. Updates for WordPress and plugins are released contsantly, sometime for added functionality but other times in order to patch any security hole which may have been discovered.
- Installing software from untrusted sources.
How to make a website more secure
- Make sure that the server is regularly updated for patches especially ones released as ecurity updates.
- Configure the server to only use up to date protocols such as using TLS and not SSL.
- Use strong Cyphers.
- Make sure that there is a Firewall set up on the server.
- Use a genuine not self certified SSL certificate for the server on all services such as the servers control panel.
- Use a SSL certificate on the website.
- Restrict the access for certain directories on the website.
- Restrict the access to the admin area by limiting it to certain IP addresses and you can also set 2 factor authorisation.
- Disable the WordPress file editor as otherwise if a hacker gains access to your WordPress admin area they will be able to use this to upload malicious files.
- Install security plugins which can used to harden the website in various ways, such as not allowing PHP execution in the uploads and other folders and hardening the database since SQL injection is one of the main methods used by hackers. Security plugins can also provide scanning for malware, blocking hacking attempts such as Bruteforce attacks and send various types of alert notifications. Monitoring plays a very important role in security, as it is an ongoing process.
- Keep the website up to date.
- Backup, backup, backup, in multiple locations and covering a long enough period of time such as 30 days or longer in case the worst happen, at least you you will be able to restore the site back to a state before it was compromised.
Risk reduction, not elimination
Security is not an absolute, it’s a continuous process and should be managed as such. Security is about risk reduction, not risk elimination, and risk will never be zero. It’s about employing the appropriate security controls that best help address the risks and threats as they pertain to your website and having in place robust disaster recovery procedures such as multiple backups etc.
You can find out more using the button below.