4 Most Common WordPress Exploits that Business Owners Neglect
Posted by Brendon McLeod • 09.03.2016
You can lessen the chance of someone hacking your WordPress website if you’re willing to take a more proactive approach to your online security. We’ve compiled some best practices you can employ to dissuade hackers, protect your site from security breaches and vulnerabilities, and avoid potential threats
Top 3 Goals of WordPress Hackers
Most WordPress websites are not supporting multi-million dollar companies. So, you might be wondering why a third party would even want to hack your website. The main reasons a third party might want to hack your website are as follows:
- Steal your traffic and redirect it to a website of their choosing
- Use your server to send out illicit emails
- Steal personal information about you and your website users
6 Signs Your WordPress Website Has Been Hacked
If your WordPress website has been hacked, you are probably already aware of it. But, here are some signs to look for:
- Your website/web service goes down
- Weird/inexplicable URLs show up in search results
- Undesirable content appears on your website
- Your website redirects to an unauthorized website
- You can no longer log into your own website
- Your server is sending out masses of unauthorized emails
4 Most Common WordPress Exploits for Hackers
Your WordPress website can be vulnerable if you don’t pay attention to these four common areas that hackers love to exploit.
Limit the number of admin accounts in your WordPress site. Employees can pose an internal threat; the more personnel you have with access, the more opportunity you introduce for an admin account to be neglected or face a brute force attack. It’s best to have 1-2 people managing the site with the following guidelines:
- Use passwords with random series of characters. It is a necessity to use passwords with complexity and not dictionary words or names.
- Don’t use the same password on multiple accounts/sites.
- Change the passwords on a periodic basis – at least once a year.
- Delete former employees’ and service providers’ users/logins.
WordPress periodically releases updates to its core software to resolve bugs and deal with security vulnerabilities. It’s vitally important that you update WordPress immediately when new security updates roll out. Updates are beacons to hackers essentially telling them how WordPress is currently vulnerable. So, if you don’t have the updates installed, you can be exploited. It is ideal to install updates within 24 hours. The better hosting companies offer a service to install these WordPress updates automatically for you (see #4 on Hosting).
Plugins are extra programs that you install within WordPress that provide additional functionality to your site. The beauty of WordPress is that it is open-source and everyone can contribute to it and build plugins to improve it. But, therein is the double-edged sword of open-source software. Not all plugin developers are equally conscientious or skilled when it comes to security. So, we recommend the following with respect to plugins:
- Quantity: Limit the number of installed plugins in your website to only those that you actually need. Remove any that you aren’t using.
- Quality: Not all plugins are created equal. We tend to only incorporate plugins into our best practices after they have gone through a few versions and have been adopted by a large user base (basically only the best-in-class for a given requirement/feature). If you are choosing between two potential plugins, choose the one with higher installs and ratings.
- Confirm the quality and the reputation of the developers that create plugins and whether they are being actively developed. Test out their response time to questions to see if they actually provide support. Do some Google searches for complaints about the developer, issues of usability, etc.
- Confirm that the WordPress plugins you are using are being updated once a week.
Hosting may be a commodity in the eyes of most business owners. However, it is critical that you understand the quality of both the technology and service you are using. Your web designer or internet marketing company should be able to help you assess various hosting options if you lack the technical understanding to confirm the following:
- Confirm that your hosting company uses the most up-to-date server environment. WordPress is hosted on the LAMP stack – Linux, Apache, MySQL and PHP. You want to make sure your host is using the more recent versions and managing all the server-side software and updating them regularly. Ensure your hosting company has excellent support and response time; if there is an emergency you’ll want to be in touch quickly. Look for 24/7 phone, chat, and email support. Test them out to see if they live up to their promise.
- If you aren’t taking your own backups, ensure that your hosting company is taking backups and can prove that they can restore it within a given time period that is acceptable to you in the event of a disaster.
- Ensure that your hosting company is being proactive and patching their servers against global threats, for instance, the Heartbleed bug (April 2014) or Guardians of Peace, Sony Entertainment hackers (November 2014).
- See if your hosting company provides automatic updates to the WordPress core and plugins.
Prevention is key. Implementing these practices will minimize the risk of getting your WordPress website hacked. If you have an issue with the security of your WordPress website, please contact us.