With malware up 140% in the past 2 years, and a number of our clients' WordPress websites hacked in recent months, we took time to explore why WordPress websites are hacked, and what measures we can employ to maximise WordPress security.
For the majority of our clients, understanding exactly how the hackers get into your site is probably a lesson in biochemistry taught in French. In other words, it’s foreign. It’s safe to say however that a hack on your website isn’t personal. It’s usually conducted by scripts and software that look for vulnerabilities in your core WordPress files, your FTP, hosting server, or plugins. If you are a sadist and really want to understand how these monsters are getting in then check out this post on Smashing Magazine – common WordPress malware infections. It’s a great technical summary, from some of WordPress’s best security guys.
Why do hackers do it in the first place? I’d probably consider there to be three main reasons why people hack.
1) ‘You’ve been hacked by….’ type code, which I assume is some form of tagging. I guess by understanding how you can get into the hosting server or website you can gain some kind of knowledge as to how to prevent it, and then sell security products off the back of it. WordPress security is a big industry, and I guess some people are trying to profit from vulnerabilities. In other words, I found the hole, this is how you fill the gap. Pay me.
2) Just for the sake of it perhaps. Like kids tagging walls by the train station. Mindless, annoying, rodents.
3) The 3rd reason is probably the most common reason, which is to install some code that links back to their prescription pill website. I’m yet to hear of anyone buying any online medication from a hacked website, and typically Google bans such code with messages of ‘compromised website’, so I’d be surprised if it’s for SEO reasons. Mind numbing stuff really.
So for most of our clients it’s more important that we focus on how to stop the hackers getting into your WordPress website. It’s widely understood that the simplest strategy for preventing hackers getting into your WordPress website is to address these three things:
1) Keep your version of WordPress updated.
Outdated WordPress files are the single most common reason for a hack. New versions of WordPress are released every 3-4 months, so it’s important when these releases come out that you upgrade. Usually these upgrades provide some additional functionality, but they also often close some important security holes.
Unfortunately updating your core files automatically, by clicking the message at the top of the screen, is fraught with danger when you are hosted by a server that is packed tighter than a bag of rice from Coles. Typically hosting is cheap because it’s been maxed to capacity, so when you click update, there isn’t enough memory available to perform the update, and your WordPress upgrade fails. Ouch. This will leave your website in limbo, which can only be overcome by updating the files manually using FTP.
Updating your WordPress core files manually requires knowledge of FTP, and of the core WordPress file structure.
We typically update our WordPress clients’ websites in 3 ways:
– Using WP Engine: With WP Engine as the host, we have all our sites on one network. We can then easily update all sites in the network using WP Engine’s dashboard.
– Using InfiniteWP: This piece of software is a master dashboard which gives us visibility over all sites that we’ve produced, via a plugin installed in each site. It’s a great way to control the network, but it can be buggy at the best of times, so it still requires manual checks by us.
– When we are doing any maintenance on your site, usually on a pay for play basis, we do the update there and then. Kind of like going to the dentist, getting a filling, and then getting your teeth cleaned.
2) Plugins are outdated or insecure
Plugins are 3rd party applications that you essentially plug into your website to provide additional functionality. Some of these plugins communicate with other social platforms like YouTube, Picasa, Flickr, Facebook, Instagram etc, and by so doing can leave your website open to hacks. The majority of official plugins are safe, but some commonly used plugins are known to have holes. Again, the best way to stay ahead of the hackers is to update the plugins as new versions are released. It’s the same reasoning as for WordPress itself: the updates are usually there to fix known security issues.
3) Poor password selection
Some hackers get into WordPress by simple trial and error against your WordPress dashboard login. That’s why it’s particularly important to have a username and password that are unique. We are also in the process of installing software that limits the number of login attempts to 3. This is something that WP Engine has as standard.
As mentioned above, our first option is to host our sites with WP Engine, who provide full security consulting and a ‘no-hack’ guarantee: if the site gets hacked they’ll fix it for free. They also provide daily backups, which is reassuring in case something seriously bad happens!
The 2nd option, if you have your website hosted with another provider, is for us to install InfiniteWP and manage your site that way. We will do weekly backups, and quarterly WordPress and plugin updates. It’s still a bit of manual labour for us, and at $180 per year it is more expensive than WP Engine, so we’d obviously recommend moving your site away from your current host.
The last solution is to sit and pray that the hacking gods won’t find you and bring you down. We’ve done that, and still do, even with the aforementioned security measures, but unfortunately it’s an ongoing war. I hope this provides some context into what we do to secure your site, and why it pays to put deadlocks and shutters on.