To start with, it is not just WordPress. All websites with a Content Management System (CMS) on the internet are vulnerable to hacking attempts.
WordPress sites are a common target because WordPress is the world’s most popular website CMS. It powers over 33% of all websites, which equals hundreds of millions of websites across the globe.
This immense popularity gives hackers an easy way to find a number of websites that are less secure, so they can exploit them and their shared vulnerability, whatever it may be.
There is a common misconception that hackers are looking to abuse personal data or hold a website hostage. While this can happen, in our experience over 95% of attacks are looking to simply spread spam! They access the server and hijack it to share Viagra links and the like. The other common occurrence is beginners who are learning to exploit less secure sites just for the thrill of it.
This does not diminish the seriousness of the threat. A brand can be significantly damaged by a website being down or showing spam content (especially of an adult nature).
So why does it happen? Let’s take a look at the top 4 reasons and how they can be very simply stopped before a problem arises.
1. Plugins and Themes
Outdated or dodgy plugins and themes are the number one reason we see a website get breached. External plugins and themes can be risky, as they include code that will be run on your application server. Once a vulnerability is located in a theme or plugin, the hacking community spreads it like wildfire and often it is mere hours before millions of sites have been impacted.
Prevention is simple. You should update plugins and themes on a regular basis, as developers will release security improvements. You should also be extremely judicious when picking plugins: keep them to a minimum, and choose only those from reputable developers with good ratings and feedback.
2. Hosting vulnerabilities
This is a simple one.
With website hosting, you generally get what you pay for.
Cheap shared hosting, for a few dollars a month, can be prone to common WordPress hacks. We have seen several occurrences of a cheap hosting provider being targeted and all of the sites on it getting hacked. This can often mean you lose your website completely.
If your web hosting platform has a track record of being unsafe and prone to common WordPress hacks, there’s nothing you can do other than leaving it for a safer alternative.
Start by looking through online reviews and picking a host that has a proven reputation with WordPress sites, and ideally was built to work with WordPress primarily.
We always recommend choosing a provider that is local to you (or at least in the same country).
3. Passwords
Think about your online passwords. Are they strong? I am guessing not.
Your admin password is the master key to your website. It is highly important to use a strong and unique password for every account listed below, as a hacker can breach your website if they get access to any of these accounts:
- Web hosting control panel account
- WordPress admin account
- MySQL databases used for your WordPress website
- FTP accounts
- Email accounts used for the WordPress account
All the accounts mentioned above are protected through passwords. If you use weak passwords, it becomes very easy for hackers to get to your password with some hacking tools.
We recommend using a password vault like LastPass, which will allow you to maintain extremely strong passwords, or, even better, using two-step authentication. Two-Factor Authentication (2FA) turns logging into your website into a two-step process. You log in the regular way, but are then prompted to enter an additional code sent to your phone. This one extra step increases the security of your site exponentially by separating the login into different steps. Check this list of free plugins that will help you set up 2FA. Those hackers that were thinking of trying to mess with your site are probably already changing their minds.
4. WordPress Updates
According to Sucuri’s Hacked Website Report, somewhere between 55-61% of WordPress hack victims were running out-of-date WordPress when they got infected, and that’s definitely not a coincidence.
By default, WordPress security updates are supposed to happen automatically. But some hosts disable that functionality, so you can’t count on that always working.
In our experience, the people who don’t update their sites fall into two camps…
- They put off updates (or ignore them completely) because they’re too busy, OR
- They’re afraid that updating their site will break it (which with a bad theme or plugins can be the case)
If you are in the first camp – what are you waiting for? And if you think your site may break, then taking a backup or speaking to a developer is your best option.
WordPress updates happen for a reason and staying up to date is imperative to your site staying secure.
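One way to check whether automatic updates have been switched off in a site's `wp-config.php`, as an added example that is not part of the original article. The constants are WordPress core's own; the function names and the sample file are made up for illustration.

```python
import re

# define( 'NAME', value ) with the value captured raw, quotes included.
DEFINE_RE = re.compile(r"""define\s*\(\s*['"](\w+)['"]\s*,\s*([^)]+?)\s*\)""", re.I)

def parse_defines(php: str) -> dict:
    """Map constant name -> raw value, ignoring commented-out lines."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.DOTALL)
    php = re.sub(r"(?m)^\s*(//|#).*$", "", php)
    found = {}
    for name, raw in DEFINE_RE.findall(php):
        found.setdefault(name, raw)  # PHP keeps the first definition of a constant
    return found

def php_truthy(raw: str) -> bool:
    """Approximate PHP truthiness for a literal: 'false' in quotes is still true."""
    if raw[0] in "'\"":
        return raw[1:-1] not in ("", "0")
    return raw.lower() not in ("false", "0", "null")

def update_findings(php: str) -> list:
    """List the wp-config.php settings that stop WordPress updating itself."""
    c = parse_defines(php)
    findings = []
    for name, effect in (
        ("AUTOMATIC_UPDATER_DISABLED", "all automatic updates are off"),
        ("DISALLOW_FILE_MODS", "automatic and dashboard updates are blocked"),
    ):
        if name in c and php_truthy(c[name]):
            findings.append(f"{name}: {effect}")
    # Core compares this constant strictly, so only an unquoted false disables it.
    if c.get("WP_AUTO_UPDATE_CORE", "").lower() == "false":
        findings.append("WP_AUTO_UPDATE_CORE: core security releases are not auto-installed")
    return findings

# Constructed sample, not taken from a real site.
SAMPLE = """<?php
define( 'DB_NAME', 'example_db' );
// define( 'DISALLOW_FILE_MODS', true );
define( 'AUTOMATIC_UPDATER_DISABLED', true );
define('WP_AUTO_UPDATE_CORE', false);
"""

if __name__ == "__main__":
    for line in update_findings(SAMPLE) or ["no update-blocking constants found"]:
        print(line)
```

A host can also switch updates off through a filter in a must-use plugin, which a `wp-config.php` check will not see, so an empty result is not proof that updates are on.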
Stop WordPress hack attempts before it’s too late
Your average website owner doesn’t consider security a priority.
When you’re setting up your site, you’re probably more concerned with the look and feel of your website than anything else.
And once you get your site up and running, you’ll turn your focus to churning out great content, neglecting security as you go along.
Obviously, this is a huge mistake.
You don’t want to wait for a WordPress hack attempt BEFORE you start caring about your site’s security – when that happens, it’ll be too late.
Taking the time to mitigate the risks above is a great first step – or reach out and we would be happy to discuss with you in more detail.