One of the downsides of using a popular CMS like WordPress is that attackers will try their best to exploit security vulnerabilities in out-of-date versions of the software and its plugins. In this post I’ll outline why someone would want to hack your website, how they do it, and what you can do to prevent it happening to you.
Why would somebody want to hack my website?
Sometimes hackers will do it for fun, just to show you that they can.
Sometimes they’ll hack your website, deface it in one way or another and hold it to ransom. This means you’ll have to pay up before they give you access back or restore it to the way it was before the hack.
The most common reason somebody would want to hack your website is to gain access to another server. Once they have a foothold on a server, they can use it to send spam and phishing emails to unsuspecting web users everywhere. These will usually be the kind of email that asks you to confirm your credit card details or other sensitive information. After a few thousand emails have been sent from your server, its IP address will end up on spam blacklists, rendering it useless to both you and the attackers. Though a blacklisting can be reversed, it’s not something you want to happen in the first place.
How would somebody hack my website?
There are plenty of ways for attackers to find a way in, but the reality is that the weakest link in your website’s security is most likely you. A poorly maintained website with a basic username and password combination won’t present much of a challenge. The most common method of exploiting this weakness is what’s known as a “brute force attack”: the attacker points an automated program at your login page and has it repeatedly attempt to log in using common username and password combinations. These attacks can last for hours or even days, making hundreds of attempts an hour.
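Brute force attempts are easy to see in the web server’s own logs, because every guess is a POST to wp-login.php. The script below is an added example, not part of the original post: it reads a standard combined-format Apache or nginx access log and reports every client that has posted to the login page more than a chosen number of times. It relies on one WordPress behaviour: a failed login is answered with a 200 (the form is shown again with an error), while a successful login is answered with a 302 redirect to wp-admin, so a client with a long run of 200s followed by a 302 is a brute force attack that worked. The log lines inside the block are constructed for the example, not real traffic.

```shell
#!/bin/sh
# Added example (not from the original post): spot brute-force login attempts
# against WordPress in a combined-format (Apache/nginx) access log.
# WordPress answers a failed login to wp-login.php with a 200 (the form again,
# with an error) and a successful one with a 302 to wp-admin, so a client
# with many 200s and then a 302 is a brute force attack that succeeded.

# Read combined-format log lines on stdin and print "ip attempts successes"
# for every client that POSTed to /wp-login.php at least $1 times (default 20).
wp_login_bruteforce() {
    threshold="${1:-20}"
    awk -v threshold="$threshold" '
        # field 6 is the quoted method, 7 the path, 9 the status code
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ {
            posts[$1]++
            if ($9 == 302) logins[$1]++
        }
        END {
            for (ip in posts)
                if (posts[ip] >= threshold)
                    printf "%s %d %d\n", ip, posts[ip], logins[ip] + 0
        }'
}

# Constructed sample traffic, not a real log: 203.0.113.7 makes 25 attempts
# and the last one succeeds; 198.51.100.5 is a legitimate admin logging in.
sample_log() {
    n=0
    while [ "$n" -lt 24 ]; do
        echo '203.0.113.7 - - [10/Mar/2014:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "python-requests/2.2"'
        n=$((n + 1))
    done
    echo '203.0.113.7 - - [10/Mar/2014:02:15:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.2"'
    echo '198.51.100.5 - - [10/Mar/2014:02:16:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"'
    echo '198.51.100.5 - - [10/Mar/2014:02:16:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'
    echo '198.51.100.5 - - [10/Mar/2014:02:16:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 15000 "-" "Mozilla/5.0"'
}

# On a live host: wp_login_bruteforce 20 < /var/log/apache2/access.log
sample_log | wp_login_bruteforce 20
```

Run against the sample it prints `203.0.113.7 25 1`: twenty-five guesses and one success, which is the line that should make you change the password and check the site for anything the attacker left behind. The legitimate administrator, with a single POST, is not reported. The same credential guessing can also arrive through xmlrpc.php if you leave it enabled, so extend the path match to cover that file if your site exposes it.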
How can I prevent my website from being hacked?
Strong login details – Your website’s first line of defense should be a strong username and password combination. The usernames most commonly tried by brute force attacks are generic names like admin, administrator, test, testuser, test1 and so on. They will also try your domain name, so if your website is www.jimsplumbing.com they will try ‘jimsplumbing’. Needless to say, you should NEVER use any of these usernames on your website. Bear in mind too that WordPress does not treat usernames as secret: the author archive page (for example www.jimsplumbing.com/?author=1) reveals the login name of anyone who has published a post, so the password has to carry most of the weight.
Your password should be long and random, not a word, name or date that could be guessed. Preferably, it would be 12 or more characters with a mix of letters, numbers and symbols, and you should never reuse it anywhere else. If that makes it impossible to remember, store it in a password manager rather than settling for a weaker password.
Keep your software updated – WordPress is constantly evolving, and so it needs regular updates. It is highly recommended that you keep your website and all installed plugins up to date. Security is one of the main reasons this software is updated: once a vulnerability is found and fixed, the fix is public, which also tells attackers that older versions are vulnerable, and they actively scan for sites still running them.
WordPress will give you constant reminders if your version is out of date. As soon as you log in you’ll see a prompt to upgrade right at the top of the dashboard. The same goes for plugins: when you view your installed plugins, there will be an update prompt below each plugin that needs one.
Back up your website regularly – While not strictly a preventative measure, it’s always a good idea to keep a recent backup of your website; you never know when you might need one. It’s reassuring to know that you have a clean copy of your website ready to go in case of emergency. Keep that copy somewhere other than the web server itself, since a backup sitting on a compromised server can be deleted or tampered with along with everything else.
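Backups and updates belong together: take the backup first, then apply the updates, so that a plugin update which breaks the site (or a compromise you only notice afterwards) can be rolled back. The script below is an added example and not taken from the post. It uses WP-CLI (the `wp` command, https://wp-cli.org), which the post does not mention, and assumes `wp` is installed on the server and that the site path and a backup directory are passed as the two arguments. `wp core verify-checksums` at the end compares the core files against the checksums published by WordPress.org, which catches modified or extra core files left behind by an earlier break-in.

```shell
#!/bin/sh
# Added example (not from the original post): back up a WordPress site, then
# apply core, plugin and theme updates with WP-CLI. Assumes WP-CLI is
# installed as `wp` and the site lives under the directory given as $1.
set -u

# Dump the database and archive wp-content (themes, plugins, uploads) plus
# wp-config.php into a timestamped directory under $2; prints that directory.
backup_site() {
    site="$1"; dest="$2"
    stamp=$(date +%Y%m%d-%H%M%S)
    out="$dest/$(basename "$site")-$stamp"
    mkdir -p "$out"
    # --add-drop-table so the dump restores cleanly over a tampered database
    wp --path="$site" db export "$out/database.sql" --add-drop-table
    tar -czf "$out/wp-content.tar.gz" -C "$site" wp-content
    cp "$site/wp-config.php" "$out/"
    echo "$out"
}

# Show what is outdated, update everything, then verify the core files.
update_site() {
    site="$1"
    wp --path="$site" core check-update
    wp --path="$site" plugin list --update=available
    wp --path="$site" core update
    wp --path="$site" core update-db
    wp --path="$site" plugin update --all
    wp --path="$site" theme update --all
    # Core files that differ from the WordPress.org checksums, or extra files
    # in core directories, point to a tampered install rather than a bad update.
    wp --path="$site" core verify-checksums
}

# Usage: sh wp-maintenance.sh /var/www/jimsplumbing /var/backups/wp
main() {
    dir=$(backup_site "$1" "$2")
    echo "backup written to $dir"
    update_site "$1"
}

if [ $# -ge 2 ]; then
    main "$@"
fi
```

The backup directory contains wp-config.php, and with it the database password and the authentication salts, so it must not be readable by the web server user, and it should be copied off the machine (scp, rsync or an object store) as soon as it is written. Restore one of these backups into a test site now and again; a backup that has never been restored is a hope, not a plan.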
Use security plugins
BruteProtect – BruteProtect is a free plugin designed specifically to deter brute force attacks. It uses an ever-growing list of blacklisted IP addresses (known for attacking sites) to simply restrict access to your site from suspicious visitors.
Sucuri – Sucuri is another excellent plugin which offers a range of preventative and post-hack features. It can scan your site for suspicious files, notify you of changes to core files, notify you of user logins (failed and successful) and help you identify any underlying weaknesses in your website.
Do you need help with your website?
Remember to get in touch if you need some help with anything I’ve covered in this post.