Maintaining a blog is a colossal amount of work. It sounds like a truism meant only to feed the vanity of bloggers, but it isn’t. A year ago I started a web design blog, and I expected that its administration would consume a lot of time and resources.
In spite of all my preparations, I underestimated how much time and how many resources I would have to allocate to running the blog: promoting the blog posts takes more time than writing them, the homepage is never completely designed, and monetization is a complex task. These are just a few of the lessons I have learned from this experience.
In this light, neglecting the security of your blog is understandable, but it’s certainly not a smart idea. I was one of the many bloggers who simply didn’t care about security. I have a strong antivirus, a strong password and I have tried to stay away from “dangerous websites”. I thought that this was enough to avoid being hacked, but reality proved me wrong.
Consequently, a few months ago I decided to get my hands dirty with WordPress security; now I want to share my opinions with you. First of all, I am a non-developer blogger and for a long time I associated WordPress security with a certain level of PHP proficiency. I talked with other bloggers and they shared the same idea; it would be great to know whether you agree with me or have a different viewpoint. Right now I think that it is only partially true: you can take care of your website’s security without being a PHP wizard. Of course, the better you know PHP, the better you can protect your website! Wrapping up, anyone can substantially improve the security of a WordPress blog! The only requirements are passion, time and a bit of good luck!
Secondly, I thought that if a hacker wanted to break into my website, it would only be a matter of time until he/she managed it. I haven’t changed my mind, but I learnt how to harden my blog. There is no 100% secure website, but you can take action and make hacking a website a real hell. I purposely bolded “a matter of time”: there is a huge difference between a website that can be hacked in just a few hours and one that takes a week. Only hackers on spying missions will invest their resources in permanently trying to hack a website.
Thirdly, the terms specific to WordPress security make most bloggers run away from this area. Yes, some terms are hard to describe and understand, but nobody was born a top-level security expert. Step by step, any blogger can learn how to secure his blog and the terms related to website security. In the next lines I will explain some of these terms to you.
Unfortunately, it’s not enough to study WordPress security; you should put the theoretical knowledge into practice. Here is my personal guide to securing a WordPress-powered website. I believe that it is a good starting point for a non-developer blogger; it’s perfectible and I am open to your suggestions.
The golden rule of website security says that it’s better to prevent than to clean up. I strongly emphasize that taking proactive measures is the best way to assure the security of your blog. The developers behind WordPress work day and night to make better and more secure versions, but at the same time hackers try by all means to find new vulnerabilities.
Bingo, what is a vulnerability? This term describes a weakness in a product that allows an attacker to compromise that product. It’s not a very complex definition, but I think it captures the essence of the term. If you want a more insightful definition, this article from Microsoft is your next read!
The latest Sucuri report demonstrates that website security isn’t a luxury and that attacks are more and more sophisticated. Besides, WordPress is the leading CMS by number of attacks! My intention is not to alarm you; I want to present the exact situation and give you a plan to improve your website security.
1. Pick quality hosting
There are tons of blogs treating the matter of picking the right hosting; in spite of that, all the answers begin with “it depends on” (if you can call them answers when they begin with “it depends on”). WP White Security informs us that 41% of hacked websites are hacked because of the hosting provider.
It’s pretty difficult to trust hosting reviews because they aren’t accurate due to affiliate marketing commissions (don’t get me wrong, there are still blogs that offer objective reviews). However, I think that the recommendations of WordPress.org should work best in terms of reliability, speed, customer service and, obviously, security! The main drawback is the cost, but quality can’t be achieved at low prices!
2. Update your WordPress version, themes and plugins
Please don’t disregard the article just because of this piece of advice. It sounds stupid, but you should know that outdated software is one of the vulnerabilities hackers use most to get control of a website. Or maybe this tip isn’t as stupid as you think: a smart hacker can obtain a lot of data by exploiting plugins or themes that aren’t updated. I guess everyone has heard about the Panama Papers. Well, a vulnerable version of an extensively used plugin called Revolution Slider is believed to be behind that huge data loss! In this situation, the breach had positive effects: people found out the names of the leaders who hide money from them.
It’s a real paradox: the simpler a method of protection against being hacked is, the more it is ignored! Plugins have the most vulnerabilities (there is more code behind a plugin), but WordPress versions and themes should be updated too. Imagine that a hacker finds out that you use an old WordPress version. Almost certainly, any hacker has a database of WordPress versions and their vulnerabilities. This is a helpful archive in this respect and it can be used freely by any hacker! Of course, hackers update their databases as soon as a new vulnerability is found! Take their example and update your themes, plugins and WordPress version to avoid security issues!
3. Strong passwords – strong websites
It is another widely spread security tip that everyone knows. In spite of this, almost 8% of websites are hacked due to weak passwords. Honestly, I think that you have no excuse for being hacked in this way! Sometimes hackers use sophisticated methods to steal your account credentials, but sometimes they use brute force. Yes, this is another term specific to website security!
The concept of brute force is simple: the hacker tries various combinations of username and password to get into your website. It’s a laborious job and it requires much guesswork and time. Unfortunately, there are software solutions that do the dirty job and they are extremely fast. If your username is admin (which is a very common username), then you give the hackers precious help!
4. Limit login attempts
One of the most efficient solutions against brute-force attacks is to limit the number of login attempts. The concept is simple and effective: the website admin limits the number of unsuccessful login attempts. For example, if a user has attempted to log in five times in a row, his/her IP is blocked or he/she can only try to log in again after a specific period of time. Luckily, there are some trusty plugins such as Jetpack Protect, Login LockDown, and Login Security Solution. Of course, the plugins come with many additional features: you are able to monitor the IP addresses attacks come from, get a notification when an account is hacked and customize the number of login attempts.
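To show what the limiting mechanism looks like underneath those plugins, here is an added example written for this page. It is my code, not the post’s and not taken from Jetpack Protect, Login LockDown or Login Security Solution, and it uses only WordPress core hooks and transients; the wpsec_ function names and the five-attempt, 15-minute values are my own choices, and it assumes a WordPress install running on PHP 7 or later.

```php
<?php
// Added example (not from the post or any plugin it names): a minimal login
// attempt limiter built from WordPress core hooks and transients only.
// Assumes PHP 7+. Saved under wp-content/mu-plugins/ it loads automatically.

const WPSEC_MAX_FAILURES    = 5;    // failed attempts allowed before a lockout
const WPSEC_LOCKOUT_SECONDS = 900;  // lockout window: 15 minutes

// Key the failure counter by client address. Behind a CDN or reverse proxy,
// REMOTE_ADDR is the proxy, so every visitor would share one counter; in that
// setup, set REMOTE_ADDR from a header you trust before this code runs.
function wpsec_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'wpsec_fail_' . md5( $ip );
}

// Count every failed login. The transient expires by itself after the lockout
// window; each further attempt during the lockout renews it.
function wpsec_record_failure( $username ) {
    $key   = wpsec_client_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, WPSEC_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'wpsec_record_failure' );

// Refuse authentication while the counter is at or above the limit. Priority 30
// runs after core's username/password checks (priority 20), so a locked-out
// client receives the same generic error whether or not the password was right.
function wpsec_block_if_locked( $user, $username, $password ) {
    if ( (int) get_transient( wpsec_client_key() ) >= WPSEC_MAX_FAILURES ) {
        return new WP_Error(
            'wpsec_locked',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}
add_filter( 'authenticate', 'wpsec_block_if_locked', 30, 3 );

// A successful login clears the counter for that client.
function wpsec_clear_on_success( $user_login, $user ) {
    delete_transient( wpsec_client_key() );
}
add_action( 'wp_login', 'wpsec_clear_on_success', 10, 2 );
```

Because the authenticate filter is applied for every login path that goes through wp_authenticate, this covers XML-RPC logins as well as the wp-login.php form. Limiting attempts per address slows down guessing; it does not replace a strong password and a second factor.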
5. Two-step authentication
This measure is more complicated, but it significantly reduces the risk of being hacked. It’s about two-step authentication, a new term from the website security area. This designates the method of using a supplementary code or password to log in to your website. It’s not complicated at all, but it requires extra time. Practically, you enter your “conventional” credentials and a code is then sent to your smartphone. Once you receive it and type it into the form, you are able to log in. Pretty hard to hack a website that uses two-step authentication, isn’t it? On top of that, it’s simple to implement! Of course, as for any WordPress-related problem, there is a plugin to resolve it! WPMU Dev proposes six reliable and efficient plugins for implementing two-step authentication.
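When the second step is an authenticator app rather than a text message, the six-digit code is produced by the time-based one-time password algorithm (RFC 6238), and the site checks it server-side. The following is an added example written for this page of that check in PHP 7 or later; it is my code, not the post’s and not the code of any of the WPMU Dev plugins mentioned. The wpsec_ names are mine, and it assumes the shared secret is stored base32-encoded, which is the form authenticator apps receive when a site is enrolled.

```php
<?php
// Added example (not from the post or any plugin it names): server-side check
// of a six-digit TOTP code (RFC 6238) as generated by authenticator apps.
// Assumes PHP 7+ and a base32-encoded shared secret per user.

// Decode a base32 secret (RFC 4648 alphabet; padding and spaces tolerated).
function wpsec_base32_decode( $secret ) {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $secret   = strtoupper( str_replace( ' ', '', rtrim( $secret, '=' ) ) );
    $bits     = '';
    for ( $i = 0, $n = strlen( $secret ); $i < $n; $i++ ) {
        $val = strpos( $alphabet, $secret[ $i ] );
        if ( false === $val ) {
            return ''; // not valid base32
        }
        $bits .= str_pad( decbin( $val ), 5, '0', STR_PAD_LEFT );
    }
    $bytes = '';
    foreach ( str_split( $bits, 8 ) as $chunk ) {
        if ( 8 === strlen( $chunk ) ) {
            $bytes .= chr( bindec( $chunk ) );
        }
    }
    return $bytes;
}

// HMAC-SHA1 over the 30-second time-step counter, dynamic truncation, then the
// last $digits decimal digits (RFC 4226 section 5.3 / RFC 6238 section 4).
function wpsec_totp( $key, $timestamp, $step = 30, $digits = 6 ) {
    $counter = pack( 'J', intdiv( $timestamp, $step ) ); // 64-bit big-endian
    $hash    = hash_hmac( 'sha1', $counter, $key, true );
    $offset  = ord( $hash[19] ) & 0x0f;
    $binary  = ( ( ord( $hash[ $offset ] ) & 0x7f ) << 24 )
             | ( ord( $hash[ $offset + 1 ] ) << 16 )
             | ( ord( $hash[ $offset + 2 ] ) << 8 )
             | ord( $hash[ $offset + 3 ] );
    return str_pad( (string) ( $binary % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

// Accept the current step plus one step either side to absorb clock drift, and
// compare in constant time so response timing does not leak a partial match.
function wpsec_verify_totp( $base32_secret, $code, $now = null, $window = 1 ) {
    $key = wpsec_base32_decode( $base32_secret );
    if ( '' === $key || ! preg_match( '/^\d{6}$/', $code ) ) {
        return false;
    }
    $now = ( null === $now ) ? time() : $now;
    for ( $i = -$window; $i <= $window; $i++ ) {
        if ( hash_equals( wpsec_totp( $key, $now + $i * 30 ), $code ) ) {
            return true;
        }
    }
    return false;
}

// Usage with the RFC 6238 Appendix B test vector: the ASCII secret
// "12345678901234567890" is GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ in base32, and at
// T=59 the six-digit SHA-1 code is 287082.
var_dump( wpsec_verify_totp( 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ', '287082', 59 ) );
```

A real plugin runs this check only after the username and password have already been accepted, and should also remember which time step was last used for a user so that the same code cannot be replayed within the window.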
6. Disable login hints
To be honest, I hadn’t paid attention to the fact that when you type the username or the password wrongly, you get a message informing you that the username is incorrectly typed or that the password doesn’t match. So a hacker gets a confirmation from your website if he/she manages to find out your username. For instance, if the username is “admin”, the hacker will be notified that he/she typed the password wrongly; certainly the username “admin” is tried by every hacker! In this case, half of the job is already done.
Luckily, it’s simple to make this hint disappear: just add the next lines of code to your functions.php file. If you aren’t too keen on the WordPress core files, this video from WordPress Beginner sheds light on this matter.
function no_wordpress_errors() {
    // Return the same message for every failed login, so the form never reveals whether the username or the password was the wrong part.
    return 'Bad luck! Back off!';
}
add_filter( 'login_errors', 'no_wordpress_errors' );
7. Keep your computer safe
Applying all the above tips will make your website more secure than the huge majority of them, but it is still vulnerable. Another method used by hackers to break into a website is to infect the computer of the website administrator. Usually, an administrator periodically checks her/his website and it’s a pity to be hacked by a virus stored in your computer’s files!
Consequently, you should have strong antivirus software installed on all your devices; some of them are even free, so you have no excuse!
8. Avoid phishing and spear phishing attacks
Both terms are specific to website security and to some extent I think that all of us have been victims of such campaigns. If you have received unwanted messages about medicines and magical solutions to improve your sex life, then you were a victim of this method.
As you have probably deduced, phishing is a fraud in which the attacker tries to get credentials or other kinds of login information by posing as a trusted entity. These attacks usually happen via email.
Spear phishing is a finer version of phishing: it’s a targeted attack. However, anyone may be the victim of a phishing attack!
Many WordPress-powered websites are blogs, and bloggers tend to get in touch with lots of people: readers, potential sponsors, other bloggers, guest writers, website buyers etc. Therefore, I recommend paying attention to any email received from unknown people. For instance, I received an email informing me that a rich investor from Canada was interested in buying my domain and was ready to pay good money. It was a wow offer for me, in fact too attractive to be true! I searched online for “this rich investor” and I found out that he was interested in many other domains. I was supposed to purchase a certificate (from a scam agency) and eventually provide them with the credentials. To be honest, I was ecstatic when I first read the email and I was almost on the point of buying the certificate. Surely, other WordPress bloggers have experienced the same situation and feelings. Unfortunately, some bloggers have probably bought the certificate and maybe provided the login credentials.
How to Determine if a Website is Hacked
Unfortunately, there are cases in which even the most vigilant website administrators are fooled by viruses or hackers. Therefore, it’s recommended to have a solid grasp of how to determine whether your website is really hacked. Also, it’s a good idea to have a clear delimitation between a security breach and a plugin or theme malfunction. Sometimes a plugin or a theme may not work properly for various reasons and you can panic that the website is hacked.
Here I suggest some tools that give you a clear evaluation of your website’s security!
1. Google Search Console
Google Search Console (formerly known as Google Webmaster Tools) is a precious resource that gives website administrators useful insights (indexing, search traffic, crawl aspects and security) about the websites they manage. Search Console users can set it up to be notified any time Google identifies suspicious activity regarding the website. Also, here you get some valuable information when the website is hacked.
Wrapping up, if you own or administer a website, Google Search Console is a tool that you should use frequently, and you should start using it if only to secure the website.
This is another tool provided by Google and it follows the same pattern: it’s simple and efficient. You type the name of the website into the search box and Google gives you the verdict in no time. Let’s hope that the current status will be “not dangerous”!
3. Google organic search
Yes, it’s a good indicator for checking your website, but it should be regarded as a last resort. Google tends to flag hacked websites in search listings. Quite probably, you spend a lot of resources to earn the first or second position in the search results. It’s totally unwanted to be number one when users search for your keyword and have Google flag your website with messages such as “This website may harm your computer” or “This site may be hacked”! Also, users will avoid clicking your website’s name!
4. Analytics tools
Usually, a hacked website is associated with a traffic spike, so you should check your analytics in this respect. Of course, a traffic spike should be a reason for happiness, but sometimes it is better to be circumspect!
Aside from these tools, webmasters have at their disposal many online scanners that are able to provide useful information and helpful security hints. Here is a list of some of the most appreciated by WordPress users, in no particular order:
1. Sucuri
Sucuri is a famous provider of WordPress security solutions and their scanning tool works as a magnet to attract new customers. Obviously, it lets you know if your website is suffering from injected spam, defacements or malware.
2. Virus Total
Virus Total is a simple tool that does a great job. It allows you to scan a file or a URL and informs you about the viruses found; let’s hope that Virus Total will report 0 viruses found. In spite of its simple design, behind this tool there is an active community waiting for you to join them.
3. SpamHaus
SpamHaus is a great security help for any type of website. It has two distinct tools: IP Address Lookup and Domain Lookup. The first tool is useful to determine whether an IP address is associated with spam or illegal activities. For example, if you noticed that an IP address attempted multiple times to log in to your website, you should check it and find additional information about it.
The second tool, the Domain Lookup, tells you whether your website is on their list of spam sources. I wish you never to be added to this list, but in case you are, SpamHaus offers information about how to resolve your security issues and finally be erased from the list.
4. Quttera
Quttera is another impressive tool that should be used periodically by anyone interested in his/her website’s security. It analyses a lot of files, therefore it takes some minutes before listing the result. Also, because multiple websites are analyzed simultaneously, it is possible to get a message asking you to try their services later. It’s not OK, but the services are free and top-quality, so a little bit of patience is golden!
5. Acunetix
Unlike the previous tools, this one requires a subscription, but it’s similar in terms of efficiency and usefulness. Acunetix is a security leader and their online scan offers lots of precious information. They have a special offer: 14 days to test for free and benefit from their services.
How to Clean a Hacked Website
In spite of so many tools for hardening website security, there are still tens of hacked websites each day! I hope that the next subparagraphs will be just reading for improving your general knowledge and not something you have to put into practice. You guessed it: in the next lines we will discuss how to clean up after a hacker attack.
First of all, in these cases it’s inestimable how important a backup copy is. Fresh content is required to keep a strong connection with the readers and feed the search engine spiders. Many WordPress creations are blogs or news magazines, so you shouldn’t lose your content if you are hacked. There are tons of solutions to back up your website and many are free. Check this list of backup plugins provided by WP Beginner or this article written by a WPMU Dev expert.
Secondly, you should stay calm! If you panic, it’s quite possible that you will take the wrong decisions! Don’t forget, there is nothing that can’t be repaired. Thirdly, if you are a non-developer blogger, it’s better to ask for the services of a website security agency. The prices are expensive for a low-budget website, but you have the certainty that the cleaning is done by experts.
Altogether, a courageous non-developer blogger is able to clean his/her hacked website. Here is a personal strategy for cleaning a website; I hope that you will never be forced to apply it to your website, but it’s wise to pay close attention to each of the steps below.
1. Get in touch with your host
Usually, on shared hosting, the hack may have affected more websites and the hosting team has already been alerted by the time you ask for help. Also, a reliable hosting company has a security team that frequently deals with various types of hacker attacks. Consequently, the security specialists are able to help a non-developer website administrator. Follow their advice and you have good chances of minimizing the effects of the hack.
2. Change the passwords and restore a backup
Before starting to clean the infected files, you should change the passwords, both yours and those of the other website users. If you have a backup solution, then you are lucky: you just roll back to a previous version and the infected files disappear. Make sure the backup you restore predates the compromise, otherwise you restore the infected files along with it. You should still be cautious when applying this method, as you may end up losing important pieces of content. This is the reason why it is so important to create backups on a daily basis.
3. Determine the infected files
This is the most demanding step; finding the infected files is a difficult job. Non-developer administrators should ask the hosting team which files are hacked. Usually, the host will email a list of the infected files and some directions about how to clean them.
Another solution is to use online scanners that provide guidance in cleaning the website. They point out the infected files and what kind of actions you should take. Once you know which files are infected, you should remove and replace them file by file.
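One concrete check a non-developer can run without a host or a scanner is to compare the WordPress core files on disk against the checksum list WordPress publishes for every release, which is what WordPress’ own update code uses. The script below is an added example written for this page; it is my code, not the post’s and not the code of any tool the post names. It assumes PHP 7 or later on the command line, run from the WordPress root, with outgoing HTTPS allowed (allow_url_fopen); the wpsec_ names are mine. It reports core files that differ from the release, core files that are missing, and PHP files inside wp-admin or wp-includes that the release never shipped, a common place for planted files.

```php
<?php
// Added example (not from the post or any tool it names): compare WordPress core
// files on disk with the official checksum manifest for the installed version.
// Assumes PHP 7+, run from the WordPress root, with allow_url_fopen enabled.

// Read the installed version from wp-includes/version.php without including it.
function wpsec_installed_version( $root ) {
    $src = @file_get_contents( $root . '/wp-includes/version.php' );
    if ( $src && preg_match( '/\$wp_version\s*=\s*[\'"]([^\'"]+)[\'"]/', $src, $m ) ) {
        return $m[1];
    }
    return null;
}

// The manifest endpoint used by WordPress' own update code. It returns
// {"checksums": {"relative/path": "md5", ...}} or {"checksums": false} when
// the version is unknown.
function wpsec_fetch_checksums( $version, $locale = 'en_US' ) {
    $url  = 'https://api.wordpress.org/core/checksums/1.0/?' .
            http_build_query( array( 'version' => $version, 'locale' => $locale ) );
    $json = @file_get_contents( $url );
    $data = $json ? json_decode( $json, true ) : null;
    return ( is_array( $data ) && ! empty( $data['checksums'] ) ) ? $data['checksums'] : null;
}

function wpsec_verify_core( $root, $checksums ) {
    $report = array( 'modified' => array(), 'missing' => array(), 'unexpected' => array() );
    foreach ( $checksums as $rel => $md5 ) {
        $path = $root . '/' . $rel;
        if ( ! is_file( $path ) ) {
            $report['missing'][] = $rel;
        } elseif ( md5_file( $path ) !== $md5 ) {
            $report['modified'][] = $rel;
        }
    }
    // PHP files inside the core directories that are not in the manifest were
    // not shipped by WordPress. wp-content is left out on purpose: plugins,
    // themes and uploads legitimately differ from site to site.
    foreach ( array( 'wp-admin', 'wp-includes' ) as $dir ) {
        $it = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator( $root . '/' . $dir, FilesystemIterator::SKIP_DOTS )
        );
        foreach ( $it as $file ) {
            $rel = str_replace( '\\', '/', substr( $file->getPathname(), strlen( $root ) + 1 ) );
            if ( substr( $rel, -4 ) === '.php' && ! isset( $checksums[ $rel ] ) ) {
                $report['unexpected'][] = $rel;
            }
        }
    }
    return $report;
}

$root    = getcwd();
$version = wpsec_installed_version( $root );
$sums    = $version ? wpsec_fetch_checksums( $version ) : null;
if ( ! $sums ) {
    fwrite( STDERR, 'Could not load checksums for version ' . var_export( $version, true ) . "\n" );
    exit( 1 );
}
foreach ( wpsec_verify_core( $root, $sums ) as $kind => $files ) {
    printf( "%s: %d\n", $kind, count( $files ) );
    foreach ( $files as $f ) {
        echo "  $f\n";
    }
}
```

If WP-CLI is installed, the command wp core verify-checksums performs the same comparison. Plugins and themes are not covered by this manifest, and they are where most infections live, so a clean result here is necessary but not sufficient; a file listed as modified can be replaced with the copy from a fresh download of the same version.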
4. Update everything
Well, I am sure that if you have had your website hacked, the matter of updating WordPress core, themes and plugins will be treated way more seriously.
5. Request a review from Google
If you are hacked, Google will most likely be the first one to find out. Website administrators are warned via Google Search Console about possible security issues, but Google warns Internet users about hacked websites too. Of course, not only Google warns users about hacked websites; the rest of the search engines and even the browsers notify users about hacked websites.
Definitely, it severely damages the traffic: who dares to visit a website when Google tells you that the respective address is used by a hacker? Consequently, a website administrator should act fast and clean the website. Immediately after finishing this job, Google should be informed that the website is clean and asked for a review.
I hope that the security specialists will confirm that the website doesn’t have any malicious code and is safe for users. Either way, here is a guide elaborated by Google to help you deal with this matter.
As I previously said, in the WordPress world miracles are possible and many of them take the shape of plugins. The WordPress repository is full of highly efficient and actively maintained plugins that are free tools to harden your website. Here I have listed some of the best solutions for you, in no particular order.
Wordfence Security has 1+ million active installs and a 4.9 out of 5 rating. I have spent much time in the WordPress repository and I don’t know another plugin having so many active installs and such a good rating at the same time. These statistics should convince you of its mighty power. I am a user of this plugin (no affiliate links here) and I recommend it to anyone who doesn’t want to spend much time on website security. It does everything you need to make your website a real fortification that stands up against hackers’ attacks.
It’s unbelievable, but the plugin is free! You have tons of features even in the free version. If you still want more, there is a premium plan for this amazing plugin. You should check the official Wordfence website for more details; the Learn Center is a precious source of information for any WordPress user and you should use the experience of Wordfence specialists to harden your website.
This is another plugin that fully deserves your attention. It’s a popular plugin, extensively used by many WordPress websites; in other words, it’s reliable, efficient and powerful. The plugin is built taking into account the needs of a non-developer WordPress user, so there will be no problems when configuring it. The interface is attractive and designed to maintain the interest of the user. For instance, the security strength meter is an original and eye-catching solution.
Among other important features, you have protection against brute-force login attacks, complete information regarding account activity, scheduled backups, different firewalls you can add, and import/export of security settings.
This is another top-notch plugin that won’t let anyone hack your website. Its previous name was Better WP Security; it is the same efficient tool against website attackers. Some of the settings may be confusing for less experienced WordPress users, but this article is a golden nugget for them. Here you have clear and precise explanations, plus a bonus: a short video to watch about how to better configure the plugin. Aside from hardening your website, iThemes Security creates backup versions of the website, therefore it has two major roles: backup solution and security strengthening plugin.
Sucuri is a well-known company for anyone who has a solid grasp of online security. Their WordPress plugin is a great tool that helps users significantly improve the security of their websites. Among many options and features, the developers claim that one of the most underrated functions is security activity monitoring. Practically, the website admin is able to see any modification/activity by the users. In simple words, Sucuri Security gives you the possibility of preventing security breaches. Obviously, the plugin is efficient against brute-force or Denial of Service attacks. Well, it’s time for another term: Denial of Service. The explanations from Wikipedia are clear and the examples are suggestive.
According to Wikipedia, a Denial of Service can be compared to the situation where hundreds of people are struggling to enter a shop simultaneously.
Clearly, nobody can get through the door and in this way the shop is blocked. The same idea applies to a website: the attacker prevents legitimate users from logging in to the website.
This is the end point of our journey; if you carefully read this post and apply at least half of the tips presented, the chances of being hacked are low and you can fully focus on other aspects. Still, website security is a dynamic field and you should stay up to date with the latest news. As you see, hardening your WordPress website isn’t as complicated as it sounds for a non-developer blogger. Almost everything can be resolved with the help of a plugin.
In the end, I am curious to find out your opinion about WordPress security and what you are going to do to improve the security of your websites. The more opinions, the better for all of us! Of course, you can share the post with your friends to let them know how to secure their websites.