WordPress website security is extremely important for every website owner. Every day, we at Production Monkeys see attempts by hackers from around the world on the sites we’ve secured. If you’re not quite sure this applies to you, read on! We’ll show you why it matters more now than ever and what you can do right this moment to begin securing your website.
You’re not safe because you’re small.
Many small business owners feel that they are safe from hack attempts because they don’t run a wildly popular website like Fox News or Facebook. This concept is called security through obscurity. Business owners falsely believe that no single hacker is going to search out their small business website and hack it because they feel they have nothing of value to a hacker.
Unfortunately for small business owners who believe this, it is absolutely not the case. Hackers target small business websites because they generally are less secure. In fact, over 40% of cybercrime attacks target small businesses. Because these business owners don’t believe they are targets, they often don’t pay as close attention to their website security. This means a hacker can more easily gain access to these websites than to those of a company like PayPal or Google, which have some of the best computer scientists working around the clock to stop such hacks.
Once a hacker gains access to these “low-hanging fruit”, they are able to install malicious software that attacks the users of the site or redirects users to outside websites using illegal SEO techniques.
Hackers don’t choose the sites they attack.
Most small business WordPress websites that are hacked are not hacked directly by a person. Instead, a hacker creates a script that runs 24/7, visiting domains and searching for obvious and common vulnerabilities. Once the script finds a vulnerability and gains access, it is programmed to do something specific. This could be:
- Install malicious software that downloads to users’ computers
- Steal users’ information as they browse the website
- Redirect traffic to other websites, usually dangerous adult websites or websites selling counterfeit goods
- Run phishing attacks that attempt to steal users’ identities by tricking them into giving information through email or onsite forms
- Deface pages, making the site unusable and replacing it with a message that is important to the attacker
- Hacktool hacks that use your website to attack other websites so that it looks like you or your website is to blame
- Mailer hacks that use your website server to send spam mail until the site is blacklisted
Your info and/or client info is at stake.
Once a hacker has gained access to your website, they can take any information from the website or the database and use it to their advantage. This is why it’s very important to have a unique password for every single website you visit. If you use the same password for any two sites and one of them is exploited, a hacker could then gain access to any other websites that use your email or username and password combination. This is a very common way to quickly steal someone’s identity. Most people don’t want to remember difficult passwords, so they use the same one or two passwords for each site they visit. It may make the password easy to remember, but it also makes you an easy target.
It could damage your reputation.
A hacked website can install malicious software, viruses, or ransomware on a website visitor’s computer, sometimes without the user even realizing what is going on. If this happens because of your website, you’re not only liable, but your reputation with your visitors and customers is likely going to be irreparably damaged.
It’s happening more than you think.
The number of users Google warns about malicious websites grows each year. Recently, it’s been reported that over 50,000 websites are hacked every day, and that number is increasing. In fact, Google currently blacklists around 20,000 sites per week for malware and around 50,000 sites per week for phishing attempts.
What to do?
Here are a few key steps you should be taking with your WordPress website to make it safer from hackers and malicious software.
Use strong passwords.
It may be frustrating to have to manage a big list of complicated passwords, but it is the best way to keep your personal information and your website as secure as possible. Ideally, when you create your WordPress website password, you can use a password generator that creates a random password that is 16 characters long and includes uppercase and lowercase letters, numbers, and special symbols.
Here’s an example of what the new password might look like: P5&gNIdnBSa@3VMD
(Because we’ve posted this publicly, please don’t use it for your new website password.)
You can generate your own password here: https://lastpass.com/generatepassword.php
Don’t use ‘admin’ as your username.
By default, WordPress makes the first administrator username ‘admin’ when you install it. Because this is standard practice, it leaves you vulnerable to attacks that try to brute-force the login. Brute-force login attacks use admin as the username and rapidly bombard your website with password combinations until they are allowed entry into the dashboard and can install malicious code.
When it comes to securing your website, there’s obviously much more than just secure passwords and continued updates. These are just the most commonly vulnerable areas that a hacker might attack.
Keep your site up to date.
Above all else, the number one reason a website becomes vulnerable to hackers is that the software running the website becomes out of date. This has a very simple fix. Keep the website and plugins up to date. We’ve got an entire post devoted to this topic of why you should keep your WordPress site up to date if you’d like to read more. If you’re the DIY type, be careful before you upgrade anything and take a backup of the site in case something were to go awry during the process. Not confident in your backup and reverting skills? Give us a call.
Additional options to discuss with your web developer:
- Install security plugins that add a security firewall to your website.
- Block IPs that attempt to log in multiple times with the wrong password (prevents password guessing or brute-force attempts)
- Filter special character requests and PHP injections through forms and URL variables
- Serve the site over HTTPS by adding an SSL certificate to your hosting account.
- Change the WordPress database prefix
- Disable file editing
If you’d like to talk more about locking down your website from malicious scripts, hackers, and viruses, give the Production Monkeys a call and we’d be happy to help keep you, your business, and your clients safe on the web.