“Why would anyone hack my site?” you might ask. Well, let’s be clear: the majority (99%) of attacks are not targeted at a specific company.
The fact is that the great majority of attacks are automated¹.
This means that various bots (pieces of software) developed by hackers crawl the web and look for vulnerable websites.
Then, if they’re successful, the website is added to the hacker’s collection and can be used for any purpose, or sold to other hackers. These websites can then be used as link farms (spam), for ISIS propaganda, for extracting users’ personal (or credit card) information, and anything in between.
You really shouldn’t feel overly safe just because you run a relatively small website.
Hackers don’t discriminate.
A recent example that I think shows this very well is the website of Australian politician Rob Oakeshott. It goes to show that getting hacked can happen to anybody, at really inopportune times.
The website was fixed as of a couple of days ago, but it stayed hacked for two weeks, for anyone googling his name to see.
Hopefully at this point you are wondering what you can do to ensure this doesn’t happen to your website. There are so many different kinds of hacks, and platforms that they can take place on, so I am going to narrow this down to WordPress – one of the most popular frameworks out there, with 25% of all websites now using it, making it a prime target for hackers.
Here are my top 3 tips for WordPress websites that will significantly improve your website’s security.
- Make sure you are running the latest version of WordPress
Running the latest version is probably the most obvious security measure that should be taken. However, with over 86%² of WordPress installations running outdated versions, this point still needs to be stressed. Remember that hackers are actively seeking old and outdated versions – so it is important to stay on top of your updates – just make sure to back up your data first.
Each update of WordPress not only brings new features, but also brings bug fixes and security fixes, which help keep your website safe against the more common, easy-to-exploit vulnerabilities.
You can update your website simply by clicking the ‘Update’ button in your dashboard. Keep in mind, though, that the newest version might not always be compatible with your site; if you aren’t sure, contact a professional to check.
- Make sure you are running the latest version of any plugins or themes
Running the latest version of WordPress is not enough. Often the weakest link in a WordPress website is its themes or plugins, as both can contain vulnerabilities that compromise the security of your WordPress site.
The Slider Revolution plugin is an exceptional example here. Slider Revolution is a popular WordPress plugin used by a large number (1.4 million)³ of WordPress websites. A vulnerable version, still in use by people who had not updated the plugin, allowed malicious users to steal database credentials, which would then allow total compromise of the WordPress site through its database.
Therefore, it is essential to make sure that all the themes and plugins you are using are updated to the latest version. By keeping these up to date, you can ensure that the site is covered with the latest security updates.
If you are on one of our support plans, you will notice that your theme may be upgraded to a newer version every so often. This is us updating the theme to correspond with WordPress’s new security measures, and to make sure all of our code is up to date with the latest conventions and standards. If you aren’t on a support plan, then you should check with whoever manages your site that your theme is keeping up with updates – or simply chat to us about it.
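Checking core, plugins and themes by hand is easy to forget. As an added example (not StudioHawk’s code and not a built-in WordPress feature), here is a small must-use plugin that refreshes WordPress’s own update checks once a day and emails the site administrator a list of pending core, plugin and theme updates, with the reminder to back up first. The plugin name, the `uw_` prefix and the daily schedule are my choices; it assumes WP-Cron is running on the site and that `wp_mail()` can deliver mail from the host.

```php
<?php
/**
 * Plugin Name: Update Watch (example)
 * Description: Emails the site admin a daily list of pending WordPress core,
 *              plugin and theme updates. Copy into wp-content/mu-plugins/.
 */

// Hypothetical cron hook name chosen for this example.
define( 'UW_CRON_HOOK', 'uw_daily_update_check' );

// Queue the daily check once; wp_next_scheduled() prevents duplicates.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( UW_CRON_HOOK ) ) {
        wp_schedule_event( time(), 'daily', UW_CRON_HOOK );
    }
} );

/**
 * Build a list of human-readable lines describing pending updates.
 * The update transients are read directly because wp_get_update_data()
 * checks the current user's capabilities, and cron runs with no user.
 */
function uw_pending_updates() {
    $pending = array();

    // Core: an offer whose response is 'upgrade' means a newer release exists.
    $core = get_site_transient( 'update_core' );
    if ( ! empty( $core->updates ) ) {
        foreach ( $core->updates as $offer ) {
            if ( 'upgrade' === $offer->response ) {
                $pending[] = 'WordPress core -> ' . $offer->current;
                break;
            }
        }
    }

    // Plugins: response is keyed by plugin file, each entry an object.
    $plugins = get_site_transient( 'update_plugins' );
    if ( ! empty( $plugins->response ) ) {
        foreach ( $plugins->response as $file => $info ) {
            $pending[] = sprintf( 'Plugin %s -> %s', $file, $info->new_version );
        }
    }

    // Themes: response is keyed by theme slug, each entry an array.
    $themes = get_site_transient( 'update_themes' );
    if ( ! empty( $themes->response ) ) {
        foreach ( $themes->response as $slug => $info ) {
            $pending[] = sprintf( 'Theme %s -> %s', $slug, $info['new_version'] );
        }
    }

    return $pending;
}

add_action( UW_CRON_HOOK, function () {
    // Refresh WordPress's own update data so the transients are current.
    wp_version_check();
    wp_update_plugins();
    wp_update_themes();

    $pending = uw_pending_updates();
    if ( empty( $pending ) ) {
        return; // Everything is up to date; stay quiet.
    }

    $body = array(
        sprintf( 'Site: %s (running WordPress %s)', home_url(), get_bloginfo( 'version' ) ),
        'The following updates are waiting:',
        '',
    );
    $body   = array_merge( $body, $pending );
    $body[] = '';
    $body[] = 'Back up the database and files before applying them.';

    wp_mail(
        get_option( 'admin_email' ),
        sprintf( '[%s] %d pending update(s)', get_bloginfo( 'name' ), count( $pending ) ),
        implode( "\n", $body )
    );
} );
```

Because it lives in `mu-plugins`, the file cannot be deactivated from the dashboard, which is what you want for a check that should keep running. The email is deliberately a reminder rather than an automatic update, matching the advice above to back up first and check compatibility.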
- Last but not least, make sure your username and password are secure.
I would wager that a good 50% of people that come to me because their WordPress website was hacked were using a username like ‘admin’.
The first thing that hackers will try when logging into a WordPress account is ‘admin’, because it is the most common username.
Here are the stats of attempted logins in the month of May for the StudioHawk website:
Your username is not editable once you have made a WordPress website, and unless you are tech-savvy, changing it (which is recommended if your username is any of the above) may require you to hire a professional.
It goes without saying that your password should also be secure, and if you are using any one of these common passwords⁴ I will be very disappointed. Make sure your password is secure, and is not a combination of common words (e.g. JohnSmith1).
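One way to keep an ‘admin’ account and common passwords from surviving on a site, as an added example rather than anything from this article or from WordPress itself: a must-use plugin that shows administrators a warning while a user named `admin` exists, and rejects a new password on profile updates and password resets if it is on a common-password list, shorter than 12 characters, or contains the username. The short password list is a constructed sample (a real deployment would load a full list such as the one cited above), the 12-character minimum is my choice, and the `cc_` prefixed function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Credential Checks (example)
 * Description: Warns while an 'admin' account exists and rejects common
 *              passwords. Copy into wp-content/mu-plugins/.
 */

// Constructed sample of common passwords for this example only.
function cc_common_passwords() {
    return array(
        '123456', 'password', '12345', 'qwerty', 'letmein',
        'abc123', 'admin', 'welcome', 'johnsmith1',
    );
}

/**
 * Return a reason the password is unacceptable, or null if it passes.
 * Comparison is case-insensitive so 'Password' is caught as well.
 */
function cc_password_problem( $password, $login ) {
    if ( in_array( strtolower( $password ), cc_common_passwords(), true ) ) {
        return 'That password appears on lists of the most common passwords.';
    }
    if ( strlen( $password ) < 12 ) {
        return 'Use at least 12 characters.';
    }
    if ( '' !== (string) $login && false !== stripos( $password, $login ) ) {
        return 'The password must not contain the username.';
    }
    return null;
}

// Profile and user-edit screens: user_pass is only set when a new password
// was typed, so an unchanged password is not re-checked.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return;
    }
    $problem = cc_password_problem( wp_unslash( $user->user_pass ), wp_unslash( $user->user_login ) );
    if ( $problem ) {
        $errors->add( 'weak_password', '<strong>Error</strong>: ' . esc_html( $problem ) );
    }
}, 10, 3 );

// "Lost password" reset form: the new password is posted as pass1.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( empty( $_POST['pass1'] ) ) {
        return;
    }
    $problem = cc_password_problem( wp_unslash( $_POST['pass1'] ), $user->user_login );
    if ( $problem ) {
        $errors->add( 'weak_password', '<strong>Error</strong>: ' . esc_html( $problem ) );
    }
}, 10, 2 );

// Dashboard notice for administrators while a user literally named 'admin' exists.
add_action( 'admin_notices', function () {
    if ( current_user_can( 'manage_options' ) && get_user_by( 'login', 'admin' ) ) {
        echo '<div class="notice notice-warning"><p>'
           . 'An account named <code>admin</code> exists. Create a new administrator with a '
           . 'different username, then delete this one and reassign its content to the new user.'
           . '</p></div>';
    }
} );
```

The notice describes the usual way around the “username is not editable” limitation: rather than renaming the account, create a fresh administrator and delete the old one, reassigning its posts during deletion. Passwords already stored are not affected by the checks; they apply the next time a password is set.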
What is our procedure?
Our procedure is to install a few WordPress security plugins, such as WordFence, and make sure that we are running backups so that, in the event of a hack, we can roll back and fix any exploits with minimal downtime. It is also advisable to limit the number of login attempts, which discourages hackers from attempting to brute-force their way in. However, this doesn’t stop them from using vulnerabilities!
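The login-attempt limit mentioned above is what security plugins such as WordFence provide; as an added example of the same idea (not the plugin’s code and not StudioHawk’s), here is a minimal must-use plugin that counts failed logins per client address in a transient and refuses further attempts for 15 minutes once five have failed. The limits and the `lt_` prefix are my choices. It assumes `REMOTE_ADDR` is the real client address; behind a reverse proxy or CDN the server must be configured to pass the true client IP through, or every visitor will share one counter.

```php
<?php
/**
 * Plugin Name: Login Throttle (example)
 * Description: Temporarily locks out a client address after repeated failed
 *              logins. Copy into wp-content/mu-plugins/.
 */

define( 'LT_MAX_ATTEMPTS', 5 );                 // failures allowed per window
define( 'LT_WINDOW', 15 * MINUTE_IN_SECONDS );  // window and lockout length

// Client address as seen by PHP; see the proxy caveat above.
function lt_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
}

// Transient key for this client (hashed to stay within key length limits).
function lt_key() {
    return 'lt_fail_' . md5( lt_client_ip() );
}

// Number of failures recorded in the current window (0 when none).
function lt_failures() {
    return (int) get_transient( lt_key() );
}

// Count each failed attempt. Setting the transient again renews its expiry,
// so hammering a locked-out address keeps the lockout alive.
add_action( 'wp_login_failed', function ( $username ) {
    $n = lt_failures() + 1;
    set_transient( lt_key(), $n, LT_WINDOW );
    error_log( sprintf(
        'login failed for "%s" from %s (%d/%d)',
        $username, lt_client_ip(), $n, LT_MAX_ATTEMPTS
    ) );
} );

// Refuse logins once the limit is reached. Priority 30 runs after WordPress's
// own username/password check (priority 20); an earlier priority would let the
// core check overwrite this error with a successful WP_User on a correct guess.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( lt_failures() >= LT_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed logins. Try again in %d minutes.', LT_WINDOW / MINUTE_IN_SECONDS )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( lt_key() );
} );
```

The `error_log()` line gives the hosting log a record of who was guessing which usernames, which is the sort of data behind the login statistics mentioned earlier. As the article notes, throttling only blunts password guessing; it does nothing against a vulnerable plugin or theme, so it complements the update advice rather than replacing it.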
If you have any doubts about your website’s security, have a chat with us and we will have a look at it for free – no obligations – just peace of mind.
Get in touch!
¹ ‘Why do websites get hacked?’ by Tony Perez – https://blog.sucuri.net/2015/02/why-websites-get-hacked.html
² ‘WordPress Stats’ by WordPress – https://wordpress.org/about/stats/
³ ‘Slider Revolution Active Installs’ by BuiltWith – http://trends.builtwith.com/websitelist/Slider-Revolution
⁴ ‘The 25 Most Popular Passwords of 2014’ by Gizmodo – http://gizmodo.com/the-25-most-popular-passwords-of-2014-were-all-doomed-1680596951