How to Prevent Your WordPress Website from Being Attacked

WordPress is known as the best blogging platform for a reason. I am sure everyone knows it as an amazing CMS platform which enfolds a multiple number of features and functions on it. One excellent thing with WordPress is it has got a plenty of plugins and resources which helps in enhancing the functionality of any website.

How to Prevent Your WordPress Website from Being Attacked

The recent attack on WordPress blogs by unidentified hackers has brought the vulnerability of WordPress to attention. Categorized as ‘brute force’ attacks, they made the news and warned WordPress site owners – once again – that it is in their best interests follow safety best practices.

The Evolution of WordPress

It has taken WordPress 10 years to become the most popular web content management system in the world. It is estimated that 22% of new sites and approximately 60 million sites in all, are powered by WordPress. CNN, eBay, Forbes and Sony are just some of the leading brands that maintain WordPress sites. The CMS generates over 4 billion page views and close to 40 million posts each month. According to website monitoring service Pingdom, WordPress is the blogging system of choice for the world’s top 100 blogs.

These numbers will definitely give you an idea about the massive impact of WordPress on businesses and individuals using the cyberspace.

Even as WordPress has evolved, sites and blogs powered by this system have become the favorite targets of hackers. The bottom line is, WordPress security must be taken seriously. If you are not aware of the security risks and the mitigators/controls you can use to bring risks to acceptable levels, read on.

Vulnerabilities in WordPress and How You Can Counter Them

To understand how you can safeguard your WordPress site against malicious intents, you first need to know about the vulnerabilities in the system. An idea about the possible ways in which your WordPress site/blog can be attacked, can prepare you for counter-measures at your end. These are the most common attacks on WordPress powered sites:

1. Brute-force password attacks:

If your site has been the victim of a brute force attack, then right off the bat, it can be assumed that your username and password credentials are not up to the mark. Basically, this type of attack involves trying to guess your username and password. So, if you still have the default ‘admin’ username or a weak password, you are extending an open invitation for attacks. Keep in mind that brute force attacks don’t stop after one failed attempt; attackers keep at it and manage to get the better of you. The persistent attempts at infiltrating your site can cause performance issues as they take a huge toll on your server memory.

How do you prevent it? The basic precautionary measure you can take includes not continuing to use the ‘admin’ username. Create a unique and hard-to-guess user with Administrator rights. If your name is Jennifer or Tim – which you display publicly on your blog – don’t use the same as your username. That would make it too easy for anyone to guess. It cannot be emphasized just how important it is that you set a strong password. A good one will have lower and upper case letters, characters and numbers. An example for a complex password is B5l(78)O12g9 or IlOve&28BlOg. Here are some don’ts of creating a password:

  • don’t use string numbers in sequence like 456789
  • don’t contract your domain name, username or company name; avoid permutations of these names as well
  • don’t create alphabet-only or only numerical passwords
  • don’t create short passwords, i.e. less than 8 characters long
  • avoid using a word from the dictionary as your password
  • never use a password that is the same as your username!

You can also consider installing a login limiter for WordPress. This basically quarantines or blocks a username/IP address that is trying and failing to complete login requests above a specific threshold rate. For instance, a penalty time-out of one hour can be imposed on a limit of 10 attempted logins every 5 minutes. Such limits will discourage and frustrate hackers as they won’t be able to try enough variations to gain illegal access.

2. Cross-site scripting:

Abbreviated as XSS, cross-site scripting allows attackers to inject client-side scripts into webpages being viewed by other users. Attackers may take advantage of this vulnerability to circumvent access controls.

In script injection, attackers look for one of your site’s input elements – such as the name, search or contact field – and inject malicious JavaScript or PHP commands. There are many ways in which such an attack can compromise your WordPress site. Attackers may make their way into your database, insert data and make it visible to your visitors. They may steal sensitive customer or financial information, impersonate users by accessing and hijacking session information (communication between site and users), and even bring down your entire site.

How can you prevent it? There are different measures you can take to combat cross-site injection. File validation, data validation and output sanitization are some techniques. As these involve some technical background, it is best to look them up and understand them in their entirety, for successful application.

3. Attacks on specific vulnerabilities in older WordPress versions or WordPress plugins:

It is not uncommon to hear about attacks on older WordPress versions. If you are using a version of WordPress after 2.8.3, you’re on the safe side; it is however advised that you upgrade to the latest version (3.5.1), which includes a number of fixes that can keep your site safe. Out-of-date plugins are extremely vulnerable to attacks – if you have been holding back on updating to newer versions, it’s time to do the right thing.

A good way to prevent hacking is to use quality plug-ins with good ratings, many downloads and active author support. Reliable authors will address security issues and accordingly update their plug-ins.

How to Keep Your WordPress Site Secure

WordPress site/blog owners can take a number of precautionary steps to strengthen security. Here are some you can invest in.

  1. A basic technology update to keep hackers away from identifying system loopholes is essential. There are many areas where hackers can spot loopholes and plan attacks. A comprehensive technology update will include malware checks, laptop password updates and anti-virus updates. Also make sure that your operating system, ISP and router have adequate firewalls.

  2. It is important that you back-up your entire database using a plug-in or even manually. You can choose from some excellent plugins that perform automatic full-site backups, such as BackUpBuddy (available on a yearly subscription and the easiest option for restoring a WordPress site), VaultPress (monthly subscription) and WordPress Backup to Dropbox (free and premium).

  3. As mentioned earlier, don’t hesitate to update plug-ins or your WordPress site, fearing that it would break your website. Some best practices in this regard include (a) ensuring that back-ups are up-to-date, by scheduling them on a daily or weekly basis (b) updating WordPress, plugins or themes at the earliest – pay attention even to minor updates as they will contain critical security fixes and (c) for major WordPress, theme or plugin updates, wait for a while until developers have conducted live testing on the updates. If you have another WordPress install, you can try duplicating your website and updating it first to determine if it’s fine to do the same with your live site.

    Note: You can follow news about the latest fixes/patches on WordPress Development.

  4. It is best to invest in a good hosting service. A provider well-versed with WordPress will be able to handle permissions and installation more capably, and the variation in service will be apparent to you. Partnering with a reliable service that knows WordPress can do its bit for site/blog security. Here are some options:

    Bluehost: A popular choice, Bluehost offers shared and upgraded shared hosting with added resources and fewer users on one server.

    Dreamhost: It detects hacks proactively

    WP Engine: This is a good bet if you want top-of-the-line WordPress security. From regular security scans to daily back-ups, it helps you address security issues easily and conveniently.

  5. There are quite a few free and paid security plugins that can monitor and protect your WordPress site. A free security plugin – Wordfence – offers multiple monitoring levels and is also available as a premium plan. Bulletproof Security (limited monitoring), Sucuri (malware clean-up), WordPress Firewall 2 and VaultPress are other options you can explore. The WP Security Scan is also a good security solution; this plug-in scans your blog for vulnerabilities and reports malicious codes to you.

  6. New WordPress sites are more prone to attacks as there is a much less likelihood that they will have all the key security fixes. Hackers have been seen to capitalize on this. You can avoid presenting your WordPress site as a newbie by removing the text link ‘Powered by WordPress’ in the footer, removing default posts on the Homepage and adding as many posts as possible to your site, to make it appear as if it’s been in existence for a while.

  7. As discussed earlier, it is important that you change the default admin log-in and have a strong password. There is a good choice in tools to check password strength. Some you can explore are Password Meter (AskTheGeek), Password-Review (LBW-SOFT) and Password Checker (Microsoft).

  8. As a cautionary measure, you can keep your visitors from browsing your entire directory. Hackers can study directory structures to identify security holes. To disable directory browsing, you can add the following to the .htaccess in your WordPress blog’s directory:

    # disable directory browsing
    Options All – Indexes
    

    Note: .htaccess is a file used by Apache to define your website’s access rules

  9. Make sure that admin files are adequately protected; only you and a limited number of bloggers should have access to them. .htaccess is one way to restrict access. Depending on whether yours is a static IP address or multi-user blog, you can restrict access only from a defined number of IPs. For more information on how to go about the same and step-by-step instructions, you can look up Apache’s documentation.

  10. As a responsible WordPress site/blog owner, the onus is on you to address security proactively. There are multiple ways to do this. Download new WordPress software updates through CMS backend. When you do this, also verify the compatibility of the new release with your web server’s MySQL and PHP versions. If you notice any violations or bugs you can report the same to the WordPress community. You can submit information at security@wordpress.org. Encouraging users to report security issues is a good way for the WordPress community to be aware of the latest threats and effective measures at their disposal.

How Can You Deal with Spam?

Spammers are just as troublesome as hackers; WordPress site owners will vouch for this. Thankfully, there are different ways in which you can combat spam. Here are a few:

  • Moderate comments made by readers. Bots will be moderated but manual comments can be blacklisted or marked as spam. Enable the “Comment author must have a previously approved comment”. This means comments from trusted readers will get approved automatically.
  • Block suspected spam bots by noting the IP address on your dashboard. You can block one or a range of IPs to address spam.
  • Installing anti-spam plugins is also one way to combat spam. Three of the popular plug-ins that do this job pretty well are Quiz, Akismet and Simple Trackback Validation.
  • If you have the time and inclination for it, delete all the spam comments on a regular basis, depending on their frequency of occurrence.

There is no predicting when your WordPress site may be the target of malicious elements. If – despite your best efforts – your site is compromised, don’t panic. Inform your host about it, let your fans and readers know about (through Twitter or Facebook), implement the necessary fixes, change your passwords and importantly, make a note of what you should have done to prevent the attack. This will help you enhance site security for the future. Also, remember that it’s not the end of the world – you can have your hacked WordPress site up and running pretty quickly, depending on the type and extent of attack.

Like it? Share it.

11 Comments

  1. So basically what you’re saying is that the solution to wordpress being insecure is 1) use a decent password and 2) use a variety of plugins (word mentioned 9 times in the article) which themselves can introduce a pile of vulnerabilities themselves?

  2. LOL, it takes a multitude of these amazing plugins to allow it to be called a CMS. Otherwise it is just as you first stated and nothing more than a great blog tool. However there is an extension for Joomla called EasyBlog that puts ANYTHING that is inside WordPress to shame!!!

    • I completely disagree with you there Kevin, WordPress is a compliant CMS with just a few lines of code since version 3 you can easily add Custom Post Types to use WordPress as a powerfull CMS, few plugins for front end posting like gravity Forms and your away.

    • Not to mention, Joomla has a terrible backend interface. It is also nowhere near as easy to update the software as WP.

  3. great post — security is so important!

  4. Hey Jessica! Great post, helpful for WordPress bloggers and developer as well. Even every wordpress blogger wants to secure their content form attackers.

    -Mike

  5. Jessica,

    Great post by the way!

    If all fails, there’s a free web monitoring service that you can use to monitor your WordPress website to make sure that it’s not defaced by hackers. It’s called Content Site Monitor (contentsitemonitor.com). It allows you to specify certain content/keywords that you want to monitor and it will send you alert email if the content/keywords are missing from your site.

    That way, just in case all the measures you put in place fail, you still have a final defense to revive your WordPress website before your readers find out about it.

  6. Wow! beautiful…….hope hackers will not tamper with this new development?

  7. Very interesting. Thanks for sharing this post!!

  8. Some good info there,but as you say you will alway stand a chance of having your site attacked….but its good to be prepaired,thank you for sharing

  9. G’Day! Instantshift,
    Thanks for your thoughts, I run a very small website using freehostia.com free hosting services. Website is completely down! Tried to visit freehostia.com to look for troubleshooting answers, it wasnt coming up either for about 20 mins, now back up again. Anybody else with the same problem? my website comes up completely blank no error messages at all. Its connected to wordpress and I cant even log into wp-admin or login page or anything. If server was down would it prevent me from accessing my wordpress login page also? Any help would much be appreciated. Thankyou!
    I’ll be back to read more next time

Leave a Comment Yourself

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>