If you find our resources valuable, please support us by making a small donation. Thank you!


How to Protect Your WordPress Website

How to Protect Your WordPress Website

[Do you get our weekly free newsletter with the latest scams and tips to stay safe? Sign up now and be smarter and safer using the Internet! ]

Many small businesses and individuals (e.g. bloggers and self-employed folks) use the free open-source web software called WordPress. It is such an easy-to-install, easy-to-use, feature-rich software tool for creating websites. There are thousands of themes, plug-ins and widgets available for WordPress that it is, hands-down, the “every man’s” and “every woman’s” web creation software.

Unfortunately, its popularity has also made it a serious target by scammers and hackers. And, like any software, WordPress software and accompanying plugins sometimes contain security holes that become exploited in a variety of malicious ways. (A full listing of the WordPress vulnerabilities and details can be found here.)

TDS routinely sees scams that are hidden on someone’s hacked WordPress website. The easiest way to spot a hacked WP site is seeing “wp-content” in the scam link that comes from a legitimate website, such as these two examples. Notice what the mouse-over reveals at the bottom of each screenshot… A website domain followed by /wp-content/. That means both websites are WordPress websites and we’re certain the owners have no idea they have been hacked.

1-Intuit-PayrollApproved 2-Nantucket banking disabled
Sadly, most hacked WordPress website owners never know they’ve been hacked and the scammers continue to use the hacked web servers to host their scams and malicious software. (We try to notify owners of hacked websites when we find them and tell them where the offending files are located. That’s what we call a “scamorcism.”)

However, there are several easy steps that can be taken to tighten up your WordPress security and harden your website against hacking.

1. Password security: Every admin-level password should be at least 10 characters long and follow high security protocols (Check out our article on creating strong passwords.)

2. Install Limit-Login-Attempts plugin: This WP plugin will limit the number of attempted logins on your website to prevent hackers from using “bots” to try to use brute-force attempts to figure out your admin passwords. These bots will try logging into a website thousands of times per minute in their effort to guess a password. With this plugin installed, a user who attempts to log into your site unsuccessfully “x” number of times will get locked out for hours or even days, depending on your settings of the plugin. This plugin has saved our derrieré many times!

3. Install WordFence Security plugin: WordFence is an outstanding security addition to any WP website and includes many features, such as informing you anytime an admin user logs into the site, scanning the site for malicious links that may be posted by visitors, and informing you when updates are ready to be installed on your website, and much more! There is a free version and paid version.

4. Keep your WP & plugin software up-to-date: Security flaws are discovered all the time in software. Keep your WP software and plugins up-to-date to avoid being taken advantage of by old exploitable software.

5. Change the standard “admin” account name: Don’t give the hackers an account name they can count on using to hack a password for! Change admin to something else.

The Blog at ChildrenOnline.org has WordFence installed and in use. Here is a message I received in July from our WordFence plugin:
3-IP lock out at ChOn

I visited IPChecking.com and looked up the Internet address to see what country this “admin” user was from. This “admin” turned out to be someone in Russia!

4-IP from Russia locked out
ChildrenOnline.org doesn’t have any website administrators in Russia! (Doug of TDS used to own this domain in 2014.) The next day I received another email from our WordFence plugin about an attempted login. This attempt came from IPChecking.com shows that this Internet address points to a small town in Kansas, though its registration is identified as Chicago, IL. However, this IP has been blacklisted because it has been identified as a source of spam. (http://www.ipvoid.com/scan/

5-IP lock out 2
I was curious enough now to log into ChildrenOnline.org and check the WordFence log file to see what caused the logins to be blocked. Here is a small sample of what I found:
6-admin lock out

Hackers will routinely try to hack into accounts named admin, administrator, webmaster, and root.

Applying these few small modifications means you can sleep easier knowing that it is harder to hack your website! We’re not saying that your website is going to be like Fort Knox, but there are so many hackable websites available across the Internet that the hackers are very likely to be easily discouraged on your website after a short while and move on to someone else.

Additional resources:

1. Common WordPress Malware Infections by Siobhan McKeown (Oct. 2012)

2. WordPress Security Plugins

Here are more sample screenshots of the lockout from attempted hacks at ChildrenOnline.org:

7-webmaster lock out8-root lock out 2