How to Protect Your WordPress Website
Many small businesses and individuals (e.g. bloggers and self-employed folks) use the free open-source web software called WordPress. It is an easy-to-install, easy-to-use, feature-rich tool for creating websites. There are so many thousands of themes, plug-ins and widgets available for WordPress that it is, hands-down, the “every man’s” and “every woman’s” web creation software.
Unfortunately, its popularity has also made it a serious target for scammers and hackers. And, like any software, WordPress and its accompanying plugins sometimes contain security holes that are exploited in a variety of malicious ways. (A full listing of the WordPress vulnerabilities and details can be found here.)
TDS routinely sees scams that are hidden on someone’s hacked WordPress website. The easiest way to spot a hacked WP site is seeing “wp-content” in a scam link that points to an otherwise legitimate website, as in these two examples. Notice what the mouse-over reveals at the bottom of each screenshot: a website domain followed by /wp-content/. That means both websites are WordPress websites, and we’re certain the owners have no idea they have been hacked.
Sadly, most hacked WordPress website owners never know they’ve been hacked and the scammers continue to use the hacked web servers to host their scams and malicious software. (We try to notify owners of hacked websites when we find them and tell them where the offending files are located. That’s what we call a “scamorcism.”)
However, there are several easy steps that can be taken to tighten up your WordPress security and harden your website against hacking.
1. Password security: Every admin-level password should be at least 10 characters long and follow high-security protocols. (Check out our article on creating strong passwords.)
2. Install Limit-Login-Attempts plugin: This WP plugin limits the number of attempted logins on your website to prevent hackers from using “bots” to brute-force your admin passwords. These bots will try logging into a website thousands of times per minute in their effort to guess a password. With this plugin installed, a user who attempts to log into your site unsuccessfully “x” number of times will get locked out for hours or even days, depending on your plugin settings. This plugin has saved our derrière many times!
3. Install WordFence Security plugin: WordFence is an outstanding security addition to any WP website. Its many features include informing you anytime an admin user logs into the site, scanning the site for malicious links that may be posted by visitors, informing you when updates are ready to be installed on your website, and much more! There is a free version and a paid version.
4. Keep your WP & plugin software up-to-date: Security flaws are discovered all the time in software. Keep your WP software and plugins up-to-date to avoid being taken advantage of by old exploitable software.
5. Change the standard “admin” account name: Don’t give the hackers an account name they can count on when guessing passwords! Change admin to something else.
The Blog at ChildrenOnline.org has WordFence installed and in use. Here is a message I received in July from our WordFence plugin:
I visited IPChecking.com and looked up the Internet address 22.214.171.124 to see what country this “admin” user was from. This “admin” turned out to be someone in Russia!
ChildrenOnline.org doesn’t have any website administrators in Russia! (Doug of TDS is also co-owner of ChildrenOnline.org.) The next day I received another email from our WordFence plugin about an attempted login. This attempt came from 126.96.36.199. IPChecking.com shows that this Internet address points to a small town in Kansas, though its registration is identified as Chicago, IL. However, this IP has been blacklisted because it has been identified as a source of spam. (http://www.ipvoid.com/scan/188.8.131.52/)
I was curious enough now to log into ChildrenOnline.org and check the WordFence log file to see what caused the logins to be blocked. Here is a small sample of what I found:
Hackers will routinely try to hack into accounts named admin, administrator, webmaster, and root.
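To make the lockout in step 2 and the account names above concrete, here is an added example (not code from the Limit-Login-Attempts or WordFence plugins) that replays login events and applies a lockout rule. The event format, the thresholds (4 failures in 5 minutes, 24-hour lockout) and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Account names the article says attackers routinely try.
COMMON_NAMES = {"admin", "administrator", "webmaster", "root"}

# Constructed sample events in a hypothetical format: time, source IP, username, result.
SAMPLE_LOG = """\
2015-07-14T03:12:01 203.0.113.7 admin FAIL
2015-07-14T03:12:02 203.0.113.7 administrator FAIL
2015-07-14T03:12:03 203.0.113.7 webmaster FAIL
2015-07-14T03:12:04 203.0.113.7 root FAIL
2015-07-14T03:12:05 203.0.113.7 admin FAIL
2015-07-14T09:30:00 198.51.100.20 doug FAIL
2015-07-14T09:30:40 198.51.100.20 doug OK
"""

def simulate(log, max_failures=4, window=timedelta(minutes=5),
             lockout=timedelta(hours=24)):
    """Replay events; return (blocked events, lockout end per IP, common names tried per IP)."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    locked_until = {}               # ip -> time the lockout ends
    blocked, names_tried = [], defaultdict(set)
    for line in log.strip().splitlines():
        ts, ip, user, result = line.split()
        ts, user = datetime.fromisoformat(ts), user.lower()
        if user in COMMON_NAMES:
            names_tried[ip].add(user)
        if ip in locked_until and ts < locked_until[ip]:
            blocked.append((ts, ip, user))   # rejected before any password check
            continue
        if result != "FAIL":
            failures[ip].clear()             # a good login resets the counter
            continue
        recent = failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= max_failures:
            locked_until[ip] = ts + lockout
            recent.clear()
    return blocked, locked_until, dict(names_tried)

if __name__ == "__main__":
    blocked, locked, names = simulate(SAMPLE_LOG)
    for ip, until in locked.items():
        print(f"{ip} locked out until {until}, tried {sorted(names.get(ip, []))}")
    print(f"{len(blocked)} attempt(s) rejected during lockout")
```

The legitimate user who mistypes a password once is never locked out, while the source cycling through the common account names is blocked after its fourth failure and its fifth guess never reaches the password check.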
Applying these few small modifications means you can sleep easier knowing that it is harder to hack your website! We’re not saying that your website is going to be like Fort Knox, but there are so many hackable websites available across the Internet that hackers are very likely to get discouraged with your website after a short while and move on to someone else.
1. Common WordPress Malware Infections by Siobhan McKeown (Oct. 2012)
Here are more sample screenshots of the lockout from attempted hacks at ChildrenOnline.org: