If you’re running a website using WordPress, you’re at a much greater risk of being hacked. WordPress powers around 27% of the world’s websites and has about 59% of the world’s content management system (CMS) market share.
WordPress is not used solely by bloggers or inexperienced webmasters. The following major companies all use WordPress to power their websites:
- BBC America
- MTV News
- Sony Music
According to internet website security company Sucuri, WordPress accounted for 83% of the CMS infections recorded in 2017, up from 74% in 2016. Why are WordPress websites so popular among hackers? For starters, the platform is famous for having tons of vulnerabilities mainly stemming from its open-source programming.
Next, WordPress’s large share of the market makes it far more profitable for hackers to target the platform: a single exploit for a widely installed component works against a huge number of sites. Over 75 million websites use WordPress, making it a ripe target for hacking.
Unfortunately, much of why WordPress is such a popular target comes down to its users. WordPress users make many mistakes when they set up a website, and those mistakes are what get the website hacked. Here are the top three reasons WordPress webmasters get hacked, followed by what you can do to secure your website.
Fail #1: You Picked a Substandard Hosting Provider
You get what you pay for, and numerous “cheap” website hosts also skimp on many features that are essential to protect your website adequately. Hackers know this, and they target substandard website hosts and websites hosted on them.
Substandard website-hosting providers usually exhibit the following traits:
- Provide backups only once weekly, or no backups at all
- Don’t support the latest MySQL or PHP versions
- Don’t scan for malware
- Don’t offer a firewall or DDoS protection
- Don’t provide directory protection
- Have an uptime guarantee of 99.9% or lower (the best providers should be 99.99% or better)
If a website host is substandard in one area, or offers inferior features on even one service plan, consider the whole host substandard. Even if hackers can’t break into your website directly, they may still wreak havoc on the web server it runs on, which ultimately affects your site’s performance. Read more about the best website hosting services here.
Fail #2: You Installed Faulty Themes or Plug-ins
According to WP Template, about 29% of hacks come via an insecure theme and 22% come via vulnerable plug-ins. The template or plug-in may be out of date or programmed by someone who isn’t security-conscious. Hackers will take advantage of any vulnerability they can find to try to hack your website.
In 2015, for example, a major vulnerability was discovered in the WP Slimstat plug-in (version 3.9.5) that left over 1 million websites susceptible to being hacked. The vulnerability allowed attackers to crack the plug-in’s secret key and perform SQL injections that let them take over websites.
Another major exploit was found in the popular image-resizing app TimThumb back in 2012. A vulnerability in the ‘external image resize’ function allowed hackers to inject PHP code into web servers. The app’s developer even admitted that he had become a victim of hacking because of the faulty app, and ultimately quit developing it.
If these exploit examples aren’t alarming enough, note that you also have to contend with themes and plug-ins distributed by hackers and malware websites. Since WordPress is open-source, anyone can create and distribute software for it. Such packages are usually passed off as helpful apps, and in many cases they do provide the promised functionality. But they also include extra code that lets a hacker either penetrate your website or use it to spread malware, redirect visitors to other websites, and more.
Fail #3: You’re a Slacker as an Admin
Another common reason that WordPress websites get hacked is that website admins are shirking their responsibilities, failing to keep their websites as secure as possible. This involves some or even all of the following:
- Failing to use strong passwords
- Failing to protect the wp-admin directory
- Failing to update WordPress regularly
- Failing to update themes or plug-ins regularly
- Giving incorrect file permissions to user accounts
- Using standard FTP instead of SFTP or SSH
The first four are the most common shortfalls for admins. They use a weak password or fail to update WordPress, its themes, or its plug-ins regularly. Regular updates ensure you get the latest release, which often includes security fixes.
Less common — but still problematic — are file permissions and insecure FTP usage. If file or directory permissions are set incorrectly, hackers may be able to gain read and write access to your website’s files. Also, if you use standard FTP instead of SFTP or SSH, you’re asking to get hacked: standard FTP sends your password to the web server unencrypted, so anyone able to sniff the network traffic between you and the server can steal it.
The Basic Guide to Avoiding Most WordPress Hacks
If you’re looking to avoid getting your WordPress website hacked, there are several steps you can take to protect yourself. Most are simple steps, but they require consistent action on your part.
Best Practice #1: Choose quality hosting
This isn’t just a cliché. Too many website hosts offer substandard features for the sake of making a quick buck while leaving you largely unprotected. Look for a provider that offers daily backups, antivirus and malware protection, the latest PHP and MySQL versions, anti-DDoS protection, and secure directories as standard features on all plans.
Also, consider choosing a host that’s already known for being optimized for WordPress. That doesn’t mean that it offers an auto-installer or that it’s compatible with WordPress. It means that they provide WordPress customizations along with tools and support staff who are knowledgeable in helping you build and protect your website.
The most obvious choice for WordPress-optimized hosting would be WordPress.com. It offers both free and paid WordPress-hosting plans. To learn more, check out our expert review or visit their pricing page.
Other providers also offer WordPress-optimized hosting; our article about the best website hosting for WordPress shows more examples.
Best Practice #2: Be careful of the plug-ins and themes you install
First, you want to install and run as few WordPress plug-ins as possible to reduce the number of potential risks to your website. Eliminate or disable any plug-in in your WordPress backend that you don’t need for your website.
Next, only install plug-ins and themes from trusted sources. Just as you wouldn’t automatically download a program or open an email attachment from an unknown party, you should stay away from plug-ins and themes from sources that aren’t well known.
WordPress.org is the ultimate directory of safe plug-ins. All plug-ins listed in its Plug-ins section are typically thoroughly tested and considered safe. Choose Plugin is another source for plug-ins that serves as a database of available WordPress plug-ins. It also gives you information that can help you determine whether a plug-in is safe, including latest update, rating, total downloads, active installs, and more.
Also, there are plenty of ways you can test your plug-ins and themes before you install them. Install both Plugin Check and Theme Check on your website to regularly scan for bad themes and plug-ins. Sucuri also offers a database of plug-ins with known vulnerabilities; check it before installing a plug-in you’re unsure about.
When installing plug-ins or themes, there are a few things to look out for before downloading. If you find any of the following about a plug-in, look for a different one:
- A history of problems, security or otherwise
- Incompatibility with the current WordPress version
- Infrequent updates, or no update in a long time
- A large percentage of bad reviews
- Lack of support or documentation
- Reports of hosts banning the plug-in
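The checklist above can be applied mechanically to the metadata the WordPress.org plug-in directory publishes for every plug-in. The script below is an added example (not code from the original article or from WordPress.org): the field names follow the directory’s plugin-information API, while the two sample records, the cut-off date and the thresholds are constructed for this example and are assumptions you should tune to your own risk appetite.

```php
<?php
// Added example: apply the plug-in vetting checklist to plug-in metadata.
// Field names follow the WordPress.org plugin-information API; the sample
// records and thresholds below are constructed for this example.

const MAX_MONTHS_SINCE_UPDATE = 12;    // "hasn't been updated in a long time"
const MIN_RATING              = 70;    // directory ratings run from 0 to 100
const MIN_NUM_RATINGS         = 10;    // fewer than this and the rating means little
const CURRENT_WP_VERSION      = '6.5'; // assumed current core release

/**
 * Return the list of reasons to reject a plug-in; an empty list means it
 * passed every check. $today is passed in so the result is reproducible.
 */
function vet_plugin( array $p, string $today ): array {
    $reasons = [];

    // Infrequent updates: how long since the last release?
    $updated = date_create( $p['last_updated'] );
    $now     = date_create( $today );
    if ( $updated === false ) {
        $reasons[] = 'last_updated date could not be parsed';
    } else {
        $age    = date_diff( $updated, $now );
        $months = $age->y * 12 + $age->m;
        if ( $age->invert === 0 && $months >= MAX_MONTHS_SINCE_UPDATE ) {
            $reasons[] = "not updated for {$months} months";
        }
    }

    // Incompatibility with the current WordPress version: "tested" is the
    // newest core release the author declares support for.
    if ( version_compare( $p['tested'], CURRENT_WP_VERSION, '<' ) ) {
        $reasons[] = "tested only up to WordPress {$p['tested']}";
    }

    // Bad reviews, or too few reviews to judge at all.
    if ( $p['num_ratings'] < MIN_NUM_RATINGS ) {
        $reasons[] = "only {$p['num_ratings']} ratings";
    } elseif ( $p['rating'] < MIN_RATING ) {
        $reasons[] = "average rating {$p['rating']}/100";
    }

    // Lack of support: most support threads left unresolved.
    if ( $p['support_threads'] > 0
         && $p['support_threads_resolved'] / $p['support_threads'] < 0.5 ) {
        $reasons[] = 'fewer than half of support threads resolved';
    }

    return $reasons;
}

// Constructed sample records (not real plug-ins).
$candidates = [
    [
        'name' => 'Example Maintained Forms', 'last_updated' => '2024-05-12 9:03am GMT',
        'tested' => '6.5', 'rating' => 92, 'num_ratings' => 340,
        'support_threads' => 20, 'support_threads_resolved' => 17,
    ],
    [
        'name' => 'Example Abandoned Gallery', 'last_updated' => '2021-02-03 4:10pm GMT',
        'tested' => '5.6', 'rating' => 58, 'num_ratings' => 41,
        'support_threads' => 12, 'support_threads_resolved' => 2,
    ],
];

foreach ( $candidates as $plugin ) {
    $reasons = vet_plugin( $plugin, '2024-06-01' );
    echo $plugin['name'] . ': '
        . ( $reasons ? 'REJECT (' . implode( '; ', $reasons ) . ')' : 'OK' )
        . PHP_EOL;
}
```

Run it with `php vet.php`; the first record passes and the second is rejected on every check. In practice you would feed the function the decoded JSON for a real plug-in, but the decision logic stays the same: a plug-in that fails any one check goes on the "look for a different one" pile.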
Best Practice #3: Take your admin duties seriously
If you won’t take your duties as an admin seriously, then why bother to build a website? Just hire someone else to do the job. If you want to keep your website secure, you need to do all of the following:
- Use strong passwords and change them regularly. Don’t use them for anything else.
- Regularly update your WordPress, themes, and plug-ins to the latest version.
- Protect your WordPress directories and enable the correct permissions on all files and directories.
- Never use standard FTP to upload files.
- Hide your login page and WordPress version number, and disable the plug-in and theme editor.
Also, as an added step, disable PHP error reporting for your website. Error messages produced by themes and plug-ins can reveal details about your installation that can be exploited. By turning off error display, you further lock down your website against potential threats.
These are not one-time steps to take. They’re regular duties you should perform multiple times each year, if not on at least a monthly basis.
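Several of the duties above come down to a handful of settings. The block below is an added example, not configuration from the original article: every constant and hook in it is a real WordPress one, the values are the hardened ones, and the only assumption is the placeholder log path. The first part goes in wp-config.php above the “That’s all, stop editing!” line; the second part is a separate must-use plug-in file that hides the version number.

```php
<?php
// Added example: hardening settings for wp-config.php (first part) and a
// must-use plug-in (second part). All constants and hooks are real WordPress
// ones; the log path is a placeholder.

// --- wp-config.php ---

// Disable the built-in plug-in and theme editor (Appearance > Editor), so a
// stolen admin session cannot be used to write PHP into a theme file.
define( 'DISALLOW_FILE_EDIT', true );

// Turn off PHP error display on the live site. If you must debug, log to a
// file outside the web root rather than showing errors to visitors.
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', '/var/log/wordpress/debug.log' ); // placeholder path
@ini_set( 'display_errors', '0' );

// Force HTTPS for the login page and the whole admin area, so passwords are
// never sent in the clear (the same reason to prefer SFTP/SSH over plain FTP).
define( 'FORCE_SSL_ADMIN', true );

// Permissions WordPress applies to files it creates during updates:
// directories 755, files 644, never world-writable.
define( 'FS_CHMOD_DIR',  0755 );
define( 'FS_CHMOD_FILE', 0644 );

// Make WordPress use SSH2 instead of FTP for its own update transfers
// (requires the PHP ssh2 extension on the host; leave commented if absent).
// define( 'FS_METHOD', 'ssh2' );

// --- wp-content/mu-plugins/hide-version.php (separate file) ---

// Remove the WordPress version from the HTML <head> and from feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// Strip the ?ver= query string that also leaks the core version on
// every enqueued script and stylesheet.
function hide_version_strip_ver( $src ) {
    return remove_query_arg( 'ver', $src );
}
add_filter( 'style_loader_src',  'hide_version_strip_ver' );
add_filter( 'script_loader_src', 'hide_version_strip_ver' );
```

After deploying, confirm the Editor entry has gone from the Appearance menu, that a page source no longer contains a `generator` meta tag, and that `wp-config.php` itself is readable only by the web server user (mode 600 or 640), since it holds the database credentials.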
What’s The Worst That Can Happen? You Don’t Want to Find Out!
Some of you are probably thinking that getting hacked is no big deal or that your website is not important enough to get hacked. I thought the same thing back in 2010. Unfortunately, that year I found out the hard way just what can happen when your WordPress website gets hacked.
My website was hacked and used to distribute malware. My provider had a strict policy about websites that spread malware, and so mine was taken offline. All my files were erased, and my backups were purged from the system. Nearly four years of work that I had done on the website was gone in a matter of hours.
When you fail to secure your website, you risk losing your website along with your reputation. Personally, I lost a major client, but it was a valuable lesson learned. By taking the time to secure your website now against hacks, you’ll protect your website data as well as your hard-earned reputation.