3 common ways hackers target WordPress websites

Before we even talk about how hackers target WordPress websites, we first need to address the obvious question:

Why would they even want to?

After all, your average WordPress website belonging to a home-based business or personal blogger doesn’t contain sensitive information (like credit card details, or passwords) worth stealing. Right?

Correct. But stealing sensitive information isn’t the main reason hackers target websites. They do it:

  • To insert backlinks to other sites (that boost those sites in the search engine rankings).
  • To mask their identity when the hack bigger websites.
  • So they have somewhere to store (usually illegal and sensitive) files they don’t want stored on their own server.
  • To form a network of sites from which they can launch DDOS (denial of service) attacks on big websites.

And sometimes, they do it just because they can – for ‘fun’.

Why are WordPress websites particularly vulnerable to hacking?

Three reasons:

  1. WordPress is a hugely popular platform (because it’s so easy to use).
  2. People generally set their site up themselves (using the default settings).
  3. Thousands of plugins have been created for the platform.

These are all strengths of WordPress. But, from a security point of view, they’re all weaknesses too because they provide the following four avenues for hackers to get into WordPress websites:

1. Via plugins

As mentioned, plugins are amazing. They allow people with no coding ability to add complex functionality to their WordPress websites. Need a contact form, pop-up subscribe form or image gallery? Installing a WordPress plugin on your website will give you these and more.

Unfortunately, more than 50% of WordPress website hacks come via plugins whose code is either deliberately malicious, or is so outdated it’s easy for hackers to use to gain access to your site.

How to protect yourself

  1. Only install plugins from the official WordPress repository, have high star ratings, and are being updated constantly.
  2. Ensure you’re notified about a plugin update via your WordPress admin, update it on your site.

2. Via brute force attacks

These automated hacks are made possible by the fact that:

  • The admin login page for most WordPress sites is yourwebsite.com/wp-login.php
  • The admin username for most WordPress sites is ‘admin’

Hackers write code that add /wp-login.php to the end of every website. If that url brings up a login form, the code populates the ‘Username’ field with ‘admin’ … and then they’re on their way. Their code will now guess hundreds of passwords per minute and if they get a direct hit – they’re into your site.

How to protect yourself

  1. Have a strong password that contains letters, numbers and special characters
  2. Install the Login Lockdown plugin that locks your site after a certain number of failed logins
  3. Use two-factor authentication (where you have to enter a code sent to your phone) each time you login
  4. Make your username something that’s hard to guess (definitely do not use ‘admin’ as your username)

3. Via the WordPress platform code

Quite often, hackers find a security hole in the base code for WordPress – one that can be exploited to gain access to a site. WordPress is very good at finding out about these security holes and releasing updates that close them.

How to protect yourself

  1. Keep your WordPress installation up to date. As soon as you get a notification in your WordPress admin area that an update is available, hit ‘update’

What if you never login to your WordPress admin area?

A lot of small businesses have WordPress websites and if they’re not adding information to their site regularly (most aren’t), they have no reason to login to their site’s admin area. This means they’re missing notifications that their WordPress platform, themes and plugins have available updates.

What can you do to keep your site safe in this scenario? Two things:

  1. Set a reminder for yourself to login to your WordPress admin area every day and check
  2. Pay for a service that will do this for you. (The Swish Web Care service, for example, checks for updates on a daily basis (amongst many other things.)

It’s better to never get hacked than try and repair a hack

We’ve been working with WordPress websites for nearly 10 years and can say this with certainty – once a site’s been hacked, it’s very hard to close all the doors that hackers have opened into the site. Which means a hacked site is likely to get hacked again and again.

It’s MUCH easier if your site is never hacked in the first place.

Taking the steps above to secure your site will put your site ahead of 90% of the other WordPress website out there. If you want to automate the above and never have to worry about your site getting hacked … drop us an email to find out how we can help.