Many website owners think their own website is so small or unimportant that it would not be an interesting target for hackers. Unfortunately, I have to disappoint you: almost every website is interesting to hack. For hackers it is usually a numbers game: the more websites they compromise, the closer they get to their goal, and those goals are usually financial or political. Some types of hacks are:
- Defacement: this removes a website and replaces it with a page made by the hacker, with for example a political slogan that he or she wants to pay more attention to.
- Sending spam: the hacker can also install a program on the website which can be used to send spam to many email addresses.
- Virus spread: sometimes the hacker adds a piece of code to the website, causing the visitor’s computer on the hacked website to be infected with a virus.
- SEO spam: with this type of hack, the hacker adds links and content to increase the popularity of other websites in search engines and the number of visitors to those websites.
- Carrying out attacks on the Internet: finally, the hacker can also install tools on the website that can be used to carry out a DDoS attack on the Internet. If the hacker has hacked hundreds to thousands of websites and makes them all visit a particular website at the same time, the hacker can use this to take that website down, because so much traffic arrives at it at once.
Now that we know why hackers find it interesting to have access to your website as well, I give you 5 tips below to make your WordPress site more secure.
Tip 1: make sure you have good login security
The easiest way for a hacker to access a website is to simply log in with a username and password. Some suggestions to make the WordPress login more secure:
Use a good and difficult to guess password
You can use an online password generator to create a difficult password. Do you have trouble remembering such a password? Then use a password manager. There are also free alternatives, such as LastPass. Make sure you never re-use passwords for multiple websites or online services. If a certain service is ever hacked and your password is intercepted, hackers are smart enough to try that password in other places as well.
Change your username
The default username for logging into a WordPress site as an admin is: admin. Of course, hackers know that too, and they will try to access it with this username.
Add two-step authentication before logging in
It is recommended to add two-step authentication to the login process for your WordPress site. After you have logged in with a username and password, you will be asked for an additional code that is generated by an app on your phone. Just having the right password is then no longer enough to get in. A good plugin for setting up two-step authentication on your WordPress site is easy to find.
Tip 2: keep WordPress, plugins and themes up-to-date and secure
Security holes are regularly found in WordPress, plugins and themes. These vulnerabilities are fixed in updates. Because security holes are made public, hackers will try to take advantage of them to get into websites that have not yet been updated. It is therefore very important that you regularly install the available updates. Not only for WordPress itself, but also for all plugins and themes you use.
And another remark about plugins and themes: be careful which website you download these plugins and themes from. Only use reliable websites; downloading premium themes and plugins for free from illegal sources is completely out of the question. These downloads often contain malware and all kinds of backdoors.
Tip 3: Install the “invisible reCaptcha” plugin
Your WordPress site often uses a number of forms. Think for example of:
- The form to log in
- The form to register on the website
- The contact form
- The form to request a new password, if you have forgotten it
- The form to leave a comment or review on a page
Hackers can write scripts that “attack” and abuse these forms to access your website, or to spread spam through the comment or contact form. To protect yourself against this, you can install the invisible reCaptcha plugin.
Every time a form is filled in, this plugin analyzes how risky the action is. If it is suspicious, the visitor must perform a “challenge” to show that he or she is not a robot. Only if this challenge is successful, the form will be sent.
Tip 4: choose a reliable hosting provider for your website
You may have secured the front door (your WordPress site) very well, but if the back door (your hosting provider) is open, hackers can still simply walk in. It is therefore important that you choose a good and reliable hosting provider.
Does your hosting provider keep the servers up to date?
It is important that your host keeps the operating system on the server, the control panel, the PHP version and MySQL version up-to-date. In all these parts, security holes are regularly found and closed.
Is your website secured with an SSL certificate?
An SSL certificate ensures that traffic between the user of a website and the server where the website is located is encrypted. This means that third parties cannot see or eavesdrop on this traffic. An SSL certificate can be recognised by the green lock in the address bar and by https:// instead of http:// at the beginning of the URL.
Does your hosting provider make regular backups and can you use them yourself?
If things do go wrong and your website is hacked, then it is good that you can fall back on backups made. Check if your host makes backups, how long they are stored, and how you can restore them yourself.
Does your host scan and remove malicious software?
A hacker often tries to place small programs on a hosting package, which he uses to open a backdoor to gain further access to the website. Such malicious programs can also be used to send spam or carry out attacks on the internet. These programs are called malware or exploits.
We recommend automatically scanning every file that is placed or modified, and comparing that file with a database of frequently used malware and exploits. If the file appears in the database, it should immediately be quarantined.
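The scan described above, written out as an added example (this is not code from the original post or from any hosting provider): files placed or modified since the last scan are hashed and compared against a signature database, and matches are moved out of the web root into a quarantine folder. The signature database here is constructed from sample strings, the web root path is an assumption, and a real deployment would load hashes from an actual malware feed.

```python
import hashlib
import shutil
from pathlib import Path

# Constructed signature database: SHA-256 digests of constructed sample content,
# standing in for a real malware/exploit hash feed (these are not real indicators).
KNOWN_BAD_SAMPLES = [b"CONSTRUCTED MALWARE SAMPLE A\n", b"CONSTRUCTED EXPLOIT SAMPLE B\n"]
KNOWN_BAD_HASHES = {hashlib.sha256(s).hexdigest() for s in KNOWN_BAD_SAMPLES}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_modified_files(webroot: Path, quarantine: Path, since: float,
                        bad_hashes=KNOWN_BAD_HASHES):
    """Scan files under webroot that were placed or modified after `since`
    (epoch seconds, e.g. the time of the previous scan).

    A file whose hash appears in bad_hashes is moved to the quarantine
    directory (keep this outside the web root so it can no longer be served).
    Returns a list of (original_path, quarantined_path) pairs for review.
    """
    quarantine.mkdir(parents=True, exist_ok=True)
    quarantined = []
    for path in webroot.rglob("*"):
        # Skip directories and anything already inside the quarantine folder.
        if not path.is_file() or quarantine in path.parents:
            continue
        if path.stat().st_mtime < since:
            continue  # unchanged since the last scan; nothing new to check
        if sha256_of(path) in bad_hashes:
            # Encode the relative path in the quarantine name so identically
            # named files from different folders do not overwrite each other.
            dest = quarantine / path.relative_to(webroot).as_posix().replace("/", "__")
            shutil.move(str(path), str(dest))
            quarantined.append((path, dest))
    return quarantined


if __name__ == "__main__":
    # Assumed web root and quarantine location; adjust for your hosting package.
    for src, dst in scan_modified_files(Path("public_html"), Path("quarantine"), since=0):
        print(f"quarantined {src} -> {dst}")
```

Run it from a cron job with `since` set to the previous run's timestamp so only new or changed files are hashed each time.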