Why WordPress Keeps Getting Hacked And How To Prevent It

Getting your website hacked is one of the worst things that can happen to your business in the modern world. The age of file cabinets and paper documents is long gone and now virtually all important information is being shared and even stored online.

Because of this, a successful cyber attack resulting in data theft can potentially cost you a lot of money and set your business back considerably.

Furthermore, breaking into a poorly secured website takes less and less skill, and plenty of people running WordPress-based websites have found this out, either from their own bad experience or from someone else’s.

So what is it that makes WordPress so vulnerable to attacks from hackers, and is there anything you can do to stop them?

How Secure Is WordPress?


Ironically enough, WordPress core is itself a well-maintained platform, and because it is open-source software, security holes tend to be found and patched quickly. Many security researchers (the “white hat hackers”) deliberately probe WordPress, in their own test installations rather than on other people’s websites, not to cause damage but to find weaknesses before criminals do.

When they find one, they report it to the WordPress security team through its disclosure process, and the team ships the fix in a security release. Since version 3.7 these minor security releases are installed automatically on most sites, so the window in which a known core bug stays exploitable is usually short.

Addons


The real problem arises from WordPress’s huge extensibility: the ability to install numerous plugins and themes on top of it.

Anyone can develop and publish plugins for this open-source platform, which is a great thing; the downside is that not all of them were written with security in mind, and every plugin you install is extra code running with the same privileges as WordPress itself, so it can make your website less secure.

One of the most common causes of a successful WordPress compromise is a vulnerable plugin or theme. Before installing one, check that it is actively maintained (recent updates, compatibility with the current WordPress release) and look up its history in a public vulnerability database such as the WPScan database. Afterwards, delete plugins you no longer use rather than merely deactivating them: a deactivated plugin’s files are still on disk, and any PHP file in it that can be requested directly can still be attacked.

Improving Security


There are quite a few steps you can take to increase the overall security of your WordPress website. Some are quite simple, and others require a bit of familiarity with configuration files.

We’ll start off with the simplest, and get into the more complicated methods later on.

Backup Your Website

This is pretty much common sense these days, but it’s also the number one thing a lot of people overlook. Always, always have your website backed up, so that if an attack does succeed in taking down or defacing your website, you don’t lose months of hard work just because you didn’t keep another copy of it someplace else. Remember that a WordPress site is two things: the files (core, wp-content with its plugins, themes and uploads, and wp-config.php) and the database, which holds posts, users and settings. A backup that copies only the files is not a backup of the site.

A good way to do so is to take daily backups of the files and a database dump and copy them to an external disk or other storage that is not permanently connected to the server; that way an attacker who gains write access to the server cannot delete or encrypt the backups as well. Restore a backup into a test copy of the site every so often: a backup you have never restored is an untested one.

There are also a lot of online options for backups, such as the BackUpWordPress plugin, if you prefer to store your copies in the cloud and be able to access them anywhere.
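As an added example that is not part of the original article, the script below does the file half of that job with nothing but the Python standard library: it archives the site directory, records a SHA-256 checksum beside the archive, verifies the archive by actually reading every file back, and prunes old copies. It assumes the site is a plain directory and that the database has already been dumped into it (for example with mysqldump into wp-content), which the article does not describe; copy the finished archive off the server afterwards.

```python
"""Added example, not code from the original article: a file-level WordPress
backup with an integrity check and a read-back test, standard library only.

Assumptions (the article gives none of these): the site lives in one directory
and the database has already been dumped into it (for example with mysqldump
into wp-content/db.sql) so that files and data are archived together."""
import hashlib
import tarfile
import time
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(site_dir, dest_dir, label="wordpress"):
    """Archive site_dir into dest_dir/<label>-<UTC timestamp>.tar.gz and write
    an <archive>.sha256 sidecar. Returns (archive_path, hex_digest)."""
    site_dir, dest_dir = Path(site_dir), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime())
    archive = dest_dir / f"{label}-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        # Store paths relative to the site directory's own name so a restore
        # does not depend on the original absolute location.
        tar.add(str(site_dir), arcname=site_dir.name)
    digest = sha256_file(archive)
    Path(str(archive) + ".sha256").write_text(f"{digest}  {archive.name}\n")
    return archive, digest


def verify_backup(archive):
    """Check the archive against its sidecar and read every member back.
    Returns the member names; raises ValueError if the backup is unusable."""
    archive = Path(archive)
    sidecar = Path(str(archive) + ".sha256")
    if not sidecar.exists():
        raise ValueError(f"no checksum file for {archive.name}")
    expected = sidecar.read_text().split()[0]
    if sha256_file(archive) != expected:
        raise ValueError(f"checksum mismatch for {archive.name}")
    names = []
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                # A truncated gzip stream can still be listed; reading the
                # bytes is what proves the archive is restorable.
                tar.extractfile(member).read()
            names.append(member.name)
    return names


def prune_backups(dest_dir, label="wordpress", keep=7):
    """Delete all but the newest `keep` archives (and their sidecars).
    Returns the names of the archives that were removed."""
    archives = sorted(Path(dest_dir).glob(f"{label}-*.tar.gz"))
    removed = []
    for old in (archives[:-keep] if keep else archives):
        Path(str(old) + ".sha256").unlink(missing_ok=True)
        old.unlink()
        removed.append(old.name)
    return removed


if __name__ == "__main__":
    import sys
    arc, dig = create_backup(sys.argv[1], sys.argv[2])
    print(f"wrote {arc}: {len(verify_backup(arc))} entries, sha256 {dig[:16]}...")
    print("pruned:", prune_backups(sys.argv[2]))
```

Run it from cron as, for example, python backup.py /var/www/html /mnt/backup-disk (paths are placeholders). The read-back in verify_backup is the part that turns a backup into something you can trust: a truncated gzip stream lists fine and only fails when it is actually extracted.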

Security Plugins

Despite what we just said about third-party plugins being a reason your website is less secure, some of them can improve your security. A good security plugin such as WP Security Scan checks the installation for known weak settings and scans the files for known malicious code, which shortens the time a compromise goes unnoticed.

These plugins work from signatures and known-bad patterns: they recognise what they have been taught to recognise, alert you, and in some cases quarantine the file. They complement updates and careful plugin choices rather than replace them, and a scanner hit should be treated as an incident, not just a cleanup: find out how the code got there, or it will be back.

Protect Your Admin Connection

Your website’s own IP address is public by design: a VPN or proxy on your computer does nothing to hide the server, and a DDoS attack against the site is something your hosting provider or a CDN in front of it has to absorb. What you can protect is the connection you use to administer the site.

First of all, log in over HTTPS only, so that the admin password and the session cookie are never sent in the clear. Once the site has a valid certificate, WordPress can enforce this for the login page and the admin area with the FORCE_SSL_ADMIN setting in wp-config.php.

If you administer the site from public or otherwise untrusted Wi-Fi, a reputable VPN provider does help: it encrypts your traffic to the VPN endpoint and hides your address from the local network. It does not, however, protect you from malware, and it does nothing for the server itself.

Keep WordPress Updated

As we already mentioned, WordPress constantly patches security holes and makes the platform more stable. It’s essential to install these updates promptly: attackers compare each release with the previous one to see what was fixed and start probing unpatched sites within days. Since version 3.7 WordPress installs minor security releases automatically, but major releases, plugins and themes still need your attention, and plugins are where most of the holes are.

Older versions of software are not only less secure, they’re also less stable and less optimized, so it’s just good sense to keep everything up to date; take a backup first, so that an update that breaks something can be rolled back.

Use A Strong Password And Limit Login Attempts

The advice to change your password every week or two is common but misguided: rotating a weak password only replaces one guessable password with another, and frequent forced changes push people toward predictable patterns.

One of the main ways accounts are compromised is brute force: guessing passwords, either by trying combinations of characters or, far more commonly, by running lists of leaked and common passwords against wp-login.php and the XML-RPC endpoint.

What defeats this is length and randomness, not rotation. A random password of 16 or more characters from a password manager has vastly more than “millions” of combinations and is out of reach of online guessing no matter how long you keep it. Combine it with a limit on failed login attempts (a plugin, or rate limiting at the web server), two-factor authentication for administrator accounts, and an administrator username other than “admin”, which is the first one every attack tries. Change the password promptly if you have reason to think it has leaked, not on a calendar.
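Guessing runs like the one described above show up clearly in the web server’s access log. The following is an added example, not code from the original article: it scans combined-format access log lines for failed logins per source IP inside a sliding window. The sample lines, the threshold of 10 and the five-minute window are constructed for the example; the status-code logic relies on WordPress answering a failed form login with 200 (the form is shown again) and a successful one with a 302 redirect, while xmlrpc.php answers 200 either way.

```python
"""Added example, not code from the original article: spotting a password
guessing run against WordPress in Apache/nginx combined-format access logs.

Facts used: a failed form login is answered with HTTP 200 (the form is shown
again with an error), a successful one with a 302 redirect to wp-admin, and
xmlrpc.php answers 200 either way. The log lines, the threshold of 10 and the
five-minute window are constructed for the example, not taken from the page."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample: a real user who mistypes once and then gets in, followed
# by an attacker firing a guess every four seconds and finally trying xmlrpc.
SAMPLE_LOG = [
    '198.51.100.5 - - [10/Oct/2023:13:54:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2970',
    '198.51.100.5 - - [10/Oct/2023:13:54:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '198.51.100.5 - - [10/Oct/2023:13:54:52 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.5 - - [10/Oct/2023:13:54:53 +0000] "GET /wp-admin/ HTTP/1.1" 200 51023',
] + [
    f'203.0.113.7 - - [10/Oct/2023:13:55:{sec:02d} +0000] '
    '"POST /wp-login.php HTTP/1.1" 200 3120'
    for sec in range(0, 60, 4)
] + [
    '203.0.113.7 - - [10/Oct/2023:13:57:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421',
]


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]  # drop ?action=... query strings
    return m["ip"], ts, m["method"], path, int(m["status"])


def is_failed_login(method, path, status):
    """A POST to wp-login.php that did not redirect is a failed guess; every
    POST to xmlrpc.php is counted because its status code tells us nothing."""
    if method != "POST":
        return False
    return (path == "/wp-login.php" and status == 200) or path == "/xmlrpc.php"


def find_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Map each source IP to its highest number of failed logins inside any
    sliding window of the given length, keeping those at or above threshold."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_failed_login(rec[2], rec[3], rec[4]):
            failures[rec[0]].append(rec[1])
    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        best = start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins within 5 minutes, block or rate-limit")
```

The legitimate user’s single failure never reaches the threshold, while the attacker is flagged with 16 attempts; feeding the flagged addresses to a firewall or fail2ban jail is the usual next step. The same window logic is what a login-limiting plugin applies inside WordPress, where the status code is not needed because the failure is known directly.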

Prevent Directory Browsing

This one requires a bit of fiddling with the .htaccess file. Directory listings let an attacker see exactly which plugins, themes and uploaded files your site has, often including version numbers, which makes picking a known exploit much easier.

Apache shows a directory listing automatically when a directory has no index file; WordPress ships an empty index.php in most of its folders, but wp-content/uploads, for example, does not get one. Add these two lines to the .htaccess file in your site root:

 # disable directory browsing
 Options -Indexes

Note the leading minus sign: the frequently copied form “Options All -Indexes” mixes plain options with +/- options, which Apache rejects as a syntax error. Once you do that, Apache answers 403 Forbidden instead of a listing for every directory under the site, and no one will be able to browse the inner layout of your website. This only works if your host permits the Options override in .htaccess; on nginx the equivalent is autoindex off in the server configuration.

Restrict Admin Access To Static IPs

For the best security, only you and a handful of people you trust should have administrator privileges on your website, and the admin area itself can be closed to everyone else at the web server level.

Using an .htaccess file placed inside the wp-admin folder (not the one in the site root, which would block the whole site), you can tell Apache to refuse requests to the admin area from every address except a small number of static IP addresses.

Copy the following into wp-admin/.htaccess:

 # wp-admin/.htaccess (Apache 2.2 syntax): replace xx.xx.xx.xx with your static IP
 Order deny,allow
 Deny from all
 Allow from xx.xx.xx.xx
 <Files admin-ajax.php>
 Order allow,deny
 Allow from all
 </Files>

Now replace “xx.xx.xx.xx” with your IP address, and Apache will answer 403 Forbidden to any other address that requests anything in the wp-admin folder. Keep the comment on its own line: Apache does not accept comments at the end of a directive, so the often-copied “allow from xx.xx.xx.xx # my IP” form is a configuration error. The <Files> block keeps wp-admin/admin-ajax.php reachable, because themes and plugins call it from the public site and many of their features break for visitors without it. On Apache 2.4 the three Order/Deny/Allow lines become a single “Require ip xx.xx.xx.xx”, with “Require all granted” inside the Files block.

Note that wp-login.php lives outside wp-admin, so this does not stop password guessing by itself; wrap the same directives in a <Files wp-login.php> block in the root .htaccess to cover it as well. This takes seconds and is one of the best ways to protect your website, but only do it if you have a static IP: with a dynamic one you will lock yourself out the next time your address changes, and will have to remove the file over SFTP to get back in.

Conclusion


As you can see, there are a lot of ways in which you can keep your website’s security from being compromised.

Security is one of the most important aspects of running a website these days, as there truly are a lot of malicious people out there who can and will try to target your website (whether to steal your data, use your server to send spam or take part in a DDoS, or for a number of other reasons known only to them).

We hope that you’ll be able to utilize these tips with your own WordPress site, and keep it secure from malicious attacks.

WordPress is a great platform to use and it doesn’t look like it’s going away anytime soon, so you should definitely know how to protect it.

Note: The opinions expressed in this article are the views of the author, and not necessarily the views of Caphyon, its staff, or its partners.

Author: Adam Ferraresi

Adam Ferraresi started his career as a web developer and he loves his job from the day one. With time, as he progressed with his skill, he found his passion for writing about many different topics concerning web development. From that time, he has expanded his views and is now writing on all sorts of different subjects. Adam is also a trusted writer of wefollowtech.com. He’s stationed in Dallas, where he spends his free time playing guitar and cooking for his friends.

2 thoughts on “Why WordPress Keeps Getting Hacked And How To Prevent It”

  1. Thank you for the tips Adam. I am following most of these but the last one was a nice little hack there. What would you suggest for a dynamic IP for wp-admin though? Most of the ISP providers for home internet come with dynamic IPs

  2. Thanks for your information…I suggest always back up your website! If you maintain regular backups this allows you to easily rollback if you are attacked, and restore your website. We also recommend running backups before you update your WordPress version and plugins. If you happen to be on a managed WordPress host many of them now offer one-click staging areas which are perfect for testing updates before you touch your production site.
