By Matt Mascarenas
The first thing to understand is that, no matter what a security consultant may say, there’s no such thing as a 100 percent hack-proof website. With enough time, talent and resources, anything online can be breached. Just ask NASA, T-Mobile, whitehouse.gov, Sony, AT&T, eBay, Target, Adobe, JP Morgan Chase, the Utah Department of Workforce Services or University of Utah Hospitals & Clinics, to name a few. Your site probably isn’t as high-profile as those listed above, but if it’s built on WordPress, it has a target on its back. There are, however, steps that can — and should — be taken to make your website difficult to hack.
According to Forbes, more than 75 million websites run on WordPress. It powers more than one-fourth of the world’s websites. WordPress is easily the world’s most popular content management system (CMS). It leads the CMS market with more than 60 percent of the worldwide market share. This is mainly because it’s super-easy to use. It allows contributors with zero coding experience to add text, links and images to create a professional-looking website quickly and easily.
Of course, WordPress’ extreme popularity also has a downside. All these legitimate websites draw more than their fair share of unsavory characters. Hackers attack WordPress sites for a variety of reasons: to hijack incoming and outgoing links and traffic, to hold the site for ransom, to steal credit card numbers and identity information, and many more.
Plugin Attacks
One of the reasons that WordPress is so popular is the huge number of plugins that are available. Because WordPress is an open-source project, developers from all over the world are able to create and submit free plugins. Unfortunately, not all these plugins are safe. According to wordfence.com, nearly 60 percent of all successful attacks come through plugins. For this reason, get your plugins from reputable sources, meaning legitimate companies. This can be tough to determine, but use your best judgment. Look at the company’s website, paying close attention to the types of contacts that are available, the terms of service, the privacy policy and the general appearance of the site. Look at the plugin’s community rating and popularity. A plugin with a rating of 4 or 5 and thousands of downloads is most likely safe. Also, search the company name, looking for warnings or accusations of fraud. As a safety net, always back up your data before you install a plugin. Finally, remember to scan for malware once your new plugins are downloaded, just to be safe.
Once a vulnerability is found in a plugin, a reputable developer will update it as quickly as possible to keep attackers from exploiting the weakness. For this reason, you should always keep your plugins updated to ensure security. While there is no 100 percent security guarantee when using third-party software, following a few common-sense guidelines will minimize your site’s vulnerability.
Login Page Attacks
WordPress is so popular with hackers that automated bots attack it around the clock; they never stop trying to break into WordPress sites. Bots are programmed to search for login panels. Once a login panel is discovered, the bot tries to gain access by guessing username and password combinations until one works. This is called a “brute force” attack. The simplest safeguard against brute force attacks is a complex username and password combination. Your username should be a combination of numbers and letters and should never be anything obvious like “admin” or your company name.
Another effective way to safeguard your WordPress site is cell phone sign-in, also called two-step or multi-step authentication. With cell phone sign-in, the user is sent a number or password by text message when they attempt to log in, and must enter it before being granted access to the site. This effectively blocks brute force attacks because the bot has no way of learning the code that is sent to your phone.
Hide My WP
Plugins can also be used to augment your site’s security. The WordPress security plugin that I most often recommend is called Hide My WP. Hide My WP hides your WP login page and protects your site from about 90 percent of SQL injection and XSS attacks that target PHP files. You can also use Hide My WP to alter your URLs and remove the WordPress identifiers. Bots that are specifically programmed to attack WordPress sites will ignore yours if they don’t identify it as a WordPress site. Hide My WP will even notify you by email when someone attempts to access your site.
Hide My WP is available at six different levels, which equates to hundreds of security options. Pricing varies according to the feature package that you choose, and starts at a one-time fee of about $20.
Sucuri
For business owners who want to take security a step further, I recommend Sucuri, a WordPress security platform. Sucuri monitors your site, scanning for and responding to attacks. Several basic attributes make Sucuri a great option. For one thing, Sucuri doesn’t just tell you when your site has been compromised — technicians find and repair damage caused by attacks. The subscription plan you choose will dictate how frequently your site is scanned and how quickly it will be repaired. Another nice feature is the set annual fee. This means no surprise bills will show up. Lastly, there’s no complicated setup. These features make Sucuri a true set-it-and-forget-it security option that you can trust is working behind the scenes to keep your business up and running.
Sucuri is available at three feature levels. You get security monitoring, malware and hack repair, DDoS mitigation, increased performance and 24/7 customer service with all three options. Packages range from $200 to $500 per year.
Unfortunately, WordPress has become a favorite target for hackers. The reason is not a problem with poor security; it’s a result of the system’s popularity. There are, however, steps that you can take to dramatically improve your site’s security. Some are as simple as setting up a username and password that a hacker won’t easily guess; others are more involved. It’s important to know that you have options and you can make your WordPress site as secure as you’d like, depending on what kind of commitment you’d like to make.
Matt Mascarenas is a digital PR specialist at Red Olive, a full-service agency in Sandy.