Let’s talk about hacking. I’ve dealt with hacked websites before and it’s not fun, especially when there are no backups in place (see last week’s email). I recently had a client come to me for help with her site. When she tried logging in for the first time in almost a year, the site crashed and all that was left was the following error message flashing on the screen:
Parse error: syntax error, unexpected T_FUNCTION in /homepages/9/d336685355/htdocs/rhssoccer/wp-content/themes/business-park/inc/widgets/widgets.php on line 21
Turns out the site had been hacked, and hacked very, very thoroughly. The site had no backups, off-site or otherwise, except for the ones done by the host, and those didn’t help since the hacker had gotten started months earlier.
Why would anyone want to hack your website?
Most of the time attacks are vulnerability-based, not website-based, which means the hacker does not pick a website and then try to find their way in. Instead, they pick a known vulnerability and then try to find all the websites that can be attacked with it. This means that everyone is a target, no matter how big or small your site is.
Most of the malicious bots out there trying to get into your website aren’t targeting you personally. They don’t want your password or identity or vital information. The majority of the time when a WordPress site is attacked it’s to inject code and create traffic for a spam-like website.
WordPress Security Checklist
Today I’m going to provide you with a checklist you can get through in 20 minutes that will help you secure your WordPress website.
- Update WordPress core, plugins and themes to the latest version. Leaving old or outdated WordPress core files, plugins and themes on your website is basically leaving the front door open for a burglar to come in and wreak havoc. With WordPress especially, version updates often include security fixes and improvements. If you’re running older versions, any security issues are typically known and can be exploited.
- Remove/change the “admin” user. The default username for the main WordPress user is admin. Bots and hackers know that and take advantage of it.
- Create strong passwords for admin users. The more difficult the password, the harder it is for it to be guessed.
- Choose a security plugin + configure it. WordPress security plugins secure your website from any potential issues and known vulnerabilities. My favorite is Wordfence Security.
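One way to check the four items above from the command line, as an added example that is not part of the original post. It assumes WP-CLI is installed as `wp`, that it is run from the WordPress root directory, and that the security plugin is Wordfence (plugin slug `wordfence`); the function names are made up for this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Assumes WP-CLI ("wp") is on PATH
# and that the script is run from the WordPress root directory.

# Item 1: count pending updates for core, plugins and themes.
pending_updates() {
    local core plugins themes
    # Only lines that look like a version number count as a core update.
    core=$(wp core check-update --field=version 2>/dev/null | awk '/^[0-9]+\./ {n++} END {print n+0}')
    plugins=$(wp plugin list --update=available --field=name 2>/dev/null | awk 'NF {n++} END {print n+0}')
    themes=$(wp theme list --update=available --field=name 2>/dev/null | awk 'NF {n++} END {print n+0}')
    echo "core=$core plugins=$plugins themes=$themes"
}

# Item 2: succeeds if a user with the default login "admin" exists.
has_default_admin() {
    wp user get admin --field=ID >/dev/null 2>&1
}

# Item 3: passwords cannot be read back, so list whose passwords to review.
admin_logins() {
    wp user list --role=administrator --field=user_login 2>/dev/null | paste -sd' ' -
}

# Run every check; returns non-zero if any checklist item fails.
audit() {
    local status=0 updates
    # Refuse to report "OK" when WP-CLI or the WordPress install cannot be reached.
    command -v wp >/dev/null 2>&1 || { echo "WP-CLI (wp) not found" >&2; return 2; }
    wp core is-installed 2>/dev/null || { echo "no WordPress install here" >&2; return 2; }
    updates=$(pending_updates)
    if [ "$updates" = "core=0 plugins=0 themes=0" ]; then
        echo "OK    no pending updates"
    else
        echo "FAIL  pending updates: $updates"; status=1
    fi
    if has_default_admin; then
        echo "FAIL  a user named 'admin' exists"; status=1
    else
        echo "OK    no user named 'admin'"
    fi
    echo "INFO  administrators to review passwords for: $(admin_logins)"
    # Item 4: "wordfence" is the plugin slug assumed here; swap in your own plugin.
    if wp plugin is-active wordfence >/dev/null 2>&1; then
        echo "OK    security plugin is active"
    else
        echo "FAIL  security plugin is not active"; status=1
    fi
    return "$status"
}
```

Source the file and call `audit` from the WordPress root; a non-zero return means at least one checklist item still needs attention.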
What are you doing to secure your WordPress website?