In 2016, internet security company Wordfence surveyed 1,032 people whose WordPress sites had been hacked. More than 60% of the respondents didn’t know how the hacker got into their website. If you know how WordPress hackers conduct their attacks, you can better prepare.
A Crime of Opportunity
Even if your website is small and you can’t think of any reason you would be a target, take precautions. Hackers are opportunistic. According to Torque, “The first thing you need to understand is that it’s not about your site in particular or you personally. Most sites get hacked merely because it’s possible.”
The flip side of this is that it may only take minimal effort to ward off potential attackers. You could lock your car and have an alarm, and someone could still break in. But, why would they do that when they can just open the door of the car next to it with the windows rolled down?
How Do WordPress Hackers Get In?
Skilled WordPress hackers can write code into plugins that makes them do things you don’t want them to do, including steal all of your information. Keep your plugins up-to-date and delete any that you no longer use. Plugins may be the source of at least half of all WordPress hacks. Only use plugins from reputable sources. How do you know what is a reputable source? Use options from the WordPress directory. In the directory, treat choosing a plugin like you would treat shopping for anything else online. Look at the number of downloads, and read reviews. Make sure that it has been updated recently, say within the last year or so. You can also screen plugins using tools like Theme Check and Plugin Check.
This technique works a lot like exploiting plugins. Take the same precautions. Get your themes from a reputable source. Look over the code yourself or, if you are not versed in code, have a trusted developer do so for you. Keep you theme up-to-date.
If you know how to do so, search all of your plugin and theme files for “base64_“. Acccording to Alex Moss at Search Engine Watch, this little piece of code is a red flag. He explains, “This function has obvious honest intentions but is used widely in WordPress themes and plugins for dishonest means. This function is used by the developer to insert encoded scripts without your being able to find them as easily.” Essentially, “base64_decode” says “the following is written in a language that you will probably never be able to understand, so it could say literally anything.” Get rid of it.
Attacking Your Admin Dashboard
This is the part of your site most likely to be hacked, as it’s the perch from which the attacker can do the most damage. Start by password protecting your admin page. Be careful about who you give administrative rights to your site and make sure they are following protocols you set forth for strong usernames and passwords. (See more on this below.) It’s also a good idea to purchase and install a SSL (Secure Socket Layer) certificate. You can do this quickly and inexpensively. It is required if you want to collect payments through your site, but it adds a layer of reassuring security even if you don’t.
User Name and Password Guessing
Also known a brute force attack, this is where the hackers simply try to log in until it works. This doesn’t mean there’s some guy typing away like the Kermit the Frog typewriter meme. Hackers use software to instantaneously check millions of username and password combinations. You can install a plugin that limits the number of login attempts within a given hour. By doing so, you will reduce your chances for a brute force attack. Illuminea recommends deleting the default username “Admin” altogether. Create complicated passwords with a variety of different types of characters.
The time to secure your WordPress site is now. Hacking has become all too common, and it’s easier to prevent it than to clean up the mess later. For more information on WordPress security, explore WordPress itself and consult with other users in the forums.