Hacking looms large in the public consciousness these days, with high-profile attacks making headlines. In fact, hacking takes place constantly. There’s a good chance someone is trying to hack your site right now. Keeping your WordPress site secure means staying on the same page as your web team. Check in with them regularly. To guide you, we’ve developed this list of WordPress security questions your web team should be able to answer.
Why Would Someone Want to Hack Our Site?
Before you can fend off hackers, you must understand their motivation. Consider what information gets exchanged over your site that someone might want. They may target obvious things like credit card information, so you’ve probably taken steps to lock that down. But they might want client lists or email addresses. There’s also such a thing as website vandalism. Vandals, as the name suggests, want only to mess up your site. They could be seeking to embarrass you or simply disrupt your business for political or personal reasons — or no reason at all.
Sometimes, hackers hack simply because they can. Threedeep Marketing lists the top three reasons WordPress sites are hacked. Their number one? Hackers know it’s vulnerable. They might exploit outdated themes, plugins, or your dashboard. If you neglect to install updates on any of these things, you give a hacker a reason.
Hackers may not take an interest in your site itself, but rather wish to harness the computing power of your servers. They can use your servers to hide their identity or to mine Bitcoin.
If your site includes a blog, your comment section provides an easy target. Spammers will gladly blanket your comment section with advertising for their product. Picture the emails in your junk mailbox with subject lines touting designer handbags and prescription drugs. Spam comments look similar.
Think through all of these possible motivations with your team. Read this post for more on HOW hackers could attack your WordPress site.
Who Has Access to the Dashboard?
WordPress allows you to create numerous user accounts, with five different levels of access: Administrator, Editor, Author, Contributor, and Subscriber. Only an Administrator can add or delete other users and change users’ information.
Periodically review who needs an account and at what level. Ensure that each user creates a strong password and shares it with no one. Remember to promptly delete the account of anyone who leaves the company. Your web team should maintain a list of users. They should be able to tell you who has what access and why.
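One way to run that periodic review, as an added example that is not part of the original post: it compares a user export with the team's maintained access list and reports accounts that are unlisted, over-privileged, or missing. It assumes the export comes from the WP-CLI command `wp user list --fields=user_login,roles --format=csv`; the sample users, the access-list layout, and the function names are constructed for illustration.

```python
import csv
import io

# WordPress built-in roles ranked by privilege; "none" is an account with no role.
ROLE_RANK = {"administrator": 5, "editor": 4, "author": 3, "contributor": 2, "subscriber": 1, "none": 0}

# Constructed sample of `wp user list --fields=user_login,roles --format=csv` output.
SAMPLE_EXPORT = """user_login,roles
alice,administrator
bob,editor
carol,administrator
dave,author
"""

# Constructed sample of the team's access list: login -> (approved role, reason).
SAMPLE_APPROVED = {
    "alice": ("administrator", "site owner"),
    "bob": ("editor", "content lead"),
    "carol": ("author", "guest writer"),
    "erin": ("contributor", "intern"),
}

def rank(role):
    """Unknown (custom) roles rank above administrator so they stand out against built-in roles."""
    return ROLE_RANK.get(role, 6)

def highest_role(roles_field):
    """A user can hold several comma-separated roles; return the most privileged one."""
    roles = [r.strip().lower() for r in roles_field.split(",") if r.strip()]
    return max(roles, key=rank, default="none")

def review_access(export_csv, approved):
    """Compare live accounts with the approved list and return sorted (login, issue) pairs."""
    live = {row["user_login"]: highest_role(row["roles"]) for row in csv.DictReader(io.StringIO(export_csv))}
    findings = []
    for login, role in live.items():
        if login not in approved:
            findings.append((login, f"not on access list (has {role}): remove or document"))
        elif rank(role) > rank(approved[login][0]):
            findings.append((login, f"has {role}, approved for {approved[login][0]}"))
    for login in approved.keys() - live.keys():
        findings.append((login, "on access list but no account: update the list"))
    return sorted(findings)

if __name__ == "__main__":
    for login, issue in review_access(SAMPLE_EXPORT, SAMPLE_APPROVED):
        print(f"{login}: {issue}")
```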
How Do We Back Up Our Site?
Whoever is responsible for your site’s security should be able to answer this question easily. They likely use a plugin for regular backups. Make sure it’s a well-rated and reliable plugin and that it’s always kept up to date. One example, UpdraftPlus, has a 4.8 rating and more than a million installs as of this writing. Another, BackUpWordPress, has a 4.8 rating and more than 200,000 installs. Follow up with these questions:
- How often is it backed up?
- Where is the backup stored?
- How do we access the backup if we need it?
How Safe is Our WordPress Database?
According to WPBeginner and others, the WordPress database is a hacker’s favorite target. When you install WordPress, the database prefix is wp_. Change it! Go to your root directory, open your wp-config.php file, and change the prefix to something longer and harder to predict. On a site that is already running, the existing database tables must be renamed to match the new prefix, so take a backup before you start. WPBeginner offers a brief video showing how to change the prefix.
What is Our Plan of Action if We Do Get Attacked?
Consider the potential effects of a hack. Actually list them out. You might start with this list. You should have a plan in place for these possible scenarios. On the technical side, think about how you will regain search engine ranking and lost traffic. Google may actually notice a hack before you do and will quarantine your site. This action can prevent further damage but will severely damage your hard-won ranking.
On the other hand, remember the public relations side. Discuss who will be in charge of putting out a press release, if necessary, or contacting customers. You may need to warn your customers if their information has been compromised and plan how to earn back their trust.
Appoint roles within your team for who will do what in the event of a hack. If you act quickly, you may minimize fallout.
In short, if you use WordPress, think about WordPress security. It is better to plan ahead than to scramble when a problem surfaces. Work as a team to fully understand your vulnerabilities and your course of action in the face of a hack. Just as you prepare for other disasters, you can prepare for this one, and give yourself peace of mind as you run your business.