The bitter reality
The reason I decided to write this article is that many of our clients have found themselves in total despair and frustration when their WordPress site keeps getting hacked. Hacks such as the Japanese Keyword Hack or the Malware Redirect hack can break a WordPress site once; however, if you are not careful with your WordPress site, these hacks might reappear.
Truth be told, the psychological and financial burden of a WordPress site that keeps getting hacked is massive, and it can take a great toll on the user, the brand and the service. Users who have gone through this experience multiple times understand what we are talking about and how a hacked WordPress site can mess up everything and leave you in dismay. Having your WordPress site hacked is already a pain in itself, so imagine the frustration when a site keeps getting hacked: people lose sleep over it and feel stumped.
If you are at your wit’s end because your WordPress site keeps getting hacked, read this article as it will definitely hit a nerve.
Why does a WordPress site get hacked again and again?
Before analysing the reasons why a WordPress site keeps getting hacked, we need to clarify that WordPress itself is a very secure platform. Being open-source software with a dedicated community supporting it means that any security issues that arise are dealt with promptly and efficiently.
So what makes your WordPress site vulnerable and thus repeatedly hacked?
1. Not running the latest version of WordPress on your website
WordPress releases a new update almost on a monthly basis. Every update comes with a number of fixes for bugs and for security, performance and compatibility issues. Neglecting to update your WordPress site to the latest WordPress version makes it vulnerable to hackers. There is no excuse for using an outdated version of WordPress.
2. Not updating the plugins and themes of your website
All active plugins and themes have updates which are released regularly. These updates may not be as frequent as the WordPress core releases; sometimes they are more sporadic, but they are equally significant, as neglected plugins and themes can also become an entry point for hackers. Though a WordPress site can have a myriad of plugins and updating all of them can be gruelling, not updating them is neither a secure nor a wise option. No matter how daunting the task may be, dealing with the consequences of a hacked site is far more strenuous.
A word of caution: make sure you purchase your themes and plugins from trusted sources and vendors, as these release updates regularly and provide you with support and guidance if need be.
3. Dubious Hosting Environment
Not all WordPress hosting platforms are built alike and not all hosting services are reliable. This means that depending on the way your host’s platform is built, it might not be secure enough. Thus, the hosting platform on which you run your website can affect your site’s health and performance. Managed WordPress Hosting platforms, for example, are designed in a way that they block off many of the common attacks.
4. Using Weak Passwords
Not securing your online presence with strong passwords is childish and irresponsible. When it comes to your WordPress site you need to use unique and strong passwords for all the accounts which are related to your WordPress site. Having the same password for your WordPress Admin account, your WordPress web hosting cPanel, the email accounts connected to your WordPress site, the database and any FTP accounts, only makes the life of the hackers easier and your site more susceptible to a hack attack.
5. Unguarded access to the WordPress Dashboard
This is related to the previous point we analysed. The WordPress User page found inside the Dashboard area is one of the most important areas of your website. It is an area where roles are assigned to different users and thus the users have access to perform certain actions on the website. Imagine not hardening the WordPress login page and inviting a hacker to take over the roles and the control of your website. This is why the login page must always be guarded with a strong password and added layers of security.
Oh, and using Admin as your username is not considered a secure option!
6. File Permissions gone bad
File permissions allow the web server to control access to files on your WordPress site. When file permissions are incorrect, they can give a hacker the access needed to compromise your website.
7. Not using SFTP/SSH
When uploading files to your web server, always opt for an SFTP or SSH account. Plain FTP sends your credentials and files unencrypted, so by using a plain FTP account you practically invite a hacker to join your account.
8. Insecure WordPress configuration file
The wp-config.php file contains your WordPress database login credentials. If a hacker gets their hands on that file, all the hard work and effort you have put into building your website can vanish in an instant. Not securing the wp-config.php file gives a hacker the login credentials to your WordPress site's database and, with them, complete access to your website.
9. Keeping the default WordPress table prefix
WordPress, by default, uses wp_ as a prefix for the tables it creates in the database. So during installation it is advisable that you change the prefix and ideally choose a more complicated one, which will make it more difficult for a hacker to guess the table names.
10. No uptime monitoring of your WordPress site
It is advisable that you are aware of your WordPress site’s status. You need to keep an eye on its health, performance and availability. Monitoring your site provides you with real-time insights so that you are immediately notified of suspicious behaviour on your website.
Tips to prevent your WordPress site from getting hacked repeatedly
As you can understand, you cannot afford to take your website's health and security lightly. No matter how laborious or time-consuming it might be, you need to take some necessary steps to guarantee its security.
Here is a list of small tips and necessary steps you need to take to prevent your WordPress site from getting hacked.
Update, update, update!
Keep your website running on the latest updates. From the WordPress core to the theme and the plugins, update everything as soon as a new release is out. If you are worried that a new release might break your site, test it on a staging environment first.
Use Unique, strong Passwords on all the accounts
Very often a WordPress site is a good source of income for its owner. For this reason, you cannot afford to mess up its performance, security and health by being irresponsible with passwords and usernames. Lock down everything with strong passwords which are unique to each connected account, and make it difficult for hackers to bypass the different layers of security. Use hard-to-guess usernames and generate strong passwords for each account, use 2-factor authentication and limit the number of login attempts. There are relevant plugins available which offer these features and help you add extra layers of security to your WordPress site.
Control Everything (from File Permissions to the database, to user roles and the actions performed on the website)
Multiple layers of security means not only controlling who has access to your website but also who performs certain actions, who reads and writes certain files, and even which files are visible or accessible only to you. It is practically in your hands to construct and maintain a well-sculpted security network on your website. For this, set directory permissions carefully to 755 and file permissions to 644 to protect the whole file system. Disallow file editing, secure your WordPress database and change the default wp_ table prefix to a more complex one, which will not be easily guessed by hackers. Take full control of the roles and the permissions granted to the users of the website.
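A small audit for the points above (file permissions in 6, wp-config.php in 8, the table prefix in 9, and the 755/644 rule here), written as an added example rather than code from the original article; it assumes a POSIX shell with find, grep, chmod and mktemp, and the sample site it builds (including the x7q_ prefix) is constructed for the demonstration.

```shell
# Count directories whose mode is not exactly 755 and regular files whose
# mode is not exactly 644 (the modes recommended above). Prints
# "<bad_dirs> <bad_files>" so a cron job can alert when either is non-zero.
audit_perms() {
  bad_dirs=$(find "$1" -type d ! -perm 755 | wc -l | tr -d ' ')
  bad_files=$(find "$1" -type f ! -perm 644 | wc -l | tr -d ' ')
  echo "$bad_dirs $bad_files"
}

# Inspect wp-config.php for two settings discussed above: file editing from
# the dashboard must be disabled, and $table_prefix must not be the default
# wp_. Returns 0 when both hold, 1 otherwise, naming each finding.
check_config() {
  cfg="$1/wp-config.php"
  status=0
  grep -Eq "define\( *'DISALLOW_FILE_EDIT' *, *true *\)" "$cfg" \
    || { echo "$cfg: DISALLOW_FILE_EDIT is not set to true"; status=1; }
  grep -Eq "^.table_prefix *= *'wp_'" "$cfg" \
    && { echo "$cfg: database tables still use the default wp_ prefix"; status=1; }
  return $status
}

# Build a constructed WordPress-like tree showing the weaknesses listed above:
# a world-writable uploads directory, a world-writable config file, the
# default prefix and dashboard file editing left enabled. Prints the path.
make_sample_site() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads"
  printf '<?php // constructed placeholder\n' > "$root/index.php"
  printf "<?php\n\$table_prefix = 'wp_';\n" > "$root/wp-config.php"
  chmod 755 "$root" "$root/wp-content"
  chmod 777 "$root/wp-content/uploads"
  chmod 644 "$root/index.php"
  chmod 666 "$root/wp-config.php"
  echo "$root"
}

# Apply the recommended fixes: 755 on directories, 644 on files, editing
# disabled and a non-default prefix (x7q_ is a constructed value). On a live
# site the database tables must be renamed to match a changed prefix, which
# is why the article recommends choosing it at install time.
harden_site() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  printf "<?php\n\$table_prefix = 'x7q_';\ndefine( 'DISALLOW_FILE_EDIT', true );\n" \
    > "$1/wp-config.php"
}
```

Run `audit_perms /path/to/wordpress` and `check_config /path/to/wordpress` against a real install; any non-zero count or non-zero exit status points at one of the weaknesses above.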
For a more detailed analysis on how to protect your WordPress site from getting hacked you should check out this very interesting and detailed article.
Perform a thorough Clean-up of your hacked WordPress site
This might seem redundant to you, but from our experience many clients do not do a good job of cleaning a hacked WordPress site themselves. This means that corrupted and malicious files may remain in the WordPress site and its database, only to compromise it again shortly after it was cleaned up. The truth is that the WordPress website was never really cleaned up, since the job was not thorough.
So if your WordPress site is hacked once, you can clean it up yourself if you are an advanced WordPress user, following these guidelines on what to do when your WordPress site is hacked, or you can ask a security professional to do it for you, so that your WordPress site stops getting hacked again.
Having your WordPress site keep getting hacked is a frustrating situation with a great financial and mental cost to you, while at the same time it takes a great toll on your reputation as a brand and on your reliability. Thus, it is not only a matter of security and performance; it is a multifaceted issue which affects all aspects of a business, a brand or a service. To prevent your WordPress site from getting hacked repeatedly you need to be proactive, and you should not spare any effort, time or money to guarantee multiple layers of security warding off hackers.
Being Proactive is the best way to secure your WordPress website
Professionals in the field are always ready to offer their knowledge and expert skills, and valuable resources on these issues can give you more insight into how to protect your WordPress site from being hacked.