How would you feel if you woke up one morning to find that the site you have poured your heart and soul into had been hacked? Gone is your pride and joy and in its place is some ugly ad site or inane message from the hacker.
The bad news is that once a site is hacked, it is normally very difficult to clean. In fact, without a known clean backup, you risk having to start from scratch again.
Yes, WordPress sites are often targeted by hackers, and odds are your site will be a target at some point. But the good news is that there is a lot you can do to protect yourself (and your site).
Most attacks rely on known “shortcuts” used by 1-click installers (and most developers). By simply taking a bit of extra time to set up your WordPress site properly you will automatically block many hacking attempts.
Follow our step by step instructions here: How to Start a WordPress Blog Without Making the 1-Click Installation Mistake.
Is Your WordPress Database Secure?
1-click installers are included with most hosting accounts, and they seem like an easy way to get up and running. The problem is that each installation will have the same database name, database user and (often) database user password.
Hackers know these details and can use them to bypass WordPress altogether and add malicious content or additional users. Once they have installed these “back doors” your site is effectively theirs to control.
A full manual install takes less than 10 minutes and is incredibly easy. Why would you risk your site to save yourself this amount of time?
Is Your Table Prefix Non-Standard?
If you don’t know what a table prefix is, don’t worry.
All you need to know is that by default WordPress uses “wp_”, and hackers know this. Many of their attacks rely on this fact, and can be thwarted simply by using some other prefix.
Most 1-click installers will not give the option to change this, but a manual install will allow you to set it to whatever you want.
Is Your Admin Username Secure?
By default WordPress creates an a user with full rights to your site and names it “admin”. Even though a manual install allows your to change the name, most people don’t.
Imagine how easy it makes it for hackers knowing that more than 90% of WordPress sites still use this account to access the dashboard. All they have to do is run a “brute force” script to crack the password – and anyone can get access to enough computing power to do that in under 24 hours these days.
Simply replacing “admin” with something harder to guess will make it exponentially harder for a hacker to gain access to your site.
Is Your Password Secure And Hard To Guess?
It is scary how many people use passwords that are easy to guess – pet’s names, birthdays, significant others, etc. If you use anything that could easily be discovered on social media, or with a google search, then you are making it way too easy for the hackers.
And if you are worried about having to remember some random string of characters and numbers (the most secure sort of password), then maybe it is time to invest in a password management program – 1Password is the best for Mac and Roboforms will do the job for PCs.
Have You Deleted All Unused Themes And Plugins?
Themes and plugins also contain code that can be exploited by potential hackers.
Play it safe – deactivate and delete any themes and plugins that you do not absolutely need.
OK, so you have the basic setup done in a way that makes it harder for hackers to gain access to your site.
But site security is not a once-off effort. There are things you need to do on an ongoing basis to keep hackers out of your site and ensure you can clean up quickly should they gain access.
Is Everything Up To Date?
Have you noticed how often WordPress is updated? Sure, there are some new features added now and then, but the majority of the releases are to address known security issues.
And if WordPress know about the security issues, you can bet the hackers do.
Don’t take the risk of hackers gaining access through a hole that WordPress (or theme/plugin developers) have already closed. Make sure you regularly check your WordPress dashboard for available updates and apply them promptly.
Do You Run Regular Backups?
This one won’t stop the hackers, but it will certainly make the job of recovering easier.
Unless you are adding multiple articles a day to your site, a full site backup on a weekly basis should suffice. If you are posting more regularly you might want to add a daily database backup to the mix.
Of course, you could do this manually, and there are some decent free backup plugins. But I highly recommend you install and use BackupBuddy. Yes, it costs a few dollars, but it allows you to automate the whole process and makes it incredibly easy to restore your site should you ever need to.
Are Your Backups Stored Off Site?
What good is a backup file if you can’t access it when you need to restore from it?
Many hacks can make such a mess of your site that any backups stored on it may become inaccessible and/or corrupted.
Play it safe and store your backups somewhere other than just on your site. If you use BackupBuddy you can configure it to automatically store the backup files in your Backup Buddy Stash (cloud storage especially for your backups).
Do You Regularly Scan For Malware?
Don’t be fooled – many hacks are not immediately obvious.
Often hackers will deliberately not leave any visible signs of attack for weeks (or months). Why? So that when your site is restored from a recent backup, they still have access through the back door they installed and can wreak havoc again.
Yes, even if you are running regular backups, you still won’t know when your site was hacked
You do have the option of running a manual Sucuri check any time you want, but this is only a remote scan and won’t show everything. If you want more peace of mind, sign up for a Sucuri subscription. Sucuri will then actively monitor your site and let you know as soon as a hack occurs.
What to do next
If you answered “no” to any of the above questions then your site is at serious risk of attack. These days it is not so much a matter of “if”, but “when” someone will try to attack your site.
Don’t make it easy for them – plug the gaps NOW! If you need help securing your site or if your site has been hacked, get in touch so we can advise you of the best path forward.