Securing your WordPress website from being hacked

WordPress
9½ Minutes to Read
Ian Chapman

Over the last few weeks, we have noticed an increase in the number of client (and prospective client) websites that have been broken into (a.k.a “hacked”) – with varying levels of damage occurring.

The purpose of this article is to explain what the potential risks are, how you can minimize the chance of an attack, and what you can do if you are targeted.

NOTE: Keep in mind as you read the article is targeted at small and medium sized businesses and doesn’t really apply to larger “Fortune 500” type institutions.

Why are websites hacked?

An intrusion into your website is usually done for financial gain – usually unsuccessfully. Hackers look for websites that they can upload malicious code or web pages to that redirect visitors to SPAM-like products pages.

Many (if not all) of the sites they redirect visitors to are not actually legitimate websites. Rather they have been setup for the sole purpose of stealing credit card information. Other pages are setup to capture user’s passwords, which are then later used to access private information.

In some cases, compromised sites will also be used to send out thousands of SPAM emails.

What are the consequences if my website is “hacked”?

In some innocuous cases, the result is a minor annoyance. Your website will have a few randomly inserted files that are implemented so poorly that you may not even notice them lying around on your web hosting server.

In most cases though, the damage to your website is somewhat noticeable. Usually we see that a portion of your website layout has been broken and some page content has been modified.

Should your hosting account also be used to unknowingly send out SPAM emails, you may also find yourself being added to worldwide “blacklists”, resulting in your legitimate emails being blocked.

However, some of the more problematic cases have resulted in tens of thousands of malicious files being created, many of which are indexed by Google. If Google becomes aware of any infected pages, they will inform searchers looking for your site. Alongside your website’s listing, will be a message stating “this site may be hacked”. While that is helpful for visitors, it is certainly bad for your business.

Usually a website cleanup can be resolved in a day or two, however, that doesn’t mean business goes back to normal. For one particular client, after cleaning up the website, we submitted a request for Google to review the website before they would remove this damaging label. While it was eventually removed, it did take approximately 2 weeks of waiting before Google was able to reply to our inquiry. This is simply down to the volume of websites that they need to review.

Google Search Results Hacked
Would you be willing to click on a website link if Google placed a warning like this beside it?

What is the cause?

Unfortunately, there is no single answer. The possibilities include:

  • Weak password settings
  • Out of date WordPress files and plugins
  • Virus-infected computers within an organization
  • Unsecure web hosting provider

While WordPress is a robust platform and generally secure, its own popularity makes it a target for website hacking. In most cases we have seen, it is out of date websites that are allowing security breaches to occur.

With every piece of software (WordPress included), bugs do exist. Software developers are constantly updating, enhancing and securing their code. Keeping up to date with the latest versions helps to ensure that your system is as protected as possible.

However, many websites are launched and then never maintained. This “set it and forget it” mentality increases your chance of your website becoming a target.

Out of date WordPress plugins
This website that has not been updated in 6+ months and almost all of the WordPress plugins are out of date

Shouldn’t my website already be secure?

Security is a measure of relativity. You can have a more secure website or a less secure website, but you can’t have a 100% secure website.

5F7649370BThe same applies to your home – you can improve its security over time, but it will never be completely foolproof to thieves. Burglars can learn new tricks, and as technology advances, they gain access to more sophisticated tools to break locks and disable alarms.

Imagine you were to go away on a holiday with your family. Since a thief is lazy by definition (they don’t actually do legitimate work for a living), he will want to make his “job” as easy as possible. So they will scan your neighbourhood looking for an unsecure target.

On the first day you are away, everything would appear normal with your home: your car is parked outside, your kitchen light is on, and your porch is clean.

A couple of days later, the thieves patrol your street again – this time late at night. They notice that you car hasn’t moved, your lights are still on when you should be in bed, and newspapers are piling up on your front porch. These clues signal to the thieves that you are a relatively easy target and are more likely to choose your home as the one to break into.

The same thought process applies with your website and hackers. These digital intruders usually employ lazy techniques that target out of date websites because it suggests that no one is monitoring them. That allows them to fly under the radar without being noticed, giving them ample opportunity to implement their malicious code.

example-malware-html-code
An example of malware-infected PHP code

What can be done if I am infected?

To date, we have been able to restore the website of all the clients who have run into these issues. Of course, individual results will depend on the seriousness of the intrusion, the type of backups that are available, and how often your content is regularly updated.

Unfortunately it simply takes manpower to track down the issue(s), restore the original files, and remove the infected code. Usually this involves a day or two of our billable time.

The more significant cost is the customers you lose if Google manages to apply the dreaded “this site may be hacked” label to your search listings. I know if I saw such a warning next to a business during a Google search, I certainly wouldn’t take the chance to click on it.

How can I prevent this from occurring?

Strengthen Your Passwords

As mentioned earlier, changing all your website login passwords to be stronger is a great start. Avoid using common words or phrases that can be found in the dictionary and be sure to include uppercase, lowercase, and special characters (stars, ampersands, dollar signs, etc.). Also remember to do the same for your web hosting and FTP passwords.

Secure Your IT Environment

Making sure your internal IT environment within your office is up to date with virus scanners and malware detection is also important. We know for a fact that two of our clients have had their credentials “intercepted” by illegitimate software hiding out on their employee’s computers scanning their keystrokes for passwords being used to login to websites.

Monitor Your Website

In a similar fashion, your website should also be kept up to date on a regular basis to minimize the chance of any intrusions. This includes updating your WordPress platform to the latest stable version, and updating all of the plugins along with it (make sure to test that the new versions work with your website’s template).

It would also be wise to incorporate some security plugins that will prevent repeated “brute force” login attempts and shutdown some of the more popular avenues that hackers may attempt to infiltrate your site.

Aren’t my webhosts’ backup enough?

It’s not wise to put all your eggs in one basket by relying on your web hosts’ backup system

In an ideal world, it would be nice to be able to restore your website to its former glory by simply logging into your webhosting account and clicking the “restore” button.

However, that approach makes the assumption that you know when your site was infected. Was it yesterday? 5 days ago? A month ago?

Even if you can figure out the timeframe for your intrusion, a full restore of your account will overwrite all aspects of your website (including your email inboxes). For sites that have new content updated on a very regular basis (ex: orders on eCommerce stores), there is the potential to overwrite a lot of critical information.

You could use your hosting backup to do a manual restore, but this is an extremely time-consuming, painstaking process and provides no guarantee that you’ve repaired everything correctly.

I’m not a WordPress expert – I need help!

While many of the above items can be implemented directly by our clients, we are also able to handle these tasks for you. With the rollout of our various maintenance plans, we include all the necessary security and monitoring to minimize the threat of an intrusion.

If you are a current client with Leaf Design and wish to improve the security of your WordPress website, get in touch with us and we can discuss which maintenance plan suits your needs best. Just like insurance, it’s better to be safe than sorry.

In Conclusion

The goal of this article was not to inject fear into website owners, but rather to inform them of the potential attacks their website might be facing. While most of our clients will never experience the hardships of having to recover from such an issue, when it does happen, it can be a painful experience.

Having a plan in place to deal with such emergencies is what is important to minimize the impact on your business. Stay informed and stay protected.

Ready to move forward?

Speak with us and we’ll make things happen on your next web project