It is frustrating to find out that your WordPress site has been hacked: the security scan comes back positive and confirms that your website has been successfully infiltrated. When it comes to WordPress, “hacked” is never a word you want to hear. In this article, we share the top reasons why WordPress sites get hacked, so you can avoid these mistakes and protect your site.
Is WordPress Secure?
Here is a million-dollar question that a lot of people ask. Is WordPress secure as a platform?
The short answer is “YES”, it is indeed a secure platform. The numbers speak for themselves: WordPress powers over 32 percent of the top 1,000,000 websites on the internet. There is no denying that this popularity is exactly why the CMS is such a darling in the eyes of attackers. Some even call it the Microsoft of the web.
However, malicious actors do find ways to run their own code on WordPress installations; this is where security vulnerabilities come in. In most cases, the core team is right on top of them and releases fixes far more promptly than other major open source content management systems. So, let’s explore some tips and practices to protect your WordPress website and keep it from being hacked.
Insecure Web Hosting Services
When it comes to web hosting, there is a strong correlation between price and quality. Hosts that can hire more professionals and experts tend to charge more than others. Do not treat critical issues like security as something to put off for another day. Look around for a quality hosting provider that offers both a reasonable price and solid service in one package. When it comes to secure WordPress hosting, I encourage you to take a look at SiteGround or Bluehost.
Outdated WordPress Versions
One of the commonalities among WordPress hack victims is not updating their website. According to several reliable reports, 55-61% of WordPress hack victims were running an out-of-date version of WordPress when the hack happened, which is not a coincidence. WordPress security updates are installed automatically. However, some users, especially non-techies, disable that functionality altogether. People who don’t update their site regularly fall into two traps:
- Firstly, they put off updates or ignore them as they are preoccupied.
- Secondly, they are afraid that updating will break their site’s performance.
Luckily, if you fall into the latter category, you can take steps so that an update does not break your site. For example, create a complete backup of your site before you run an update. Even if the site crashes, you will always have the option to restore the previous version.
Weak Passwords Are Common In Hacked WordPress Sites
Don’t be offended, but this point is for those who still use the same password for every single website they visit. It’s time for an intervention, and consider it mandatory. Also, stop storing credentials in Google Sheets. In the context of WordPress, you need to set password rules; with the help of the Force Strong Passwords plugin, you can enforce them across your entire user base.
Missing Two-Factor Authentication
You may think that I’m asking a lot from you today, but it’s simply because I care. You have set a strong password for your WordPress site, but have you considered setting up two-factor authentication for logging into your website as well? This means that every time you log in to your website, you will need to authenticate with another device.
Although two-factor authentication is hard for attackers to bypass, in full disclosure it is not impossible. Still, it adds one more layer of security to prevent unauthorized access to your website. Fortunately, WordPress has many different two-factor solutions, from fully featured commercial implementations like Duo Security to something more straightforward like Two Factor by George Stephanis. Other popular plugins, like Jetpack and Wordfence, have 2FA built in as an additional feature.
Protect WordPress Dashboard
One of the most common WordPress hack attempts involves getting hold of your WordPress login credentials, either through brute force attacks or password theft. To prevent this, you need to protect your WordPress admin directory (in short, your wp-admin page). One of the best ways to do this is to add solid password protection to your WordPress admin page.
The second thing you can consider is setting up two-factor authentication, as I mentioned above. Here users don’t just need a password to log in; they also need to enter a code delivered by text message, email, or an app. Fabrizio uses Wordfence with two-factor authentication enabled on Visualmodo; however, as I mentioned earlier, there are many other plugins you can use to set up 2FA. Do not use “admin” as your WordPress username. Trying this default username is the most common approach attackers use to get into your site, so you should change it.
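A defender-side illustration of the brute force pattern described above. This is added example code, not from the original article or from any plugin it mentions: it scans access-log lines for bursts of failed POSTs to wp-login.php from one address and flags whether a successful login followed. The sample log lines, the threshold and the time window are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1450 "-" "curl/7.88"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1450 "-" "curl/7.88"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1450 "-" "curl/7.88"
203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1450 "-" "curl/7.88"
203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/7.88"
198.51.100.2 - - [10/Mar/2024:12:00:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def login_posts(log_text):
    """Group POST /wp-login.php events as {ip: [(timestamp, status), ...]}."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?")[0] == "/wp-login.php":
            posts[m["ip"]].append((datetime.strptime(m["ts"], TS_FMT), int(m["status"])))
    return posts

def find_bruteforce(log_text, threshold=4, window_seconds=60):
    """Flag IPs with >= threshold failed logins inside a sliding time window.
    Stock WordPress re-renders the login form (200) on a failed attempt and
    redirects (302) on success, so a 302 after a burst of 200s is the
    highest-priority finding: the guessing probably worked."""
    window = timedelta(seconds=window_seconds)
    findings = {}
    for ip, events in login_posts(log_text).items():
        events.sort()
        failed = [ts for ts, status in events if status == 200]
        for i in range(len(failed)):
            j = i
            while j + 1 < len(failed) and failed[j + 1] - failed[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                after = any(s == 302 and ts > failed[j] for ts, s in events)
                findings[ip] = {"failed": j - i + 1, "succeeded_after": after}
                break
    return findings
```

Running `find_bruteforce(SAMPLE_LOG)` reports only 203.0.113.7, with four failures followed by a successful login; the single legitimate login from 198.51.100.2 is not flagged.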
Bad WordPress Themes Mean Hacked Sites
Since we don’t have all day, I won’t go into a great deal of detail here; you can do a quick Google search later if you like. Initially, a cheap theme might seem like a clever money-saving tactic for website owners, but what you may not know is that most of the websites selling cheap and cheerful themes are dodgy. Dodgy in the sense that their themes are badly coded, lack timely updates, and have poor support.
Downloading and installing any random theme may end up compromising the overall security of your website. You know the old saying: there’s no such thing as a free lunch. For a premium theme, make sure you get it from a reputable WordPress development company, one that has been around for a long time and has built up trust and a reputation, like Rare.
Plain FTP instead of SFTP/SSH
Generally, FTP accounts are used to upload files to your web server using an FTP client. Most providers support such connections over several protocols: plain FTP, SFTP, or SSH. The catch is that when you connect to your site using plain FTP, your password is sent to the server unencrypted, where it can easily be spied upon or, in the worst case, stolen. So, instead of plain FTP, use SFTP or SSH. Fortunately, most FTP clients can connect to your website over SFTP as well as SSH; you just need to change the protocol to ‘SFTP – SSH’ when connecting to your site.
Final Words on Why WordPress Sites Get Hacked
This is just a partial list; there are many more things you can do, and I could go on and on. We hope this article helped you learn the top reasons why WordPress sites get hacked.