So, you’ve heard WordPress sites get hacked? It’s true, all websites (including WordPress sites) get hacked. You can think of your website as a door.
A door that’s left wide open will be much easier to get through than one that is closed, locked and bolted.
By following the steps in this article your WordPress site should be closed, locked and bolted, even have an alarm installed. So if you are looking for WordPress hack prevention, read on. If your WordPress site has already been hacked, that’s no time to be reading things, allow me to fix it.
Why do WordPress websites get hacked?
You can think of WordPress as a victim of it’s own success. As a CMS WordPress has a 60% market share and is growing with it’s closest competitor having 5% and declining. So whilst you may well have heard of WP sites being hacked more often than it’s competitors, it’s highly likely that you are aware of/know more people running WordPress than Joomla/Drupal/Wix et al.
Primarily though, it’s because users constantly leave their doors open which boosts the opportunity for bots to have access to their sites. So here are some easy steps to battle those bots and avoid looking at screens like these
1. Keep your site updated.
If you have ever so much as brushed passed a post on WordPress security, you already know this. I’d be astonished to find a single article out there that didn’t have this as the number one recommendation. For the new users out there, when I say keep the site updated, I’m not talking about adding content, I’m talking about your WordPress core, your plugins and your themes.
By far the easiest way to do this, is to sign up to a WordPress maintenance service but if you are not quite ready to take that leap, then once you are in anyway familiar with the WordPress dashboard area, you will immediately be greeted by the number of elements that need updating by little orange circles with the number of updates available, see below;
Whilst it’s important to keep your plugins/themes & core updated. Its equally as important that these don’t impact on your site. Keep abreast of what plugins you are using and the details of the latest update. With any major WordPress update, always wait a few days and check out some WP news sites such as WP Tavern or Torque to see what the general reaction has been.
2. Think about your login details
Changing your password is annoying isn’t it? I get it. You’ve got a favourite password, it’s done you proud over the years and you are sticking with it… Getting hacked though and potentially losing access and data to your website is yet more annoying still. A bit of care and attention on a regular basis means a hack is much less likely to happen and once it becomes routine, you’ll hardly notice. Also, when it comes to passwords, always remember, length beats complexity…
Think about your email, why not setup a unique alias for your website, say firstname.lastname@example.org. Your email is far less likely to end up on sites like have i been pwned (a useful tool to check if your details are at risk) It’s a win win as you can get overloaded with notifications at times, so in the interests of emails not ruling our lives, handy to keep these compartmentalised.
Also think about your username, it’s unique, so look after it! Many WordPress themes will display this automatically on posts/pages so you could look at switching this. WordPress provides a nifty way of doing this by going to users—your profile, then adding a nickname, then using the dropdown below and select the nickname to ‘Display name publicly as’.
3. Backup, Backup, Backup!
For a fourth time backup. By far the quickest way to get a site back up and running is to simply restore from the latest working backup. There are numerous backup plugins out there and many highly rated. In terms of a recommendation I’ve used Updraft and BackWPup without issue, but take a more comprehensive approach for existing clients these days.
The biggest issue with all of these plugins is the sales pitch. All are offered as a ‘one click’ solution or something that you can ‘set and forget’. In reality they are anything of the sort testing a backup on a regular basis is one of the most effective ways of bulletproofing your site. Plugins change, new updates can cause previously known issues, hosting environments change. So always; check your backups.
The next best thing to checking your backup? Backup to more than one location. Hosting account has been compromised? No problem, restore from Dropbox/Google Drive/Local copy?
If you would rather get on with your life and not do any of this, just sign up here.
4. Be vigilant, get to know your website and recognise unusual activity.
The most common WordPress hacks are brute force attacks often leading to an immediate defacement or removing of a site. These are generally performed by bots and infect 100’s if not 1000’s of sites everyday. Thankfully they are relatively straightforward to fix and protect against. Not least because the impact is front and centre, you can see what is going on.
Much more nefarious, are those that are not so upfront with their activities, attacks that remain hidden, in plain sight.
Are you sitting comfortably? Then we’ll begin;
Some years ago I received a referral from a business Facebook group to fix a specific WP issue. As is often the way, one job lead to many others and after some months I became more and more involved with the company and it’s SEO specifically. They were a holiday activities business and wanted help ranking for specific keywords. They had also had some bad experiences with web developers in the past and therefore were extremely cautious with giving access to properties that I would need to use to help, i.e. Google Analytics, Search Console etc.
All was going well and one day I received a call from one of the business owners to say he had noticed some referral spam in Search console, which I explained, was unlikely, he meant analytics. He insisted, I re-iterated, he sent me a screenshot.
The image showed a list of keywords that the site was receiving impressions for, keywords like casino–location, location–gambling. Yet when you visited the page itself there were no words like these on the page. So how could Google be seeing these pages as relevant when there was no indication of anything like these on the pages themselves?
After a couple of hours searching through the server I found the malicious code that was injecting the script into the meta description for the page. So these words were only for the eyes of Google.
Though it was relatively easy to find and fix, the problem could have been ongoing for months, if not years. So it helps to stay vigilant, if you notice something unusual, get in touch with your WordPress guy.