How to Protect Your WordPress Website From Hacking

Security is a hot topic for anybody who uses a phone, computer, or just about any other Internet-connected device. With a slew of recent security breaches at major companies like Target, LinkedIn, and Sony, as well as well-publicized activity by major hacking groups, the public is becoming more and more aware of how important security is.

When designing a website, app or software, the question comes up: How secure is it going to be? And the answer I like to reply with is: How secure are you? In this article, I want to explore this topic. I’ll start by debunking a few myths about security, then point out why you might be your own worst security threat, and finish with some things that you can do to protect your website.

Myths About Security

Myth: Something Can Be 100% Secure.

No matter what the claim, it’s best to assume that nothing is ever 100% secure. Not your website, not your phone, not your bank, and not even your government. The right hacker with the right motivation can probably break into anything. So you always need to approach security with the mindset that no matter how much effort you put into it, there’s probably something that either you haven’t thought about or that hasn’t been discovered yet.

A good example was the Heartbleed vulnerability that was discovered recently. This exploit was part of SSL—the technology that protects your information when you shop online—for over 3 years before it was discovered and fixed. Who knows how many websites could have been exploited using that hack while it was there?

So even if every security expert in the world agreed there’s no way to break into something, the truth is there probably is; it just hasn’t been discovered yet.

Myth: You Need to Be a Target to Be Targeted

Arguably, in the earlier days of computing, it would be reasonable to assume that to be targeted for a hack, you’d need to be a target worth hacking: a government agency like NASA or the NSA, a bank, or a major corporation. Hacking took a bit more effort then, so it made sense to pursue targets that had some kind of value (usually monetary or for major bragging rights).

But things are different today. Computers have become much more powerful and interconnected, making it easier to automate many parts of the hacking process. The vast majority of website hacking happens through automated tools scanning the web for sites with vulnerabilities. Any potential targets are flagged for later exploitation by the hackers. In the right hands, the software can even fully automate the hack, too.

So if you’re online in any shape or form, assume you’re a target.

Myth: Hackers Always Use the Back Door

Hollywood is the worst thing that’s happened to computer security. With the possible exception of the television show Mr. Robot, the picture that Hollywood portrays of hacking is a complete farce. They make it seem like hacking is just knowing the right magic codes, opening a window of text, typing a few characters and you’re in. They also paint the picture that the hacker is always some kind of magical super-genius.

But the truth is, a lot of hacking happens because you open the front door and let them walk right in. You might even be offering them a coffee or water before they sit down!

The scenario goes like this: You get a call from “Joe in I.T.”, asking for your password so they can check your email settings. Or, you get an email from Apple or your bank asking you to verify your account information. Or you click a malicious link in Twitter and log in to Twitter to reply, or at least to a site you thought was Twitter.

From there, they have your password, and they just walk in through the front door. Worse yet, if you use the same password everywhere, they now control your email, and effectively, your identity. Before you know it, you’re getting parking tickets from another country, your credit cards are racked up, and somebody out there is now legally you.

How Secure Are You?

Before you ask how secure your [insert technology here] is, you need to ask yourself these questions:

  • Do you have a simple password?
  • Do you use the same password for all of your accounts?
  • Do you click on links and open email attachments from people you don’t know?
  • Do you readily divulge your password to coworkers or other people?
  • Do you email around your credit card information?
  • Do you have regular backups of your data?
  • Do you have anti-virus, anti-malware and other protective software?
  • Do you use a firewall?
  • Are your employees trained on the risks and procedures to protect your security?

If you feel guilty looking at that list, then the truth is the website is likely the least of your worries. Like I said above, many hackers simply walk through the front door, and if you don’t have good security practices at your company and personally, a secure website is not really going to help.

Viruses & Malware: Hidden Hackers

Even if you’re pretty diligent about the above things, it might not matter. One way you can be hacked is through viruses and malware.

Some viruses will monitor your keystrokes and record passwords and send them to some unknown hacker on the other end. Suddenly, your account is hacked and you didn’t know why. This is how some of the large retailers were compromised, through employees opening email attachments containing malware designed to infiltrate their network.

This is always a risk, even if you install every anti-virus product out there. No anti-virus software is going to be 100% accurate or aware of the latest viruses. According to an estimate on CNN.com, there are 1 million new threats released each day. That’s pretty much impossible to keep up with in any proactive way.

So, How Do I Protect My Website, Then?

There are never any guarantees. Your best defense is to:

1. Keep WordPress & Its Plugins Up to Date

Most sites are hacked because of people running outdated software on their website.

WordPress and its plugins release security updates regularly. By the time these are published, the security flaw is well known and usually documented online—literally giving people an instruction manual on how to break into or damage any website which has the outdated software. By keeping your WordPress installation up to date, you prevent a lot of these simple hacks from happening. It’s not bullet-proof, but goes a long way.

2. Use an SSL (Secure) Hosting Plan

SSL hosting can prevent a number of attacks that revolve around impersonation, hijacking of user accounts, and man-in-the-middle attacks. It does this by encrypting all of the information sent between the visitor and the website. Without it, anything sent back and forth is delivered in plain text over the Internet, such as your password when you log in to edit your website. SSL provides a good basic defense against a number of rudimentary (and some more complex) attacks, but should not be relied on as a sole solution.

3. Back Up!

The single best defense you have against hacking is making regular backups of your website and its data. There’s no such thing as “100% Secure” and even with the most up-to-date software, the site could be compromised. So your best defense is to have a backed-up, clean copy of the website you can restore to.
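A backup routine of the kind described above, as an added example that is not code from the original article or from nine10: it archives a WordPress directory, records a checksum, verifies the archive, and keeps only the newest few copies. The function names, paths and retention count are assumptions, and the database export runs only if WP-CLI (`wp`) is installed.

```bash
#!/usr/bin/env bash
# Added example (not the host's own tooling): dated backups with a rolling archive.
# Assumptions: BACKUP_DIR sits outside the web root; WP-CLI ("wp") is optional.

# backup_site SITE_DIR BACKUP_DIR [STAMP] -> prints the path of the new archive
backup_site() {
    local site_dir="$1" backup_dir="$2" stamp="${3:-$(date +%Y%m%d-%H%M%S)}"
    local name="site-$stamp.tar.gz" dump=""
    mkdir -p "$backup_dir" && chmod 700 "$backup_dir" || return 1
    # Export the database to a private temp dir (never into the web root,
    # where a .sql file could be downloaded) when WP-CLI is available.
    if command -v wp >/dev/null 2>&1 && [ -f "$site_dir/wp-config.php" ]; then
        dump=$(mktemp -d) || return 1
        wp db export "$dump/database.sql" --path="$site_dir" >/dev/null || return 1
        tar -czf "$backup_dir/$name" -C "$site_dir" . -C "$dump" database.sql || return 1
        rm -rf "$dump"
    else
        tar -czf "$backup_dir/$name" -C "$site_dir" . || return 1
    fi
    # Record a checksum so a corrupted or truncated archive is caught before restore.
    ( cd "$backup_dir" && sha256sum "$name" > "$name.sha256" ) || return 1
    echo "$backup_dir/$name"
}

# verify_backup ARCHIVE -> status 0 only if the checksum matches and tar can read it
verify_backup() {
    local dir name
    dir=$(dirname "$1"); name=$(basename "$1")
    ( cd "$dir" && sha256sum -c "$name.sha256" ) >/dev/null 2>&1 &&
        tar -tzf "$1" >/dev/null 2>&1
}

# rotate_backups BACKUP_DIR KEEP -> deletes all but the newest KEEP archives and
# prints how many remain. Timestamped names sort oldest to newest.
rotate_backups() {
    local backup_dir="$1" keep="$2" old
    ls -1 "$backup_dir"/site-*.tar.gz 2>/dev/null | sort -r | tail -n +"$((keep + 1))" |
    while IFS= read -r old; do
        rm -f -- "$old" "$old.sha256"
    done
    ls -1 "$backup_dir"/site-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}
```

Run `backup_site`, `verify_backup` and `rotate_backups` in that order from a daily cron job, and copy the archives off the web server so a compromise of the site does not also reach the backups.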

What Happens if My Site Gets Hacked?

If you have a back-up, it’s easy to restore. Then we can investigate and find out how to prevent it from happening again.

Without a backup, you could be hooped. At minimum, it may mean an expensive bill to clean up the site and restore it back online. Some information may be lost forever (like pages, posts and info you entered into the website yourself – it will have to be re-created manually.) In some cases, the hack may be so extensive that the cost of cleaning it up would exceed the cost of building a new site. Or it may be so bad that it would be too risky to publish the site online again.

Website Protection Plans & SSL Hosting

If you have a website with nine10, or are planning to build one with us, ask us about our Website Protection Plan and SSL Hosting:

  • Our Website Protection Plan is an add-on to your hosting that offers automated daily security updates for WordPress, and a daily backup with a rolling archive of your website. The updates help prevent security breaches in the first place, and if something does happen, we can restore from backups and get the site back online.
  • Our SSL Hosting Plans protect your website by encrypting the information sent between it and a visitor. This helps protect your login information when you log in to edit your site, and can prevent or impede a number of other potential threats.

Protect the investment you’ve made into your website and have more peace of mind!