Even with all of the security improvements to personal computers, servers, and web browsers in recent years, websites can still be hacked. A hacked website can spell disaster for a company. It can result in the loss of customers' personal data, stolen credit cards, a damaged reputation, a website and/or email address getting blacklisted, visitors' computers getting infected, and more. These catastrophes can deal quite the blow to profits.
Preventing a website from getting hacked isn’t glamorous or the most enjoyable task, but it is very important. Thankfully, it’s quite easy.
Keep WordPress and WordPress Plugins up to Date
Probably the most common point of entry for a hacker is known exploits of old plugins or versions of WordPress. The Automattic team does a great job of patching WordPress, and most popular plugins are also very on the ball. However, that means nothing if your version of WordPress hasn’t been updated in two years. Not only are you missing out on many new amazing features and improvements, but your site is very vulnerable to attack.
There’s little excuse for having an out of date WordPress install or plugins. Updating is all done in one place with a single click. Just make sure to get a backup before updating and check the site’s important functions after the update. These days updates breaking websites are few and far between, but they do happen.
Strong Passwords, for both WordPress and Your Computer
Another common entry point for hackers is poor passwords. Using a common password, or a short password, or even a password without special characters, numbers, or uppercase and lowercase characters greatly increases the chances of getting hacked. According to a study from WP Engine, “using the top 10 passwords, a hacker could, on average, guess 16 out of 1,000 passwords.”
Not only is it important for your WordPress account password to be secure, but your computer's password should be a good one as well. A strong account password means nothing if a hacker is able to get onto your computer and use a keylogger.
Security Plugins
However, without preventing “brute force attacks,” a strong password means nothing. Brute force attacks are when hackers use a script to try logging in with thousands of password combinations until one works. Lockdown WP Admin, Brute Force Login Protection, and Acunetix WP Security are three excellent plugins that address this and other weaknesses. Since they’re free turnkey solutions, there’s no reason not to use them.
Quality Web Host
A quality web host is very important, especially when on a shared hosting environment. If your server is out of date, poorly monitored, or hosts out-of-date websites, it is possible for hackers to gain access to the server, and then gain access to your website. Some web hosts, like WP Engine, will force-update WordPress and plugins (with advance notice) that have critical security flaws. Not only does this directly keep your site more secure, but it indirectly keeps your site secure by keeping the server secure. On top of that, quality web hosts often offer additional security measures like constant server monitoring, site scans, brute force attack protection, file permission management, and other services – all dependent on the web host though.
HTTPS
Having HTTPS is extremely easy, and quite cheap these days. HTTPS is simply a requirement if your website handles credit card information. Even if it doesn’t, HTTPS is very useful to have. It even provides a boost to your Google search engine rankings!
2 Factor Authentication
“2 Factor Authentication” is one of the best ways to keep a website secure. This technique involves sending users an email or text message with an authentication code in order to log in. That way, in order to gain access to an account, a hacker would have to obtain both the account password and access to your email address or physical phone.
ManageWP offers both email and text message 2 Factor Authentication. There are also many WordPress plugins that offer 2 Factor Authentication if ManageWP isn’t a service you need.
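To make the mechanism concrete, here is an added example (not ManageWP's or any plugin's code) of the server side of emailed or texted login codes: a code is issued, stored only as a salted hash with an expiry and an attempt budget, and verified with a constant-time comparison, after which it is single-use. The class name, the five-minute lifetime and the five-attempt limit are choices made for the example; delivery by email or SMS is left to whatever gateway the site uses.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # example choice: a code is valid for five minutes
MAX_ATTEMPTS = 5         # example choice: five wrong guesses burn the code


class OneTimeCodeStore:
    """Issues and verifies single-use login codes delivered out of band.
    `clock` is injectable so expiry can be tested without sleeping."""

    def __init__(self, clock=time.time):
        self._clock = clock
        # user_id -> [digest, salt, expires_at, attempts_left]
        self._pending = {}

    def issue(self, user_id):
        """Create a fresh 6-digit code for user_id and return it for delivery.
        Only a salted SHA-256 of the code is kept; the caller hands the plain
        code to the email/SMS gateway and must not log it."""
        code = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        digest = hashlib.sha256(salt + code.encode()).digest()
        self._pending[user_id] = [digest, salt, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, user_id, submitted):
        """Return True once for the correct, unexpired code; False otherwise.
        Every failure consumes one attempt; expiry or exhaustion discards the code."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest, salt, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[user_id]
            return False
        entry[3] -= 1
        candidate = hashlib.sha256(salt + submitted.encode()).digest()
        # Constant-time comparison so response timing does not leak matching prefixes.
        if hmac.compare_digest(candidate, digest):
            del self._pending[user_id]      # single use: a replayed code fails
            return True
        if entry[3] == 0:
            del self._pending[user_id]      # budget exhausted: user must request a new code
        return False


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("alice")
    print("would send code by email/SMS:", code)
    print("wrong guess accepted?", store.verify("alice", "000000" if code != "000000" else "000001"))
    print("right code accepted?", store.verify("alice", code))
    print("replay accepted?", store.verify("alice", code))
```

The attempt budget matters as much as the code itself: a six-digit code has only a million possibilities, so without a cap the second factor could be brute-forced just like the password it is meant to back up. Tie the code to a session or login nonce as well, so a code issued for one login attempt cannot be submitted against another.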
Security Scans
There are a variety of subscription based services that provide regular security scans to uncover vulnerabilities and malicious injections. VaultPress and Sucuri are two fantastic services with many excellent preventative and recovery features. If you deal with hacking attempts on a regular basis, or your website is the cornerstone of your business, a security service like this is all but a must.
Secure wp-config.php and .htaccess
Only modify .htaccess and wp-config.php if you are comfortable editing code. If you do modify these two files, ALWAYS make a backup. Incorrectly modifying .htaccess or wp-config.php can break your entire website.
Adding the following to .htaccess is a quick and easy way to add additional security and levels of protection.
# Block the include-only files.
RewriteEngine On
RewriteBase /
# Forbid direct requests into wp-admin's include-only directory.
RewriteRule ^wp-admin/includes/ - [F,L]
# Requests that are not under wp-includes/ skip the next three rules.
RewriteRule !^wp-includes/ - [S=3]
# Forbid PHP files directly under wp-includes/, TinyMCE language files, and theme-compat.
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
as well as the following, which blocks direct web requests to wp-config.php:
<files wp-config.php>
order allow,deny
deny from all
</files>
Just be sure to make all .htaccess modifications outside of the “# BEGIN WordPress” and “# END WordPress” markers, since WordPress rewrites that block when permalink settings are saved.
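It is worth checking what those rewrite rules actually do before deploying them, especially the `[S=3]` skip, which is easy to misread. The following is an added example (not code from the post, and not Apache itself) that transcribes the five RewriteRule lines above into Python and walks them the way mod_rewrite does for a single request, so you can see which paths get a 403. It is a simplified model: only the F and S flags are implemented, there are no RewriteCond lines, and the path is assumed to be relative to the site root, which is what a per-directory rule with `RewriteBase /` matches against.

```python
import re

# The RewriteRule directives from the section above, transcribed as
# (pattern, negated, flags). F = answer 403 Forbidden; S=n = skip the
# next n rules when this rule matches. Transcription is part of the example.
HARDENING_RULES = [
    (r"^wp-admin/includes/", False, {"F": True}),
    (r"^wp-includes/", True, {"S": 3}),
    (r"^wp-includes/[^/]+\.php$", False, {"F": True}),
    (r"^wp-includes/js/tinymce/langs/.+\.php", False, {"F": True}),
    (r"^wp-includes/theme-compat/", False, {"F": True}),
]


def evaluate(path, rules=HARDENING_RULES):
    """Model mod_rewrite walking `rules` for one request.
    `path` is relative to the site root, without a leading slash.
    Returns 403 if a rule forbids the request, else 200."""
    i = 0
    while i < len(rules):
        pattern, negated, flags = rules[i]
        # A '!' rule counts as matched when the pattern does NOT match.
        matched = bool(re.search(pattern, path)) != negated
        if matched:
            if flags.get("F"):
                return 403
            i += flags.get("S", 0)      # skip the next n rules
        i += 1
    return 200


def audit(paths, rules=HARDENING_RULES):
    """Evaluate many paths at once; returns {path: status}."""
    return {p: evaluate(p, rules) for p in paths}


if __name__ == "__main__":
    # Constructed sample requests: a mix of things the rules should and
    # should not block.
    for path, status in audit([
        "wp-admin/includes/file.php",
        "wp-includes/load.php",
        "wp-includes/js/jquery/jquery.js",
        "wp-includes/js/tinymce/langs/en.php",
        "wp-includes/theme-compat/comments.php",
        "wp-content/plugins/some-plugin/admin.php",
    ]).items():
        print(f"{status} {path}")
```

Run it and the point of the skip rule becomes clear: anything outside wp-includes/ jumps straight past the three wp-includes rules, while static assets such as jquery.js inside wp-includes/ still pass because only `.php` files and the theme-compat directory are forbidden. If you change a pattern, re-running the model on a handful of real paths from your access log is a cheap way to catch a rule that would 403 something the site needs.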
Adding the following to wp-config.php will prevent the editing of files from within the WordPress dashboard.
define('DISALLOW_FILE_EDIT', true);
Regular Backups
No preventative measure is foolproof. Sometimes things get through the cracks. Should this happen, backups are critical. They are often the only way to confidently clean out malicious code.
There are many WordPress plugins for backing up websites. Most web hosts, especially the quality ones, also offer automatic backups. However, make sure that the backups are stored in a different location. Backups stored on the same server as your website are almost completely useless. Similarly, security scanning services like the previously mentioned VaultPress and Sucuri include backups.