Secure Computing

Secure Computing Resources to ensure your Technology Environment stays secure, increasing reliability, stability, and brand confidence.

How to Protect a WordPress Site from Hackers

Tips on how to protect a WordPress site from getting hacked, including recommended security plugins.

How to Protect your wordpress Website from Hackers

WordPress is a frequent target for hacking. Hackers are targeting the theme, the core WordPress files, plugins and even the login page. These are the steps to take to make it less likely to be hacked and to be able to recover easier if it should still happen.

How Hackers Attack WordPress

All sites on the web are under constant attack, whether it’s a phpBB forum or a WordPress site, all sites are being probed by hackers. It’s not unusual for a hacker to scan thousands of pages or try to login in hundreds of times a day.

And that’s just one hacker. Sites are under attack by several hackers at the same time.

Typically it’s not a person who is trying to hack you. Hackers employ automated software to crawl the web to probe for specific weaknesses on the website.

These automated software programs crawling the web are called bots. 

Protect Your WordPress Site with a Firewall

A firewall is a software program that blocks an intruder. One of the best WordPress firewalls is a plugin called Wordfence.

What Wordfence does is to check if a website visitor’s behaviour matches that of an abusive bot. If the bot breaks certain rules, like asking for too many web pages in a short amount of time, Wordfence will then automatically block the bot.

Wordfence is also programmed to allow legitimate bots like Google and Bing on the site.

There are advanced features that let a publisher see what bots are attacking a site and to view where the bot is coming from, like if it’s a bad bot coming from Amazon Web Services or Bluehost for example and then give you the ability to block the bot by their IP address, the entire IP address range or even by the fake user agent that the bot is using.

Some bots pretend to be a person on Windows XP. So you can actually block all visitors with a user agent that displays Windows XP and stop those bots automatically. We know that most legitimate people using computers or mobile devices today are not using Windows XP.

With one rule that a publisher creates with Wordfence, they can block thousands of hackers. Wordfence is a powerful tool on its own but some of the advanced features allows you to block even more hackers. And that’s with the free version of Wordfence.

The paid version can block entire countries. So if you don’t have legitimate site visitors from certain countries, you can block every visitor that’s coming from those countries.

Additionally, the paid version of Wordfence will protect you in advance from many compromised themes and plugins before those plugins are fixed.

Once Wordfence researchers are aware of an exploit they will update their paid users to give them protection from those exploits, usually well before the exploit is patched by the compromised theme or plugin developer.

Limit Logins to Your Site

WordFence is able to block bots that are repeatedly filling in user names and passwords in the WordPress login page.

But if you want to focus on limiting those logins, there is a plugin called, Limit Login Attempts Reloaded that allows publishers to automatically block all hackers who enter a set number of failed names and password combinations. For example, you can set it to block hackers after three attempts to guess the password. This style of attack is commonly referred to as a Brute-Force attack. 

Backup Your WordPress Site

It is important to automatically create a daily backup of your website. Any catastrophic event that takes the site down can be recovered from with a backup.

There are many backup solutions but the one that I have found to be immensely useful is called UpdraftPlus WordPress Backup Plugin. UpdraftPlus is trusted by over two million users, it’s a well regarded choice.

It can be configured to email the backups every day or send them to a cloud storage location like Dropbox.

I once accidentally removed all the theme layout files from a site, completely removed the look of the site. But I was able to restore the site to exactly how it was before by using an UpdraftPlus backup. It was easy to do and I was so thankful.

Update all Themes and Plugins

It’s important to always update all themes and plugins. WordPress provides a way to update all plugins automatically, which is convenient for publishers or businesses who don’t log in and do updates often.

By enabling the auto-update feature a publisher can be assured of having the most up-to-date software. Having an out of date plugin is one of the leading causes of being hacked.

There are reasons not to enable the auto-update feature, but the negatives tend to happen rarely. For example, an updated plugin might be incompatible with other plugins.

But for sites that don’t change frequently, the auto-update feature is probably a good thing to enable.

Beware of Abandoned Plugins

A final warning about abandoned plugins. Some plugins can continue to work years after they’ve been abandoned by their developer. What can happen is that these old plugins may contain a vulnerability. But because they are abandoned, it will never get fixed, the developer is no longer working on any security or feature updates.

Another issue is that hackers sometimes buy old plugins and update them with malware and viruses.

Check all your WordPress plugins to make sure that they have not been abandoned and appear to be updated on a fairly frequent basis.

Protect Your WordPress Site from Hackers

For many sites, simply taking these small steps to secure a website is enough to keep the sites from getting hacked. The free versions of these plugins provide an extraordinary amount of protection and the premium versions give even more protection.

There are many security type plugins and some of those have actually contained vulnerabilities themselves. Wordfence and Sucuri are in my opinion top choices for WordPress security.