Around the world and here in Australia, more and more WordPress-based web sites are getting hacked and compromised. This often results in sites being defaced and/or malicious software being installed to send spam or distribute viruses and malware to site visitors.
For business owners, web developers and hosting companies, hacked and compromised WordPress-based sites have become a steadily increasing problem.
Why is this?
With WordPress now being the most popular web site development and CMS platform in the world – with over 60 MILLION users – it is a highly attractive target for hackers.
Hacking an insecure WordPress site is also not very difficult, and there are many automated tools out there to find and detect insecure sites.
With the Internet being such an important part of modern business processes, web site and I.T. security is fast becoming a priority.
So how are sites “hacked”?
1) The number one reason a WordPress site gets hacked is due to site owners failing to update or maintain their WordPress software installations.
Once a security flaw is discovered in either the core WordPress software or installed “plug-ins”, it must be “patched” and upgraded to close the hole that allows a site to be compromised.
The problem here is that many WordPress site owners don’t often check their installation for upgrades, or ask for assistance if they notice an upgrade is available.
Often it is the Web Developer who is expected to maintain their site and software, though without a formal agreement or regular WordPress maintenance service provided, this “expected” maintenance is often not performed.
This type of “non-maintenance” hack is usually seen with cheap overseas or “fly by night” operators.
If you have a WordPress site, make sure you are either maintaining upgrades or have a service provider that is maintaining your site software and security.
Cyanweb provide WordPress Security Services and can monitor and maintain your WordPress installation, keeping your site backed up and secure from threats.
2) The second most often exploited hack point is directly via malicious code, backdoors, insecure themes or plug-in extensions that were installed either by a developer, by the site owner after development or by anyone who had Administrative access to the site at any point in time.
Inexperienced developers or site admins will often install whatever they find online that promises to do what they want on WordPress. This is a dangerous practice, as often a hack script or backdoor is installed onto a site without the owner even knowing it.
Be sure you know and trust your developer, marketing or SEO provider, as well as the “plugin” or “theme” provider, before installing. The fewer “plug-ins” your site uses, the more secure your site will be… Only supply your site logins to a trusted third party, as once they have had admin access – they can do anything to your site with a backdoor installed, even if you change all your passwords and delete their user accounts.
Cyanweb provide maintenance and security for WordPress based sites and can inspect your WordPress installation for potential security threats as needed.
3) The third, though less common hack is simply “brute force” hacking of an insecure administrator account.
This happens when online hacker “bots” attack a WordPress login page with millions of combinations of usernames / passwords – though generally they go after the username “admin”.
Never use a simple password for administrative accounts! All passwords should have a combination of letters, numbers and symbols and be at least 9-14 characters long.
If your WordPress site has a username of “admin” or “wpadmin” on it, be sure to request your developer to change that as soon as possible!
If your developer is no longer available, Cyanweb can help you regain control of your site and services.
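The brute-force pattern described above shows up plainly in the web server access log long before a login succeeds, and the password rule above can be checked mechanically. The following is an added example (not code from the original article or from Cyanweb) that flags client addresses hammering wp-login.php and tests a password against the stated policy. It assumes the usual WordPress behaviour that a failed login re-renders the login form with HTTP 200 while a successful one answers with a 302 redirect, and it runs over a handful of constructed log lines in the common “combined” format; the addresses are documentation ranges, not real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:13:55:01 +0800] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:13:55:02 +0800] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:13:55:03 +0800] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:13:55:04 +0800] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:13:55:05 +0800] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:13:55:06 +0800] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2015:14:02:10 +0800] "GET /wp-login.php HTTP/1.1" 200 2910 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2015:14:02:25 +0800] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2015:14:02:40 +0800] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2015:14:10:00 +0800] "GET / HTTP/1.1" 200 15210 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def login_failures(log_text):
    """Map client IP -> sorted timestamps of failed wp-login.php POSTs.

    Assumption: a failed WordPress login re-renders the form (200), a
    successful one redirects (302), so only 200 responses count as failures.
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash
        is_login_post = (
            m["method"] == "POST"
            and m["path"].split("?")[0] == "/wp-login.php"
            and m["status"] == "200"
        )
        if is_login_post:
            failures[m["ip"]].append(
                datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            )
    return {ip: sorted(times) for ip, times in failures.items()}


def _max_in_window(times, window):
    """Largest number of events falling inside any sliding window."""
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_brute_force(log_text, threshold=5, window_seconds=60):
    """Return {ip: failures_in_window} for addresses at or above the threshold."""
    window = timedelta(seconds=window_seconds)
    return {
        ip: n
        for ip, times in login_failures(log_text).items()
        if (n := _max_in_window(times, window)) >= threshold
    }


def meets_policy(password, min_length=9):
    """Check the article's rule: letters, numbers and symbols, at least 9 characters."""
    return (
        len(password) >= min_length
        and any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )


if __name__ == "__main__":
    for ip, n in find_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins within 60 s")
```

Run against a real log, the flagged addresses are the ones a web application firewall or a login-lockout plug-in should be rate limiting; the one real user in the sample (one failure, then a 302) is not flagged, which is the false-positive case a threshold and window are there to avoid.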
What WordPress security is available?
There are generally 2 levels of WordPress security – server level and installation level.
At the server level, intrusions and hacker activity can be detected and blocked using web application firewalls such as ModSecurity, and file scanning software can detect known hacker scripts installed on the hosted site.
While effective under certain circumstances, server level security can only do so much to protect a WordPress site. If a web site is hackable at the installation level, generally there is little that can be done at the server level except to identify a hacked site after it has already been compromised.
At the installation level there are 3rd party plug-ins available that will scan and protect your site in various ways – though these should always be managed by an experienced WordPress security expert.
WordPress security plug-ins can provide varying levels of security: from blocking brute force attacks, notifying you when software updates are available, to automatically running updates.
Do keep in mind that software updates can break parts of site coding – not always visibly on the front-end. It is always advised to have an experienced WordPress administrator help manage your updates. An experienced WordPress developer can test code and fix any problems that may arise. Always back up your WordPress site before running any software upgrades.
NOTE: just installing a “security” plug-in won’t stop hackers and does not mean your site is secure. Experienced hackers will install backdoor software on WordPress sites that can only be detected through human forensic investigation of site files.
What do I do if I’ve been hacked?
Unless you are a WordPress security expert or experienced web developer you are going to need help repairing your hacked site. Hosting companies will generally shut down a compromised site, often without any notification to the site owner, as a hacked site represents a risk to the server performance and reputation online.
Repairing a hacked WordPress installation often requires human forensic analysis of all site files in combination with automated scanning software used to “clean” a hacked site.
This can be a time consuming and expensive process, especially if your site has many customisations or plug-ins being used.
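The server-level file scanning mentioned earlier and the forensic file analysis described in this section both come down to two things: looking for code that has no business being where it is, and finding files that changed since a known-good state. The following is an added example (not Cyanweb's tooling, nor code from the article) that does both over a constructed miniature WordPress tree: it flags PHP files inside wp-content/uploads, matches a couple of common backdoor constructs, and compares a SHA-256 manifest taken while the site was clean against the current files. The signatures, directory names and sample files are all assumptions chosen for the demonstration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristic signatures for PHP constructs that rarely belong in a plug-in or
# theme but are typical of injected backdoors. A hit is a lead for a human
# reviewer, not proof of compromise, and purpose-built obfuscated malware will
# slip past them, which is why the article insists on forensic review.
SUSPICIOUS_PATTERNS = [
    (re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
     "eval() of a decoded payload"),
    (re.compile(rb"(?:eval|assert|system|passthru|shell_exec)\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b"),
     "code or shell execution fed directly from request input"),
]

UPLOADS_DIR = Path("wp-content") / "uploads"
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}


def scan_tree(root):
    """Return {relative_path: [reasons]} for files that warrant a closer look."""
    root = Path(root)
    findings = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        reasons = []
        if path.suffix.lower() in EXECUTABLE_SUFFIXES:
            # The uploads directory should only ever hold media.
            if rel.parts[:2] == UPLOADS_DIR.parts:
                reasons.append("PHP file inside wp-content/uploads")
            data = path.read_bytes()
            for pattern, why in SUSPICIOUS_PATTERNS:
                if pattern.search(data):
                    reasons.append(why)
        if reasons:
            findings[rel.as_posix()] = reasons
    return findings


def build_manifest(root):
    """SHA-256 of every file, keyed by path relative to the site root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def diff_manifest(baseline, current):
    """Files added, removed or modified since the baseline manifest was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys()
                          if baseline[k] != current[k]),
    }


def _write(root, rel, content):
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(content)


def build_sample_site(root):
    """Constructed miniature WordPress tree in its clean state (not a real install)."""
    _write(root, "wp-includes/version.php", b"<?php\n$wp_version = '4.1';\n")
    _write(root, "wp-content/plugins/hello/hello.php", b"<?php\necho 'Hello';\n")
    _write(root, "wp-content/uploads/2015/03/photo.jpg", b"\xff\xd8\xff\xe0 constructed, not a real jpeg")


def compromise_sample_site(root):
    """Constructed changes standing in for what an intruder leaves behind."""
    # The base64 string simply decodes to "echo 1;"; it is the construct, not the payload, that matters.
    _write(root, "wp-content/uploads/2015/03/image.php",
           b"<?php eval(base64_decode('ZWNobyAxOw==')); // decodes to: echo 1;\n")
    _write(root, "wp-includes/version.php", b"<?php\n$wp_version = '4.1';\n// injected line\n")


def demo():
    """Build the clean tree, take a baseline, alter it, then scan and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        baseline = build_manifest(tmp)
        compromise_sample_site(tmp)
        return scan_tree(tmp), diff_manifest(baseline, build_manifest(tmp))


if __name__ == "__main__":
    findings, changes = demo()
    for path, reasons in findings.items():
        print(f"{path}: {'; '.join(reasons)}")
    print(changes)
```

The manifest comparison is the part that catches what signatures miss: the edited version.php contains nothing suspicious on its own, yet it shows up as changed, and that is the list a reviewer then reads by hand. On a real site the baseline would be taken right after a clean install or clean-up and stored off the server, since an intruder with file access can otherwise alter it too.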
What does it cost to fix a hacked WordPress site?
Typical site clean-up fees after a WordPress hack are around $300-$500 depending on the complexity of the site theme, number of plugins and core code customisations made.
Prevention is better than cure: Cyanweb WordPress Security & Maintenance services start from $55 / year if your site is hosted on our servers.
If you have a WordPress based web site and need help or would like to enquire about our WordPress Security & Maintenance services please contact us.