This short series has looked at both how and why a WordPress website may have been hacked, so in this last part we will look at what can be done to prevent a hack occurring in the first place, or a reoccurrence. If your site has recently been hacked, the first thing is to get the hack cleaned up, but what measures can you put into place to prevent this occurring again?
Nothing is watertight
The first thing to understand about website security is that there is no such thing as a totally secure website. For proof look at any one of the many high profile hacks that have taken place. In many instances, the companies that are the victims of these attacks have multiple layers of security in place on their sites. If these sites are vulnerable, just about any website on the internet is. Ultimately, website security is a balancing act: a site needs to allow enough access to perform the functionality needed to make the site useful to its users, whilst not leaving security holes that can be exploited.
Security through obscurity
One of the most common approaches to website security, particularly when using a common CMS platform such as WordPress, is security through obscurity. It’s a fairly easy concept to grasp and essentially involves moving/hiding some of the more common aspects of a website that can reveal information useful to a hacker or provide access to the site. Good examples of this principle would be:
- Removing a default ‘about’ page that is accessible to the public and reveals the version number of the CMS being used
- Moving the default login page to another location
- Not using default login credentials (such as a username of ‘admin’)
It’s fairly obvious from the list that avoiding defaults, be that username or any other setting, is one decent method of deterring hackers. An example of how the above might work in a real-world scenario could play out in one of two ways:
- Site A hasn’t removed any of the default settings and the site’s owner logs in with the username ‘admin’. A hacker’s script lands on the site and discovers the default ‘about’ page, which reveals the CMS and platform that the site is using. It logs this and later returns, immediately trying the default login page (i.e. /wp-login.php) with the username ‘admin’. After several unsuccessful attempts, the hacker finally gains access with a common password.
- Site B has implemented all three tactics. A script visits the site and somehow determines the CMS the site is using via another method, but does not know which version of the CMS is being used and therefore cannot attempt to break into the site via a vulnerability that exists only on certain versions. Another script is programmed to try to log in through brute-force guessing of admin credentials, but cannot find the login page and would still have to work out the username and password even if it did.
Clearly, Site B is much more resilient to an automated attack simply through the fact it has not relied upon default settings.
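The Site A sequence (fetch the version-revealing page, come back, hammer the default login page) leaves a recognisable trail in the web server’s access log, and spotting it is how an owner finds out a guessing attack is under way before it succeeds. The script below is an added example written for this post, not code from the original article. It assumes the Apache/nginx “combined” log format and the stock WordPress behaviour that a failed login re-renders the form with HTTP 200 while a successful one answers with a 302 redirect; the log lines in SAMPLE_LOG are constructed, and the thresholds are arbitrary starting points.

```python
"""Detect the "Site A" pattern in web server access logs: a client fetching the
default readme page and then repeatedly POSTing to /wp-login.php.

Added example (not from the original post). Assumes the Apache/nginx
"combined" log format; SAMPLE_LOG is constructed data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/wp-login.php"
README_PATH = "/readme.html"   # default WordPress page that states the version

# Constructed sample: one scripted client, one ordinary user logging in once.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2019:14:01:02 +0000] "GET /readme.html HTTP/1.1" 200 7278 "-" "python-requests/2.21"
203.0.113.7 - - [10/Mar/2019:14:05:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3482 "-" "python-requests/2.21"
203.0.113.7 - - [10/Mar/2019:14:05:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3482 "-" "python-requests/2.21"
203.0.113.7 - - [10/Mar/2019:14:05:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3482 "-" "python-requests/2.21"
203.0.113.7 - - [10/Mar/2019:14:05:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3482 "-" "python-requests/2.21"
203.0.113.7 - - [10/Mar/2019:14:05:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3482 "-" "python-requests/2.21"
203.0.113.7 - - [10/Mar/2019:14:05:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.21"
198.51.100.4 - - [10/Mar/2019:14:06:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2019:14:06:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 15234 "https://example.com/wp-login.php" "Mozilla/5.0"
""".splitlines()


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # ignore the query string
    return rec


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_login_abuse(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: summary} for clients with >= `threshold` login POSTs inside `window`.

    Stock WordPress answers a failed login with 200 (form re-rendered with an error) and
    a successful one with a 302 redirect, so a run of 200s followed by a 302 from the same
    client is the signal that password guessing may have worked.
    """
    posts = defaultdict(list)   # ip -> [(time, status), ...]
    recon = set()               # ips that fetched the version-revealing readme
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "GET" and rec["path"] == README_PATH:
            recon.add(rec["ip"])
        elif rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            posts[rec["ip"]].append((rec["time"], rec["status"]))

    flagged = {}
    for ip, events in posts.items():
        events.sort()
        if max_in_window([t for t, _ in events], window) < threshold:
            continue
        statuses = [s for _, s in events]
        failures = statuses.count(200)
        # a redirect that comes after at least one failure suggests a guessed password
        after_first_failure = statuses[statuses.index(200) + 1:] if 200 in statuses else []
        flagged[ip] = {
            "attempts": len(events),
            "failures": failures,
            "possible_success": 302 in after_first_failure,
            "fetched_readme": ip in recon,
        }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_login_abuse(SAMPLE_LOG).items():
        print(ip, summary)
```

Run against a real log with `find_login_abuse(open("/var/log/apache2/access.log"))`. The user at 198.51.100.4 logs in once and is ignored; 203.0.113.7 is reported with five failures, a final redirect (so the account and password should be treated as compromised and rotated) and the readme fetch that preceded it. Moving the login page or removing readme.html, as the post suggests, turns the first two steps of that trail into 404s, which are just as easy to alert on.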
A multi-faceted approach
The above example is the most basic approach to security on the front-end, but it is not a complete approach to security. The best solution is to tackle security on multiple fronts: having strong user credentials but outdated software will not prevent the site becoming vulnerable through an unpatched plugin, and vice versa. The specific approach required varies depending on the site and functionality needed, but a decent starting point for most sites would include:
- Set the WordPress core, theme and plugins to auto-update. Some users fear that this will break their site, but it is often much easier to fix a broken visual element than a hacked site!
- Use plugins such as Wordfence to detect file changes to core/plugin files and immediately alert the site owner
- Harden the site against common vulnerabilities
- Hide/change default settings
- Keep your computer virus free
- Consider two-step authentication and/or a password manager
- Make sure the site’s host is reputable (and not just cheap!)
- Remove old WordPress installations from the same account
- Choose a unique username and strong password
- Consider using a service such as Cloudflare for additional security
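The file-change alerting in the second point is simple to reason about once you see the mechanism: record a hash of every core and plugin file, and later hash them again and diff. The script below is an added example written for this post; it is not code from the original article or from Wordfence. The excluded directories, the checksum file location and the miniature install that `demo()` builds in a temporary directory are all assumptions made for the illustration.

```python
"""Baseline-and-diff file integrity check for a WordPress install.

Added example (not from the original post or from Wordfence). Directory
names in EXCLUDE_DIRS and the fake install built by demo() are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Directories that legitimately change all the time and would only generate noise.
EXCLUDE_DIRS = {"wp-content/uploads", "wp-content/cache"}


def file_sha256(path):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Return {relative_path: sha256} for every file under root, skipping EXCLUDE_DIRS."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(rel == d or rel.startswith(d + "/") for d in EXCLUDE_DIRS):
            continue
        baseline[rel] = file_sha256(path)
    return baseline


def compare(baseline, current):
    """Diff two baselines into sorted lists of added, removed and modified paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def save_baseline(baseline, path):
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Build a tiny fake install, baseline it, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        baseline_file = Path(tmp) / "baseline.json"   # kept outside the web root
        (site / "wp-includes").mkdir(parents=True)
        (site / "wp-content" / "plugins" / "demo").mkdir(parents=True)
        (site / "wp-content" / "uploads").mkdir()
        (site / "wp-config.php").write_text("<?php // constructed config\n")
        (site / "wp-includes" / "version.php").write_text("<?php $wp_version = '0.0';\n")
        (site / "wp-content" / "plugins" / "demo" / "demo.php").write_text("<?php // plugin\n")
        save_baseline(build_baseline(site), baseline_file)

        # Simulated changes: one core file edited, one plugin file removed, one file
        # dropped into the plugin directory, and one ordinary upload (ignored).
        (site / "wp-includes" / "version.php").write_text("<?php $wp_version = '0.0'; eval_stub();\n")
        (site / "wp-content" / "plugins" / "demo" / "demo.php").unlink()
        (site / "wp-content" / "plugins" / "demo" / "extra.php").write_text("<?php // unexpected\n")
        (site / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff")

        return compare(load_baseline(baseline_file), build_baseline(site))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run `build_baseline` straight after a clean install or update and `compare` from cron, emailing any non-empty result. Two caveats matter in practice: the baseline must live somewhere the web server cannot write (anyone who can alter your PHP files can also rewrite a checksum file stored beside them), and for the core files you can skip the baseline entirely and check against the checksums WordPress publishes, which is what `wp core verify-checksums` in WP-CLI does.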
The worst case scenario
These suggestions are just a starting point, but should help to make your site quite an unattractive target for most hackers and automated tools. That said, it’s possible that all of these tactics could be deployed yet the site still falls victim to a hack of some sort. The only way to be truly prepared for this scenario is to have an automated regular backup schedule in place that will allow you to roll back your site should the worst happen.
SSL certificates have been a bit of a hot topic recently as Google started marking non-https sites as ‘insecure’. However, it’s worth pointing out that SSL certificates are in no way a solution to the security issues discussed in these three posts. These certificates only protect the data while it’s in transit between a visitor’s browser and your server – they do not provide any security benefit against a hack. For more information, this blog post discusses SSL certificates, including what they are and are not and why you might want to acquire one for your site.
Want to secure your site? Need help? Been hacked?
If you’re looking to secure your WordPress site or have any questions about the techniques discussed and how to implement them, get in touch to find out how I might be able to help.