I bet you’ve heard in the news or from a friend that WordPress websites have a vulnerability that lets hackers take over a website. Why are WordPress sites hacked more? I’m not going to sugar coat this. This is most likely true. But like any clickbait news headline, the real story is hidden in the fine print.
WordPress has 54% of the market when it comes to content management system (CMS) websites. The next one after it is WIX with 7%. In other words, WordPress is very popular. Think of what happens when you become popular: like a celebrity who is always in the news, the more popular you are, the more the world focuses on you. It is the same with WordPress.
It’s easy to understand why WordPress is so popular. It’s one of the easiest ways to get a site up and running. If you were looking to make a site for your business or personal project, you would more likely be drawn to WordPress. When you look at host providers, they usually call out their WordPress hosting options more than any other CMS out there. Web professionals usually recommend WordPress to their clients as the solution that fits their small to medium-sized budgets, their requirements, and their need for flexibility to grow.
Disclosure: Some of the links below are affiliate links, meaning, at no additional cost to you, I will earn a commission if you click through and make a purchase.
So why do hackers target WordPress?
If you were to spend hours trying to sell a product, would you try to sell a product only a couple customers want or sell a product everyone wants to buy? You would focus on the popular product to sell and get better results with limited effort. Hackers are the same way. They spend their resources going after the platform with the majority of sites – WordPress sites.
They look for any and all ways to exploit a vulnerability that could exist on a WordPress site. Any backdoor, a server or website setting configured incorrectly, out-of-date software, or simply easy-to-guess login credentials allows a hacker to gain access to your site and take it over.
So what can you do to keep your WordPress sites hacked less?
#1 – Keep your site up to date
A WordPress site requires some weekly or monthly maintenance, unlike other website platforms like WIX or Squarespace. If you chose WordPress as your platform, this should not be a surprise. If it is, check out my “Why WordPress” blog post to understand what the difference is.
The main difference is that WordPress can be configured however you need your website to function, look, or integrate with other services. These configurations include the theme, any plugins, and WordPress core itself. All of these will need to be updated and tuned on a regular basis.
If you read an article talking about a vulnerability, the majority of the time the article is talking about a specific plugin. They estimate the number of sites *possibly* infected from the number of times the plugin was downloaded from the WordPress plugin repository. The main takeaway from an article like this is to check whether the plugin they mention is one used on your site. However, if you are keeping your site up to date, you most likely already have the fix in place.
How do you keep your site up to date?
One option is to hand over the care of your site to someone like moi and not spend your valuable time or brain power on it. I have a variety of Care Packages to fit all needs that go more in-depth than just updating themes, plugins, and the WordPress core software.
Another option is to add a recurring reminder to your calendar to update your plugins, themes, and WordPress core. Updating at least monthly, and ideally weekly, will keep your website in a fabulous state and make it difficult for hackers to take advantage of it. I have a walk-through on how to best update your website. Just sign up below and I’ll send you my video to get you started.
#2 – Change your login credentials
A WordPress website comes with a few sets of login credentials. You’ll have a login for the host provider account, for the administrative side of WordPress, for the connection to the database behind WordPress, and potentially for accessing the files on the host provider (aka FTP credentials). There may be a few more depending on how the host provider sets up their services.
As with any login credentials, set up a username and password that are uncommon and sophisticated, and avoid commonly used ones like “admin” as a username or “password123!” as a password. Use a password manager like LastPass to help keep track of and create complex passwords for your credentials. It will also alert you if one of the sites you use a password on has been hacked.
By default, most WordPress security plugins check to make sure a site does not use “admin” as a username. However, there’s no need to add one of these plugins if you just create a username that’s not “admin” and also have a great host provider for your site.
#3 – Read up on your host provider and plans
You may find out why a cheap host provider is such a great bargain. More likely, it is because they cut corners with the service and features they provide you. Many sites get infected because of who they host with and the plan they are on.
Some providers may not lock down their network or setup as they should, which leaves a lot of back doors for hackers to get into your site. Sites have been hacked or taken down through shared hosting plans, file and folder permissions configured incorrectly, out-of-date server technology, or easy-to-guess login credentials for the host provider account.
If you are looking for a good recommendation on host providers, I would go with Dreamhost’s VPS plan or Siteground’s StartUp plan. Both are great companies with quick support, fast network response (i.e., your pages will load faster), and very secure setups.
#4 – Verify a third party before hiring them to work on your site
When hiring someone to work on your website to set up a feature, a new design, or a beautiful theme, the first thing you should do before handing over your host provider and website login details is to ask your fellow business owners or friends who they would recommend. And I’m talking about someone whose business is dedicated to providing the service, not someone who wants a side project on weekends. A referral, rather than just finding someone on a directory listing or via a search engine, will turn up a more reliable and professional company.
A few clients have come to me with the need to clean their hacked websites. Most hacked websites I’ve personally come across were hacked because they didn’t update their website and, surprisingly, because a previous company, contractor, freelancer, or friend/family member left a door open that a hacker stumbled upon.
Tools used to work on a website should be removed or turned off once the work is done. If they are left on the site or in the host provider account, a hacker can check for those tools and use them to their advantage.
This is why hiring a web professional who is reputable and has expertise will help keep your website secure and healthy.
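To turn #1, #2 and #4 into a single monthly check, here is an added example script (my own, not from the post or from WordPress) built on WP-CLI, which is assumed to be installed on the host; the script is run with the path to the WordPress install, and the list of weak logins is a constructed starting point to extend for your own site.

```shell
#!/bin/sh
# Monthly WordPress maintenance audit using WP-CLI (assumed installed on the
# host). Usage: sh wp-audit.sh /path/to/wordpress
# WEAK_LOGINS is a constructed example list; extend it to match your site.
set -u

WEAK_LOGINS="admin administrator root test user wordpress"

# Read one user login per line on stdin and print those found in WEAK_LOGINS,
# ignoring case. Always returns 0 so it is safe to call under set -e.
flag_weak_logins() {
    while IFS= read -r login; do
        lower=$(printf '%s' "$login" | tr '[:upper:]' '[:lower:]')
        for weak in $WEAK_LOGINS; do
            if [ "$lower" = "$weak" ]; then printf '%s\n' "$login"; fi
        done
    done
    return 0
}

# Count the data rows of a WP-CLI --format=csv listing on stdin (header excluded).
count_rows() {
    rows=$(grep -c . || true)
    if [ "$rows" -gt 0 ]; then rows=$((rows - 1)); fi
    echo "$rows"
}

# Run the live checks against the WordPress install at $1.
audit() {
    cd "$1" || return 1
    echo "== Core =="
    wp core check-update
    pending=$(wp plugin list --update=available --format=csv | count_rows)
    echo "== $pending plugin(s) with updates available =="
    wp plugin list --update=available --fields=name,version,update_version
    echo "== Themes with updates available =="
    wp theme list --update=available --fields=name,version,update_version
    echo "== Inactive plugins (leftover tools to remove if no longer needed) =="
    wp plugin list --status=inactive --field=name
    echo "== Administrator accounts with guessable logins =="
    wp user list --role=administrator --field=user_login | flag_weak_logins
}

# Only run the audit when a site path is given, so the helpers above can be
# sourced or tested on a machine without WP-CLI.
if [ "$#" -ge 1 ]; then
    audit "$1"
fi
```

Add the script to a cron job or your calendar reminder; any inactive plugin or flagged administrator login it reports is something to remove or rename by hand.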
In the end, following these four rules will help keep your WordPress site safe, healthy, and secure.
— Mary Jo