Cleaning up a hacked WordPress site is no fun. At best, it’s an involved and time-consuming process that most of us would rather avoid. In this article, I’ll tell you about several things that you can do today to make your WordPress website more secure. Putting in a little time and effort now can prevent a hack from happening and keep your data safe.
The methods we’re going to cover to prevent a hacked WordPress site are steps that you can take to ensure the security of your WordPress installation. But in addition to making sure you’re doing everything right, you should also make sure you’re using WordPress hosting that takes WordPress security—and security in general—seriously.
How Bad Is the Hacking Problem?
More than 125,000 websites are hacked every day. That’s more than one site every second. 45 million a year, actually. With 235 million active websites, almost 1 in 5 are likely to be compromised this year.
While there are more than one and a half billion registered domain names, most of those domains are “parked.” That’s why the number of active sites is much smaller.
Those are pretty bad odds against us. Any steps we can take to strengthen our websites against attack are worthwhile.
Prevent a Hacked WordPress Website
The following tips are not presented in order of importance because they are all equally important. As with any security measure, each additional action that you take increases your overall protection.
If you make it your goal to implement everything we talk about here, you will create the ultimate safe and secure environment for your WordPress website.
1. Refresh, Renew and Revitalize Your WordPress Password
Let’s start with something that isn’t necessarily specific to WordPress: passwords. It may not be an exaggeration to say that most of our lives revolve around passwords. But keeping track of dozens of passwords can be a pain, so it’s easy to become complacent.
We make passwords weaker so they are easier to remember, we reuse them and generally thumb our noses at password security “rules.”
But here’s the thing: there are a lot of ways to hack a WordPress installation, but the second most commonly used method is getting in the same way that you do: with your username and password.
The way hackers get your login credentials varies, but one method is called a “brute force” attack. That means trying to log in using automated programs that attempt dozens of logins every second.
So while it may be tempting to become lax with our passwords, remember that there are forces out there working around the clock to take advantage of weak password practices.
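A round-the-clock login attack leaves a clear trail in the web server's access log, and spotting it early is cheaper than cleaning up afterwards. The script below is an added example, not code from the original article: it parses combined-format access log lines (the sample lines are constructed here, not from any real site), counts POST requests to /wp-login.php per client address inside a sliding time window, and reports addresses that exceed a threshold. The threshold, window and the rule of thumb that a failed WordPress login returns 200 while a successful one redirects with 302 are assumptions you should tune to your own site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def find_bruteforcers(lines, threshold: int = 10, window: timedelta = timedelta(seconds=60)) -> dict:
    """Map ip -> peak number of login POSTs seen inside any `window`, for ips at or over threshold."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            attempts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):           # two-pointer sliding window
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def build_sample_log() -> list:
    """Constructed log: one scripted attacker firing 25 login POSTs in 10 seconds,
    plus one real person who loads the form once and logs in successfully."""
    base = datetime(2024, 6, 12, 3, 14, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 0 "-" "{ua}"'

    def stamp(offset_s):
        return (base + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")

    lines = [fmt.format(ip="203.0.113.7", ts=stamp(0.4 * i), method="POST", path="/wp-login.php",
                        status=200, ua="python-requests/2.31") for i in range(25)]   # 200 = form re-shown (failed)
    lines += [
        fmt.format(ip="198.51.100.20", ts=stamp(20), method="GET", path="/wp-login.php", status=200, ua="Mozilla/5.0"),
        fmt.format(ip="198.51.100.20", ts=stamp(35), method="POST", path="/wp-login.php", status=302, ua="Mozilla/5.0"),
        fmt.format(ip="198.51.100.20", ts=stamp(36), method="GET", path="/wp-admin/", status=200, ua="Mozilla/5.0"),
    ]
    return lines


if __name__ == "__main__":
    for ip, peak in find_bruteforcers(build_sample_log()).items():
        print(f"{ip}: {peak} login attempts inside one 60 s window")
```

In practice you would feed the real access log in (`find_bruteforcers(open(path))` works line by line) and hand the flagged addresses to whatever blocks them, which is roughly what a login-limiting plugin automates for you.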
Using Password Managers
The good news is creating and maintaining virtually uncrackable passwords is easier than you might think. A password manager can not only store login credentials for you, but most of them can also generate secure passwords. This is in addition to automatically logging you into websites.
While it may feel strange the first time you go to your bank website and are automatically logged in, password managers can make your life a lot easier.
And a lot more secure.
There are many choices when it comes to password managers. I use LastPass, which has a very useful free tier, and a reasonable “premium” pay platform. I wouldn’t be without it now, but all of the password managers serve primarily the same purpose. They just go about it in different ways.
Using Passphrases
If you’re not into the idea of storing all of your passwords in an app, you might consider transitioning to passphrases. A passphrase is just what it sounds like, a short phrase using words that you can easily remember, but that a brute force password attack would take years (or even centuries) to crack.
It seems counterintuitive at first glance, but the passphrase “ireallyhatepasswords” is more secure than “dU~a[Tz3(?jX7j.” That is, according to one password strength checker.
Both would theoretically take billions of years to crack. The accuracy of password checkers aside, they’re both excellent passwords, and in the world we currently live in, virtually uncrackable.
If you can add a character or number to a passphrase, it becomes even stronger. Simply capitalizing the words in your passphrase makes it exponentially more difficult to crack. For instance, “ireallyhatepasswords” = 16 billion years as opposed to “IReallyHatePasswords” = 17 quadrillion years.
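The strength-checker figures quoted above come from that checker's own model. To see why a long all-lowercase passphrase can outrank a short random string, and why the article's advice to capitalize or append a character helps, here is an added worked example (not part of the original article) that scores the two passwords from the text under two attacker models: guessing character by character over the alphabet the password uses, and guessing combinations of common words. The class sizes, the 20,000-word dictionary, and the 1e10 guesses-per-second rate are modelling assumptions, not measurements.

```python
import math
import string

# Character classes a character-by-character brute-forcer has to cover.
# Sizes are the usual ones for a US keyboard; the 32 printable symbols are an assumption.
CHARACTER_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), 32),
)


def alphabet_size(secret: str) -> int:
    """Size of the alphabet an attacker must search, inferred from the classes present."""
    return sum(size for chars, size in CHARACTER_CLASSES if any(c in chars for c in secret))


def brute_force_bits(secret: str) -> float:
    """Bits of work to try every string of this length over the inferred alphabet."""
    return len(secret) * math.log2(alphabet_size(secret))


def wordlist_bits(word_count: int, dictionary_size: int = 20_000, suffix_choices: int = 1) -> float:
    """Bits of work if the attacker instead combines dictionary words.

    dictionary_size (assumed 20,000 common words) and suffix_choices (how many
    different appended digits/symbols must also be tried) are assumptions.
    """
    return word_count * math.log2(dictionary_size) + math.log2(suffix_choices)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years to try the whole space at an assumed offline rate (default 1e10 guesses/s)."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


def stronger(secret_a: str, secret_b: str) -> str:
    """Whichever secret costs a character-by-character brute-forcer more work."""
    return secret_a if brute_force_bits(secret_a) >= brute_force_bits(secret_b) else secret_b


if __name__ == "__main__":
    for s in ("ireallyhatepasswords", "dU~a[Tz3(?jX7j", "IReallyHatePasswords"):
        bits = brute_force_bits(s)
        print(f"{s:22} alphabet={alphabet_size(s):3} bits={bits:6.1f} years={years_to_exhaust(bits):.1e}")
    # The same passphrase seen as four dictionary words rather than 20 random letters:
    print(f"4 dictionary words     bits={wordlist_bits(4):6.1f}")
    # ...and with one extra digit or symbol appended, as the article recommends:
    print(f"4 words + 1 extra char bits={wordlist_bits(4, suffix_choices=42):6.1f}")
```

The character-by-character model reproduces the article's ranking: 20 lowercase letters (about 94 bits) beat 14 mixed characters (about 92 bits), and capitalizing the four words adds roughly 20 bits. The word-list model is the caveat: if the attacker guesses whole words, four common words are closer to 57 bits, which is why adding a digit, symbol or an uncommon word to a passphrase matters more than its raw length suggests.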
Whatever tool or approach you use to manage your passwords, the key things to remember are:
- Make your passwords strong
- Don’t use passwords for more than one site
- Don’t re-use old passwords
Okay, on to the WordPress tips.
2. Update Plugins and Themes
We know that weak passwords are the second most common way to hack a WordPress site. However, plugins are far and away the number one way that WordPress sites are hacked. Make sure all of your WordPress themes and plugins are up to date. That’s all you have to do to decrease your chances of a plugin or theme-related hack.
Of course, that’s easier said than done.
Manual Updates
If you are posting new material to your WordPress website often, manually keeping plugins and themes up to date is relatively easy. Every time you log in to your WordPress admin panel, you will see a notice if a plugin or theme has a pending update.
Make it a habit to apply the updates before you do anything else and you will always be ahead of the game.
Automatic Updates
If you don’t log in to your WordPress site very often, you should use automatic updating. There are a couple of ways to go about implementing automatic updates.
If you installed WordPress using Softaculous, you’re in luck. Softaculous has options to keep plugins and themes updated. We have an article that shows you how to configure automatic plugin updates. The article details several non-Softaculous options as well, so however you installed WordPress, we have you covered.
3. Update WordPress Itself
Staying on top of plugin and theme updates is crucial, but it’s also essential to keep your WordPress version up to date.
If you’re wary of WordPress updates because a major version once turned your site into a chaotic jumble, I feel your pain. If the developer of your theme doesn’t keep up with WordPress changes, updating can feel like rolling the dice and hoping for the best.
However, letting WordPress updates fall behind is even more dangerous than using outdated plugins or themes. So if you’re only going to take one piece of advice from this article, let it be this one. Keep WordPress up to date.
If you have reservations about an update, consider testing the update in a development environment first. That way if something does break, you can figure out how to fix it without taking down your main site.
Just like with plugins and themes, WordPress updates can be done manually or automatically. If you installed WordPress using Softaculous, here’s an article that explains how to set up automatic WordPress updates.
If you didn’t use Softaculous to install WordPress, you can still configure automatic updates for major version releases.
4. Delete, Delete, Delete
In the “Update Plugins and Themes” section, we talked about keeping up to date with plugins and themes. But sometimes these elements are abandoned by developers and are no longer updated.
Check your plugins from time to time, and look for any that haven’t been updated recently. You also have the option of deleting your WordPress installation entirely and starting over.
To check the last time they were updated, log in to your WordPress admin panel and go to “Installed Plugins” and click the “View details” link for a plugin. In the window that opens, you can see the “Last Updated” date.
If a plugin hasn’t been updated in the past year or so, you may want to look for another tool that serves the same purpose but is more currently active.
Also, look for plugins or themes that you aren’t using and delete them. Don’t just deactivate them, remove these plugins completely. The goal is to have only the themes and plugins you use and only the latest version of each.
If you use a child theme—and you should—be careful not to delete the parent theme. It won’t be the active theme, but it needs to stay installed and kept up to date.
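Clicking through "View details" for every plugin works for a handful of them; once there are more, it helps to gather the same facts into a list and apply the article's three rules (update what is behind, delete what is inactive, replace what its developer has abandoned) automatically. The following is an added example, not code from the article: the plugin records are constructed, and the "last_updated" values follow the "YYYY-MM-DD h:mmam/pm GMT" shape that the api.wordpress.org plugin-info endpoint reports (treat that format as an assumption and check it against a real response). The one-year staleness cut-off is the article's rule of thumb.

```python
from datetime import date, datetime, timedelta

# Constructed sample of what an audit would gather per installed plugin.
SAMPLE_PLUGINS = [
    {"slug": "contact-form-x", "active": True, "installed": "2.1.0", "latest": "2.3.1",
     "last_updated": "2024-05-02 9:15am GMT"},
    {"slug": "gallery-legacy", "active": True, "installed": "1.0.4", "latest": "1.0.4",
     "last_updated": "2019-11-20 4:02pm GMT"},
    {"slug": "old-seo-helper", "active": False, "installed": "3.2.0", "latest": "3.4.0",
     "last_updated": "2023-08-14 1:30pm GMT"},
    {"slug": "cache-tool", "active": True, "installed": "5.0.0", "latest": "5.0.0",
     "last_updated": "2024-06-01 11:00am GMT"},
]

AUDIT_DATE = date(2024, 7, 1)        # fixed "today" so the sample audit is reproducible
STALE_AFTER = timedelta(days=365)    # the article's "past year or so"


def parse_last_updated(value: str) -> date:
    """Keep only the leading YYYY-MM-DD; the time of day does not matter for this check."""
    return datetime.strptime(value[:10], "%Y-%m-%d").date()


def audit_plugins(plugins, today: date) -> dict:
    """Return slug -> list of findings for every plugin that needs attention."""
    findings = {}
    for p in plugins:
        notes = []
        if not p["active"]:
            notes.append("inactive: delete it rather than leaving it deactivated")
        if p["installed"] != p["latest"]:
            notes.append(f"update available: {p['installed']} -> {p['latest']}")
        if today - parse_last_updated(p["last_updated"]) > STALE_AFTER:
            notes.append("not updated by its developer in over a year: look for a replacement")
        if notes:
            findings[p["slug"]] = notes
    return findings


def run_sample_audit() -> dict:
    return audit_plugins(SAMPLE_PLUGINS, AUDIT_DATE)


if __name__ == "__main__":
    for slug, notes in run_sample_audit().items():
        for note in notes:
            print(f"{slug}: {note}")
```

Run against real data, the "active", "installed" and "latest" fields come from the site's plugin list and "last_updated" from the plugin directory; the point of the script is that an inactive plugin with an update pending still gets two findings, because it is still code on your server until it is deleted.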
5. Find and Remove Abandoned WordPress Installations
WordPress is easy to install, and that ease means there are a lot of unused test installations out there. Malware is often injected into old, unused WordPress sites that have been outdated for months or even years. The infection can be spread to your visitors and other websites.
You may have WordPress installations that you don’t even remember setting up, so it’s important to check for them.
If you use cPanel, you can check Softaculous and it will show you all of your WordPress installations. Delete any that you aren’t using.
If you don’t use cPanel or Softaculous, FTP into your website and look for directories that could be old, unused WordPress installations and delete them.
A test WordPress installation will also have a database somewhere, so remember to remove that, too.
It’s a good idea to keep all of your website files current, not just WordPress. It’s easy to accumulate old versions of files. If you don’t need them, delete! If deleting files from the server makes you uneasy, download a copy of your old files and save them locally, then delete them from the server.
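Browsing a hosting account over FTP for forgotten copies is tedious and easy to get wrong. Every WordPress install has a wp-config.php, and its core version sits in wp-includes/version.php, so a short scan can list every install, its version, and the database it points at (the one the article reminds you to drop as well). This is an added example and not code from the article; the sample directory tree it builds is constructed in a temporary folder, and the "current version" it compares against is whatever you pass in.

```python
import re
import tempfile
from pathlib import Path

VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")


def parse_wp_config(config_path: Path) -> dict:
    """String constants (DB_NAME, DB_USER, ...) defined in a wp-config.php."""
    return {m.group(1): m.group(2) for m in DEFINE_RE.finditer(config_path.read_text())}


def find_installations(root) -> list:
    """Every directory under root holding a wp-config.php, with core version and database name."""
    root = Path(root)
    found = []
    for config in root.rglob("wp-config.php"):
        site = config.parent
        version = None
        version_file = site / "wp-includes" / "version.php"
        if version_file.is_file():
            match = VERSION_RE.search(version_file.read_text())
            version = match.group(1) if match else None
        found.append({
            "path": site.relative_to(root).as_posix(),
            "version": version,                          # None: partial or broken install
            "db": parse_wp_config(config).get("DB_NAME"),
        })
    return sorted(found, key=lambda r: r["path"])


def flag_for_review(installs: list, current_version: str) -> list:
    """Installs that are not on the current core version, or have no readable version at all."""
    return [i for i in installs if i["version"] != current_version]


def build_sample_tree() -> str:
    """Constructed hosting-account layout: one live site, one forgotten test copy,
    and one half-deleted copy whose database was never dropped."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    sites = {
        "public_html": ("6.4.0", "wp_live"),
        "public_html/old-test": ("4.9.8", "wp_oldtest"),
        "public_html/site2019": (None, "wp_site2019"),
    }
    for rel, (version, db) in sites.items():
        site = root / rel
        (site / "wp-includes").mkdir(parents=True)
        (site / "wp-config.php").write_text(
            "<?php\n"
            f"define( 'DB_NAME', '{db}' );\n"
            "define( 'DB_USER', 'wpuser' );\n"
            "define( 'DB_PASSWORD', 'constructed-sample' );\n"
            "define( 'DB_HOST', 'localhost' );\n"
        )
        if version:
            (site / "wp-includes" / "version.php").write_text(f"<?php\n$wp_version = '{version}';\n")
    static = root / "public_html" / "static-landing"      # plain HTML, must not be listed
    static.mkdir()
    (static / "index.html").write_text("<html></html>")
    return str(root)


if __name__ == "__main__":
    installs = find_installations(build_sample_tree())
    for i in installs:
        print(f"{i['path']:24} version={i['version']}  db={i['db']}")
    print("review:", [i["path"] for i in flag_for_review(installs, "6.4.0")])
```

Point `find_installations` at the top of your web root (or the whole home directory, since test copies are not always under public_html) and every path it lists that you do not recognise is a candidate for deletion, database included.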
6. Delete the Default Admin User
If you installed WordPress some time ago, it may have created a user named “admin” by default. Most brute-force WordPress hack attempts start with the “admin” username. If it’s not there, you make the attacker’s job more difficult.
To see if you have a user named admin, go to your WordPress Users page (/wp-admin/users.php) and see if “admin” is listed.
If you do have a user named admin, create another or give an existing account the administrator role and delete the default admin profile.
7. Get Expert Help
I don’t mean hiring a security expert to stand behind you and watch over your shoulder (though if you do that, let me know what it’s like). I’m talking about expert help in the form of a plugin.
I know, we’ve been talking about plugins being a source of security problems, but some are security solutions.
Using security plugins like Wordfence can help greatly reduce the chances of getting hacked. And as this particular plugin is free, you risk nothing by adding it to WordPress.
Wordfence and other security plugins can help protect your site from all of the things we’ve been talking about. This is in addition to many other things that aren’t as easily checked. It will even send email reports of its findings.
8. Back It Up
Waking up to a hacked WordPress site can mean a long day setting everything straight. But if you have a current or recent backup of your website and database, the job can be done in a fraction of the time.
There are a lot of ways to back up your WordPress installation. You have access to both manual and automated methods. There are also commercial backup services that will connect to your site and database and download them automatically every day.
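A backup is only useful if it covers both halves of the site (files and database) and if you can trust it at restore time. The script below is an added example, not code from the article or from any backup service: it archives the site directory, reads the database credentials out of wp-config.php, runs mysqldump with those credentials passed through a 0600 options file rather than on the command line, and writes a SHA-256 manifest so a restore can first check nothing has been altered. The sample site it builds is constructed in a temporary folder; the mysqldump step is skipped automatically when no MySQL client is installed.

```python
import hashlib
import re
import shutil
import subprocess
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path

DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")


def parse_wp_config(config_path: Path) -> dict:
    """String constants (DB_NAME, DB_USER, ...) from wp-config.php."""
    return {m.group(1): m.group(2) for m in DEFINE_RE.finditer(config_path.read_text())}


def write_mysql_defaults(creds: dict, dest: Path) -> Path:
    """Credentials go in a 0600 options file so the password never shows up in `ps`."""
    cnf = dest / "backup.cnf"
    cnf.write_text(f"[client]\nuser={creds['DB_USER']}\npassword={creds['DB_PASSWORD']}\n"
                   f"host={creds.get('DB_HOST', 'localhost')}\n")
    cnf.chmod(0o600)
    return cnf


def dump_command(creds: dict, cnf: Path, out_sql: Path) -> list:
    """argv for mysqldump; --single-transaction takes a consistent snapshot of InnoDB tables."""
    return ["mysqldump", f"--defaults-extra-file={cnf}", "--single-transaction",
            f"--result-file={out_sql}", creds["DB_NAME"]]


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def backup_site(site_dir, dest_dir, run_dump: bool = True) -> dict:
    """Archive the site files, dump its database, and write a hash manifest for both."""
    site, dest = Path(site_dir), Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    creds = parse_wp_config(site / "wp-config.php")

    files_tgz = dest / f"files-{stamp}.tar.gz"
    with tarfile.open(files_tgz, "w:gz") as tar:
        tar.add(site, arcname=site.name)

    out_sql = dest / f"db-{creds['DB_NAME']}-{stamp}.sql"
    cnf = write_mysql_defaults(creds, dest)
    argv = dump_command(creds, cnf, out_sql)
    dumped = False
    if run_dump and shutil.which("mysqldump"):      # skipped when no MySQL client is installed
        subprocess.run(argv, check=True)
        dumped = True
    cnf.unlink()                                    # never leave credentials beside the backups

    manifest = dest / f"manifest-{stamp}.sha256"
    artifacts = [files_tgz] + ([out_sql] if dumped else [])
    manifest.write_text("".join(f"{sha256_of(p)}  {p.name}\n" for p in artifacts))
    return {"files": files_tgz, "db_dump": out_sql if dumped else None,
            "manifest": manifest, "dump_argv": argv}


def verify_manifest(manifest: Path) -> bool:
    """Recompute every hash; False if an artifact is missing or changed since it was written."""
    for line in manifest.read_text().splitlines():
        digest, name = line.split("  ", 1)
        artifact = manifest.parent / name
        if not artifact.is_file() or sha256_of(artifact) != digest:
            return False
    return True


def archive_members(tgz: Path) -> list:
    with tarfile.open(tgz, "r:gz") as tar:
        return tar.getnames()


def build_sample_site() -> tuple:
    """Constructed stand-in for a hosting account: a tiny site plus a backup folder path."""
    root = Path(tempfile.mkdtemp(prefix="wp-backup-"))
    site = root / "public_html"
    (site / "wp-content" / "uploads").mkdir(parents=True)
    (site / "wp-config.php").write_text(
        "<?php\ndefine( 'DB_NAME', 'wp_live' );\ndefine( 'DB_USER', 'wpuser' );\n"
        "define( 'DB_PASSWORD', 'constructed-sample' );\ndefine( 'DB_HOST', 'localhost' );\n")
    (site / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8 constructed bytes")
    return str(site), str(root / "backups")


if __name__ == "__main__":
    site, dest = build_sample_site()
    result = backup_site(site, dest, run_dump=False)   # no real database behind the sample site
    print("archive:", result["files"].name, archive_members(result["files"]))
    print("dump command:", " ".join(result["dump_argv"]))
    print("manifest verifies:", verify_manifest(result["manifest"]))
```

Because the archive contains wp-config.php, and therefore the database password, the backup folder needs the same protection as the site itself; keeping a copy somewhere other than the web server is what makes the backup useful on the day the server is the thing that was compromised.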
In addition to giving you peace of mind in the event of a hack, maintaining good backups also helps protect you against yourself.
I’ve been building websites since 1994, and I have to admit that sometimes, even after all these years of experience, I break them. Badly. And I’ve been saved by yesterday’s backup more times than I can remember.
A backup won’t prevent a hack or website catastrophe. However, it can make your life a lot easier if you ever fall victim either to the bad guys or your own oversight or mistake.
Security Is a Vast and Thorny Subject
It’s easy to get bogged down in details and protocols when discussing website security. But if you use WordPress, you can implement the following:
- Refreshing your password
- Updating plugins and themes
- Updating WordPress
- Deleting unused plugins and themes
- Removing unused WordPress installations
- Deleting the user named “admin”
- Installing a security plugin
- Backing up your website files and databases
It’s not all that difficult to add security methods to your website. You just need to be conscientious about what can pose a threat and how you can plug up the holes.