On May 12, 2017, one of the largest cyber attacks in history halted operations for hospitals, government agencies, and businesses across the world. A Windows exploit found by the NSA allowed hackers to seize control of computers using ransomware. This attack was the result of numerous desktop computers and computer systems not having the latest security patches; the same situation can happen to your WordPress site if it is not frequently updated with the latest security fixes. To ensure that doesn’t happen to you, you can implement our 6 tips to protect your website against hacking.
First, what exactly happened?
Hackers used WannaCry ransomware (a.k.a. WannaCrypt or WCry) to gain access to Windows operating systems, allowing them to lock down all files on the computer and demand a ransom to release control. Avast, a security program, has seen more than a quarter million detections in 116 countries—and that figure is based solely on data collected from users with Avast installed on their computers.
Microsoft had already released a patch that would cover such an exploit, effectively sealing it off. But computers that hadn’t been updated were vulnerable to the hack.
Cyber attacks aren’t limited to desktop computers
Your phone, tablet, or even the web server hosting your website are potential targets for ransomware and cyber attacks. Hackers were able to take down The Saint Louis Public Library’s entire network after discovering a vulnerability in a small 4-year-old voicemail server that allowed them to access and lock every device that was on the same network.
At TPI, we see numerous attempts on a daily basis by hackers scanning WordPress sites and our server searching for exploitable weaknesses and vulnerabilities. Hackers performed a brief Denial of Service cyber attack on one of our servers last year, threatening to take it down completely unless we paid them 5 bitcoins—that’s $9,320.10.
As one of the most popular publishing platforms available, WordPress is a common target for hackers attempting to gain administrative access to a server. Any WordPress site—whether it contains valuable information or not—is a potential target.
Why would someone want to attack my site?
By gaining administrative access to your WordPress site and server, a hacker can use it as a platform to send out spam, host files that infect the devices of users that visit your site, or install a bot that attacks other sites.
Popular shared hosting providers like Nexcess, GoDaddy, and Siteground host your site on a server along with hundreds of other sites. If one website on that server is attacked, it can affect all sites that live on that server. Most hosting providers monitor and scan their servers on a regular basis. If they find evidence that your site has been hacked, they will alert you or might even shut down your site completely.
How do I protect my website from cyber attacks?
There is no end-all be-all solution, but these 6 tips can reduce your chances of getting hacked:
1. Keep WordPress, themes, and plugins up-to-date
WordPress releases frequent patches to fix any exploits discovered after a new release. Plugins and themes will frequently release new updates to ensure compatibility with the new version, so you should check your site at least once a week. (Yes, they are that frequent.)
2. Install a security plugin
Install a security plugin like Wordfence or iThemes Security. Once installed, run through the settings to configure the plugin and firewall. Wordfence and iThemes both offer free and premium versions of the plugin.
3. Audit your users and passwords
Enforce strong passwords and remove any users with default usernames like wpadmin, admin, master, administrator, etc. And remove any users that use your business name or anything similar to the URL of your site. These are the first usernames hackers will target when trying to force their way into your WordPress site.
4. Change the URL of the login page
Use a plugin like WPS Hide Login to change the URL of your default login page. Some security plugins also offer this feature. Changing the URL helps prevent hackers from brute forcing their way into your site.
5. Make offsite backups
Back up your site frequently; if you make changes on your site daily, then you should be backing it up daily. And save your backups somewhere besides your server—on your computer, in cloud storage, or on an external hard drive. Nothing’s worse than storing your only backup saved on the exact same server hackers just took down.
6. Install a recaptcha on all forms
A recaptcha helps weed out spam bots that try to post spam through your web forms. Popular plugins like Formidable Forms and Contact Form 7 offer step-by-step instructions for setting this up.
These 6 tips can help protect your site from costly and time-consuming cyber attacks, so it’s worth investing the money and time upfront. Don’t have the time? We’re happy to help! Drop us a line and we can evaluate your site’s current security vulnerabilities and implement the recommended precautions.