WordPress website security is key to your organization’s online presence. WordPress is one of the most widely used web content management systems, and for this reason, hackers are always interested in trying to find ways in. That is why you need to take your WordPress website security seriously. But what if your site is currently under attack or has been attacked?
WordPress website security: The Good News
- You’re probably being attacked by a bot or botnet, not a human.
What are they? Bots are machines running scripts that are programmed to find websites with vulnerabilities and exploit them. Botnets are networks of these types of machines.
Why is that good news? If you were being attacked by a human, the attack would be more targeted and fine-tuned. Bots go after the “low-hanging fruit” of websites that are using software with known security holes that they have not patched or updated. That means it’s feasible to prevent them from breaking through by keeping your website up to date and secure. Or if you’ve already been hacked, by thoroughly cleaning up the hack and then updating your website, your site can once again become secure.
- If you’ve got Red Earth Design, Inc. protecting your website, we receive alerts about hack attempts and have other means to keep the hackers out. We keep an eye on the latest trends in hack attempts, can see what’s going around, and we can confirm that these protective measures are keeping them out of your site. We are always educating ourselves on the latest methods to keep your WordPress website security top-notch.
- WordPress website security is also a priority for the WordPress community.
WordPress is open source software. This means the code is available for anyone to see, modify, and use as they see fit – and it’s not hidden from hackers, either. But it also means there is a large community supporting work on the code, always trying to make it better and more secure.
- Maybe the hackers got through, but the hack is invisible on the client side.
It’s virtually impossible to block every single hacking attempt. If anyone claims to be able to do it, don’t trust them. Hackers are always looking for new ways in. So maybe your site did get hacked despite your best efforts, but you can’t tell from the front end. This is a good thing, because while it means you do need to fix your site and up your game, there is less damage to your reputation than if a hacker had defaced your site or your clients were seeing spam on your site directly.
Why are they hacking my site?
If you run a small business, non-profit, or personal website, you might wonder what these hackers stand to gain. Here are some of the reasons they are trying to hack your website:
- Because they can.
“Script kiddies” are the kids fiddling around with computers at home after school, seeing what they can do. They rarely do any real damage, but they might just change out your home page to let you (and everyone) know they hacked your website. They’re showing off – but they’re also doing you a favor by showing you that you need to up your security game before someone else breaks in and does worse.
- To send spam.
If a spammer can run a program through your website to send out his spam email, that disguises his IP address, making it look like the spam comes from you. If your IP gets blocked, he can move on to another hacked site.
- Spam advertising.
Hackers can take advantage of your website to insert links to websites selling all sorts of undesirable or unethical things. This gets them free hosting and free advertising, since they are using your website for both.
- To steal data.
It’s important that you treat every piece of information you request from your customers with the highest security, and you should only request necessary information. Why waste your resources protecting information you don’t actually need in the first place? We recommend off-site credit card processing so that you take on less of that liability yourself. If you do store credit card numbers on your own website, we can’t emphasize enough how important it is to make sure your website is PCI compliant.
What are the consequences to me?
- Your reputation.
Obviously if your clients’ data is stolen, and the theft is traced back to your website, you’ll be facing a hard blow to your reputation as far as keeping your clients’ information safe. Large companies can bounce back from this, but will you be able to? Best to keep things like credit card numbers safe with a credit card processing company instead of taking on that responsibility yourself.
- Drop in your Google rankings.
If Google sees that your site has been hacked – and Google can see things like spam advertising or phishing attempts even if they aren’t obvious to your front-end users – your rankings will drop quickly.
- Potential visitors warned to keep away from your website.
If your website has been hacked, a user might be alerted that your website is potentially dangerous. Modern browsers like Firefox, Chrome, and Edge include this feature without requiring the use of a browser add-on. Don’t let your visitors be scared off; keep your site secure.
If your site has been hacked, or you fear it might be – and let’s be clear: any site on the internet is a target – it’s important to follow these basic rules:
- Keep your software up-to-date. Your WordPress website security depends very much on your keeping it and any plugins or themes up-to-date.
- Let someone else be responsible for the most sensitive data, like credit card information. Process cards off-site through PayPal or another service.
- Use safe, long passwords, and don’t use obvious usernames (like “admin”) or have those usernames displayed on your website.
- Protect your website with a firewall.
- Remove any old or outdated files from your server. Keep backups off-site, particularly if they include outdated versions of your website software.
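One way to check the last rule above, as an added example that is not part of the original article or any Red Earth Design tooling: a Python audit that walks a web root and reports leftover backup or dump files and extra WordPress copies, reading each copy's version from `wp-includes/version.php`. The suffix list, the function names and the sample directory tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed list of suffixes that usually mark leftover backups, dumps or editor copies.
LEFTOVER_SUFFIXES = (".sql", ".zip", ".tar", ".gz", ".tgz", ".bak", ".old", ".orig", ".swp", "~")
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")

def read_wp_version(install_dir):
    """Return the version string from wp-includes/version.php, or None."""
    try:
        text = (install_dir / "wp-includes" / "version.php").read_text(errors="replace")
    except OSError:
        return None
    match = VERSION_RE.search(text)
    return match.group(1) if match else None

def audit_webroot(root):
    """Return sorted (relative_path, reason) findings for a web root."""
    root, findings = Path(root), []
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        # A WordPress tree below the root is often a forgotten, unpatched copy.
        if path.is_dir() and (path / "wp-includes").is_dir():
            version = read_wp_version(path) or "unknown"
            findings.append((rel, f"extra WordPress copy (version {version})"))
        elif path.is_file() and path.name.lower().endswith(LEFTOVER_SUFFIXES):
            findings.append((rel, "leftover backup or dump file"))
    return sorted(findings)

def build_sample_tree(base):
    """Create a small constructed web root used only for this demonstration."""
    files = {
        "index.php": "<?php // constructed placeholder",
        "wp-includes/version.php": "<?php $wp_version = '6.5';",
        "wp-config.php.bak": "constructed placeholder",
        "backup-2019.sql": "constructed placeholder",
        "old-site/wp-includes/version.php": "<?php $wp_version = '4.7';",
    }
    for rel, body in files.items():
        target = Path(base, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in audit_webroot(tmp):
            print(f"{rel}: {reason}")
```

Anything it reports should be moved off the server or deleted, since a copy like `wp-config.php.bak` is served as plain text rather than executed as PHP.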