How to prevent your WordPress site from being hacked

As WordPress becomes more and more popular as a content management system, it also attracts undesired attention from hackers across the globe. With so many WordPress sites active on the web, it is easy for hackers to locate WordPress sites by consistencies in the way WordPress is set up. These include:

  • content stored in the wp-content folder
  • wp prefix on the WordPress database
  • the same login page for all sites (wp-login.php)
  • the location path of the admin area (wp-admin)
  • userID for admin
  • and most common is the main administrator username being set as admin

By running a few simple searches, a hacker can quickly find sites running off WordPress.

How Hackers Target WordPress Sites

Brute Force Login

A very common hack attempt is the brute force login. This is where hackers locate the wp-login.php page and run scripts in an attempt to log in as an administrator. This usually involves using the username “admin” and then, by the use of scripts, populating the password field with random dictionary-based words and number combinations. This can be quite successful considering how many people these days still use admin/password123 or similar easy-to-crack combinations.

Exploits

With thousands of free themes and plugins available and the majority no longer maintained, it can leave many sites with backdoors waiting to be exploited. Hackers can locate these backdoors and use them to install scripts or malicious code on your website. It is best practice to use paid themes and plugins that are kept updated or popular items that also have regular updates.

File Permissions

Incorrect permissions on files and folders on your WordPress hosting can lead to hackers modifying your WordPress install. Ensure the correct file and folder permissions are set up on your installation. Folders should be set to 755 and files set to 644.
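The following added example (not part of the original article) walks a WordPress directory and reports every folder that is not 755 and every file that is not 644, marking the world-writable ones. It assumes a POSIX host; the demo tree and its file names are constructed and hypothetical.

```python
import os
import stat
import tempfile

DIR_MODE, FILE_MODE = 0o755, 0o644   # the values recommended in the article

def audit_permissions(root):
    """Return sorted (relative path, actual, expected, world_writable) tuples
    for every directory or file under `root` whose mode differs."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(dirpath, DIR_MODE)] if dirpath == root else []
        entries += [(os.path.join(dirpath, d), DIR_MODE) for d in dirnames]
        entries += [(os.path.join(dirpath, f), FILE_MODE) for f in filenames]
        for path, expected in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):      # a symlink's own mode is meaningless
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode != expected:
                findings.append((os.path.relpath(path, root), oct(mode),
                                 oct(expected), bool(mode & stat.S_IWOTH)))
    return sorted(findings)

def demo():
    """Build a constructed, throwaway tree (hypothetical layout) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        modes = {".": 0o755, "wp-content": 0o755, "wp-content/uploads": 0o777,
                 "index.php": 0o644, "wp-config.php": 0o666, "readme.html": 0o664}
        for rel, mode in modes.items():
            path = os.path.join(root, rel)
            if not os.path.isdir(path):
                open(path, "w").close()   # create an empty placeholder file
            os.chmod(path, mode)          # set the mode explicitly, ignoring umask
        return audit_permissions(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Entries with the last field set to True are writable by any account on the server and are the ones to fix first.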

Code Injections

Many hackers will inject malicious code into the head of WordPress php files. This code can be hard to find and also can be injected into every single php file on your site making it near impossible to find and remove. The best solution is starting fresh with a clean install of WordPress and migrating your content over.
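To help find affected files before rebuilding, the following added example (not part of the original article) scans the first line of every .php file for signs of prepended code. The heuristics, the 300-character limit and the sample files are assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumed heuristics (not from the article): calls often used to unpack an
# obfuscated payload, and an opening line far longer than hand-written PHP.
DECODER_CALL = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
MAX_FIRST_LINE = 300

def scan_php_heads(root, head_bytes=8192):
    """Return {relative path: [reasons]} for .php files whose first line looks injected."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(head_bytes).decode("utf-8", "replace")
            first_line = head.split("\n", 1)[0]
            reasons = []
            if DECODER_CALL.search(first_line):
                reasons.append("decoder or eval call on first line")
            if len(first_line) > MAX_FIRST_LINE:
                reasons.append("first line exceeds %d characters" % MAX_FIRST_LINE)
            if reasons:
                hits[os.path.relpath(path, root)] = reasons
    return hits

def demo():
    """Scan a constructed tree: one clean file and two with harmless stand-ins prepended."""
    clean = "<?php\n/** Front controller. */\nrequire __DIR__ . '/wp-blog-header.php';\n"
    # Constructed stand-in: the base64 string decodes to the harmless "echo 1;".
    injected = "<?php eval(base64_decode('ZWNobyAxOw==')); ?>" + clean
    padded = "<?php /*" + "x" * 400 + "*/ ?>" + clean
    with tempfile.TemporaryDirectory() as root:
        for name, body in [("index.php", clean), ("wp-load.php", injected),
                           ("wp-cron.php", padded), ("notes.txt", injected)]:
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return scan_php_heads(root)

if __name__ == "__main__":
    print(demo())
```

A hit is a lead for manual review, and a clean first line does not prove the rest of the file is untouched.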

How to prevent your WordPress site from being hacked

There are a number of ways to help prevent your site from being hacked. Following a few simple rules will give your site the best chance of avoiding a future hack.

1. Remove any generic settings associated with WordPress.

This includes:

  • Changing the admin userID from 1 to another number
  • Not using “admin” as your administrator username
  • Change the prefix of your WordPress database
  • Prevent users from logging in as “admin”
  • Limit the number of failed login attempts
  • Hide the location of wp-login.php and the wp-admin folder
  • Change the path for wp-content
  • Ensure file permissions are set up correctly
  • Disable php from being executed from wp-content/uploads

The above might sound like a lot to do and it is if you do it manually. Thankfully there is a plugin that can take care of all this for you. WP Better Security is a free plugin that will greatly increase your security settings with the click of a few buttons.

2. Keep your WordPress site updated

WordPress regularly releases new versions which often contain crucial bug fixes and updates. It is essential that WordPress is kept up to date to avoid any security breaches.

3. Keep your WordPress theme updated

4. Keep plugins updated

It is recommended that you take a backup of your database and website before any major updates to avoid any data loss. Backups should be taken regularly anyway, but be sure you aren’t backing up a site that has already been compromised.

Author: Matt Ascough

Matt runs m2media, a Brisbane Web Design company specialising in WordPress Design and Development. For more information or assistance with either preventing your WordPress site from being hacked, or fixing hacked sites, please contact m2media.

How much does a WordPress site cost?

This is a question we get at m2media all the time, and there is no real set answer. It is much like asking “how long is a piece of string?”. We like to compare building a WordPress site to building a house. Both have many variables that influence the final cost. Asking whether you want 2 or 4 bedrooms can be compared to asking whether you want 10 pages or 100 pages.

Our basic WordPress websites start at around $2,400 and increase depending on additional features. Ecommerce WordPress sites, for example, average around $5,000.

All packages include the following as standard:

  • initial consulting
  • multiple layout designs with revisions based on an existing theme
  • conversion of design into a working WordPress theme
  • responsive layout viewable on mobiles and tablets
  • installation and setup of plugins for contact forms, Google Maps, SEO
  • setup of menu structures
  • setup of all pages and addition of content (within reason)
  • testing
  • launch

Full custom sites will attract a higher cost due to the additional consulting, design and development time required.

Extras

There are a lot of extras available that can be included with any WordPress site development. These include

Before asking how much does a WordPress site cost, first work out your website requirements. Here are some simple steps to build your website development brief.

Preparing a website brief

  1. What is the main purpose of the website?
  2. Do you require a full custom design, or are you happy to use a prebuilt theme and modify it?
  3. Do you have your content ready?
  4. Do you have a sitemap of all pages planned out?
  5. What special features are required? These could be an online store, document management, members only area
  6. Does your site require any online forms? If so, have the fields you wish to include ready
  7. Have all your hosting/domain information ready. There is nothing worse than having your site ready to go live, but you can’t find your hosting or domain name information available.
  8. Are there websites that you like the look and feel of?
  9. Have you got any existing marketing material/branding that the website should match?
  10. Are you able to provide logos and other graphics/photos?

As you can see, there is a lot involved in the initial preparation of your website. The more you can do and supply initially, the more time and cost you will save, and the smoother your project will run.

WordPress 3.8 out now

WordPress has released version 3.8, which sees a major upgrade to the admin area including new skins, typography and an enhanced mobile experience. Users will instantly notice the new black menu bar and flat colours, which provide a great contrast between the menu and editor areas.

What we find to be a great new feature is that the sidebars in the widgets area are now split into 2 columns, making it much easier to allocate widgets to sidebars. No longer do you have to drag widgets down to the very last sidebar at the bottom of the page. This is great for sites that have more than about 5 sidebars.

Installed plugins are now colour coded, allowing users to instantly differentiate between active and inactive plugins.

A new theme titled Twenty Fourteen is also included, which aims to let users create a responsive magazine-style blog and is sure to be a big hit amongst up-and-coming bloggers.

Overall we are very impressed with the new update, and it seems to be quite a lot faster when navigating between pages, posts, and other sections of the admin area. If you are running an old outdated version of WordPress, then it’s best we have a look first at your theme to make sure it won’t be corrupted when upgrading to WordPress 3.8.

If you wish to have us upgrade your old site to the new 3.8 WordPress then please contact us.