As WordPress becomes more and more popular as a content management system, it also attracts undesired attention from hackers across the globe. With so many WordPress sites active on the web, it is easy for hackers to locate them by consistencies in the way WordPress is set up. These include:
- content stored in the wp-content folder
- wp prefix on the WordPress database
- the same login page for all sites (wp-login.php)
- the location path of the admin area (wp-admin)
- the user ID of the admin account
- and, most commonly, the main administrator username being set as admin
By running a few simple searches, a hacker can quickly find sites running off WordPress.
How Hackers Target WordPress Sites
Brute Force Login
A very common hack attempt is the brute force login. This is where hackers locate the wp-login.php page and run scripts in an attempt to log in as an administrator. This usually involves using the username “admin” and then, by the use of scripts, populating the password field with dictionary-based words and number combinations. This can be quite successful considering how many people these days still use admin/password123 or similar easy-to-crack combinations.
With thousands of free themes and plugins available and the majority no longer maintained, many sites are left with backdoors waiting to be exploited. Hackers can locate these backdoors and use them to install scripts or malicious code on your website. It is best practice to use paid themes and plugins that are kept updated, or popular items that also have regular updates.
Incorrect permissions on files and folders can lead to hackers modifying your WordPress install. Ensure the correct file and folder permissions are set up on your installation. Folders should be set to 755 and files set to 644.
Many hackers will inject malicious code into the head of WordPress PHP files. This code can be hard to find and can also be injected into every single PHP file on your site, making it near impossible to find and remove. The best solution is to start fresh with a clean install of WordPress and migrate your content over.
How to prevent your WordPress site from being hacked
There are a number of ways to help prevent your site from being hacked. Following a few simple rules will give your site the best chance of avoiding a future hack.
1. Remove any generic settings associated with WordPress.
- Change the admin user ID from 1 to another number
- Do not use “admin” as your administrator username
- Change the prefix of your WordPress database
- Prevent users from logging in as “admin”
- Limit the number of failed login attempts
- Hide the location of wp-login.php and the wp-admin folder
- Change the path for wp-content
- Ensure file permissions are set up correctly
- Disable PHP from being executed from wp-content/uploads
The above might sound like a lot to do, and it is if you do it manually. Thankfully there is a plugin that can take care of all this for you. WP Better Security is a free plugin that will greatly strengthen your security settings with the click of a few buttons.
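The permission rule given earlier (folders 755, files 644) and the wp-content/uploads item in the list can also be checked from a shell. The script below is an added example, not part of the original article or of any plugin; the function names and the /var/www/html path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: audit a WordPress tree against the article's rules
# (folders 755, files 644, no PHP under wp-content/uploads).
# All function names are chosen for this example.

# Directories whose mode is not exactly 755.
wp_bad_dirs() {
    find "$1" -type d ! -perm 755 -print
}

# Regular files whose mode is not exactly 644.
wp_bad_files() {
    find "$1" -type f ! -perm 644 -print
}

# PHP files inside wp-content/uploads, matched case-insensitively.
# Uploads normally holds media, so each hit should be reviewed.
wp_upload_php() {
    [ -d "$1/wp-content/uploads" ] || return 0
    find "$1/wp-content/uploads" -type f -name '*.[pP][hH][pP]' -print
}

# Print one labelled line per finding.
# Returns 0 if clean, 1 if anything was found, 2 on a bad argument.
wp_audit() {
    if [ ! -d "$1" ]; then
        echo "not a directory: $1" >&2
        return 2
    fi
    out=$(
        wp_bad_dirs "$1"   | sed 's/^/DIR-MODE   /'
        wp_bad_files "$1"  | sed 's/^/FILE-MODE  /'
        wp_upload_php "$1" | sed 's/^/UPLOAD-PHP /'
    )
    if [ -z "$out" ]; then
        return 0
    fi
    printf '%s\n' "$out"
    return 1
}

# Usage: sh wp-audit.sh /var/www/html   (path is an assumed install location)
if [ $# -gt 0 ]; then
    wp_audit "$1"
fi
```

The non-zero exit status on findings lets the script run from cron or a deployment check and alert only when the tree drifts from the expected modes.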
2. Keep your WordPress site updated
WordPress regularly releases new versions which often contain crucial bug fixes and updates. It is essential that WordPress is kept up to date to avoid any security breaches.
3. Keep your WordPress theme updated
4. Keep plugins updated
It is recommended that you take a backup of your database and website before any major updates to avoid any data loss. Backups should be taken regularly anyway, but be sure you aren’t backing up a site that has already been compromised.
Author: Matt Ascough
Matt runs m2media, a Brisbane Web Design company specialising in WordPress Design and Development. For more information or assistance with either preventing your WordPress site from being hacked, or fixing hacked sites, please contact m2media.