WordPress is frequently targeted by hackers who aim at the theme, core WordPress files, plugins, and even the login page.
Here are steps to reduce the likelihood of getting hacked and to recover more easily if it happens.
How Hackers Attack WordPress
All websites, whether a phpBB forum or a WordPress site, are under constant attack from hackers. It’s not unusual for a hacker to scan thousands of pages or attempt hundreds of logins daily. And that’s just one hacker; multiple hackers often attack sites simultaneously.
Typically, it’s automated software, not a person, trying to hack you. Hackers use automated programs, called bots, to probe the web for specific weaknesses. To distinguish them from content-scraping bots, I refer to them as hacker bots.
Secure Your WordPress Site With a Firewall
A firewall is a software program that blocks intruders. One highly recommended WordPress firewall is a plugin called Wordfence.
Wordfence checks if a website visitor’s behavior matches that of an abusive bot. If the bot breaks certain rules, like requesting too many web pages within a short time, Wordfence will automatically block it.
Wordfence is also programmed to allow legitimate bots like Google and Bing.
Advanced features let a publisher see which bots are attacking a site and identify where they are coming from. Wordfence allows blocking bots by their IP addresses, entire IP address ranges, or even by fake browser user agents.
About User Agents (UA)
A user agent is identifying information a browser sends to a website, indicating what browser (e.g., Chrome, Firefox) and operating system (e.g., Windows 10, Mac OS X) it is using.
For example, this is a user agent string for a Safari 11 browser on a Mac OS X computer:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 Safari/605.1.15
Bots use various user agents to fool websites and sneak in. Some even pretend to be browsers on outdated systems like Windows XP.
The actual number of real users on Windows XP is close to zero. With Wordfence, you can create a rule to block all user agents with Windows XP, effectively blocking thousands of bad bots.
Bad bots might respond by changing their user agents, but combining different rules increases the chances of blocking a wide range of bad hacker bots.
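The two kinds of rule described above (blocking a client that requests too many pages in a short window, and blocking any client whose user agent claims to be Windows XP) can be checked offline against a web server access log. The following is an added example, not code from this article or from Wordfence: it parses constructed lines in the combined log format, flags IPs that exceed a request-rate threshold inside a sliding window, and flags user agents that report Windows NT 5.1/5.2 (the kernel versions Windows XP announces). The crawler allowlist matches on the user-agent string only, which is a simplification; a fake Googlebot would pass it, so real firewalls also verify crawlers by reverse DNS. The IP addresses, paths and thresholds are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Windows NT 5.1 is what Windows XP reports; 5.2 is XP x64 / Server 2003.
XP_MARKERS = ("Windows NT 5.1", "Windows NT 5.2")
# Crawlers exempt from the rate rule. String matching alone is spoofable (assumption
# for this example); production tools also check the crawler's reverse DNS.
ALLOWED_CRAWLERS = ("Googlebot", "bingbot")


def parse_line(line):
    """Return a dict with ip, ts (datetime), req, status, ref, ua; None if not parseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def evaluate(lines, max_requests=10, window_seconds=10):
    """Return {ip: set(reasons)} for every client that breaks a rule."""
    flagged = defaultdict(set)
    recent = defaultdict(deque)  # ip -> request timestamps still inside the window
    window = timedelta(seconds=window_seconds)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on them
        ip, ua, ts = rec["ip"], rec["ua"], rec["ts"]
        if any(marker in ua for marker in XP_MARKERS):
            flagged[ip].add("windows-xp-user-agent")
        if any(bot in ua for bot in ALLOWED_CRAWLERS):
            continue  # allowlisted crawler: no rate check
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop requests that fell out of the sliding window
        if len(q) > max_requests:
            flagged[ip].add("request-rate")
    return dict(flagged)


def _line(ip, second, path, ua):
    """Build one constructed log line (all timestamps on the same minute)."""
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'200 512 "-" "{ua}"')


UA_SAFARI = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/605.1.15 "
             "(KHTML, like Gecko) Version/11.1.2 Safari/605.1.15")
UA_XP = "Mozilla/5.0 (Windows NT 5.1; rv:33.0) Gecko/20100101 Firefox/33.0"
UA_GOOGLE = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Constructed sample traffic (documentation IP ranges, not real visitors).
SAMPLE_LOG = (
    [_line("198.51.100.7", 1, "/about/", UA_SAFARI),          # ordinary visitor
     _line("203.0.113.5", 2, "/wp-login.php", UA_XP)]         # claims Windows XP
    # one client fetching 15 plugin paths within 5 seconds
    + [_line("203.0.113.9", 10 + i // 3, f"/wp-content/plugins/p{i}/", UA_SAFARI) for i in range(15)]
    # a crawler fetching just as fast, but on the allow list
    + [_line("192.0.2.50", 20 + i // 3, f"/post-{i}/", UA_GOOGLE) for i in range(15)]
)

if __name__ == "__main__":
    for ip, reasons in sorted(evaluate(SAMPLE_LOG).items()):
        print(ip, ", ".join(sorted(reasons)))
```

Feed a real log to `evaluate()` one line at a time and the result is the list of addresses a Wordfence-style rule set would have blocked; tuning `max_requests` and `window_seconds` against your own traffic is the part that separates a bot rule from a rule that blocks your readers.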
This is all possible with the free version of Wordfence. The paid version can block entire countries, which is useful if you don’t have legitimate visitors from certain places.
WordPress Defense Against Exploits
The paid version of Wordfence protects against many compromised themes and plugins before they are fixed. Once Wordfence researchers identify an exploit, they update the premium firewall to protect subscribers, potentially weeks before the theme or plugin developers fix the issue.
Website Security Hardening
Another free plugin that adds an extra layer of protection is Sucuri Security, owned by GoDaddy. Sucuri helps harden WordPress security and has a malware scanning feature that checks if files have been altered.
Sucuri will alert you every time someone logs into your site, helping identify if a hacker is present. It can also notify you if a file has been changed, which is a common hacker activity.
Features of the free Sucuri plugin include:
- Security Activity Auditing
- File Integrity Monitoring
- Remote Malware Scanning
- Blacklist Monitoring
- Effective Security Hardening
- Post-Hack Security Actions
- Security Notifications
The paid version includes a website firewall.
Limit Logins to Your Site
Wordfence can block bots repeatedly attempting to log in. To specifically limit logins, the Limit Login Attempts Reloaded plugin can automatically block hackers after a set number of failed login attempts.
For example, you can set it to block after three failed attempts to guess the password. Features include:
- Customizable retry limits
- Informing users of remaining retries or lockout time
- Optional logging and email notifications
- Whitelisting/blacklisting IPs and usernames
- Compatibility with the WooCommerce login page and multi-site setups
- GDPR compliance
- Support for custom IP origins
The plugin provides a fast way to shut down bots trying to guess passwords.
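The mechanism behind a login limiter is a small amount of state per client: a count of recent failures, a lockout expiry, and an allowlist that is exempt. The following is an added example, not the Limit Login Attempts Reloaded plugin's code: it locks an IP out after three failed attempts (the setting the text uses as its example), reports remaining retries and lockout time in the way the feature list describes, and lets the lockout expire. The credential check is a callback so the limiter stays independent of how passwords are stored; the addresses, username and password are constructed.

```python
import secrets
from collections import defaultdict
from datetime import datetime, timedelta


class LoginLimiter:
    """Per-IP failed-login tracking with a timed lockout and an allowlist.

    Constructed to illustrate the mechanism; it is not the plugin's code.
    """

    def __init__(self, max_retries=3, retry_window_minutes=20,
                 lockout_minutes=20, allowlist=()):
        self.max_retries = max_retries
        self.retry_window = timedelta(minutes=retry_window_minutes)
        self.lockout = timedelta(minutes=lockout_minutes)
        self.allowlist = set(allowlist)
        self.failures = defaultdict(list)  # ip -> timestamps of recent failures
        self.locked_until = {}             # ip -> datetime the lockout ends

    def _prune(self, ip, now):
        """Forget failures older than the retry window."""
        self.failures[ip] = [t for t in self.failures[ip] if now - t <= self.retry_window]

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]  # lockout expired
            return False
        return True

    def remaining_retries(self, ip, now):
        self._prune(ip, now)
        return max(0, self.max_retries - len(self.failures[ip]))

    def attempt(self, ip, username, password, now, check_credentials):
        """Return (allowed, message). check_credentials(username, password) -> bool."""
        if ip in self.allowlist:
            return (check_credentials(username, password), "allowlisted")
        if self.is_locked(ip, now):
            wait_minutes = int((self.locked_until[ip] - now).total_seconds() // 60)
            return (False, f"locked out; try again in {wait_minutes} minutes")
        if check_credentials(username, password):
            self.failures[ip].clear()  # a successful login resets the counter
            return (True, "ok")
        self._prune(ip, now)
        self.failures[ip].append(now)
        left = self.max_retries - len(self.failures[ip])
        if left <= 0:
            self.locked_until[ip] = now + self.lockout
            self.failures[ip].clear()
            return (False, f"locked out for {int(self.lockout.total_seconds() // 60)} minutes")
        return (False, f"{left} retries remaining")


def demo():
    """Constructed scenario: three wrong guesses from one IP, then the right password."""
    def check(user, pw):
        # Constant-time comparison against a constructed credential.
        return user == "editor" and secrets.compare_digest(pw, "correct horse battery staple")

    limiter = LoginLimiter(max_retries=3, lockout_minutes=20, allowlist={"203.0.113.10"})
    t0 = datetime(2023, 10, 10, 13, 55)
    log = []
    for i, pw in enumerate(["guess1", "guess2", "guess3", "correct horse battery staple"]):
        log.append(limiter.attempt("198.51.100.7", "editor", pw,
                                   t0 + timedelta(seconds=i), check))
    # Same client after the lockout has expired.
    log.append(limiter.attempt("198.51.100.7", "editor", "correct horse battery staple",
                               t0 + timedelta(minutes=21), check))
    # An allowlisted address is never locked out, but still needs the right password.
    log.append(limiter.attempt("203.0.113.10", "editor", "wrong", t0, check))
    return log


if __name__ == "__main__":
    for allowed, message in demo():
        print("allowed" if allowed else "denied", "-", message)
```

Two details matter in practice: the correct password is refused while the lockout is active (attempt four above), which is what stops a bot from simply continuing to guess, and the limiter needs to see the real client address, so behind a proxy or CDN the server must be configured to trust the forwarded-IP header from that proxy only, or every visitor shares one IP and one lockout.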
Backup Your WordPress Site
Creating a daily backup of your website is crucial. Solutions like UpdraftPlus WordPress Backup Plugin, trusted by over two million users, can automatically email or send backups to cloud storage like Dropbox.
With a backup, even if you accidentally delete critical files, you can restore your site to its previous state.
Update All Themes and Plugins
Updating all themes and plugins is essential. WordPress has an auto-update feature for plugins that ensures your software is up-to-date, reducing the risk of hacking due to outdated plugins.
Beware of Abandoned Plugins
Be cautious of plugins that keep working for years after their developers have abandoned them. These may contain vulnerabilities that won’t ever be fixed. Hackers sometimes buy old plugins and update them with malware. Regularly check that your plugins are actively maintained and updated.
Protect Your WordPress Site from Hackers
By taking these steps, many sites can remain secure. Free versions of security plugins like Wordfence and Sucuri provide substantial protection, with premium versions offering even more.
There are many security-type plugins, and some of them have vulnerabilities themselves. Wordfence and Sucuri are top choices for WordPress security.
Citations
WordFence Security
Sucuri Security
Limit Login Attempts Reloaded
UpdraftPlus
Image Credits: Paulo Bobita