It happens. It’s a risk you run by having a site on the World Wide Web. And between system-wide updates and heavy reliance on plugins, WordPress is a frequent target of hacks.
But there’s good news – you’re not alone! Because WordPress is so widely used, there are plenty of resources out there to help prevent and clean up hacks.
Being a custom WordPress website builder, hayWire has seen it all. Here are the three most common questions we receive regarding WordPress hacks:
You’re probably thinking, “Who would want to hack a five-person company located in small-town Nebraska? My site is not eCommerce and there’s no sensitive information that the hacker could gain from.”
Little do you know, you still have something to offer to them.
The first thing you should know: these hacks are rarely manual. They’re carried out by automated systems (we call them robots, or ‘bots’) that make relentless attempts to gain access to your site. They’re typically after two things:
They want to collect emails through your contact form submissions and spam or sell them.
They want to install malicious software on your site that will be automatically downloaded onto the viewer’s computer.
How do I know if my site has been hacked?
The signs are there. The layout has changed and you are denied access to pages that you once had control over, making you suspicious that you’ve been the latest victim of a WordPress hacking. Start by plugging your URL into a free website malware and security scanner, like this one. If the results solidify your suspicions, the easiest and quickest way to get your site cleaned up and secure for its users is to purchase a plan with a malware removal company, such as Sucuri. They’ll remove all malicious files from your site and get you back on your way in no time.
What can I do to prevent future hacks?
1. Be picky when it comes to hosting.
Try to find a host that specializes in WordPress security and that helps with malware cleanup in the unfortunate event that your site does get hacked. We recommend the well-known local company Flywheel, as malware cleanup is included in the monthly fees.
2. Do people really still use “password” as their password?!
Unfortunately, the answer is yes. A strong password should consist of at least eight characters and mix uppercase and lowercase letters, numbers, and symbols (e.g. $, %, &, *). I use a strong password generator to make sure I pass the test with flying colors. And unless you’re the Rain Man, I don’t expect you to remember your unique password for every login you have. That’s where LastPass comes into play (look into this, it will save you boatloads of time and keep you organized).
3. Your username deserves some attention, too.
It’s not just about a strong password; your username should be unique as well. Whatever you do, promise me you won’t use any of the following: Admin, [Name of Your Company], or [Your Website URL]. These are commonly used by the bots while attempting to gain access to your site. Need some proof? Check out a screenshot pulled from the hayWire WordPress dashboard of failed login attempts.
Good try, bots, good try.
4. WordPress updates aren’t just suggestions.
Every six months or so, WordPress releases an updated version that includes security patches, bug fixes, and sweet new features that make our lives easier. Before jumping the gun on this one, be sure to check in with your developer to see if the update could cause detrimental breaks to your site. We recommend creating a duplicate of your site, updating this new version while it’s still in test mode, fixing any breaks caused by the update, and then pushing this updated site live in place of your previous one. Sure, this takes extra time, but it ensures that your site is secure and is functioning to the best of its ability!
5. An outdated plugin is a vulnerable plugin.
There are few things that I find more overwhelming than seeing the seemingly never-ending notifications for plugin updates on a WordPress dashboard. And as much as I wish we could just ignore them, I don’t recommend doing so. Just like the WordPress update, plugin updates come with a purpose, such as bug fixes and enhanced security. If it’s a plugin that your site heavily relies on (such as a WooCommerce Subscriptions plugin), we highly recommend creating a duplicate site to perform the update on before pushing it live.
Do you have more questions about WordPress hackings? We have answers.