Is My WordPress Website Likely to Get Hacked?

I recently had a client who insisted that her WordPress install be made completely and utterly hack-proof. She wasn’t very pleased with me when I said that wasn’t possible.

I have heard people argue that WordPress isn’t the best platform for security because it is open source, which means hackers can easily download the full software and look for the holes in its security.

In other words, if you build a WordPress website then you are asking for trouble.

I don’t think that’s the case or ever has been the case.

Let’s start with the “total security” aspect. What’s the worst that can happen to your WordPress website? Here are some of the most common problems that can either take your site down completely or cause a whole heap of problems that you’d rather avoid.

Issue #1: Hacked Website

Getting your website hacked is definitely the most feared of all potential WordPress website issues. You don’t want someone inside your site messing around and breaking things. It’s a lot like letting a teen hold a party in your house when you are on holiday… I bet you are cringing at the thought of someone vomiting in your plants and smashing your ornaments ;)

A hacker can do any number of things to your website:

  • Add unwanted links that you can’t see.
  • Add unwanted links that you can see.
  • Add viruses that attack your visitors’ computers.
  • Delete your site completely (and even replace it with a nice “You’ve been hacked by XXX” message complete with a skull and crossbones image).
  • Delete website and content files.
  • Take control of your site and lock you out.
  • Insert malware.
  • Add rogue code.

Issue #2: Hosting Company Issues

Every website is hosted on a computer. And we all know that a computer, as a piece of man-made technology, can sometimes go wrong. Please don’t make the mistake of relying totally on your hosting company to protect your site and expecting that they’ll never have any technical issues.

The vulnerable part of your hosting company is the server where they host your website. It could crash, get hacked or even be required to shut down. When my host has upgrades, they let us know in advance of any potential outages. Technical issues can happen when servers are moved and new software is installed.

Recently I had a client lose her site during “routine maintenance”. Her hosting was based in the US, where it was 3am. In the UK, where my client was based, it was 11am… her host thought it was acceptable and reasonable to do maintenance work at 3am when everyone was asleep… it was my client’s peak period and her website wasn’t working.

The hosting company knew the maintenance was coming, they completed their work within a few hours and things went back to normal. However, if a company has an unexpected server problem, the damage can be much more unpredictable and longer-lasting. You could end up losing valuable data or even your whole website if you don’t have a recent backup.

It’s not unheard of for a server to overheat or catch fire. This could happen for various reasons, but as far as you’re concerned, it’s once again an unexpected issue that can lead to total disaster if you’re not prepared. If you’re prepared (that means having backups) it can be just an inconvenience. You’re in charge of whether it will be a disaster or an inconvenience, starting right now.

Other potential hosting issues include poor customer service. Your needs may outgrow their capabilities, or they may not be providing the kind of quality you expect. It’s a good idea to have your backups ready and handy so that you can make a quick switch of hosts, should the need arise.

Issue #3: Someone or Something Messes Up Your Website

It could be you, or it could be your webmaster, but it’s also quite possible that your website could get inadvertently screwed up while you’re adding a plugin, upgrading a theme, or updating to the latest version of WordPress.

If you’re not prepared, you could lose your whole website. You should always back up your site before doing any kind of update! I know it’s boring and the grown-up thing to do, and you want to install a shiny new plugin right now, but back up first.
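To make “back up first” a habit rather than a good intention, here is an added example (not code from this post or from WordPress) of a small script that snapshots a site’s files and database before an update and then verifies the snapshot, so the backup you will lean on in a crisis is one that has actually been checked. It assumes GNU tar and coreutils (sha256sum); the database dump only runs when WP-CLI (`wp`) is installed and reports the site as installed, so the same script works on a bare directory.

```shell
#!/usr/bin/env bash
# Added example, not code from the post: snapshot a WordPress install before
# touching plugins, themes or core, then verify the snapshot.
# Assumes GNU tar and coreutils (sha256sum); the database dump only runs when
# WP-CLI ('wp') is installed and the directory is a working WordPress site.
set -eu

# wp_backup SITE_DIR DEST_DIR
# Writes DEST_DIR/wp-<timestamp>.tar.gz containing the site files plus, when
# WP-CLI is available, database.sql, and a matching .sha256 checksum file.
# Prints the archive path. The SQL dump is staged outside the web root so it
# never sits in a publicly reachable directory.
wp_backup() {
  local site_dir="$1" dest_dir="$2" stamp name work
  stamp="$(date -u +%Y%m%dT%H%M%SZ)"
  name="wp-$stamp.tar.gz"
  work="$(mktemp -d)"
  mkdir -p "$dest_dir"
  if command -v wp >/dev/null 2>&1 && wp --path="$site_dir" core is-installed >/dev/null 2>&1; then
    wp --path="$site_dir" db export "$work/database.sql" --quiet
  fi
  tar -czf "$dest_dir/$name" \
      -C "$(dirname "$site_dir")" "$(basename "$site_dir")" \
      -C "$work" .
  (cd "$dest_dir" && sha256sum "$name" > "$name.sha256")
  rm -rf "$work"
  printf '%s\n' "$dest_dir/$name"
}

# wp_backup_verify ARCHIVE
# Returns 0 only if the checksum still matches and the archive lists cleanly;
# a truncated, corrupted or tampered archive fails one of the two checks.
wp_backup_verify() {
  local archive="$1" dir name
  dir="$(dirname "$archive")"
  name="$(basename "$archive")"
  (cd "$dir" && sha256sum -c --quiet "$name.sha256" >/dev/null 2>&1) &&
    tar -tzf "$archive" >/dev/null 2>&1
}

# Usage before an update: bash this_script.sh /var/www/html /var/backups/wp
if [ "$#" -eq 2 ]; then
  archive="$(wp_backup "$1" "$2")"
  wp_backup_verify "$archive" && printf 'verified: %s\n' "$archive"
fi
```

Keep `DEST_DIR` outside the web root (and ideally copied off the server), because an archive that contains `wp-config.php` and a full database dump is exactly what a hacker would like to download.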

Issue #4: A Disgruntled or Clumsy Employee

This may not be an obvious issue, but it can be a real threat. Whether you work with a virtual assistant or you have an employee in your office who works on your WordPress website, you hopefully know that it’s important to limit their capabilities within WordPress to match their responsibilities (and the level of trust you have in them).

For example, there is no real reason one of your regular contributing authors should have admin rights and be able to change your site’s theme or install new plugins.

Okay, we’ve looked at the potential issues that your WordPress website might have. Let’s unpick them a bit more.

Yes, WordPress is free and hackers have easy access to it, but who are we kidding? Hackers love a challenge and they can just as easily download pirated or cloned copies of ANY website design software they want. The fact that WordPress is a free, open source platform actually makes it more secure.

Most website software programs are designed by just one company with a limited number of employees. WordPress has one creator as well, but the community that works on the program to various degrees is huge.

Thousands of people are involved in doing things like updating the software, creating plugins and making easy-to-use templates. It’s a tremendous community effort.

This means that as soon as there is a problem, someone finds it almost immediately. And when they do, the creators of WordPress work hard and fast to solve the issue, and each time, they also release a brand new Security Update.

Just compare that dedication to other companies whose updates are much less frequent, and whose community is much, much smaller, and you’ll see the advantage and value of a WordPress website.

As Bob shares here: don’t use “admin” as your login name.

Hosting. For me hosting isn’t something that should be “cheap” but something that should have excellent support and communication. Where possible its service hours and maintenance hours should be compatible with your business requirements. Things like “routine work” that happens in your peak traffic time are something you should be aware of, but they are likely to be tucked away in the small print.

Messing up your WordPress website. You are more likely to mess up your WordPress website than anyone else. You are more likely to screw something up than get hacked. Yes, you are a bigger danger to your website’s security than a hacker. Adding a rogue plugin or not configuring one correctly can cause all kinds of problems.

Another issue I frequently see is people adding and adjusting code in the framework of their site rather than in the child theme. When the framework is upgraded, the customisation is lost and they think they have been hacked…

People. People are the toughest one to write about. Like me, you might want to believe that no one could or would do something to your blog. But it’s better to be safe than sorry. Limit the access that authors and contributors have, restrict what they can do, and don’t give them admin rights unless they really, really, really need them.

As you can see, there are many variables. A combination of hosting, site admins and people going plugin crazy can cause vulnerabilities in your WordPress website, and whilst you can secure and protect your site from some of these things, you can’t protect it against all of them.

You just have to do your best when it comes to plugins and people, and be sensible about security, because it is usually a combination of all these things that makes your website vulnerable, not just using WordPress.
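The two people-related rules above (limit what authors and contributors can do, and don’t use “admin” as a login name) can be checked and enforced from the command line. The following is an added example, not code from this post or from WordPress: it drives WP-CLI (`wp`, assumed installed and run from the site root) to list who holds the administrator role, flags the default `admin` login and any administrator who is not on an allow-list you supply, demotes an account to the role its job actually needs, and replaces the `admin` account using the create-then-delete-with-reassignment steps Bob describes in the comments. The policy logic reads plain CSV so it can be exercised without a live site; the logins in the usage line are constructed.

```shell
#!/usr/bin/env bash
# Added example, not code from the post or from WordPress: a least-privilege
# audit of WordPress accounts driven by WP-CLI ('wp', assumed installed and
# run from the site root). The policy logic reads CSV so it can be tested
# without a live site.
set -eu

# Every account holding the administrator role, as CSV "ID,user_login".
wp_list_admins() {
  wp user list --role=administrator --fields=ID,user_login --format=csv
}

# flag_admin_accounts "login1 login2 ..."   (allow-list of expected admins)
# Reads "ID,user_login" CSV on stdin and prints one line per account that
# violates policy: the default 'admin' login (the first name anyone guesses)
# and any administrator who is not on the allow-list.
flag_admin_accounts() {
  local allowed="$1" id login
  while IFS=, read -r id login; do
    [ "$id" = "ID" ] && continue       # CSV header
    [ -z "$login" ] && continue
    if [ "$login" = "admin" ]; then
      printf '%s\tdefault login name: replace it with wp_replace_admin\n' "$login"
    else
      case " $allowed " in
        *" $login "*) ;;               # expected administrator, nothing to do
        *) printf '%s\tnot on the allow-list: wp user set-role %s editor\n' "$login" "$login" ;;
      esac
    fi
  done
}

# Give an account exactly the role its job needs (contributor, author, editor).
wp_demote() {
  wp user set-role "$1" "$2"
}

# Replace the default 'admin' account: create a fresh administrator, then
# delete 'admin' while reassigning its posts and pages to the new account.
# Set the new account's password afterwards with
#   wp user update <id> --user_pass=...
# or through the lost-password email.
wp_replace_admin() {
  local new_login="$1" email="$2" new_id
  new_id="$(wp user create "$new_login" "$email" --role=administrator --porcelain)"
  wp user delete admin --reassign="$new_id" --yes
}

# Usage against a live site (constructed login):  bash this_script.sh audit "sarah"
if [ "${1:-}" = "audit" ]; then
  wp_list_admins | flag_admin_accounts "${2:-}"
fi
```

Run the audit after every new hire or handover; a clean run prints nothing, and every line it does print names the account and the exact command that fixes it.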

photo credit: hojusaram



About Sarah Arrow

Sarah Arrow is the managing editor of internationally renowned Birds on the Blog, listed by Forbes (3 times) as one of the top websites for women in the world. In her day job she blogs about very unsexy transportation issues in her role as communications director of a same day courier company and social media marketing. Her goal is to get on the AdAge blog list. Her first love was Twitter, it's now G+. Shhhh! Don't tell Twitter she's left...

  • Gilbert Homes

    I really need to back up my site, after reading this you have succeeded in scaring me ;)

    • http://www.saraharrow.co.uk/ SarahArrow

       @Gilbert Homes Hey Gilbert, hope I didn’t scare you too much :)

  • http://makewebworld.com/ sanjeev.mohindra

    Security of WordPress is really important, I have also faced this issue but handling these things with a calm mindset helps a lot. I agree if you have a good backup routine, you can fight with any issue in WordPress.

    • http://www.saraharrow.co.uk/ SarahArrow

       @sanjeev.mohindra Hi Sanjeev, the key to WP success is a good back-up routine, I’ll quote you on that :)  

  • http://www.RyanHanley.com/ Ryan Hanley

    If someone deleted my WordPress site I would definitely run headfirst into a wall… 
     
    Then I would try to figure out what happened.
     
    Great resources.
     
    Ryan H.

    • http://www.saraharrow.co.uk/ SarahArrow

       @Ryan Hanley can you video the running into a wall or I won’t believe you did it ;)  
      Send me your email address btw so we can send you to get all branded up :)

  • http://www.bobwp.com/ bobWP

    This is a great post and touches on the many things that can go wrong. It gives the WordPress user some really good guidelines.

    The only other thing I would add is to make sure you keep your WordPress version, your theme and all plugins that are activated updated. When I read about major hacks most of the vulnerability is due to those three pieces not up to the latest version. Also any plugins or themes you have installed but aren’t using, delete them. They can still cause issues.
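As an added example illustrating Bob’s two rules (keep core, theme and plugins current; delete what you don’t use), not code from Bob or from this post: a WP-CLI check that reports pending core and theme updates and turns the plugin list into a to-do list. It assumes WP-CLI (`wp`) is installed on the site; the decision logic reads the CSV that `wp plugin list` produces, so it can be tested on constructed input without a live install.

```shell
#!/usr/bin/env bash
# Added example, not Bob's or the post's code: report what needs updating and
# what should be removed. Assumes WP-CLI ('wp') on the site; the decision
# logic reads CSV so it runs without a live install.
set -eu

# Core, theme and plugin update status straight from WP-CLI.
wp_update_status() {
  wp core check-update
  wp theme list --update=available --fields=name,version,update_version
  wp plugin list --fields=name,status,update --format=csv
}

# plugin_hygiene: reads "name,status,update" CSV (the last command above) on
# stdin and prints one action per plugin. Inactive plugins are deleted: their
# files are still on the server and still reachable, active or not. Active
# plugins with a pending update are updated, after a backup.
plugin_hygiene() {
  local name status update
  while IFS=, read -r name status update; do
    [ "$name" = "name" ] && continue   # CSV header
    [ -z "$name" ] && continue
    if [ "$status" = "inactive" ]; then
      printf '%s\tinactive: wp plugin delete %s\n' "$name" "$name"
    elif [ "$update" = "available" ]; then
      printf '%s\tupdate pending: back up, then wp plugin update %s\n' "$name" "$name"
    fi
  done
}

# Usage on a live site:  bash this_script.sh check
if [ "${1:-}" = "check" ]; then
  wp_update_status | plugin_hygiene
fi
```

Only the plugin CSV lines match the `name,status,update` shape; the core and theme lines printed first pass through the loop untouched because neither field test matches them, so the output is one action per plugin.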

    • http://www.saraharrow.co.uk/ SarahArrow

       @bobWP thanks Bob, and for supplying so many of the additional reading parts :)
      I find people tinkering do worse than hackers… I must drive my techy friends nuts when I break things :)

    • http://www.ipnostudio.com/ Andrea H. | The Hypnotism Weekly

       @bobWP Bob, have you ever heard about a free plugin called Bulletproof Security? It seems good and, up to now, it hasn’t scrambled my test site. Just to know your opinion. :)

  • http://www.ipnostudio.com/ Andrea H. | The Hypnotism Weekly

    Once a plugin scrambled all my site but given that I have a top hosting service they fixed everything in a matter of hours. Then I understood to go only with very popular plugins preferring those with the green label “It works”. But once an update of a popular security plugin broke my site too. I think WP team should prevent the core of WP to be touched by users so no one could break things, something like what happens with the new Windows versions. You can’t break it by chance, but being a Microsoft product it can break itself on its own. :)
     
    As for backup I usually have a full cPanel backup once a month, just to be sure. Probably it’s a silly question but is there a way to change the admin thing without another plugin?
     
    Great article Sarah.

    • http://www.saraharrow.co.uk/ SarahArrow

       @Andrea Hypno Hi Andrea, glad your host is top notch :) you could have been in trouble. Once you chose Admin I believe you are stuck with it. @bobWP  may know of a way to sort it out.  You can always change your first and last name in the user profile, then use one of those as the display name rather than admin. 

    • http://www.bobwp.com/ bobWP

       @Andrea Hypno Are you trying to actually change the admin user name? If that’s the case you will create a new username, will have to use a different password for it temporarily, then delete the admin, but making sure you assign all posts and pages to your admin name. Here is a video I have on my site that will walk you through these steps… http://www.bobwp.com/how-to-delete-your-default-admin-user/

      • http://www.ipnostudio.com/ Andrea H. | The Hypnotism Weekly

         @bobWP and SarahArrow I knew I would have received a solution. Can bloggers live without FBBB and its great writers and their always sound advice? I don’t think so.
         
        Thanks a lot. :)

  • http://www.jtprattmedia.com/ JTPratt Media

    There’s a lot of information missing here, like using a WordPress security plugin to harden your website (Better WP Security, it’s free), and how to remove malware or infected files if you’re compromised. We wrote an all-inclusive tutorial on how to get this done last year: http://www.jtpratt.com/how-to-fix-a-hacked-wordpress-blog/