In this edition of WordPress Wednesday, I want to talk about something that unfortunately many bloggers overlook until it’s too late. WordPress security is just one of those things that we put off or never even think about until the day our site actually gets hacked and we’re scrambling to figure out what happened.
In order to help you avoid going crazy trying to figure out why your blog is redirecting to a site selling diet pills, I’ve written up this guide about WordPress Security. This WordPress Wednesday will be broken up into two parts. Part 1 will go over how WordPress blogs get hacked, different types of hacks, and how to prevent them.
How Do WordPress Blogs Get Hacked?
First and foremost, I have to address some of the different ways that blogs running on WordPress even get hacked in the first place. I don’t want to scare you or make you worry unnecessarily, but because of WordPress’ popularity, it’s a huge target for hackers. This section will help shed some light on how blogs running WordPress get hacked as well as what you can do to prevent it.
Outdated and poorly coded plugins are probably the most frequent problems that lead to hacked blogs. Does that little update notification in your WP dashboard show 10 updates pending? That could very well be your blog’s downfall. Since hackers are always finding new exploits and ways to get into your blog’s files, plugin developers constantly have to update their products to be protected.
When plugins aren’t getting updated, they’re vulnerable to new hacks and loopholes used by hackers. And of course if the plugin wasn’t coded very well to begin with, it’s going to be susceptible to exploits right out the gate.
The fix: In order to prevent your blog from getting hacked because of plugins, make sure you’re constantly updating them. You should be logging into your WP Admin Dashboard regularly, even if you don’t make new posts frequently. Also, avoid downloading plugins that haven’t been updated since 2001. Well, it doesn’t have to necessarily be that long ago, but you get the point.
Do you get all of your premium WP themes from torrents or “Free Premium Themes” sites? If so, then you’re exposing your blog to every hack there is. Oftentimes the people who upload these pirated themes insert code into the theme’s files without you ever knowing. This could lead to:
- Backlinks from your blog to their sites
- Redirect scripts
- Trading out your Adsense code for their own
And just like with plugins, you want to make sure your themes aren’t outdated so that they’re well defended against any new hacks or exploits.
The Fix: Don’t use pirated themes or plugins! Saving $30 or so isn’t worth the potential damage you’re doing to your blog. Having thousands of links going from your site to an X-Rated or pharmaceutical site could absolutely ruin your rankings. And as you’ll see later when I talk about different types of hacks, it could decrease your traffic tremendously.
How easy is it for people to gain access to your site’s files? Do multiple people have your FTP information? Does your blog have multiple users with admin access? Some WP blogs get hacked simply because it’s so easy for hackers to get access to places that only you should be able to get to.
The Fix: Basically, don’t make it easy for hackers. As the blog owner, you’re the only person who should have the Admin user role. Any other users should be contributors, editors, or another role. Also, make sure you’re setting strong passwords for your WP login and FTP access. If your site is wordpressrules.com, don’t make your password wordpressrules. You might laugh, but at least one person reading this is about to change their password!
Something that some bloggers don’t think about is the security of their web host. Most major web hosts like Hostgator, Dream Host, HostMonster, and Blue Host typically put security at the forefront. But there is always a chance that their servers could get hacked, which would put your blog in danger.
A lot of first time bloggers go with shared hosting when starting out. It’s the cheapest hosting option available and is more than sufficient for most bloggers starting out. However, being on a shared server means that you not only have to worry about your own site’s security, but also the security of the other sites hosted on the same server.
The Fix: Make sure you’re using a highly rated web host like the ones mentioned above. If you ever have any security breaches on your site, contact your host as soon as possible because the cause could be something on their end that will affect other users as well. As your site gets more traffic and your needs change, you might want to consider switching to a VPS, where your site runs on its own virtual server. This means you don’t have to worry about other webmasters who might not be as conscious about security as they should be.
Your computer itself could be the cause of your WP blog getting hacked. If you get infected with a keylogger and a hacker figures out your login info, you’re going to have a big headache on your hands. Hopefully you’ll detect any virus or spyware on your computer before the damage is done.
If your computer ever gets hacked, chances are you probably never even considered the fact that your blog could have been compromised. But hey, that’s the point of this post, to help you become aware of the threats to WP security.
The Fix: Use antivirus software and make sure you’re running security checks regularly on your computer. If your computer does get infected, make sure you don’t log in to WP from the same device until it’s been cleaned.
Now that I’ve touched on some of the common ways that WordPress blogs get hacked, I want to talk a little bit about the more technical aspects of it. Specifically, I’m talking about the actual hacks or exploits used on WordPress sites.
Here are some of the most frequent types of hacks that WP blogs experience:
Redirects: These infections cause your site to redirect visitors to another website upon visiting your URL. Remember when I said not to download pirated themes? This is a very common effect of using pirated themes that have redirect scripts hidden within the theme’s code.
Pharma Hacks: This infection is actually a form of spam. Pharma hacks involve inserting code into your site that is visible to search engines, or shown conditionally based on criteria set by the hacker. The links generally go to pharmacy sites that sell Viagra, Cialis, and other drugs; hence the name “Pharma”. Pharma hacks are extremely harmful to your blog’s SEO because the anchor text has nothing to do with your blog (assuming your blog isn’t about prescription drugs). You can run a check of your site using Sucuri SiteCheck, but since pharma hacks aren’t classified as malware, it may not detect them.
Backdoors: Backdoors are something that every webmaster should be aware of. They allow hackers to access your site’s files through your Admin dashboard, FTP, and other methods they shouldn’t have access to. This is where the accessibility issues I mentioned earlier come into play. On shared servers, a backdoor can be extremely damaging. Backdoor attacks are usually a result of plugins and themes that don’t get updated. You may remember the TimThumb issue that occurred a while ago that made it possible for hackers to get backdoor access to tons of blogs. I’ll leave it to your imagination to think of all of the damage a hacker can do to your site if they have access to your WP-Admin and FTP.
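As an added, defender-side illustration (not code from the original post), the script below walks a theme or plugin directory and flags the kinds of injected code described above: obfuscated eval() calls, hard-coded redirects, and hidden link blocks of the sort a pharma hack leaves behind. The indicator list is a starting checklist rather than a complete scanner, and the sample theme files it builds in a temporary directory are constructed for this example.

```python
import os
import re
import tempfile

# Indicators commonly seen in tampered theme/plugin files. This list is an
# assumed starting checklist for this example, not an exhaustive signature set.
INDICATORS = [
    ("obfuscated-eval", re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
    ("php-redirect", re.compile(r"header\s*\(\s*['\"]Location:\s*https?://", re.I)),
    ("js-redirect", re.compile(r"(window\.location|location\.href)\s*=\s*['\"]https?://", re.I)),
    ("hidden-links", re.compile(r"display\s*:\s*none[^>]*>\s*(<a\s[^>]*>.*?</a>\s*){2,}", re.I | re.S)),
    ("remote-include", re.compile(r"(include|require)(_once)?\s*\(?\s*['\"]https?://", re.I)),
]

def scan_file(path):
    """Return a list of (indicator_label, line_number) hits for one file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    hits = []
    for label, rx in INDICATORS:
        for m in rx.finditer(text):
            hits.append((label, text.count("\n", 0, m.start()) + 1))
    return hits

def scan_theme(root):
    """Walk a theme/plugin directory; return {relative_path: hits} for files with hits."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith((".php", ".js", ".html")):
                full = os.path.join(dirpath, name)
                hits = scan_file(full)
                if hits:
                    findings[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return findings

def demo():
    """Build a constructed theme with one clean and two tampered files, then scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "inc"))
    samples = {  # constructed sample files, not from any real theme
        "index.php": "<?php get_header(); ?>\n<h1>Hello</h1>\n",
        "footer.php": "<div style=\"display:none\"><a href=\"http://example.invalid/a\">buy pills</a>"
                      "<a href=\"http://example.invalid/b\">more pills</a></div>\n",
        "inc/functions.php": "<?php\nadd_action('init', 'x');\neval(base64_decode('aGVsbG8='));\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_theme(root)
```

Run scan_theme() against a copy of a theme you just downloaded and compare the result with a clean copy from the official directory; any hit deserves a look before the theme goes live.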