Your website could fall victim to hacking! And here’s why.
Most (if not all) WordPress websites come under “brute force attack” – day in and day out, one-after-another attempts to break into your website. You may not have known this, but YOUR site is probably being attacked right now as you read this! Yikes!
Let’s look at the who, what, why, where, and when of this issue.
Attacks come from all over the world, including the good ol’ USA. And it’s virtually impossible to know exactly who is doing it. I can tell you that these attacks are mostly coming from compromised computers and websites. When a computer or website is compromised it becomes a “bot” (think robot). When hackers get many bots they then have a network called a “botnet.” It all sounds so Battlestar Galactica. Many times people are not even aware that their WordPress website has been compromised. If you have not taken proper precautions for your WordPress website’s security, it could be doing nasty things to others’ websites.
So ultimately… YOU could be the unwitting attacker.
A bot or botnet goes to your login page for your WordPress website many times a day – even hundreds of times a day. Using hacking programs, it tries constantly to figure out your login and password. Once it gains access to the back end (the administrative area) of your website, it can do as little as add some code to the top of your template files, but it could also change your password and lock you out. Again, once your website is breached, it becomes part of the botnet. Okay, now I’m thinking of the Borg from Star Trek: The Next Generation (“Assimilate.”)
There are many reasons why hackers want your website, ranging from collecting personal information, to redirecting viewers to fake websites to capture logins and passwords, to creating automated large-scale attacks on security systems (check out this fascinating graphic of major corporations whose security has been breached). So you may wonder, “why would anyone want to hack my little ol’ website?” The answer is your website could become a cog in a very large machine. Or… a bot in a botnet.
These attacks can come from all over the world. Wordfence Security shows a real-time map of attacks happening around the world to websites that are using their security plugin. It’s fascinating to watch. As of the time I am writing this, there are 6,579 attacks per minute happening to WordPress websites that have the Wordfence plugin. Just imagine how many more attacks are happening to websites that are not using this security plugin! Wordfence says they can only display 7% of the attacks at any given time because to show them all would overload your browser.
These attacks are happening all day and all night. And every day. Since the attacks are carried out by these botnets, they don’t need to sleep or take breaks; they are insidious.
There Are Steps You Can Take
The User Name for Your Website
Do not use “admin” or “Administrator” for your user name. These are the most tested user names by the bots. Keep in mind that if they get your user name, you are halfway to hacksville. Another popular username is your domain name; so don’t use that either. Use combined words that only have meaning to you; not phrases, but combine words that may not normally go together.
The Password for Your Website
There is a LOT of information out there about the do’s and don’ts of passwords for WordPress websites (or any account for that matter). I also addressed this in a previous article called “Passwords and Hacking Prevention.” Take a look at that article for ideas on how to create a strong password.
My clients know that when I make their passwords, they will be unhappy. Why?
Because it’s not going to be one they can memorize; and the passwords I create are a pain in the posterior to type given all the special characters, numbers, etc. that I incorporate. But this is how it must be. Gone are the days when we could use one easy-to-remember password for every account we have. If you’re breaking out in a sweat as you type in your password, you’re on the right track!
There is a bit of variance in rankings of the WORST passwords, meaning most easily hacked, but this list from SplashData, a password security service, is the most comprehensive. The top three worst are:
But check out SplashData for the full list.
In a nutshell:
- Do use 8 or more characters
- Do use all of these: special characters, numbers, upper and lower case letters
- My own secret: most characters typed on the keyboard are done with the left hand. So try to work more right-handed characters into the password. Think about it. Why is the keyboard referred to as QWERTY? Those are left-handed letters (except for the Y). That, and it’s easier to say than YUIOP.
- Do NOT use the same password as you have in other accounts. Every password should be unique.
I have one other pain-in-the-tukhus thing to add. Put yourself on a regular schedule to change your password about every 3 months. The new password should be just as hard to remember as the previous one. Sorry.
Sucuri provides website antivirus and firewall protection, malware detection, cleanup and prevention. Install it and keep it up-to-date as part of your arsenal against hacking. Not only does it protect you against code exploitation, but if you didn’t have it installed previously and got hacked, Sucuri offers tools to clean up your website.
Wordfence does many of the same things that Sucuri does, but their tack is a bit different. I use both of these in tandem on all my clients’ websites. Wordfence allows you to set how many times someone can attempt to log into the site with incorrect information before they are blocked either forever or for some amount of time. You don’t want to be too strict on some of that because if you’re like me, it’s easy to mistype a hairy password more than once.
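The login-attempt limit described above, applied to the repeated login-page hits described earlier, as an added example (not Wordfence’s code and not from the original article). It assumes stock WordPress behaviour, where a failed POST to wp-login.php returns 200 and a successful one redirects with 302; the log lines, IP addresses, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined access-log format: ip, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def find_lockouts(log_text, max_failures=5, window=timedelta(minutes=5)):
    """Return {ip: time of the failed login that reached the threshold}."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    lockouts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?")[0] != "/wp-login.php":
            continue
        ip = m["ip"]
        if m["status"] == "302":      # assumed: redirect means successful login
            recent[ip].clear()        # a good login resets the counter
            continue
        if m["status"] != "200" or ip in lockouts:
            continue                  # assumed: 200 means the form came back with an error
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:     # forget failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            lockouts[ip] = ts
    return lockouts

def _line(ip, hhmmss, status):
    # Builds one constructed log line; IPs are from documentation ranges.
    return (f'{ip} - - [12/Mar/2024:{hhmmss} +0000] '
            f'"POST /wp-login.php HTTP/1.1" {status} 4521 "-" "-"')

# Constructed sample: a bot guessing every 2 seconds, and a person who
# mistypes twice, logs in, then mistypes once more later.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", f"10:00:{s:02d}", 200) for s in (1, 3, 5, 7, 9, 11)]
    + [_line("198.51.100.20", t, s) for t, s in
       (("10:01:00", 200), ("10:01:20", 200), ("10:01:45", 302), ("10:02:10", 200))])

if __name__ == "__main__":
    for ip, when in find_lockouts(SAMPLE_LOG).items():
        print(f"lock out {ip} at {when:%H:%M:%S}")
```

With the default of 5 failures only the bot is locked out; dropping `max_failures` to 2 also locks out the person who mistyped twice, which is the "too strict" case.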
And one other…
IQ Country Block allows you to block out entire countries from the front and the back ends of your website, and view countries/IP addresses that are accessing your website in real time. If you do business in other countries, you’ll want to be careful with this one, but if you work solely with U.S. clients, then you can set this plugin to block all other countries from your site. This isn’t 100% effective, but it really does put a dent in the nefarious activity.
All of these have very good features for free; Sucuri and Wordfence also offer more premium options. I have been using the free versions for a long time now and have been very happy. It just depends on your needs for your site.
There are many other security plugins out there, but when I talk with other WordPress website developers, these always get a mention.
To Sum Up
- Just assume your WordPress website is being attacked regularly.
- Create a difficult user name and password.
- Schedule yourself every 3 months to change your password to something equally hairy.
- Add security plugins to help protect your website from infiltration.
- Keep all plugins, WordPress versions, themes and anything else associated with your site up to date. Don’t let those updates slide for a while because when an update is issued, there’s usually a good reason for it. Nudge nudge.
Have you ever been hacked? Share your thoughts below!
If you have any questions on any of this information or are concerned about your own site, please give me a call at 630.254.2301 and we can talk about your situation.