On average 30,000 websites are hacked every day. Budget airline Easyjet, for example, was hacked earlier this year and hackers accessed the data of nine million customers, including the credit card details of over 2000 people. And back in 2018, 40,000 Ticketmaster customers had their details stolen too through malicious software that was sneakily inserted by hackers.
Large or small, no website is completely secure from hacking. And with people spending increasing amounts of time online during the pandemic, website hacking is on the rise and website security is now more important than ever.
Fear not though, the digital gurus at Solve are here to help. In this post, we’ll look at what hacking is and how hackers get into your site, but best of all, we’ll share the top 10 WordPress hacks to help stop you getting hacked.
What is website hacking?
Website hacking is when someone accesses your website and its data without your permission.
The most ‘popular’ hacking techniques include:
- Phishing – hackers trick users into divulging personal information or credit card details.
- Brute force – hackers try repeatedly to guess your username and password to access your site.
- Malware & viruses – hackers infect your website with data and/or files which corrupt your site.
- Cookie theft – hackers steal information-rich cookies from your website’s browser.
- Unauthorised links – hackers break into your website and add links to other sites (often adult sites or illicit products)
How do websites get hacked?
There are a number of ways hackers can gain access to your site. Sometimes your coding might be vulnerable or hackers can target weak entry points like contact forms.
According to a recent survey by Wordfence, the two most common entry points for hackers were:
1. Plugins
The survey showed that in almost 60% of website hacks, the hackers gained access through the site’s plugins. In 2020, WordPress offers a staggering 58K plugins to perform everything from security to chat features and sliders, so they can really enhance the functionality of your site. Plugins need to be updated regularly though to patch things like security vulnerabilities. And if you’re not performing the required updates, it’s easier for hackers to gain access.
Also, you need to ensure that you only download plugins from reputable sources in the first place. Look for reviews, star ratings and previous users, and choose a tried and tested version from a known developer. And using discontinued plugins is a definite no-no from a security point of view.
2. Passwords
In 16% of the surveyed website hacks, hackers used brute force to enter a site by deciphering the username and password. If you’re using an obvious, over-simplified password, you’re leaving yourself open to brute force hacks.
What happens if you get hacked?
Website hacking can negatively impact your business in a whole host of ways. Above all, hacking can be particularly damaging to your brand. For example, if your customers’ computers get infected by a virus from your site or their data is stolen, it can tarnish your reputation and their perception of your brand. And if you’ve experienced unauthorised links, your brand can be associated with the linked websites or products.
Hacking can also impact your ranking. Your website can be blacklisted by search engines like Google for malware distribution, and they can remove your site from search completely. Hacking can also get your site blocked by some internet service providers so your site won’t display for users. And even if you resolve the matter, it can take some time to rebuild trust and regain ranking.
Is WordPress vulnerable to hacking?
Every website online is at risk of hacking. WordPress is one of the most popular website systems on the internet, and its popularity and extensive use worldwide does create some vulnerabilities, making it a target for hackers.
Vulnerability 1: WordPress is the most popular target
A third of all websites online are built on WordPress, so it stands to reason that the platform would be a prime target for hackers. WordPress and the world’s top techies are aware of this though so they are constantly monitoring and updating the system to fix vulnerabilities.
Vulnerability 2: WordPress needs updating and maintenance
The second vulnerability of the WordPress system is that you need to update and maintain it regularly. Using outdated software, discontinued plugins and not doing regular updates mean your WordPress website becomes increasingly exposed to security breaches. Reuters was famously hacked this year and fake news was posted on their site. It was later revealed that the Reuters website was using an old version of WordPress which had over 20 vulnerabilities that should have been repaired through an update in 2011.
Who is responsible for being hacked?
Hacking is a criminal offence against your property. So just like you take important steps to secure your home, every website owner is responsible for the security and maintenance of their website too.
How to secure your WordPress website from hackers
1. Ensure your site is properly maintained
As we mentioned earlier, WordPress sites need regular updates to patch vulnerabilities and keep them secure. Updates can cover the CMS core, the website theme and most commonly, plugin updates.
It isn’t as easy as clicking ‘update’ though. Theme updates particularly can change the look of your site and cause unwanted conflicts with your plugins and core, sometimes even breaking the site. It’s best to let the specialists carry out any updates so they can take backups, perform updates and make any necessary tweaks to ensure the whole website works harmoniously and you stay open of business. Check out Solve’s website maintenance packages for details.
2. Choose a secure web host
Every website needs to be stored on a server somewhere and which host you choose is incredibly important. Each website host offers a different service, so you need to ensure the one you choose has substantial firewalls, regular monitoring, malware scanning, restrictions on unsecured plugins and secure file transfer connections.
Here at Solve we even offer a hacking guarantee – we’ll fix any unlikely hacks free of charge.
3. Take regular site backups
An essential step for any website owner is to ensure you take regular backups so that any hacks can be fixed quickly and effectively without losing too much data. For example, as part of Solve’s web hosting package, we backup sites daily and keep them for 30 days.
4. Move your site to HTTPs
To ensure your website’s security, ranking and user experience, you should make sure you have a valid SSL certificate for your site and that it runs on HTTPs.
HTTPs stands for Hyper Text Transfer Protocol Secure. Basically, to run on HTTPs, you need to have a valid SSL certificate which encrypts the data transfer between your server and the user’s web browser, ensuring information remains private and hackers can’t access it. If you’re not sure whether you have an HTTPs site, just look at the address in your browser. If you see a little padlock, you’re on HTTPs and your website is secured.
Not running on HTTPs not only poses a security risk, Google doesn’t like it either. HTTPs has been a ranking factor since 2014. So if you don’t have a valid security certificate, it’s impacting your ranking too.
And it can negatively affect user experience as well. Some browsers flag websites without a valid certificate as ‘unsecured’ to users – not very inviting!
At Solve, every website we design is on HTTPs with a valid SSL certificate from the get-go so you can relax – we’ve got you covered.
5. Use security plugins
There are a number of WordPress plugins that can be installed to monitor your website security and inform you of any threats. Wordfence, for example, is one of the leading security plugins with an endpoint firewall and robust malware scanner to keep your website protected from unwanted hacking attacks.
6. Avoid obvious passwords
To help protect your site from brute force hacks ensure your passwords are unique, differentiated and hard to guess. Don’t use your company name or address and definitely avoid the schoolboy error of sequential numbers! A staggering 2.5 million people have used 123456 as their password so far in 2020, leaving them desperately exposed to hacks.
If you really can’t think of anything original, there are online password generators that can help. And if you’re forgetful, tools like LastPass store your passwords safely so you don’t have to remember then all.
7. Restrict user permissions
Most websites have multiple users who legitimately access the site for different reasons e.g. web designer, marketing department and SEO team. Make sure you assign the right roles and permissions to each user. Administrative access should be given sparingly to avoid fundamental changes being made to your website either unwittingly or maliciously.
8. Add two-step login authentication
Two-step authentication is common now on social media platforms, Gmail and more because it makes brute force hacks harder. Two-step authentication is when, after entering a correct username and password, the user must verify their identity through an extra security step on another device. Typically, a one-time passcode is sent to a nominated mobile device like a phone which you need to type in. This two-layer protection means that even if hackers guess your password, they cannot get into your site (unless they have access to your other device too).
9. Limit the number of login attempts
It’s always good practice to limit the login attempts allowed on your site too to stop brute force hackers repeatedly trying different combinations of passwords. If you have a strong firewall this may be taken care of, and there are also plugins you can add to your site to limited login attempts, like Cerber Security.
10. Use virus protection on your computer
And finally, ensure you have powerful virus protection on the computer you’re using to access your website. This should help stop hackers pinching your passwords and infecting your site with viruses to name just a few offences.
Website security summary – The dos and don’ts
- Do website maintenance regularly
- Do choose a secure web host
- Do daily website backups
- Do ensure your site is HTTPs
- Do use security plugins
- Don’t use obvious passwords
- Don’t give all users administrative access
- Do add two-step login authentication
- Do limit login attempts
- Don’t forget your anti-virus protection
How do you fix a hacked WordPress site?
If your website has been hacked, it can be a messy job to clean up. It’s best to leave it to professionals to ensure all traces of the hack are removed. The security-savvy, web design wizards at Solve leave no stone unturned when investigating a hack – we’ll get to the root of the problem, restore your site to its former glory and advise on how you can better protect yourself in future.
Get protection from website hackers
And if you’re interested in beefing up your website security, consider our secure and eco-friendly web hosting and robust website maintenance packages. They’ll not only protect you from unwanted website hacks, but they can also improve your site speed, user experience and ranking too.