You may want to bookmark this post, because I’m going to come back to it every few months and update anything that’s changed. In it, I’m going to talk about all the ways that hackers can get control of your WordPress blog, and then about many things you can do to secure WordPress blogs. And I’m going to keep it as short as I can, but it’s a lengthy topic.
How hackers get in
First, you want to understand the ways that hackers get into your site. There are 4 main methods:
- Malicious Code. Theme and plug-in developers can insert malicious code into their software. From the moment you install one of these, that code is creating back doors to let the developer into your website.
- Lack of security updates. A good, safe plug-in or theme can suddenly become insecure because hackers have learned something new. Responsible developers will quickly roll out an update to correct that problem, but you must install it.
- Compromised logins. A hacker can infiltrate your blog if he or she has your WordPress login or the login for your host/server. You may know that second one better as your cPanel login or your FTP login.
- Malvertising. Some hackers inject malware into ads and then run the ads through legitimate ad networks. Ad networks try to screen these out, but nobody’s perfect. While this won’t give a hacker control over your website, it will cause Google to label you as a hacked site and show visitors a big, ugly warning about your site.
- Insecure hosts. Some hosts are fantastic at security. My beloved Tiger Tech, for example, not only keeps their shared servers secure, but also looks out for potential problems caused by customers failing to keep things secure. Unfortunately, some hosts don’t have enough security measures in place. Which is just wrong, because you can’t expect the average website owner to know as much about security as the host should.
How to secure WordPress blogs
1. Malicious Code
This is the easiest threat to deal with – sort of. Basically, you need to make sure you only get themes and plug-ins from trustworthy sites.
- The WordPress repository is a reliable source for free plug-ins and themes. They manually review themes and plug-ins before uploading them to the repository, and if a later version of the theme or plug-in develops a security issue, they make sure it gets fixed or pulled from the repository.
- Paid plug-ins and themes are trickier because they don’t necessarily have anyone vetting them for security issues. I use Genesis Themes by StudioPress and highly recommend it, partly because the team seems to be very security-conscious. If you’re thinking about buying a plug-in or theme, I would suggest doing a web search along the lines of “[plugin name] security issues” in order to make your evaluation. Make sure plugins are being actively maintained.
- Do you have other CMS software installed on your server, such as a forum or bulletin board? You’ve got to keep those up-to-date as well because if someone can get in through them, they could conceivably take over your whole site. Delete any installations you’re not using.
2. Lack of Security Updates
This one is also fairly easy to handle, now that WordPress does most of it for you automatically. Auto-updates do introduce the possibility of a conflict if, say, a plugin isn’t ready for the new WordPress version. But that’s far more rare than hacks via out-of-date plugins, and usually gets fixed within a day (if not, you need to find a more actively developed plugin).
- Update themes and plug-ins as soon as updates become available. This prevents hackers from exploiting known security issues.
- Allow WordPress to default to auto-updating its security updates. For about 7 months, I’ve used and loved the WP Plugins&Themes Auto Update plugin to auto-update my plugins and themes. This is especially helpful on installations you don’t log into regularly: look for test blogs you may have installed in a subdirectory, or that blog you installed on a domain you aren’t using right now. I know I forget to update those installations.
- Note that an auto-update plugin may not work on paid themes or plugins. Also, WordPress doesn’t automatically install the major updates, like where it’s jumping from 4.2.x to 4.3, because those updates are more likely to break stuff. You’ll have to update those on your own.
- I suggest creating a spreadsheet that lists every WordPress installation on any of your domains, along with any themes and plugins that need manual updates. I’ve created a sample Blog Update Spreadsheet that you can download to get started. I put it in Excel format, but you can open it in LibreOffice (my choice) and other free alternatives to Office. Be sure to add any other software, such as forums, to the spreadsheet. This includes software that only you can access, like an installation of a private CMS where you keep notes.
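The auto-update behaviour described in this section can also be switched on without a separate plugin, because WordPress exposes it through two filters. The must-use plugin below is an added example written for this post; it is not code from WordPress or from the WP Plugins&Themes Auto Update plugin mentioned above, and the slug `example-fragile-plugin` is a hypothetical placeholder for a plugin you would rather update by hand. It opts every theme and plugin into background updates, with one exclusion to cover the conflict case mentioned above.

```php
<?php
/**
 * Plugin Name: Example: opt plugins and themes into background updates
 * Description: Added example for this post, not code from WordPress or from
 *              any plugin named in it. Save as
 *              wp-content/mu-plugins/auto-updates.php; must-use plugins load
 *              on every request and cannot be deactivated from the dashboard.
 */

// Plugins you prefer to update by hand, for instance one that has broken on a
// past update. 'example-fragile-plugin' is a hypothetical slug, not a real plugin.
const MANUAL_UPDATE_PLUGINS = array( 'example-fragile-plugin' );

// WordPress runs this filter for every plugin that has a pending update.
// Returning true lets the background updater install it; false skips it.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, MANUAL_UPDATE_PLUGINS, true ) ) {
        return false; // leave this one for the manual-update spreadsheet
    }
    return true;
}, 10, 2 );

// Themes use the same mechanism; opt all of them in.
add_filter( 'auto_update_theme', '__return_true' );

// Core: WordPress installs minor and security releases on its own but not
// major jumps such as 4.2.x -> 4.3. To include majors, add this line to
// wp-config.php (the conventional place for it) rather than to this file:
//     define( 'WP_AUTO_UPDATE_CORE', true );
```

The caveat from the list above still applies: these filters only decide whether WordPress installs an update it already knows about, so a paid theme or plugin that does not deliver updates through wordpress.org or its own update server will not be touched and belongs on the manual-update spreadsheet.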
3. Compromised Logins
You need to protect both your WordPress login and your server/host/FTP/cPanel login(s). If your domain registrar is different from your host, you also need to protect that, too. So you need to understand how hackers can get these logins.
- Brute force. Hackers use software that can try tons of different logins in a short time. If the username and password are very common, they’ll get them. If you have an older WordPress installation that still uses “admin” as the login username, change it ASAP using these instructions. I use a totally made-up word that’s at least 12 letters long, and my passwords are so strong they look like cussing in a comic strip. Make sure the password for your host is equally strong. Do not save these logins to your browser. We’ll talk in a minute about a great way to store really strong logins so you don’t have to remember them all.
- Compromised computer. If you use any of these logins on a malware-infested computer, they could be sent straight back to a hacker. So you need to keep your PC clean, and be very careful about logging in on other people’s PCs.
- Fake phone calls/emails. If someone calls or emails you claiming your computer is sending out viruses, this is a scam to get control of your computer. Be very aware of anyone who contacts you claiming to be from your host or someone like that. Never give out your passwords. But also, if you get a call or email you weren’t expecting, I would suggest you hang up/don’t respond, and then go contact your host the way you normally do. Describe the call or the email to them (especially whatever name the person gave), and find out if that was legitimate.
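The brute-force attempts described in the first item above leave a very recognisable trace in the web server’s access log: a burst of POST requests to wp-login.php from one address, each answered with a 200 (WordPress re-renders the login form on a failed attempt) rather than the 302 redirect that follows a successful login. The script below is an added example written for this post, not code from WordPress or from any host; it assumes combined-format access log lines (Apache or nginx default) and uses constructed sample lines with RFC 5737 documentation addresses. It reports any address with ten or more failed-looking login POSTs inside a five-minute window.

```php
<?php
// Added example (not from the original post): flag addresses hammering wp-login.php.
// Assumes Apache/nginx "combined" access log lines.

const LOGIN_PATH  = '/wp-login.php';
const THRESHOLD   = 10;   // failed-looking login POSTs from one IP ...
const WINDOW_SECS = 300;  // ... within this many seconds

/**
 * Return [ip => total failed-looking login POSTs] for every address that made
 * at least $threshold such requests within any $window-second span.
 */
function brute_force_suspects(array $lines, int $threshold = THRESHOLD, int $window = WINDOW_SECS): array
{
    $failed = [];  // ip => list of unix timestamps
    // client, ident, user, [timestamp], "METHOD PATH PROTO", status
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/';

    foreach ($lines as $line) {
        if (!preg_match($re, $line, $m)) {
            continue;  // not a combined-format line
        }
        [, $ip, $ts, $method, $path, $status] = $m;
        if ($method !== 'POST' || strtok($path, '?') !== LOGIN_PATH) {
            continue;
        }
        // A successful login redirects (302); a failed one re-renders the form (200).
        if ($status !== '200') {
            continue;
        }
        $t = DateTime::createFromFormat('d/M/Y:H:i:s O', $ts);
        if ($t === false) {
            continue;
        }
        $failed[$ip][] = $t->getTimestamp();
    }

    $suspects = [];
    foreach ($failed as $ip => $times) {
        sort($times);
        $n = count($times);
        // Sliding window: any $threshold consecutive attempts within $window seconds.
        for ($i = 0; $i + $threshold - 1 < $n; $i++) {
            if ($times[$i + $threshold - 1] - $times[$i] <= $window) {
                $suspects[$ip] = $n;
                break;
            }
        }
    }
    return $suspects;
}

// Constructed sample log: one legitimate login, then a 12-request burst from
// 198.51.100.7 spaced four seconds apart.
$lines = [
    '203.0.113.5 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
];
for ($i = 0; $i < 12; $i++) {
    $lines[] = sprintf(
        '198.51.100.7 - - [10/Oct/2023:13:56:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "python-requests/2.28"',
        $i * 4
    );
}

foreach (brute_force_suspects($lines) as $ip => $count) {
    printf("%s: %d failed-looking login attempts, %d+ within %d seconds\n", $ip, $count, THRESHOLD, WINDOW_SECS);
}
```

Run it with `php brute-force-check.php` against lines piped from your real log (replace the constructed `$lines` array with `file('/path/to/access.log')`); 203.0.113.5 is not reported because its only POST was a successful 302, while 198.51.100.7 is. The threshold is deliberately conservative so that a forgetful human does not trip it, and the output is the kind of evidence worth sending to your host along with a request to block the address.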
3.1 Keeping your PC clean of malware
Now, if you use a Mac, your chances of getting hacked are still slim, but Mac ransomware has made its debut. You should use an antivirus program, and friends tell me the Genius Bar recommends MalwareBytes for Mac. I have used Mac a lot in the past, but I stupidly relied on the hackers’ lack of interest in Mac to protect me. Currently I use a PC, but a lot of these tips apply to Mac just as well.
- Be paranoid about clicking links or opening attachments in email. Fake emails are a huge source of computer infections. Hackers create emails that look like legitimate tracking notices from UPS, or notices from your credit card. These emails have links that will take you to download a virus, or legitimate-looking attachments that download malware.
- Use a web interface for email. If you can, use a web interface instead of a client app like Outlook or Thunderbird to read and store your mail. Some malware can (supposedly) be downloaded just by viewing the mail. Using a web interface puts an extra layer of security in there. Gmail is most popular and has great spam detection. Zoho, Yahoo, Outlook.com, etc., also have their fans.
- Use a good antivirus program. I recommend the less well-known Emsisoft because it’s better at stopping zero-day ransomware attacks like Cryptowall. If you can’t afford to pay, check out Comodo Internet Security. It’s not all that user-friendly, but it’s almost as effective as the best paid programs. I also use the paid version of Malwarebytes – both it and Emsisoft can run with another AV.
3.2 Block malware from coming through your browser
- Install Malwarebytes’ Anti-Exploit. The free version stops exploits that come through your browser, which is how a lot of malware gets in. The paid version also protects your PDF reader, media players and other apps.
- Dump Flash, or switch to auto-updates. Flash is so insecure that fewer and fewer sites use it. I no longer install it – Flash content renders in Chrome or Edge, anyway. If you must have Flash, switch to auto-updates. A lot of malware comes to you via what looks like a totally legitimate Flash or Reader update.
- Use AdBlock Plus. I know – I sound like a hypocrite because I’m a blogger who makes money from ads. AdBlock Plus blocks any Flash, not just ads, with the option to unblock case by case. It also lets you “whitelist” sites you trust, and this is why I’m not such a hypocrite. I whitelist small bloggers who are less likely to be the targets of “malvertising” than big websites like Disney, Facebook and the Guardian, who found themselves inadvertently distributing malware through their ads in 2014.
- I recommended WebOfTrust until they got caught selling our private information. Both Firefox and Chrome removed it, and I don’t recommend it. It was the least important of these precautions, and you can be safe without it.
- Use LastPass or another password manager. LastPass is a browser extension which stores super-complex logins for every site you use. All you have to do is memorize a single master login for LastPass, and it handles the rest. You can use it all you want on desktop for free, and it’s $12 a year for mobile access. Because you never need to type your passwords, a keylogger Trojan can’t transmit them back to a hacker. If you need to login to LastPass on, say, a library computer that might have malware, you can type in the password using a special keyboard that pops up on screen. And LastPass employees can never see your master password or your other passwords. They’re all encrypted on your computer before they get sent to LastPass.
4. Malvertising
As I mentioned above, sometimes hackers buy ads and put malware in them, and those ads can potentially appear on any website that serves ads.
- Use reputable ad networks. This is tricky, because ad networks don’t share the fact that they’ve had malware. If you get malware in your ads, it’s hard to track down. I can tell you that the vast majority of problem ads I’ve had were video ads, for some reason.
- Use DFP or a DFP manager like AdThrive. DFP is a Google product for displaying ads on websites. It’s so user-unfriendly I would call it “user hateful”, but one of these days I’m going to try to put together a basic guide. It’s worth the trouble because Google is very good at detecting malware, and they will let you know if one of your other ad networks is serving it.
- Set a price floor if you can. Some ad networks allow you to set a price floor. Once they have no more ads above that price, they start sending your impressions to a passback network you’ve provided. The lower the price floor, the higher your fill rate will be, which is a good thing. But always keep a price of at least $.10-$.15. I’ve done that for years, and I believe it keeps a lot of the malware ads out. (They’re not going to spend a lot to reach people they want to steal from.)
5. Insecure Hosts
It’s so important to find a host that’s really good at security, especially in shared hosting where another client may not be so good at updating their plug-ins and all this good stuff we’ve been talking about.
- Avoid really cheap hosts. Hosts that only charge you a couple of bucks a month are probably not investing much in security.
- Use WebHostingTalk to read up on hosts and their security issues. That forum has a lot of great members who give detailed reviews of their hosting experiences.
- I recommend Tiger Tech. I’m sure other hosts are really good at security, but I’ve used Tiger Tech for several sites for the past five or six years. I’ve seen them ward off DDOS attacks that brought down other popular hosts. I once anxiously wrote them about a WordPress plugin I had just learned had a security flaw, only to be told they had plugged that security hole on their own months ago. I’ve never had a site go down for more than half an hour with them, and most outages are about five minutes. Altogether, with all my sites in all those years, I’ve had maybe an hour of downtime. Their blog delivers a lot of security tips, too. Check out this entry from 2010 about WordPress security and hosting to see why I love these guys. Even if you get a million page views a month, you should be able to use their $8.95/month plan – which is actually $7.95 if you pay annually.
Security takes some effort
Feeling overwhelmed? Relax. You probably have some stuff to install now, and maybe some new habits to develop. But you’re probably already following a lot of these rules. I hope you learned something new that helps you out. And remember to bookmark this post because I will keep it updated as new nasties come along.