If your website or blog uses WordPress to manage its content, then it is important you take steps to protect it from unauthorized access. WordPress hacking has become more and more common due to its popularity. Here are answers to some common questions about hacking:
1. What is hacking?
Hacking is when someone gains unauthorized access to your website. They gain access by using programs that can exploit known security vulnerabilities in your website code. Once they gain access to your site, they can add links to your webpages that link to shady websites (drugs, gambling, porn, etc.), or use your mail server to send spam, or collect personal information stored in your database. This can result in your site being banned from Google, your website incurring bandwidth or mail server charges, or even lawsuits if your website visitors’ personal information or credit card data is stolen.
2. Why would they hack my site?
While hacking can be personal (by someone who knows you and means you harm), most often it is completely impersonal. The hacker writes a program that searches the web looking for websites that meet certain parameters (such as running a certain version of WordPress, or using a particular WordPress plugin). They don’t know or care who you are or what your business is. Profit is generally the goal of the hack. They are paid to add links, send spam, collect personal information, etc.
3. What can I do to keep my WordPress site safe?
The two most important things you can do are:
- Keep your WordPress installation updated. The folks at WordPress issue updates whenever security issues are identified and fixed. Whenever you get a notice in your admin area that a new version of WordPress is available, immediately click ‘update automatically.’
- Keep your computers free from viruses and malware. Any computer that you access your WordPress site from may store usernames, passwords, FTP login information and other sensitive data that can be stolen and used to gain access to your site. We recommend using a program like Microsoft Security Essentials.
4. If I do those two things, is my site secure?
Not entirely. If a hacker is determined, they can still get in. There are basically two methods:
- Brute Force Hacking – This means that they use a programming script to guess your password. The program guesses many passwords per second, until they get to yours. To see how this is done, check out this video on Brute Force Hacking.
- SQL Code Injections – SQL is the standard language used to query the database that contains the data for a WordPress website. There are certain vulnerabilities that a hacker can exploit in order to get into your site. This video on SQL Injection shows how easily it can be done.
5. Can anything be done to prevent the hacking methods mentioned above?
Yes. If you plug all the security holes in your site, hackers will not be able to gain access. To check how vulnerable your site is, please take the following steps:
- Log in to your WordPress admin area
- Go to Plugins > Add New
- In the search box, type “Ultimate Security Checker” and click ‘Search’
- The search will bring up the Ultimate Security Checker plugin. Click ‘Install Now’
- Once installed, click “Activate Plugin”
- After the plugin is activated, go to Tools > Ultimate Security Checker
- The plugin will check how secure your WordPress site is. Any score below 114 / 114 means there are security vulnerabilities that hackers can exploit.
6. It says my site isn’t secure. What can I do?
Xmanonline can secure your site for you (to bring it up to 115/115) through a range of code / permission / database changes. We will also install several additional security plugins, so that the security of your site can be monitored at all times and you can be quickly alerted to any future vulnerabilities. The procedure takes about three hours, so the cost is $300 + GST. Just contact Xmanonline support if you would like to arrange this service.
7. But I back up my site regularly, isn’t that enough?
Probably not. We can re-install a WordPress backup for you, but you will lose all of the information collected and/or changes made to your site since the backup was taken, not to mention the business that might be lost while your site is down during the restoration. If your site is banned from Google as a result of the hack, it will take even more time before you start showing up in the search engines again. And the point is, restoring from backup doesn’t fix the security holes, so you can be hacked again at any time.