It’s a word no one likes to hear. It sends chills down the spines of developers and sends site users and owners alike into a frenzy.
What are we talking about?
Website hacks come in all shapes and sizes, and they happen regularly. Worldwide, 64% of companies have experienced at least one form of cyberattack. Some cause minimal damage, while others can bring entire industries to their knees.
Regardless of their severity, hacks are a big deal. You will definitely want someone in your corner who knows what to do if your WordPress site gets hacked.
While site security should be top of mind for every website owner, your host should also do its own due diligence in protecting your site and your users. How does Pressable handle hacks when they occur, and what do we do to keep your data safe from the beginning? This post explains.
How Do Vulnerabilities Occur in WordPress?
When it comes to WordPress, hacks can occur for many reasons, whether it’s a vulnerable plugin, a WordPress core mishap, or even an insecure username or password. Usually, a security researcher finds a vulnerability and reports it to the developer. The developers fix the issue and push out an update. A few weeks after the researcher reports the issue, they publish it online to gain notoriety.
Unfortunately, that’s not always how it goes. Some developers don’t update their plugins after they discover vulnerabilities. When hackers send robots to take advantage of the new-found hole in your defenses, your information gets compromised. But there is good news. With proper defenses and a team of experts behind you, you can keep the hackers at bay and your data secure.
What are Website Vulnerabilities?
WordPress is a popular content management system because it allows users to create functional, good-looking websites. But because website builders favor it, it’s also popular with hackers.
Website vulnerabilities can come in all shapes and sizes. Someone at your business could click on a phishing link in an email and expose your company’s website. A member of your website admin team may not have a strong password which a hacker can easily guess. Your version of WordPress or plugins may be out of date.
No matter the source, your company’s and customers’ data is at risk when your site is vulnerable.
The Main Causes of WordPress Website Vulnerabilities
You can easily combat many common attacks on WordPress by following WordPress security best practices.
Common attacks to watch out for include:
- SQL Injections. In this type of attack, a hacker gets into your database and inserts new data such as spam links or new admin login credentials.
- Distributed Denial of Service (DDoS) Attacks. Attackers program computers to repeatedly load your website to crash it under the weight of so much traffic.
- File Inclusion Exploits. In file inclusion exploits, attackers manage to load and execute PHP files that allow them to modify system files, such as your wp-config.php file.
- Cross-Site Scripting. Attackers insert client-side scripts into your website to change how your site acts for visitors and even steal user data.
- Malware. WordPress sites can face malware infections such as pharma hacks, drive-by downloads, backdoors, and malicious redirects.
- Outdated Core. Hackers can use vulnerabilities in older versions of WordPress to access sites that haven’t been updated.
- Insecure Themes or Plugins. Third-party themes and plugins could carry malware, so choosing plugins and themes from reputable sources is important.
- SSL Issues. If a shady source provides your SSL, you could find your certificate is fake or that your site has been hijacked.
- Brute Force Attacks. A bot tries to guess the correct login for your site, repeatedly entering different usernames and passwords until it gains access.
- Low-Quality Hosting. If a hosting company doesn’t offer security monitoring, you’re on the hook for monitoring for potential attacks, and you likely don’t have the tools or time to do so.
With so many ways hackers can harm your site, you may wonder, “How do I secure my hosted WordPress website?” How can companies protect themselves from hackers? A well-managed host can help.
How a Good Host Keeps Your Site Safe
Your web host should be a trusted ally in the fight to protect your site. A good web hosting company takes many measures to ensure your site is safe and secure.
A good host keeps your site safe through:
- Server-Level Security. If the server where your site and all its data are stored is secure, your site likely will be too. That’s why you need a host with secure servers.
- Secure Data Centers. When the physical locations that hold the servers are secure, the security of these data centers keeps the servers secure.
- Automatic Updates. Managed hosting allows your hosting company to update the important things on your site, so you don’t have to worry about it. These automatic updates help eliminate vulnerabilities immediately.
- Malware Scanning and Removal. When a hosting company detects malware, they can remove it quickly and efficiently, likely before any damage is done.
- DDoS Mitigation. Hosts can protect your site at the server level from DDoS attacks, preventing the threat from impacting your site.
- Web Application Firewall (WAF). A WAF prevents your site from being impacted by attacks like SQL injections and cross-site scripting.
- Secure File Transfer Protocol (SFTP). SFTP encrypts files while they are transferred, so large, sensitive files can be accessed and moved without being read by anyone who intercepts them.
- Backup and Restore. Many hosting companies offer regular website backups as part of their service. Those backups can restore your website to a previous version in the event of a hack.
- Expert Support. Good web hosts have experts on staff to support site owners when they need help with navigating hacks, updates, or any other issue they encounter.
Consider these items to be like a web hosting security checklist. If your host doesn’t provide these, it’s probably time to start looking for a new host who can help keep your site safe.
Consider Using a WordPress Vulnerability Scanner
If you feel bombarded with potential threats that could harm your site, know that you don’t have to wait until you suspect an attack has occurred to do something. Knowing how to protect your WordPress site from SQL injection cyber attacks, DDoS attacks, or even phishing scams can help put your mind at ease and help you prepare in the event of a hack.
If you’re worried about an attack, there are WordPress vulnerability scanners, like this one from Pentest Tools, that will help you spot potential issues before they become problems. Also, we provide Jetpack Security Daily free with every hosting package. It will point out vulnerabilities before a site is hacked.
How Pressable Handles Hacks
When your site security gets compromised, it’s no time to play the blame game. You just want the problem fixed, and that’s exactly what we do. We are actively monitoring for malware threats, and our team of WordPress experts gets right on the case at the first sign of intrusion. After an instance of malware is detected, we’ll provide help to ensure that your site is restored to a safe and secure state.
We’re serious about web hosting security best practices, and our features help you proactively avoid potential hacks. Here’s how Pressable keeps your site safe:
- Actively monitors malware and keeps your WordPress core updated automatically
- Backs up your website daily
- Employs a state-of-the-art Web application firewall
- Provides free SSL certificates
- Offers free Jetpack Security Daily
- Informs you of concerns and works with you in hack recovery
How Do I Secure My WordPress Website?
Knowing how to secure websites from hackers is part of creating a security plan that works for you. There are many steps you can take to ensure your site is secure.
Keep Software, Theme, and Plugins Updated
There are tons of themes to choose from and thousands of plugins out there. That’s why it’s important to choose the right ones. What makes a good plugin or theme? Look for glowing reviews and high download numbers. If so many people use it, it must be good, right? Then make sure it’s updated regularly to avoid security vulnerabilities.
Updating anything that makes your site run properly is necessary for security. Software, themes, and plugins all update regularly to fix potential vulnerabilities. Ignoring update notifications is like leaving your front door open with all your valuables on display.
Must contain one capital letter. Must contain one special character. Must be at least eight characters long.
Did those three sentences make you cringe? We get it. Nobody likes making a different password for every service and device they use. But just like plugins and core updates, they’re a fact of life.
Strong passwords also are critical. Compromised passwords are the No. 1 reason for site hacks.
By using complex passwords, you protect yourself, your site, and, in turn, every other site on your host’s servers.
As soon as you get login credentials for your WordPress site, change your administrator password, and definitely change your username to anything but “Admin.”
SSL and HTTPS
An SSL certificate encrypts sensitive data, so people who shouldn’t see that information can’t. A site with an SSL certificate has HTTPS at the beginning of the web address, which signals to site visitors that your website is secure. Plus, many browsers won’t let you navigate to a site without an SSL certificate, which means you could be losing customers and your reputation.
Having an SSL certificate keeps your data safe, and it keeps your customers’ data safe too. It also has the added benefit of improving SEO, meaning your site is more likely to rank well in Google search results. Pressable offers free SSL certificates, so you don’t have to worry about adding it to your hosting plan.
You can do a lot to secure your site, but it won’t matter if your host isn’t secure. Pressable knows this, which is why our managed WordPress hosting focuses on speed, security, and redundancy. It’s a fully managed WordPress hosting service that lets you focus on what matters most.
Secure File Permissions
File permissions specify who can access what and if they can change the files. Setting file permissions can be a simple way to keep unwanted changes from being made by your staff or by hackers. Securing file permissions allows you to protect your data and that of your customers. By limiting who has access to it, you’re keeping your information safe.
Of course, WordPress files are symlinked and can’t be modified. That’s a huge potential hacking point that Pressable protects you from.
We understand that your website is essential to the growth of your business. We go the extra mile for our clients with WordPress website performance monitoring. We’ll also help you activate Jetpack Security Daily, which is free with every Pressable plan. It protects your site and lets you know if there’s a concern. We give you free, unlimited access to 24/7 WordPress hosting support to ensure your websites are always running as they should.
Two-factor authentication is like adding a special layer of security to your site. Two-factor authentication is a crucial part of how to protect your WordPress website from hacking. Instead of just putting in your password, you must also use a code from a third-party authentication app.
Two-factor authentication may seem like an extra step or like it will slow you down when you’re trying to log in, but it can be an excellent line of defense against hackers or anyone who tries to access your site.
Limit Login Attempts
If a hacker attempts to access your site by trying various password combinations until they find the right one, it may only take persistence to access your site. Limiting login attempts means they can only try a few times before they’re locked out. Plugins like Limit Login Attempts Reloaded, Loginizer, and Limit Attempts by BestWebSoft all allow you to limit the number of login attempts from users.
Most hosting companies regularly create backups of your site for a reason. With a backup, you can restore your site in the event of any sort of tech issue, including hacks. While hopefully you only ever need the backups for peace of mind, having them in the event of a hack can help you restore your site to a previous version without any malware, which means your site is secure again. Visitors won’t notice any major changes. Pressable offers daily WordPress backups for this reason.
Your database is basically your website in its purest form. If your database isn’t secure, then your site definitely isn’t. Pressable makes a backup of your website files every 24 hours, and we back up your databases hourly. Plus, we keep those backups for 30 days. Need to restore from a previous version? You can use our automated restore tool, do it yourself using SFTP or phpMyAdmin, or our 24/7 support team can do it for you.
Monitor File Changes
Your website should work like a well-oiled machine. Your theme and plugins work together to create the user experience you want. So you likely don’t want just anyone to have the ability to change any files that are a part of your site. In fact, there are probably a limited number of people with the login credentials to make those changes.
WordPress core files are symlinked and can’t be modified, which increases security.
Also, a plugin like Website File Changes Monitor can notify you when files are changed. It can also notify you about any sensitive data that may be exposed or potential malware threats. Used in conjunction with your host’s malware and security monitoring, a file monitor can let you know the minute there may be a potential issue.
A web application firewall (WAF) protects web apps by monitoring, filtering, and blocking malicious HTTP/S traffic traveling to a web application and by preventing unauthorized data from exiting the app. It does this through a set of policies, which are merely rules the WAF operates through. These policies help protect against application vulnerabilities by distinguishing the malicious traffic from the safe traffic and filtering out the potentially harmful traffic.
All websites hosted by Pressable include a web application firewall, which works at Layer 7 (the application layer) and protects against common attacks by hackers. The WAF monitors, identifies, filters, and blocks malicious activity from a web service but allows other HTTP traffic through with no problem. It protects web applications from many application-layer attacks like cross-site scripting (XSS), cross-site request forgery, cookie poisoning, file inclusion, and SQL injection, among others.
Scan for Malware Regularly
With a WordPress site, hackers may not even be targeting your site directly. Instead, they may be exploiting known weaknesses in outdated plugins in hopes of finding and exploiting vulnerable sites. That’s why website malware scanning can be a critical step in preventing hacks.
In addition to regularly scanning for known threats and WordPress vulnerabilities, Pressable proactively protects your site by keeping WordPress core updated, encouraging the use of a current version of PHP, backing up your website daily, and employing a state-of-the-art web application firewall to keep you safe.
If we identify a vulnerability, malware, or other threats to your site, we’ll inform you immediately. Our expert support team can give you advice for restoring your site to its normal functionality and securing it against further attacks. Rest assured. Our team is here to help.
What Pressable Does for Security
The easiest way to come back from a hack is to prevent it altogether. Just call us your friendly neighborhood hack prevention platform. Now, any host that tells you they can prevent 100% of hacks is pulling your leg, but there are plenty of things your host can do to help give you peace of mind. At Pressable, we provide you with tools and recommendations necessary to lock your site up tight.
WP Core Updates
Updates are part of WordPress, plain and simple. But when you host with Pressable, we take WordPress core updates off your plate and perform them for you. That way, we can ensure all our sites are secure from any core vulnerabilities. This updating not only secures your sites but all sites on our platform.
Jetpack Security Daily
Jetpack, when properly configured, provides tons of features that will keep your site locked up tighter than the Hope Diamond. That’s why we provide Jetpack Security Daily to all our customers for free. You read that right: free. If you have difficulty setting it up, our team would be glad to help. Just submit a ticket to our support team through our control panel.
Our support team works 24/7 to keep your sites secure, whether we’re updating the WordPress Core or watching for malware intrusions. We regularly check spam blacklists for Pressable IPs and domains to ensure each site on our platform is safe, secure, and locked down.
Free SSL Certificates
SSL certificates are a great way to secure both site and user data. By encrypting the signals sent between the site and its servers, SSL certificates make it much more difficult for bad actors to grab valuable data. Plus, having an SSL certificate will help your site with page ranking on search engines. We work with Let’s Encrypt to provide free SSL certificates to every site on our platform.
What to Do if Your Site Gets Hacked
Do you know what to do if your WordPress site gets hacked? Hopefully, you’ll never need this information, but if you do, here are the tips that will help you get your site back.
- Find the Hack. First, check whether you can log in using your WordPress Admin Panel and see if your web address redirects you to another website or if you find any illegal links. Then, check whether Google already considers your website unsecured.
- Contact Your Hosting Company. A reputable hosting company is there to help, and Pressable has a team to assist you.
- Hire Professionals, If Necessary. If the attack on your website is bad or if you don’t feel equipped to handle it, hiring a professional is your best choice. Cleaning it as soon as possible is in your best interest since a vulnerable website only gets more difficult to recover the longer you wait.
- Restore a Previous Website Version. Regularly backing up your website comes in handy when you’ve experienced a hack. Restore your site to a previous version, and focus on securing any vulnerabilities that may have led to the hack in the first place.
- Scan and Remove Malware. Install Jetpack and activate Jetpack Security Daily to scan your site to find how hackers accessed your site in the first place. Keep Jetpack running to detect future issues before they become a problem.
- Review User Permissions. Check your WordPress users and their permissions to ensure only you and your team members can access your admin accounts. This review will also show whether your user accounts got tampered with or new user accounts got added.
- Change Passwords and Secret Keys. Look at all your website components and change the passwords of anything that can aid in helping a hacker access it, as well as changing your secret keys. Use a password generator to create secure logins.
Is Your Site Protected?
With Pressable, we help keep your site from being hacked. And, if it ever is, you don’t have to go it alone. We’re here 24/7 to help. Sign up for Pressable managed WordPress hosting to make sure your site and its users are protected.