It is hard to believe that hackers get hacked, but as they say themselves, “there is nothing funnier than hacking another hacker to see who is better.” It is a kind of tennis tournament (“let’s see who wins a six-hour Grand Slam final at Roland Garros”), so to avoid being hacked themselves, hackers rely on a series of plugins that help them enormously to safeguard the integrity of their WordPress sites.
How Have I Been Hacked?
There are many reasons why a WordPress site can be hacked. It can be as simple as a weak password that an attacker guesses or brute-forces, or something more complex, such as running the site without a plugin that acts as a web application firewall in front of it.
This inevitably raises the question of why anyone would want to dig into your website at all. It is confusing, especially when your site generates nowhere near the traffic of, say, Twitter or Instagram, or has no particular relevance. The short answer is that most attacks are not personal: automated bots scan for any site running known-vulnerable software, and a small site serves just as well as a large one for hosting spam, phishing pages or a backdoor.
According to WordPress.org, 26% of all websites in the world are built with the WordPress CMS. Since WordPress is the most popular CMS, it is not hard to see why it is such an attractive target, especially as all of its code is publicly available, free of charge, for anyone to study.
Is open source counterproductive, then? Why not use another CMS such as Drupal or Joomla? Because they are not immune to hacking either: their code is just as open and public. They simply run on a smaller scale than WordPress, which makes them a less rewarding target for mass automated attacks.
WordPress Security. Facts and Figures.
Unlike some other CMSs, WordPress applies minor and security releases automatically by default (since version 3.7), so choosing WordPress for your website is a relatively safe option. Even so, you remain responsible for the security of your site and must put a series of measures in place to keep it secure, starting now.
Around 4,653 security vulnerabilities have been recorded against WordPress core, but most of them do not represent a real threat to the platform, since only about 5.5-6% of that total are rated as serious.
Even so, this is still a problem, because roughly 18% of WordPress sites are not kept up to date: their owners simply ignore recent security patches, which leaves those sites open to attacks that have long since been fixed.
Luckily for those of us who keep up with WordPress security patches, most compromises do not originate in the platform itself or in its core, but in what we add to it and how we run it: outdated plugins and themes, weak credentials and poorly configured hosting.
Why I Was Hacked (Continued)
In a previous post on our blog, about the security of VPS servers, we described a real case of a site that was hacked because the VPS it was hosted on was not updated regularly.
In that case no special security precautions had been taken: no security plugin was installed, access to the login page was not restricted by IP address, and the site was not backed up regularly. In fact, the only two things done right were choosing a username other than “admin” and setting a strong password.
All of this is especially dangerous. Although the threat was thought to have been eliminated, it ended up affecting several websites hosted on the same VPS, because the attacker used a single vulnerability in one site to get into the rest. When several sites run under the same system user, a foothold in one is a foothold in all of them, and that turned into a real headache.
Fortunately, some of the security plugins were active on the other websites and the intrusion was quickly detected; otherwise the attacker could have done whatever he wanted, and the worst part is that nobody might have known until it was too late.
Shared hosting carries the same danger, since many people share the same server. A dedicated server is the only exception, and even there the risk only moves: if you are the sole administrator but do not pay enough attention to the security of the server, a compromise will still affect every site hosted on it.
What We Should Have Done to Avoid Being Hacked
Here are some of the best things you can do to keep your WordPress site secure:
- Keep WordPress core, themes and plugins updated.
- Download themes and plugins only from trusted sources.
- Host your site with a trusted hosting provider that applies the relevant security measures.
- When possible, choose either a VPS or a dedicated server. Obviously this makes little sense if you only have one website, but it does if you manage multiple sites, or websites belonging to other people or companies.
- Use a strong, unique password together with a username other than “admin”.
- Back up your site regularly, and keep a copy somewhere other than the server itself, so that an attacker who gets in cannot delete the backups along with the site.
These measures should always be taken, but you can improve security further by installing security plugins on top of them.
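The case above was made worse by a login page that anyone could hammer from anywhere. Before you install a plugin to rate-limit it, it is worth being able to see the attack in your own access log. The script below is an added example (not code from the post or from any of the plugins it names): it parses combined-format web-server log lines, groups POST requests to wp-login.php by client IP, and flags any address that crosses a threshold inside a sliding time window, skipping an allow-listed administrator address. The log lines, the allow-listed address and the threshold and window values are constructed assumptions to be tuned for your own site.

```python
"""Flag IP addresses brute-forcing wp-login.php from web-server access-log lines.

Added example for this post, not code from any plugin it names. The log lines,
the allow-listed address, and the threshold/window are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

ALLOWED_IPS = {"203.0.113.10"}  # assumption: the administrator's fixed office address
THRESHOLD = 5                   # assumption: this many login POSTs ...
WINDOW = timedelta(minutes=5)   # ... inside this window is treated as brute force

# Constructed sample: an attacker, the allow-listed admin, a legitimate user,
# a slow client whose attempts never cluster, and one malformed line.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2021:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2021:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2400 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2021:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2400 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2021:10:00:04 +0000] "POST /wp-login.php?action=login HTTP/1.1" 200 2400 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2021:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2400 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2021:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 2400 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2021:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 2400 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2021:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2400 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2021:10:05:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2400 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2021:10:05:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2400 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2021:10:05:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2400 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2021:10:05:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2021:10:10:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2021:10:10:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2021:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2400 "-" "curl/7.68"
192.0.2.44 - - [10/Mar/2021:09:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2400 "-" "curl/7.68"
192.0.2.44 - - [10/Mar/2021:09:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2400 "-" "curl/7.68"
192.0.2.44 - - [10/Mar/2021:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2400 "-" "curl/7.68"
192.0.2.44 - - [10/Mar/2021:10:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2400 "-" "curl/7.68"
this line is not in combined log format and is skipped
"""


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), TIME_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop the query string
        "status": int(m.group("status")),
    }


def login_posts(lines):
    """Timestamps of POST /wp-login.php grouped by client IP. (POST /xmlrpc.php is
    the other common brute-force channel; add it if you do not use XML-RPC.)"""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == "/wp-login.php":
            by_ip[rec["ip"]].append(rec["time"])
    return by_ip


def find_bruteforce(lines, threshold=THRESHOLD, window=WINDOW, allowed=ALLOWED_IPS):
    """Return {ip: most POSTs seen inside any single window} for IPs at or over
    the threshold, ignoring allow-listed addresses."""
    offenders = {}
    for ip, times in login_posts(lines).items():
        if ip in allowed:
            continue
        times.sort()
        best = start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            offenders[ip] = best
    return offenders


if __name__ == "__main__":
    for ip, hits in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {hits} login POSTs within {WINDOW}; candidate for a firewall block")
```

On the constructed sample only the attacker is reported: the administrator makes the same number of attempts but is allow-listed, and the slow client never gets five attempts into one five-minute window. Feed it your real log and the addresses it returns are the ones you would hand to your firewall or your login-limiting plugin; the window is what separates a brute-force run from a user who simply forgets their password now and then.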
The 7 Plagues to Keep Hackers at Bay
As if it were a biblical story, below is a list of the 7 best plugins to keep hackers at bay, or at least to make life as difficult as possible for cyber-crooks.
1. Wordfence
Wordfence is the first choice when it comes to security plugins. Both the free and Premium versions do a fine job of detecting and blocking a wide range of known threats. Its signature database is updated regularly, so new threats are picked up soon after they appear.
Among Wordfence's best features is its ability to detect when files have been modified or created, offering the option to restore them to their original version or delete them with a single click.
When the official “Anonymous” website was hacked, the first sign that something was wrong was an alert from Wordfence. Wordfence can scan files outside the WordPress installation directory, and that feature is what saved them; it also detected the other unprotected sites on the server before they were compromised.
In the end they were able to remove most of the problem files and restore the rest. On top of that, any leftover files unrelated to WordPress could be deleted, just to be sure no hidden backdoors remained.
Wordfence also includes a web application firewall, along with many other useful features.
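The feature that saved the site above, noticing that files were created or modified, does not require a plugin to understand: it is a hash baseline taken while the site is known clean, compared against the tree later. The script below is an added example, not Wordfence's code nor the post's: it hashes every file under a document root, diffs a saved baseline against the current state, and flags the two changes a WordPress operator should treat as an alarm rather than a curiosity: PHP appearing under wp-content/uploads, and anything touched inside wp-admin or wp-includes outside a core update. demo() builds a constructed site tree in a temporary directory; the directory names it skips and flags are assumptions.

```python
"""Baseline-and-compare file integrity check for a WordPress document root.

Added example, not Wordfence's or the post's own code. demo() builds a
constructed site tree in a temp directory; SKIP_DIRS, CORE_DIRS and UPLOADS
are assumptions about a standard WordPress layout.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

SKIP_DIRS = {"wp-content/cache"}           # assumption: churny cache dir, baseline separately
CORE_DIRS = ("wp-admin/", "wp-includes/")  # only a core update should touch these
UPLOADS = "wp-content/uploads/"            # should never contain executable PHP


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Return {relative_posix_path: sha256} for every regular file under root."""
    root = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        prefix = "" if rel_dir == "." else rel_dir + "/"
        # prune in place so os.walk does not descend into skipped directories
        dirnames[:] = [d for d in dirnames if prefix + d not in SKIP_DIRS]
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # hash only real files; a stray symlink deserves its own look
            baseline[prefix + name] = sha256_file(p)
    return baseline


def compare(old, new):
    """Return (added, modified, removed), each a sorted list of relative paths."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    return added, modified, removed


def flag_suspicious(added, modified):
    """Changes that should never happen outside a deliberate update: PHP dropped
    under uploads, or anything added/modified inside the core directories."""
    flagged = set()
    for p in added:
        if p.startswith(UPLOADS) and p.lower().endswith((".php", ".phtml", ".php5")):
            flagged.add(p)
    for p in added + modified:
        if p.startswith(CORE_DIRS):
            flagged.add(p)
    return sorted(flagged)


def demo():
    """Build a constructed site tree, baseline it, simulate a compromise, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            ".htaccess": "RewriteEngine On\n",
            "wp-config.php": "<?php $table_prefix = 'wp_';\n",
            "wp-includes/version.php": "<?php $wp_version = '5.7';\n",
            "wp-content/plugins/contact/contact.php": "<?php /* Plugin Name: Contact */\n",
            "wp-content/uploads/2021/03/cat.jpg": "not really a jpeg\n",
            "wp-content/cache/page.html": "<html>cached</html>\n",
        }
        for rel, body in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        saved = json.dumps(build_baseline(root))  # keep this copy off the server

        # Simulated intrusion: backdoor appended to a plugin, webshell dropped in
        # uploads, a core file altered, .htaccess deleted, cache churn (ignored).
        with open(root / "wp-content/plugins/contact/contact.php", "a") as f:
            f.write("eval(base64_decode($_POST['x']));\n")
        (root / "wp-content/uploads/2021/03/shell.php").write_text("<?php system($_GET['c']);\n")
        (root / "wp-includes/version.php").write_text("<?php $wp_version = '5.7'; include '/tmp/.x';\n")
        (root / ".htaccess").unlink()
        (root / "wp-content/cache/page.html").write_text("<html>regenerated</html>\n")

        added, modified, removed = compare(json.loads(saved), build_baseline(root))
        return added, modified, removed, flag_suspicious(added, modified)


if __name__ == "__main__":
    added, modified, removed, flagged = demo()
    print("added:", added, "\nmodified:", modified, "\nremoved:", removed)
    print("investigate first:", flagged)
```

Two details matter in practice. The baseline must live somewhere the attacker cannot reach (with your off-server backups), because a baseline on the box is the first thing a careful intruder rewrites. And the skip list should stay short: a cache directory is noise, but wp-content/uploads is exactly where dropped webshells end up, so it stays in the scan even though it changes often.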
2. VaultPress
VaultPress is an all-in-one security and backup plugin. It is made by Automattic, the company behind WordPress.com, which makes it a safe bet.
Backing up regularly ensures that, if we are hacked or attacked, we have a copy of the site and can bring it back online quickly and safely.
The paid version adds daily scans for suspicious code, viruses, malware, trojans and the like: almost an antivirus, but specialised in our WordPress site.
In the event of being hacked, this plugin makes it very easy to clean our website and restore it.
3. iThemes Security
Another good plugin is iThemes Security, which keeps up with the attacks hackers commonly carry out, so it stays very current, especially with regard to exploits, backdoors and similar threats.
The free version is fine if you know your website is clean, but the paid version is the one that really protects you, since it scans your site to see whether any files have been changed. The paid version can also back up your site.
4. Sucuri Security
Sucuri Security is another plugin ideal for the same needs. It is free, analyses your site for malware and similar threats, checks whether your site has been blacklisted by search engines and security vendors, performs clean-up functions if it detects that you have been hacked, and warns you when it notices something suspicious happening in your WordPress installation.
5. Acunetix Secure WordPress
Acunetix Secure WordPress is a good plugin for keeping your site safe, but it is no use if you have already been hacked. Among other things it hides your WordPress version, tightens file permissions, changes the database table prefix and disables error reporting, removing the information an attacker uses to fingerprint your site before breaking in.
It is a very good plugin as long as the site is 100% clean from the beginning.
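Hiding the version and silencing error output only help if they actually work, and the way to know is to look at the page the way an attacker does. The script below is an added example, not code from Acunetix Secure WordPress or from the post: given a saved copy of a page's HTML, it reports the three leaks from that list that are visible from outside, the generator meta tag, the ?ver= stamps WordPress puts on its own scripts and styles (the WordPress version on most of them, a bundled library's version on a few such as jQuery), and PHP error text exposing server paths. The two HTML documents are constructed, one leaky and one hardened.

```python
"""Spot version and error leaks in a WordPress page, the way an attacker's
fingerprinting script would. Added example, not the plugin's or the post's code;
LEAKY_HTML and HARDENED_HTML are constructed samples.
"""
import re

GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s*([\d.]*)', re.I)
# Core scripts/styles carry the WordPress version as ?ver= unless the bundled
# library registers its own (jQuery, for example).
CORE_ASSET_RE = re.compile(
    r'(?:/wp-includes/|/wp-admin/)[^"\'\s]+?\?ver=([\d][\w.\-]*)', re.I)
# Default PHP html_errors output: "<b>Warning</b>:  msg in <b>/path.php</b> on line <b>N</b>"
PHP_ERROR_RE = re.compile(
    r'<b>(Warning|Notice|Deprecated|Fatal error|Parse error)</b>:\s+.+? in '
    r'<b>(.+?)</b> on line <b>(\d+)</b>', re.I)


def find_leaks(html):
    """Return a dict of the leak kinds found; an empty dict means the page is clean."""
    leaks = {}
    m = GENERATOR_RE.search(html)
    if m:
        leaks["generator"] = m.group(1) or "present, version blank"
    versions = sorted(set(CORE_ASSET_RE.findall(html)))
    if versions:
        leaks["core_asset_versions"] = versions
    errors = PHP_ERROR_RE.findall(html)
    if errors:
        leaks["php_error_paths"] = sorted({path for _level, path, _line in errors})
    return leaks


# Constructed: a default install with a theme bug and display_errors left on.
LEAKY_HTML = """<!doctype html><html><head>
<meta name="generator" content="WordPress 5.7" />
<link rel='stylesheet' href='https://example.com/wp-includes/css/dist/block-library/style.min.css?ver=5.7' />
<script src='https://example.com/wp-includes/js/jquery/jquery.min.js?ver=3.5.1'></script>
<script src='https://example.com/wp-includes/js/wp-embed.min.js?ver=5.7'></script>
</head><body>
<br />
<b>Warning</b>:  file_get_contents(): failed to open stream in <b>/var/www/html/wp-content/themes/shop/functions.php</b> on line <b>42</b><br />
<p>Hello world</p></body></html>
"""

# Constructed: same page after the generator tag, ?ver= stamps and error output are removed.
HARDENED_HTML = """<!doctype html><html><head>
<link rel='stylesheet' href='https://example.com/wp-includes/css/dist/block-library/style.min.css' />
<script src='https://example.com/wp-includes/js/jquery/jquery.min.js'></script>
<script src='https://example.com/wp-includes/js/wp-embed.min.js'></script>
</head><body><p>Hello world</p></body></html>
"""


if __name__ == "__main__":
    for label, html in (("leaky", LEAKY_HTML), ("hardened", HARDENED_HTML)):
        print(label, find_leaks(html) or "clean")
```

Run it against the output of a plain GET of your front page (and, separately, of a page that does not exist, since 404 templates are where stray PHP warnings tend to surface). The other two items on that plugin's list, file permissions and the database prefix, are not visible from outside and have to be checked on the server itself. If you prefer to do the version hiding by hand, the generator tag is removed by unhooking wp_generator from wp_head and the ?ver= stamps by filtering script_loader_src and style_loader_src; running this check afterwards is how you confirm the change took effect.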
6. Plugin Check
Another fantastic tool is Plugin Check, which you should always have active on your WordPress: it checks plugin code and reports incomplete PHP routines, code that does not work properly, and anything that looks suspicious.
This plugin is useful mainly for developers but also for end users, because it lets you detect these errors and fix them; and if you are not a programmer, at least you know what is going on and can hand it to your developer or to someone else who can help.
7. Theme Check
Theme Check works in much the same way as Plugin Check. It scans your WordPress theme or template and determines whether it meets WordPress's standards, requirements and good practices. It is aimed at developers, but it also serves us, especially when we manage several websites, as a way to know whether the theme we have uploaded is “legitimate” in how it behaves.
If you use WordPress you are in the lottery drum: at any time you could be the target of some hacker, or of some bot trying to break into your page for whatever reason, and that is reason enough to take action and protect yourself before it happens.
Take note of both the tips from the beginning of this post and the plugins that can pull your chestnuts out of the fire, or even keep you out of the flames altogether. All that remains to be said is that you should make every effort to protect what has cost you so much time, effort and money to build.