How To Protect Your WordPress Website

Against Hackers

Because it's the most popular content

management system in use on the Internet, WordPress

websites are a common target for hackers and

spammers. That is why it is vital to take measures to

make your WordPress website as secure as

possible.

Whilst most people would assume that a hacked website would simply be defaced and

the site replaced with a message to visitors such as "Your Website

Has Been Hacked by SOMESILLYNAME!", in reality, the

aim of most hacks is to infect your website with malware

without you or anyone else knowing! Some of the common malware threats

include:

Pharma Hacks – Injects spam into the website database or filesBackdoors – Allows hackers to gain access to the website at any time via FTP or the WordPress admin areaDrive by Downloads – A script downloads a file to the users computer, either without their knowledge or by misleading the visitor and saying the software does something usefulFile and Database Injections – Inserts code into the files or database that lets the hackers do a number of different thingsMalicious Redirects – Redirects website visitors to a page of theirs that misleads people into downloading an infected filePhishing – Used to acquire usernames, passwords, email addresses and other sensitive information

The reason that hackers generally want their hack not to be noticed is because the longer you don't know your website is infected, the longer they can use it to send spam emails and

infect your visitor's computers.

In order to keep a WordPress installation secure, you need to

ensure that you keep plugins to a minimum and update them as soon as new versions are released! It can be very tempting to add dozens and dozens of plugins to your WordPress

site and give it loads of bells and whistles, but the more plugins you

have, the more chance there is that one of them could have a

vulnerability. Only install the plugins you need and remove any you aren't

using........you can always install them again later if need be.

If a plugin hasn't been updated for a long time, then it's possible that the

developer has stopped supporting it and you should consider whether it's safe to

keep using. You can find out what plugins have known issues by visiting the WPScan Vulnerability Database.

Alternatively there are plugins(!!) that utilise the database to tell you whether any of the plugins you have installed

have issues. A scan of this very site with Plugin Vulnerabilities revealed that none

of my current plugins have vulnerabilities, but earlier versions did

have:

Google Analytics by Yoast4.2-5.3.2 - persistent cross-site scripting (XSS)

Page Builder by SiteOrigin2.0-2.0.4 - reflected cross-site scripting (XSS)

Wordfence Security3.6.1-5.1.2 - reflected cross-site scripting (XSS)

Wordfence Security1.1-5.2.2 - persistent cross-site scripting (XSS)

Yoast SEO1.5.0-1.5.6 - cross-site request forgery (CSRF)/SQL injection

Yoast SEO1.6-1.6.3 - cross-site request forgery (CSRF)/SQL injection

Yoast SEO1.7-1.7.3.3 - cross-site request forgery (CSRF)/SQL injection

This shows the importance of updating plugins as soon as a new version is released!

Further to this, it is recommended that you install a security plugin, which can walk you through all the steps required to

make your site more secure. We use iThemes Security (formerly Better WP Security) and it is best to install this as

the first plugin you use, as some of the recommended changes cannot be made after you start to build your site and add content. However, even installing and implementing the basic changes on an established WordPress site WILL make

it more secure.

As even a secure WordPress website can be hacked without

the owner knowing, it is important that you also scan your website regularly to detect if any

hidden malware has been injected into your site! As a web host, we shut down sites as soon

as we realise they are compromised, but by then it

might be too late. Your site is lost and your domain might even be

blacklisted!

Our web hosting plans allow you to carry out a full back-up of your website and database, but this involves

manually running the back-up. There are automated ways to back-up your website, plus we will tell you about

the various services and plugin solutions that will help you detect if malicious malware has been injected into your WordPress website, so you can take immediate

action!

For more information please visit

http://www.freshwebz.co.uk/