WordPress is one of the most popular website platforms out there. It is very easy to see why: it is really easy to administer, it has a strong community behind it, and updating things could not be more hassle-free. Put simply, it’s the apple of modern CMSs. This is why we chose to build webtemple on top of WordPress, combining its well-known and loved features with our own magic.
Since CMSs are like operating systems (e.g. Windows, Linux, macOS) for websites, one basic rule will always apply: the more popular the platform, the more people will try to hack it. This is especially true with WordPress. Throughout my career, I have gained a lot of clients by helping them recover from a hacked website.
Why Do WordPress and Website Hacking Happen?
Simply put, there are lots of reasons a WordPress site gets hacked: to gain access to the data stored on it, to use the website to spread malware, to use server resources in attacks on other sites, and so on. What all these hacks have in common, though, is that they use your website to harm someone else. And to that someone, it will look like you are trying to harm them. Unfortunately, as with having your identity stolen, you are the one who pays the price. Often that means a blacklisted domain or a poor spam rating, and it can go as far as legal repercussions.
How to prevent WordPress Hacking?
As with Windows, a strong antivirus will only protect you against known threats, but good practices and common sense will go a lot further. That being said, there are no guarantees, and there will always be one person out there who may get through and hack even websites with an insane amount of security.
But for the rest of us, here are some best practices:
You would be surprised how many login attempts using real usernames I have seen on a relatively inactive site over the span of an hour. The easiest way into a site is through a username and password combination. Knowing the username is already half the work.
Hackers find out usernames by checking your user archives. If your website has a blog, the author is, by default, published on that website in several spots. To keep things a little more secure, make sure you display authors in First Name Last Name format instead of as a username.
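One way to apply the display-name advice above across every account, as an added example that is not part of the original article: the script finds users whose public display name is identical to their login name and switches it to First Name Last Name. It assumes it runs inside WordPress (for instance through WP-CLI's `wp eval-file`); the file name and the `$dry_run` switch are names introduced here.

```php
<?php
// Added example, not from the original article.
// Run inside WordPress, e.g.: wp eval-file fix-display-names.php
// (the file name is hypothetical).

$dry_run = true; // assumption: start in report-only mode; set to false to save changes

$users = get_users( array( 'fields' => array( 'ID', 'user_login', 'display_name' ) ) );

foreach ( $users as $user ) {
    // Only accounts whose public name gives away the login need attention.
    if ( 0 !== strcasecmp( $user->display_name, $user->user_login ) ) {
        continue;
    }

    // Build "First Last" from the profile fields WordPress already stores.
    $first = trim( (string) get_user_meta( $user->ID, 'first_name', true ) );
    $last  = trim( (string) get_user_meta( $user->ID, 'last_name', true ) );
    $full  = trim( $first . ' ' . $last );

    // No real name on file (or it equals the login): report it so an
    // administrator can complete the profile by hand.
    if ( '' === $full || 0 === strcasecmp( $full, $user->user_login ) ) {
        echo "NEEDS NAME  user #{$user->ID}: no first/last name set\n";
        continue;
    }

    if ( $dry_run ) {
        echo "WOULD SET   user #{$user->ID}: display name -> {$full}\n";
        continue;
    }

    // wp_update_user() returns the user ID on success or a WP_Error.
    $result = wp_update_user(
        array(
            'ID'           => (int) $user->ID,
            'display_name' => $full,
        )
    );

    if ( is_wp_error( $result ) ) {
        echo "FAILED      user #{$user->ID}: " . $result->get_error_message() . "\n";
    } else {
        echo "UPDATED     user #{$user->ID}: display name -> {$full}\n";
    }
}
```

This changes only the name WordPress prints next to posts; the address of the author archive is built from a separate field (`user_nicename`), which the script leaves alone.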
It is very important to change your password every so often, to ensure that if someone is trying a very elaborate means of brute-forcing your password, they won’t get in. Another thing you should do is use a secure password. If your password is in the list below, your password is probably not as clever as you thought:
If your password is or resembles one of the above, your site is an easy target. Make sure to change your password ASAP. If possible, use a password management app, such as 1Password, to generate and remember a strong password. When you sign in on your own computer, just choose to remember the password and you should be good to go. Just make sure you remember the password to your password manager 🙂
How Webtemple keeps websites secure
I’m not about to spill the beans and invalidate all our hard work, but we use a combination of best practices and industry-leading technology to thwart hacking attempts. We start by filtering out known bad users against internationally maintained hacking lists. This cuts down the number of threats by 70% (no, it’s not a typo). After that, we put them through an application firewall and a browser integrity test to make sure they are actual people and not bots sent out to cause spam or to try to hack our system automatically.
For the persevering types, who pass all the previous tests, we monitor behaviours on the site and lock out users who try to do funny business and then ban them from all of our sites. We have other methods in place, but I will not get too much into those, for obvious reasons.