WordPress hacks: 5 ways to protect WordPress from hacking

Selina Bieber

Editor’s note: This article originally published by Dutch Hill on the Sucuri Blog.

WordPress is one of the most popular content management systems (CMS) out there. That’s why it is vital to prevent WordPress hacking.

Statistically, over 33% of websites currently run on WordPress.

This post is not a “one size fits all” overview, as there are many other ways to protect WordPress from hacking. Here at Sucuri, we certainly advocate researching and expanding core security values.

Here are some tips on protecting your site against WordPress hacks.

1 – Use strong passwords & management

Many WordPress websites are hacked because attackers find a way to discover the website credentials, most commonly through brute force attacks (automated guessing of usernames and passwords). The risk of suffering a successful brute force attack decreases significantly when you use strong passwords.

Creating complex, hard-to-guess passwords is a great way to prevent this from occurring. Multiple services and applications require a username and password, for example wp-admin logins, databases, FTP/SFTP, etc. It can be daunting even to think of how to remember dozens of passwords without either writing them down or reusing the same password across the board (neither of which is recommended).

Fortunately, you can use a password manager to store and encrypt passwords safely. Though there are several, one password manager we recommend is LastPass.

LastPass – Password Generator

LastPass is an app/extension that both creates and remembers your passwords so you don’t have to. It will even alert you if some of your passwords are too weak.

You can watch this short video on how to create a strong password:

2 – Use the Principle of Least Privilege

Don’t delegate access to users or developers you don’t 100% trust. If you absolutely have to give access, be sure to restrict it: grant the lowest set of privileges allowable for each user’s tasks. And once their task is complete, we highly recommend that you remove their access immediately. These are the actions behind the principle of least privilege.

Here’s a simple quote that sums it up best:

“There is only two people I can trust; you and me – and I’m not so sure about you.” ― Shon Harris, CISSP Boxed Set, Second Edition

3 – Keep WordPress plugins secure & updated

WordPress at its core is secure, with developers who constantly update the CMS, as well as a broad community who help further secure it by publishing plugins to assist in these efforts. Installing too many plugins without being certain they are secure can lead to WordPress vulnerabilities or your WordPress site being hacked.

The community built around WordPress is entirely open source, meaning anyone and everyone has access to the code/content of plugins and themes. If you are interested in plugin security, we have hosted a webinar on how to know for sure if a WordPress plugin is secure.

Think of each plugin you install as an extra door into your WordPress site. If you have the best security methods only deployed on the front and back door but forget about securing the ‘side entrances’, you are essentially inviting hackers to exploit these areas too.

Though installing certain plugins can help alleviate the load of some tasks and even add cool and snazzy functionality to your WordPress site, ultimately these plugins can be used against you. Here’s a recent exploit we found within a WordPress Live Chat Plugin.

In this video, we explain the importance of keeping everything in your website updated:

4 – Use a WordPress hardening method

You can use hardening methods to protect WordPress from hacking, such as:

  • Adding additional allow/deny rules via your .htaccess file,
  • Restricting login URLs to specific IP range(s),
  • Protecting your wp-config file,
  • Blocking direct access to files in wp-includes,
  • Preventing image hotlinking, as well as preventing directory browsing,
  • Not logging in over public WiFi (or at least using a VPN if you must),
  • Deleting unused WordPress plugins and files,
  • Keeping your server clean.
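Most of the .htaccess items in that list map to a handful of Apache directives. The following is an added example written for this article, not Sucuri's code: it embeds a constructed hardened .htaccess next to a constructed stock one (Apache 2.4 `Require` syntax) and a small POSIX shell audit that reports which of the five controls a given file is missing. The IP range 10.0.0.0/24 and the domain example.com are placeholders.

```shell
#!/bin/sh
# Added example (not Sucuri's code): a constructed hardened .htaccess beside a
# stock one, plus a POSIX sh audit that reports which hardening controls a
# given .htaccess lacks. Directives use Apache 2.4 syntax (Require ...).

# Constructed hardened .htaccess. 10.0.0.0/24 and example.com are placeholders;
# replace them with your own admin IP range and domain before use.
HARDENED_HTACCESS='
# Protect wp-config.php: deny every direct web request for it
<Files wp-config.php>
    Require all denied
</Files>

# Prevent directory browsing (needs AllowOverride Options on the server side)
Options -Indexes

# "Block includes": refuse direct requests for PHP files under wp-includes
RewriteEngine On
RewriteRule ^wp-includes/.*\.php$ - [F,L]

# Restrict the login URL to a trusted IP range (placeholder range)
<Files wp-login.php>
    Require ip 10.0.0.0/24
</Files>

# Prevent image hotlinking: block image requests whose referer is another site
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(jpe?g|png|gif)$ - [F,NC,L]
'

# Constructed stock .htaccess: roughly the rewrite block WordPress ships with.
WEAK_HTACCESS='
RewriteEngine On
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
'

# check_rule FILE DESCRIPTION ERE_PATTERN: print ok/MISSING, return 0 if present.
check_rule() {
    if grep -Eq "$3" "$1"; then
        printf 'ok       %s\n' "$2"
        return 0
    fi
    printf 'MISSING  %s\n' "$2"
    return 1
}

# audit_htaccess FILE: run every check; the return value is the number of
# controls the file is missing (0 means all five are present).
audit_htaccess() {
    missing=0
    check_rule "$1" "wp-config.php access denied" '<Files wp-config\.php>'                      || missing=$((missing + 1))
    check_rule "$1" "directory browsing disabled" '^[[:space:]]*Options[[:space:]]+-Indexes'     || missing=$((missing + 1))
    check_rule "$1" "wp-includes PHP blocked"     'wp-includes/.*\.php'                          || missing=$((missing + 1))
    check_rule "$1" "wp-login.php IP-restricted"  'Require[[:space:]]+ip'                        || missing=$((missing + 1))
    check_rule "$1" "image hotlinking prevented"  'HTTP_REFERER'                                 || missing=$((missing + 1))
    return "$missing"
}

# write_samples DIR: materialise both constructed files for auditing.
write_samples() {
    printf '%s\n' "$HARDENED_HTACCESS" > "$1/hardened.htaccess"
    printf '%s\n' "$WEAK_HTACCESS"     > "$1/weak.htaccess"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "== hardened.htaccess =="; audit_htaccess "$demo_dir/hardened.htaccess" || true
echo "== weak.htaccess ==";     audit_htaccess "$demo_dir/weak.htaccess"     || true
rm -rf "$demo_dir"
```

Run the audit against your own file with `audit_htaccess /path/to/.htaccess`. Test the `Require ip` rule from a second browser session before relying on it: a wrong range locks you out of wp-login.php along with everyone else, and if you use a WAF or CDN in front of the site the client IP Apache sees may be the proxy's, not the visitor's.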

Most website firewalls apply these methods for you by default.

5 – Prevent a WordPress hack with a website firewall

In 2018, among all hacked websites that Sucuri worked with, WordPress accounted for over 90% of all CMSs hacked.

Infected Websites Platform Distribution

A common issue we often run into is that users cannot update their WordPress version because of incompatibilities with plugins or themes. This can leave a WordPress site vulnerable to hacks.

In these instances, we recommend enabling a WordPress firewall to virtually patch the site for you.

A great option to prevent your WordPress website from hacks is enabling a Web Application Firewall (WAF).

A WAF is essentially a pass-through for the traffic that visits your site: it filters out bad requests (hack attempts, exploits, DoS, etc.) and lets the good ones through.

How a Website Application Firewall (WAF) Works

A WordPress firewall:

  • Prevents a future hack by detecting and stopping known hacking methods and behaviors to keep your WordPress site protected against infection in the first place.
  • Adds a virtual security update. Hackers quickly exploit vulnerabilities in WordPress plugins and themes. A good website firewall will patch holes in your WordPress website software even without security updates.
  • Blocks brute force attacks. A WordPress firewall should stop any unwanted visitors from accessing your wp-admin or wp-login page and using brute force automation to guess your password.
  • Mitigates Distributed Denial of Service (DDoS) attacks, which attempt to overload a server’s or an application’s resources. By detecting and blocking DDoS attacks, a WAF makes sure the WordPress site stays available even when hit with a high volume of fake visits.
  • Optimizes WordPress performance. Most website firewalls will offer to cache for faster global page speed in order to keep your visitors happy and to lower bounce rates while improving website engagement, conversions, and search engine rankings.
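The brute force bullet above (and the password advice in section 1) rests on one observable signal: many login POSTs from one source that never succeed. As an added example, not part of the original post and not Sucuri's firewall logic, the shell script below reads an Apache combined-format access log and lists the IPs whose failed wp-login.php POSTs reach a threshold. It relies on WordPress behaviour that a failed login re-renders the form with HTTP 200 while a successful one redirects with 302; the log lines, the documentation-range IPs and the threshold of 5 are all constructed for the example.

```shell
#!/bin/sh
# Added example (not Sucuri's code): find brute-force login sources in an
# Apache combined-format access log by counting failed POSTs to wp-login.php
# per client IP. This is the kind of signal a WordPress firewall acts on.

# Constructed sample log. 203.0.113.x and 198.51.100.x are documentation ranges.
# 203.0.113.7 hammers the form (six failures), 198.51.100.20 mistypes once and
# then logs in (302), 198.51.100.42 is an ordinary visitor.
SAMPLE_LOG='203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:42 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:14:02:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:14:02:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.42 - - [10/Oct/2023:14:05:01 +0000] "GET / HTTP/1.1" 200 10234 "-" "Mozilla/5.0"
198.51.100.42 - - [10/Oct/2023:14:05:02 +0000] "GET /wp-content/uploads/logo.png HTTP/1.1" 200 8123 "-" "Mozilla/5.0"'

# write_sample_log FILE: write the constructed log to FILE.
write_sample_log() {
    printf '%s\n' "$SAMPLE_LOG" > "$1"
}

# login_bruteforce_ips LOGFILE THRESHOLD: print "ip count" for every client
# with at least THRESHOLD failed wp-login.php POSTs, sorted by IP.
login_bruteforce_ips() {
    awk -v threshold="$2" '
        # Combined log fields: $1 client IP, $6 quoted method, $7 path, $9 status.
        # A failed WordPress login re-renders the form (200); success redirects (302).
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { failed[$1]++ }
        END {
            for (ip in failed)
                if (failed[ip] >= threshold)
                    printf "%s %d\n", ip, failed[ip]
        }
    ' "$1" | sort
}

demo_log=$(mktemp)
write_sample_log "$demo_log"
echo "== sources with 5 or more failed logins =="
login_bruteforce_ips "$demo_log" 5
rm -f "$demo_log"
```

Point it at a real log with `login_bruteforce_ips /var/log/apache2/access.log 5` (path assumed). If the site sits behind a WAF or CDN, the first field will be the proxy's address unless the log format has been changed to record the forwarded client IP, so check that before blocking anything based on the output.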

The WordPress firewall Sucuri offers is a cloud-based WAF that both stops and prevents website hacks and attacks. Simultaneously, it speeds up your site by using our Content Delivery Network (CDN). No installation is needed—with a simple switch of your DNS A Record, it is enabled.

In the video below, we explain how to protect your website with a website firewall.

WordPress hacks in conclusion

Implementing the 5 methods listed above will not make your site impenetrable; nothing can. Consider them useful tips for reducing or eliminating risk.

Remembering these basic concepts when creating or working on your WordPress website can help you prevent WordPress hacks from occurring. If you are looking for peace of mind and professional help, sign up for our website security platform and let us take care of your website security for you.