WordPress is one of the most popular applications on the web with over 74 million installations – that’s a staggering 35% of all active websites! Unfortunately, that massive install base also makes WordPress a natural target, and attackers focus a lot of attention on breaking into WordPress sites.
In this post, I’ll describe the most common attacks and what you can do to lessen the probability of becoming a victim.
In general, we have found that attackers compromise WordPress installations mostly by one of the two following methods:
1. Brute Force dictionary attack
Attackers operate large numbers of bots that crawl the web looking for WordPress sites and then try lists of common usernames and passwords against the login page (wp-login.php, and on many sites the xmlrpc.php interface, which accepts the same credentials).
To get an idea of the scale of attempted logins, we’ll take a look at some stats from our own infrastructure. At Winhost, we deploy an Intrusion Prevention System (IPS) at the network edge to detect malicious activity and stop attackers before their requests reach our servers. We have rules deployed on the IPS to thwart Brute Force attacks. However, we cannot make the rules too aggressive, because then they block legitimate requests. It’s a delicate balancing act that we tweak constantly.
Based on the statistics from our IPS, we typically track 9-10 million WordPress login attempts a month (malicious and legitimate attempts combined). Check out the plot below.
About 20% of these attempts are blocked by our IPS. The rest reach the web servers, where the only thing standing between the bot and your dashboard is the strength of your credentials and whatever protection the site itself applies, which is why the recommendations below matter.
2. Outdated Plugins / Themes
Many WordPress sites use various plugins and themes to enhance their sites. The problem is that many plugins and themes have security holes that allow attackers to upload malicious files (typically PHP web shells) to the server without needing to log in as an administrator. As a result, we constantly see malicious bots probing sites for these plugins, usually by requesting each plugin’s readme.txt under /wp-content/plugins/ to learn which plugins and versions are installed. Keep in mind that a deactivated plugin’s files can still be reached by a direct request, so delete plugins and themes you no longer use rather than merely deactivating them.
What does Winhost recommend to protect your WordPress site from getting hacked?
Credential Security
- Don’t use “admin” as your administrator login username. Most customers with hacked WordPress sites were still using the default administrator username “admin”, which is the first username every brute-force dictionary tries. WordPress does not let you edit a username from the dashboard, so create a new user with the Administrator role and an unguessable name, log in as that user, and then delete the old “admin” account (attributing its posts to the new user when prompted).
- Use strong passwords. We recommend passwords of at least 12 characters with upper- and lower-case letters, digits and symbols, and never a password you also use on another site: a password that appears in a leaked password list will be in the bots’ dictionaries no matter how complex it looks.
- We know it’s a pain, but change your password frequently. We recommend you change your password every month, and immediately if you suspect the site or your own computer has been compromised. Rotation is no substitute for a unique password, though; if you use a service like LastPass, it can generate unique passwords and make managing and changing them easier.
- Lock down access to your wp-admin section by IP address
  - You can limit access to the WordPress Admin site to a set of allowed IPs (e.g. your home or office IP). Check first that those addresses are static; a home connection whose address changes will lock you out of your own dashboard.
  - You can create an IP allow list by adding the following code to the web.config file in the /wp-admin directory. Two caveats: the /wp-admin directory also contains admin-ajax.php, which many plugins and themes call from the public front end, so test the site as an anonymous visitor afterwards (or exempt admin-ajax.php with a <location> element); and wp-login.php lives in the site root, not in /wp-admin, so this rule does not stop login attempts by itself. To restrict logins as well, apply the same ipSecurity element to wp-login.php through a <location path="wp-login.php"> element in the root web.config.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<security>
<!-- allowUnlisted="false" denies every address that is not listed below -->
<ipSecurity allowUnlisted="false">
<!-- replace 1.2.3.4 with your own public IP; add one <add> line per allowed address -->
<add ipAddress="1.2.3.4" allowed="true" />
</ipSecurity>
</security>
</system.webServer>
</configuration>
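The IPS and the IP allow list work at the network and web-server layers. Sites that cannot pin an IP (or that need admin-ajax.php reachable) can still slow brute-force bots inside WordPress itself. The following must-use plugin is an added example written for this post, not Winhost’s code or a WordPress feature; it uses only the standard hooks (wp_login_failed, authenticate, wp_login) and transients. The thresholds, the file name and the transient prefix are assumptions.

```php
<?php
/**
 * Plugin Name: Login Lockout (added example)
 * Description: Temporarily refuses logins from an IP after repeated failures.
 *
 * Save as wp-content/mu-plugins/login-lockout.php (must-use plugins load
 * without activation). The thresholds below are assumptions; tune them.
 */

define( 'LL_MAX_FAILURES',   5 );                       // failures allowed ...
define( 'LL_WINDOW_SECONDS', 15 * MINUTE_IN_SECONDS );  // ...within this window, which is also the lockout length

/**
 * Source address of the current request.
 *
 * REMOTE_ADDR is set by the web server and cannot be forged by the client.
 * Do NOT read X-Forwarded-For here unless a trusted proxy in front of the
 * site overwrites it; otherwise the attacker chooses which IP gets locked out.
 */
function ll_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

/** Transient name for an IP's failure counter (hashed to keep the name short and safe). */
function ll_key( $ip ) {
    return 'll_fail_' . md5( $ip );
}

// 1. Count every failed login per source IP. wp_login_failed fires from
//    wp_authenticate(), so logins attempted through xmlrpc.php are counted too.
add_action( 'wp_login_failed', function ( $username ) {
    $key      = ll_key( ll_client_ip() );
    $failures = (int) get_transient( $key ) + 1;      // get_transient() returns false when unset
    set_transient( $key, $failures, LL_WINDOW_SECONDS ); // each failure restarts the window
} );

// 2. Refuse authentication while the IP is locked out. Priority 30 runs after
//    WordPress's own credential check (priority 20), so a correct password is
//    rejected as well and the lockout cannot be used to confirm a guess.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $failures = (int) get_transient( ll_key( ll_client_ip() ) );
    if ( $failures >= LL_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf(
                'Too many failed logins from your address. Try again in %d minutes.',
                LL_WINDOW_SECONDS / MINUTE_IN_SECONDS
            )
        );
    }
    return $user;
}, 30, 3 );

// 3. A successful login clears the counter for that IP.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( ll_key( ll_client_ip() ) );
}, 10, 2 );
```

Attempts made during the lockout still fail and still increment the counter, so a bot that keeps hammering extends its own lockout. A bot that rotates through many IP addresses will not be stopped by a per-IP counter; that is what the IPS at the edge and a strong, non-default username and password are for.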
PHP Version
Set your site’s PHP version to 7.1 or above. Older PHP branches no longer receive security fixes, so check https://www.php.net/supported-versions.php and move to a branch that is still supported whenever your current one reaches end of life.
Update WordPress Frequently
- Update WordPress to the latest version regularly. See http://codex.wordpress.org/Updating_WordPress
- Update all themes and plugins regularly.
- We recommend that you set WordPress to update itself automatically. Minor (security) core releases already install themselves by default; major core releases, plugins and themes have to be switched on explicitly.
- If you choose to update WordPress manually, then update it at least once a month.
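One way to switch on the updates listed above is a must-use plugin such as the following. It is an added example for this post, not Winhost’s code or part of WordPress; it relies on the standard filters allow_major_auto_core_updates, auto_update_plugin and auto_update_theme. The file name and the pinned plugin slug are assumptions; defining WP_AUTO_UPDATE_CORE as true in wp-config.php is the equivalent switch for core.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example)
 * Description: Turns on automatic updates for core, plugins and themes,
 * with a short list of plugins that must be updated by hand.
 *
 * Save as wp-content/mu-plugins/auto-update-policy.php.
 */

// Weak setting to check for first: if wp-config.php contains
//   define( 'AUTOMATIC_UPDATER_DISABLED', true );
// every automatic update, including security releases, is switched off and
// nothing in this file will run. Remove that line.

// Core: minor/security releases already install themselves by default.
// This additionally allows major releases (same effect as
// define( 'WP_AUTO_UPDATE_CORE', true ) in wp-config.php).
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Plugins: update everything except the slugs in $pinned, for plugins whose
// upgrade needs a manual migration or testing on a staging copy first.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $pinned = array( 'example-custom-checkout' ); // assumed slug, not a real plugin
    if ( isset( $item->slug ) && in_array( $item->slug, $pinned, true ) ) {
        return false; // still shows in the dashboard as needing an update
    }
    return true;
}, 10, 2 );

// Themes: update all of them.
add_filter( 'auto_update_theme', '__return_true' );
```

Pinning a plugin means you own its updates: check the dashboard for it at least monthly, as the manual-update advice above says, because a pinned vulnerable plugin is exactly what the bots in section 2 are looking for.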
Backup Site and Database
We recommend that you back up your site and MySQL database. Keep at least 2 weeks’ worth of backups, because you may not realize your site has been hacked immediately, and a backup taken after the compromise only restores the attacker’s files. Don’t rely on Winhost’s nightly backups, because they only retain about 3 days’ worth. You can automate the backups by using our SiteBackup service.
SiteLock Security service
Consider subscribing to SiteLock Premium or Enterprise service and enabling SmartScan. SmartScan checks your site daily for malicious files and also reports on newly created files, which is often the first sign that a plugin vulnerability has been used to drop a web shell.
What we do at Winhost to protect your WordPress site
- As described above, our IPS system provides some protection against attacks.
- If you suspect your site has been hacked, we can run a website scan at no cost. All you have to do is ask!
- If you want to offload the WordPress management work, we offer a Fully Managed WordPress Hosting Package – which includes:
- Updating your existing WordPress installation
- Securing and hardening your WordPress site
- A monthly site check
- Performing any upgrades
Visit Winhost to learn more about our WordPress Hosting solution