Since WordPress now powers more than 20% of the world’s websites the platform has become an increasing target for attacks. While WordPress is still a stable and secure platform there are folks out there looking for ways to exploit the open source nature of the code and cause problems for site owners. Some common attacks are SQL injection (typically using a contact form to exploit) and the recent widespread Brute Force attack. Many of the sites I manage for my clients were built using WordPress software and I’m doing my best to be vigilant about their security. If you’re managing the security on your own site, here’s what I recommend.
Keep your WordPress version and Plug Ins Updated
One of the ways hackers can attack your site is through known vulnerabilities in the code. WordPress and plug in developers release new versions of their software to address these vulnerabilities, but those new versions won’t work if you don’t install them. Make it a habit to update your software on a regular basis, or contract with your site administrator to do so.
Keep your User Names and Passwords Secure
The recent Brute Force attack on WordPress websites targeted accounts with the user name of Admin. One of my clients’ hosting provider, Hostgator, offers an extensive blog on the Brute Force attack and how to protect your wp-login.php files. Best advice, don’t use “admin” as your user name and if you are, change it. Here’s the full techy version of their WordPress Login Brute Force attack blog post.
Install WordPress Security Plug Ins
Security is all about layers, so it’s helpful to install more than one plug in if you find your site being compromised. Wordfence comes highly recommended and gives users a real time look at log in attempts. antivirus scanning, malicious URL scanning and is multi-site compatible. BulletProof is another popular security plug in that offers .htaccess security. For the non technical, this is a first line of defense against malicious attacks.
Scan your Site for Malware
If you’re curious about whether your site is clean, the online security company Sucuri has a free scanning tool that is accurate and fast. If you do find that your site is infected they will clean it for you through their subscription service. I’ve had very good luck using them in the past and found them fast and accurate. If you don’t feel like searching for malicious code inside your site, they’ll do it for you.
If you do find that your site is infected and Google has blacklisted you or at least put an alert on your search engine results attend to the problem as soon as you can. Get your site cleaned up using any of the above resources. Then ask Google to reconsider your page and remove the block. You can request the site be inspected through your Google Webmaster Tools account.
Have you been affected by any of the recent attacks? How have you handled security on your WordPress site?