This is how you can protect your WordPress website from attacks

December 2016 was a month with an exceptionally high number of attacks. In this article, we summarise the steps you can, and should, undertake to protect your WordPress website (Hi mom!).

Don’t underestimate the threat to your WordPress site.

Cyberattacks on WordPress websites are not reserved for big companies and big websites. Everyone gets attacked, even you. On each of our clients’ websites, we get about 50 login attempts per day. These login attempts are known as brute force attacks: robots that connect to your /wp-admin/ page and try to log in with common usernames and passwords. admin/admin, admin/1234, user/WordPressPsswd and test/test are common login attempts. These robots will try different passwords over and over again, hoping to find the correct one.

50 login attempts per day: that’s 18,000 user and password combinations tested on your admin login page per year. If you have a guessable password, it will be found out.

Steps to undertake to protect your WordPress website

  • Regularly update WordPress AND your server.
  • Set extremely strong passwords for the server, WP and the DB (above 30 characters, with symbols).
  • Force every one of your WordPress users to have an extremely strong password on your /wp-admin/ page.
  • Use SSH keys and avoid FTP.
  • Use Wordfence or iTheme.
  • Set up 2-factor authentication.
  • Block all Eastern Europe traffic through Wordfence, unless you do business there.
  • Block access to your server for all foreign IP addresses. Careful if you’re travelling!
  • If possible, only allow access to your server from your IP.
  • Set up snapshots of the entire server, if possible remotely.
  • Set up a remote backup of the website itself.
  • Set up Wordfence so that it blocks multiple login attempts.
  • Do not use “admin” or something similar as a username.
  • Use a random username for the DB.
  • Log in yourself with a non-elevated user; have a separate admin user and super admin user.
  • Set up auto-updates of plugins you trust. Disable updates from shady plugins (they can sometimes inadvertently open backdoors or install malware with an update).
  • Do a virus scan of your own PC.
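
To see the brute force attempts described above in your own logs, and what a "block multiple login attempts" rule reacts to, here is an added example (not part of the original article, and not Wordfence's code) that counts failed logins per IP in a web server access log. It assumes the combined log format, that the login form posts to /wp-login.php, and that a failed login returns 200 while a successful one redirects with 302; the threshold of 5 failures in 10 minutes and the log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip - - [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_login_post(line):
    """Return (ip, time, status) for a POST to /wp-login.php, else None."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    if m["path"].split("?", 1)[0] != "/wp-login.php":
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, int(m["status"])

def find_bruteforce(lines, max_failures=5, window=timedelta(minutes=10)):
    """Map each IP with more than max_failures failed logins inside
    any sliding window to its peak failure count."""
    failures = defaultdict(list)
    for line in lines:
        hit = parse_login_post(line)
        # Assumption: 200 = login form shown again (failure), 302 = success.
        if hit and hit[2] == 200:
            failures[hit[0]].append(hit[1])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1          # drop attempts older than the window
            peak = max(peak, end - start + 1)
        if peak > max_failures:
            flagged[ip] = peak
    return flagged

def _line(ip, sec, method, path, status):
    return (f'{ip} - - [12/Dec/2016:03:14:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 1024 "-" "-"')

# Constructed sample log: one robot (8 failures) and one normal user.
SAMPLE_LOG = (
    [_line("203.0.113.7", s, "POST", "/wp-login.php", 200) for s in range(0, 40, 5)]
    + [_line("198.51.100.23", 10, "POST", "/wp-login.php", 200),
       _line("198.51.100.23", 20, "POST", "/wp-login.php", 302),
       _line("198.51.100.23", 30, "GET", "/wp-admin/", 200)])

if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins within 10 minutes")
```

The user who mistyped a password once and then logged in is not flagged; only the address that keeps failing is.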

Be advised that attacks on your website will continue. It’s just necessary to keep the wolves out of the house.


What to do if you have been hacked?

Call us or send us an email, or contact anyone who knows about WordPress security. And do it quickly. Keeping a hacked website online for too long will result in your domain name being marked for spam or illegal activity.