Web Development 11 min read

Coming Back from a Hack: A Guide to WordPress Security

Written on 23 Dec 2020
Overview

Hackers and other malicious parties love to attack poorly-secured WordPress sites. If you don’t want to be one of their targets, read on. 

A Guide to WordPress Security     
There’s nothing worse than coming back to your WordPress site and finding out that it has been compromised. Weeks or months of work can be undone in an instant, and all because you didn’t change the default admin username from ‘admin’. Don’t worry though, we’re here to help you lock it down with these WordPress Security tips. I’m going to break it down into three sections:
  1. Not getting hacked in the first place
  2. Knowing whether you’ve been hacked
  3. What to do if you’ve been hacked.
Let’s go. 

Not Getting Hacked (for Dummies) 

There are three pillars of security that absolutely anybody can implement, even with little to no technical background. They are: 
  1. Password Control
  2. Frequent Updates
  3. Proper vetting of third-party installations
Which is still a little intimidating, so let’s break it down further. 

Password Control

There is one very simple thing that contributes to 90% of compromised WordPress pages we see, and it’s this: you need to use better passwords. There’s something called a ‘dictionary attack’ where hackers will spam common passwords at millions and millions of accounts until they find somebody who hasn’t locked things down properly. 
This includes passwords like “password” and “password123”, and for WordPress in particular it means “admin” as the administrator password. It also means not using the names of your pets or the name of your site, or anything that it’s easy to guess. 
The second sort of common attack that can be negated by better passwords is a ‘brute force attack’, where an attacker will try thousands or hundreds of thousands of password combinations on the same site. If these come too fast they’ll often hit rate limiters and be locked out, so these days they tend to hit with a “slow brute force” where they attack the same site over a period of weeks or months, with a velocity of login attacks designed not to tip off security. Using “Password519” instead of “password123” might protect you against some dictionary attacks, but it’s still very weak and liable to fall to attackers. 
We highly recommend using a password manager, both to remember your passwords but also—crucially—to generate passwords that are harder for attackers to break. They can initially be a bit annoying to set up, but they’ll save you a lot of time and trouble in the long run.

Don’t Reuse Passwords

Compromised passwords will often be collated and placed online in “dumps” for other hackers to use. Your WordPress can be perfectly secure, but if you’re using the same password on an old forum account, then it becomes very easy for attackers to compromise the WordPress. 

Change Passwords Regularly 

If something goes wrong and your WordPress password gets compromised, it’s likely to show up in a dump at some point. If you know a password is compromised then change it immediately, but it’s good practice to change them at least once every six months anyway.      
If you’re saying “well then I’ll just forget them!” well, that’s why you use a password manager. I feel like I’m banging this drum a lot but it’s amazing how many hacks could be avoided if website owners took better care of their passwords. 

Check Your Updates

When a vulnerability gets found in a piece of software, the immediate response is to patch it—to send out fixes to the code to stop it happening again. The problem then becomes that the vulnerability is well-known and so attackers will start using it to target WordPress installations that haven’t updated recently. 
WordPress Core is, generally speaking, extremely secure, but it isn’t immune to this. New vulnerabilities are being discovered all the time, and while their team is very fast to discover and patch them, it means nothing if you’re never installing the updates. I’m often told by website owners that it’s “annoying” and they “can’t be bothered” but let me put this forward: if your car is leaking gas all over the road, it’s annoying and difficult to get out and patch it up, but it’s much better than ignoring it and keeping on driving. That’s what you’re doing by not installing updates: you’re putting your site in danger because you can’t spare ten minutes letting a patch install. 

Update your Plugins and Themes

The same rules apply to third-party vendors you’re plugging into your WordPress. Third-party installations are a major source of WordPress vulnerabilities, which leads us onto our next point: 

Properly Vett All Plugins (and Themes) 

WordPress Core is extremely secure, but one of the things that makes WordPress popular in the first place is its massive plugin ecosystem. This gives you a huge amount of flexibility and power, but it’s worth noting that third-party plugins are a very popular vector for attack. It’s much easier to compromise a plugin worked on by a team of 3 than a CMS being worked on by a massive company, and attackers will use cracked plugins to create backdoors into sites that install them. 
It’s hard to definitively say whether or not a plugin is compromised, but a good rule of thumb is to check the last time they updated: if it’s more than a year ago, it’s unlikely that they’re keeping up to date with modern threats. A lot of this is also just common sense: if something feels like a scam, don’t install it. You wouldn’t give out your house keys to absolutely anybody off the street, and you shouldn’t give permissions to any plugin (or theme) you don’t trust.

Make a Backup

This isn’t really a prevention point but I wasn’t sure where else to put it: 
  • Make
  • A
  • Backup
When a virus took down the entire Maersk company in 2017, the only thing that saved their entire international network was that somebody in their Australian office had made a backup. Billions and billions of dollars hinged on the fact that somebody had the foresight to make a backup. You will probably not need it, but on the day you do need it, it means everything

DNS Level Security

Another thing that doesn’t quite fit, but is an important hacking prevention tool: set up Cloudflare. Cloudflare’s security protocols are a big part of the reason successful hacks have been falling, and basically every responsible website owner has it set up at this point. Cloudflare has several performance optimization features that will slash down load times, but it’s their easy-to-use WAF that we’re interested in today.
There are also a variety of third-party security plugins out there. As mentioned, you definitely need to be vigilant with your plugins, but three that we’ll sign off on are iThemes Security, Sucuri, and Wordfence. The CodeClouds team uses iThemes Security for a lot of clients, and we’ve experimented with the others and found them solid picks. 

How Do I Know If I’ve Been Hacked? 

Often you don’t. Some attackers will deface or damage the site in big and obvious ways, but often they’ll use more subtle methods. One of the more common types of attacks on WordPress sites is cross-site scripting, or XSS. What that means is they gain access to your site in order to attack your users. They’ll do this by implanting scripts and other code into your site—often invisible unless you’re reading the code itself—which will leverage the trust users have in your site in order to attack them. I sometimes run into website owners who are shocked that they’ve been hacked because they didn’t notice and they assumed attackers would leave a big screen ASCII skull to let everybody know where they’d been. 
If users are telling you they’re having unusual interactions with your site, take it very seriously: you could be acting as an asymptomatic host and hurting your customers. This is one of the reasons it’s important to have proper contact information and/or customer feedback tools on your site.
Some signs you’ve been hacked are very obvious: 
  • Passwords no longer work
  • New users have been added. Not necessarily admin users either: hackers will sometimes come in at a lower-level and then gradually escalate permissions from inside the system. If you’re running a site where users can create their own accounts this can be very hard to keep track of. 
  • Changes to the frontend such as new buttons 
  • Posts or content being published without your knowledge 
Do your due diligence and try to figure out whether there’s a more mundane answer (hey, we all forget our passwords sometimes) but generally speaking, if something has changed and you didn’t change it, (and you didn’t expect it to change) that’s a sign you’ve been hacked. 
I’ll say this though, 95% of the time this happens to me, I check with one of the other admins and it turns out it’s just them. Changes are hardly a definitive alarm, it’s just a sign that maybe something is worth investigating. Emailing the other admins takes 2 minutes, and that 5% of the time it’s not one of them, then you’re in real trouble and it’s better to know. 

It’s Too Late, I’ve Been Hacked. What Do I Do? 

There are two ways this could go
  1. I still have access to the WordPress admin
  2. I am locked out of the WordPress admin 
The second is thankfully rare: attackers don’t like to let site owners know they’ve been there if they can avoid it. It’s also much harder to deal with, and we’ll get onto it in detail in a minute. For now
  1. I Still have Access to My WordPress Admin 
  • Check for any new users, delete any you do not recognise 
  • Change all passwords (to something secure!)
  • Check all third-party plugins and themes, uninstall any you don’t trust 
    • If that doesn’t work, uninstall all of them, even the ones you trust
  • If none of that works, re-install WordPress Core. You can do this (while preserving your site’s content) with Dashboard → Updates → Re-install Now.
  • If issues persist, revert to your backup. 
    • If you do not have a backup, consider this a lesson learned.
  1. I am Locked Out of My WordPress Admin 
You can edit some things for your WordPress installation directly in the database. For this, you’re going to want something like phpMyAdmin to make it easier. If you don’t know how to use it, then you might need to hire professional wordpress developers to help. Editing the database directly is not something I recommend unless you know what you’re doing—it’s the sort of thing where you can do more harm than good. I can’t stop you from going off and learning on your own, but unless you’re an engineer or sysadmin yourself, it’s safer to just bring in a professional. From that PMA dashboard you can change passwords and/or add a new admin user to help you take control of the account again.

Where Does That Leave Us?

If you’re reading this and you’ve been hacked, you may be frustrated about the solutions—they’re too obvious, they have too many caveats, they’re not applicable in your specific case. The best way to not be in this situation is to prevent it happening in the first place. That’s why HOW TO NOT GET HACKED is first in the article. When you get hacked, there are often solutions, but there are very rarely pretty solutions; you are probably going to need to pay someone, or lose content, or break things. Practicing good password, update and plugin hygiene is absolutely free. That’s little consolation if you’re staring at a compromised page, but it’s worth remembering in future.
professional WordPress development teams     
CodeClouds started from humble beginnings in an apartment in Kolkata, but now we’ve got over 300 staff across three continents. Our professional WordPress development teams will take your site or store to the next level.

Share this article

190 reads
Contents

Similar Reads