Security Issues With WordPress


So, you're using WordPress for your blog or other marketing website. Great! WordPress is a fantastic piece of software, and in and of itself is extremely secure.

The problems start when you begin to extend the capabilities of WordPress with custom plugins and themes. Because WordPress is so extensible, it is also one of the most frequently hacked platforms on the net.

The problem is that these add-ons often have not had nearly as much security vetting as they should, certainly not as much as the core code of WordPress itself. This leads to all sorts of potential security problems, and since the only security auditing done on most plugins is that done by the authors themselves, security holes can exist for months or even years.

How WordPress Sites Usually Get Hacked

Usually this happens when hackers discover a security vulnerability in a plugin and then develop an exploit for it. If you happen to be using that plugin, you're now a target.

Generally, plugins leave identifiable "footprints" in the content that gets sent to the web browser, so it is fairly simple to tell whether a given site is using a particular plugin. Would-be hackers can just pull the main pages of a bunch of websites, look for the footprint, and build a list of sites to attack with their exploit.

As an example, there might be a plugin that adds social media "share" icons to your site (e.g. SexyBookmarks and such). The code that it produces and puts on the site may contain HTML comments that identify it as coming from that plugin. All the attacker has to do is look in the HTML for those comments. Properly crafted Google queries can search for sites that have the footprint; now Google is helping the hackers target their victims!
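The same footprints a scanner looks for are the ones a site owner should inventory first. The script below is an added example, not code from the original post: given the HTML your own site serves, it lists the plugin slugs visible in `/wp-content/plugins/` paths, any version strings exposed via `?ver=` query parameters, HTML comments that mention a plugin, and the `<meta name="generator">` tag that reveals the WordPress version. The sample HTML and the plugin names `example-share-buttons` and `example-contact-form` are constructed for the example.

```python
import re

# Constructed sample of what a WordPress page might send to the browser.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="https://example.com/wp-content/plugins/example-share-buttons/css/style.css?ver=2.1.0" />
<script src="/wp-content/plugins/example-contact-form/js/form.js?ver=1.0"></script>
</head><body>
<!-- Social share icons generated by the Example Share Buttons plugin -->
<div class="esb-wrap">...</div>
<script src="/wp-content/themes/example-theme/main.js"></script>
</body></html>"""

# Plugin slug is the first path segment after /wp-content/plugins/; the rest of the
# URL (up to a quote, whitespace or angle bracket) is kept so we can pull a version from it.
PLUGIN_PATH_RE = re.compile(r"/wp-content/plugins/([\w-]+)/([^\"'\s<>]*)")
VER_RE = re.compile(r"[?&]ver=([\w.-]+)")
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
# Assumes name= precedes content=, which is how WordPress emits the tag.
GENERATOR_RE = re.compile(r"<meta\s+name=[\"']generator[\"']\s+content=[\"']([^\"']+)[\"']", re.I)


def inventory_footprints(html):
    """Return the plugin and version information an outsider can read from the HTML."""
    plugins = {}
    for match in PLUGIN_PATH_RE.finditer(html):
        slug, rest = match.group(1), match.group(2)
        versions = plugins.setdefault(slug, set())
        ver = VER_RE.search(rest)
        if ver:
            versions.add(ver.group(1))
    comments = [c.strip() for c in COMMENT_RE.findall(html) if "plugin" in c.lower()]
    generator = GENERATOR_RE.search(html)
    return {
        "plugins": {slug: sorted(v) for slug, v in plugins.items()},
        "comments": comments,
        "generator": generator.group(1) if generator else None,
    }


if __name__ == "__main__":
    report = inventory_footprints(SAMPLE_HTML)
    for slug, versions in report["plugins"].items():
        print(f"plugin {slug}: versions exposed {versions or '(none)'}")
    for comment in report["comments"]:
        print(f"plugin comment: {comment}")
    print(f"generator tag: {report['generator']}")
```

Run it against a saved copy of your home page (for example the output of `curl` on your own site). Every slug it lists is a plugin an attacker can also see, so each one should be either in use and kept current, or removed; exposed version strings and the generator tag tell a scanner exactly which release to match an exploit against.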

Backdoors And Other Fun

So, what usually happens when your site is hacked?

Usually, the hackers will install backdoors into your site. These are meant to give the hackers access on an ongoing basis and, worse, let them get back in if you try to clean up. Backdoors can be installed in many places: your .htaccess file, your WordPress database, and of course the PHP code files on the site.

Once the backdoors are in place, the most common things that will be done are traffic theft (by redirecting traffic from your site to theirs), using your site as a platform for attacking other sites, and simple malicious defacement of your site.
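Because backdoors hide in files you rarely open, the practical way to find them is to compare the site against a known-good copy and then inspect whatever changed. The script below is an added example, not code from the original post or from any of the plugins it mentions. It builds a SHA-256 manifest of a site directory, diffs it against a baseline taken from a clean state (a fresh install or a verified backup), and runs a few indicator checks on the added or modified files: an `eval()` applied to decoded data in PHP, a `RewriteRule` in `.htaccess` that redirects to an external host, and any `.php` file under `wp-content/uploads`, a directory that should only hold media. The fixture it audits is constructed in a temporary directory; the tampered content is a stand-in for the patterns, not a functioning payload.

```python
import hashlib
import os
import re
import tempfile

# Indicator heuristics. These catch common cases, not every possible backdoor.
PHP_PATTERNS = {
    "eval-of-decoded-data": re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
}
HTACCESS_PATTERNS = {
    "external-redirect-rule": re.compile(
        r"RewriteRule\s+\S+\s+https?://\S+\s+\[[^\]]*R", re.I),
    "php-prepend-injection": re.compile(r"auto_prepend_file|auto_append_file", re.I),
}


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (forward-slash relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifest(baseline, current):
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def scan_file(root, rel):
    """Return the names of indicators that fire on one file (by location and by content)."""
    hits = []
    if rel.startswith("wp-content/uploads/") and rel.endswith(".php"):
        hits.append("php-file-in-uploads-dir")
    patterns = HTACCESS_PATTERNS if rel.rsplit("/", 1)[-1] == ".htaccess" else PHP_PATTERNS
    with open(os.path.join(root, *rel.split("/")), encoding="utf-8", errors="replace") as f:
        text = f.read()
    hits.extend(name for name, rx in patterns.items() if rx.search(text))
    return sorted(hits)


def audit(root, baseline):
    """Integrity diff plus indicator scan; returns {relpath: {"change": ..., "indicators": [...]}}."""
    changes = diff_manifest(baseline, build_manifest(root))
    findings = {}
    for rel in changes["added"]:
        findings[rel] = {"change": "added", "indicators": scan_file(root, rel)}
    for rel in changes["modified"]:
        findings[rel] = {"change": "modified", "indicators": scan_file(root, rel)}
    for rel in changes["removed"]:
        findings[rel] = {"change": "removed", "indicators": []}
    return findings


def build_demo_site():
    """Constructed fixture: a tiny site, a clean baseline, then three kinds of tampering."""
    root = tempfile.mkdtemp(prefix="wp-audit-")

    def write(rel, text):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(text)

    write("index.php", "<?php require 'wp-blog-header.php'; ?>\n")
    write("wp-content/plugins/example-plugin/example.php",
          "<?php function example_hello() { return 'hello'; } ?>\n")
    write(".htaccess", "RewriteEngine On\nRewriteRule ^index\\.php$ - [L]\n")
    baseline = build_manifest(root)
    # Tampering (constructed stand-ins): obfuscated eval appended to a plugin file,
    # an external redirect added to .htaccess, and a PHP file dropped into uploads.
    write("wp-content/plugins/example-plugin/example.php",
          "<?php function example_hello() { return 'hello'; }\n"
          "$d = 'Zm9v'; eval(base64_decode($d)); ?>\n")
    write(".htaccess", "RewriteEngine On\nRewriteRule ^(.*)$ http://attacker.invalid/$1 [R=302,L]\n")
    write("wp-content/uploads/image.php", "<?php echo 'placeholder'; ?>\n")
    return root, baseline


if __name__ == "__main__":
    site, clean = build_demo_site()
    for rel, info in sorted(audit(site, clean).items()):
        print(f"{info['change']:9} {rel}  indicators={info['indicators'] or '-'}")
```

Against a real site, take the baseline from a copy you trust (right after installing or restoring from backup) and store it off the server, since a backdoor with write access could otherwise alter the manifest along with the files. The indicator list is deliberately short; treat any added or modified file as worth reading even when no pattern fires, and remember that database-resident backdoors need a separate check of the `wp_options` and post content tables.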

What Can You Do? Securing Your WordPress Site

Unless you're a computer security expert, you'll probably need some help with securing your site. Don't despair; help is available!


First, you should install a good WordPress security plugin. There are several excellent such plugins out there: "Better WP Security," "BulletProof Security," and "Ultimate Security Checker" all come to mind. If you're unfamiliar with this, the "Better WP Security" plugin is probably a good place to start.

Simply install the plugin and activate it. Right out of the box, it does a lot to help secure your site: it locks down and protects your PHP files, hardens your .htaccess files, and makes automated backups of your database and of your site files. The backups are particularly important, as they let you restore a clean copy if your site does get hacked.

There are other security aspects that the plugin can't really address, such as the configuration of your web server itself, the file permissions on your PHP code files, how PHP is configured to behave, and system-level security, just to name a few. Most of these will be outside your control unless you do your own hosting. However, if you get your hosting through a reputable, professional provider like Bluehost or HostGator, you can be reasonably sure that those issues are being handled.

Crap! I Got Hacked Anyway! Now What?

At this point, it's probably best to call on an expert for assistance. The good news is that you can find help like this on eLance for a fairly reasonable fee. You should expect to pay roughly $100 to $200, depending upon how complex your site setup is and the extent of the damage, to fix things.

A qualified expert should be able to help you clean up all the backdoors and patch whatever holes the hacker used to get in, and as long as you've got backups, you should be OK.

Unless a particularly malicious hacker has completely deleted your site, you should be able to recover and get back in business in fairly short order. Be sure to install the latest versions of WordPress and of any plugins you have to use; get the latest version of one of those security plugins installed and configured, and you'll have done everything you can to keep it from happening again.
