This is a question I’ve been asked before. Usually it’s meant more like “why would someone be interested in hacking or messing with my website? I’m not a big fish, no one cares what I do or has any interest in my site.”

The thing is, oftentimes it’s the same thing that happens when a thief randomly walks a street in a neighborhood and checks random cars to see which door may be unlocked. Once they find an unlocked door they go through what they can, and oftentimes they may not strike it big, but it’s a hassle for you. Malicious hacking of a website goes a step further. First of all, they don’t have to personally wander around your neighborhood and look up your website; there are bots that stroll through hundreds or thousands of sites, just “checking” to see if “the door is locked”. And when they find one that’s unlocked, they can sometimes use the resources of that site for other nefarious things, such as sending spam email using your domain name and server resources, or using your server hardware to attack someone else’s website. Or maybe your website gets loaded with malicious code, so when a client of yours, or maybe a friend, visits your site to see your latest article, suddenly their computer or mobile phone becomes infected or compromised, and now the original attacker continues the cycle.

I’ve also heard it said that my website should be deflecting all of these types of malicious attacks, and YES, there are firewalls and server hardening that whoever runs your server should configure and continually monitor to help protect the servers and watch for malicious behavior (basically locking all the doors and turning on the alarm). But if you never update and patch your WordPress instance and fix security issues with it, then all the secured doors in the world can’t prevent the open window your website may provide to a hacker.

So what should I do to protect my site?

  1. Don’t use plugins that are NOT up to date or haven’t been maintained by their developers. Most WordPress plugins get frequent maintenance and are tested with current versions of WordPress. This means the developer of that plugin is most likely staying current with security updates, and as long as you’re updating those plugins you can help keep those “windows” shut.
  2. Use secure passwords. A brute force attack is where a tool or a bot just tries a bunch of passwords against your website. You may be thinking, “I’d get bored trying a bunch of random passwords on a website,” but you have to remember that simple programs don’t get tired. They can try hundreds and thousands of password combinations, and the more resources they have, the faster they can do it.
  3. Keep your WordPress instance up to date. This gets tougher, because we all know we can simply hit the upgrade plugin or WordPress button and be good to go, but sometimes those upgrades can break your page, site, custom development, etc. So you’re going to want to test those upgrades before you commit fully to them. Oftentimes having a “staging” site or another environment where you can upgrade your WordPress instance and then see how it performs is a great way to avoid bringing down your main website in case there are any gotchas.

These are just a few tips on how to protect your WordPress website on the web. If you don’t have the time to do these, let us do it for you! Reach out to us today and we can help!