Hacked – Why Your WordPress Sites are Vulnerable

Tags: plugins, wordpress, security

It was only through hard learned lessons that I started to take the security of my websites seriously.  I’ve always been one of those guys that forgets to lock my car doors and often leaves my house doors open.

My outlook had always been that I didn’t want to become one of these paranoid people that were afraid to leave their house for fear of what could happen or one of these business owners that is far more preoccupied with the idea of theft than they are of growing their company.

But here is one of the things I learned about website security, and WordPress security in particular: the threats to your websites are very real and very common. The reason many people don't realize the severity of the threat is that they don't have the tools in place to detect the attempts to hack their site. Once you do, you will be blown away by how many attempts there are.

WordPress is a victim of its own popularity when it comes to hacking attacks. For years Macintosh and Apple claimed their computers had fewer viruses, but that was only because the vast majority of computers in the world were Windows-based, and consequently that was the system hackers targeted with viruses and malware.

Recently I had several of my WordPress websites attacked by what appear to be Russian hackers. Even one of my more secure sites suddenly had three new posts and several pictures added that were in Russian. A couple of my other sites' firewalls reported numerous attempts and attacks on various areas of the site. These attacks are carried out by automated scripts that look for vulnerabilities and holes in the WordPress code.

Most people concerned about WordPress security make the error of focusing only on the admin panel (wp-admin) and trying to make their password as complicated as possible. The bad news is that the vast majority of hackers do not come in through your admin panel, but rather through script injections into your site.

One of the most common areas is the TimThumb script found in the code of many WordPress sites. This is a small script that generates thumbnail pictures for your WordPress site. In 2010, thousands of WordPress sites were hacked using this vulnerability, and although it is far less vulnerable today than it was, this is still a common area where hackers try to find a back door.

It is also important to understand that most hacking attempts are automated. People often make the mistake of thinking that an actual person is trying to get into their site, when in fact it is simply an automated bot or script trying to find a vulnerability across millions of different WordPress sites. That is not to say an individual will never try to gain access to your website, but the automated bots scanning WordPress sites all across the Internet are a far more serious threat.
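The point above is that the probing only becomes visible once something is counting it. As an added example that is not part of the original post, this script tallies requests to the two endpoints automated bots hit most often, the login form and the XML-RPC interface, per client IP from a standard combined-format web server access log. The log lines in SAMPLE_LOG are constructed sample data; the IP addresses are documentation ranges, not real hosts.

```shell
#!/bin/sh
# Added example (not from the original post): count requests to WordPress login
# and XML-RPC endpoints per client IP in a combined-format access log, so the
# volume of automated probing becomes visible. SAMPLE_LOG is constructed data.

SAMPLE_LOG='203.0.113.7 - - [10/Mar/2014:02:11:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3842 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:02:11:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3842 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:02:11:07 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3842 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2014:02:12:44 +0000] "POST /xmlrpc.php HTTP/1.1" 200 371 "-" "-"
192.0.2.9 - - [10/Mar/2014:02:13:01 +0000] "GET /about/ HTTP/1.1" 200 9102 "-" "Mozilla/5.0"'

# login_probe_report LOGFILE [MIN_HITS]
# Prints "hits ip endpoint" for every client that requested wp-login.php or
# xmlrpc.php at least MIN_HITS times (default 1), busiest client first.
# Query strings are dropped so retries with different parameters aggregate.
# Field layout of the combined format: $1 = client IP, $6 = "METHOD, $7 = path.
login_probe_report() {
    awk -v min="${2:-1}" '
        $6 ~ /^"(GET|POST)$/ && $7 ~ /^\/(wp-login|xmlrpc)\.php/ {
            split($7, part, "?")
            hits[$1 " " part[1]]++
        }
        END { for (k in hits) if (hits[k] >= min) print hits[k], k }
    ' "$1" | sort -rn
}

# Stand-alone demo on the constructed sample.
demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_log"
login_probe_report "$demo_log"   # 3 203.0.113.7 /wp-login.php, then 1 198.51.100.22 /xmlrpc.php
rm -f "$demo_log"
```

Run it against a real log with a threshold, for example `login_probe_report /var/log/apache2/access.log 20`, and the clients at the top of the list are the ones worth feeding to whatever blocking plugin or firewall you use.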

The Solution…

Through trial and error I have settled on a variety of WordPress security plug-ins that I now use to secure my sites; I've included a list of them below.
(But as this recent attack showed me, no site is 100% secure.)

One of the most important plug-ins I use is called All In One WP Security and Firewall. This is a free plug-in and will block most malicious attempts trying to find backdoors into your site.

The second important security plug-in I use is called IQ Country Block. This plug-in allows me to block traffic from any country based on its IP address. Typically I block all traffic from any non-English-speaking country excluding Western Europe. This includes China, Russia, Romania, Belarus, Turkey and Vietnam as well as Ukraine. These are all countries with a high rate of hackers and where most hacking attempts originate from.

I also use a plug-in called Stealth Login. This simple plug-in adds a third entry box to the WP admin login page and allows you to set a numerical PIN, just like a bank card, that is required for logging in. If the wrong PIN is entered, the user is automatically forwarded to whichever URL you choose, which in my case is the FBI cybercrime website, which I figure is a pretty effective way to deter hackers.

A plugin called Anti Malware is an effective tool to scan your site for any viruses or malware that may have already infiltrated it. This is the first tool I use on clients' sites when I suspect a breach.
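A malware scanner is the right first move after a suspected breach, but two of the cheapest checks can be done with nothing more than the shell, and they tie back to the TimThumb discussion earlier on this page. This is an added example, not code from the post or from any of the plugins it names. It finds copies of the TimThumb script (commonly bundled inside themes and plugins under its own name or as thumb.php) and reports the version each copy declares, and it lists PHP files sitting under wp-content/uploads, a directory that should only ever hold media. It assumes TimThumb's own convention of declaring its version with `define ('VERSION', '...')`; the site tree built by demo_audit is constructed sample data.

```shell
#!/bin/sh
# Added example (not the post's own code): audit a WordPress tree for bundled
# TimThumb copies and for PHP files under the uploads directory. Assumes the
# TimThumb script declares its version as define ('VERSION', '...').

# find_timthumb SITE_DIR
# Prints "path version" for every timthumb.php or thumb.php below SITE_DIR;
# version is "unknown" when no define('VERSION', ...) line is present.
find_timthumb() {
    find "$1" -type f \( -name 'timthumb.php' -o -name 'thumb.php' \) 2>/dev/null |
    while IFS= read -r f; do
        v=$(sed -n "s/.*define *( *'VERSION' *, *'\([^']*\)'.*/\1/p" "$f" | head -n1)
        printf '%s %s\n' "$f" "${v:-unknown}"
    done
}

# find_php_in_uploads SITE_DIR
# Lists executable PHP-like files under wp-content/uploads; every hit deserves
# a manual look, since that directory is for images and documents only.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null
}

# Build a throwaway site tree (constructed sample data) and run both checks.
demo_audit() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/mytheme/scripts" "$root/wp-content/uploads/2014/03"
    printf "<?php\ndefine ('VERSION', '2.8.10');\n" > "$root/wp-content/themes/mytheme/scripts/timthumb.php"
    printf "<?php\n// constructed sample: a PHP file where only media belongs\n" > "$root/wp-content/uploads/2014/03/stats.php"
    : > "$root/wp-content/uploads/2014/03/photo.jpg"
    echo "TimThumb copies:";    find_timthumb "$root"
    echo "PHP under uploads:";  find_php_in_uploads "$root"
    rm -rf "$root"
}
demo_audit
```

On a live site run `find_timthumb /var/www/html` and compare each reported version with the current TimThumb release; any copy you did not put there yourself, and any PHP file under uploads, is something to remove or investigate before trusting the scanner's clean bill of health.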

For overall security I run two security programs, Wordfence and iThemes Security (formerly Better WP Security). These plugins combined provide very strong protection for your sites. They are both all-in-one security applications that have some duplicate features, but in the case of WordPress security it is a good idea to have multiple layers of protection, and these two don't cause any conflicts for the site.

Finally, I like to use a plug-in called WordPress Duplicator, which makes exact copies of your website and then puts them into a file that you can download to your computer and store in a safe spot. If your site is severely damaged or hacked, or your server is permanently compromised, you can simply move your domain to a new server, upload this version of your website and be up and running in less than 24 hours. I have had to do this in the past when I have had determined hackers who won't stop trying to get into my site.
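The restore described above only works if the copy you stored is intact, so a backup is worth less without a way to verify it. As an added example, not Duplicator's code or anything from the post, this script packs a site's files into a compressed archive, records a SHA-256 checksum beside it, and can later confirm the archive still matches before you rebuild from it. The database dump is delegated to mysqldump, which is only called if that command is installed and a DB_NAME environment variable is set (both assumptions of this example); the site tree in the demo is constructed sample data. Remember that wp-config.php, and therefore your database credentials, is inside the archive, so the "safe spot" really does need to be safe.

```shell
#!/bin/sh
# Added example (not the post's or Duplicator's code): archive a WordPress
# directory with a checksum sidecar and verify it before a restore.
# Assumes mysqldump for the database step, used only when available and
# DB_NAME is set.

# Print the SHA-256 of a file using whichever tool the host provides.
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# backup_site SITE_DIR DEST_DIR -> prints the archive path
backup_site() {
    site=$1; dest=$2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest/site-$stamp.tar.gz"
    mkdir -p "$dest"
    # Archive relative to the parent so the tarball unpacks as one directory.
    tar -C "$(dirname "$site")" -czf "$archive" "$(basename "$site")"
    if command -v mysqldump >/dev/null 2>&1 && [ -n "${DB_NAME:-}" ]; then
        mysqldump --single-transaction "$DB_NAME" | gzip > "$dest/db-$stamp.sql.gz"
    fi
    sha256 "$archive" > "$archive.sha256"
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE -> succeeds only if the stored checksum still matches
verify_backup() {
    [ "$(sha256 "$1")" = "$(cat "$1.sha256")" ]
}

# Stand-alone demo on a constructed site tree.
demo_site=$(mktemp -d); demo_dest=$(mktemp -d)
mkdir -p "$demo_site/wp-content/uploads"
printf "<?php\n// constructed sample wp-config.php\n" > "$demo_site/wp-config.php"
demo_archive=$(backup_site "$demo_site" "$demo_dest")
verify_backup "$demo_archive" && echo "verified: $demo_archive"
rm -rf "$demo_site" "$demo_dest"
```

Copy both the archive and its .sha256 file off the server; run `verify_backup` on the copy you intend to restore from, not on the one still sitting on a machine you suspect is compromised.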

The final thing I would add is that I have learned the hard way that security is important. It is vital that you take action today, not tomorrow, on securing your WordPress website, because you will be shocked to find out how many attempts are made in any given month to get into your site.