WordPress Security Audit
The number of WordPress installations keeps growing; WordPress has reported that there are over 59 million in existence today. It is very easy to get a WordPress blog up and running, and the learning curve is small. But as installations increase, so does WordPress hacking. Left on its default settings (a well-known administrator user name, a weak password, an out-of-date version), your WordPress website is a likely target for the automated attacks described below.
While I won't go through a complete WordPress Security Audit, I will give you some tips that reduce the chances of hackers getting into your website. When you make it more difficult for hackers, you increase the chances of them moving on to other websites. Most attacks are opportunistic and automated; hacking is about probabilities, just like anything else in life.
WordPress Creates a Default Administrative User
If you have ever installed WordPress from your hosting cPanel, it's usually a few simple steps in a wizard. You enter some information in fields, press a button, and boom! Your WordPress website is good to go.
Older versions of WordPress created a default user called 'admin', and many one-click installers still do. But guess who else knows this? Hackers. They know that most WordPress owners never change this default user name, and they count on you keeping that user intact. Every login guess they make can then be aimed at a user name they already know is valid.
Choose a Secure Password
Whether you keep the 'admin' user or not, make sure you choose a secure password. This password should not contain identifiable information such as birthdays, pet names, etc. You would be surprised how easy it is for hackers to find that information.
Your password should be at least 10 characters long (longer is better). It should include a combination of uppercase and lowercase letters, at least two numbers, and a few special characters (for example !@#$%&*).
The best idea is to use a random password generator. People don't like this option because they then have to remember these passwords, but it is the best way to ensure you are creating the most secure password possible. Use a password manager to store them; that way, you won't have to remember passwords, and you won't be tempted to reuse one across sites.
A Sneaky Trick to Play on Hackers
WordPress lets each user set a display name (the "Display name publicly as" setting on the user's profile page) that appears on posts instead of the login name. Here's a neat little trick you can use to slow hackers down.
Create a new user that is not the default 'admin' user and make it an administrator. Sign in as this new user and delete the default 'admin' user (WordPress will ask what to do with its posts; reassign them to the new user so nothing is lost). Then set the new user's display name to 'admin'. Posts will show 'admin' as the author, and anyone who tries to guess the password for the user name 'admin' will fail because that account no longer exists. Be aware that this only hides the login name from bylines: by default the author archive URL (/author/<login name>/) and the REST API users endpoint are built from the real login name, so treat it as a speed bump rather than a defense, and rely on the strong password.
WordPress Security Flaw
There have been many successive updates to WordPress, and yet it still displays a message like "you entered the wrong password for username admin" after a failed login. It's Security 101 to tell the user that the combination was wrong without confirming that either half was right. The message above tells hackers: this installation still has a user named admin, so only the password is left to guess.
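As an added example (not code from the original page), here is a small Python checker that shows how much a WordPress site still gives away about its login names, both through the login error message just described and after the display-name trick above. The responses it parses are constructed for the example and shaped like WordPress output; the user name wpowner and the site example.com are made up, and the check assumes the classic error wording and the default /author/<login name>/ archive URL.

```python
import json
import re

# Constructed sample responses for this example, not captured from a real site.
# The shape follows what WordPress emits; the user names are made up.
LOGIN_ERROR_WRONG_PASSWORD = (
    '<div id="login_error"><strong>ERROR</strong>: The password you entered '
    'for the username <strong>wpowner</strong> is incorrect.</div>'
)
LOGIN_ERROR_NO_SUCH_USER = (
    '<div id="login_error"><strong>ERROR</strong>: Invalid username.</div>'
)
# A post byline after the display-name trick: the visible name is "admin",
# but the author archive link is built from the real login name.
POST_BYLINE = (
    '<span class="author vcard">by <a class="url fn n" '
    'href="https://example.com/author/wpowner/">admin</a></span>'
)
# Shaped like the public /wp-json/wp/v2/users endpoint, which lists authors
# of published posts; "slug" defaults to the login name.
REST_USERS = json.dumps([{"id": 1, "name": "admin", "slug": "wpowner"}])


def username_from_login_error(body):
    """Login name confirmed by a wp-login.php error page, or None.

    The wrong-password message names the account, so a match means the
    account exists and only the password is left to guess.
    """
    m = re.search(r"password you entered for the username\s*<strong>([^<]+)</strong>", body)
    return m.group(1) if m else None


def login_error_is_generic(body):
    """True only if the error does not reveal whether the user name exists."""
    telltales = ("Invalid username", "Unknown username",
                 "password you entered for the username")
    return not any(t in body for t in telltales)


def author_slugs_from_html(html):
    """Login names leaked through author archive links (/author/<slug>/)."""
    return sorted(set(re.findall(r"/author/([\w.-]+)/", html)))


def slugs_from_rest_users(json_text):
    """Login-derived slugs exposed by the REST users endpoint."""
    return sorted(user["slug"] for user in json.loads(json_text))


def exposed_login_names(post_html, rest_json):
    """Everything an attacker learns without guessing a single password."""
    return sorted(set(author_slugs_from_html(post_html)) | set(slugs_from_rest_users(rest_json)))


if __name__ == "__main__":
    print("login error confirms:", username_from_login_error(LOGIN_ERROR_WRONG_PASSWORD))
    print("exposed login names:", exposed_login_names(POST_BYLINE, REST_USERS))
```

Run against the constructed data, the byline says admin but the archive link and the REST slug both say wpowner, and the login error confirms it outright. The display-name trick therefore buys little on its own; the strong password does the real work, and a security plugin or web-server rule that blocks anonymous access to the users endpoint and to /?author=N redirects closes the remaining leaks.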
WordPress Still Has Some Work to Do
WordPress has fixed some of its fingerprinting flaws. For instance, it stopped publishing the WordPress version in the readme.html file, which used to be updated with every release. Hackers could tell immediately which version of WordPress you had installed, and if your version was older than the latest, they knew exactly which published vulnerabilities would work against your website. This is the biggest reason to make sure you have the latest version of WordPress installed.
While WordPress no longer publishes the version in readme.html, it's still relatively easy to get the information. In most cases, someone can right-click on a page of the website, select View Source, and search for the phrase "WordPress". By default WordPress emits a <meta name="generator" content="WordPress x.y.z"> tag in the page head, and the core stylesheets and scripts under /wp-includes/ are linked with a ?ver=x.y.z query string carrying the same number. You can try this experiment yourself: search the page source for "WordPress" and "ver=" and examine each instance. Don't worry too much if you don't understand all of the cryptic code. You will likely find the version somewhere in there.
The image above shows a website exposing its version in the page source.
You may believe that hackers won't go to the trouble of doing this, but remember they have automated tools that do it for them. They won't scan a website by hand; their tools scan in bulk and alert them to the vulnerable websites.
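The following is an added example, not code from the original page, showing what such an automated scanner does with a page's source: it checks for WordPress markers, reads the generator tag, and, when that tag has been removed, falls back to the ?ver= query strings on core assets under /wp-includes/. The HTML is constructed for the example (example.com and version 4.7.2 are made up).

```python
import re
from collections import Counter

# Constructed page source shaped like the <head> of a WordPress site (not a
# real site; the version number is made up for the example).
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 4.7.2" />
<link rel="stylesheet" href="https://example.com/wp-includes/css/dashicons.min.css?ver=4.7.2" />
<script src="https://example.com/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
<script src="https://example.com/wp-includes/js/wp-embed.min.js?ver=4.7.2"></script>
<link rel="https://api.w.org/" href="https://example.com/wp-json/" />
</head><body></body></html>"""

# The same page after a "hide my version" plugin removed the generator tag.
STRIPPED_HTML = re.sub(r'<meta name="generator"[^>]*>\n?', "", SAMPLE_HTML)

GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([\d.]+)', re.I)
# Core assets live under /wp-includes/ and are linked with ?ver=<WordPress version>
# unless the script registers its own version (jQuery does, hence the vote below).
CORE_ASSET_RE = re.compile(r'/wp-includes/[^"\'\s]+?\?ver=([\d.]+)')


def is_wordpress(html):
    """Cheap markers a scanner checks before bothering with a version."""
    return any(marker in html for marker in ("/wp-includes/", "/wp-content/", "api.w.org"))


def version_from_generator(html):
    """Version from the generator meta tag, or None if it was removed."""
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None


def version_from_core_assets(html):
    """Most common ?ver= value on /wp-includes/ assets, or None."""
    votes = Counter(CORE_ASSET_RE.findall(html))
    return votes.most_common(1)[0][0] if votes else None


def fingerprint(html):
    """What a scanner would record for this page."""
    gen = version_from_generator(html)
    assets = version_from_core_assets(html)
    return {
        "wordpress": is_wordpress(html),
        "generator": gen,
        "assets": assets,
        "best_guess": gen or assets,
    }


if __name__ == "__main__":
    print("with generator tag:   ", fingerprint(SAMPLE_HTML))
    print("generator tag removed:", fingerprint(STRIPPED_HTML))
```

The stripped page still fingerprints as 4.7.2 from the asset query strings, which is why hiding the version is no substitute for updating: the scanner learns the same thing either way.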
Have You Backed Up Your WordPress Website?
If you haven't, that tells me you don't care about losing your website. You may think that your hosting provider has a backup. You'd better check, and also check how quickly they can restore it for you. Some providers take days because the backups are stored off site and have to be retrieved before they can be restored. Can you wait that long? Back up your website, keep a copy somewhere other than the web server, and test that you can actually restore from it.
The good news is that it's relatively easy to back up your website these days, especially one using WordPress as its content management system (CMS). A complete backup has two parts: the files (wp-config.php, plus the themes, plugins and uploads under wp-content) and the MySQL database that holds your posts, users and settings. Several plugins handle both and can be scheduled for hands-free operation.
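For readers who would rather script it than install another plugin, here is an added Python example (not from the original page) that does the two halves of a WordPress backup: it reads the database constants out of wp-config.php to build a mysqldump command, archives wp-config.php and wp-content into a dated tarball, and prunes old archives. The demo site layout it creates is constructed in a temporary directory; the database credentials in it are placeholders, and the mysqldump command is built but only executed if you run it yourself.

```python
"""Minimal WordPress backup: files plus a database dump command from wp-config.php."""
import os
import re
import tarfile
import tempfile
import time
from pathlib import Path

# Matches lines such as:  define( 'DB_NAME', 'wp_site' );
DEFINE_RE = re.compile(
    r"define\(\s*['\"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['\"]\s*,\s*['\"]([^'\"]*)['\"]\s*\)"
)


def read_db_settings(wp_config_text):
    """Pull the four database constants out of wp-config.php."""
    return dict(DEFINE_RE.findall(wp_config_text))


def mysqldump_command(settings):
    """Build the mysqldump argv and environment for subprocess.run().

    The password goes in MYSQL_PWD rather than on the command line so it
    does not show up in `ps` output or shell history.
    """
    argv = ["mysqldump", "--single-transaction",
            "--host", settings.get("DB_HOST", "localhost"),
            "--user", settings["DB_USER"], settings["DB_NAME"]]
    env = dict(os.environ, MYSQL_PWD=settings.get("DB_PASSWORD", ""))
    return argv, env


def archive_site(wp_root, dest_dir, when=None):
    """Tar wp-config.php and wp-content into dest_dir; returns the archive path.

    Core files are left out on purpose: they come back with a fresh download
    of the same WordPress version, while wp-content and wp-config.php do not.
    """
    wp_root, dest_dir = Path(wp_root), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime(when))
    out = dest_dir / f"wp-backup-{stamp}.tar.gz"
    with tarfile.open(out, "w:gz") as tar:
        for name in ("wp-config.php", "wp-content"):
            path = wp_root / name
            if path.exists():
                tar.add(path, arcname=name)
    return out


def archived_members(archive_path):
    """List what an archive contains (use this to verify a backup, not just trust it)."""
    with tarfile.open(archive_path) as tar:
        return sorted(tar.getnames())


def prune_backups(dest_dir, keep=7):
    """Delete all but the newest `keep` archives; returns the names removed."""
    archives = sorted(Path(dest_dir).glob("wp-backup-*.tar.gz"))
    doomed = archives[:-keep] if keep else archives
    for path in doomed:
        path.unlink()
    return [p.name for p in doomed]


def demo_run():
    """Build a throwaway site layout (constructed data), back it up, prune, report."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8 constructed")
    (root / "wp-config.php").write_text(
        "<?php\ndefine( 'DB_NAME', 'wp_site' );\ndefine( 'DB_USER', 'wp_user' );\n"
        "define( 'DB_PASSWORD', 'example-only' );\ndefine( 'DB_HOST', 'localhost' );\n"
    )
    first = archive_site(root, root / "backups", when=0)
    members = archived_members(first)
    archive_site(root, root / "backups", when=60)
    archive_site(root, root / "backups", when=120)
    pruned = prune_backups(root / "backups", keep=2)
    argv, _env = mysqldump_command(read_db_settings((root / "wp-config.php").read_text()))
    return {"members": members, "dump_argv": argv, "pruned": pruned}


if __name__ == "__main__":
    print(demo_run())
```

Run it from cron with the real wp_root, and copy the archives and the SQL dump off the server (object storage, another host) so a compromise of the web server does not take the backups with it.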
Always Update WordPress
The video above shows how to update your WordPress installation. Do this whenever you see the update notice (and back up first). WordPress releases updates to close security holes as they are found, so if a hacker finds out that you are running an older version, you have given them a foot in the door of your website. Always update to the newest version of WordPress, and update your plugins and themes with it.
Make Sure Your Plugins and Themes are Compatible with the Latest WordPress Version
For several years now, WordPress has shown the compatibility status of plugins and themes against the current WordPress version. This is good news, since you don't want updates to these plugins and themes to wreck your installation. While your hosting company may be able to fix the problem after it happens, why let it happen?
Be aware that a plugin can be compatible and still introduce malicious code into your WordPress installation. Hackers could pass off a plugin as legitimate and then hijack the sites that install it. The WordPress community usually alerts people when this happens, and some hosting providers scan for known-bad plugins and ask you to remove them, but you can't count on either: install plugins only from the official directory or a vendor you trust, and remove any plugin that is flagged or no longer maintained. You would want to do that anyway.
Can't We Just Install Some Plugins?
There are plugins that can help secure your website, and some remove fingerprinting details such as the generator tag from your page source (though nothing can stop a visitor from viewing the source itself). However, the more plugins you use, the more they slow your website down, and every plugin is more code that can carry its own security holes. This isn't meant to discourage you from using plugins; use discretion when doing so. Not every plugin behaves properly: you may think you are safe, but the plugin author doesn't update it, or it was bad code to begin with. The author doesn't need ill intentions for this to happen. Many inexperienced coders write bad code.
If You Don't Believe It Happens...
I have had several of my WordPress websites hacked before. It was for this reason that I created a service called WP Auditors. We run free scans on people's WordPress websites and then give them a report of what needs to be done. Since we started doing this, we have not had any hacking incidents on our websites or our clients'.
The reason I even wrote this Hubpage is that someone on an online forum I belong to was upset that her website got hacked. Luckily she had only just started creating the blog, so there wasn't any content of substance on her site. But what if there had been? Without a backup her site would have been toast!
Hacker-Proof Your Passwords
Use a secure password. Don't make it easy for hackers to do their jobs.
Brute Force Attack
A brute force attack is one of the most common forms of hacking. Hackers start by scanning (with software) for any WordPress website that still has the default 'admin' user name. When they find one, half the job is done: of the two things they need to guess, the user name and the password, one is already known.
The next step is to try a list of commonly used passwords. These lists are built from passwords leaked in previous breaches or shared among hackers. Again, the process is completely automated.
If your password is not in the common-password lists, the hackers have more work to do. The automated program floods your login page with guess after guess; this is where the term brute force comes from. They keep going until they find a match. This is the primary reason to make your password as long as possible: a password of only a few characters can be exhausted quickly, while one of 10 or more characters drawn from uppercase and lowercase letters, numbers and symbols has so many combinations that guessing it through the login form is impractical, and it remains expensive to crack offline even if the password hash is ever stolen.
As mentioned, hackers don't mind going through this exercise because they have computer programs to do it for them.
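Because the attack is automated, it is also easy to spot in the web server log. The following added example (not from the original page) runs simple detection logic over constructed Apache access-log lines: it counts failed POSTs to wp-login.php per client address and flags any address that exceeds a threshold inside a sliding time window. The IP addresses, timestamps and the threshold of 10 failures in 5 minutes are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format: ip ident user [time] "method path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def _line(ip, when, method, path, status):
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S")
    return f'{ip} - - [{stamp} +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed log lines for the example (no real server or client involved).
_T0 = datetime(2023, 10, 10, 13, 55, 0)
SAMPLE_LOG = "\n".join(
    # one source hammering the login form, one guess per second
    [_line("203.0.113.7", _T0 + timedelta(seconds=i), "POST", "/wp-login.php", 200) for i in range(12)]
    + [
        # a real user: one typo (200), then success (302 redirect to wp-admin)
        _line("198.51.100.3", _T0 + timedelta(seconds=20), "POST", "/wp-login.php", 200),
        _line("198.51.100.3", _T0 + timedelta(seconds=45), "POST", "/wp-login.php", 302),
        # ordinary browsing
        _line("192.0.2.9", _T0 + timedelta(minutes=1), "GET", "/about/", 200),
    ]
)


def parse_line(line):
    """(ip, timestamp, method, path-without-query, status) or None for junk lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, method, path, status = m.groups()
    when = datetime.strptime(stamp.split(" ")[0], "%d/%b/%Y:%H:%M:%S")
    return ip, when, method, path.split("?")[0], int(status)


def failed_logins(log_text):
    """Timestamps of failed wp-login.php attempts, keyed by client IP.

    WordPress re-renders the login form with HTTP 200 when the password is
    wrong and redirects (302) on success, so POST + 200 means a failure.
    (POSTs to /xmlrpc.php are a second login path worth counting on their
    own; it answers 200 either way, so status cannot separate the cases.)
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == "/wp-login.php" and rec[4] == 200:
            failures[rec[0]].append(rec[1])
    return failures


def brute_force_sources(log_text, threshold=10, window=timedelta(minutes=5)):
    """IPs with at least `threshold` failures inside any `window`: {ip: total failures}."""
    flagged = {}
    for ip, times in failed_logins(log_text).items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    print("brute force sources:", brute_force_sources(SAMPLE_LOG))
```

Feed the same logic a real access log and the flagged addresses are candidates for a firewall block or a fail2ban-style jail; the threshold should be high enough that a person mistyping a password twice is never caught by it.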
Password Hacking Times
Longer Passwords Are Better - Much Better!
If you look at the chart above, you can see that making your passwords long enough and combining uppercase, lowercase, numbers, and symbols makes it very difficult for hackers to penetrate your WordPress installation. Each extra character multiplies the number of guesses needed, and each extra character class widens the alphabet the attacker has to try; together they go a long way in thwarting these jokers.
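The chart's numbers come from a simple calculation, and the added Python example below (not from the original page) reproduces it: the size of the keyspace for a given length and set of character classes, divided by a guess rate, gives the worst-case time to exhaust it. It also shows the dictionary step from the brute force section, where a password on a leaked list falls immediately regardless of length. The two guess rates are order-of-magnitude assumptions, and the miniature common-password list is constructed for the example.

```python
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes the text recommends combining; 32 is the number of
# printable ASCII symbols excluding space (the page's !@#$%&* list is a subset).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32
ALL_CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)

# Guess rates are order-of-magnitude assumptions for the example:
ONLINE_RATE = 50       # guesses/second against wp-login.php, bounded by network round trips
OFFLINE_RATE = 1e9     # guesses/second cracking a stolen password hash on GPUs

# Constructed miniature of a leaked-password list an attacker tries first.
COMMON_PASSWORDS = {"password", "123456", "admin", "password1", "qwerty", "letmein", "welcome"}


def keyspace(length, classes):
    """Number of distinct passwords of `length` drawn from the given classes."""
    return sum(classes) ** length


def seconds_to_exhaust(length, classes, guesses_per_second):
    """Worst case to try every password; expect success in about half that."""
    return keyspace(length, classes) / guesses_per_second


def human_time(seconds):
    """Readable duration for the chart."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def is_common(password, wordlist=COMMON_PASSWORDS):
    """Dictionary step: a listed password falls in seconds whatever its length."""
    return password.lower() in wordlist


def hacking_times(lengths=(6, 8, 10, 12), rate=OFFLINE_RATE):
    """Rows of a 'password hacking times' chart for two alphabets at one guess rate."""
    rows = []
    for n in lengths:
        rows.append({
            "length": n,
            "lowercase only": human_time(seconds_to_exhaust(n, (LOWER,), rate)),
            "all four classes": human_time(seconds_to_exhaust(n, ALL_CLASSES, rate)),
        })
    return rows


if __name__ == "__main__":
    print("offline cracking of a stolen hash at", OFFLINE_RATE, "guesses/s")
    for row in hacking_times():
        print(row)
    print("online guessing at", ONLINE_RATE, "guesses/s, 6 chars, all classes:",
          human_time(seconds_to_exhaust(6, ALL_CLASSES, ONLINE_RATE)))
```

At the offline rate an 8-character lowercase password is gone in minutes while 10 characters from all four classes take well over a thousand years; through the login form even 6 characters from all four classes take centuries, which is why attackers start with the leaked-password list and the 'admin' user name rather than raw brute force.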
Reading about security is about as exciting as watching paint dry. No one wants to take the time to do it. However, if you don't, it may be too late to take steps to stop hackers. At the very least, you should read the WordPress.org website regularly. It gives tips on keeping your website safe as well as announcements of security releases and other developments the project is working on.
You could load an RSS reader with WordPress' blog. This way, you will be alerted to updates. You could also follow them on your favorite social media channel and learn about updates from there.
Another option is to sign up at Wordfence.com. This website/plugin has become a de facto standard in WordPress security. You don't need to install the plugin to receive their security updates. When you sign up for the newsletter, though, be prepared for update notifications mixed with a bit of scare tactics about what may happen if you don't use their service. Hey, they have to make money too, right? If you can ignore the sales pressure, the information they send is useful for staying informed.
Should You Have Your Website Audited?
It's not a bad idea to find someone who can scan your website for security vulnerabilities. They can then make recommendations based on their audit or make the changes if you allow them. If you are going to have someone do this, make sure you ask questions about how they will audit your site. Unfortunately, there are a lot of pretenders on the internet who will sell you audit solutions that won't do much to keep your site secure. Ask them about a guarantee before committing to any company.
You Can't Win 'Em All
Unfortunately, hackers are always hard at work trying to find ways in. These tips are not a complete audit, and you should consider having one done by qualified professionals. But if you follow them, you stand a far better chance of keeping hackers at bay than if you leave your installation on "factory defaults".