WordPress hacking – 3 easy steps to security

Since the start of 2017, we have noticed an increased number of attempted website hacks and a small number of these cases have, unfortunately, been successful. We actually had this blog post drafted early last week, awaiting approval, and our good old friends at the BBC went and posted the following on Friday :

WordPress blogs defaced in hack attacks

So, here is our take on the latest round of website hacking attempts and what you can do to protect yourself, and what we can do to help you.

Firstly, how and why are websites being hacked?

As the above BBC story outlines, this is a global issue. At Cargo we (as do the majority of other agencies) use WordPress as the ‘engine’ behind many of our web projects. WordPress – by their own admission – power 27% of the internet as a whole, so it is a popular choice for web users because of the simplicity of set up and ‘out-of-the-box’ functionality.

So, why?

WordPress’ popularity does make it a target for those who want to use the domains for spam campaigns. This is where unscrupulous groups want to send out the same message indiscriminately to a large number of Internet users. They do this by attempting to hack as many sites as possible. The most common method of hacking we encounter is repeatedly trying different passwords until one works.

OK, so how do they do it?

Automation. Advances in technology mean it is possible to repeat this process millions of times in a short space of time. A bot (an application that performs an automated task) if successful, gains access to the CMS and adds spam content and links to Pages and Posts across the site or uploads files via the website uploader.

In our experience most websites aren’t targeted in a directly nefarious way, they are hacked because the bot crawling the web knows the website login methods and exploits it.

In the cases of WordPress websites, the login URL can be tested for (the default login URL for WordPress is /wp-admin/ or /wp-login.php) and then the bot runs a number of Username and Password combinations to gain entry to the CMS. So, the easier your username is to guess, the easier it is to hack. Simples.

So, what can we do to prevent hacks?

Three simple steps…

One – strengthen your password

The easiest way to stop this type of hack is to have a strong password and reset it every month or two. If you have a password along the lines of ‘password’ or ‘password123’ we would strongly recommend changing it as soon as you can!

In short, the longer and more random is, the more secure it is likely to be. We recommend using a password generator like: http://passwordsgenerator.net/which will generate a one for you. If you are worried about forgetting a randomly generated password, all modern browsers have the option to automatically remember the password for you, or you can always use the reset password option via your content management system (CMS) which will email you instructions how to reset your password.

Two – remove old users

Anyone who historically had access to your company website and may have moved on to pastures new, remove them from the user list – their password may have been the weak one!

Three – review your log-in URL and hosting

Not all of our websites were targeted in January. Those that were, were all hosted on a shared server. At Cargo we offer a range of hosting options, so another way to secure your website would be to change the login URL, move to a Hybrid server and add an SSL (Secure Sockets Layer) certificate. Hold on, this sounds like a sales pitch! What are the cost implications?

Yes, there are additional costs incurred with a higher level of hosting – at the end of the day, you can’t get fully comp car insurance if you only pay for third party right? If you are keen to review this, let us know and we will look at how we can minimise the cost implications of updating your situation. The bottom line here is safety and security. There are some small steps we can take together to make sure everyone is happy in the long run!