Website getting hacked is a real threat for every website owner, especially if the site is in WordPress. One minute your site is working fine – bringing in traffic and generating revenue. And then the next thing you find – your WordPress site has been hacked.

“Approximately 30,000 sites get hacked every day.”

Common WordPress Hacks And How To Prevent Them

The most common WordPress hacks and entry points for hackers into WordPress sites are:

• Weak passwords – 8%.
• Hosting vulnerabilities – 41%
• Themes – 29%
• Plugins – 22%

Weak passwords

Passwords are the keys to your WordPress site. Weak passwords make it easier for hackers to crack passwords with the help of some basic hacking tools. You can protect your site by setting unique and strong passwords for your account.

However, if your site’s password gets hacked, hackers get complete access to:
• WordPress admin account
• FTP accounts
• Web hosting control panel account
• MySQL database used for your WordPress site
• Email accounts used to create WordPress admin or hosting account
All these accounts are protected by passwords.

“You can add extra protection to your site by enabling WordPress two-factor authentication. “

Hosting vulnerabilities

Just like every other site, WordPress sites are also hosted on web servers. Well, there are some hosting companies that do not offer proper security. This makes all the sites hosted on their servers prone to hacking. You can avoid this situation by choosing the best hosting provider for your site.
Pick a host that has a proven reputation with WordPress sites. Check online reviews to be sure that you’re choosing the right hosting company. Properly secured servers can prevent your site from getting hacked.

If you want to take extra precaution, then we recommend using:
• WPEngine
• SiteGround
• Bluehost
• GoDaddy

Plugin vulnerabilities

Faulty plugins are the most common culprits when it comes to WordPress hacks. Outdated plugins can make your site vulnerable to – file inclusion attacks, SQL injection, cross-site scripting (XSS), backdoor attacks, and more. Make sure that you update plugins from time to time to keep your site secure. However, if any plugin is not compatible with your theme, wait for a version update or look for the alternative.

Unsafe themes

Many people use free themes found via random Google searches which make their website more prone to hacking. The best way to protect yourself from any theme-related vulnerabilities is to get or buy your themes from reputable sources and theme stores. Download themes from wordpress.org or any other premium theme site that has a good reputation. Using a treacherous code is risky.

“Uninstall and delete unused plugins or themes. Unused plugins and themes can increase the risk of security, just get rid of unused or outdated plugins.”

Using Plain FTP instead of SFTP/SSH

An FTP account is used to upload files to your web server via an FTP client. Most hosting providers support FTP connections using different protocols. You can connect using plain FTP, SFTP, or SSH. When you connect to your site using plain FTP, your password is sent to the server in the unencrypted format. The unencrypted password can be spied upon and stolen easily. It’s recommended to use SFTP or SSH instead of using FTP.
You wouldn’t need to change your FTP client. Most FTP clients can connect to your website on SFTP as well as SSH. You just need to change the protocol to ‘SFTP – SSH’ when connecting to your website.

Using Admin as WordPress Username

It’s not recommended to use ‘admin’ as your WordPress username. WordPress assigns ‘admin’ as the default user name for every account created. Hackers know this very well and it’s better to change your username to something unique.
WordPress configuration file ‘wp-config.php’ contains complete information about WordPress database login credentials. Its compromise means hackers can access your website. Protect your site by denying access to wp-config file using ‘.htaccess’. You can secure your website simply by adding this code to your .htaccess file.

<files wp-config.php>
order allow,deny
deny from all
</files>

These are some of the points you must consider if you’re planning to create a WordPress site or have already built it. Need assistance with WordPress maintenance, you can contact us here!