I've been seeing questions all over online forums and social media about WordPress websites being hacked. These hacks, while mostly benign, can leak through servers and steal valuable information from others. For example, you may have an old or unused WordPress install currently on your server, not getting any updates or love. This is a security threat. Even your fully updated website, if not secured properly initially, can cause you money and time in malware removal and security upgrades. The problem is the default WordPress security isn't enough - and WordPress has already acknowledged this and offered up several solutions.
Why am I Writing This?
This post is to help WordPress users understand the importance in using recommended security convention when setting up your websites. One-click installations via your website host or a cheap website setup are often the culprit when you've found yourself victim of a random WordPress attack.
Why Were You Targeted?
A hack is rarely about your information or what the hackers think you have. It's about the fact that your website isn't secure, and they know it. Moreover, they will assume that you share a server with another website that does host sensitive information, which the hackers then hope to cross-contaminate.
Reasons they know your site is vulnerable can be numerous - though it's mostly due to the popularity of WordPress itself. As an open-source system, WordPress and the free plugins can be downloaded by anyone and have their vulnerabilities exposed.
Why Isn't the Default WordPress Security Stronger?
Any default is going to be just as weak - because certain conditions can be assumed by hackers. For example, if you don't change your admin username from 'Admin,' your website will be easier to hack. If you or your web developer neglect to create a better password or instigate a stronger setup, your website will be easier to hack. And so on...
WordPress Isn't to Blame
WordPress is a great system - which is why it's being hacked. Think Windows in the 90's and 2000's (I know, Windows is tough to deal with, but it was popular). Microsoft was a massive target because businesses with money used the system. WordPress has gained popularity - and with it, has become a target of cyber criminals.
Let's be clear here: I'm not saying that WordPress is any more vulnerable than any other website CMS in the way it's built or maintained. It's how your site was setup - probably using default tools in your hosting panel, which don't increase security from the default options.
How to Prevent Attacks
One of the main ways that hackers can breach a site's security is with either outdated or poorly coded FREE plugins and themes. Many premium themes and plugins are also known to have vulnerabilities that allow a hacker to create an admin user on your website, after which they can alter or break your site easily. Removing any plugins that you aren't currently using or minimizing the amount that you require are great first steps in lowering your chances of being hacked.
How to Clean a Site After a Hack
Going through your site manually is a pain. WordPress has thousands of files comprising its core - which is why I would suggest performing a re-install after simply going through your theme folders (parent and child) as well as your uploads folder. This means looking through all of the files and checking for code that is usually completely illegible (letters and numbers garbled in PHP).
If you aren't handy with programming and still have access to your WordPress admin panel, download Sucuri free security plugin and do a malware scan.
How to Secure a WordPress Website After an Attack
Use My Most Trusted Security Plugin: Sucuri
I've used Sucuri both in the free and premium versions and have found that both offer excellent - though not quite complete - options and advice for security. All of the options that are available in Sucuri can be implemented manually by your website developer and are outlined in the WordPress Codex. If you have been hacked, removal of the malware is your first priority, then securing your server.
Sucuri's premium version offers caching and a firewall through their server. Not necessary, but it's an extra layer of security for your site at a price that's affordable (no I don't work for them OR get a commission...maybe I should...)
If Your Developer Doesn't Know What the WordPress Codex Is
If you ask your developer to configure your website's security as per the WordPress Codex's guidelines and they respond with anything close to "What's that?", they are not a WordPress developer and they will likely not be able to fix your problem with being hacked. They may be able to clear the malware from your website with plugins, but they likely have no idea how to secure a WordPress site properly.