Kenyan WordPress Websites Are Constantly Hacked - This is How To Improve Your WordPress Security

10 WordPress Security Tricks to Keep Hackers Off Your Site

Is WordPress Security That Important?

WordPress security is something most website developers and owners take for granted. Many assume that once they have a beautiful website that converts, that is all they need. That is not the case: a hacker can destroy an online business or brand in seconds, and the owner will have to start all over again from scratch.

On January 16th 2021, while I was watching my movie, my phone buzzed and some email notifications started popping up. A hacker was trying to do a brute force attack on one of my websites – https://silomasays.com.

A brute-force attack involves an attacker submitting many passwords or passphrases in the hope of eventually guessing a combination correctly.

This is part of the log.

Event: Bruteforce Attack
Website: http://silomasays.com
IP Address: 192.185.83.15
Reverse IP: africaolympic.org
Date/Time: January 16, 2021 5:28 pm

Message:
Username: mwateni
Password:
IP Address: 192.185.83.15
Attempt Timestamp: 1610818128
Attempt Date/Time: January 16, 2021 5:28 pm

Username: admin
Password:
IP Address: 88.241.47.207
Attempt Timestamp: 1610818029
Attempt Date/Time: January 16, 2021 5:27 pm

Username: admin
Password:
IP Address: 84.3.254.20
Attempt Timestamp: 1610818025
Attempt Date/Time: January 16, 2021 5:27 pm

Username: silomasays
Password:
IP Address: 41.105.61.45
Attempt Timestamp: 1610818021
Attempt Date/Time: January 16, 2021 5:27 pm

As I scrolled through, I saw the usernames that were tried, the timestamps and the IP addresses. I realized that the hacker had sniffed usernames I created years ago when I had guest bloggers.

I sat back, relaxed, kept watching my movie and decided that I would handle it later. Why? Because I knew I was well secured.

Weeks later, emails started popping up notifying me that users were being locked out of my company’s website – https://braitconsulting.com – when they were trying to log in.

User 1

A user with IP addr 51.223.168.127 has been locked out from signing in or using the password recovery form for the following reason: Used an invalid username ‘admin’ to try to sign in.
The duration of the lockout is 4 hours.
User IP: 51.223.168.127
User hostname: 51.223.168.127
User location: Al Hufuf, Saudi Arabia

User 2

A user with IP addr 101.109.84.139 has been locked out from signing in or using the password recovery form for the following reason: Used an invalid username ‘admin’ to try to sign in.
The duration of the lockout is 4 hours.
User IP: 101.109.84.139
User hostname: node-gp7.pool-101-109.dynamic.totinternet.net
User location: Kantang, Thailand

From the above, we can see that the attacker was rotating through IP addresses in different countries around the world and was using the default WordPress admin username. Most people ignore hardening their WordPress installation, claiming that they have nothing to lose, but WordPress security is a key thing to consider.

According to W3Techs, 64.4% of all websites in the world use WordPress. Joomla comes next at 2.6%. Because hackers are aware of this, they have concentrated their utmost energy on hacking these sites. Between 2018 and 2019 alone, WordPress’s share of hacked websites rose from 90% to 94%, a 4% increase. This data alone should tell you that WordPress security is a key factor to consider.

Figure: Sucuri Platform Distribution (Source: Sucuri – Hacked Websites Trend Report 2019)

So how exactly do you optimize your WordPress Security?

1. Use a Good Hosting Company

Having state-of-the-art WordPress security on a poorly secured hosting server is like having a well-secured house in a crazy neighbourhood full of gangs: it is expecting to be safe in a lawless society where everyone does as they wish.

There are many server-level security precautions that you should consider before selecting a good host. The host should run the latest server software, whether it is Apache or NGINX. It should also be configured to use secure networking and file-transfer encryption protocols (such as SFTP instead of FTP) so that sensitive content cannot be read by intruders on the network. The web server should also have the latest updates of its installed software, e.g. cPanel, PHP etc.

When choosing a hosting server, you should consider things like SSL availability and support, backup and restore, DDoS attack mitigation, malware scanning, detection and removal, network monitoring, server availability and uptime, firewall protection, the operating system, and password and user access control.

2. Install SSL on Your Site

In the past, people thought that SSL (Secure Sockets Layer) was only for e-commerce websites, specifically for sites that take credit card payments. This was and still is a great misconception. SSL is used to secure information sent between your web server (your host) and the client’s browser.

Once you install SSL, your website will run on HTTPS (Hyper Text Transfer Protocol Secure). Most hosting companies provide a free SSL certificate, mostly from Let’s Encrypt. Make sure you install SSL for every domain on your cPanel.

3. Change the Default “admin” Username

When you do a fresh WordPress installation, the default username is set to ‘admin’. Most hackers, like the one who tried to hack this website, try this username first. For maximum WordPress security, you need to change it.

WordPress doesn’t allow you to change usernames. You need to go to your Users menu and create a new user with administrator privileges. Log out of the current user and log in as the new user you just created. Delete the old ‘admin’ user and, when prompted, attribute all of its content to the new user.

4. Use a Strong Password

Would you use a fake or a basic lock to secure your mansion? I guess not. The same applies to your website. Your website is your mansion: it is where your treasure is, and you would not want anybody to interfere with your investment.

Please don’t use passwords like iloveyou, 123456, password1, princess etc. You can find a list of the worst passwords of 2018 here. Use a combination of lowercase and uppercase letters, numbers and symbols. I would also recommend that you use a password generator, or simply accept the password WordPress generates for you.

These days you don’t have to remember passwords; you can use a password manager like LastPass or Dashlane.

5. Add Two Factor Authentication

Two-factor authentication (2FA) is an extra verification step added whenever you log into your WordPress site with your normal username and password. It adds a second layer of security to your login.

You can use authenticator apps like Google Authenticator, Authy or Microsoft Authenticator, or you can use SMS and email, where you receive login authorization codes commonly known as OTPs (One-Time Passwords). There are several WordPress plugins that offer 2FA, but I strongly recommend Wordfence Login Security.

6. Hash Your Passwords

Hashing converts passwords into unreadable strings of characters that are designed to be impossible to convert back. Some hashing schemes are more easily cracked than others.

For the longest time WordPress used the MD5 algorithm to hash passwords. Today, WordPress uses PHPass combined with MD5 to hash passwords.

MD5 is among the most basic hash functions, and PHPass is not perfect either. It is important to hash your passwords well for optimal WordPress security. There are many plugins on the WordPress plugin repository that provide more secure hash algorithms, but I would recommend one that also rehashes existing passwords, like PHP Native Password Hash.
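As an added illustration (not code from the post, from WordPress or from the plugin), the following Python reimplements the portable PHPass scheme WordPress stores under "$P$", which is just salted MD5 iterated thousands of times, and shows the "rehash on the next successful login" step that a plugin like PHP Native Password Hash performs. The scrypt replacement and all function names are assumptions of the example; PHP's password_hash() would produce bcrypt instead.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"  # phpass alphabet

def _encode64(raw: bytes) -> str:
    """phpass's unpadded, little-endian base64: 3 bytes -> 4 chars; a 1- or 2-byte
    tail -> 2 or 3 chars. Produces the same output as PasswordHash::encode64."""
    out = ""
    for pos in range(0, len(raw), 3):
        chunk = raw[pos:pos + 3]
        value = int.from_bytes(chunk, "little")
        out += "".join(ITOA64[(value >> (6 * j)) & 0x3F] for j in range(len(chunk) + 1))
    return out

def phpass_crypt(password: str, setting: str) -> str:
    """WordPress "$P$" hash: MD5(salt + pw), then 2**cost rounds of MD5(digest + pw).
    `setting` is an existing hash, or "$P$" + cost character + 8-character salt."""
    cost = ITOA64.find(setting[3:4])
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12 or not 7 <= cost <= 30:
        raise ValueError("not a valid phpass setting")
    salt, pw = setting[4:12].encode(), password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << cost):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest)

def phpass_hash(password: str, salt6: bytes, cost_log2: int = 8) -> str:
    """New hash the way WordPress makes one: phpass adds 5 to the cost on PHP 5+, so
    WordPress's default of 8 gives the familiar "$P$B" prefix, i.e. 2**13 = 8192 rounds."""
    assert len(salt6) == 6, "phpass draws 6 random bytes for the salt"
    return phpass_crypt(password, "$P$" + ITOA64[min(cost_log2 + 5, 30)] + _encode64(salt6))

def scrypt_hash(password: str, salt: bytes) -> str:
    """Stronger replacement. Assumption: scrypt stands in for the bcrypt that PHP's
    password_hash() (which the PHP Native Password Hash plugin relies on) produces."""
    key = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return "$scrypt$" + salt.hex() + "$" + key.hex()

def verify_and_upgrade(password: str, stored: str, new_salt: bytes) -> tuple:
    """Verify a login; a correct password still stored as phpass is rehashed on the spot,
    so the database migrates to the stronger scheme one successful login at a time."""
    if stored.startswith(("$P$", "$H$")):
        ok = hmac.compare_digest(phpass_crypt(password, stored), stored)
        return ok, (scrypt_hash(password, new_salt) if ok else stored)
    ok = hmac.compare_digest(scrypt_hash(password, bytes.fromhex(stored.split("$")[2])), stored)
    return ok, stored
```

In production the salts come from os.urandom(); they are passed in here only so the results are reproducible.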

7. Limit Login Attempts

Basic hackers use password dictionaries to attack simple websites. In fact, there are sites that sell password dictionaries and others that give them away for free. You need to limit login attempts on your website to keep your WordPress security optimal.

It is recommended that you limit login attempts on your site to three and lock the attacker out for a specific duration. As you can see from the notifications above, the attacker trying to log into my account was locked out for 4 hours.

I highly recommend Wordfence Login Security because, if you are an administrator of the website and have forgotten your password, you can request a login link by email.
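To make both the notification format quoted at the start of the post and the three-attempts-then-four-hour lockout described here concrete, the following Python is an added example (not code from the post, from Wordfence or from any other plugin). It assumes a constructed notification using documentation IP addresses, a single valid account named siloma, and a 10-minute window for counting failures, since the post gives only the attempt limit and the lockout duration.

```python
import re
from collections import defaultdict

def _entry(user, ip, ts):
    """One block in the layout of the plugin notification quoted in the post."""
    return f"Username: {user}\nPassword:\nIP Address: {ip}\nAttempt Timestamp: {ts}\n"

# Constructed sample (RFC 5737 documentation addresses, not the post's real IPs).
SAMPLE_NOTIFICATION = "\n".join([
    _entry("admin", "203.0.113.7", 1610818000),     # guessing the default username
    _entry("siloma", "198.51.100.9", 1610818010),   # three quick failures from one IP
    _entry("siloma", "198.51.100.9", 1610818020),
    _entry("siloma", "198.51.100.9", 1610818030),
    _entry("siloma", "198.51.100.9", 1610818040),   # arrives while already locked out
    _entry("siloma", "192.0.2.44", 1610818050),     # two failures far apart: no lockout
    _entry("siloma", "192.0.2.44", 1610819050),
])

ENTRY_RE = re.compile(r"Username: (\S+)\nPassword:.*\nIP Address: (\S+)\nAttempt Timestamp: (\d+)")

def parse_attempts(text):
    """Every block in the notification is one failed login: (username, ip, unix time)."""
    return [(u, ip, int(ts)) for u, ip, ts in ENTRY_RE.findall(text)]

def lockouts(attempts, valid_users, max_failures=3, window=600, duration=4 * 3600):
    """The policy from the post: lock an IP for 4 hours after 3 failures (assumed window:
    10 minutes), or at once when it tries a username that does not exist on the site."""
    recent = defaultdict(list)   # ip -> timestamps of failures inside the window
    locked = {}                  # ip -> (locked_until, reason)
    for user, ip, ts in sorted(attempts, key=lambda a: a[2]):
        if ts < locked.get(ip, (0, ""))[0]:
            continue             # request is refused while the lockout is active
        if user not in valid_users:
            locked[ip] = (ts + duration, f"invalid username '{user}'")
            continue
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= max_failures:
            locked[ip] = (ts + duration, f"{max_failures} failed logins within {window}s")
    return locked

if __name__ == "__main__":
    for ip, (until, why) in lockouts(parse_attempts(SAMPLE_NOTIFICATION), {"siloma"}).items():
        print(f"{ip}: locked until {until} ({why})")
```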

8. Install a WordPress Backup Solution

There is no system in the world that is hack-proof, just as there is no house in the world that cannot be broken into. But this doesn’t mean that we should not take our security seriously.

Even after hardening, hackers can still get in. This is why a WordPress backup solution is essential. I recommend a local, an offsite and an offline backup.

A local backup is kept on your own cPanel account, an offsite backup on your Google Drive or OneDrive, and an offline backup is your compressed website files downloaded to your local machine.

Our clients’ data is precious, and that’s why at BraIT Consulting Limited we include backup solutions in our packages. We do daily incremental backups that delete the oldest backup, so our clients do not need to worry about their cloud server filling up.

9. Don’t Use Nulled/Cracked Themes and Plugins

Nulled/cracked themes are pirated copies of original premium themes. Some are given away on ad-stuffed websites and some are sold illegally on the internet at a lower price. More than ten thousand nulled themes are downloaded every day for WordPress sites.

Unfortunately, most web developers who charge less for web development use cracked themes and plugins for their clients’ websites.

Most nulled themes and plugins have malicious code injected into them; that code mostly steals clients’ data or acts as a backdoor for hackers to access the client’s website.

The infographic below illustrates how WordPress sites were compromised.

Figure: How Hacked WordPress Websites Were Compromised

I recommend that you don’t use any cracked/nulled theme or plugin. ALWAYS buy your themes and plugins from their original sources or authorized online marketplaces.

10. Use the Latest PHP Version & Update Your WordPress Core, Themes & Plugins

ALWAYS use the latest PHP version. Did you know that 77.5% of WordPress users run unsupported PHP versions? PHP says that “Each release branch of PHP is fully supported for two years from its initial stable release. During this period, bugs and security issues that have been reported are fixed and are released in regular point releases.”

As of 30th November 2020, PHP 7.2 and below have reached end of life. The irony is that most WordPress sites are still running these lower versions of PHP. Using the latest PHP version also improves your WordPress security.

ALWAYS update your WordPress core files. These are the “foundational” files that WordPress needs in order to work. In your WordPress dashboard (unless you have disabled the function), there is always a notification whenever a new update is available. New updates always bring new security fixes and bug fixes.

ALWAYS update your WordPress themes and plugins. Every update means that the developer of the theme or plugin has fixed reported bugs and vulnerabilities.

Conclusion

I have just listed 10 tricks to secure your WordPress site. If you have more to add, please add them in the comment section below. We get a lot of clients with hacked websites who come to us for help, and we mostly find outdated software, most of it plugins and themes. Others had their domains hacked and re-listed for sale; they could no longer access their cPanel and had to start afresh.

WordPress security is important, and that’s why we have created an outstanding WordPress Hardening package to secure your existing site. Do you need a website developer who is also an expert in website security? Contact us today!

Do you want to learn more with our educative and informative articles? Kindly subscribe below. We publish once a week. Make sure you tell your friends about us.
