So a few years ago a client called first thing in the morning and said, “I think my website’s been hacked.”
“Really? What makes you think that?” I asked.
“Well, go look at the home page…”
And that was my introduction to the world of WordPress security. Sadly, the site was so badly infiltrated that there was no choice but to completely blow it away by deleting the files, deleting the database, and rebuilding it from scratch.
I learned a lot in those few days following the hack, and since then, hardening the security on all of my client sites has been a continual process of learning, implementing, and tweaking the security procedures and techniques I put in place.
Sometimes clients ask if the time and money spent on this security is worth it… why would anyone want to hack their website anyway? Rest assured that if your website is live, it is under attack as I write this. Even if you don’t have credit card or customer information to steal, hackers attack websites simply because they can. It’s a form of vandalism, similar to graffiti or smashing your car window, and adds to their hacker “street creds.” No one gets hurt, but the cleanup is costly, time-consuming, and aggravating.
One of the security plugins I use – Wordfence – provides a handy visual detailing the IP address of all brute force attacks, complete with the flag of the hacker’s country. The screenshot below displays a snippet of the hack attempts on a local client’s website, over a less-than-one-hour period… Indonesia, Russia, Taiwan, Vietnam, Macedonia, Philippines, Korea, and the list goes on. Seeing is believing, and it’s pretty creepy when you see the sheer volume of global hackers spending their entire day trying to ruin yours.
Below is a brilliant infographic on WordPress security from the folks at WPTemplate.com which is an eye-opening, quick read. Moral of the story:
1) If you don’t know how to keep your website secure, contract with a developer who has these skills and implements best practices.
2) Back up your website – often!