I know you’ve heard it before, but it bears repeating: cyber-crime is one of the fastest real growth industries around today – both in volume and sophistication.
But here’s the most common response I get when I talk to new or small website owners about this:
“Why would anyone want to hack my little website?”
And the answer:
It doesn’t matter how small your website is. The hackers want control of as many websites as possible, because they add them to the range of tools they need in order to carry out their criminal acts.
You see, with rare exceptions, criminal hacks on a website are no longer about the website itself. Defacing hacked websites went out with the ark (figuratively speaking!).
The purpose is to get control of that website, so the hackers can add it to their assets.
An example of why the hackers want control of websites:
A Denial of Service attack on a website is not actually an attack on the website itself.
It’s an attack on the server on which the site sits.
The target website is simply flooded with so many requests (thousands per second) that it brings down the server, which crashes the site.
But in order to carry out the Denial of Service attack the hackers need tools.
And hacked websites are one of those tools.
What do hackers do with websites they’ve hacked?
As I said – hacking a website is not generally an attack on the website itself, or its owner. It’s just an attempt to gather another tool.
Here are some of the things hacked websites are used for:
- To redirect visitors to other websites
- To steal the SEO reputation of the hacked site and so benefit their own
- To infect the computers of site visitors (this enables them to be added to a botnet, which can be used to participate in denial of service attacks – another tool)
- To use your web server to mine crypto currencies
- To use your server to send spam emails (which will have the effect of getting your server blacklisted by the spam houses)
- To harvest user personal data that they can sell
- To harvest credit card details that they can sell
There are probably other uses as well and, if not yet, I’ve no doubt they won’t be long in coming!
This leads to another point I make on a regular basis:
If you’re not keeping your website as safe as possible you are aiding and abetting criminal behaviour.
To be sure: no website will ever be 100% secure against hackers.
But 98% (or more) of website hacks are perpetrated by bots (computer programs) that scan the net looking for websites running software that has known vulnerabilities, are configured poorly, or where weak passwords have been used.
These sites can be hacked.
Mitigating all of those things is within the control of any webmaster, irrespective of their technical skill level, and I’ve listed some pointers below.
Again: if you’re not keeping your website as secure as possible, you’re aiding and abetting the criminal behaviour of the hackers.
14 simple ways you can strengthen your website against hackers
Here, then, are 14 non-technical ways that anyone can follow (irrespective of their technical knowledge) to strengthen the defences of their WordPress website:
- Use a strong username that bears no relation to your or your site’s name
- Use a strong, unique password of at least 10 characters (upper- and lower-case letters, numbers and symbols)
- Use a password manager to ensure you can keep all your passwords strong, long and unique
- Make sure all your software (plugins, themes and WordPress itself) is always up to date
- Do not give out your login details to anyone. If someone needs to work on your site (from a support team, for example) create a user account for them and delete it when they’ve finished
- If the original user account named ‘admin’ exists, create and test a new administrator level account and then delete the original ‘admin’ account
- Make sure users on your site have only the access privileges they need
- Ideally restrict the administrator level user accounts to one
- Sign up with a CDN and/or a Web Application Firewall provider to protect your site
- Put in place a regular, scheduled full-site backup process
- Delete any plugins that are not being used (deactivated plugins can still be hacked)
- Take great care when installing new plugins (see the safety checks on this page – scroll down to ‘Trusted sources of plugins’)
- Check all your plugins (and themes) at least once a quarter to make sure they are still being properly maintained and updated. The fact that a plugin on your site shows no update available does not mean it is still safe. It may have been abandoned.
- Don’t use free hosting
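As an added example (not code from this post or from WP Security Basics), here is a small Python audit that applies several of the checklist rules above to an inventory of users and plugins. The inventory, site name and reference date are constructed for illustration; on a real site you would fill them in from the Users and Plugins screens (or a WP-CLI export). It flags the stock ‘admin’ login or a login derived from the site name, passwords that miss the 10-character/mixed-character rule, more than one administrator account, deactivated plugins that are still installed, and plugins with no update in the last quarter.

```python
import re
from datetime import date

# Constructed sample inventory, not data from any real site. The fields mirror
# what an administrator can read off the WordPress Users and Plugins screens.
SITE_NAME = "Acme Bakery"
TODAY = date(2024, 6, 1)  # fixed reference date so the output is reproducible

USERS = [
    {"login": "admin",        "role": "administrator", "password": "Summer2023"},
    {"login": "acmebakery",   "role": "administrator", "password": "Tr0ub4dor&3-Example"},
    {"login": "helpdesk-tmp", "role": "administrator", "password": "Q9#vLm2$wpXz"},
    {"login": "writer_jo",    "role": "author",        "password": "Nq!7rZp3&Lw0"},
]

PLUGINS = [
    {"slug": "contact-form-7", "active": True,  "last_updated": date(2024, 5, 20)},
    {"slug": "old-gallery",    "active": False, "last_updated": date(2021, 2, 3)},
    {"slug": "seo-helper",     "active": True,  "last_updated": date(2023, 11, 1)},
]


def password_weaknesses(pw):
    """Return the checklist rules a password fails (empty list means it passes)."""
    rules = [
        ("at least 10 characters", len(pw) >= 10),
        ("an upper-case letter", re.search(r"[A-Z]", pw)),
        ("a lower-case letter", re.search(r"[a-z]", pw)),
        ("a digit", re.search(r"[0-9]", pw)),
        ("a symbol", re.search(r"[^A-Za-z0-9]", pw)),
    ]
    return [name for name, ok in rules if not ok]


def username_is_guessable(login, site_name):
    """True for the stock 'admin' login or a login built from the site's name."""
    if login.lower() == "admin":
        return True
    # Compare alphanumerics only, so 'Acme-Bakery' and 'acme_bakery' match too.
    words = [w for w in re.findall(r"[a-z0-9]+", site_name.lower()) if len(w) >= 4]
    compact = "".join(re.findall(r"[a-z0-9]+", site_name.lower()))
    norm = re.sub(r"[^a-z0-9]", "", login.lower())
    return compact in norm or any(w in norm for w in words)


def audit(users, plugins, site_name, today, stale_after_days=90):
    """Apply the checklist rules and return one finding string per problem."""
    findings = []
    admins = [u["login"] for u in users if u["role"] == "administrator"]
    if len(admins) > 1:
        findings.append(f"{len(admins)} administrator accounts ({', '.join(admins)}); aim for one")
    for u in users:
        if username_is_guessable(u["login"], site_name):
            findings.append(f"user '{u['login']}': username is 'admin' or derived from the site name")
        missing = password_weaknesses(u["password"])
        if missing:
            findings.append(f"user '{u['login']}': password lacks " + ", ".join(missing))
    for p in plugins:
        if not p["active"]:
            findings.append(f"plugin '{p['slug']}': deactivated but still installed; delete it")
        age = (today - p["last_updated"]).days
        if age > stale_after_days:
            findings.append(f"plugin '{p['slug']}': last updated {age} days ago; check it is still maintained")
    return findings


if __name__ == "__main__":
    for line in audit(USERS, PLUGINS, SITE_NAME, TODAY):
        print("-", line)
```

The password rule is the one stated in the list above (at least 10 characters with upper- and lower-case letters, numbers and symbols); the 90-day threshold is the “at least once a quarter” review cadence expressed in days. A deactivated plugin is reported separately from a stale one because both conditions apply to the constructed ‘old-gallery’ entry, and each calls for a different action.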
There are other technical things that can (and should) be done to further strengthen your site, and I can discuss those with you in detail, if you’re interested – contact me here.
So please: check your websites and implement any of those steps I’ve set out above if they’re not already in place! If I need to clarify anything get in touch 🙂
Owner – WP Security Basics