Table of Contents
If you are the owner of a website, in all probability, you would have thought that your website is not ‘important’ enough to be targeted by hackers, and may not have paid much attention to the security aspect. I’m sorry to tell you, that you couldn’t be further from the truth. Shocked? Don’t be – you’re not the only one. If you’re wondering why you first need to understand the reasoning behind a hacking.
Why Would a Hacker Want to Target Your Site?
You may think that your site is a small one, meant to represent your brick and mortar store online, visited mostly by your couple of hundred or thousand customers – why would a hacker want to do anything with it?
Hacking is just another online crime – a means to earn money through fraud. Once a website is hacked, it can be used as a platform to distribute malware; in most cases, the site owner is blissfully unaware of this too. Frameworks which are sold in the dark web, make malware distribution through hacked sites a breeze. This means that if you’re not careful, your website could be used for criminal activity! Other repercussions that could happen:
- Your site can be used to spam internet users
- Your brand reputation can take a beating – imagine if your customers started receiving rude messages supposedly from your site!
- The site that is hacked usually overwhelms the host server, and the site usually shuts down; for you, this means loss of revenue.
- Recovering and restoring a hacked site can also set you back, both monetarily and with regard to time. It may even happen that the site is so completely hacked that you lose a lot of data irrecoverably.
Still, think that your site is not important or big enough to warrant a hacker’s attention? You need to seriously think once more.
How Can a Hacker Get to your Site?
Most website owners think that as there are millions of websites online, the chances of their site getting found and hacked is next to nothing. Sounds logical, doesn’t it? Well, don’t kid yourself. Did you really think hackers actually sit at their computers and browse thousands of sites every day looking for the weakest link? Nope. They use bots to pick out the vulnerable websites.
These bots or programs generally run on cheap cloud servers, where they are set up and taken down in minutes, leaving no tracks, and they are capable of discovering hundreds of websites in a single hour. These scripts are sold dirt cheap on online black markets.
The moment the bots identify a potential site, they check it for numerous known vulnerabilities. And if your site is not completely secure, you can bet your bottom dollar that it is going to be hacked.
Several features of WordPress frameworks and its plugins have displayed flaws that are capable of being exploited by hackers – making it absolutely crucial, that you secure your WP site.
To keep the risk of your site getting hacked to the barest minimum, follow this checklist:
- It is hosted on a dedicated server
- If the hosting is shared, the sites are kept in isolation
- Your website is ‘https only’
2. User Management
- You grant strictly the level of access to users that is necessary – nothing more
- Your review your user list regularly, and update it; delete obsolete users and downgrade where appropriate
3. WordPress Core, Themes and Plugins
- Enable auto-updating wherever you can
- Check regularly for updates and install them immediately
- Download plugins and themes from sites that are absolutely trustworthy
- Delete unused plugins and themes, and any unused or obsolete installations ASAP
- Employ a two-step authentication process
- Force users to create strong alphanumeric passwords that also use special characters
- Check that your login page always runs on an https page
- Specify a limit for login tries
5. Server Administration
- Ensure all communication with the server uses encryption like sFTP or SSH
- Install a virtual private network for connecting to public networks
- Protect access to the original and copies of the wp-config.php file
- Protect access to PHP applications like log files, backups, temp files, text files etc.
- Ensure that you back up your WP database and files once a week
- Create a robust password for the MySQL database user
- Implement a WordPress plugin for security
6. WordPress Security Plugin Features
- Scans malware
- Protects from brute force login attempts
- Protects against hacker recons
- Insists on two two-factor authentication
- Audits passwords
- Blocks country-wise
- Throttling and blocking that is rate based
- Ordered updates
- Advanced techniques of blocking
7. Securing Your Work Environment
- Using a VPN when browsing on public networks
- Downloading software from trusted sites, for your work computer and mobile device
- Install a robust anti-virus program
- Encrypt all devices with strong passwords
- Keep an eye out for cyber attacks like phishing
8. Detecting hacks Early
- Visit your site frequently
- Use a malware scanner, and set alerts
- Search often for your website in Google
- Configure email alerts in Google’s search console
- Look into customer reports ASAP
- Check for site integrity using a source code scanner
- Notice site changes immediately with the help of a site monitoring service
- Look out for sudden and drastic changes in site traffic
9. Coding issues
- Poor code formatting
- Code typos
- Poor handling of user data
- Insufficient protection of data and logging issues
- Sufficient knowledge in handling errors
10. Attain scheduled backups
- Local WordPress backup
- Office WordPress backup
11. Prevent SQL injection
- use .htaccess rules
I hope the above checklist would help you in checking the vulnerabilities in your plugin, thereby, helping you solve the issues if any. If you have any thoughts about something more to be added to the checklist, your views are most welcome in the comments below.