WordPress Website Security

Like any other type of website, WordPress sites are susceptible to hacking. Any site can be hacked; just ask Premera Blue Cross or the State Department. But with a normal amount of precaution, you can avoid having it happen to you.

It is important to always run the latest version of WordPress. The same holds true for plugins: they should be updated at least monthly.

This past year I’ve had a small number of clients whose websites have been hacked or have completely disappeared.

Three Case Studies:

1. Outdated Plugins

Issue: One client had not updated their plugins in several years. One of those outdated plugins was used as the entry point by the hackers. They broke into the website and even added themselves as a user with administrative privileges.

Solution: We removed the infected files, removed the user accounts the hackers had added, strengthened our client’s admin password and added the premium Wordfence plugin at a cost of $39/year. The Wordfence plugin has the ability to block entire countries, in addition to specific IP addresses. We blocked all the countries in the world except the U.S. and Canada. Over the next few days, we noticed that several attempts were made to gain access to the site using a virtual IP address from within the United States. We then blocked the specific IP addresses that were being used. It has been about three months and our security system is working flawlessly.

2. Outdated WordPress Version

Issue: Another client had not updated WordPress in several years. It was late 2015 and they were still running a 2011 version of WordPress. As a result, their site became broken and appeared as a blank white page. It was using an outdated Thesis theme that was not mobile-friendly. We also found lots of infected files.

Solution: We determined that it would be less costly to change hosting companies and rebuild the site in a different location, using an up-to-date theme that was mobile-friendly. The theme we chose allowed us to keep the same look and feel as the previous site. We rebuilt the site and were back up and running in a few days.

3. Malware Infiltration

Issue: A non-profit client of ours had been infiltrated with malware. We believe the attackers gained access through outdated plugins. This particular piece of malware was extremely sinister and difficult to fix. If you typed the URL of their site directly into the web browser, it worked fine. If you came across the site in a Google search, however, you would be redirected to a fake Viagra site whose purpose was to get you to enter your credit card information, which the attackers would then steal and use for illegal purposes. But it would only happen once: if you came across the site in a future Google search, it would show the website normally.

Solution: We detected and removed all of the infected files and then installed the premium Wordfence plugin. We blocked all of the countries in the world except the U.S. We have had no additional issues for the past 6 months.
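The redirect in case 3 only fires when the visitor arrives from a search engine, and only on the first visit, so a direct visit to the home page proves nothing. The following script (an added example, not code from this article or from Wordfence) requests the page three ways and compares the results: directly, with a Google referer and fresh cookies, and again replaying those cookies. The host names in it are constructed placeholders standing in for the site being cleaned up.

```python
# Added example, not the article's code: probe a site for a referrer-conditional
# (search-cloaked) redirect. Standard library only; host names are placeholders.
import http.cookiejar
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urlsplit

SEARCH_REFERER = "https://www.google.com/"  # Referer a click from Google search carries

class _NoFollow(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx so the Location header can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch(url, referer=None, jar=None):
    """One GET; returns (status, Location). Reusing a jar replays the cookies set earlier."""
    jar = jar if jar is not None else http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(_NoFollow, urllib.request.HTTPCookieProcessor(jar))
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0 (site check)"})
    if referer:
        req.add_header("Referer", referer)
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.status, resp.headers.get("Location")
    except HTTPError as err:  # 3xx lands here because _NoFollow declined to follow it
        return err.code, err.headers.get("Location")

def classify(site_url, direct, search_first, search_repeat):
    """Compare (status, Location) for: direct visit, first search visit, repeat search visit."""
    own_host = urlsplit(site_url).netloc
    def off_site(obs):
        status, location = obs  # a redirect that leaves the site's own host is the signal
        return (300 <= status < 400 and location is not None
                and urlsplit(location).netloc not in ("", own_host))
    if off_site(direct):
        return "redirects for everyone"  # not cloaked: misconfiguration or full defacement
    if not off_site(search_first):
        return "no conditional redirect seen"
    if off_site(search_repeat):
        return "conditional redirect (every search visit)"
    return "conditional redirect (one-shot, cookie-gated)"

def probe(site_url):
    """Run the three requests against a live site and classify the result."""
    jar = http.cookiejar.CookieJar()
    return classify(site_url, fetch(site_url), fetch(site_url, SEARCH_REFERER, jar),
                    fetch(site_url, SEARCH_REFERER, jar))
```

Run `probe()` once before cleanup to record the behaviour and again afterwards to confirm it is gone; a cleaned site should report "no conditional redirect seen" for every run.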

Again, it is extremely important to keep your version of WordPress and all of your plugins up to date. Also, make sure that you are using a strong username and password. If you do, you will eliminate 95% of break-ins.