Most people are surprised to learn what an attractive target their little old WordPress website is to hackers. Hackers need resources, aka bandwidth, and they're not interested in paying for it. There are a few ways a hacker may be able to gain access to your website, and the more you know about the bad guys, the better you can protect it. Here are some of the most popular security vulnerabilities that we've seen:
Hack #1 - Writing Scripts (aka Brute Force Attacks)
The preferred method of many hackers is a brute force attack: relentless, constant attempts to break into the back end of your site. These hackers write automated scripts that put hacking on autopilot. First, the scripts find WordPress websites. WordPress is extremely popular, so there are plenty of targets and the hacker's chances of success go up. The script then appends /wp-admin to the end of your URL, for example https://www.examplewordpress.com/wp-admin. This takes the hacker straight to the login page for your WordPress Administrator dashboard (uh oh!) and lets them start running scripts to uncover an active username and password. Finally, the script begins its true brute force attack, trying thousands of username / password combinations to get into the back end of the site. If your username and password are not strong and you don't have the proper security in place to lock out these attempts, you could be in big trouble!
Hack #2 - Out-of-date plugins
Another way a hacker will attempt entry into your website is if you do not keep up to date on BOTH your WordPress updates AND updates to your website's plugins. When a new version of WordPress is released, you must update both WordPress itself and all of your plugins. Check each plugin to see whether it has been tested with the new version of WordPress. If it has not, consider deactivating it and potentially replacing it. Since WordPress is such a massive community of developers, it is up to you, the website owner, or someone like us, the webmaster, to monitor these updates and make the judgment calls.
Hack #3 - Access to Sensitive Files
So your information must be safe because your username and password are twenty characters long with twelve special characters AND your plugins are all up to date, right? WRONG! WordPress is a database-backed platform, meaning that your website content can be seen (and sometimes edited) by accessing the database where all of your WordPress content lives (a MySQL database). Hackers can use SQL injection to "inject" commands through a URL that trigger malicious behavior in the database. This type of attack can reveal sensitive information from your database (i.e. the content on your website) and can even be used to inject malware into your site, which could be a huge problem for both you and your website visitors.
What can you do?
There are many things you can do to prevent an attack on your precious WordPress website. Many of them have been outlined in the hacks above, including creating secure usernames and passwords (and changing them regularly), keeping your WordPress version and plugins up to date, and adding rules to your .htaccess file to block access to sensitive private files. Other preventative measures include installing a Secure Sockets Layer (SSL) certificate on your website. An SSL certificate is a data file that enables encryption of all data transmitted between the web server and a browser, which helps keep all of the data coming in and out of your website secure.