This guide focuses on WordPress websites as they account for 45% of all websites, but the practices mentioned can easily be adapted to work on most sites.
Why would someone want to hack me?
“I only run a small online shop. We don’t make much money, and there are plenty of other websites out there that would be more worthwhile to hack”.
We hear this a lot, but you’d be surprised at how valuable your website is to a smart hacker. Aside from being a source of income, it has plenty of other uses.
- They might use your website as a simple redirect platform. This would allow them to point the traffic that comes into your website to their website. This can be especially devastating when their website looks and works the same as yours; the only difference is that any customer data sent to their website will be stolen.
- Your website hosts a lot of data. If you have an online shop, you will have a database full of old orders, names, email addresses, purchases, phone numbers, addresses, user accounts, and passwords. In the wrong hands, any combination of these datasets has the potential to be devastating for the people whose data has been stolen.
- It won’t always be obvious that you’ve been hacked. A clever hacker could subtly modify or add some page links pointing your customers to malicious software.
- They might recruit your site into their army of bots. A bot network is an army of thousands of computers that can all be called upon at the same time to wreak havoc on an unsuspecting website via a DDoS attack.
- If you run a business that is in some way controversial or you’re unpopular amongst the masses, then an activist (or hacktivist) might set their sights on taking down your website one way or another.
- Practice makes perfect. Believe it or not, many hackers will just target a site, or sites, just for the fun of it. More often than not, they’ll stumble upon you rather than target you directly.
A key point to take away from this is that most hacks aren’t targeted. Your site will likely be on a list of thousands of other sites, obtained by a hacker and attacked with the use of a bot.
Rather than a hacker digging around your site, the bot will look for an easy entry point and move on to the next website if it doesn’t find one, so the question is – are you easy?
Is my website easy to hack?
There are countless ways a hacker might try to get into your website. Below are some of the most popular methods that hackers use and some simple ways to tighten your security.
1. Weak passwords
The easiest way to get into any account is to exploit a weak password. Too many small businesses use weak or easy-to-guess passwords for their accounts.
If your password has your business name in it, change it. If it has the current year in it, change it. In fact, do yourself a favour and change your password right now. Whatever it is currently set to, changing your passwords on a regular basis can – and will – improve your security.
Go on, I’ll wait…
… back? So, what did you change it to? Would I be impressed? If it’s over 15 characters and completely random, using upper and lower case, numbers and symbols, then I’m impressed. If not, then you should go and change it right now.
How to keep track of your passwords
If you’re worried about forgetting a string of 15 random characters, or better yet, hundreds of unique strings of random characters for all of your accounts, you need a password manager. Pretty much all of them come with a free tier, but I highly recommend paying a couple £s every month for a premium account.
This will give you access to some more advanced tools like dark web monitoring. This is a useful function that alerts you if it finds your usernames and passwords on the dark web.
Be smart. GET A PASSWORD MANAGER. Be smarter. PAY FOR A PASSWORD MANAGER!
Two-factor authentication (2FA)
Okay, you’ve set a really secure password, but what if a hacker somehow got hold of it? You need two-factor authentication (2FA) – it’s easy to set up and adds another level of security to your site.
Two-factor authentication is a simple service that sends you a unique code every time you log in to your site, meaning a hacker would also have to intercept that code somehow if they have any hope of getting into your account.
Now is probably a good time to mention that your email account will likely have a weak password too. And where do all of your password reset emails get sent to? So, it’s better if you don’t set up 2FA to use your email or, if you must, be sure to tighten up the security there too.
The best part about 2FA is it’s not just for your website(s). Most online accounts nowadays have some form of 2FA that can be used while signing in.
2. Your username
Your new, secure password only accounts for half of your login credentials (or a ⅓ since you’re using 2FA now, right?). Securing your username is just as important as securing your password – it’s another important piece of the puzzle that the hacker is trying to solve.
If your username is easy to guess, you’re putting your account at risk! The same applies to logging in with email addresses! If your email address is posted on your contact page, a bot can visit that page and take note of it. They can then use it as the username in an attack on your login page.
The same can apply to names on your site, although this would require a far more sophisticated bot. That being said, it’s not always bots that try to hack you. If you’re being targeted, your attacker will likely have done their research.
Using simple usernames, like the name of the business, poses a risk because it’s easy to guess. Using default usernames like root, admin or administrator is also a big no-no! These are literally the first usernames to be tried.
Some other common usernames are:
- test
- guest
- info
- adm
- mysql (for databases)
- user
- ftp (for remote file management)
You may not be that worried about your username. After all, they still need your password, right? Not necessarily. If your site is not protected against SQL injection, logging in to it can be as easy as knowing the username or email address of an admin user.
3. SQL Injection
An SQL injection smuggles SQL code into your site through an input field, such as the login form, so that your database ends up running it. It looks something like this:
Username: "admin"
Password: "' OR '1'='1'"
Without getting too technical, this tells the database to log in to the account where the username is equal to "admin" and the password is equal to "" (i.e. nothing) OR '1'='1'. That last bit simply logs you in if the password is equal to nothing (which it is not) or if 1 is equal to 1, and of course… 1 does equal 1.
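As an added illustration (not code from the original post), here is the kind of query construction that makes the login trick above work, next to the parameterised version that defeats it. The user table and credentials are constructed for the demo; a real site stores password hashes, not plain text, but the query pattern is what matters here.

```python
import sqlite3

# Constructed in-memory user table for the demo (not a real site's schema).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
conn.commit()

# The payload from the post. The closing quote is supplied by the query text
# itself, which is why the injected text does not end with one.
PAYLOAD = "' OR '1'='1"


def login_vulnerable(username: str, password: str) -> bool:
    # The submitted values are pasted straight into the SQL text, so the
    # payload turns the WHERE clause into
    #   username='admin' AND password='' OR '1'='1'
    # AND binds tighter than OR, so every row matches and the login succeeds.
    query = (
        "SELECT COUNT(*) FROM users WHERE username='"
        + username + "' AND password='" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterised(username: str, password: str) -> bool:
    # Placeholders hand the values to the database separately from the SQL
    # text, so quote characters in the input are data, never code. This is
    # the fix to look for in any plugin that touches the database.
    query = "SELECT COUNT(*) FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0
```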
That being said, most modern systems protect against SQL injection. But what about the sketchy FREE form plugin you installed?
It’s unlikely that you’re going to be the person responsible for messing up an SQL query and leaving your site vulnerable to SQL injection, but it may be due to an outdated plugin or poorly written code from a 3rd party.
4. Brute force
Brute force is also a popular method for hacking websites. If an attacker has access to your username or email address, they can set up a bot to go to your site and enter the username and a password… any password… and then another, and another, and… you get the point. The bot has all the time in the world. This is literally its life purpose, and eventually, it will fulfil its purpose.
Brute force attacks can be limited by setting up a restriction on your login page, allowing x number of failed login attempts before being locked out for a period of time. This time period can be ever-increasing with more and more failed login attempts.
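The lockout scheme described above, as an added example that is not part of the original post: failed attempts are counted per username and client IP, the first lockout lasts five minutes, and each further lockout doubles up to a 24-hour cap. The thresholds are assumptions; the current time is passed in explicitly so the logic is easy to test.

```python
from collections import defaultdict

MAX_ATTEMPTS = 5               # failures allowed before the first lockout (assumed)
BASE_LOCKOUT_SECONDS = 300     # first lockout lasts 5 minutes (assumed)
MAX_LOCKOUT_SECONDS = 86400    # lockouts double each time, capped at 24 hours


class LoginThrottle:
    """Tracks failed logins per (username, client IP) and locks that pair out
    for an ever-increasing period. A real site would pass time.time() as now."""

    def __init__(self):
        self.failures = defaultdict(int)   # consecutive failures since last lockout
        self.lockouts = defaultdict(int)   # lockouts issued so far for the pair
        self.locked_until = {}             # (username, ip) -> time the lockout ends
        self.alerts = []                   # messages you would email/log to the admin

    def allowed(self, username, ip, now):
        """False while the pair is locked out; refuse before checking the password."""
        return self.locked_until.get((username, ip), 0) <= now

    def record_failure(self, username, ip, now):
        """Call after a wrong password. Returns the lockout length in seconds
        if this failure triggers a lockout, otherwise 0."""
        key = (username, ip)
        self.failures[key] += 1
        if self.failures[key] < MAX_ATTEMPTS:
            return 0
        lockout = min(BASE_LOCKOUT_SECONDS * 2 ** self.lockouts[key],
                      MAX_LOCKOUT_SECONDS)
        self.lockouts[key] += 1
        self.failures[key] = 0
        self.locked_until[key] = now + lockout
        self.alerts.append(f"{ip} locked out of '{username}' for {lockout}s "
                           f"(lockout #{self.lockouts[key]})")
        return lockout

    def record_success(self, username, ip):
        """A successful login clears all counters for that pair."""
        key = (username, ip)
        self.failures.pop(key, None)
        self.lockouts.pop(key, None)
        self.locked_until.pop(key, None)
```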
5. Password cracking
Password cracking is similar to brute forcing, but it requires the attacker to already have access to one of your password hashes (a scrambled, one-way version of your password).
The basic idea is that the attacker will have a list of common passwords and a password hash that they’ve acquired from somewhere. They can then run this common password list through the same hashing process, one by one, and check whether the hashes match. If they do, they’ve just found out what your password is, and they can go to your site and log straight in.
This process happens offline and makes it far harder to notice since you will not be alerted to failed login attempts.
For defence against brute force attacks and password cracking, it’s best to set up failed-login lockouts and alerts. We’d also recommend IP monitoring, as this will allow you to be alerted to, or block, any login attempts from IP addresses outside your whitelist. This is quite an extreme measure, and it’s far simpler to just use randomly generated passwords and refresh them regularly.
6. /admin
Are you using WordPress? In fact, don’t answer that. I’ll just input your website into whatruns.com or whatcms.org. That will tell me lots of information I need to know about your website. Once I know what CMS (content management system) you use, I can work out the default login URL.
You’re using WordPress, right? So, I’ll take a guess that I can log in at <www.yourwebsiteaddress.co.uk/wp-admin>. Not on WordPress? How about </magento/admin> or simply </admin> for Shopify?
Even less well-known CMS default login URLs are only a quick Google away.
We recommend you update your default login URL to something unique and hard to guess. Not “BusinessName” or “BusinessNameAdmin”.
7. 404 Monitoring
Considering how easy it is to set up a bot to crawl websites, you should think about setting up 404 monitoring. This alerts you whenever a user hits multiple 404 pages (error pages, i.e. file or page not found) and lets you know what these pages are as well as blocking the user.
Why is this important? Because a large number of 404 requests usually means the user is a bot snooping around your site looking for vulnerable files, typically theme or plugin files that can be accessed from the web. Simply confirming that a particular vulnerable file exists tells the attacker that the website can be exploited.
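The 404 monitoring described above, as an added example that is not part of the original post: it reads access-log lines in the common Apache/nginx "combined" format, counts 404 responses per client IP inside a sliding time window, and reports the IPs (and the paths they probed) that cross the threshold so they can be alerted on or blocked. The log lines, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1342 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:00:03 +0000] "GET /wp-content/plugins/old-plugin/readme.txt HTTP/1.1" 404 512 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:10:00:04 +0000] "GET /wp-content/plugins/other-plugin/readme.txt HTTP/1.1" 404 512 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:10:00:05 +0000] "GET /wp-content/themes/old-theme/style.css HTTP/1.1" 404 512 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:10:00:06 +0000] "GET /wp-content/plugins/old-plugin/changelog.txt HTTP/1.1" 404 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:10:02:10 +0000] "GET /old-page HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

THRESHOLD = 4                  # this many 404s from one IP... (assumed)
WINDOW = timedelta(minutes=5)  # ...inside this period triggers an alert (assumed)


def parse_line(line):
    """Return (ip, timestamp, path, status) or None for a line we can't parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def find_scanners(log_text):
    """Return {ip: [probed paths]} for IPs with THRESHOLD or more 404s inside
    any WINDOW-long span, using a sliding window over each IP's 404 timestamps."""
    hits = defaultdict(list)  # ip -> [(timestamp, path)] for 404s, in log order
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[3] == 404:
            ip, ts, path, _ = parsed
            hits[ip].append((ts, path))
    flagged = {}
    for ip, events in hits.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1           # drop 404s that fell out of the window
            if end - start + 1 >= THRESHOLD:
                flagged[ip] = [p for _, p in events]
                break
    return flagged
```

A single visitor who lands on one dead link (203.0.113.7 above) is not flagged; the client walking through plugin and theme files in quick succession is.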
8. File permissions
While on the topic of files and folders that can be browsed from the web, it’s worth mentioning that incorrectly set up file permissions pose a major security risk!
Your database login credentials live on your server (in plain text, not encrypted) in a wp-config.php file. If this file is browsable by the public, your entire database is at risk, including user accounts, orders, page content, site settings… you name it.
Ensuring your file permissions are set correctly is very important. You should only ever modify them if you know what you’re doing.
What activity is your website logging?
Did you know that your server, site, theme, and plugins could all be keeping logs of activity?
These logs are usually harmless if set up correctly, but in some cases, the log file could be accessible from the web. If your file permissions are not set correctly, an attacker could find a log file and, depending on what’s on it, would gain a very deep understanding of how your site functions.
Logging should be limited wherever possible. Where it is needed, check that the permissions on the log files keep them out of public reach.
While on the subject, it’s also worth mentioning that logging user/admin activity is a worthwhile exercise. This would allow you to keep track of changes that are being made to your site if you’re not the only admin. It also alerts you to suspicious user activity.
Who’s in charge of your website?
How many admin accounts does your website have? Do they all need to have admin privileges? There’s a type of account for almost every kind of role that has access to your website, from shop manager to writer.
Custom account types can also be created, which can be used to restrict your users to areas of the admin panel that you decide. Don’t give anyone admin privileges to your site unless you trust them.
Is your website updated regularly?
Far too many businesses invest thousands of pounds on a website without any plans to keep that investment safe. I’m not just talking about being safe from hackers, but safe from itself.
There’s a common misconception that you can build a website and leave it to run itself. That is not the case. A website needs to be kept up to date and maintained, not just in terms of the content on the pages but the systems that run the site that you don’t see.
These are things like plugins, themes, the WordPress core system, and any custom code, as well as the server that hosts your website.
As time goes by, systems become outdated, and code that used to work is left relying on old practices. That means your site could fall behind as the web moves on, leaving you with systems that no longer talk to one another correctly – or at all.
Keeping your site up to date and following current best practices ensures that it will continue working. We recommend maintaining the site on a monthly basis to stay on top of the latest releases of plugins and themes. This will help prevent any of your systems from getting so outdated that the process of updating them causes conflicts.
Simply put, large gaps in maintenance can cause problems for you when you do come to update things.
Old, outdated software also poses a security risk. When you’re prompted to update your devices or software, it’s usually for one of two reasons.
1. The company is giving you more or better features
2. There is a security vulnerability that needs patching
So, be smart and update everything.
And, of course, if you’re a client of Marketing Labs with a maintenance contract in place, then all of this is covered, which means you can concentrate on the important job of managing your business.
Get in touch with our friendly team today to set up a maintenance contract.
Nice code! Where’d you get it?
While on the topic of themes and plugins, it’s important to know where your third-party systems come from. Did you buy it from the developer’s website or from a shady discount store? That theme you just saved £5 on could have malware in it.
It’s important to make sure you only ever install plugins or themes from developers you trust. Look for user ratings, support forums and the number of installs before making a decision. Just because a plugin exists on the WordPress repository doesn’t mean it won’t break your site.
Custom code should also be checked thoroughly before being added to your site. Simply adding it and clicking update may result in the effect you wanted, but how long was that code? Did you read it all? Did you understand it? Could it have had malware that you missed? The answer is usually no, assuming you got it from a friendly forum, but you should always check for these things.
A quick word on DB Prefixes
It’s highly recommended that you update your database table prefixes. By default, your WordPress site will be using “wp_” as the prefix. This is very easy for a hacker to guess.
This can be changed with little effort using a security plugin.
Did I leave the backdoor open?
Remember that developer you hired a few months ago who asked you to give him FTP or SSH access to the site? He was great, right, but… what happened when he was finished? Did you leave the server available for a connection? The developer is unlikely to hack you, but all a hacker needs is your site’s IP address to start trying SSH or FTP connections.
You should make sure your server users all have secure passwords set. It’s also worth considering some more advanced security measures if you use SSH regularly. Enforcing public key-based login for SSH and disabling root login are both good starting points!
Note: many hosting providers will ‘lock’ FTP or SSH access after a time period, assuming you choose this option when unlocking it in the first place.
What about website hosting?
Speaking of hosting providers, is yours well-established and trusted by the masses? Do they have a vast team of security experts working around the clock to keep thousands of sites safe? Or are they a budget provider that was chosen because you didn’t need all those other features and wanted to save £5 on your bill?
We recommend using a trusted host backed up with customer reviews.
Has your site got an SSL?
Hopefully, this one is obvious since search engines have literally started pointing out that sites without SSL certificates aren’t secure, but just in case… you should have an SSL certificate installed on your website. It allows for secure, encrypted communication between your visitors and your site.
Since search engines know this, they have also started penalising sites without an SSL. This means sites without an SSL are less likely to appear in search results than other sites.
Finally, install a security plugin
Last but not least, install and set up a security plugin. There are lots of FREE plugins available that will handle most of what has been discussed in this post, but in my experience, the paid ones have some very useful features that are definitely worth your consideration.
After buying your plugin, make sure it is set up correctly and that any and all scans and security measures are put in place.