For a WordPress site owner, there are few things more gut-wrenching than discovering that your website has been hacked. The feelings range from that of being disturbingly violated to outright panic. How will your business suffer, and how will your audience and customers view you now that you have let this happen? While there are things you can do after the fact to rectify the situation, your best bet (and a lesson many have learned the hard way) is to take preemptive measures to prevent your site from being hacked or otherwise damaged beyond repair.
Keep your site updated
Hmm, it seems you haven't updated in a while.
With all the recent security vulnerabilities that have been brought to light as of late, the first step to take is to be as vigilant as possible in keeping your site up to date. It's easy to ignore the email in your inbox, dismiss the message on your dashboard, or otherwise put off the chore of going through the update process, whether you handle it on your own or hire a developer to take care of it for you. The better approach would be to realize that procrastinating on these small jobs could turn into a nightmare scenario, and being proactive about it will save you a lot of unnecessary trouble down the road.
Back up your site regularly
All that stuff looks important, probably don't want to lose it...
If you have a WordPress site, there are many plugins available that can make regular backups of your site, should the unthinkable happen. The one we have been most fond of recently is called UpdraftPlus. Other free plugins had turned out to be unreliable, or didn't offer the same awesome features that UpdraftPlus does. With UpdraftPlus, you can control which files are backed up, where they get stored, how frequently the backup takes place, and how many versions are retained. You can also designate a remote storage option for your backups, which is highly recommended in case of a disk failure on your web host's server (backups stored on the same disk as the site are lost with it). Dropbox and Google Drive are great places to store your backups, and likely won't cost you any extra. You can even restore your site from these remote storage locations!
Use a security platform
In addition to the two steps already mentioned, having a security platform installed on your site would be a great step towards boosting your site's security. Two of the most popular security platforms for WordPress are Sucuri and Wordfence. While both of these offer some great benefits out of the box, there are a great number of more advanced settings that would necessitate the hiring of a developer or an IT security expert to configure correctly. Each also offers a number of premium features that you can opt for, for a fee. Both serve as an extensive checklist of factors to consider, either in preventing a hack or cleaning up a site, post-hack.
- Security Activity Audit Logging - Sucuri will monitor your site for, and report to you, anything that could be considered a potential security concern. You will likely be notified of things that are not an actual concern to you, such as a login attempt or a change made to your site. This includes authorized logins and changes, which can be tweaked in the settings. These logs are stored remotely so they cannot be wiped if a hacker successfully breaks in; an attacker who gets that far would otherwise likely cover their tracks by wiping logs stored within the same system.
- File Integrity Monitoring - Sucuri will check the state of your files against a known good copy of the file, and alert you if there is a cause for concern.
- Remote Malware Scanning - Sucuri will scan your site for malicious content or infected files. They do not guarantee 100% accuracy, which is not possible anyway, and a passing score just means they were not able to identify anything on your site.
- Blacklist Monitoring - Sucuri references your site with the major blacklist organizations and notifies you if your site is flagged on any of their lists. If you have been flagged, options are given for how to correct the situation.
Sucuri also offers a host of hardening options that can reduce your vulnerability to a variety of attacks. Many of them may already be enabled, while others you may not be able to take advantage of, depending on your setup.
- Website Firewall Protection - A WAF (web application firewall) can block many common hack attempts and keep your site safe from outside threats. Some examples include brute force break-in attempts, DDoS attacks, SQL injection, etc. Sucuri requires a subscription plan to take advantage of this feature.
- Verify WordPress Version - If you don't have the latest version of WordPress installed, you'll be alerted that an update is recommended.
- Verify PHP Version - If you are using a version of PHP that is out of date or not recommended, you'll be advised that you should make the change. This may be something you need to talk to your hosting provider about.
- Remove WordPress Version - If there is a vulnerability to a particular version of WordPress, hackers may be able to take advantage of that fact if your site is advertising which version of WordPress is currently installed. Sucuri will check if the version of WordPress is being properly hidden.
- Protect Uploads Directory, Restrict wp-content Access, and Restrict wp-includes Access - These are more advanced features and it is recommended to thoroughly test your site if you enable them. Depending on what themes and plugins you are using, you may not be able to use various features of those themes and plugins with these enabled.
- Security Keys - This checks that your security keys (normally found in your wp-config.php file) have been properly set up. If you follow the typical WordPress installation procedure, these should be done automatically.
- Information Leakage - The readme.html file that comes with the WordPress installation will also include the WordPress version, which can be exploited by hackers (see above). Sucuri will remove the readme.html file for you.
- Default Admin Account - Sucuri recommends creating a new administrator account and removing the default administrator account. They also recommend that you use a more unique name than "admin".
- Plugin & Theme Editor - You can disable the editor so that those users without the technical know-how cannot accidentally break your site, or in the chance that your site is compromised, a hacker doesn't have the ability to cause damage by editing theme or plugin files.
- Database Table Prefix - If your database tables have the default 'wp_' prefix, it is a signal that you are running WordPress and may incite hackers to try to break into your site. By changing this, you simply hide the fact that your site is built with WordPress, and those hackers looking for an easy target may be dissuaded.
- Post-hack Security Actions - If you have been the victim of a hack, there are certain steps that need to be taken to mitigate any potential further trouble. These include changing your login passwords, resetting your security keys, re-installing plugins, and performing any available updates.
- Security Notifications - Sucuri offers an extensive array of settings for you to customize the notification emails that it sends you in the case there is a "security event". You may not wish to receive an email every time a user logs in to your site, which could get old fast and perhaps cause you to ignore other, more important notifications.
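The Security Keys, Plugin & Theme Editor and Database Table Prefix checks above can all be made against the wp-config.php file itself. The following is an added example (not Sucuri's code or anything from the original post) that audits a constructed wp-config.php fragment for those three weak settings; the 32-character minimum for keys and the hypothetical finding wording are my assumptions.

```python
import re

# Constructed wp-config.php fragment (not from any real site) that still has the
# three weak settings the audit below looks for.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'example_db');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
define('WP_DEBUG', false);
"""

# The eight key/salt constants WordPress expects wp-config.php to define.
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php

DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")

def parse_defines(config):
    """Map every define('NAME', value); call to {NAME: raw PHP value text}."""
    return {m.group(1): m.group(2) for m in DEFINE_RE.finditer(config)}

def audit_wp_config(config):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    defines = parse_defines(config)
    for name in KEY_NAMES:
        value = defines.get(name)
        if value is None:
            findings.append(f"{name} is not defined")
        elif PLACEHOLDER in value or len(value.strip("'\"")) < 32:  # assumed minimum
            findings.append(f"{name} is the sample placeholder or too short")
    prefix = PREFIX_RE.search(config)
    if prefix is None or prefix.group(1) == "wp_":
        findings.append("table prefix is the default 'wp_'")
    if defines.get("DISALLOW_FILE_EDIT", "").strip().lower() != "true":
        findings.append("DISALLOW_FILE_EDIT is not true; theme/plugin editor stays enabled")
    return findings
```

Run it against a copy of your own wp-config.php to get the same three findings Sucuri reports, without giving a plugin read access to the file.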
Wordfence has, in my opinion, a more appealing interface design than Sucuri, and gets you started with a useful tour of some of the most important features.
- Scan - Once you install the plugin, your site is scanned and any problems are reported to you with options to fix the problem. Henceforth, the scan runs on a daily basis to keep you safe and informed of any problems that have arisen since the last scan.
- Free Web Application Firewall - The WAF helps filter out hack attempts before they have a chance to damage your site. Be aware that the free version is updated about 30 days after the threats are reported to Wordfence. Subscribe to the premium service for a real-time update of reported threats.
- View traffic from hack attempts, crawlers and bots - These traffic sources don't show up in Google Analytics and you may be surprised at who is hitting your site. You can easily filter the traffic to distinguish the different sources (humans, crawlers, etc.).
- IP Blocking - Notice suspicious activity or patterns coming from a certain IP or network? You can easily block them, temporarily or permanently.
- Login security - You can customize your settings for failed login attempts, which is useful to prevent password guessing. You usually don't need to be super restrictive with this: it usually takes many attempts to guess a password, and it is annoying for real users to get locked out because they forgot their password and made too many attempts to log in.
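To see how a failed-login threshold like Wordfence's behaves on real traffic, here is an added example (not Wordfence's code or part of the original post) that runs the check over constructed web-server access-log lines. It assumes WordPress answers a failed wp-login.php POST with a 200 (the form again) and a successful one with a 302 redirect, and it uses a sliding window so you can try different thresholds against the same log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the common "combined" access-log format (not real
# traffic). Assumption: WordPress answers a failed wp-login.php POST with 200
# (it re-serves the form) and a successful one with a 302 redirect, so a burst
# of 200s to wp-login.php from one IP is the signal for password guessing.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4721 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4721 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4721 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4721 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4721 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:14 +0000] "POST /wp-login.php HTTP/1.1" 200 4721 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:14:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4610 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:14:02:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4721 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:14:02:55 +0000] "POST /wp-login.php HTTP/1.1" 200 4721 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:14:03:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def failed_login_bursts(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: total_failed_posts} for each IP that reaches `threshold`
    failed wp-login.php POSTs inside any sliding `window`."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; ignore rather than crash
        if m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue  # only login form submissions count
        if m["status"] != "200":
            continue  # 302 is a successful login, not a failed attempt
        attempts[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide window start forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

With the default threshold of 5 only the guessing host is flagged, while the legitimate user who mistyped twice and then logged in is left alone; dropping the threshold to 2 would lock that user out, which is the trade-off the paragraph above describes.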
In summary, there is a wide range of actions you can take to protect and secure your WordPress website. While it will be a good deal of work upfront, it will save you tons of trouble down the road should your site ever be compromised. As the old proverb goes, an ounce of prevention is worth a pound of cure.