WordPress Hackers Can Hurt You With Google
WordPress is one of the best tools to come along for helping Internet marketers make money online. In the past, you had to learn how to code HTML or learn how to use expensive WYSIWYG editors to build a Website. With WordPress, you just upload it, add a few plugins, and your site is ready to go. It’s fast, and easy and pretty much anyone with a pulse can get a WordPress site online in an afternoon. Of course, the software is not without its vulnerabilities, and WordPress hackers have been quite successful in making money from other people’s sites.
In recent news, Google has announced that they’re going to take a close look at sites containing what they call “hacking spam” and these are sites that have been compromised by WordPress hackers. Once you are able to break into someone’s site, you can upload any content that you like, often without the knowledge of the owner of the site. Since a lot of this content can be harmful, Google has decided to start removing such sites from their search results. While they say that this will likely affect only 5% of search results, 5% is a lot, and we’re talking about hundreds of thousands of sites here. In this post, I’ll talk about how WordPress hackers can hurt you and what you can do to prevent it.
What WordPress Hackers Do
WordPress hackers are looking for ways to access sites hosted with that software, so they can create posts or pages offering illegal or dubious products for sale. While the search engines have finally caught on to this, a few years back, a search for “buy Viagra” in any search engine usually brought up page after page of hacked WordPress sites, many of them on government or educational domains. It doesn’t end there, however, as many WordPress hackers also use compromised domains to upload phishing scripts. A few years ago, one of my own sites was hacked, and someone was sending out millions of email messages purporting to be from a major bank, but the links in the messages were actually redirecting people to my site.
How do WordPress hackers break in? The easiest way to get in is to simply guess your password. While current versions of WordPress generate complex passwords by default, older ones did not. Furthermore, since passwords that WordPress creates, such as D8*_m!J#@e3W, are difficult to remember, a lot of people change the password to something they can remember. Worse, many people choose passwords that are inherently secure.
Studies show year after year that the five most common passwords that people choose are:
These are going to be the first things that WordPress hackers will try when they attempt to log in to your site. If you’re using one of those passwords (or one of several dozen others that are easy to crack) you’re going to have your site hacked in short order. After that, it’s just a matter of time before these WordPress hackers add whatever content they like to your site, and it’s possible that they’ll do it in ways that you’re unlikely to discover in a hurry. When my site was hacked a few years ago, the WordPress hackers created a new folder on the site and added their content there. They didn’t create any posts or pages, and I wouldn’t have found the folder without using an FTP tool and looking for one.
Since Google has announced that they’re basically going to deindex sites that have been compromised by WordPress hackers, it’s essential that you take steps now to prevent your sites from being compromised. Below are a few suggestions that can help you keep your site secure:
1. Keep WordPress up to date. The WordPress development team adds and improves the software’s security all the time. It’s important to keep the software up to date. You’ll see messages in your dashboard when a new version is available. Be aware that updating the software may cause some plugins not to work correctly, so keep an eye out for that.
2. Make sure that your password is secure. If you’re not going to use the password that WordPress offers you, be sure to use one that’s difficult to guess. Longer passwords are better, and adding a mixture of upper and lower case characters or special characters won’t hurt.
3. Add a security plugin. Limit Login Attempts is one of many security plugins for WordPress. This one locks out a user after three failed attempts to log into a site. There are other plugins that offer additional security features.
4. Block access to your wp-login.php file or your wp-admin folder. I have a script installed on my server that blocks access to the WordPress login screen to anyone attempting to access the site from an IP address that I have not whitelisted. Anyone attempting to log in from a non-approved IP address will be redirected to the site’s home page. Doing this isn’t difficult, but it’s a bit long and technical for this blog post. You can do a quick Web search or ask your Web hosting company about how to do it.
5. Pick a Web host that has good security. The company I use scans my sites on a daily basis. If any script or software that looks malicious is uploaded to one of my sites, I’ll receive an email message from the hosting company about it.
6. Keep an eye on your files. It wouldn’t hurt to connect via FTP every now and again and look over your site’s file structure to see if there’s anything there that you don’t recognize.
WordPress Hackers Summary
WordPress hackers aren’t going to go away, just because Google isn’t going to index compromised sites anymore. There are other search engines, and the reason that WordPress hackers keep breaking into other people’s sites is because it’s profitable for them to do so. That means that sooner or later, someone will try to hack your WordPress site. That being the case, you should be careful about choosing your passwords and you should treat your site like the valuable asset it is. Keep it secure, and keep the WordPress hackers out.