WordPress Hacks Can Hurt You
In just a few short years, WordPress has become the Web's leading website creation tool. It's free, it's versatile, it's easy to configure, and there are tens of thousands of third-party add-ons to help make your site more useful to both you and your visitors. Another great benefit is documentation; I've never had a problem with WordPress for which I couldn't quickly find a solution online. But with popularity comes risk, and WordPress hacks represent a huge threat to affiliate marketers.
Why would someone engage in WordPress hacks? Simple – money. If you can find a site that gets a lot of traffic and somehow install code on that site that works to your benefit, you can make a lot of money without doing much work. One of the more clever WordPress hacks I've read about was a case where an affiliate marketer had their site hacked. The hacker changed every single affiliate link on the site to their own link. When visitors bought something through an affiliate link, the hacker got paid for the sale instead of the site owner. There are affiliate sites that earn more than a thousand dollars per day, so WordPress hacks like that one can do a lot of damage.
WordPress Hacks – Threats and Fixes
Perhaps the most common of WordPress hacks is the phishing page. The attacker uploads code to the compromised site that serves a page which looks legitimate, such as a PayPal login screen. Then the attacker sends out millions of spam email messages telling people that their account at that legitimate site has been compromised and that they must log in to correct a problem described in the message. The link in the message claims to go to PayPal or whatever site is being imitated, but it actually points at the page planted on the hacked WordPress site. With this kind of attack, the criminals can harvest tens of thousands of usernames and passwords for all kinds of sites, such as PayPal, banks, or Amazon.
Phishing pages are a huge problem for website owners. If Google discovers one on your site, it will deindex the site or flag it with a malware warning in search results and in the browser. Those warnings are hard to get removed, and they cause traffic to drop to almost nothing overnight. Your hosting provider may also suspend the site, or simply cancel your account.
Sometimes, hackers break into WordPress sites to destroy them or deface them. Regardless of the motive, the potential for damage from WordPress hacks is huge, and the more common WordPress becomes, the more likely that you’re going to become a victim of WordPress hacks sooner or later. Fortunately, a few simple steps can help prevent these sorts of problems from happening in the future.
Here are a few things you can do to help prevent WordPress hacks:
Use a strong password – By default, WordPress will assign very strong passwords, but they’re often hard to remember. Most people change them to something simple. It’s best to keep the password as complex as possible. Longer passwords are also better, as they’re more difficult to crack.
Change the name of the admin user – By default, WordPress creates a user called "admin." Log in as admin, create a new user with the Administrator role, log out, and log in as the new user. From there you can delete the admin account; when you do, WordPress asks you to attribute admin's posts to another user, so choose the new account. Use the new account from now on. Most WordPress installations still use admin for the login, which means attackers only have to guess the password. If you rename the account, they have to guess both the account name and the password. One caveat: WordPress exposes usernames in several places (author archive URLs such as ?author=1, and the REST API user listing), so treat the renamed account as a speed bump rather than a secret, and keep the strong password.
Get a login security plugin – I use a plugin called Limit Login Attempts to help prevent WordPress hacks. If someone fails to log in three times in a row, they're locked out for a period of time (the default is 20 minutes). This defeats automated "brute force" login attacks from a single address, since the attacker only gets three tries before being locked out. Note that the lockout is tracked by IP address, so an attack spread across many addresses, each staying under the limit, is not stopped by it; the strong password is what protects you then. The plugin is free and easy to install.
Protect your wp-config.php file – The wp-config.php file sits in the root of your WordPress installation and contains the name, user and password of your database. WordPress needs it, but that doesn't mean anyone should be able to see it, fetch it, or learn its contents. Also in that directory is a file called .htaccess (the whole file name is ".htaccess", with nothing in front of the dot). Edit it via FTP and add the following at the very end, outside the "# BEGIN WordPress ... # END WordPress" block, which WordPress rewrites whenever you change permalink settings. The Files wrapper is essential: a bare "deny from all" at the end of .htaccess blocks every request to the whole site, not just the config file.
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>
Protect your login screen – If your hosting uses WHM and cPanel, you can restrict the WordPress login screen so that only your own IP address can reach it. This is a bit complex, and you might need help from your hosting company's support team, but it keeps anyone but you from even attempting to log in.
1. Log in to WHM (Web Host Manager)
2. In the left-hand panel, select "Apache Configuration"
3. Click "Include Editor"
4. Click “Pre Virtual Host Include”
5. In the pulldown menu, select “All Versions”
6. In the window labeled “Global”, add this code:
<Files wp-login.php>
Order deny,allow
Deny from all
Allow from 203.0.113.10
</Files>
Replace 203.0.113.10 (a placeholder) with your own IP address. Then click "Update" and "Restart Apache." Anyone else who requests the login screen gets a "403 Forbidden" error from Apache. The Files wrapper matters: without it the Deny applies to every request on the server, and the "Order deny,allow" line is what lets the Allow override the Deny. Because this include is global, it restricts wp-login.php for every site on the server, which is what you want on a single-site server. Important: Don't do this if the computer you use to reach your WordPress site has a dynamic IP address that changes regularly, or you will lock yourself out. If you travel, you can add another address to the Allow line via WHM. On Apache 2.4 these Order/Deny/Allow directives only work if mod_access_compat is loaded; the native 2.4 equivalent is "Require ip".
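For readers on a current Apache, here is the same pair of restrictions (the wp-config.php block from the .htaccess step and the login-screen block from the WHM steps) written in Apache 2.4 syntax. This is an added example, not a snippet from the original post or from WordPress; it assumes Apache 2.4 with mod_authz_core, a WordPress install under /home/example/public_html (a placeholder path), and an administrator IP of 203.0.113.10 (an RFC 5737 documentation address, also a placeholder).

```apache
# Added example (not from the original post). Apache 2.4 "Require" syntax
# for the two restrictions described above. The post's own snippets use the
# older Order/Deny/Allow directives, which on 2.4 need mod_access_compat.
#
# Assumptions: WordPress lives in /home/example/public_html (placeholder),
# and 203.0.113.10 is the administrator's fixed address (placeholder).
# Put this in a server-level include (for example WHM's Pre VirtualHost
# Include) or directly in the site's <VirtualHost> block.

<Directory "/home/example/public_html">
    # Nobody needs to fetch wp-config.php over HTTP; it holds the database
    # credentials. Every request for it now gets 403 Forbidden.
    <Files "wp-config.php">
        Require all denied
    </Files>

    # Only the listed address may reach the login screen; everyone else gets
    # 403 Forbidden (not a redirect). More addresses or CIDR ranges can be
    # appended to the same line, e.g. "Require ip 203.0.113.10 198.51.100.0/24".
    <Files "wp-login.php">
        Require ip 203.0.113.10
    </Files>
</Directory>
```

After saving, run "apachectl configtest" before restarting so a typo does not take the whole server down, and test from a second address (a phone on mobile data works) to confirm you see the 403 rather than the login form.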
WordPress Hacks Conclusion
WordPress hacks are a nuisance and cost a lot of people a lot of time and money. While it’s impossible to ensure that every site is 100% secure, a few simple steps will deter hackers and send them looking for another site to hack. It’s good practice just to make sure that your site is safe for your customers to visit, and it only takes a few minutes to put these security measures in place.