This post was originally written for the House Digital blog which has since been discontinued. I moved it to my personal blog because I still refer to it regularly and the advice is still relevant!
One of the most common things we hear from clients is that they are “unlikely targets” because they have little to offer a hacker. They don’t accept payments, they don’t store credit card details, and there is nothing to offer the average bad guy – right?
The thing is, hackers aren’t necessarily after what’s in, or on, your site. Let’s have a look at some of the reasons who you might be an attractive target.
1. You’re easy pickings.
According to the most recent statistics published by W3Techs, WordPress holds the market share for almost 60% of websites using a CMS. While that’s great for WP users in a lot of ways, it also means that we are the most likely to be targeted by hackers and bots that constantly search the web looking for vulnerabilities.
Gone are the days where hackers are shady guys (or girls) sitting in their basement typing away at a keyboard NCIS style. Now, hackers write code that they then send out to the great wide web, that is single-minded in its mission to find websites that they can access. The people who are behind the WordPress platform know about this, so they are constantly producing updates to the software that tightens up any weak spots that are discovered. This is why updates are so important!
2. You’re free.
Usually, attackers aren’t after your website but rather the server it is running on. We all pay for hosting, electricity, and our desktops/laptops/phones to provide us with computing power. Would you take those for free if you could? That’s what a lot of hackers are trying to do, because they need a lot of computing power for things like mining Bitcoin or sending out millions of spam emails.
3. You’re anonymous.
Well maybe not “anonymous” exactly, but you can’t be traced back to them. They want to be able to hide their identity by stealing yours so that they won’t get caught, and because emails from you are more likely to reach their targets.
We’ve all experienced it before – you open an email from your work colleague or a family member and click on the link expecting to see a hilarious cat video, and instead end up with an infected computer that is significantly less funny.
Once someone has access to your server, they have the ability to send phishing emails until you get blacklisted and have to pay someone to clean up your hacked site.
4. You’re legitimate.
Google is a lot smarter than it used to be. As a result, inbound links are only valuable now if they come from a legitimate source – such as your blog or website advertising your brick-and-mortar business.
It is very common for links to be inserted into webpages that are hacked, to eCommerce sites of dubious moral integrity selling little blue pills and magic weight loss cures. Why spend time and money on a true marketing strategy if they can just hack a few hundred sites and drop links everywhere to boost their rankings?
5. Your visitors.
One of the more serious risks of a hacked website is that it can be used to spread viruses to vulnerable visitors who don’t have sufficient antivirus protection of their own. From key-logging to crypto-lockers, there are lots of nasty bugs out there just itching to get on to every computer they can. Most of the hacking process is automated, and it doesn’t discriminate between high volume and low volume sites.
If your rationale is that you are “not worth it” for a hacker, you might want to reconsider. The fact is that the automated hacking program doesn’t care whether you are worth it – they’ll try anyway.
3 Things You Can Do to Protect Yourself (For FREE) Right Now…
It’s not all doom and gloom – while there are lots of nasty things out there on the internet hoping to take advantage of you, they are most likely to go for the lowest hanging fruit. Some basic precautions can provide a lot of security improvements, particularly if you don’t have the time or money to invest in getting a professional security audit done on your site.
Here are our top tips for protecting your site right now, free of cost. You’re welcome!
1. Change your login URL
This is one of the simplest and most obvious changes that you can make to protect your site. The vast majority of malicious attacks on WordPress sites use Brute Force Attacks to try and gain access to your admin account so they can gain unrestricted access to your resources. They do this by using a massive database of username/password combinations to try and “guess” your login credentials. On a default WordPress installation this is very easy, because the login page is always located in the same place – your URL followed by “wp-login.php.”
Fortunately, this is very easy to change – and if hackers can’t access your login page, it makes cracking your password a whole lot more difficult! The easiest way to do this is by installing a free plugin such as WPS Hide Login that allows you to change the “slug” on the URL to whatever you like. This is one of the first steps we take when doing a security audit on our client’s websites!
2. Install Sucuri Security
Sucuri Inc. is a globally recognised leader in website security, and they conveniently provide WordPress users with a very nifty free security plugin. While it won’t directly protect you against attacks in most cases, it has some of the best auditing and monitoring features available. It also provides blacklist monitoring, so you will know straight away if your site does ever get infected.
For those who are looking for a higher level of protection, there are a number of great paid security plugins around as well. While we highly recommend iThemes Security Pro combined with the Sucuri Firewall as the ultimate combination to protect WordPress sites, we still install the free Sucuri plugin as well as it really does have some awesome features. WordFence is another popular and reputable solution we’ve heard good things about!
3. Backups!
If you don’t already have security and backup precautions in place, chances are that your website is not currently a major part of you business strategy. If that is the case, you are likely not producing loads of content or making updates very often!
Many backup solutions offer a free plan that allows you to back up your site monthly, or manually without too much hassle. Updraft Plus provides a free backup plugin that works well, and the backups are easy to restore. Many hosting providers also hold backups for you, but it is much easier to get back up and running quickly (and much more reliable) to have your own in case of emergency.
We offer security audits and care plan services for WordPress users that want to be able to focus their energy on their business without getting distracted.
Get in touch for more information!