Today a client (who does not have a maintenance plan with us) contacted us because her email had been shut down by her host for sending more than the 500 emails allowed per hour. In case you weren’t aware that hosting companies had such limits, now you know. She definitely wasn’t sending 500 emails per hour, but she does have a WordPress website and her POP email is run from the same hosting package where her site resides. She correctly intuited that her WordPress website had been hacked. But how… and why?
Why Hackers Hack
Hackers tend to target your WordPress website for one of three reasons.
- They want to use it to send out spam email (as we discussed above).
- They want to gain access to your data, mailing lists, credit card information, etc. (If you’re not running an e-commerce website, this probably won’t apply to you, and in any case we design systems that do NOT store credit card information on your server.)
- They want to make your website download malicious software onto your end user’s computer, or they want to install malicious software for use on your site.
The Hosting Hack
Every hacking situation is a little different, because every WordPress site has a slightly different configuration of themes, plugins, and content, each on a different hosting platform with different passwords. It’s estimated that about half of WordPress websites get hacked through vulnerabilities on the host side. Ouch. You trust a company to host your site as cheaply as humanly possible, and they betray you by not working around the clock to secure their servers from bad actors.
Because your web hosting company holds the line between you and hackers, it’s important to pick a reputable company. These days, we recommend GoDaddy’s Managed WordPress hosting for most purposes. (For more complex websites, you may need a Virtual Private Server, or if you have multiple WordPress websites, you may be better off with a standard Linux hosting package that can be configured to run more than one site.) The Managed WordPress package does have limitations, like a blacklist of plugins they won’t allow you to install, but these are the trade-offs that make general day-to-day operations safer in general.
The Unmaintained Hack
The next most common source of vulnerabilities are plugins, themes, and WordPress itself. WordPress releases quite a number of updates—sometimes as many as two updates per month—and generally these are intended to close up vulnerabilities that have been discovered. There’s always a chance that an update might “break” your website, so it’s important to be judicious about them. We created a guide to help make a call about which plugins are consistently safe to update and which you might want to consult a web developer before tackling. When in doubt, take a backup before you proceed (in addition to the backups you should be taking of your website already).
The Password Hack
The least common source of hacking these days is… weak passwords. Surprised? The fact is, most hacks these days are automated. In general, hackers target your WordPress website for one of three reasons, and they do it by finding security vulnerabilities. Brute force password hacks
We certainly do recommend using a strong password for anything related to your website, whether it’s your WordPress admin account, your FTP credentials, your Cpanel login, or even your hosting login. Hackers will run a script that inputs random usernames and passwords until one fits—a brute force attack. This year, the National Institute of Standards and Technology updated its recommendations for strong passwords. Instead of W@3ds!Agb, consider using a password like intensecrayonpriderainforest. It works because longer passwords are harder to break than shorter ones, even with no special characters or numbers. WordPress is a bit behind the times on this front, and it will call you out for passwords without numbers and whatnot. Feel free to throw a number in there to appease it.
Next week, we’ll be talking about hacking prevention. If you have questions, let us know in the comments!
