Some time ago I wrote about the website security risks you need to manage.
But the Internet being what it is, times have quickly moved on. Cybercrime is growing at an extraordinary rate and the hackers are becoming increasingly vicious with their victims.
The article I linked to above refers to 3 situations in 2015 where hackers gained access to different companies’ databases and extorted money from them – in one case putting the company out of business.
This morning I read an article that describes a package that can be bought online that enables the buyer to infect your computer with a hack that takes over your data files and demands a ransom from you for getting them back. Read it here.
The cybercriminals are not in any way discriminatory when it comes to their targets: it can be the US government or your computer – they don’t care.
So if you think ‘it can’t happen to me’ or ‘who would be interested in my little website’ – think again!
Hacks on WordPress-based websites in 2015
WordPress now powers around 25% of websites online and that makes it a juicy target for hackers. Given the extraordinary complacency of so many website owners there are going to be literally millions of WordPress websites that are not properly protected.
Just in case you were in any doubt about the hackers’ enthusiasm for WordPress, the image below shows the trend of brute force attacks on WordPress websites in 2015. It is reproduced here with the kind permission of Sucuri, and the full article can be read here:
Brute force attacks on WordPress websites in 2015
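As an added illustration of what that brute-force trend looks like from the defender's side (example code written for this page, not part of the original post or Sucuri's article): a short Python script that reads constructed web-server access-log lines, counts failed wp-login.php POSTs per client address, and flags addresses that exceed a threshold within a time window. It assumes the common "combined" access-log format and the WordPress behaviour of answering a failed login with HTTP 200 (the form is re-rendered) and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (combined format); not taken from any real server.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Dec/2015:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Dec/2015:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Dec/2015:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Dec/2015:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Dec/2015:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Dec/2015:10:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Dec/2015:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Dec/2015:10:05:30 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# client_ip ident user [timestamp] "METHOD path protocol" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def failed_logins(lines):
    """Group timestamps of failed wp-login.php POSTs by client IP.
    A failed WordPress login re-renders the form (HTTP 200); a successful one
    redirects to wp-admin (HTTP 302), so only 200 responses count as failures."""
    attempts = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if method == "POST" and path.split("?")[0] == "/wp-login.php" and status == 200:
            attempts[ip].append(ts)
    return attempts

def brute_force_sources(lines, threshold=5, window_seconds=60):
    """Return {ip: peak failures in one window} for IPs reaching the threshold."""
    flagged = {}
    for ip, stamps in failed_logins(lines).items():
        stamps.sort()
        start, peak = 0, 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    for ip, n in brute_force_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} failed logins within 60s -> candidate for rate limiting or blocking")
```

Point it at a real access log with `brute_force_sources(open("access.log"))`; the flagged addresses are the ones a login-limiting plugin or firewall rule would be blocking.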
I’ve written before about the need:
- For strong usernames and passwords
- To keep your plugins, themes and the WordPress core up to date
- To have a robust backup routine
What I haven’t touched on so strongly is that you need to consider not just your website but your entire online environment.
What protection do you have on your computer?
It’s no good having your WordPress site well secured if the hackers have a list of your usernames and passwords – which they could have got by inserting a key logger onto your computer via email.
Phishing is big business these days. It’s where you receive an email that looks official and entices you to click on a link – which then places a key logger (or other malware) on your computer.
Alternatively, you could receive an email in your inbox that launches malware as soon as you open the attachment – or, in some cases, simply open the email.
Once this key logger is active on your computer it will send the details of all your usernames and passwords for all your accounts (think: online banking, insurance accounts and tax accounts, not just your WordPress admin area) back to the hackers, who can then access your site at their leisure.
So not only do you need to be protecting your computer when you’re surfing online, you need to be extremely wary of email, especially from people you don’t know.
And definitely do not click on any attachments unless you know what they are, or they come from someone you know!
Update – 12th January, 2016
I just came across an article that explains how hackers attack your computer in more detail – I urge you to read it here.
Remember: once they have access to your computer they can steal your login details, and that gives them free access to your website (and all your other accounts).
Some protective steps you can take
Here are some self-protection steps you can take for your computer:
- Install a full Internet Security application on your computer, not just one of the free anti-virus solutions
- In addition, install a separate malware scanner such as herdProtect or Malwarebytes. Do a full scan at least once a week
- For the adventurous: set up Gmail as your email client, rather than using Outlook, Thunderbird or whatever. The benefit of Gmail is that it scans emails for ‘suspicious attachments’ before it downloads them, and leaves them on the server when it finds one – the bad stuff doesn’t even reach your computer (although Google tells you about them so you can check them out yourself)
- Back up all your data at least once a week so you can restore it if someone steals it for ransom
- Back up your entire computer system at least once a month so you can restore it if it is compromised
Here are some self-protection steps you can take for your WordPress website:
- Install either iThemes Security Pro or WordFence security – both are very good
- Make sure you take full-site backups of your website at least once a week, and store them off line (or in the cloud – Dropbox, Google Drive, etc.)
- Make sure you can access your website files via FTP so you can delete and restore your website if it’s hacked
- Make sure you have the minimum possible number of administrator level accounts active – 1 is a good number here!
- Use strong usernames and passwords (remember that you can use upper and lower case letters, numbers and some symbols in your WordPress user name)
- Keep all software on your site absolutely up-to-date
Cybercrime is growing at an extraordinary rate and you’re exposed to it wherever you go online – and that includes your email, Facebook (at least 2 of my friends have had malware placed on their computer from clicking links on Facebook), other social media sites and other websites.
And, as far as your website is concerned, you need a mindset that thinks not if it is hacked but when it is hacked – and put mitigation steps in place now.
If that seems a bit daunting, we can help. If you’d like to talk about protection for your WordPress website do please read this page or: