In my previous post, I talked about no-code, non-techy WordPress security measures. When one of my friends read the post, she asked, “Why would I care about this? Why would anyone hack MY site?” And I realized that this is a pretty good question, and I probably should have answered it first!
Even though my friend has a one-page site with an email address collection form, she’s still at risk. She doesn’t collect credit card information or even names. But her site and the web server host are both valuable to hackers.
I’m going to run down some of the top ways that hackers benefit from hacking your site and a bit more about prevention.
How Hackers Benefit from Hacking Your Site
First of all, they can steal the data that you collect from your customers/site users. But, even if you don’t have data on your site that a hacker could swipe and use or sell, there are lots of other ways they can profit from breaking into your site.
If they access your site or web host, they can:
- host phishing scams that will be traced back to you, not them
- send out all manner of spammy emails and sales pitches
- spread malware via the server or by sending out emails
- get to other websites if you’re on a shared hosting plan
- change the content on your site or host ads on your site, and they don’t usually add the type of content you want to see – think pharma ads and adult products
- redirect your traffic to their own pages
- take your site hostage and demand a ransom
- take down your site just for fun
Not one of those things on the list is much fun.
In addition to the three recommendations I’ve already made,
- quality web host
- user name that’s NOT “admin”
- long, unique password that’s not “password”
you should keep your site software up to date. While this isn’t terribly technical, not everyone is going to feel comfortable with this. And if you don’t feel comfortable, I recommend paying for a service to make sure this gets done.
Step 1 – Backup
Make sure you have a current backup at all times and keep it on a server that’s not your web host (think Google Drive or Dropbox). If your site is compromised, you’ll be able to restore your site to pre-hacked goodness. You’ll also want to make a backup right before you update your software. If something doesn’t work right for any reason, you can roll back those changes pretty easily.
Step 1.5 – Test Server
If it’s practical, or if you have a lot of moving parts and even one minute down will cause you to lose money, you should use a test server. Before you make any software changes, pull your site down to its test server and make the changes there first. This way, you can do all of your testing before you push any of the changes live.
Step 2 – Core WordPress
While you can set WordPress to do automatic security updates, you’ll want to keep up with the general updates as well. This is so that you can make use of the latest features and so that the other moving pieces of your site will continue to work. Quality plugins and themes will keep their software up to date with the WordPress releases.
Step 3 – Plugin Software
Quite a few of the vulnerabilities in a WordPress ecosystem come from plugins. This is because on any one site you’ll have many plugins, all built by different people, each doing their best to work alongside the other plugins on the site. In addition, most of the functionality around data input and processing will come from plugin software.
Step 4 – Theme Software
Themes aren’t updated nearly as often as the plugins, but when they are, it’s usually for security reasons.
Step 5 – Test
Test out your changes – make sure the key parts of your site work. Then, if you’ve used a test server, you can push the changes live, and do another look-around, just to be safe.
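For readers who would rather script the backup, update, test sequence above than click through it, here is the same procedure with WP-CLI. This is an added example, not code from the post; it assumes WP-CLI is installed as `wp`, the site lives in `$WP_PATH`, an rclone remote named `offsite` points at your Drive or Dropbox, and `$SITE_URL` is the public address (all of these are placeholders you would set).

```shell
#!/usr/bin/env bash
# Added example: Step 1 (backup) -> Steps 2-4 (core, plugins, themes) -> Step 5 (test),
# with WP-CLI. Assumed, not from the post: `wp` on PATH, an rclone remote "offsite",
# and the three variables below.
set -euo pipefail

WP_PATH="${WP_PATH:-/var/www/html}"          # placeholder: where WordPress is installed
SITE_URL="${SITE_URL:-https://example.com}"  # placeholder: your site's public URL
BACKUP_DIR="${BACKUP_DIR:-$HOME/wp-backups}"

# Step 1: database + files backup, then a copy that lives off the web host.
make_backup() {
  local stamp="$1"
  mkdir -p "$BACKUP_DIR"
  wp --path="$WP_PATH" --quiet db export "$BACKUP_DIR/db-$stamp.sql"
  tar -czf "$BACKUP_DIR/files-$stamp.tgz" -C "$WP_PATH" .
  rclone copy "$BACKUP_DIR" offsite:wp-backups   # assumed remote name
}

# Refuse to update unless both halves of the backup exist and are non-empty.
backup_is_sane() {
  local stamp="$1"
  [ -s "$BACKUP_DIR/db-$stamp.sql" ] && [ -s "$BACKUP_DIR/files-$stamp.tgz" ]
}

# Steps 2-4 in the order the post gives: core first, then plugins, then themes.
update_everything() {
  wp --path="$WP_PATH" core update
  wp --path="$WP_PATH" core update-db
  wp --path="$WP_PATH" plugin update --all
  wp --path="$WP_PATH" theme update --all
}

# Step 5: the cheapest "is the site still up" check. Still click through the
# pages that matter to you (e.g. the signup form) before calling it done.
smoke_test() {
  local code
  code="$(curl -s -o /dev/null -w '%{http_code}' "$SITE_URL")"
  [ "$code" = "200" ]
}

main() {
  local stamp; stamp="$(date +%Y%m%d-%H%M%S)"
  make_backup "$stamp"
  backup_is_sane "$stamp" || { echo "backup incomplete, not updating" >&2; exit 1; }
  update_everything
  smoke_test || { echo "site not returning 200; restore backup $stamp" >&2; exit 1; }
}

if [ "${1:-}" = "run" ]; then main; fi   # usage: ./wp-safe-update.sh run
```

Run it on the test server first (Step 1.5) and only then against the live site; if the final check fails, the timestamp printed tells you which backup to restore.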