It’s no surprise that security has become a major concern for web developers and site owners. With the internet now the default channel for communication, research and shopping, regular website security checks are critical to limiting the spread of malware and spam.
Whether you run a tiny personal blog or a large multinational online store, the threat of being hacked is always present. Attackers deface sites and embed malware in them, attempt to steal your data or your customers’ data, and delete content from your server. You need to protect yourself and your sensitive information.
Let’s work out how secure your site is right now, and cover a few tips for removing the low-hanging fruit that malware authors rely on. WordPress is reasonably secure out of the box, but it takes a little work to harden it fully.
Website Security Check: Why Does It Matter?
You might think that your website is so small and unimportant that no one would bother targeting it. Or maybe you’ve just never thought about security before and figure it doesn’t matter enough to bother with.
That attitude is why a 2013 survey found that more than 70% of WordPress installations were vulnerable to known attacks. Most of those holes came from outdated software: because many site owners either don’t know how, or don’t care enough, to secure their sites, WordPress installations became a favourite target for mass, automated attacks.
So what could happen if your site suffers an intrusion? It’s not a simple annoyance solved by changing your password.
- Code could be injected into your pages that serves malware to your visitors and infects their devices; such injections can be hard to locate and remove.
- Your critical pages may be defaced, blanked, or stuffed with links to illegal sites.
- Content such as blog posts and pages can be deleted.
- Sensitive information such as logins or credit card details belonging to you, your users, or your customers may be stolen and sold online.
- Attacks could spread to other websites on the same server, especially on shared hosting where several sites run under one account and can write to each other’s files.
- If Google’s Safe Browsing detects malware on your site, visitors will see a warning page in their browser and the site may be flagged in or removed from search results, undoing your search engine optimization (SEO) work.
- The admin account’s username and password could be changed, locking you out of your own backend.
A hacked site is an especially serious matter if you run an ecommerce store, where customer payment data and customer trust are at stake.
And even if you believe your site doesn’t matter, not all attacks are targeted. Most WordPress attacks are automated: a bot probes thousands of sites for known vulnerabilities and exploits whatever it finds without any human intervention.
That’s why you need to take steps to secure your site, no matter what.
Why Does WordPress Get Hacked?
Hacking is widespread, but what are the most common weaknesses attackers use to break into a site?
You may imagine that breaking into a website is a challenging process that takes days or weeks of work and deep knowledge of computers, code, and servers. That can be true for a targeted attempt against a large, well-protected site, but the story is very different for small WordPress sites.
The vast majority of successful attacks on WordPress come down to easy-to-guess passwords and out-of-date themes and plugins, and most are carried out by automated programs rather than by a person.
Password guessing is the crudest form of attack, and it’s so common because it works. Many sites still use “admin” as the administrator username (the installer stopped defaulting to it long ago, but the habit persists), which removes half the guesswork, and then pair it with a short, guessable password. Bear in mind that usernames are rarely secret anyway: author archive URLs and the REST API’s users endpoint reveal them, so the password is the part that has to be strong.
When guessing fails, attackers turn to known vulnerabilities in popular plugins and themes, or in outdated versions of WordPress itself. That’s why keeping everything updated matters so much.
There are more sophisticated ways to break into a website, but most WordPress compromises exploit the low-hanging fruit of a weak password or outdated software.
How to Perform a Website Security Check
The first step in securing your website is determining how secure it already is. Are there glaring vulnerabilities in your backend that you need to patch immediately, or easy fixes you can make right now?
Use an Online Tool
One quick way to check your site for malware and vulnerabilities is an online scanner. These scan your site remotely and identify common issues. It’s convenient since it requires no software or plugins and takes only a few seconds, but it can only see what your web server serves to the public: rendered HTML, JavaScript and response headers, not the PHP files on disk.
There are dozens of scanners to choose from online, and we’ll list a few others in our tools section below, but for now let’s pick a popular one that’s easy to use: Sucuri SiteCheck.
This tool is a good choice because you can install the Sucuri plugin afterwards and get straight to fixing any issues it detects.
Once you scan your site, Sucuri checks it against blocklists, looks for obvious problems such as injected spam links or an out-of-date version disclosed in the page, and inspects the HTML and JavaScript it can reach for known malware patterns. It also suggests ways to harden your site against attacks.
Tools like this are a good starting point for detecting hidden malware, but a clean remote scan does not prove the site is clean: a backdoor in a PHP file that produces no visible output is invisible to them.
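To make the limits of a remote scan concrete, here is a small passive inspector of the kind such a scanner must be built from. It is an added example written for this article, not Sucuri’s code, and it works only on the HTML a server would send to any visitor: it reports a disclosed WordPress version, script tags loaded from hosts other than the site’s own, and iframes styled so the visitor cannot see them. The sample page, the site name example.com and the .invalid hostnames are all constructed for the example.

```python
"""Passive checks on one page of HTML, the way a remote scanner must work.

Constructed example for this article, not Sucuri's code. It only sees what the
web server sends to any visitor, so it can flag a disclosed version, third-party
script sources and hidden iframes, but never a backdoor inside a PHP file.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class PageInspector(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.generator = None       # content of <meta name="generator">
        self.foreign_scripts = []   # <script src> loaded from other hosts
        self.hidden_iframes = []    # <iframe> styled so the visitor can't see it

    def _is_foreign(self, url):
        host = urlparse(url).hostname  # None for relative URLs, i.e. same site
        return host is not None and host.lower() != self.site_host

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generator = a.get("content") or None
        elif tag == "script" and a.get("src") and self._is_foreign(a["src"]):
            self.foreign_scripts.append(a["src"])
        elif tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            if "display:none" in style or "visibility:hidden" in style:
                self.hidden_iframes.append(a.get("src", ""))


def inspect_page(html, site_host):
    """Return what a remote scan can learn from this HTML, plus readable findings."""
    p = PageInspector(site_host)
    p.feed(html)
    findings = []
    m = re.search(r"WordPress\s+([\d.]+)", p.generator or "")
    if m:
        # a real scanner would compare this against the current release
        findings.append(f"version disclosed: WordPress {m.group(1)}")
    for src in p.foreign_scripts:
        # a CDN or analytics host is normal; an unfamiliar domain is the classic sign of injected JS
        findings.append(f"third-party script: {src}")
    for src in p.hidden_iframes:
        findings.append(f"hidden iframe (typical drive-by injection): {src}")
    return {
        "wp_version": m.group(1) if m else None,
        "foreign_scripts": p.foreign_scripts,
        "hidden_iframes": p.hidden_iframes,
        "findings": findings,
    }


# Constructed sample page for example.com; the .invalid hosts are reserved names, not real sites.
SAMPLE_HTML = """<!doctype html><html><head>
<meta name="generator" content="WordPress 5.4">
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://example.com/wp-content/themes/twentytwenty/assets/js/index.js"></script>
<script src="https://stats.not-a-cdn.invalid/t.js"></script>
</head><body>
<p>Welcome to my blog.</p>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="https://payload.invalid/ld.php" style="display: none; width:1px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line in inspect_page(SAMPLE_HTML, "example.com")["findings"]:
        print(line)
```

Run against the sample it reports the version, the one script from a foreign host and the hidden iframe; the visible YouTube embed is foreign too but not hidden, which is exactly the judgement call a human has to make when reviewing a scanner’s list.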
Scan Your Website With a WordPress Plugin
While online scanners are useful, it’s better to also install a plugin that runs on the server itself, reads the PHP files on disk, and compares core, plugin and theme files against known-good copies; that is how hard-to-detect malware gets found.
Once installed, the plugin will usually prompt you to run a scan immediately. The advantage over remote scanners is that they see every file and can quarantine or replace infected ones automatically. Bear in mind that a scanner running on a compromised server can itself be tampered with, so for a confirmed infection, restoring from a known-clean backup or reinstalling core, plugins and themes from official sources is more reliable than automated cleanup alone.
Look for Strange Changes
If you suspect or know that your site has been infected with malware, pinpointing the source can be challenging. Here are some unexplained changes you may notice, as well as the files attackers typically target:
- Sudden links to strange websites you didn’t add yourself
- New articles and pages you didn’t create, or the content of existing pages suddenly changing
- Changes to settings you didn’t make
- A new user, especially one with high-level privileges, you didn’t add
- Plugins or themes you didn’t install
- Malicious code injected into existing files. Check plugin and theme files, the wp-content/uploads folder (which should contain no PHP files at all), copies of core files sitting outside their normal directories, wp-config.php, and .htaccess. Back up your site and make sure you understand the code before changing anything.
If you connect to your site with SFTP (prefer it to plain FTP, which sends your credentials in the clear), sort by modification date to spot recently changed files that shouldn’t have changed. Modification times can be forged, though, so also compare core files against the official checksums; WP-CLI’s wp core verify-checksums command does exactly that.
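The following script automates the file checks above. It is an added example written for this article, not the code of any plugin or of WP-CLI: it walks a WordPress tree and reports recently modified files, PHP files under wp-content/uploads, upload files whose contents start with a PHP tag despite an image extension, and core files whose hash differs from (or that are missing from) a known-good manifest. The manifest and the sample tree are constructed inside a temporary directory; in real use the manifest would come from the official checksum list for your WordPress version.

```python
"""Look for the classic signs of file tampering in a WordPress tree.

Constructed example for this article; not the code of any plugin. It reports
recently modified files, PHP under wp-content/uploads (which should hold only
media), non-PHP upload files that contain PHP tags, and core files whose
hashes differ from a known-good manifest (the list that `wp core
verify-checksums` fetches from api.wordpress.org; here it is built by hand).
"""
import hashlib
import os
import tempfile
import time

PHP_EXTS = (".php", ".phtml", ".php5", ".php7", ".phar")
PHP_TAGS = (b"<?php", b"<?=")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, days=7, manifest=None, now=None):
    """Walk `root` and return sorted lists of suspicious paths (relative, '/'-separated)."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    manifest = manifest or {}
    seen_core = set()
    out = {"recent": [], "php_in_uploads": [], "php_tag_in_uploads": [],
           "modified_core": [], "missing_core": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            # mtime is a cheap first pass; attackers reset it with touch, so never rely on it alone
            if os.path.getmtime(full) >= cutoff:
                out["recent"].append(rel)
            if rel.startswith("wp-content/uploads/"):
                if name.lower().endswith(PHP_EXTS):
                    out["php_in_uploads"].append(rel)
                else:
                    with open(full, "rb") as f:
                        head = f.read(4096)
                    if any(tag in head for tag in PHP_TAGS):  # e.g. a ".ico" that is really PHP
                        out["php_tag_in_uploads"].append(rel)
            if rel in manifest:  # site-specific files like wp-config.php are not in it: review by hand
                seen_core.add(rel)
                if sha256_file(full) != manifest[rel]:
                    out["modified_core"].append(rel)
    out["missing_core"] = list(set(manifest) - seen_core)
    return {k: sorted(v) for k, v in out.items()}


def make_sample_tree():
    """Build a throwaway WordPress-like tree (constructed data) and its 'known-good' manifest."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    old = time.time() - 30 * 86400
    genuine = {
        "wp-includes/version.php": b"<?php\n$wp_version = '6.5';\n",
        "wp-includes/functions.php": b"<?php\n// genuine core code\n",
        "wp-includes/load.php": b"<?php\n// genuine core code\n",
    }
    manifest = {rel: hashlib.sha256(body).hexdigest() for rel, body in genuine.items()}
    on_disk = {
        "wp-includes/version.php": genuine["wp-includes/version.php"],
        # tampered core file whose mtime is pushed back so it looks untouched
        "wp-includes/functions.php": b"<?php\n// genuine core code\n// appended line standing in for a backdoor\n",
        # wp-includes/load.php is deliberately absent
        "wp-config.php": b"<?php\ndefine('DB_NAME', 'wp');\n",
        "wp-content/uploads/2024/01/photo.jpg": b"\xff\xd8\xff\xe0JFIF",
        "wp-content/uploads/2024/01/shell.php": b"<?php /* placeholder: PHP where only media belongs */\n",
        "wp-content/uploads/2024/01/logo.ico": b"<?php /* placeholder: PHP hiding behind an icon name */\n",
    }
    fresh = {"wp-content/uploads/2024/01/shell.php", "wp-content/uploads/2024/01/logo.ico"}
    for rel, body in on_disk.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(body)
        if rel not in fresh:
            os.utime(full, (old, old))  # backdate everything except the two planted uploads
    return root, manifest


if __name__ == "__main__":
    root, manifest = make_sample_tree()
    for key, paths in scan_tree(root, days=7, manifest=manifest).items():
        print(f"{key}: {paths}")
```

Note what each check catches that the others miss: the backdated functions.php never shows up as recently modified but fails its hash; logo.ico has a harmless extension but starts with a PHP tag, which is how attackers smuggle code past upload filters and later include it; and load.php is missing entirely, which a hash comparison of existing files alone would never notice.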
If your site keeps getting re-infected and you can’t find a cause in its files, the problem may lie in the server itself or in another site hosted on the same server or account.
Make Sure Everything Is Up to Date
As we’ve already mentioned, out-of-date software is the most common infection vector in WordPress, and plugins account for the bulk of the published vulnerabilities. If there’s only one thing you do to keep your site safe, keep WordPress core, plugins and themes updated.
The easiest way to check the status of all software on your site is to go to Dashboard > Updates, which will alert you if your core, theme, or plugins are out of date.
WordPress has applied minor core releases, including security fixes, automatically since version 3.7. Since 5.5 you can also enable automatic updates per plugin and per theme from their list pages, but that is opt-in, so plugins and themes can still fall behind. Anything that is outdated can be updated from this screen.
If you know there’s a new version of WordPress, but it isn’t showing up, click the Check again button below Current version.
You can also check your Plugins > Installed Plugins or Appearance > Themes pages for updates.
It’s essential to keep PHP up to date too. Anything older than 7.3 has serious known vulnerabilities, and the entire 7.x line is now out of security support, so run a supported 8.x release (php.net lists which versions still receive security fixes).
Secure Accounts and Passwords
A weak password on an administrator account makes it easy for brute-forcing programs to break in, giving the attacker administrator access and the ability to change anything. Note that wp-login.php is not the only door: xmlrpc.php accepts logins too, and its system.multicall method lets a single request carry many password guesses, so disable XML-RPC if nothing on your site uses it.
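Brute-force attempts leave an obvious trail in the web server’s access log, and spotting them is a good test of whether your login protection is working. The script below is an added example for this article, not part of WordPress or of any plugin: it parses combined-format log lines, counts failed logins per client address (a POST to wp-login.php that returns 200 is a failure, because a successful login redirects with 302; every POST to xmlrpc.php is counted, since one request there can hide many guesses) and flags any address that exceeds a threshold inside a time window. The log lines are constructed and use the reserved documentation address ranges.

```python
"""Flag login brute-forcing in a WordPress access log.

Constructed example for this article. Works on Apache/nginx combined-format
lines. A POST to wp-login.php answered with 200 is a failed login (WordPress
re-renders the form); a successful login answers 302. Every POST to xmlrpc.php
is counted because system.multicall can pack many guesses into one request.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields we need from one combined-log line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def is_login_failure(ev):
    if ev["method"] != "POST":
        return False
    if ev["path"].endswith("/wp-login.php"):
        return ev["status"] == 200      # 302 would be the redirect after a successful login
    if ev["path"].endswith("/xmlrpc.php"):
        return True                     # multicall: one request may carry hundreds of guesses
    return False


def find_bruteforce(lines, threshold=5, window_seconds=600):
    """Return {ip: total_failures} for every client with >= threshold failures in any window."""
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and is_login_failure(ev):
            per_ip[ev["ip"]].append(ev["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


# Constructed log excerpt; 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 812 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "https://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.1 - - [10/Oct/2023:13:57:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3980 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed login attempts")
```

The legitimate user at 198.51.100.9 mistypes once and then logs in (the 302), so it is not flagged; the scripted client at 203.0.113.7 is. If your site sits behind a CDN or reverse proxy, the first field will be the proxy’s address and you must take the client address from the forwarded-for header instead, otherwise every visitor looks like one attacker.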
While a complicated password is harder to remember and makes logging in less convenient, it’s far more inconvenient to recover your site after a hack. A strong password is worth it, even if you have to write it down and keep it somewhere safe.
Length matters more than character variety. Use a long string of random characters, or a passphrase of several unrelated words, and never base it on dictionary words or on personal, guessable information such as your address or a family member’s name.
In the best case, your password is a long, random string you never have to remember. We strongly recommend a password manager such as 1Password or LastPass to generate and store it, and pairing the login with two-factor authentication (available through plugins) so that a guessed password alone isn’t enough.
You can change your password and email in WordPress by going to Users > All Users, or directly to Users > Profile. Scroll down to Email under Contact Info and to New Password under Account Management.