In a recent WordPress hack, many WordPress users sites became vulnerable after a hacker hid code for a PHP backdoor inside the source code of a plugin disguised to appear as a popular anti-spam plugin called “WP-SpamShield Anti-Spam”.
The attacked leveraged the reputation of the legitimate program by naming the threat similarly as “X-WP-SPAM-SHIELD-PRO”, and users who downloaded the program unknowingly opened a backdoor that allowed the attacker to create their own admin account, upload files on the victims serves, disable all plugins, and more.
In the wake of this attack, many users are wondering how they can ensure their WordPress sites are secure. Although many people believe WordPress, as an open source script, is highly vulnerable, as a WordPress site owner, there are many simple tricks you can use to protect your site against potential threats.
Our web development team is highly skilled in creating sites that are both responsive and kept secure. Keep reading to learn our tips to ensuring your WordPress site is protected against potential threats.
Be Careful What You’re Installing on Your Site
This is the most relevant tip to the recent attack, and also one of the most straightforward. In the recent attack, the fake plugin never made it into the official WordPress plugin repository, but was made available elsewhere.
Make sure everything you install on your site comes from the official WordPress plugin storehouse only. This is the only way to ensure the programs you install have been properly vetted and are safe for your site’s security.
This goes for any themes you install as well. Both plugins and themes installed on your site are backdoors into your sites admin, so it’s important both come from trusted sources. The best source is always the official WordPress shops, but if you want a premium theme or plugin make sure it is from reputable sources like Themeforest or from a highly respected developer’s website.
Keep Everything Up To Date
Although simples, this step can have a big impact on site security. You want to make sure your site, plugins, and themes are up to date.
First, you want to make sure your WordPress itself is up to date. As soon as you see the “update available banner” on your dashboard, click it and update your site. This is crucial since any security bugs that were fixed from the previous version are available to the public once an update is released. This means that an out of date site becomes even more vulnerable since hackers can easily access information on security holes.
Similarly, make sure your plugins and themes are up to date as well since any security holes in them leaves an easy entrance to your site’s admin for hackers.
Delete Any Plugins or Themes You’re Not Using
In continuation of what was already mentioned above, getting rid of any unused plugins or themes will reduce the likelihood of being hacked. Unused plugins and themes often go unupdated as well, making them more vulnerable, so it’s a lot easier to just delete them. Remember, though, that deactivating is not the same as deleting – to keep your site secured, you must actually click “delete”.
Change Your Password Frequently and Make It Good
A good password is a little obvious for good security, but many still don’t comply. Random strings of letters and numbers are usually the best to go with. If you don’t want to bother making passwords up randomly (especially if you handle a lot of accounts) you can use a password generator to do the work for you like Norton Password Generator.