The title is pretty self explanatory, but for you Google crawlers out there: We’ll cover what a hacking attempt on a WordPress site can look like, what happens if you get hacked, and WordPress Security options to fight it. Let’s dive in, shall we?

What does a hacking attempt look like?

I got an alert for a site we manage. It looked like this:

What does this mean? Someone who supposedly lives in France (but probably doesn’t) tried to log in with the username “www”.

Without security, hackers can “grind” passwords. Forever. Programs or “bots” will automatically keep trying different combinations until it works. They will also try different usernames, and even have sneaky secret ways of getting WordPress to tell them your usernames. I am not a hacker, I don’t know how they do this, but our security plugin has an option to stop them from doing it, so…it’s out there!

What happens if you get hacked?

Lots of things can happen. You might…

• Lose your site forever
• Get blackmailed into “buying” your site back (arguably worse than losing it forever)
• Have personal information stolen
• Have merchandise stolen
• Have financial information stolen – yours or your customers’
• Cry uncontrollably

It’s a horrible feeling getting hacked. Depending on how much work you’ve put into your site, you could feel that “I just dropped that last piece of pie on the ground” sad, or the “Where is my credit card? WHERE IS MY CREDIT CARD?” anxiety. In a truly epic hack, crumpling to the ground in the fetal position is acceptable.

What do we recommend for WordPress Security?

Three pretty easy steps can help. And they’re all free.

1. Install a Plugin
2. Use random characters for your password + change it regularly
3. Update your plugins regularly

As you can see, I like WordFence. It’s a popular, effective, free WordPress plugin. It includes the option to “lock out” users after a specified number of login attempts (4 in this case). This prevents the password “grinding” quite effectively.

You can also view reports with information on which IPs have been blocked, which countries have tried to access your site, and how many login attempts there are with each username.

Another neat feature I just found is the ability to immediately lock out users who try a specific username. In the example above, “admin” (which is a very common username) is shown as a non-existant user. If you create an administrator-level account with a different name, you can delete the default “admin” username and use it as kind of a bait to immediately block anyone trying to login with that username. Gotcha!

Paid security for your website is important as your size and visibility ramp up, but probably not necessary when first starting your online presence.

IMPORTANT ADDITION: Backups

If your site gets hacked and you don’t have a recent backup of your data, you may have a very long and disheartening journey ahead of you, my friend. For automated and thorough backups, it will cost you a little extra, but it is highly, highly, highly recommended. It’s like insurance for your car, except you get your car back as though the accident never happened.

Who do we recommend for security, website cleaning, and backups?

We have recommended Sucuri for a long time – they do security, website cleaning and backups. In fact, if your site has been hacked and you sign up with them, they’ll clean your site and get it running again as a first order of business. Follow this link to check them out! (It’s an affiliate link, but we have an account with them because they’re so good.)

As small or invisible as you might think your site is, please: don’t risk it. The site with this alert had over 30 login attempts in November 2015 alone, and is a one-person business based in the US. While your site’s security can never be 100% guaranteed (Sony much?), a few quick, easy, free precautions will go a long way.

Love,
Jason