To understand the best way to stop your WordPress website from being hacked, you need first to learn how websites like yours get hacked in the first place. Discover the 3 most common hacks – the answers may surprise you!
1. Session Hijacking
When you log into a website, you do not have to log in again whenever you visit a new page. Sometimes, you can even close your internet browser, open it again and you remain logged in.
When you log into a website, your browser downloads session cookies. These are small snippets of code that allow you to ‘stay logged in’ for a time.
Renowned security expert Thomas J. Raef published an extensive study that revealed hijacking stolen session cookies was responsible for 60% of WordPress website hacks in 2023.
Why? Because the widespread use of two-factor authentication (2FA) made other ways of hacking sites much harder.
How to Protect Yourself Against Session Hijacking
There are 4 things you can do to protect your website against session hijacking:
- Protect your devices (computers, phones, etc.). Hackers use malware on your computer to steal session cookies. So, install security software on your devices. There is a range to choose from. Personally, I recommend Bitdefender Total Security.
- Never Click ‘Remember Me’. When you log into a website, you are often given the option to ‘remember me’. Clicking on this option can extend the lifespan of session cookies up to 14 days. Please don’t do it.
- Always Log Out. When you are finished working on your website, always log out. This ends the lifespan of your session cookie.
- Don’t Use Unsecured Wi-Fi. Other people may be able to access your computer when you connect to public, unsecured Wi-Fi.
2. Plugin Vulnerabilities
Raef’s study also revealed that 33% of hacks came through vulnerabilities in your website’s code. This is the second most common way hackers get into WordPress websites.
Websites are built using different types of code, in much the same way as your home is built using different materials. This code includes:
- WordPress core code
- Theme code
- Plugin code
Hackers find vulnerabilities in code in much the same way that burglars find weaknesses in parts of your house – e.g., a broken latch.
Technically, hackers can find and exploit vulnerabilities in any code. But, according to security expert Oliver Sid, plugin code is far more likely to contain security vulnerabilities.
How to Protect Yourself Against Plugin Vulnerabilities
There are two things you can do to protect your website against plugin (and other code) vulnerabilities:
- Update: Keep your plugins (and other code) updated.
- Patch: Apply virtual patches to known vulnerabilities.
My maintenance plans do both of these for you.
3. Stolen Credentials
Finally, Raef’s research revealed that 7% of hacks used stolen login credentials.
How do hackers steal your username and password?
One common mistake people make is using the same username (email) and password for multiple accounts. If you do this, and one of those accounts is hacked, hackers can access all your accounts.
Check known hacks involving your email address at https://haveibeenpwned.com/
How to Stop Hackers Using Stolen Credentials
There are 2 things you can do to stop hackers from using stolen credentials to get into your website:
- Unique Passwords: Use a completely different password for each of your online accounts. Given the number of accounts people have, you should use a secure password manager to track them all.
- 2FA or Two-Factor Authentication: Set up a system where, after entering a username and password, your website sends a code (e.g., to your phone). This way, stolen credentials, on their own, will not be enough to access your website.
How Do WordPress Websites Get Hacked in a Nutshell?
The 3 most common ways WordPress websites were hacked in 2023 were:
- Session Hijacking: Where hackers use stolen session cookies to access your website.
- Plugin Vulnerabilities: Where hackers use known weaknesses in plugin and other website code to get into your website.
- Stolen Credentials: Where hackers steal or buy stolen usernames and passwords.
Are these the only ways WordPress websites get hacked? No!
Some websites still get hacked in more traditional ways, such as brute-force attacks, where bots guess and check login credentials at a rapid rate.
But session hijacking, plugin vulnerabilities and stolen credentials accounted for nearly all of the successful hacks in 2023.
