WordPress Security Experts: Most Common Backdoors for Hackers and How to Avoid Them

Having a reliable and secure WordPress website  is critical for both your business and your users. For one thing, not having to worry about someone hacking your website and destroying years of work is a priority – but also, any user’s data breach will undermine your audience’s confidence and it’s questionable whether they’ll ever return. Even though website security is an on-going process, there are a few most common back doors for hackers that you can effectively avoid. That’s why we turned to well-known  WordPress  experts on the subject and organized a #WPSecurityChat on Twitter along with the creator of 11+ million websites-powering plugin Yoast (@Yoast), the full-stack developer and marketing technologist Jono Alderson (@jonoalderson), the PHP community force Cal Evans (@calevans), and SiteGround’s WordPress Initiative Manager Hristo Pandjarov (@pandjarov). Here’s a summary of their discussion with useful tips on how to safeguard your website against hackers.

Top 5 common ways for WordPress sites to be hacked in 2021

WordPress is a safe and secure software in and of itself. The majority of vulnerabilities are caused by the use of unreliable plugins, outdated themes and weak passwords. Hristo Pandjarov, our WordPress Initiatives Manager and SEO strategist outlines five most common backdoors: “My top five NOT ranked by priority, since any of those can cause enough harm are:

• Weak passwords
• Old plugins & themes not updated
• XSS attacks 
• Malware on computers with access to your site
• Weak passwords 🙂 “

Using a password manager, such as LastPass or 1Password, is advised by our WordPress security experts. Over the years, having a very strong master password and then randomly-generated ones for different logins has proven to be the best solution. You can find more useful tips and simple steps that address the issues above in our blog article “4 Simple Steps to Secure your WordPress” by one of the other participants in our #WPSecurityChat, Cal Evans.

Most hackers don’t care about your site’s popularity according to our security experts

Many website owners think that if your website is not hugely popular, then there is no reason for it to be a target. All of our WordPress experts agreed that it makes no difference whether your website is popular or not; everyone is at risk, and everyone should take measures to prevent hackers from gaining unauthorized access to their sites.

According to Jono Alderson (@jonoalderson), a Special Ops at Yoast, “It’s much more common for attackers to try to compromise lots of websites at scale, via automated attacks. If they can take control of your site, they can inject links (for nefarious SEO purposes), redirect your visitors, or abuse your site’s resources.”

How does site security affect SEO?

Jono Alderson, an expert at Yoast, the widely-used WordPress SEO plugin, summarizes that “…so much of SEO is all about building up and demonstrating trust, relevance, and authority. If your site gets hit, there’s a real risk that all of that gets compromised.” Your website’s reputation and SEO are closely connected. For example, if your website displays irrelevant content to users and search engines, your relevance and trustworthiness will suffer. 

Because site security is so important, Jono Alderson also revealed helpful methods for determining whether or not your site has been hacked, “Most good security plugins will also let you know when sensitive files have been changed or added, or when unusual behaviour has been detected. Make sure that you’ve configured that kind of logging, and regular scans.”

At SiteGround, we offer SiteScanner malware detection and monitoring service. The scanner lets you perform on-demand scans of your website as well as comprehensive daily scans to detect domain blacklisting and malware.

Site security is something you have to constantly work on

There is a common notion among our WordPress experts that webmasters tend to neglect site security over other tasks. Common mistakes include failing to update software, plugins, themes, and so on. Cal Evans, PHP developer and WordPress expert, shared his tips for avoiding common hacks “Be diligent in maintaining your site. Check in daily to see what has changed. It’s ok for YOU to update plugins instead of waiting for autoupdate,” adding “Keep good backups and keep them for a while.” 

At SiteGround we try to take some of that load off your shoulders by automating many of these tasks as part of our managed WordPress security services. We automatically update your instances and their plugins to the latest version and patch against common WordPress-related exploits through our server firewall. Our latest backup service updates include distributed physical backup locations and enhanced data protection which help enormously in event of a hacking incident.

How can your web host help in keeping sites secure?

If your website does get hacked, our experts suggest you contact your hosting provider or a specialist. Hristo Pandjarov puts emphasis on “Regenerating the #wordpress salts, to make sure there aren’t any logged hackers, plugin & theme updates, malware scan of all computers with administrative access to your site and last but not least changing your hosting account pass and enabling 2FA auth!”

To add to the importance of choosing the right web host to help keep your website secure, Jono shares that “Good WordPress hosting companies also know WordPress inside-out. They’ll make sure that your setup – and theirs – is hardened. They’ll recognize and protect against common attack patterns, and know exactly what to do if things go wrong.”

SiteGround is well-known for our powerful, yet simple to use managed WordPress services. We place a high value on site security since the beginning. Our team dedicates hundreds of hours of development time to keep improving our web hosting security, starting on a server level with shared accounts isolation, reliable backups on distributed geographical locations, a smart Web Application Firewall (WAF), and enabling 2FA authentication for our users among other things. On the WordPress application level, we’ve also always made a targeted effort to go the extra mile for our clients in order to make running WordPress more secure on our platform. Our most recent security upgrade is the release of the SiteGround Security plugin, which addresses the majority of threats and assists clients in adopting better security policies, such as:

• Establishing relevant rules to protect WordPress against common malware, bruteforce and other security issues. Some of these rules include hiding your WordPress version or deleting your default readme.txt, making it harder for crawlers to detect that you’re even using WordPress.
• Strengthening WordPress login security
• Monitoring your admin area activity log
• Post-hack actions tool in case you suspect your site might have been hacked

You can find the whole conversation between our WordPress security experts by checking searching the #WPSecurityChat on Twitter. For more WordPress security expert tips, check our free ebook on WordPress Security. Share your thoughts on what are the most common threads for WordPress sites and what are the best practices to prevent them. Follow us on Twitter for more exciting news and expert discussions on relevant topics.