HOW DID I GET HACKED?
Suffice it to say, there are countless ways to hack into (gain unauthorized access to) a website. If the site runs WordPress, an attacker’s vehicle of choice is overwhelmingly the plugins you install! What? Yep, not much different from handing the keys to your car to a thief!
Be careful what plugins you install! A plugin runs with the same privileges as WordPress itself, so one “bad apple” malicious (or simply badly written) plugin can wreak all kinds of havoc – from reading your database and stealing your and your site subscribers’ personal information, to planting a backdoor that survives your clean-up, to serving malware to every visitor, which is how the damage spreads to their personal computers and accounts!
WHAT CAN I DO?
Firstly, there are close to 50,000 (and growing) plugins available for download in the WordPress.org Plugin Repository, most of them free. Google searches and other popular software sites such as GitHub offer even more download opportunities. Caveat emptor! While WordPress.org does have quality standards a plugin must pass before it is first listed, there is no assurance offered or warranted by WordPress as to a plugin’s integrity, and later updates to a plugin are not reviewed by hand the way the first submission is. In other words, download and use at your own risk – and that of others. Ditto for other WordPress plugin download sites.
So, here’s my best advice:
- Download plugins from reputable sites. Notwithstanding what I said above, the WordPress.org Plugin Repository is reputable and a safe bet. However, stay away from poorly rated plugins, plugins which have not been updated for months or years, plugins not marked compatible with the most recent version of WordPress, and abandoned plugins. The plugin’s page shows everything you need for this check: “Last updated”, “Tested up to”, “Active installations”, the star ratings, and whether the developer answers questions in the support forum. Other “premium” (paid) sites such as Envato/CodeCanyon are likewise reputable, but again – apply the same checks as you would with WordPress.org.
- Check for vulnerable plugins. You can Google search using the plugin’s name together with “vulnerability”. If you see something suspicious, such as numerous negative reviews or unanswered reports of security problems – stay away! There are also plenty of free sites that have already done the research. The WPScan Vulnerability Database is one. WP Campus, which I have featured before, is another. The plugin’s changelog is worth a look too: a long history of security fixes tells you the developer is paying attention, while none at all in a large, old plugin is less reassuring than it sounds.
- Always keep your WordPress site and plugins updated! Reputable plugin developers/vendors stay on top of their work, correcting vulnerabilities (security holes) as they are found, but the fix only protects you once you install it. Of course, back up your site prior to updating. And delete plugins you no longer use rather than just deactivating them – a deactivated plugin’s files are still sitting on your server where an attacker can reach them.
- Use a site security service such as Wordfence, which gives you malware scanning, a web application firewall, and login protection.
- If in doubt, just call The WordPress Guy! This is what I do.
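To show what the plugin checks above look like when written down as rules, here is an added example (my own illustration, not code from this post or from WordPress.org). It vets a few constructed plugin records whose field names and formats mirror the WordPress.org plugin info API (rating as a 0–100 percentage, a “Tested up to” version, a GMT “last updated” timestamp) and flags staleness, incompatibility with the current WordPress version, poor or too-few ratings, and a version below a known fix. The plugin slugs, numbers, the current WordPress version and the tiny advisory list are all invented for the example; a real run would fetch the record from api.wordpress.org and the advisories from a database such as WPScan’s.

```python
"""Apply the plugin-vetting checklist to plugin metadata (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed sample records. Field names and formats follow the WordPress.org
# plugin info API (https://api.wordpress.org/plugins/info/1.0/<slug>.json):
# "rating" is a percentage 0-100, "tested" is the "Tested up to" WP version,
# "last_updated" looks like "2019-03-02 5:41pm GMT". Slugs and figures are invented.
SAMPLE_PLUGINS = [
    {"slug": "example-gallery", "version": "1.4.2", "rating": 92, "num_ratings": 310,
     "active_installs": 50000, "tested": "6.5", "last_updated": "2024-03-20 9:15am GMT"},
    {"slug": "sample-forms", "version": "2.0.1", "rating": 54, "num_ratings": 41,
     "active_installs": 800, "tested": "4.9", "last_updated": "2018-01-11 5:41pm GMT"},
    {"slug": "new-widget", "version": "0.3", "rating": 100, "num_ratings": 2,
     "active_installs": 30, "tested": "6.4", "last_updated": "2024-01-05 1:00pm GMT"},
]

# Constructed advisory list: "versions below fixed_in are affected". A real check
# would query a vulnerability database (for example WPScan's) instead.
KNOWN_FIXES = {"sample-forms": "2.1.0"}


def version_tuple(version):
    """Turn '6.4.3' into (6, 4, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def parse_last_updated(text):
    """Parse the API's 'YYYY-MM-DD H:MMam GMT' timestamp into an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%d %I:%M%p GMT").replace(tzinfo=timezone.utc)


def vet_plugin(info, current_wp="6.5", now=None, max_age_days=365,
               min_rating=70, min_ratings=10):
    """Return a list of warnings for one plugin record; an empty list means it passes."""
    now = now or datetime.now(timezone.utc)
    warnings = []

    # Abandoned or stale: no release within max_age_days.
    age = now - parse_last_updated(info["last_updated"])
    if age > timedelta(days=max_age_days):
        warnings.append(f"not updated for {age.days} days")

    # Not tested against the current WordPress major.minor release.
    if version_tuple(info["tested"])[:2] < version_tuple(current_wp)[:2]:
        warnings.append(f"tested up to WP {info['tested']}, current is {current_wp}")

    # Poorly rated, or so few ratings that the score means nothing yet.
    if info["num_ratings"] < min_ratings:
        warnings.append(f"only {info['num_ratings']} ratings, too few to judge")
    elif info["rating"] < min_rating:
        warnings.append(f"rating {info['rating']}% is below {min_rating}%")

    # Installed version is older than the version that fixed a known issue.
    fixed_in = KNOWN_FIXES.get(info["slug"])
    if fixed_in and version_tuple(info["version"]) < version_tuple(fixed_in):
        warnings.append(f"version {info['version']} has a known issue fixed in {fixed_in}")

    return warnings


def vet_all(plugins, **kwargs):
    """Vet every record and map slug -> warnings."""
    return {plugin["slug"]: vet_plugin(plugin, **kwargs) for plugin in plugins}


if __name__ == "__main__":
    for slug, problems in vet_all(SAMPLE_PLUGINS).items():
        print(slug, "OK" if not problems else "; ".join(problems))
```

The thresholds (a year without updates, a 70% rating, at least ten ratings) are my own starting points, not WordPress rules; tighten them for plugins that handle logins, payments or uploads. Note the ordering on the ratings check: a 100% score from two reviewers is flagged as “too few to judge” rather than treated as a clean bill of health.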
Stay safe, be happy!