One of my web design customers had his website hacked. The site, built on WordPress, had a mysterious user account created. As soon as I discovered it, I deleted the account and installed WordFence to monitor and protect his site. I scanned the site and talked to the web hosting company to see if they could find anything malignant. Fortunately the answer was no.
WordPress is a powerful content management system that runs more than 25% of the world’s websites, so naturally it’s a target for hackers. But that doesn’t mean it’s not a good platform. A few companies trust WordPress with their websites… maybe you recognize some of them:
- BBC America
- The official website for the country of Sweden
- The New York Times
- The Rolling Stones
- Mercedes Benz
- …and perhaps most importantly, Kristin Berkery Design 😉
My customer wanted to know, “Why would they hack a site that doesn’t get much traffic?” If your site’s been hacked, I hate to break it to you – it’s not about you.
Hackers try to break into websites of all sizes for a few reasons. They want access to the web server so they can hack the other servers connected to it, or send spam from your server. If you have a member login area, they want to steal the passwords of your members so they can get their personal info. Or they want to install malware or ransomware on the computers of people who visit your website.
Most of the time it’s not even a geeky guy in a dark basement trying to hack your site – it’s automated computer processes that are attempting to hack thousands of sites at the same moment looking for that one site that’s not running current software. The hackers find a loophole that hasn’t been closed by a software update and start exploiting it.
So what can you do?
- Make sure your website software is current – that includes all plugins as well.
- Delete old plugins and themes you no longer use.
- Don’t use “admin” as a username on your website.
- Choose passwords that have upper and lower case letters, numbers, and symbols for your login account.
- Install a good watchdog on your WordPress site like WordFence.
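One way to check a site against this list from the command line, added here as an example and not part of the original post. It assumes WP-CLI (`wp`) is installed on the server; the function names, the sample accounts and the cutoff date are illustrative. The administrator check also covers the situation described at the top of the post, an account nobody remembers creating.

```shell
#!/usr/bin/env bash
# Added example: audit a WordPress site against the checklist above with WP-CLI.
# Assumption: WP-CLI ("wp") is installed; function names here are illustrative.

# Constructed sample of `wp user list ... --format=csv` output (not real accounts).
SAMPLE_CSV='user_login,user_registered
admin,"2015-06-01 09:00:00"
site_editor,"2014-02-11 18:30:00"
wpsupport7,"2017-03-02 03:14:07"'

# Read administrator CSV on stdin; flag the default "admin" login and any
# account registered on or after the cutoff date (YYYY-MM-DD) for manual review.
flag_admins() {
  awk -F, -v cutoff="$1" 'NR > 1 {
    gsub(/"/, "", $1); gsub(/"/, "", $2)
    if (tolower($1) == "admin")       print "DEFAULT-NAME " $1
    if (substr($2, 1, 10) >= cutoff)  print "RECENT " $1 " " $2
  }'
}

audit_site() {
  site="$1"; cutoff="$2"
  echo "== Core updates pending =="
  wp --path="$site" core check-update
  echo "== Plugins and themes with updates available =="
  wp --path="$site" plugin list --update=available
  wp --path="$site" theme list --update=available
  echo "== Inactive plugins and themes (candidates for deletion) =="
  wp --path="$site" plugin list --status=inactive --field=name
  wp --path="$site" theme list --status=inactive --field=name
  echo "== Administrator accounts to review =="
  wp --path="$site" user list --role=administrator \
     --fields=user_login,user_registered --format=csv | flag_admins "$cutoff"
}

# Usage: ./wp-audit.sh /path/to/wordpress 2017-01-01
if [ "$#" -eq 2 ]; then audit_site "$1" "$2"; fi
```

Pick a cutoff date just before you last knowingly added an administrator; anything listed as RECENT after that date is an account to verify with the site owner.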