WordPress website hacked? Top tips to improve your WordPress security

So there I was in early March this year, busy preparing the content for my newly created WordPress website for The Systems Superwoman, having just completed the rebranding of my LaunchMeOnline website, when I found the sites were gone, and in their place a notice to contact my hosting company!

Complete panic ensued, as I had a BIG Launch planned within a couple of weeks, had spent hours and hours perfecting the two sites and was very nearly ready to go. Instead, I learned from my hosting company that my main site (which was in the process of being replaced with The Systems Superwoman site) had been hacked, and more importantly, had been used to send out 20,000 phishing emails!

Not the best news I’ve had, that’s for sure!

As a result, my IP address had also been blocked by my hosting company, and it took around three days of ‘backwards and forwards’ emails with their support team before I managed to get it unblocked and could access my site again to try and repair any damage. I had planned to remove the site that had been hacked anyway, I just needed to retrieve a few things from it, such as my blog and some content. So, after an absolute age going through the code and clearing out the malicious code, the site was once again clean, or so I thought…

I duly exported my blog, installed some further security measures and went about my business for the next two days, playing catch up on the tasks that had fallen by the wayside whilst I was busy with the site repair. On the second day, the same thing – no access to any of my sites and another email to the hosting company. This time, it appeared that all my sites with that host had been hacked – including my two new sites. The problem was, according to my hosting company, the hackers had likely entered malicious code into the database, giving them what is known as ‘back door entry’.

From here they had got into the root folders, and none of my sites were safe. I had something in the region of 13 websites with this hosting company, all on their shared hosting, and all now completely lost. As we couldn’t guarantee the databases hadn’t been compromised, the safest option was to remove ALL of the websites, and there was no guarantee that my exported blog didn’t have the same issue. I can’t even begin to calculate the number of man hours that were involved in those sites or the blog. The back-ups I kept could also not be guaranteed as free from the malicious code, so all in all, an expensive education!

So, starting from scratch again, I built The Systems Superwoman site – with a different hosting company, (I generally have two hosting companies, and usually host several sites between the two). I’ve not yet replaced LaunchMeOnline, or some of the other sites I had BH (before hacking), so maybe it was a great time to take stock and spring clean!

The BIG question:

How did it happen? I’m quite a web-savvy person – I’ve been creating websites for a number of years, my first HTML site created using Dreamweaver back in 2005, then onto WordPress in later years (and never looked back). I’m also fairly security conscious, keeping regular back-ups (although each of these was overwritten by the latest and, in this instance, rendered useless). I never used Admin as a login name, used crazily complicated passwords, and took various other precautions to try and keep the sites safe.

According to my hosting company, and confirmed later by the big noise about the WordPress brute force attacks, WordPress is open source software which is generally fairly easy to hack (although it is getting stronger). The BIGGEST problem comes when site owners do not keep their WordPress installations, themes and plugins up to date: the mass attacks are automated, and what they exploit is almost always a known bug that a patch already exists for.

This, I shamefully admit, was my issue. I was always of the mind that you never update straight away – give them the opportunity to iron out all the cracks first before updating (usually only waiting a short time), so I was out of date with the WordPress installation, and because I was in the process of replacing the hacked site, I hadn’t bothered updating it – it was only one version out!

Of course now, I am much more stringent! I always update straight away now (there is an option to automatically update), and I have enhanced my security levels, after a great deal of research! That said, if a hacker wants to get into your site, there will always be a way – after all, hackers got into the White House! It really can happen to anyone, but you can make it more difficult for them, so here are my recommendations for keeping your WordPress website secure:

1)      Install WordPress in a subdirectory, not the root folder – and use something original, not mysite.com/wp/wp-admin but perhaps mysite.com/Blabla/wp-admin.

When choosing this option, ensure you then move the main site back to the root folder so that it’s only your login that is in the subdirectory, not the whole site. You can find out how to do that here: http://askwpgirl.com/how-do-i-move-wordpress-from-a-subdirectory-to-the-root-directory/

Be clear about what this buys you: it is obscurity, not protection. The subdirectory name appears in every page’s stylesheet and script URLs (mysite.com/Blabla/wp-content/...), so anyone who reads your page source finds the login page in seconds. What it does do is cut out the noise from bots that only ever try mysite.com/wp-login.php.

Alternatively, you can use this plugin: http://wordpress.org/plugins/stealth-login-page/ which hides the standard login URL behind one of your choosing, so mass scanners that only try wp-login.php find nothing. Again, treat it as a way of reducing noise, to be used alongside a strong password and login attempt limits, not instead of them.

2)      Ensure you use something other than admin (or derivatives of it) for your login / username, since “admin” is the first name every brute force bot tries. Make it as obscure as possible using letters, numbers and characters. Make sure you remember it or write it down somewhere safe.

3)      Ensure you use a long, random password – a password manager will generate and remember one for you. Length matters more than symbol-juggling: the brute force bots work through a list of common passwords against wp-login.php, and a random password of 16 or more characters simply is not on any such list. Never reuse it on another site, because a leak elsewhere then becomes a login here.

4)      Use the WP Author Slug plugin to prevent hackers finding out what your username is. It is actually incredibly easy to find out: by default, requesting mysite.com/?author=1 redirects to mysite.com/author/yourusername/, and the author link on every post shows the same slug. Even some of the ‘WordPress experts’ out there are not dealing with this, but once a bot knows your username it only has the password left to guess – so ensure you change your author slug to something more viewer friendly (in the user settings from the WP dashboard). http://wordpress.org/plugins/wp-author-slug/

5)      Install security software such as Wordfence Security – I would highly recommend the paid version of this; it enables you to block countries, and you can see exactly who is visiting your site and where they are from. It will scan your site daily and will also send you emails to remind you if you need to update, or if someone has tried to log into your site. Country blocking and visitor lookups are speed bumps rather than protection; the features that matter most are the lockout after repeated failed logins and the scan that compares your core files against the originals, which is what catches injected code like the back door that hit my sites. http://www.wordfence.com/

6)      Take regular backups, and regularly export your content – get it mailed to you, so that you have archived copies of your back up in your email folders, or in a storage account that is not on the same server as the site. Keep several dated generations rather than one file that gets overwritten: a backup taken after the break-in will contain the malicious code too, and it is the older copies that let you go back to a known-clean version. And test a restore occasionally, so you know the backup is actually usable.

7)      Remove unwanted sites / themes / plug-ins. If you are no longer using a site, or a sales page, remove and uninstall it. No point in having sites that are not serving you – same goes for old themes and plugins you are not using. Each of these is attack surface you could do without: an inactive theme or plugin is still code sitting on your server that you are likely to forget to update, and some plugin bugs can be exploited by requesting the plugin’s files directly, whether or not it is active. Only keep what you actually need.

8)      Keep on top of security news – make sure you know what’s going on, and what changes and advances are made from both your and a hacker’s point of view. WordPress security releases are announced on wordpress.org; treat those as “update today”, not “update when convenient”.
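Tips 4 and 5 come down to two things a bot does before and during a break-in: harvesting your username through ?author=N, and hammering wp-login.php with guesses. Both leave tracks in the web server’s access log, and you do not need a plugin to see them. The script below is an added example (it is not code from the original post, nor from Wordfence or any plugin mentioned here); it parses Apache/nginx “combined” format log lines and flags both patterns. The log lines are constructed for the example, and it assumes that a failed login is a POST to wp-login.php answered with 200 (WordPress re-renders the form on failure and answers a successful login with a 302), and thresholds that you would tune to your own traffic.

```python
"""Added example (not from the original post): flag username enumeration
(?author=N probes) and wp-login.php brute forcing in a web server access log.

Assumptions: Apache/nginx "combined" log format; a failed login is a POST to
wp-login.php that gets a 200 (success is a 302 to wp-admin); thresholds are
illustrative and should be tuned to your own site.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
AUTHOR_PROBE = re.compile(r"^/\?author=\d+$")

# Constructed sample log: 203.0.113.7 walks ?author=1..3 to harvest usernames,
# 198.51.100.9 fires six login attempts in 25 seconds, and 192.0.2.44 is an
# ordinary visitor who logs in once successfully (302).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Mar/2013:10:01:02 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "python-requests/1.1"
203.0.113.7 - - [05/Mar/2013:10:01:03 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "python-requests/1.1"
203.0.113.7 - - [05/Mar/2013:10:01:04 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "python-requests/1.1"
198.51.100.9 - - [05/Mar/2013:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3212 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Mar/2013:10:02:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3212 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Mar/2013:10:02:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3212 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Mar/2013:10:02:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3212 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Mar/2013:10:02:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3212 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Mar/2013:10:02:25 +0000] "POST /wp-login.php HTTP/1.1" 200 3212 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Mar/2013:10:03:00 +0000] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Mar/2013:10:03:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], TS_FMT)
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def find_enumerators(entries, min_probes=2):
    """Return {ip: number of distinct ?author=N values} for IPs probing at least min_probes IDs."""
    probed = defaultdict(set)
    for e in entries:
        if e["method"] == "GET" and AUTHOR_PROBE.match(e["path"]):
            probed[e["ip"]].add(e["path"])
    return {ip: len(ids) for ip, ids in probed.items() if len(ids) >= min_probes}


def find_bruteforcers(entries, max_failures=5, window_seconds=60):
    """Return {ip: peak failure count} for IPs with more than max_failures failed
    logins inside any sliding window of window_seconds."""
    failures = defaultdict(list)
    for e in entries:
        if (e["method"] == "POST" and e["path"].split("?")[0] == "/wp-login.php"
                and e["status"] == 200):
            failures[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it fits inside window_seconds.
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count > max_failures:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("username enumeration:", find_enumerators(entries))
    print("login brute force:", find_bruteforcers(entries))
```

Run it against your real log (for example, `parse_log(open("/var/log/apache2/access.log").read())`) and the IPs it returns are the ones worth blocking at the firewall or in Wordfence. On a shared host you may only have access to the log through the control panel, but the same two patterns are what the hosting company’s own tooling is looking for when it decides to suspend an account.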

Need more WordPress security facts? Check out this awesome infographic here: http://www.bloggersentral.com/2013/06/wordpress-blog-gets-hacked-infographic.html

Please feel free to add your comments below, and let us know of any tips you have for securing your sites…