5 Ways to Protect your WordPress Website
In two days I have had to repair two hacked websites. One was vulnerable to hacking with old plugins and a very out of date version of WordPress core. The other site was not out of date, but must have had a backdoor somewhere that a clever hacker or bot discovered… maybe even a long time ago, as some malware expands through a site over time. This clever hacker got into the Dashboard, created usernames for himself and created a bunch of pages. It looks like it all started with a fake plugin file added to the plugin folder (xcalendar) and then some code in the wp-config file that required this plugin folder to be present. In both cases, I was able to remove all the malicious code, but it took several hours and in the second case, we ended up moving the site to a new server, as the hacker continued to get in despite changing all logins and FTP access information with the web host.
How to know if your site has been hacked
The worst way to discover a site has been hacked is to have a user tell you. They may notice a link that sends them to an explicit image, or an ad for Viagra or some other pharma product; these spam injections are among the most common hacks. You may notice them yourself before a user does if you look at your site regularly. Look beyond the front page, too: check the Users list for accounts you did not create, the Pages list for content you did not write, and the plugins folder for plugins you did not install, since those are the traces an intruder with Dashboard access leaves behind.
Another way you might learn that your site is hacked is that your web host alerts you that their scans found malware, and that your site has been taken down, or is about to be, as a result.
How to “cure” an infected website
Repairing a hacked website can sometimes be as easy as restoring a backup taken before the compromise, if you can determine when that was. A restore alone is not a fix, though: the out-of-date plugin, weak password or planted file that let the attacker in is still there, so update everything and change every password immediately after restoring, or the site will simply be reinfected.
If a clean backup is not available (which would be unfortunate), here are some things to try:
- If you are able to access the Dashboard, installing a scanning plugin can help. I use WordFence. (WordFence offers a Pro upgrade, but so far I have only used/needed the free version).
WordFence compares your site’s core, theme and plugin files against the original copies in the WordPress.org repository and also looks for known malware files. Be sure to go into the settings and enable scanning of theme and plugin files, which is turned off by default. If WordFence finds a changed or unknown file, you have the option to delete it if it doesn’t belong, or restore it to its original state (the code that is in the open source repo). Note that this comparison only works for code hosted on WordPress.org; a premium theme or a custom plugin has no reference copy to compare against, so changes there have to be checked by hand or against your own backup.
- Turn to your hosting company for support. Most hosting companies offer malware scans and cleanup (for a fee), but be careful! If you discover malware on your site and tell your host about it, they may block or quarantine your website until the code is removed. Some hosts will actually delete your entire site if they detect malware. If your site is blocked by the host, they will likely suggest SiteLock or another malware removal service in order to get the site cleaned and back online. I actually had a client tell me they thought this was a scam and that the host probably put the malware on their site to get customers to pay them to fix it! I assured the client this was not the case, and told them how many hours it would take me to investigate, repair, test and back up the site (the site was taken down by the host, who provided a list of about 100+ files that were infected).
- There are many helpful articles about fixing a hacked site. WordPress.org is a great resource, and Sucuri has instructions which may demonstrate to novice users that the process is not always easy, and requires some technical knowledge and FTP access to your website files. A badly hacked site is not easy to fix, and a beginner or blogger should not expect to do it alone.
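The file comparison that a scanner performs is worth understanding, because it is also the fastest way to find what a cleanup must remove. The script below is an added example, not code from this post or from any scanner: it hashes a known-clean copy of the site, compares a live copy against it, and lists modified, added and missing files, plus any require/include line in wp-config.php other than the stock one that loads wp-settings.php. Both directory trees are constructed in a temporary folder so the example runs offline; the plugin directory name xcalendar and the file names are assumed for illustration.

```python
"""Integrity check of a WordPress install against a known-clean copy.

Added example: builds a SHA-256 manifest from a clean tree, diffs a live tree
against it, and flags wp-config.php lines that pull in code from elsewhere.
The trees are constructed in a temp dir purely to make the example runnable.
"""
import hashlib
import os
import re
import tempfile


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_against_manifest(root, manifest):
    """Return sorted lists (modified, added, missing) of relative paths."""
    live = build_manifest(root)
    modified = sorted(p for p in live if p in manifest and live[p] != manifest[p])
    added = sorted(p for p in live if p not in manifest)
    missing = sorted(p for p in manifest if p not in live)
    return modified, added, missing


# A stock wp-config.php contains exactly one include: the require of
# wp-settings.php. Any other require/include line deserves a close look.
_INCLUDE_RE = re.compile(r"^\s*(require|include)(_once)?\b", re.IGNORECASE)


def suspicious_requires(wp_config_text):
    """Return require/include lines in wp-config.php other than the stock one."""
    return [line.strip() for line in wp_config_text.splitlines()
            if _INCLUDE_RE.match(line) and "wp-settings.php" not in line]


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


# Constructed config contents (assumed, minimal) for the demo.
CLEAN_CONFIG = "<?php\ndefine('DB_NAME', 'wp');\nrequire_once ABSPATH . 'wp-settings.php';\n"
INFECTED_CONFIG = (
    "<?php\ndefine('DB_NAME', 'wp');\n"
    "require_once(ABSPATH . 'wp-content/plugins/xcalendar/loader.php');\n"
    "require_once ABSPATH . 'wp-settings.php';\n"
)


def demo():
    """Build a clean and a tampered tree, then run the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = os.path.join(tmp, "clean"), os.path.join(tmp, "live")
        for root in (clean, live):
            _write(root, "wp-login.php", "<?php // login form\n")
            _write(root, "wp-content/plugins/akismet/akismet.php", "<?php // akismet\n")
        _write(clean, "wp-config.php", CLEAN_CONFIG)
        # Live site: altered config, a core file with extra code appended,
        # and a planted plugin directory that the clean copy never had.
        _write(live, "wp-config.php", INFECTED_CONFIG)
        _write(live, "wp-login.php", "<?php // login form\n// injected code\n")
        _write(live, "wp-content/plugins/xcalendar/loader.php", "<?php // dropper\n")
        modified, added, missing = diff_against_manifest(live, build_manifest(clean))
        with open(os.path.join(live, "wp-config.php")) as fh:
            requires = suspicious_requires(fh.read())
        return modified, added, missing, requires


if __name__ == "__main__":
    for label, items in zip(("modified", "added", "missing", "wp-config requires"), demo()):
        print(f"{label}: {items}")
```

Against a real site, point build_manifest at a fresh download of the same WordPress version (plus the same plugin and theme versions) and diff_against_manifest at the live files; the "added" list is where planted plugins like the one described above show up, and uploads and cache directories will need excluding or they will drown the report.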
Protecting your website can prevent or minimize chances that your site will be hacked
The best way to deal with a hacked website is not to get hacked! While even the toughest security measures are sometimes not enough (think Target and the Federal Government!), there are things you can do to improve the security of your WordPress website and reduce your chances of being hacked. Here are my top 5 things you can do to stop the most basic intrusions, and in most cases more sophisticated ones, on your site:
- NEVER use “admin” as your wp-admin user name.
With WordFence, I get reports of failed login attempts on some of the websites I monitor. The username “admin” is the first thing bots try, paired with common passwords (see #2 below), to “guess” their way into WordPress websites. It is amazing how often these automated bots succeed, which is also why you should use strong passwords. Your login name should also differ from your public author slug (the name in your author archive URL), because that is the other guess bots make. WordPress does not let you rename a user from the Dashboard: create a new administrator with a different name, log in as that user, and delete the old account, reassigning its posts to the new one.
- Use strong passwords and change them periodically
Many WordPress websites are hacked not only because their username is “admin” but because this is combined with the password “password.” Don’t be that person! When I look at the failed login reports on my websites, I see clever combinations of words/names related to the domain name and post author (i.e. “tara-claeys” has been tried numerous times on my website), and passwords like “abc123” and other obvious phrases. Bots are smart … you need to be smarter! But even a stupid bot can get in with “admin” and “password!” A long, random password that is unique to the site is the goal; a password manager will generate and remember one for you, and a password reused from another site is only as safe as that other site.
The latest WordPress core update (4.3.1) requires a strong password, or if not used, the user must check a box saying they choose not to use a strong password. Why would anyone do that?
This is true for SFTP and cPanel passwords as well, and for the database password stored in wp-config.php: strong, unique passwords are key!
- Keep your plugins, themes and WordPress core software updated
This is one of the main ways websites get hacked. Just like your smartphone apps and computer release updates with enhancements and security patches, WordPress software is constantly being improved upon with new versions, and most break-ins exploit a vulnerability that was already fixed in a release the site owner never installed. If a site has out of date components, it is like leaving windows open for bad guys to get in. WordPress applies minor core security releases automatically by default; leave that on, and check the Dashboard’s Updates screen for plugin and theme updates regularly. Delete plugins and themes you no longer use rather than just deactivating them, since inactive code can still be reached and exploited.
Delete spam comments, while you’re at it!
- Use a security plugin
Plugins like WordFence and Sucuri are popular and effective tools to monitor and protect a WordPress website. WordFence detects attempted/failed logins and can alert you when a user has been blocked and from where, as well as when infected files are discovered during one of its regular scans. There are many other security-related plugins available, such as those that limit login attempts to stop “brute force attacks,” where bots bombard a login page with hundreds of password guesses in an attempt to break in. Note that a login limit counts attempts per source address, so a bot spread across many addresses can stay under it; the limit buys time and cuts the noise, but the strong password in #2 is what actually stops the guessing.
- Use good code and hosting
Know who is behind the structure of your website. Some WordPress themes may have vulnerabilities that allow hackers to insert malicious code. I use the Genesis theme framework, because it is coded well and follows all WordPress security best practices.
Make sure that your hosting company has a good security offering, that SFTP access is available, that support is easy to reach, and that backups are taken frequently and kept somewhere other than the web server itself (and keep your own copy too, since a backup stored beside the site is lost or infected along with it).
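Points #1, #2 and #4 above come together in the logic a limit-login-attempts plugin runs on every failed login. The block below is an added example and not code from this post or from WordFence or any other plugin: it keeps a sliding window of failures per source address, locks an address out once it passes the allowed number, and tallies which usernames are being guessed, which is how you learn that “admin” or your author slug is under attack. The event list, addresses, usernames and thresholds are all constructed for the example.

```python
"""Per-IP login rate limiting with a sliding window, plus a username tally.

Added example modelling what a limit-login-attempts plugin does with the
failed-login events WordPress reports. All events below are constructed.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta


class LoginLimiter:
    def __init__(self, max_failures=5, window=timedelta(minutes=5),
                 lockout=timedelta(minutes=20)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._locked_until = {}               # ip -> time the lockout ends
        self.usernames_tried = Counter()      # which names attackers guess

    def is_locked(self, ip, now):
        until = self._locked_until.get(ip)
        return until is not None and now < until

    def record_failure(self, ip, username, now):
        """Record a failed login; return True if ip is (or was already) locked."""
        self.usernames_tried[username] += 1
        if self.is_locked(ip, now):
            return True
        recent = self._failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # forget old failures
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            recent.clear()
            return True
        return False

    def record_success(self, ip):
        """A real user who finally logs in should not stay on the clock."""
        self._failures.pop(ip, None)


BASE = datetime(2015, 10, 1, 3, 0, 0)
# (seconds after BASE, source ip, username, outcome): constructed events.
EVENTS = [
    (0,   "203.0.113.7",  "admin",       "fail"),
    (2,   "203.0.113.7",  "admin",       "fail"),
    (4,   "203.0.113.7",  "admin",       "fail"),
    (6,   "203.0.113.7",  "tara-claeys", "fail"),  # author slug guessed too
    (8,   "203.0.113.7",  "admin",       "fail"),  # 5th failure in window: lockout
    (10,  "203.0.113.7",  "admin",       "fail"),  # rejected while locked
    (30,  "198.51.100.4", "editor",      "fail"),  # a real user mistypes once...
    (45,  "198.51.100.4", "editor",      "ok"),    # ...then logs in; counter cleared
    (0,   "192.0.2.9",    "admin",       "fail"),
    (900, "192.0.2.9",    "admin",       "fail"),  # 15 min apart: outside the window
]


def replay(events, limiter=None):
    """Feed events through a limiter in time order; return (limiter, decisions)."""
    if limiter is None:
        limiter = LoginLimiter()
    decisions = []                       # (ip, username, locked) per event
    for offset, ip, user, outcome in sorted(events, key=lambda e: e[0]):
        now = BASE + timedelta(seconds=offset)
        if outcome == "ok":
            limiter.record_success(ip)
            decisions.append((ip, user, False))
        else:
            decisions.append((ip, user, limiter.record_failure(ip, user, now)))
    return limiter, decisions


def locked_ips(decisions):
    """Distinct addresses that hit the lockout at least once."""
    return sorted({ip for ip, _user, locked in decisions if locked})


if __name__ == "__main__":
    limiter, decisions = replay(EVENTS)
    print("locked out:", locked_ips(decisions))
    print("usernames guessed:", limiter.usernames_tried.most_common())
```

In a real plugin, record_failure would run on the wp_login_failed action and record_success on wp_login, with the address taken from the request. The slow attacker (192.0.2.9, one guess every fifteen minutes) never trips the limit, which is the point made under #4: throttling blunts the flood, and the strong, non-obvious username and password are what defeat the patient guesser.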
The best defense is a good offense! Show your website some TLC – pay attention to it or someone else might give it the attention you don’t want it to have.