I was asked last week to provide some more details regarding fighting off the hackers from our precious WordPress (WP) blogs and WP sales pages and squeeze pages after the gratuitous hack on my webspace earlier this month. Currently the most up to date product is by my friend Matt Garrett who has recently spent a lot of time updating his Blog Defender program to 2014 standards. Matt delves into all things WP and explains exactly what you need with regard to protection and blog security. You can take a look at Matt’s program right HERE.
If you are more hands on rather than hands out of your wallet, then here are some tips to avoid the hackers and some important points to remember when keeping your websites safe. Please remember, it is your responsibility to look after your own business and by NOT doing so, you can pay the price just as I did. If you follow Matt’s advice above or mine here, then you should be ok to carry on without worry.
Important Tips to Avoid WordPress Hacking!
1. First and foremost are passwords and administrator names
Back in the early 2000’s when WP first started to gain some decent traction, usernames were more commonly called ‘admin’ and passwords relatively simple, such as important dates and names. These days, that’s a BIG no no! The first username any hacker will use is ‘admin’ so this is the first thing you need to change. What you need to go for are any usernames that are not so easy to guess. The same goes for passwords.
Maybe you have noticed, maybe not, but passwords are becoming more complex as a requirement with many commercial sites such as banks and online shopping. All passwords must now have a complex make up of uppercase, lowercase, numbers and special characters. So with that said, it’s a good idea to have a good mixup to prevent password guessing. The reasons behind the number of hacks are varied across the web. Statistics show that nearly 40% hacks come from account hosting, 30% hacks are from WP themes with vulnerabilities, 22% hacks are from old vulnerable plugins and 8% hacks happen because of poor usernames and passwords.
2. Hosting and a reliable package that’s makes a difference
Now we have covered usernames and passwords, you should have a good idea what that means for every account you have not just WP. Your password need to be just as secure for your hosting service. After all this is the home of all your websites and your business hub.
Choosing a reliable host is paramount. Whatever you do, don’t go cheap on hosting. Free accounts and $2 accounts are not worth the trouble. So ensure your hosting account is equipped with all the latest antivirus, SSH, secure emails and webspace scanning systems.
*TIP* something to remember when choosing hosting. Your hosting account may have in their terms and conditions, that in the event of a hack and your websites disappearing, they can provide backups but are not obligated to fix your websites for you. This happened to me! Fortunately I have some tech knowledge and some good friends in the business. You may not be so lucky..
3. Update WP frequently
The old saying, I will update it later when I know it works is old hat. WP updates their code for a reason, and when this is a security reason it’s a good idea to do it immediately. Fortunately, WP has an auto update feature available now which updates your websites as soon as the updates are ready. However, don’t rely on this as it may just not update for some reason. Check for updates regularly.
4. Update themes and plugins
WP update their backend code more often than any plugins or themes do. This can cause vulnerability issues and prevent plugins (more often) and themes from working correctly or completely stop them from working. If you have broken plugins on your WP site, this can lead to problems and security issues. To prevent this, it is always worth checking your plugins are working and updating them as soon as updates become available.
5. Backup your wordpress database
Your WP database is very important due to the fact it holds all of your site data and post data. If you lose this you lose your website! You can back it up manually which can be sometimes overlooked, or you can use a database backup plugin such as ‘Back up WordPress’ (I use this) or ‘BackWPup’. Both of these plugins are excellent and will backup your WP database and email it to you along with any other files you requested to backup.
If you want to restore the site from a backup, the process is relatively easy. All you need to do its download the latest backup file from the download file in the admin panel or on the backups page or via FTP. Then you need to, decompress the files and upload all the files to your hosting account for insert back to your database using your hosts database management tools. Or if you have a good hosting company, simply send them the files and ask them to do it for you.
6. Use a WP security plugin
Installing a WP security plugin can greatly help you increase website protection. Adding a security plugin such as ‘Better WP security’ or ‘iThemes Security’ as it is now called can help protect your website from a ton of security holes and flaws.
Some of the features of this cool plugin are:
The ability to change your WP-Config.php files to something a little less recognizable, but with the ability to still do the same job. Your config file is essential as it holds all your database info. It’s imperative to keep this file safe and backed up.
Security plugins can also help you with access files, weak username and passwords, they can even set a reminder to force you to change your login admin details to a nick name to prevent hackers seeing your admin name.
Some other plugins to look at are Wordfence and Securi. Wordfence is a new-ish security plugin, it’s been around for just over a year. It will compare the plugin, theme, and WordPress core files on your installation with the official version in the WordPress repository. If there are any discrepancies, the plugin will send you an email. It will also scan your site for known malware, phishing, backdoors, and virus infections.
Sucuri is more than just a security plugin. In fact, Sucuri specialize in cleaning up infected websites. If your site is infected, they will clean it for you. However this comes with a cost, but a very cheap one indeed. The Securi WordPress plugin adds a web application firewall and malware file scanning. The web application firewall that will communicate with Sucuri servers, so a site is under attack from certain IP addresses they can be blocked across from Securi over the network almost immediately. Securi comes highly recommended by a lot of bloggers and WP users.
As well a the above plugins and security tips, it is always always a good idea to backup your whole server once per week. If you have a reliable hosting company they will do it for you, however they may only keep your backups for a limited time period such as 7 days. Sometimes during this time, your backups can be infected without your hosting company knowing it (scary I know) thus causing the next backup to be infected, taking your infected backups over 7 days giving you no clean backups!
Check out the video below to show you how to download all your own files:
To prevent this, it’s a case of DIY. Simply install an FTP program on your PC or MAC such as Filezilla (its free) and download your whole website (whole webspace recommended) to a secure location on your PC or external hard disk. Along with your backup database and WP-Config.php file, you have all you need to get back up and running in no time.
Prevention is better than cure. So stopping the hacking at the source is the best course of action to follow, by installing and using security plugins and services. I cannot personally guarantee that your blog will not get hacked after implementing these methods I have discussed but, I am sure the chances of attacks will be greatly reduced.
Please feel free to add anything you would like to discuss in the comment section. Also if you enjoyed this post, don’t forget to share it. As always any shares are much appreciated.
Please remember, if you want to take WP security to the maximum, don’t forget to check out Matt Garrett’s Blog Defender program HERE
Thanks for sharing this information. Being technologically ignorant I need this kind of advice. I thought I was backing up my site until there was a problem and it went down. That’s when I discovered I forgot to set where my backups were to go and the setting was for manual, which I have no clue how to do. Fortunately my hosting company (I already knew about freebies) was able to get things back to normal.
Thanks Jeff. Glad you got things back to normal in the end 🙂
Thanks for sharing this. A friend of mine just had her AOL account hacked, so it’s been kind of a wake-up call to me that I need to look at my accounts and see what changes need to be made. I will pass this information on to her as well since she has a WordPress blog too.
Wow! I did not realize how much is involved in protecting your websites, nor did I realize that if one is hacked, they can bring all of your sites down! I am guilty of not backing up on a regular basis and I need to start. I will look into Matt’s program as well. Thanks again for the very informative post!
Rich, it seems to be getting worse as time goes by. It’s a case of get secure and backed up ASAP buddy
I like to auto backup to Amazon S3 rather than my server. I notice that you can do this with the Pro version of ‘Back Up WordPress’ but it looks very expensive compared to the plugin that I use which is ‘Backup Creator’ which costs $47 per annum for unlimited personal sites. The plugin will also auto back-up to various other sources if you wish. The peace of mind this affords is priceless.
I am sorry to hear of you hacking problem – that truly is a nightmare.
Hi Mark, yeah I agree with you on that one. It’s a small price to pay to be safe in the knowledge that your backups are safe!
Ugh man, I do remember when this happened to you but I’m glad you were able to sort everything out.
One thing that actually happened recently to me, was that one of my sites got infected with malware (I won’t say how or why for security reasons) but like you say, it’s really wise to have everything up to date and not think “everything is good because you have never been hacked before”.
The hosting provider I’m using for that site is about $20 a month and it was beyond my belief when they told me they could eliminate the infected files for a one time payment of something around $100.
Man, you wouldn’t imagine how pissed was I because my site was clean when I first moved it to their servers and had to get rid of the malware myself but not before wasting about two entire days of my life when doing it.
I haven’t tried WordFence or Sucuri yet but I’ve heard great things from both the plugin and the Sucuri guys as well, actually I was going to hire the Sucuri people to help me out before I managed to solve it myself.
I bet Matt’s Blog Defender program is awesome on securing your websites, just saw the sales page and it looks very interesting to say the least!
Cheers man and good to see you pumping content here (something I should be doing as well lol)
$100 dollars! Thats crazy man. I just can’t believe these companies just won’t help you! After all it’s in their interests to keep you as a customer. I have been recommended so much to use Sucuri.
I have Matt’s program and it is very good. It gives to a good insight into hackers and how to stop them.
Awesome post, buddy. These are the most basic of security measures yet one that an alarming number of people either don’t bother with or don’t realise are important. Thanks for highlighting these.
When I saw the title of your post I immediately thought, “Matt Garrett!” and sure enough, you referred to him in your opening paragraph! The reason he immediately came to mind on this subject is because I recently bought his Blog Defender package. Wow! The value in that package is insane! I thought I had my security pretty well covered but after going through Matt’s product I was suprised at just how many potential security holes were still there. They’ve all been plugged now though, thanks to getting Blog Defender.
Incidentally, I’m not an affiliate for the product, I don’t know Matt personally and have never bought from him previously, but I HIGHLY recommend Blog Defender.
Thanks Dan, I hope all is going well for you.
Hosting does really make a huge difference and has an impact on security of vulnerability of our wordpress blog. So, it is always preferable to choose a robust hosting package.
Backing up is always something that I tend to put off, but seeing you, a very experienced internet marketer, getting hacked has really made me more aware that it is something I should be doing on a more often basis.
I will now be taking a day to find my best method and do back ups on a regular basis as I am putting a lot of work into this site!
Thanks for the reminder and warning
There’s certainly a lot to learn about this issue. I like all of the points you have made.