I was asked last week to provide some more details regarding fighting off the hackers from our precious WordPress (WP) blogs and WP sales pages and squeeze pages after the gratuitous hack on my webspace earlier this month. Currently the most up-to-date product is by my friend Matt Garrett, who has recently spent a lot of time updating his Blog Defender program to 2014 standards. Matt delves into all things WP and explains exactly what you need with regard to protection and blog security. You can take a look at Matt’s program right HERE.
If you are more hands-on rather than hands out of your wallet, then here are some tips to avoid the hackers and some important points to remember when keeping your websites safe. Please remember, it is your responsibility to look after your own business, and by NOT doing so you can pay the price just as I did. If you follow Matt’s advice above or mine here, then you should be OK to carry on without worry.
Important Tips to Avoid WordPress Hacking!
1. First and foremost are passwords and administrator names
Back in the early 2000s, when WP first started to gain some decent traction, usernames were commonly just ‘admin’ and passwords relatively simple, such as important dates and names. These days, that’s a BIG no-no! The first username any hacker will try is ‘admin’, so this is the first thing you need to change. Choose a username that is not easy to guess. The same goes for passwords.
You may have noticed that many commercial sites, such as banks and online shops, now require more complex passwords: a mix of uppercase, lowercase, numbers and special characters. With that in mind, it’s a good idea to use a good mix of all four to prevent password guessing. The reasons behind the number of hacks vary across the web. Statistics show that nearly 40% of hacks come from the hosting account, 30% of hacks are from WP themes with vulnerabilities, 22% of hacks are from old, vulnerable plugins and 8% of hacks happen because of poor usernames and passwords.
2. Hosting and a reliable package that makes a difference
Now we have covered usernames and passwords, you should have a good idea what that means for every account you have, not just WP. Your password needs to be just as secure for your hosting service. After all, this is the home of all your websites and your business hub.
Choosing a reliable host is paramount. Whatever you do, don’t go cheap on hosting. Free accounts and $2 accounts are not worth the trouble. Ensure your hosting account is equipped with up-to-date antivirus, SSH access, secure email and webspace scanning systems.
*TIP* Something to remember when choosing hosting: your host’s terms and conditions may state that, in the event of a hack and your websites disappearing, they can provide backups but are not obligated to fix your websites for you. This happened to me! Fortunately I have some tech knowledge and some good friends in the business. You may not be so lucky.
3. Update WP frequently
The old saying, ‘I will update it later when I know it works’, is old hat. WP updates its code for a reason, and when the reason is security it’s a good idea to do it immediately. Fortunately, WP now has an auto-update feature which updates your websites as soon as the updates are ready. However, don’t rely on this, as it may not update for some reason. Check for updates regularly.
4. Update themes and plugins
WP updates its core code more often than plugin and theme authors update theirs. This can cause vulnerability issues and prevent plugins (more often) and themes from working correctly, or stop them working completely. Broken plugins on your WP site can lead to problems and security issues. To prevent this, it is always worth checking that your plugins are working and updating them as soon as updates become available.
5. Back up your WordPress database
Your WP database is very important because it holds all of your site data and post data. If you lose it, you lose your website! You can back it up manually, which is easily overlooked, or you can use a database backup plugin such as ‘BackUpWordPress’ (I use this) or ‘BackWPup’. Both of these plugins are excellent: they back up your WP database and email it to you along with any other files you asked to have backed up.
Restoring the site from a backup is relatively easy. Download the latest backup file from the backups page in the admin panel or via FTP, decompress it, upload all the files to your hosting account, and import the database dump using your host’s database management tools. Or, if you have a good hosting company, simply send them the files and ask them to do it for you.
6. Use a WP security plugin
Installing a WP security plugin can greatly increase your website’s protection. A security plugin such as ‘Better WP Security’, or ‘iThemes Security’ as it is now called, can protect your website from a ton of security holes and flaws.
Some of the features of this cool plugin are:
The ability to move your wp-config.php file somewhere a little less recognizable while it still does the same job. Your config file is essential, as it holds all your database info. It’s imperative to keep this file safe and backed up.
Security plugins can also help you with file access and weak usernames and passwords; they can even set a reminder to make you change your admin login’s display name to a nickname, so that hackers cannot see your admin username.
Some other plugins to look at are Wordfence and Sucuri. Wordfence is a new-ish security plugin; it has been around for just over a year. It compares the plugin, theme and WordPress core files on your installation with the official versions in the WordPress repository. If there are any discrepancies, the plugin sends you an email. It also scans your site for known malware, phishing, backdoors and virus infections.
Sucuri is more than just a security plugin. In fact, Sucuri specialize in cleaning up infected websites. If your site is infected, they will clean it for you. This comes at a cost, but a very cheap one indeed. The Sucuri WordPress plugin adds a web application firewall and malware file scanning. The web application firewall communicates with Sucuri’s servers, so if a site is under attack from certain IP addresses, they can be blocked across the whole Sucuri network almost immediately. Sucuri comes highly recommended by a lot of bloggers and WP users.
As well as the above plugins and security tips, it is always a good idea to back up your whole server once a week. A reliable hosting company will do it for you, but they may only keep your backups for a limited period such as 7 days. During that time your backups can become infected without your hosting company knowing it (scary, I know), so the next backup is infected too, and once your infected backups are over 7 days old you are left with no clean backups!
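The file comparison that Wordfence does is worth seeing by hand. This added example (not Wordfence’s or Sucuri’s code) records a manifest of SHA-256 digests from a known-good copy of a site and later reports which files changed, appeared or vanished; the sample site is constructed for the demonstration.

```shell
# Added example (not Wordfence's or Sucuri's code): the file comparison such
# scanners do, done by hand. A manifest of SHA-256 digests is taken from a
# known-good copy of the site; later runs report files that changed, appeared
# or vanished. The sample site below is constructed for the demonstration.
set -eu
# make_manifest WEBROOT MANIFEST -> "digest  ./relative/path" lines, sorted
make_manifest() {
  ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$2"
}
# check_manifest WEBROOT MANIFEST -> prints MODIFIED/ADDED/MISSING lines and
# returns 1 when the site no longer matches the manifest, 0 when it does
check_manifest() {
  current=$(mktemp); rc=0
  make_manifest "$1" "$current"
  # Every file the manifest knows must still exist with the same digest
  while read -r digest path; do
    if [ ! -f "$1/$path" ]; then
      echo "MISSING $path"; rc=1
    elif ! grep -qFx -- "$digest  $path" "$current"; then
      echo "MODIFIED $path"; rc=1
    fi
  done < "$2"
  # Anything on disk that the manifest never listed (new plugin? dropped file?)
  while read -r digest path; do
    cut -d' ' -f3- "$2" | grep -qFx -- "$path" || { echo "ADDED $path"; rc=1; }
  done < "$current"
  rm -f "$current"
  return $rc
}
# make_sample_site DIR -> a constructed, minimal WordPress-like tree
make_sample_site() {
  mkdir -p "$1/wp-content/plugins/demo" "$1/wp-includes"
  printf '<?php echo "front"; ?>\n' > "$1/index.php"
  printf '<?php define("DB_NAME", "wp_demo"); ?>\n' > "$1/wp-config.php"
  printf '<?php /* Plugin Name: Demo */ ?>\n' > "$1/wp-content/plugins/demo/demo.php"
  printf '<?php /* core */ ?>\n' > "$1/wp-includes/version.php"
}
```

Take the manifest right after a clean install or a fresh update, keep it off the server, and run the check from cron so that a discrepancy is reported to you rather than waiting to be found.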
Check out the video below to show you how to download all your own files:
To prevent this, it’s a case of DIY. Simply install an FTP program on your PC or Mac such as FileZilla (it’s free) and download your whole website (the whole webspace is recommended) to a secure location on your PC or an external hard disk. Along with your database backup and wp-config.php file, you have all you need to get back up and running in no time.
Prevention is better than cure. So stopping the hacking at the source is the best course of action to follow, by installing and using security plugins and services. I cannot personally guarantee that your blog will not get hacked after implementing these methods I have discussed, but I am sure the chances of attacks will be greatly reduced.
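The database backup, the wp-config.php copy and the DIY whole-webspace download above can be scripted so they happen on your own schedule and keep more generations than a host’s 7-day window. This added example is not from the post or any of the plugins it mentions; the webroot and backup paths, and how many copies to keep, are assumptions, and the sample site it writes is constructed.

```shell
# Added example (not from the post): DIY WordPress backup. It dumps the
# database with the credentials found in wp-config.php, archives the whole
# webspace into a date-stamped file and keeps several generations. Paths
# and the KEEP value are assumptions for this example.
set -eu
# wp_config_value FILE NAME -> value of define('NAME', '...') in wp-config.php
wp_config_value() {
  sed -n "s/^[[:space:]]*define[[:space:]]*([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}
# backup_site WEBROOT BACKUP_DIR -> prints the path of the archive it created
backup_site() {
  webroot=$1; outdir=$2; cfg="$webroot/wp-config.php"
  stamp=$(date +%Y%m%d-%H%M%S)
  mkdir -p "$outdir"
  dbname=$(wp_config_value "$cfg" DB_NAME)
  dbuser=$(wp_config_value "$cfg" DB_USER)
  dbpass=$(wp_config_value "$cfg" DB_PASSWORD)
  dbhost=$(wp_config_value "$cfg" DB_HOST)
  # Dump the database next to the files; mysqldump may be absent when the
  # script is dry-run on a laptop, and a failed dump is reported, not hidden.
  if command -v mysqldump >/dev/null 2>&1; then
    MYSQL_PWD="$dbpass" mysqldump -h "$dbhost" -u "$dbuser" "$dbname" \
      > "$outdir/$dbname-$stamp.sql" || echo "warning: database dump failed" >&2
  fi
  archive="$outdir/site-$stamp.tar.gz"
  # The whole webspace, wp-config.php included, archived from its parent dir
  tar -czf "$archive" -C "$(dirname "$webroot")" "$(basename "$webroot")"
  printf '%s\n' "$archive"
}
# prune_backups BACKUP_DIR KEEP -> delete all but the newest KEEP archives;
# the names carry the timestamp, so sorted order is chronological order
prune_backups() {
  count=$(ls -1 "$1"/site-*.tar.gz 2>/dev/null | wc -l | tr -d ' ')
  for f in $(ls -1 "$1"/site-*.tar.gz 2>/dev/null | sort); do
    [ "$count" -le "$2" ] && break
    rm -f "$f"; count=$((count - 1))
  done
}
# make_sample_site DIR -> writes a constructed, minimal webroot for a dry run
make_sample_site() {
  mkdir -p "$1/wp-content/uploads"
  printf '<?php echo "demo"; ?>\n' > "$1/index.php"
  cat > "$1/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'wp_demo' );       /* constructed sample values */
define( 'DB_USER', 'wp_demo_user' );
define( 'DB_PASSWORD', 'not-a-real-password' );
define( 'DB_HOST', 'localhost' );
EOF
}
```

Copy the archives off the server (to your PC or an external disk, as the post suggests) so that a compromised host cannot take the backups down with it.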
Please feel free to add anything you would like to discuss in the comment section. Also if you enjoyed this post, don’t forget to share it. As always any shares are much appreciated.
Please remember, if you want to take WP security to the maximum, don’t forget to check out Matt Garrett’s Blog Defender program HERE.