I originally wrote about hacked wordpress websites just over a year ago, and in my last article I talked about how you can tell if your website had been hacked, this article is going to cover a few steps you can take to ensure you stay one step ahead and hopefully not get hacked in the first place!
Step 1 – Don’t use common usernames or bad passwords!
I would estimate that more than half of the “Hacks” that occur on a daily basis, are due to people having terrible passwords and/or obvious usernames. Make sure that your website login passwords, email passwords and control panel passwords are secure, and stored somewhere safely. Email passwords may seem irrelevant to website security, but if someone hacks your email they’ve effectively got access to everything associated with that email account.
Additionally, choosing “Admin” as a username is just as silly – platforms like WordPress do not come with any brute force protection, so someone can try and gain access to your website over and over and over and over and over again by firing millions of login requests at it under the username Admin, and it would only be a matter of time before they saw the WordPress dashboard and your day would be getting a whole lot worse. Ask your web host or designers if you’re unsure how to change passwords.
Step 2 – Be careful who you trust!
This step could apply to life in general, but in “website security” terms what I mean is don’t just give a login to your mate, or his mate, and some guy you met on the bus that said “i can do websites”… The main reason for this is not down to the abilities of that person, and the fact they may mess up content or break parts of the site by installing dodgy add-ons – it actually relates to the fact you have ZERO control over that persons PC, and that means you don’t know if their laptop or desktop computer is clear of viruses and malware which have been known to use FTP programs to spread onto web servers, and in turn deface websites and in some cases even bring the whole web server down.
If you only allow people in your organisation to update and edit your website, and only on computers that have full virus protection and that have regular spyware/malware scans carried out.
Step 3 – Be careful what you add-on!
I encountered a situation recently that involved a flakey WordPress plugin, and a user harmlessly wanting to add a neat new feature to their website. The exact nature of how the issue occurred is unclear, but it seem that the plugin was either not from the official wordpress plugin repository, or it was downloaded from the wordpress repository, to a computer, infected, then re-uploaded.
What is clear is that the timestamp on all the files exactly matched the admin log of when the user installed the plugin, and every PHP file on the account had code injected into the top, rendering the website completely useless.
Make sure you install plugins directly from the wordpress plugin repository by going to [Plugins] > [Add New] in the admin section of your website, then search for your plugin and install directly from there. If you can’t get it to work contact your web host or web designers and get them to sort that for you. Also if you are buying a premium plugin, make sure its from a reputable source.
Step 4 – Keep a tidy house!
I don’t mean washing the pots, I mean keeping things in order in the admin section of your website. Keep old admin accounts under control, make sure plugins are kept up-to-date and delete any that are unused. This includes themes too – if you’ve got more than one theme installed and only ever use one then delete all the others. Some themes come with exploitable files, and it doesn’t matter if the theme is active – the file is still there and its still a back door!
Step 5 – Call in the heavies!
There are a number of plugins that can help you protect your wordpress website, and most of the basic versions are free. We use a combination of;
- iThemes Security
- Captcha On Login
Your web company should recommend a range of plugins and services to slow any attacks down, we have a service called Website Warranty that helps defend against attacks, and in some cases stop them altogether if we get right combination of the available defences in place. Get in touch for details.
To conclude, owning a website is like owning anything else. If you pay it no attention, it will end up falling apart. And if you use your website to generate enquiries or sell products then don’t let it get to a stage where those enquiries have stopped coming in, or you notice your products are starting to gather dust on the shelves. Keep on top of things and you have the best chance of staying online.
If you need help securing your wordpress website or help restoring a hacked one then contact your website provider, or if you’re at a loose end then get in touch with dijitul and i’m sure we can get things in order for you.