Recently a couple of my personal WordPress sites were hacked — arggh. I got my developer ninjas on it right away, and we scrubbed the sites clean, backed them up, updated all the software, updated all the passwords, and installed a bunch of security monitoring and protection software to prevent it from happening again.
Nonetheless, it hit me hard to have my baby, Fierce Wisdom, embargoed by Google for almost two full days, stopping me from posting new content, and blocking thousands of potential visitors.
NOTE: This will provide the basic info to help keep you safe and protected from most typical attacks. Keep in mind, there is no guarantee here, and no way to fully bulletproof yourself from hackers.
If a really good hacker wants into your site, they’ll find a way. Witness: A representative of Anonymous Hacker Collective speaking on taking down websites from Visa, Mastercard and Paypal in response to the anti-Wikileaks backlash.
As soon as everything was cleaned up and locked down, we submitted the site to Google and they removed the malware message pretty quick. What a relief!!
We always install basic backup software on our client sites, but unless you’re a regular client or have us on a maintenance contract, it’s up to you to stay on top of upgrades! You need to understand the basics, especially if you’re doing it all yourself.
Websites are similar to any property — they’re online properties — and they need to be maintained. Especially in the case of sites with open source and database-driven software. All software and programming code degrades over time — it’s just natural — and when neglected it becomes a liability.
Code makes stuff happen. It’s interactive — and to a point, it’s alive. That’s why it degrades, just like anything else that’s living.
How to protect your online properties, accounts and WordPress websites from attacks:
1. First off, the most basic precaution: Passwords.
You really do want to use long and complicated passwords with numbers, uppercase letters and random symbols. The main reason why: “brute force attack.” The software used for these attacks essentially runs thousands of combinations until it breaks yours. The more complicated your password, the harder to crack.
The real danger, however, is “offline” cracking:
Hackers break into a system to steal the encrypted password file or eavesdrop on an encrypted exchange across the Internet. They are then free to decrypt the passwords without anybody stopping them.
Doing this, hackers can guess passwords at the rate of 1 billion guesses a second. That’s fast, but not when you consider how big the problem is. Consider passwords composed of letters, numbers, and symbols. That’s roughly 100 combinations per character. A five-character password will have 10 billion combinations. This means a hacker can guess a five-character password in only 10 seconds. But things quickly get worse for the hacker. This problem grows exponentially:
5 characters = 10 seconds
6 characters = 1,000 seconds
7 characters = 1 day
8 characters = 115 days
9 characters = 31 years
10 characters = 3,000 years
This is why you need long passwords. Hackers can usually crack anything with seven characters or fewer, but they would be unlikely to guess passwords using this technique that are nine characters or more. Learn more
So, please keep this in mind for ALL your important accounts online. I use a master spreadsheet protected behind a firewall to keep track of them.
Be sure to update your main server password and your WordPress wp-admin access users and passwords with something super strong.
I recommend random password generators, or long and weird word/number/character combinations you can remember for frequently accessed sites. You can use a password generator like this one I use, named: (surprise) Strong Password Generator
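To make the numbers in that table concrete, here is an added Python example (my own, not part of the original post or the quoted source). It takes the passage’s two assumptions as constants (about 100 possible symbols per character and an offline attacker making 1 billion guesses per second), computes the worst-case time to exhaust every password of a given length, and pairs that with a generator that draws passwords from the operating system’s cryptographic random source, which is the kind of thing a “strong password generator” tool does under the hood.

```python
import math
import secrets
import string

# Figures taken from the quoted passage above: roughly 100 possible symbols per
# character, and an offline attacker trying about 1 billion guesses per second.
ALPHABET_SIZE = 100
GUESSES_PER_SECOND = 1_000_000_000

# Unit sizes used to render times; a year is taken as 365 days.
UNITS = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))


def seconds_to_crack(length, alphabet_size=ALPHABET_SIZE, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every password of `length` characters."""
    return alphabet_size ** length / rate


def human_time(seconds):
    """Render a duration in its largest whole unit, truncating like the table above."""
    for unit, size in UNITS:
        if seconds >= size:
            n = int(seconds // size)
            return f"{n:,} {unit if n != 1 else unit[:-1]}"
    n = int(seconds)
    return f"{n:,} {'seconds' if n != 1 else 'second'}"


def crack_table(lengths=range(5, 13)):
    """Length -> worst-case crack time; reproduces the table above and extends it."""
    return {n: human_time(seconds_to_crack(n)) for n in lengths}


def bits_of_entropy(length, alphabet_size=ALPHABET_SIZE):
    """log2 of the keyspace: every extra bit doubles the attacker's work."""
    return length * math.log2(alphabet_size)


def generate_password(length=16, alphabet=string.ascii_letters + string.digits + string.punctuation):
    """Random password drawn from the OS CSPRNG via `secrets`, never from random.random()."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for n, t in crack_table().items():
        print(f"{n:2d} characters = {t}")
    print("example password:", generate_password(20))
```

Running it prints the same progression as the table (10 seconds, 1 day, 31 years, then thousands of years at 10 characters) and shows why adding length beats adding cleverness: each extra character multiplies the attacker’s work by the alphabet size. The generator only uses `secrets`, because Python’s `random` module is not suitable for secrets.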
2. Get Those Backups Sorted!
Contact your web host provider to inquire about their backup policies. Most managed server plans will include backups, but many inexpensive shared server webhosts — like HostGator — also create automatic backups and will restore your site for a small fee, or no charge. Regardless, you’ll have to talk to them to inquire about your options.
For many sites the size can be prohibitively large for your webmaster or developers to store complete backups. Always talk to them about their policies, and what they have in place for you.
If you’re running your own sites, you want to be sure you have complete backups available either locally, on the cloud, or at your web host.
I’m fond of Dropbox for cloud-based file backups, and they offer a free account for starters (though it may not be big enough to handle very large site backups). I use it for all my important files, and this link will give you 250MB extra bonus space: http://db.tt/61XsOac
3. Use WordPress Backup Plugins:
You want to back up your database and your core site files. (These are all the files in your wp-content folder, and you can literally download this folder to your hard drive — or Dropbox — via FTP for a restore if needed.) Your database holds the information and content of all your posts and site pages.
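If you would rather script the two backups described above than rely on a plugin, here is an added Python example (mine, not from the post or any of the plugins it mentions). It archives the wp-content folder to a .tar.gz, writes a SHA-256 manifest next to it so a restore can be checked, and dumps the database with `mysqldump` (assumed to be installed, with the password supplied through the `MYSQL_PWD` environment variable rather than on the command line). The `run_demo` function builds a small constructed site in a temporary directory so the archive-and-verify path can be exercised without a real WordPress install or database.

```python
import hashlib
import json
import os
import shutil
import subprocess
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large uploads never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def archive_wp_content(site_root, dest_dir, stamp=None):
    """Tar+gzip wp-content and write a JSON manifest of per-file SHA-256 hashes."""
    site_root, dest_dir = Path(site_root), Path(dest_dir)
    content = site_root / "wp-content"
    if not content.is_dir():
        raise FileNotFoundError(f"no wp-content folder under {site_root}")
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"wp-content-{stamp}.tar.gz"
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(content.rglob("*")):
            if path.is_file():
                rel = path.relative_to(site_root).as_posix()
                manifest[rel] = sha256_file(path)
                tar.add(str(path), arcname=rel)
    manifest_path = dest_dir / f"wp-content-{stamp}.sha256.json"
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return archive, manifest_path


def dump_database(db_name, db_user, dest_dir, stamp=None, host="localhost"):
    """Dump the WordPress database with mysqldump (assumed installed). mysqldump reads
    the password from the MYSQL_PWD environment variable, so it never appears in `ps`."""
    if shutil.which("mysqldump") is None:
        raise RuntimeError("mysqldump not found on PATH")
    if "MYSQL_PWD" not in os.environ:
        raise RuntimeError("set MYSQL_PWD in the environment before running")
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    out = Path(dest_dir) / f"{db_name}-{stamp}.sql"
    with open(out, "wb") as f:
        subprocess.run(
            ["mysqldump", "--single-transaction", "-h", host, "-u", db_user, db_name],
            stdout=f, check=True,
        )
    return out


def verify_archive(archive, manifest_path):
    """Restore test: every archive member must hash to its manifest entry, and vice versa."""
    manifest = json.loads(Path(manifest_path).read_text())
    seen = set()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            digest = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
            if manifest.get(member.name) != digest:
                return False
            seen.add(member.name)
    return seen == set(manifest)


def run_demo():
    """Build a constructed toy site in a temp dir, back it up, and verify the archive."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        sample_files = {  # constructed sample content, not a real site
            "wp-content/themes/demo/style.css": "body { color: #333; }\n",
            "wp-content/plugins/demo/demo.php": "<?php // constructed sample plugin\n",
            "wp-content/uploads/2012/hello.txt": "hello\n",
        }
        for rel, body in sample_files.items():
            (site / rel).parent.mkdir(parents=True, exist_ok=True)
            (site / rel).write_text(body)
        archive, manifest = archive_wp_content(site, Path(tmp) / "backups", stamp="demo")
        return verify_archive(archive, manifest), len(json.loads(manifest.read_text()))


if __name__ == "__main__":
    print(run_demo())
```

A backup you have never restored from is a hope, not a backup; the manifest check is the cheap version of that restore test, and it also lets you notice if a stored archive has been altered or truncated.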
Plugins can be easily installed via the Plugins Menu >> Add New >> Search Plugins function via your WordPress admin dashboard menu. There are tons of plugins — you want to look for frequently updated and current plugins, preferably with tens of thousands of downloads already logged.
WordPress Database Backup
Also known as WP-DB-Backup, this is a great plugin I’ve used for a long time which will email your complete database backup on a daily or weekly basis:
WP-DB-Backup allows you easily to backup your core WordPress database tables. You may also backup other tables in the same database. By Austin Matzko
WordPress Backup to Dropbox
Cool plugin, and popular:
WordPress Backup to Dropbox has been created to give you peace of mind that your blog is backed up on a regular basis. Just choose a day, time and how often you wish your backup to be performed and kick back and wait for your website's files and a SQL dump of its database to be dropped in your Dropbox! You can set where you want your backup stored within Dropbox and on your server
Online Backup for WordPress
Online Backup for WordPress will automatically backup your WordPress database and filesystem on a configurable schedule, and can incrementally send the backup compressed (and optionally encrypted using DES or AES) to our online vault where you can later retrieve it. Backups can even be produced on-demand and downloaded straight to your computer. You can view the current status, change any settings, and restore individual files at “Tools -> Online Backup”, or by clicking the “View Status” link to the left.
Drawback on this plugin is the free backup allotment is on the small side, but I believe they do offer paid upgrades if needed.
4. Keep Your WordPress Install, All Software and Operating Systems Current
In our case, one or two inactive WordPress sites on our main server had been neglected for a while and were running older versions of the software, leaving them vulnerable to hackers. Keep your WordPress installs current. You’ll want to have backups in place before any upgrades.
This should be done with all software running on any of your sites. Keep them updated whenever possible.
On your home computers, you also want to allow software upgrades and keep the operating system current.
On your web browsers, keep them updated, and avoid Internet Explorer altogether. Stick with Chrome, Firefox or Safari.
5. Use Website Malware Scanners and WordPress Security Plugins
I’ve found this website malware scanner works well: Unmask Parasites
This post on the google webmasters forum has a bit more info which may be useful: best means to scan a website for malware?
WordPress Malware Scanning and Security Plugins:
WP Security Scan
WP Security Scan checks your WordPress website/blog for security vulnerabilities and suggests corrective actions such as:
WordPress admin protection/security
Removes WP Generator META tag from core code.
AntiVirus for WordPress
Another popular plugin option:
AntiVirus for WordPress is a smart and effective solution to protect your blog against exploits and spam injections. Malware protection for your blog.
WordPress 3.x ready: Design as well as technical
Detect the WordPress permalink back door
Quick & Dirty: activate, check, done!
Manual testing with immediate result of the infected files
Daily automatic check with email notification
… By Sergej Müller.
WP-MalWatch hasn’t been updated in almost a year, but it does work on the latest WordPress version. I would generally avoid leaving plugins installed for long that aren’t regularly updated, but this one has some great features that can help you evaluate your site:
WP-MalWatch is a WordPress security plugin scanner designed to help alert you when hackers have been at work inside your blog. When hackers infiltrate a blog, the first thing they do is plant hidden files, disguised .PHP, and malicious .HTACCESS files in various directories. Their goal is to litter your WordPress installation and theme with links to their sites. WP-MalWatch performs a security scan of your WordPress installation nightly looking for evidence of foul play and if WP-MalWatch finds it, a dashboard widget will tell you where you should take a closer look.
WebsiteDefender WordPress Security
This is a new release and upgrade on the popular Secure WordPress plugin that was taken over by Website Defender.
The WebsiteDefender WordPress Security plugin is a free and comprehensive security tool that helps you secure your WordPress installation and suggests corrective measures for: strengthening passwords, securing file permissions, security of the database, version hiding, WordPress admin protection and lots more. By WebsiteDefender.
One other popular option to consider:
Website Security Protection: BulletProof Security protects your website from XSS, CSRF, Base64_encode and SQL Injection hacking attempts. One-click .htaccess WordPress security protection. Protects wp-config.php, bb-config.php, php.ini, php5.ini, install.php and readme.html with .htaccess security protection. One-click Website Maintenance Mode (HTTP 503). Additional website security checks: DB err… By Edward Alexander.
What to do if you’re attacked?
Hopefully these precautions will keep you safe. If you are hacked, the best thing to do is hire a professional developer to help you out.
The first thing they’ll do is reset all passwords. They’ll run a security audit on your site, looking for malware scripts, files and code that isn’t supposed to be there, and determine which files have been modified recently. This is done manually and with the help of special malware scanning software. In most cases your site can be repaired and restored within hours. If you don’t have backups in place, this can be a lot longer.
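The WP-MalWatch description above (hidden files, disguised .PHP files, stray .htaccess files in odd directories) and the audit steps just described (look for code that shouldn’t be there, find what was modified recently) amount to a checklist you can run yourself. This is an added Python example, my own and not the code of any plugin or of the author’s team; the indicators it checks are heuristics I have chosen for illustration, so a hit means “look here,” not “infected.” It walks a WordPress install and reports PHP files under wp-content/uploads, .htaccess files outside the site root, other hidden files, scripts containing an eval-wrapped decoder call, and anything modified within the last N days. `run_demo` builds a constructed toy site in a temporary directory with old, clean files and a couple of planted indicators.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Heuristic indicators assumed for this example (not taken from any plugin).
# Obfuscated-loader pattern: eval/assert wrapped directly around a decoder call.
OBFUSCATED_LOADER = re.compile(
    rb"\b(eval|assert|create_function)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE,
)
TEXT_EXTENSIONS = {".php", ".phtml", ".inc", ".js", ".html", ".htm", ".txt"}
# Directories where an executable PHP file has no business being.
NO_PHP_DIRS = (("wp-content", "uploads"),)


def scan_site(site_root, modified_within_days=7, now=None):
    """Walk a WordPress install; return {relative_path: [reasons]} worth a closer look."""
    root = Path(site_root)
    now = time.time() if now is None else now
    cutoff = now - modified_within_days * 86400
    findings = {}

    def flag(rel, reason):
        findings.setdefault(rel, []).append(reason)

    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        relpath = path.relative_to(root)
        rel, parts = relpath.as_posix(), relpath.parts
        if path.suffix.lower() == ".php" and any(parts[:len(d)] == d for d in NO_PHP_DIRS):
            flag(rel, "PHP file inside an upload directory")
        if path.name == ".htaccess":
            if len(parts) > 1:
                flag(rel, ".htaccess outside the site root")
        elif path.name.startswith("."):
            flag(rel, "hidden file")
        if path.suffix.lower() in TEXT_EXTENSIONS or path.name == ".htaccess":
            if OBFUSCATED_LOADER.search(path.read_bytes()):
                flag(rel, "obfuscated eval/decode loader")
        if path.stat().st_mtime >= cutoff:
            flag(rel, f"modified within the last {modified_within_days} days")
    return findings


def run_demo():
    """Construct a toy site: old clean files plus two freshly planted indicators."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        old = time.time() - 30 * 86400
        clean = {  # constructed, aged 30 days so they fall outside the recency window
            "index.php": "<?php // constructed sample front controller\n",
            ".htaccess": "# constructed root rewrite rules\n",
            "wp-content/uploads/2012/photo.jpg": "not really a jpeg\n",
        }
        planted = {  # constructed indicators; the decoder argument is a placeholder
            "wp-content/uploads/2012/image.php":
                '<?php eval(base64_decode("PLACEHOLDER")); // constructed indicator\n',
            "wp-content/uploads/.htaccess": "# constructed stray .htaccess\n",
        }
        for rel, body in {**clean, **planted}.items():
            (site / rel).parent.mkdir(parents=True, exist_ok=True)
            (site / rel).write_text(body)
        for rel in clean:
            os.utime(site / rel, (old, old))
        return scan_site(site, modified_within_days=7)


if __name__ == "__main__":
    for rel, reasons in run_demo().items():
        print(rel, "->", "; ".join(reasons))
```

The recency check is the most useful single item when you have a known-good backup: anything changed since the last clean backup that you did not change yourself deserves a diff. The other rules are cheap filters for the patterns the WP-MalWatch description calls out; legitimate plugins do sometimes drop an .htaccess into uploads, which is exactly why the output is a list of places to look rather than a verdict.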
We have some expert developers on our team who can get you sorted if you need some assistance. Just stay calm and know that as long as you’re well prepared, and follow the backup procedures recommended here, you should be back up and running in little time.
You can also find more info on the Google webmasters forum for Malware & Hacked sites
Once your site is all cleaned up, you’ll want to have it submitted for re-evaluation by Google if you’ve been slapped by the warning page/embargo. You can do this through Google Webmaster Tools. The site must be added to your account and verified first, and your developer can also do this for you. It’s a good idea to have this account set to forward any messages to your personal email. In my own case they scanned the site and removed the warning message in less than 24 hours.
Keeping yourself protected online and in real life is essential. Always better to be prepared than sorry. Good luck out there! :)
For more info on protecting your physical and spiritual self through your luminous energy field visit my personal site, Fierce Wisdom.
For help with strengthening and building your online presence, contact us here.
Please share this and Retweet with your gang. Thanks! :)