There has been so many reports of WordPress sites being hacked and compromised in the blogging community lately. Imagine what Nikki and Tina went through when they discovered issues with their blogs. Blogs which are a source of income and business, their livelihood.
Imagine going to your blog as normal to find that you had lost access to your dashboard or that your readership levels had dropped because every time a reader went to go there they were hit with a big warning, site compromised or hacked!
Hacks come in all forms from stealing your login details and locking you out of your site to redirecting your readers to a 3rd party website which then downloads viruses and keylogging trojans into their computer. Below are just some of the ways your site may be acting after a security breach:
- Malicious software being installed on your visitor’s computer.
- An excessive amount of unwanted comments and ugly spam links.
- Being labelled and blacklisted by search engines as a dangerous website. When a search engine visitor clicks on the link to your website, they are sent to a web page that says, “Warning – visiting this website may harm your computer!”
- Having parts or all of your site being completely wiped out.
Whatever the hack and its effect, it’s a scary time and heart in your mouth scenario.
I often get asked why are people getting hacked and are there some common reasons or links. While it isn’t always possible to know why or how it happened there are some stand out reasons why blogs are vulnerable and are an easy target which all blog owners should be aware of.
WordPress sites vulnerable to hijackings are ones that :
- Are running on Outdated WordPress versions
- Outdated plugin versions namely : Google Analytics, WP Addthis, WP Touch, WP Total Cache
- Using an old version plugin TimThumb – this plugin was a major source of security breaches for many users however it has been written from scratch and reports are now that the new version is safe.
- Not monitoring visitor activities via Webstats
- Using the default userid, i.e. “admin” While no-one can 100% guarantee that your site is safe there are steps you can take to protect yourself and the blog you have worked so hard at building. It’s important to remember that there is no such thing as hack-proof, even the FBI and other Government agencies get’s hacked.
- Using a weak password
Here is a list of steps to minimize vulnerability for WordPress sites.
- ALWAYS … update to the latest WP version. Updates can be annoying and for some users downright scary but these updates or patches are released for a reason and more often than not because of identified weaknesses which have been repaired.
- ALWAYS …. update to the latest plugins
- Do not use the same USERID and PASSWORD as the cPanel and MYSQL
- Use different USERID and PASSWORD for different sites/domains.
- Change the default extension of the db tables from wp_ to something else.
- Change your login password regularly.
- Deactivate and delete all unused plugins from the plugins folder.
- Know what plugins you are installing and what they do.
- Ensure that the plugins you are installing are up to date and are compatible with the latest version of WordPress
- As added security, ensure your cPanel passwords are also secure – the original password given on sign up was difficult to remember for a reason.
There are a few things to remember when choosing themes and plugins:
- Always Research your themes and plugins!
- Ask yourself the following questions:
- Is the plugin or theme in active development?
- Are the authors upgrading with the WordPress development cycle?
- Is the plugin or theme from a reputable source eg WordPress.org repository.
- Is the plugin or theme up to date
- Does the author of the plugin or theme update them quickly
- Is there support provided by the authors?
- What are the reviews saying about the plugin or theme?
As I wrote above we cannot always prevent a security breach but we can take the above steps to help protect ourselves. Unfortunately it can happen to anyone who owns a website and when it does you need to take action to clean the website and protect it.
LHH has teamed up with Sucuri to provide a monitoring and malware removal service.
LHH has secured lower prices for our clients and even non clients and are thrilled we can help give you peace of mind.
To find out more about this new service please see here.
There is part 2 of our series on website protection and backup’s. Over the next few weeks we will be writing about how to backup and how to protect yourself online!
Part one is found here
Part 3 is found here