Last week we at BRNM experienced one of those dreaded, but avoidable headaches — the website hack. It happened because one of our client websites was running an old version of WordPress in one of our shared hosting accounts. It was a pretty nasty job. Once the hacker found his way in, he injected some code to auto-infect any other WordPress websites in the same account. Had we done what some smaller hosting companies do and combined all their clients into one directory, it could have been far worse. But we don’t. We isolate each account properly and give each its own cPanel for individual control and access. We considered ourselves lucky… until we found that this virus was a cover-up for a more lethal problem — gaining access to the master controls of our servers. Whoa, indeed! As soon as we realized what was going on (which took all of a few hours), we quickly wiped the server clean and restored it from a backup taken before the hack. Phew… This was the first successful hack ever against us in our six years in business. Still, it was a week-long process of updating all our processes and content to their current states. Long story short, hacks are a pain.
Hacks are an Avoidable Pain
As I said, the hack succeeded because a WordPress site was not updated to its latest version. (If you missed it, here are some thoughts on the right way to go about updating your site.) Software updates happen regularly, and with good cause. Developers aren’t just releasing new and fun functionality. They’re constantly patching loopholes and hardening security issues. The same goes for plugin updates. It’s a really good idea to log into your WordPress admin periodically, especially if you’re not in there often to add new blog posts and such, at least to check for updates. On versions 4.0 and higher, minor updates are made automatically. You’ll still need to make the bigger updates yourself. Still, they’re super easy.
Keeping your site up to date is the single most effective way to prevent being hacked.
Other Ways to Stay Secure
There are a number of other easy things you can do to keep things secure without the help of a developer.
- Use a unique, hard-to-guess password. Choose a password that passes WordPress’s validation as “very good”. Use upper- and lower-case letters, numbers and symbols. It’s a really good idea not to reuse the same password that you use for Facebook, or your online banking login, or even your eHarmony account. If a hacker figures out your password, it’s a safe bet that he’s going to test it against as many other sites as possible to gain access.
- Don’t use “admin” as your login username, or anything that is generic or easy to guess, for that matter. Even if you use your name, throw a number or symbol in there. Hackers make bots that use default usernames to run their brute-force attacks. What’s a brute-force attack? It’s a method where a bot tries a different password over and over on your site until it guesses correctly. Needless to say, this goes hand in hand with #1.
- Check for (and get rid of) malware. In the event that naughty scripts do make it to your site, you’ll need a way to check for them and clean them up. The WordFence plugin is a great solution here. It scans files, sends you notifications for anything out of whack, and cleans it up for you. We recommend it highly as one of our plugins of choice, and include it as part of our Increased Performance package for security.
- Choose a solid web host. The environment on which you host your site will play a huge role in your peace of mind. There is the age-old saying, you get what you pay for, but then again when it comes to technology, how do you really know that what you’re getting is quality? Here are a few of the biggest out there that we trust and know offer good quality and customer service: BlueHost, GoDaddy, HostGator, and there are other great web resources out there as well.
- “Vet” the themes and plugins you use. There are a lot of crappy WordPress themes and plugins out there. This fact has led people to believe that WordPress is insecure or a faulty platform. This simply isn’t true. The core platform is solid, and is strengthened (or weakened) by the quality of the add-ons you bring onto the site. We strongly recommend against template themes, and to use professional, custom design instead. Template authors aren’t always held accountable to the latest security concepts, nor do they always offer periodic theme updates.
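Two of the items above, the brute-force bots and the “check for malware” step, are things you can see for yourself in the data a site already produces. The following is an added example (not BRNM’s, WordPress’s or WordFence’s code) showing the two checks a plugin like WordFence automates: spotting a burst of login attempts from one address in the web server access log, and comparing file hashes against a saved baseline so an injected or modified file stands out. The log lines, the file tree and the IP addresses are constructed for the example; the log format assumed is the common Apache/nginx “combined” format.

```python
"""Added example: two defender-side checks for a WordPress install.

1. Brute-force detection over access-log lines (combined log format).
2. File-integrity baseline and diff for the site root.
All inputs are constructed; nothing here is WordPress's or WordFence's own code.
"""
import hashlib
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: IP ident user [timestamp] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one address hammers the login form, another logs in once.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421',
    '203.0.113.7 - - [10/Mar/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421',
    '203.0.113.7 - - [10/Mar/2015:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421',
    '203.0.113.7 - - [10/Mar/2015:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3421',
    '203.0.113.7 - - [10/Mar/2015:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3421',
    '203.0.113.7 - - [10/Mar/2015:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3421',
    '198.51.100.4 - - [10/Mar/2015:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2210',
    '198.51.100.4 - - [10/Mar/2015:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.4 - - [10/Mar/2015:10:02:31 +0000] "GET /wp-admin/ HTTP/1.1" 200 9901',
    "garbage line that must be skipped",
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "method": m.group("method"), "path": m.group("path"),
            "status": int(m.group("status"))}


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: total_failed_posts} for addresses with at least `threshold`
    failed login POSTs inside any sliding `window`.
    A failed WordPress login re-renders the form (HTTP 200); a successful one
    redirects to wp-admin (HTTP 302), so only 200 responses are counted."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST" and rec["status"] == 200
                and rec["path"].startswith("/wp-login.php")):
            attempts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def build_baseline(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                baseline[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return baseline


def diff_baseline(baseline, current):
    """Classify files as modified, added or removed relative to the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo_integrity():
    """Build a tiny constructed site tree, baseline it, then change it the way an
    injection does (a core file altered, an unexpected file added) and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "themes", "site"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php require 'wp-blog-header.php';\n")
        with open(os.path.join(root, "wp-content", "themes", "site", "functions.php"), "w") as fh:
            fh.write("<?php // theme setup\n")
        baseline = build_baseline(root)
        with open(os.path.join(root, "index.php"), "a") as fh:
            fh.write("// constructed change standing in for appended code\n")
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        with open(os.path.join(root, "wp-content", "uploads", "cache.php"), "w") as fh:
            fh.write("<?php // constructed unexpected file\n")
        return diff_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    print("brute-force suspects:", find_bruteforce(SAMPLE_LOG))
    print("integrity diff:", demo_integrity())
```

Run the script as-is to see both checks on the constructed data. Against a real site, feed `find_bruteforce` the lines of your access log and run `build_baseline` once on a known-clean install, storing the result; later runs of `diff_baseline` then point you straight at the files to inspect, which is the same signal the WordFence scan gives you, without the cleanup it adds on top.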