In the past two months, two of my clients’ websites were attacked by hackers. Both attacks brought the servers to their knees, knocking out other sites on the same server. One site had a virus installed; the other suffered a brute force attack.
There are many ways your site can get hacked, but some of the most common include:
- Outdated themes and plugins
- Outdated WordPress framework
- Compromised .htaccess files
- WordPress installations no longer used
- A user name of “admin” and/or a weak password
- Malware on your local computer
- Admin username in the author archives
- Directory browsing left enabled, which exposes sensitive files such as wp-config.php or php.ini
You may check your site every day and it may look okay to you. But hackers can send all of your search traffic to another website and you won’t even know it!
When I first started developing websites, one of the lessons I learned about security was never to use the user name “admin”. An old plugin I started out with, Limit Login Attempts, shows you which user names the hackers are entering when they try to get into your site. When I start working with a client and log into their website, if I see “admin” as the user I strongly encourage them to change it, or ask permission to change it myself.
Through monitoring, I’ve also noticed attempted access through the author’s login.
- Set up the site’s administrator account with a business user name and a monitored email address. This user should not be composing blog posts.
- For Google Authorship, create user(s) for blog posting using the Google account email, and set the Display Name to the same name as the Google Plus profile.
- These blog posting users only need a security level of editor or author.
- Change your author archives permalink to ensure that your username is not displayed in the browser window or cache.
Sites can also get hacked from vulnerable plugins.
Two months ago, the first site got hacked through the All in One SEO plugin and brought down an entire server with multiple websites running on it. [All in One Vulnerability]
It was a painful process to move the client’s site to a different server, clean it up to remove the virus, and get it back up and running as quickly as possible. It was especially painful because the backup wasn’t as up-to-date as the site; we had just added content to it.
Last week, another client’s site had a brute force attack. There were too many hits to the website by bots in a short period of time, so the server failed and shut down, taking 52 other sites along with it.
To give you an example of how powerful a brute force attack can be, on March 6, 2014 there was a large distributed brute force WordPress attack. The Wordfence Facebook page updated statistics throughout the day. Their last recorded statistic said “Increase in WordPress attacks detected. 1,638,045 attempts in the last hour compared to an average of 451,475 hack attempts for the last 6 hours.”
Last week’s attack went directly after a deactivated plugin for which the developer had never sent out any updates. Some plugins are not maintained against security flaws, and if a bot finds a hole you can have a major problem.
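To make the kind of monitoring described above concrete, here is an added Python example (not from the original post, and not code from Wordfence or Limit Login Attempts) that scans constructed Apache access-log lines for two of the patterns discussed: a burst of failed logins to wp-login.php from one IP, and requests probing /?author=N to discover user names. The 5-failures-per-minute threshold and the sample IPs are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format: ip ident user [time] "method path proto" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def _line(ip, mm_ss, request, status):
    """Build one constructed access-log line (sample data, not real traffic)."""
    return f'{ip} - - [06/Mar/2014:10:{mm_ss} +0000] "{request} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

# Constructed sample: a bot hammering wp-login.php, a user with a few typos,
# one legitimate login (302 redirect), and one host probing /?author=N.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.5", f"00:{s:02d}", "POST /wp-login.php", 200) for s in range(0, 60, 10)]
    + [_line("192.0.2.44", f"00:{s:02d}", "POST /wp-login.php", 200) for s in (5, 25, 45)]
    + [_line("192.0.2.9", "01:00", "POST /wp-login.php", 302),
       _line("198.51.100.7", "01:05", "GET /?author=1", 301),
       _line("198.51.100.7", "01:06", "GET /?author=2", 301)])

def parse(log_text):
    """Yield (ip, timestamp, method, path, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            yield ip, datetime.strptime(ts, TIME_FMT), method, path, int(status)

def analyze(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return IPs with >= threshold failed logins in any `window`, and IPs probing /?author=N."""
    failed = defaultdict(list)          # ip -> timestamps of failed login POSTs
    author_probes = defaultdict(int)    # ip -> number of author-archive probes
    for ip, ts, method, path, status in parse(log_text):
        # A failed WordPress login re-renders the form with HTTP 200, while a
        # successful one redirects (302), so status 200 is the failure signal.
        if method == "POST" and path.startswith("/wp-login.php") and status == 200:
            failed[ip].append(ts)
        elif re.match(r"^/\?author=\d+", path):
            author_probes[ip] += 1
    brute_force = {}
    for ip, times in failed.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):   # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                brute_force[ip] = len(times)
                break
    return {"brute_force": brute_force, "author_probes": dict(author_probes)}
```

Running `analyze(SAMPLE_LOG)` flags only the bot IP for brute force (the three-typo user stays under the threshold) and lists the author-enumeration host separately, which is the list an IP-blocking plugin would act on.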
All my sites use the Wordfence plugin, which is the latest and greatest security plugin. Wordfence protects against hackers with a real-time system for blocking attacks.
The free Wordfence version is usually enough for most small business websites and offers these features:
- On-demand scanning of your website’s files, with notification of any needed updates or vulnerabilities
- Helps repair hacked files even if you don’t have a backup
- Blocks potential threats on your site if someone else’s site is attacked
- Collects data in real time to help block attacks
- Filters live traffic and shows: all hits, humans, registered users, crawlers, and Google crawlers
- Shows a list of IPs attempting logins, which you can block immediately; they stay blocked for 4 minutes unless you block them permanently.
The premium version offers:
- Two-factor authentication
- Country blocking
- Scan scheduling
For additional monitoring and protection, we’ve added Sucuri Security. Sucuri Security does active scanning of files on the server. It will detect malware, blacklisting, spam, and other security issues on your WordPress site. This plugin offers a 1-click hardening option for your site by restricting access to wp-content and wp-includes and protecting the uploads directory.
If malware is detected on your website, you can check out Sucuri for urgent help such as malware removal and firewall blocking.
A yearly paid subscription of $89.99 offers you the following services:
- Website scan every 6 hours
- Server-side scanning daily
- Text, email, or SMS alerts of malware detection
- Malware clean-up
- Blacklist removal
Everyone with a website knows that things can sometimes go wrong. We are so busy working on our business that we might not know there is a problem until a client calls to say the website isn’t working.
Uptime Robot is about helping you to keep your websites up. It monitors your websites every 5 minutes and alerts you if your sites are down.
We’ve set up our client sites on this free service with email notifications when something happens. It’s quick and easy to set up.
CloudFlare is a content delivery network (CDN) provided by many major web hosting companies. Think of how YouTube works: there are servers all over the world holding copies of the video files. CloudFlare does the same for your site, making a copy of your files from whichever server they live on and storing copies on many servers. When a visitor requests a page, they receive the cached copy rather than the real file, so the real file is protected.
Your website performance is improved since content will be served by a server that is closest to your visitor. CloudFlare blocks malicious incoming threats, which keeps your website safe. You can sign up for free with your hosting company.
WordPress security lessons learned:
- If your website is using a shared server, which most small business sites are, your site is vulnerable because of other sites on that same server. Your site can go down without being directly attacked.
- Don’t use the user name “admin”. To change it, log in as “admin” and create a new user for yourself, then log out, log in as the new user, and delete the “admin” user.
- Set up Users for posting blogs and include the Google Plus Profile name and URL for establishing Google Authorship.
- Schedule or perform backups of the complete site and move the file to an offsite location for safe storage. Backups should be at least monthly, but the right frequency depends on how often you make changes to the site.
- Plugins are a “necessary evil” but don’t use too many. If you aren’t using a plugin, delete it. Even if the plugin is deactivated, it can still cause problems.
- Keep all plugins up to date.
- Install the Backup Buddy, Wordfence and Sucuri plugins for maximum protection. They are not bullet-proof, but they offer notifications so you can minimize damage.
No matter what your WordPress skill level is, you can take simple steps to protect your website and keep it up and running. Should you need help with implementing a security plan on your site or just maintaining your website content, we offer a website maintenance service that is as-needed or on-going.