Back in February I received a very troubling email.
I use a security plugin called Wordfence for my personal WordPress sites. They notified me that I was likely hacked, moments after malicious code was inserted into my site. I jumped in to investigate without really knowing what I was doing.
I logged onto my FTP and saw some folders and files that I did not upload. I ran through every folder on my server and deleted anything that looked malicious. After about 20 minutes of work I was pretty confident that my server was clean.
Wrong wrong wrong wrong.
About 2 weeks later the hackers were back with a vengeance.
Well, what happened? I have a server and host multiple WordPress websites, some for my wife and me, and others for friends and family.
One friend neglected his site. He hadn’t done core WordPress or plugin updates in over a year. That’s a huuuuuge no-no on WordPress.
WordPress is a great CMS and it is hands down the most widely used CMS, but that comes at a price.
WordPress is a huge target for hackers. These hackers can get into websites through vulnerabilities that haven’t been patched in core WordPress files, plugins or even theme files. You can have the strongest password in the world, but if you neglect an update or two that could spell serious trouble.
Quick Tips for Security
1. Don’t use shared hosting for your website.
As our developer Brad said previously, a cheap hosting plan looks really tempting at $10 a month or less, but those shared hosting packages are not the best for security. If a hacker has access to one site on a shared server, they have access to all of them.
2. Force all users to use strong passwords.
This is a no-brainer. Passwords are so important, and while Mr. Snuggles is your adorable cat, his name is a terrible password. Pets' names, birthdays, and other bad passwords are easy to guess or socially engineer. Stay away from them.
Force all users to use upper and lowercase letters, numbers and symbols in their passwords.
3. Change the default user name from “admin” to something else.
Since fixing my site and relaunching in February, hackers have tried to log into my site 129 times using the user name "admin".
"admin" is the default user name on WordPress sites and since most users don't change that name, "admin" is the user name that hackers will use to try and gain access to your site. Change it to something else, such as your email address, or a user name that is unique. This will make it that much harder to hack into your site.
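As an added example (not code from this post, from Wordfence or from WordPress core), here is a small must-use plugin that enforces the mixed-case, number and symbol rule from tip 2 on profile updates and password resets, and uses WordPress's illegal_user_logins filter so nobody can create an account named "admin" as tip 3 recommends. The 12-character minimum and the EXAMPLE_ names are my own assumptions.

```php
<?php
/**
 * Plugin Name: Example Password Policy
 * Constructed example, not part of WordPress core or Wordfence.
 * Place in wp-content/mu-plugins/ so it loads on every request.
 */

// Assumed minimum length; the post itself only requires mixed case, numbers and symbols.
define( 'EXAMPLE_MIN_PASSWORD_LENGTH', 12 );

// Return an error message if the password breaks the policy, or '' if it passes.
function example_password_policy_error( $password ) {
    if ( strlen( $password ) < EXAMPLE_MIN_PASSWORD_LENGTH ) {
        return sprintf( 'Password must be at least %d characters long.', EXAMPLE_MIN_PASSWORD_LENGTH );
    }
    $rules = array(
        '/[a-z]/'        => 'a lowercase letter',
        '/[A-Z]/'        => 'an uppercase letter',
        '/[0-9]/'        => 'a number',
        '/[^a-zA-Z0-9]/' => 'a symbol',
    );
    foreach ( $rules as $pattern => $label ) {
        if ( ! preg_match( $pattern, $password ) ) {
            return 'Password must contain ' . $label . '.';
        }
    }
    return '';
}

// Add the policy error to the WP_Error object the form will display.
function example_check_submitted_password( $errors ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // no new password submitted
    }
    $message = example_password_policy_error( wp_unslash( $_POST['pass1'] ) );
    if ( '' !== $message ) {
        $errors->add( 'weak_password', $message );
    }
}

// Profile edit and add-user screens post the new password as pass1.
add_action( 'user_profile_update_errors', 'example_check_submitted_password' );
// The lost-password reset form also posts pass1.
add_action( 'validate_password_reset', 'example_check_submitted_password' );

// Tip 3: refuse to create any account named "admin", so the name hackers try never exists.
add_filter( 'illegal_user_logins', function ( $logins ) {
    $logins[] = 'admin';
    return $logins;
} );
```

Existing accounts already named "admin" are not renamed by this; create a new administrator with a unique name, then delete the old one and attribute its posts to the new user.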
4. Use an advanced security plugin.
Like Wordfence. Do I sound like a broken record? Well, get over it and install it. Wordfence is free (but has paid upgrades). The fact that it’s free and offers so much added support makes this a no-brainer.
5. Make sure you do daily or weekly backups of your website.
Luckily all of my sites were backed up, so I didn't lose any posts or content on my server.
Do you make backups of your website? Don't trust your hosting provider to do this for you, it's likely that it is not included in your hosting plan. If they do provide backup services or you pay extra for it, great. But back it up somewhere else in addition.
Have you heard the expression "two is one and one is none"? It's so relevant to backups.
For people who do backups, they usually back up their computers to a hard drive next to their machine. Well what happens if your office burns down or is flooded or gets hit by a sharknado? Your original copy is gone, and so is your backup.
You can use an automated plugin for this like BackWPup. This will run backups on a schedule you set and will save the file to several destinations such as Dropbox, Amazon S3, Rackspace Cloud Files, Microsoft Azure and more.
6. Delete/remove unused plugins or themes.
No use in keeping those deactivated themes or plugins around, especially if the developers aren’t pushing out updates to them. Hackers can gain access to your site and server through those older un-updated themes and plugins.
7. Do your damn updates.
That was something that I wrote on a bulletin board in my parents' home office. I hated that every time I came home from college I had to do tech support and clear out spyware, update virus definitions and do Windows Updates.
This advice is the same for WordPress. So much aggravation and grief can be saved by doing your WordPress, plugin and theme updates on a regular basis.
If plugins or themes haven't been updated in some time, there's a good chance that they could be an easy entry point for hackers. Ditch those old plugins and themes and find yourself a replacement that is more up to date.
This is your website. It's likely one of the first things your customers will see. Make sure it's up, running smoothly and isn't an easy target for hackers. If your website is down any potential client could end up on your competitor's site, and no one wants that.