07 Apr Securing WordPress from Hackers
Groan hackers and malicious scripting are such a massive pain. They take up time, energy and resources that otherwise could have been spent doing something productive. Anyway here is a nice little post to help stay secure and more importantly backed up, in case the worst happens.
I am writing this post after a pretty serious hack and defacement on a new site that is currently in development and thankfully not live. As WordPress gains popularity it becomes more open to hacks and a more lucrative target for people to hijack and exploit. I have compiled a quick list of checks and plugins to help you stay secure.
Installing WordPress ~ The Secure Checklist
- No admin user
- No generic dictionary word passwords
- Correct folder permissions or CHMOD
- Up to date PHP versions and settings
- Use a supported and reputable theme and or plugins
- Secure your admin area and lock it down tight using IP restricting .htaccess file in your /wp-admin/ folder
Once Live ~ Backups, backups and more backups
- Start a remote backup plan
- Ensure server side backups via cPanel are in place
- Each time you make a large change, e.g. a new page or theme up
- Update plugins and WP core files as soon as the new versions come out
- Delete old themes.plugins you are not using they can become holes or funnels for strange activity
- If you allow signups, monitor them as much as you can
Plugins ~ Use the force
- Akismet – This is a total no brainer and it comes bundled with WordPress, signup for an API key and make sure this is on everything you have running WP. This will stop spam comments and keep you safe from comment and linkback spam.
- WP Security Scan – I like this plugin it tells me when I have forgotten to lock something and gives an option to connect to the plugin author WebsiteDefender.com they have free and paid options so you can get a package to suit you, which will alert you sooner to any hack or malicious software.
If you get hacked, don’t panic
- Take a deep breath, at the end of the day it is a website and no one has died
- Contact you host and ask that your site be suspended or redirected asap
- Check your backups via cPanel or local
- Asses the delta in changes
- Decide on which version of your backups you plan to rollback to
- Restore your server based on this backup
- Reinstall WordPress and your theme
- Delete all of the other unused or dormant themes and Plugins
- Talk to your host to find out more a good WordPress Host will help here and they will/should be able to say what if anything was the cause
- Learn your lesson and do as many backups as possible
Right so this should be enough to keep the script kiddies and amateur hackers out, in most cases a backup restore will be the best way to just nuke the issue and go back in time to a point where your site was ‘clean’. Talk to your host and if they wont help reach out to the wider community, everyone has felt this pain at some point and people will help you.
Questions, comments or feedback, you know the drill drop me a line firstname.lastname@example.org