Hacking is often done in a way designed NOT to draw attention to the breach. It's often drawn to your attention by Google throwing up warnings to visitors, or by your hosting company blocking access to your website and giving you an ultimatum to clean up the problem within 24 hours, or else…
How to deal with WordPress Hacking
Don't panic, because that won't help! Usually, the hacking efforts I've seen relate to exploits of inherent security weaknesses in:
- JavaScript within plugins
- file or directory permissions, allowing concealment of phishing (most often bank fraud) code in a sub-directory
- cracking cPanel or WordPress Admin accounts
The first indication may be:
- an email from Fraudwatch requesting you delete the offending content
- a warning from your hosting company that the site is compromised and in danger of being shut down
- a tip from a friend or client that Google is displaying malware or virus warnings about your website
It is rarer to have an overt, immediately obvious hacking occur. It's mostly an out-of-sight, deeply planted problem that the hacker hopes won't be discovered for weeks or months. Dealing with the problem is usually a straightforward process, as per the next section.
WordPress Hacking Recovery
In the unfortunate event that your website is hacked and you need fast help, contact me for prompt assistance. I have extensive experience in WordPress website recovery after hacking attacks, regardless of whether the problem is a:
- Blackhole Exploit
- Account takeover
- Admin password compromise
- Phishing attack
- Link injection
- Malware infection
- Virus infection
- Permissions exploit
This usually consumes a couple of hours' effort, because I will go through and:
- check if http://sitecheck.sucuri.net/scanner/ identifies any phishing/virus/malware files
- secure the Hosting & FTP accounts by changing passwords
- secure WordPress by changing Admin ID and passwords
- secure the WordPress database by changing the DB User ID and Password
- replace all core WordPress files
- remove / quarantine any suspicious files & directories
- install Wordfence; run a scan on all files, configure lockdown settings, apply User ID & Password restrictions
- apply a range of preventive measures to minimise further issues
The goal is to disinfect the site and prevent further intrusions.
WordPress Security Implementation
Securing your WordPress business site is a mission-critical risk management strategy. I am able to:
- Install the most appropriate WordPress website security application
- Configure the site to give you the best possible protection from hacking attempts
- Enforce strong passwords
- Block illicit login attempts
- Block access from troublesome geographic regions (China, Russia, etc.)
- Secure the Admin access
- Mitigate DDOS threats
- Etc…
Attacks are primarily initiated in Russia, Poland, Germany and India. Generally speaking, it's easy to minimise the potential threat with an hour of proactive effort! As always – an ounce of prevention is better than a pound of cure!
How to Secure WP
Several basic items need to be addressed as part of securing your WordPress installation.
#1 – A Secure WordPress User ID
The default User ID is "admin" and you should NEVER use that on your site. If you do, it immediately means 50% of the "site access" details are known – Mr Hacker only needs the password now.
A secure User ID contains a minimum of 10 characters, mixing upper and lower case letters with numeric and special characters, e.g. #tHe$1bOss
In addition, you should then assign a User Account "nickname" that gives no clue as to the real Admin User ID (should you inadvertently use the account to publish any pages or posts!).
For example, if the Admin User ID was “#tHe$1bOss” then using “Admin” as the nickname may prove to be an effective element of confusion…
#2 – Secure Passwords
Most people foolishly use a password related to their life in some guessable way. Phone numbers, wife’s name, child’s name, dog’s name etc… A little bit of research, a bit of trial and error on the part of a smart hacker or competitor and your site is wide-open!
A secure Password contains a minimum of 10-12 characters, mixing upper and lower case letters with numeric and special characters, e.g. #4X~bEEr$5
There are several websites specialising in secure password generation…
- www.pctools.com/guides/password/
- www.strongpasswordgenerator.com/
- www.onlinepasswordgenerator.com/password.php
Always USE one of them if you are short of inspiration!
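The User ID rule in #1 and the password rule in #2 are the same policy (minimum length plus upper case, lower case, a digit and a special character). The following is an added example, not code from the original page: a PHP check that enforces that policy on any candidate, and a generator that builds a compliant string from PHP's cryptographic random_int() rather than rand(). The SPECIALS alphabet and the helper names are my own choices.

```php
<?php
// Added example: validate and generate Admin User IDs / passwords against the
// policy described above. Not part of the original page.

declare(strict_types=1);

// Special characters allowed in generated secrets (my choice; widen if you like).
const SPECIALS = '#$~!%^&*-_+=?';

/**
 * Return true when $candidate meets the policy: at least $minLength characters,
 * with upper case, lower case, a digit and a special character all present.
 */
function meetsPolicy(string $candidate, int $minLength = 10): bool
{
    if (strlen($candidate) < $minLength) {
        return false;
    }
    return preg_match('/[A-Z]/', $candidate) === 1
        && preg_match('/[a-z]/', $candidate) === 1
        && preg_match('/[0-9]/', $candidate) === 1
        && preg_match('/[^A-Za-z0-9]/', $candidate) === 1;
}

/**
 * Generate a random string of $length characters that satisfies meetsPolicy().
 * random_int() is PHP's CSPRNG; rand()/mt_rand() are predictable and must not
 * be used for credentials.
 */
function generateSecret(int $length = 12): string
{
    if ($length < 10) {
        throw new InvalidArgumentException('Policy requires at least 10 characters');
    }
    $classes = [
        'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
        'abcdefghijklmnopqrstuvwxyz',
        '0123456789',
        SPECIALS,
    ];
    $all = implode('', $classes);

    // One character from each class guarantees every class is represented...
    $chars = [];
    foreach ($classes as $class) {
        $chars[] = $class[random_int(0, strlen($class) - 1)];
    }
    // ...then fill the remainder from the whole alphabet.
    while (count($chars) < $length) {
        $chars[] = $all[random_int(0, strlen($all) - 1)];
    }
    // Fisher-Yates shuffle so the forced characters do not always sit at the front.
    for ($i = count($chars) - 1; $i > 0; $i--) {
        $j = random_int(0, $i);
        [$chars[$i], $chars[$j]] = [$chars[$j], $chars[$i]];
    }
    return implode('', $chars);
}

// Demonstration: the article's two examples pass, the guessable ones fail.
// Single quotes keep "$1" and "$5" literal instead of PHP variable interpolation.
foreach (['#tHe$1bOss', '#4X~bEEr$5', 'admin', 'fluffy1999'] as $candidate) {
    printf("%-12s %s\n", $candidate, meetsPolicy($candidate) ? 'OK' : 'REJECTED');
}
$generated = generateSecret(12);
printf("%-12s %s (generated)\n", $generated, meetsPolicy($generated) ? 'OK' : 'REJECTED');
```

Run it with `php policy.php`. The check is deliberately a floor, not a ceiling: a string that passes it can still be weak if it is a dictionary word with one digit bolted on, which is why the generator, rather than the human, should be choosing the characters.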
WordPress Security Plugins
A properly implemented WP security plugin will divert the majority of hackers' efforts – specifically the bot-based ones! In the less likely event that a human-authored attack is made, it is easy to have basic but robust barriers in place that increase the probability of the hacker giving up and going in search of a softer target. Time is money…
Wordfence is my preferred security plugin because it is robust and reliable, easy to configure and covers the most important areas of vulnerability.
Comment Spam & Bad Links
These contribute negatively to your website's online profile, and consequently have a negative impact on rankings. Eliminate this easily:
- Don't allow user registration unless it's necessary!
- Don’t allow comments OR trackbacks on pages!
- Close comments on posts after 2 – 4 weeks!
- Don’t allow trackbacks on posts!
Installing and configuring Akismet is not at all difficult and it effectively screens out the worst of the comment spam garbage!
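The four settings above can all be ticked in the dashboard, but a dashboard setting can be ticked back by anyone with an Admin login. The following is an added example, not code from the original page or from WordPress: a must-use plugin (drop it into wp-content/mu-plugins/, where it loads automatically and cannot be deactivated) that enforces the same four settings in code. It uses WordPress's own `pre_option_*`, `comments_open`, `pings_open` and `xmlrpc_methods` filters; the function name and the 28-day figure are my choices.

```php
<?php
/**
 * Plugin Name: Harden Comments and Registration
 * Description: Added example, not code from the original page. Enforces the
 * four anti-spam settings listed in the article as a must-use plugin so they
 * survive theme changes and cannot be switched back on from the dashboard.
 */

// 1. No user registration: pre_option_* short-circuits get_option(), so the
//    value stored from the Settings screen is never consulted.
add_filter('pre_option_users_can_register', static fn() => 0);

// 2. Pages never accept comments; posts keep their own comment status.
add_filter('comments_open', 'hc_no_comments_on_pages', 10, 2);
function hc_no_comments_on_pages($open, $post_id)
{
    return get_post_type((int) $post_id) === 'page' ? false : (bool) $open;
}

// 3. Close comments on posts automatically after 28 days
//    (the 2 - 4 week window the article recommends).
add_filter('pre_option_close_comments_for_old_posts', static fn() => 1);
add_filter('pre_option_close_comments_days_old', static fn() => 28);

// 4. No trackbacks or pingbacks anywhere: default new content to "closed",
//    refuse them on existing content, and remove the XML-RPC method that
//    receives incoming pingbacks so the request is rejected before it is stored.
add_filter('pre_option_default_ping_status', static fn() => 'closed');
add_filter('pings_open', '__return_false');
add_filter('xmlrpc_methods', static function (array $methods): array {
    unset($methods['pingback.ping']);
    return $methods;
});
```

Because `pre_option_*` filters override the stored option, the Settings > Discussion screen will still show the old values but they no longer take effect; check the live behaviour on a page and a post rather than trusting the checkboxes. Akismet continues to work alongside this, since it filters the comments that do get through rather than deciding which content accepts them.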
Maintaining WP Core Files & Plugins
It is crucial that you install WordPress and plugin upgrades in a timely fashion. Whenever a security breach or exploit occurs, fixes are quickly put in place. However, word of the exploit vulnerability quickly circulates amongst the hacking community, and fresh targets are sought.
Wordfence security ensures you are notified as soon as WordPress or plugin upgrades are released.