by Karen Nierlich, Tod Abbott and Allison Rolls
WordPress has grown in popularity exponentially over the last 5 years. Unfortunately, hackers have been turning their attention to the platform because of its popularity. Prior to last year, hacking was very rare in our experience with small and medium business clients. Last year we fixed several instances of hacking (Two were sites we had built, several others were sites owned by colleagues or people who came to us for help.)
As we start 2014, I want to share with you simple steps you can take to make your site safer from hackers. Unfortunately, no site is ever 100% invincible, but your site will be less vulnerable than the majority if you take all or even some of these steps.
The hack we’ve seen most commonly is where links to other businesses are placed in your site code*, like links to sites that sell handbags or viagra–both popular black market items. The other things that can happen are that your site disappears and visitors see a “404 Error — Page Not Found” instead of your site. Or your sales page gets hijacked so that credit card info is sent to a country overseas. Hope these scenarios will compel you to take the following steps.
Here’s a list of how to protect your site. Below is more info on each tip.
1. Update WordPress Software, Themes, and Plugins as updates are released
2. Back Up your Site and Store it on a Cloud Server or not just your server
3. Use Hard-to-Crack Passwords for your Website (& bank account & stuff you want to stay secure)
4. Do not use “Admin” as your User Name; Use a Unique User Name
5. Use WordPress Security Plugins
6. Set up WordPress to use information other than the default information
7. Get your Themes and Plugins from reputable sources
And now the extended version:
1. Frequent Updates of WordPress Software, Themes, and Plugins
WordPress puts out several software updates a year and each one of these have to do with plugging vulnerabilities that have been found or making changes to keep sites more secure.
How do you know it’s time to update? When you login to your WordPress dashboard area, you’ll see a message at the top saying there is a new update for the WP software available. You’ll also get cues to update the plugins. The #’s that show up on the plugin tab indicate there are so many plugins that need to be updated. Don’t update however until you’ve read #2.
2. Back Up the Site and store it on a cloud server or not just your server
Before updating the version, back up the site. Backup Buddy is a plugin which will do it for you on a schedule, for example.
Additionally, it’s wise to store these back ups on a different server. That way if your site and server get hacked, you still have a clean version of the site to upload. It could save you hundreds or thousands of dollars. Some hacking code is hard to clean up or remove, in those instances we reload the back up copy. Also, the back up copy is essential in case something goes wrong with the site when the new version is loaded.
[Finally, our FOW sites are built to handle all the regular incremental WordPress version changes…ie. v.3.1, 3.12, 3.13 etc. However when it’s time to move from v. 4 to v. 5 we’ll be calling our clients and offering our services in case it’s a bigger change to the WP Software.]
3. Use Hard-to-Crack Passwords for your Website (& bank account & stuff you want to stay secure)
Most people are using passwords based on their pets names, their favorite teams, children names, phone #, addresses and other data that’s easy to discover. It’s especially easy for computers that are working to crack passwords. If you are using easy to remember passwords, it’s time to move to a longer password with multiple random characters like 45Vb{T*&$!!mounttam. You can use password software or an Excel spreadsheet to keep track of these passwords. It’s fine to use less secure passwords for other things, but move to a STRONG password for your website, bank account and anything else you want to remain secure.
4. Do not use “Admin” as your user name; Use a Unique User Name
I think 90% of people are doing this, including me until recently. Don’t give hackers an easy starting point by using an obvious user name like “admin.” Don’t use your name or nickname either. Keep in mind that you can set your login name to something very secure, and use WordPress User Profile controls to change how it is displayed on blog posts. So, your login id might be “wp@jane*admin3”, but posts show the author name “Jane Doe.”
5. Use WordPress Security Plugins
A very simple thing to do is to add a firewall plugin to WordPress. These plugins, among other things, will monitor all the information submitted through a form on the site and block attempts at code-injection (submitting text that gets run as code). Some plugins can be set up to send you an email when such an attack occurs — so you are notified if your site is suddenly under attack.
The plugin we normally use is a variation the venerable “Wordpress Firewall” plugin. When we started using this, it was called “Wordpress Firewall II,” but now we use something called “Wordpress Simple Firewall.” However, there are a lot of these plugins out there. Feel free to search for “firewall” in the WordPress Plugins list, and review what you see. You want to be sure the plugin is highly rated, and, importantly, was recently updated. It’s always good to use plugins that are actively updated, but it is crucial for security plugins since hackers are developing new attempts all the time.
6. Set up WordPress to use information other than the default information
This can be done either at the time of installation, or at any time after that (though it’s easier to do it right from the start). The first step is to override the WordPress default database table prefix — this just changes the names of the different tables in the database so that it is harder (or impossible) for hackers to guess. Without the correct names, hackers can’t easily add values directly to the database.
The second step is to relocate the wp-admin folder. This holds all the controls that you use to control the site — post pages, add plugins, manage users, etc. By renaming this folder, you make it harder for hackers to directly access these very powerful tools.
7. Get Your Themes and Plugins from Reputable Sources
There are many free themes and plugins available. The downside is that a theme or app could have a malware or a virus or other hacking code already stowed on board. To be safe, get your themes and plugins from the WordPress site and always read some of the reviews. If you do want to use a theme or plugin from another source, be sure to Google the name of the programmer or company releasing the plugin or theme and the item it to ensure it hasn’t been identified as a bad source.
Several of these tips are very easy to implement such as using strong or unique user names and password. Hope you’ll implement those immediately. Look for future articles on backing up or how to know if your site has been hacked.
* (more info on how a site gets hacked)
There are a number of ways that a WordPress site can be compromised. The easiest to understand is hackers guessing the login credentials of a site administrator, and so gaining full access to the tools controlling the site. Another practice has hackers targeting specific files in the WordPress site and accessing their functions directly (such as a script to write a value to the database). Another strategy is called “code injection,” where specially constructed values are submitted through a form on the site (such as the search form). When processed, the submitted text can trick WordPress into running it as code and doing something such as setting up a new administrative user or downloading and running a script from another site.
All of these can lead to a broken site, a site with illicit content, a site that is used to spread spam, or any other of a number of undesirable activities. Because of these different ways of hijacking the site, there are different things that must be done to protect a site.
Karen Nierlich, Principal, Full Orbit Web and Marketing
We are now offering a monthly WordPress maintenance package if you are interested in having FOW back up and update your site. That means we’ll back up the site, check for viruses or hacking, and update Word versions and plugins. Give us a call at 510-527-9920 or send an email, if you’d like to know more about the package.