When it comes to running your business you’d probably prefer be working with clients or patients. Spending your time fixing a hacked website is likely just below taxes on your list of favorite things to do. Right?
We could joke about it except for the fact that it’s actually a serious problem. I regularly talk to people who balk at the idea of spending money keeping their website properly maintained and updated. Like most things in life, you can get away with that approach for a while. Eventually though, it’ll catch up with you and the pied piper will come calling.
Keep in mind, I’m not saying an up to date website is guaranteed to be problem free. Simply that you’ve taken some reasonable precautions which hopefully, will minimize the chances of being hacked.
What happens when your website gets hacked?
Sometimes it’s obvious as your entire site is taken over – Major pieces of content are defaced or eliminated. Other times the hack can be more subtle. Visible only to people who are searching for your business or worse yet, spamming thousands of people via email from your IP address. Hacking ranges in seriousness from a minor nuisance to what could be classified as an outright disaster.
If your website is running wordpress, hacking is often of the malware variety. And it’s much more common than you might imagine.
With about 5 minutes of work I found a local business infected with malware. Their website is currently running a WordPress that is a few versions out of date. Here is an example of the search results returned:
Basically what you can see here is that a new, undesirable meta description has been injected into the site. The result? When a potential new customer searches for this gym, this is what they see. Not the ideal first impression and it probably decreases the likelihood of anyone clicking on that search result.
How To Reduce The Odds Of Your Website Being Hacked
As they say, a ounce of prevention is worth a pound of cure. So what are a few ways you can reduce the chances of your site being the victim of an attack?
Let’s look at some simple things you can do. Before we get started though, let me begin by stating that I am not an expert in WordPress security. There are a ton of resources and individuals out there that know infinitely more than I do.
This article isn’t about how to clean up your MySQL database or pick through your functions.php file trying to find a piece of malicious code. This is about five simple steps you can take in order to minimize your risk.
Let’s get started!
1. Back-Up Your Website
The simplest step of all.
- Before updating anything, always perform a full backup. The more frequently you add content, the more frequently you should back your site up.
- Keep a backup on your server as well as a second copy in either DropBox or Google Drive. Also, don’t simply overwrite your previous backup with a new version unless you’re sure it’s clean. Keep 2-3 versions on file and rotate.
2. Keep Your Core and Theme Files Current
Most of us would never dream of driving our car for 2 years without a proper service or oil change. Yes, there are people who do and I’m sure their mechanics love them.
Don’t be that person.
If you’re running a WordPress website, it’s going to require some regular maintenance. There is no way around it. You don’t have to do it yourself, you can pay someone like me to do it for you (plug) but one way or another, you need to get it done.
3. Pick A Secure Username & Password
By default, WordPress assigns a username of “Admin”. A username of Admin is akin to having the name “John Doe”. Everyone in the world knows it.
If you’re just about to install WordPress, use something other than admin. If you’ve already got WordPress setup, Create another administrator with a name that not so easy to guess and get rid of the old one.
Lots of people use something like their name or their company name. Go one step further and make your username something that’s difficult to guess. Throw in a few numbers and symbols. A username of JiM5Bak3R7! is a lot harder to guess than JimsBakery.
Your password should be even more difficult to guess. Use random characters including lower case, upper case, numbers and symbols. 12 characters minimum.
There are lots of great apps available that will categorize and store your usernames and passwords. There is no excuse to get caught using the same password for 10 different accounts.
Regarding Usernames and Passwords:
If your blog displays the Author Meta information as a link above or below each post , it’s relatively easy for someone to figure out what your username is. Here’s how:
Through your personal profile settings, there is a field called “Display name publicly as”. You’ve probably selected that your name should be displayed as either your first or last name, maybe both. When you read a post, you may see your name displayed as the author. However, by hovering over the author name you will see a url displayed at the bottom of your browser. Unless it’s set up properly, the url will display your username. Thats’s 50% of your login information right there.
In the post meta, you’ll see your display name. If you hover your cursor over the author link you will see that the it actually displays your admin username. You can fix this pesky little problem by doing the following:
Log into your hosting control panel and then phpMyAdmin. In the table called “your prefix”_users you’ll see a field called “user_nicename”. By default, this is the same as your username. If your username has “admin” privileges, then your admin username is now displayed publicly as you see in the above pictures. Change the “user_nicename” field to be the same as your display_name field which you’ll see at the very bottom of the field list.
Now when a visitor hovers over your author name, they will see your display name instead of your admin login.
Note: If you’re not comfortable poking around you database, get someone to do it for you.
There are two alternatives to changing your database:
- Remove the author link from your blog posts and make the name static.
- Set up a second user profile that only has author privileges. Save your admin profile for actual admin work.
4. Select A Secure Theme and Framework
Your WordPress theme and framework are the building blocks of your website. In most cases, when I pick a starting point for a project I begin with the Genesis Framework from StudioPress. Built on a child / parent relationship, it’s the safest and easiest way to modify your theme and keep your core files up to date and secure.
In addition, make sure your framework/theme is updated on a regular basis with security fixes. The last site I had to repair, was using a theme that had not been updated in several years. The developers personal website wasn’t even active in the event that I wanted to request a clean set of updated theme files.
5. Install This Plugin
This free plugin allows you to set a limit on the number of failed login attempts that a particular IP address can make before being blocked from further attempts. Many of these attempts are automated, brute-force attacks. If you’re wondering how often this could possibly happen, take a look at the small snippet of failed login attempts for a website. You can clearly see how popular it is to try logging in with the username of “admin”. Keep in mind, this is only a partial record over a 48 hour period.
There you have it. In less than 20 minutes, you have made your website more secure than probably 98% of the sites out there. Remember though, secure doesn’t mean bulletproof. Keep an eye out for anything on your website that looks suspicious by doing the following:
- Google your site every now and then to see what comes up. If it looks like your unexpectedly in the viagra business, you have probably been hacked.
- Login to you Google Webmaster Tools and review any messages.
- If you notice a sudden change in keyword rankings, buckle down, do some research and figure out why it might be happening.
- Watch out for a rapid decrease or increase in traffic – either one can indicate a potential problem.
- Scan your site periodically using Securi SiteCheck.
- Take not of anything that is unusual – For example if people stop receiving your emails or they are ending up in spam.
Keep in mind that the above steps are just a few of the ways to harden your security. We haven’t even touched on things like tweaking your .htaccess file, picking a better database prefix or checking your current file permissions. Like anything in life, the most important thing is to just get started.