I have four blogs and once upon a time three were hacked. They were redirecting to sites that were for X-rated viewing. This not only happened once, but three times! The same redirect and they happened around the same time during each month. How did this happen?
Bad security. It’s really that simple.
I’ve set up many WordPress sites for many people and have taken the necessary security measures for their sites, yet I did not follow my own rules on my own blogs. Lesson learned. And a very expensive one at that.
The first time it occurred, I paid a company to clean out the code on my sites. It was quite costly. The second time it happened, I decided to handle it myself simply because it was just too expensive to have the same company do the cleaning again for me. But, it seemed no matter how much cleaning I did on my sites, the same thing occurred yet again a third month. There was a backdoor and I couldn’t find it.
What did I end up doing? Frustrated, upset and dejected, I decided to find a new host for my sites since my hosting plan was up for renewal. I simply lost confidence in the host I had been using for two years even though I had great customer service experiences with them.
Since WordPress is open source, as are its plugins, you need to take extra steps to set up security for your blogs. Here are five steps you can take to lower your risk of getting hacked. If you've already been hacked, you can still follow these steps:
- Install WordPress manually instead of using the 1-click install feature provided by your host. A friend of mine actually recommended this. In many instances the 1-click install is a software feature provided by a third party, not your host. It's also important to note that manually setting up WordPress allows you to name your database and username yourself instead of letting the 1-click install choose them. If you need step-by-step instructions on how to manually install WordPress you can go here.
- Add the “SALT” security keys to your wp-config.php file; they strengthen the hashing that protects your login cookies and sessions. Go here for an online generator.
- Prevent people from seeing your directory listings by editing your .htaccess file. You can do this simply by adding the line Options -Indexes to the .htaccess file in your site root.
- When you walk through the WordPress installation process, DO NOT use the generic “admin” username for your login. I've never used “admin” as a user, but I never deleted the profile either. A friend of mine reminded me that hackers could use this username to hack into your site.
- Install a security plugin. Sift through the plugins available and choose one that receives active updates from its developers; you want to make sure the plugin you choose doesn't put you at risk in the future. One plugin that has had good ratings is Wordfence. It lets you set up lockouts and scans your WordPress files for risks.
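As an added example (not part of the original post), here is a small POSIX shell audit for two of the steps above: it checks whether wp-config.php still carries the stock placeholder text instead of unique salts, and whether the root .htaccess contains Options -Indexes. The site layout is assumed to be the standard one, and the sample files it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): read-only audit of two of the
# steps above. Paths assume a standard layout; sample files are constructed.

SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 0 if every key is defined in $1 and none still carries the stock placeholder
# text that ships in wp-config-sample.php.
salts_ok() {
  for key in $SALT_KEYS; do
    line=$(grep -E "define\([[:space:]]*'$key'" "$1" 2>/dev/null) || return 1
    case "$line" in *"put your unique phrase here"*) return 1 ;; esac
  done
  return 0
}

# 0 if the .htaccess in the site root $1 turns directory listings off.
indexes_off() {
  grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1/.htaccess" 2>/dev/null
}

# Writes a constructed wp-config.php to $1 giving all eight keys the value $2.
write_sample_config() {
  printf '<?php\n' > "$1"
  for key in $SALT_KEYS; do
    printf "define('%s', '%s');\n" "$key" "$2" >> "$1"
  done
}

# Prints one finding per check for the site root $1.
audit_site() {
  if salts_ok "$1/wp-config.php"; then echo "salts: unique values set"
  else echo "salts: MISSING or still the placeholder text"; fi
  if indexes_off "$1"; then echo "directory listing: disabled"
  else echo "directory listing: ENABLED (add 'Options -Indexes' to .htaccess)"; fi
}

# Demo: a site left as wp-config-sample.php ships it, then the fixed version.
demo=$(mktemp -d)
write_sample_config "$demo/wp-config.php" 'put your unique phrase here'
audit_site "$demo"
write_sample_config "$demo/wp-config.php" 'xK4vB9qLm2ZpR7wT'
printf 'Options -Indexes\n' > "$demo/.htaccess"
audit_site "$demo"
rm -rf "$demo"
```

Point audit_site at a real site root to get the same two findings for that install.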
One last note. If you've been hacked and need help cleaning out your code, I recommend using Sucuri to protect your site. This is not the company I used (whom I wouldn't recommend), but I will use them in the future, and a friend of mine has used them. Their packages are inexpensive, they offer unlimited cleanings and they do a great job.
After doing these five steps on each of my sites, I've thus far been hack-free, and I receive notices when someone has been locked out after unauthorized login attempts.
Need help setting these up? Feel free to contact me.