Having someone attempt to hack into your website is as likely to happen as it is to rain sometime this year.
Most everyone I know has had one of their websites hacked. Mine (hosted on HostGator) have been hacked three times, and on GoDaddy and Synthesis once.
It’s a big pain in the butt unless you do a little planning and take out a bit of insurance.
If you are serious about developing your online business then you need to treat it as one. It only costs a couple of extra dollars and a little time to secure your site against hackers.
If you are not interested in the technical side of running a blog, that’s no issue if you are willing to spend a few dollars a month to have it managed for you.
Ten Steps to Secure WordPress From Hackers
The worst case to plan for is someone getting into your website and putting a virus or malware on your server.
You will know this happened when you get an email from your hosting company telling you your site has been removed or quarantined, or when you go to your website and see a big red warning like this one.
Maybe you went to log in and ended up on a Russian porn site.
Oh no!
Recovering from a hack takes more time and money than preventing one. Not to mention how long that phone call from your relative will be as you try to explain what the naked people are doing on your website.
Knowing the different methods used by hackers can help.
Potential Origin of Malware and Redirects
* Your own personal computer may already have been infected with malware that has been recording your login information as you type it.
* Another site on your shared hosting server was hacked and the infection spread to the entire server.
* You installed a plugin that contained the malware.
* You installed a theme that contained the malware.
* Hackers have programs that will repeatedly try to log in to your site, running through series of passwords until they finally gain entry. This is called a Brute Force Attack and happens to most websites every day. If you are curious about how many times hackers try to access your site this way, you can start recording and reviewing your “Raw Access Logs”.
There is also a plugin that will limit the number of login attempts and notify you.
Once a hacker gains access to your server or files, you are in for a skittle bowl of an adventure. Most of the harm can be recovered from, but it can cost money and take a long time. Time is money too: for as long as your site isn’t accessible you are losing sales and leads.
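One way to do that review without a plugin, as an added example that is not part of the original post: a small POSIX shell/awk function that reads an Apache-style raw access log (the format cPanel’s “Raw Access Logs” use) and lists the client addresses that failed the login form repeatedly, together with whether they eventually got in. The log lines and IP addresses are constructed for the example.

```shell
#!/bin/sh
# Count login attempts per client IP in an Apache/cPanel raw access log.
# A POST to wp-login.php answered with 200 means WordPress re-drew the login
# form (wrong credentials); a 302 means it redirected into wp-admin (success).
# Usage: wp_login_report [logfile|-] [threshold]   (defaults: stdin, 5)
# Output: "ip failed succeeded" for every IP with failed >= threshold,
# most failures first.
wp_login_report() {
  awk -v t="${2:-5}" '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ {
      if ($9 == 200)      fail[$1]++
      else if ($9 == 302) ok[$1]++
    }
    END {
      for (ip in fail)
        if (fail[ip] >= t) print ip, fail[ip], ok[ip] + 0
    }' "${1:--}" | sort -k2,2nr
}

# Constructed sample (not a real log; documentation-range IPs as placeholders):
# one address hammers the login form and then gets in, one visitor mistypes once.
SAMPLE_LOG='203.0.113.7 - - [10/Mar/2024:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:03:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:03:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:03:14:06 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:03:14:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:03:15:10 +0000] "GET /2024/03/my-post/ HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:03:16:00 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:03:16:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Stand-alone demo on the sample; on a server pass the real log path instead.
printf '%s\n' "$SAMPLE_LOG" | wp_login_report - 5
```

An address with many failures followed by a success is the line worth acting on: reset that account’s password and check for new users or changed files.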
Steps to Prevent Hacking
1. Start with a reputable webhost. One of the (many) issues with using small hosting companies is their lack of security, support, and resources.
You can minimize the risk of shared hosting by choosing to be hosted on a dedicated server or VPS. This will require you to be a little more techie than the average bear, but if this interests you and you want to spend the extra dough, then the security, speed, and other versatility are worth it.
Another alternative to shared hosting is “managed” hosting designed specifically for WordPress sites. This website is hosted on one now (Synthesis). I was hacked on Synthesis and they uploaded a bunch of linked pages linking out to spam sites. Basically turning my site into an unwilling cog in a link farm. Although I pay for Sucuri who are supposed to pay attention to stuff like that – they missed the hack and I had to tell them I was hacked. On the upside the Synthesis people had the backups going back to a day before the site was hacked. The lesson here was: you can’t just rely on a “security” service. You also need backups and people to manage it if you don’t know how.
You can still feel secure on a shared server though. There are many more preventive measures you can take.
2. Choose a username other than the default “Admin”.
When you are installing your site for the first time with HostGator you get to choose your username and more. I prefer to choose just letter jumbles that can’t be easily guessed, like this: YwHChokiafyx.
If you have already been using the default “Admin”, the directions are here on how to change your WordPress username.
3. Use really strong passwords with random letters, numbers, and symbols, like this one: y%-dq~&D.Kf*KRr
4. Use a Captcha on your login form. Most Captcha plugins also have settings for your comments, which will help with spam. The more steps you add to getting in, the less likely you will be hacked via a Brute Force Attack.
5. Assign all your posts to an “author” or “contributor”. The reason for this is that the author’s username is easy to find.
You can also see the author’s username if you click on the name in the Post Info at the top of your post.
When you click on the author’s name, all the posts assigned to that author are listed in a blog roll, and in your browser’s address bar you will see the username.
Your source code is also visible to anyone who knows how to right-click their mouse.
The name of the author on the posts is available in your source code too.
By assigning the posts to a different user with no access to the site except the ability to post, you minimize the risk of a hacker finding out the name of the admin user.
To do this, just add another user and give them “contributor” access then assign ALL the posts to that user.
6. Be cautious installing new themes. Free themes from the WordPress repository are fine, but be cautious where you get your free ones from.
7. Stay updated. Whenever your WordPress requires updating you will be notified. Don’t leave your site out of date and vulnerable.
8. Be aware of free plugins. Free plugins from the WordPress repository should be fine. Update your plugins when they notify you of an update.
Sometimes purchased plugins will require a new installation in order to update your software. When you purchase your plugin be sure the developers have a good and current email address for you so they can notify you of updates required.
9. Hide your files – sometimes the hackers will cruise around trying to get a look at your files. You can block hackers out by disabling directory browsing.
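For Apache hosts (HostGator and most shared hosting), the directive that does this is “Options -Indexes” in the site’s .htaccess. The helper below is an added example, not from the post: it checks for the directive and appends it only when it is missing, so it can be re-run safely; the path in the usage line is a placeholder.

```shell
#!/bin/sh
# Disable directory listings for an Apache-hosted WordPress site by making
# sure its .htaccess carries "Options -Indexes". Idempotent: running it
# again does not add a second line. Prints "added" or "already set".
# The host must allow "Options" overrides in .htaccess (AllowOverride
# Options or All) for this to take effect; on nginx use "autoindex off;".
disable_directory_browsing() {      # $1 = path to the .htaccess file
  htaccess="$1"
  if [ -f "$htaccess" ] && grep -qi '^[[:space:]]*Options[[:space:]].*-Indexes' "$htaccess"; then
    echo "already set"
  else
    # Creates the file if it does not exist yet; a root .htaccess also
    # covers subfolders such as wp-content/uploads.
    printf '\n# Do not list folder contents when no index file exists\nOptions -Indexes\n' >> "$htaccess"
    echo "added"
  fi
}
# Usage: disable_directory_browsing /var/www/html/.htaccess   (placeholder path)
```

Afterwards, opening a folder URL such as wp-content/uploads/ in a browser should return a 403 instead of a file list.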
10. Backup, backup, backup. Make sure your work is backed up EVERY TIME you make changes.
When you buy your hosting you choose to opt in or out of their backup service. It’s a cheap add-on for the peace of mind you will get. I’ll also recommend you back up your work every time you make changes too, since the hosting service backs up only once a day, and if you are putting a lot of work into your site you want to keep your changes.
You can back up your work by downloading a copy of your database through phpMyAdmin. Then, through FTP, download a copy of your wp-content folder plus any other files or folders where you stored images or information.
Or you can do this more simply by using a backup plugin.
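The same two pieces (the database plus wp-content) as a server-side script, added here as an example rather than the post’s own method: it reads the database credentials from wp-config.php, so it assumes shell access to the host with mysqldump, tar and gzip installed; the paths in the usage line are placeholders.

```shell
#!/bin/sh
# Server-side WordPress backup: database via mysqldump, files via tar.
# Assumes DB_HOST in wp-config.php is a plain hostname (usually localhost).
set -e

# Print the value of one define('NAME', 'value') line from wp-config.php.
wp_config_value() {                 # $1 = wp-config.php path, $2 = constant
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" \
    | head -n 1
}

# Dump database + wp-content + wp-config.php into $2, keep the newest 7 sets.
wp_backup() {                       # $1 = WordPress root, $2 = backup directory
  root="$1"; dest="$2"; stamp=$(date +%Y%m%d-%H%M%S)
  cfg="$root/wp-config.php"
  db=$(wp_config_value "$cfg" DB_NAME)
  user=$(wp_config_value "$cfg" DB_USER)
  pass=$(wp_config_value "$cfg" DB_PASSWORD)
  host=$(wp_config_value "$cfg" DB_HOST)
  mkdir -p "$dest"
  # MYSQL_PWD keeps the password out of the process list and shell history;
  # --single-transaction gives a consistent dump of InnoDB tables.
  MYSQL_PWD="$pass" mysqldump -h "${host:-localhost}" -u "$user" --single-transaction "$db" \
    | gzip > "$dest/db-$stamp.sql.gz"
  # wp-content holds themes, plugins and uploads; wp-config.php holds the keys/salts.
  tar -czf "$dest/files-$stamp.tar.gz" -C "$root" wp-content wp-config.php
  # Rotate: remove all but the 7 most recent archives of each kind.
  for kind in db files; do
    ls -1t "$dest"/$kind-*.* 2>/dev/null | tail -n +8 | while read -r old; do rm -f "$old"; done
  done
  echo "$dest/db-$stamp.sql.gz $dest/files-$stamp.tar.gz"
}
# Usage (run it from cron daily and by hand before every change):
#   wp_backup /var/www/html /var/backups/wp        (placeholder paths)
```

Copy the archives off the server as well; a backup that sits next to the site is lost in the same server compromise the post describes.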
Another good reason for backups is because it will save your behind when you do ninny things at 3am like I did once. I was installing a new WordPress site and overwrote all my files because I picked the wrong folder.
Screwing up can be really easy to do when you are messing around with the files! – well, to clarify, easy for me anyway.
Fortunately after the panic subsided, I was able to restore the site entirely!
Can a Website be Hacker Proof?
No – all these tools won’t 100% prevent a skilled hacker from taking over your site if they are determined to do so. But they will deter the opportunist hacker who is lurking about looking for a weakly secured site.