There’s nothing worse then investing thousands of dollars and countless hours into a WordPress website then ending up having it hacked, ruined and blacklisted from search engines. Yes. If your website is infected with malware and Google detects it. They will display a nasty malware notice and possibly remove your website from their search results completely.
WordPress being the most widely used platform in the world also makes it the most likely to be targeted by hackers. Hackers often hijack neglected WordPress websites for things like sending spam emails, serving up malware, link building and even credit card data skimming.
I recently had a local Anderson SC website owner come to me with issues on his WordPress website. The WordPress CMS website had crashed, wouldn’t load and had the dreaded “Cannot Establish Database Connection” error.
After a brief consult I took on the job as a one hour exploratory consult. Going into situations like this, it’s almost impossible to tell what’s happened to the website until you actually take a look. The most common cause of database errors are corrupted third party extensions that have broken and most of the time, these errors can be easily fixed under a hour or two. Other times, you occasionally find the WordPress website that’s been neglected and has been hacked.
Most hacked WordPress websites I come across. The cause of the hack likely isn’t a skilled super elite hacker penetrated the site to steal sensitive data but is more likely the WordPress website owner simply neglected their website, did not follow best security practices and simply used weak passwords. To make matters even worse – if you’re neglecting your website. It’s very likely you don’t take weekly or even monthly backups of your website which makes the situation so much worse!
In the case of this local Anderson South Carolina WordPress website – While I still don’t know exactly what happened. I have a pretty good idea that the site was neglected, out of date and used weak passwords. The website was unrecoverable and infected beyond repair. They are looking at a completely new build.
Keeping your WordPress website secure really isn’t hard. It just requires a hands on approach and a little common sense. Don’t throw your time and money away or end up like my recently hacked Anderson SC website client. A few simple steps can keep your WordPress website running smoothly!
Keep your themes, extensions and core WordPress UP TO DATE!
It goes without saying. Most WordPress websites have a minimum of three 3rd party modules and extensions. With more extensions and functionality comes more opportunity for security holes and exploits. Hackers often exploit vulnerable code in modules to gain access to WordPress websites. The extension developers usually push out security fixes but they don’t do anyone any good if the website owners don’t update them on their end! WordPress itself has a auto-update feature which I highly recommend leaving on.
I also recommend updating any third party modules every week and making it part of of your weekly maintenance routine. If you’re keeping regular backups – keeping your WordPress up-to-date is pretty risk free and is the first step in ensuring your website stays secure.
Use strong admin passwords & install Wordfence
The next most common WordPress security issue is weak passwords and brute force attacks. People have habits of using easy to remember passwords like “administrator’, ‘password’ or even their birthdays. Hackers take advantage of weak passwords by brute forcing admin passwords to gain access to WordPress websites. Using a strong password with letters, uppercase’s, symbols can go a long ways!
Another step to preventing brute force attacks is by using a module called Wordfence. Wordfence is a free (with a premium paid option) that prevents brute force attacks. As in. Its capable of locking and blocking IP address after X many failed login attempts. It also includes a security malware scanner, a full featured firewall. WordFence is a great all around plugin and there’s no reason you shouldn’t have it on your website.
Use a secure password manager
Most people are afraid of using long complicated passwords because they aren’t easy to remember. This is where a password manager and digital vault suite like LastPass comes into play.
LastPass can be installed on any web browser and the platform is completely encrypted and secured. You can use a master password login and use LastPass to remember all of your passwords and even auto fill out forms for you. There’s no reason to use weak passwords!
Dont use admin as the default username
Most one click WordPress installers use ‘admin’ as the default username. If your user name is admin then any attacker has half of the work already done for them. Now all they have to guess is a password to have access to your website! You have a few options here.
1. Create a new username and delete the old admin one.
2. Use a Username Changer plugin
3. Update username from phpMyAdmin
Disable admin dashboard editing of core files
WordPress by default lets admin users edit core php files of the CMS. If a attacker were to gain access to your WordPress admin then they could edit and execute php code directly from the WordPress admin. To disable this feature you can add these two lines below to your wp-config.php file.
## Disable Editing in Dashboard
This edit blocks the edit feature of php template files from the WordPress dash board.
Keep weekly backs of your WordPress website
Keeping regular backups of your website is another no-brainer in ensuring your WordPress website stays functional. This needs to be done on a minimal of two levels. First. Your hosting company should offer you a automated backup service. I highly recommend Nexcess for website hosting as they are a American owned company with a high level of customer support. They also offer easy to manage automated backup of your WordPress website.
I personally backup my own website every Sunday night and keep a minimal of 3 hosting level backups at all times. This includes all of my files, databases, settings and entire installations. If anything ever goes wrong. I can easily revert back to a functional version of my website.
Another great second level WordPress backup option is Updraft Plus. Updraft plus is another free WordPress extension with a premium option. The free option is great! It can take scheduled backups and completely mirror your WordPress site. Manual backups are just as easy and complete website restores can be made with a click of a button.
A another great habit is to have actual physical backup copies of your website. About twice a year I do a complete export and clone of my website and store it on a physical hard drive. This ensures no matter what happens. I’ll always have my website and I’ll always a version that I can revert back to.
Keep your computer virus free!
Another huge issue with keeping your WordPress website secure is ensuring that your own computer is secure. Keyloggers are a real threat and if your computer gets infected with a virus or malware – The hacker responsible could have a full log of your every keystroke. Keystrokes that likely include ALL of your passwords and personal information.
Windows 10 computers have built in virus detection but I would highly recommend using a software based firewall like Zonealarm and having a third party virus scanner like Panda or AVG installed. You can never be to careful and having extra security provides a little bit more peace of mind.
Recovering your WordPress website
Clemson Web Design does offer website recovery services. The extent of which I can recover your WordPress website highly depends on the backups and preemptive steps that you took to keep your website secure. A professional website is a investment. If you don’t have the time or technical expertise to keep your investment running smoothly, give me a call and we can discuss a monthly retainer to keep your WordPress website running smoothly! Less downtown equals more exposure! Give me a call.