When A Site Gets Hacked
On the morning of a big launch, a client contacted me with bad news: her site had been hacked. Her site is on one of the best hosts out there, one that runs regular security checks, but when she transferred her site from her old host to the new one, she also brought over some unknown vulnerabilities.
Sadly, I’ve seen this happen more than once, and despite my counsel to change their ways before something unfortunate happens, it typically takes an incident like this to convince a client to reform.
Taking measures to make your site more secure isn’t difficult and doesn’t require immense amounts of technical savvy. You only need to follow this advice.
1. Don’t use your website host for file storage.
Lots of folders on your hosting account make it easy for a hacker to hide files and difficult for you to find them. As a developer, I know what files are part of WordPress’ normal installation, but I have been in a client’s File Manager to clean things up or deal with some malicious code on their site and have had to go through tons of folders, making the process time consuming and confusing. Is ASC125.jpg a photo from an engagement shoot or a file that needs to go? It’s hard to tell.
If you need to store files or backups of old sites and you don’t want them on your computer, invest in cloud storage like Dropbox or Amazon S3. Keep your hosting account as clean as possible.
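Knowing which files belong to a normal WordPress installation can be turned into a check. The following is an added example, not code from the original post: it compares a webroot against a core checksum manifest, assuming the manifest has the shape of the api.wordpress.org core-checksums response (relative path to MD5 hex digest), and uses a constructed miniature webroot in place of a real one.

```python
import hashlib
import os
import tempfile

# Directories where WordPress legitimately holds site-specific files;
# files there are expected and are not flagged as unknown.
USER_CONTENT = ("wp-content/uploads/", "wp-content/plugins/", "wp-content/themes/")

def md5_of(path):
    """MD5 hex digest of a file (the core-checksums manifest uses MD5)."""
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def audit_webroot(root, checksums):
    """Return (modified, unknown, missing) as sorted relative paths:
    modified = core file whose hash differs, unknown = file the manifest
    does not list (outside user content), missing = manifest file not on disk."""
    modified, unknown, seen = [], [], set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            if rel in checksums:
                if md5_of(full) != checksums[rel]:
                    modified.append(rel)
            elif not rel.startswith(USER_CONTENT):
                unknown.append(rel)
    return sorted(modified), sorted(unknown), sorted(set(checksums) - seen)

def demo():
    """Constructed webroot with one tampered core file, one hidden extra
    file, one missing core file and one legitimate upload."""
    core = {"wp-login.php": b"<?php // constructed stand-in\n",
            "wp-includes/version.php": b"<?php $wp_version = '0.0';\n",
            "wp-admin/index.php": b"<?php // constructed stand-in\n"}
    manifest = {p: hashlib.md5(b).hexdigest() for p, b in core.items()}
    files = dict(core)
    del files["wp-admin/index.php"]                        # -> missing
    files["wp-login.php"] += b"// tampered\n"              # -> modified
    files["wp-includes/ASC125.jpg"] = b"not a photo"        # -> unknown
    files["wp-content/uploads/photo.jpg"] = b"JFIF"         # user content, skipped
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        return audit_webroot(root, manifest)
```

On a live site, WP-CLI’s `wp core verify-checksums` performs the same comparison against the official manifest; the script above shows what that comparison does and adds the list of files the manifest does not know about.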
2. Run regular scans on your computer — even if you have a Mac.
Macs are not magically immune to every malicious file out there, though they are typically better than PCs. If you visit a website that’s infected you could inadvertently download an infected file. It has happened to me before, but I have virus scanning software in place to take care of the file before it becomes a problem.
Check out AVG Antivirus — it has free and paid-for versions for Macs, PCs, and Android devices.
3. If your WordPress administrator login is “admin”, change it.
Once upon a time, a WordPress installation defaulted to creating the “admin” username. These days, that username is the most commonly attacked. If you’re still using it on your site, create a new user for yourself with a more complex username and delete the “admin” user (make sure to assign its content to the new username so it’s not deleted).
4. Keep your plugins and WordPress version up-to-date.
Plugins, even ones from awesome companies we totally trust, can have vulnerabilities in them. Make sure you update your plugins and WordPress installation — and themes too! — at least monthly. If you’re concerned about how updates might affect your site (in rare cases I have seen certain items on sites stop working because of an update), hire someone you trust to help you. We work with a lot of our clients on a monthly maintenance package which takes care of all of this for them.
5. Get rid of inactive plugins you don’t need.
I get it: we all have that fear that the minute we throw something away is when we’ll need it. The nice thing about plugins is that you can always upload them again if you do. But right here, right now, if you’re not using it, delete it.
6. Consider added protection.
Wordfence is a great free starter security plugin that will help you restrict login attempts, block IP addresses and inform you when a plugin needs to be updated. There’s also a paid version of the plugin with more functionality, but most people really just need the basic version to start. If your site has been hacked before, you may want to consider stronger security, like Sitelock, which can block dashboard logins and file access from all IP addresses except yours. Honestly, if you’re running a business or a website that’s your livelihood, you want to do what you can to make sure you never have an issue.
And if you find you need help, let us know. We like being there for people like that.