Just before Christmas, my Forty First website, which is built on WordPress, was hacked. I didn’t realize it had been hacked until it was pointed out to me: even though I regularly update my site, I had seen no warnings. A visitor using the Safari browser found it when Safari warned them not to access my site. None of the words or images had changed, but a malicious script had been added to the site, which could have pushed malware onto visitors’ computers. You can see an image of the warning below.
Not having experienced this before, I panicked and had no idea how to fix it. Thankfully Louise put me onto Debbie Mahler of MICE Training & Technology, who has been sorting it out over the Christmas period and has given me lots of advice, some of which I’ve passed on below. Hopefully the problem will finally be resolved this week. The malicious script was added somewhere in the database used by WordPress, so the content stored in the database needs to be thoroughly examined to find and remove it.
I’m no expert on web or WordPress security, but it was soon pointed out to me what could have let the site get hacked. These holes have now hopefully been closed, and they are something anyone with a site built on WordPress needs to be aware of.
1. I had left my login username as the default ‘admin’, which is an easy entry point for hackers: anyone guessing passwords already knows half of the login. I’ve now created a new username for myself, and my old admin login is now just a subscriber to the site.
2. Two plugins have been installed which help to identify security problems and block attempts to break in: WP Security Scan and Bad Behavior. Bad Behavior blocks requests that look like they come from automated bots rather than real visitors. I’ve now installed it on this site too, and if you scroll to the footer of this page a note will tell you that over 1500 access attempts have been blocked in a week – this shows how prolific automated hacking is!
3. Make sure your password is long and a mixture of lower case, upper case, numbers and a few unusual characters, and that you don’t use the same password anywhere else. I think it’s worth updating the password regularly as well, and certainly straight after an incident like this.
4. If you don’t manage your WordPress site yourself, make sure your web developer is aware of the above and is actively keeping WordPress, its themes and its plugins up to date so your site doesn’t get hacked!
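Debbie’s advice was to examine the database for the injected script and to get rid of the default ‘admin’ account. As an added example (not code from this site, from Debbie or from either plugin), the script below does a first pass at both on an export of the WordPress tables. It assumes the tables have been exported as JSON rows (phpMyAdmin can export a table that way); the rows, the evil.example URLs and the serialised widget payload are constructed samples, and the patterns are triage heuristics that still need a human to look at every hit. It only looks at database content; files such as .htaccess, theme and plugin files need checking separately.

```python
import re

# Constructed sample rows standing in for a JSON export of the WordPress tables.
# Not real data from the site; the evil.example host and payloads are made up.
SAMPLE_TABLES = {
    "wp_posts": [
        {"ID": 10, "post_content": "<p>Welcome to Forty First.</p>"},
        {"ID": 11, "post_content": '<p>Latest news</p><script src="http://evil.example/x.js"></script>'},
        {"ID": 12, "post_content": '<iframe src="http://evil.example/f" width="0" height="0" style="display:none"></iframe>'},
    ],
    "wp_options": [
        {"option_id": 5, "option_name": "blogname", "option_value": "Forty First"},
        # A PHP-serialised text widget carrying obfuscated PHP (string lengths are illustrative).
        {"option_id": 6, "option_name": "widget_text",
         "option_value": 'a:1:{i:2;a:1:{s:4:"text";s:45:"<?php eval(base64_decode(\'ZWNobyAxOw==\')); ?>";}}'},
    ],
}
SAMPLE_USERS = [
    {"ID": 1, "user_login": "admin", "user_email": "sam@example.com"},
    {"ID": 2, "user_login": "sam_fortyfirst", "user_email": "sam@example.com"},
]
SAMPLE_USERMETA = [
    {"umeta_id": 1, "user_id": 1, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"umeta_id": 2, "user_id": 2, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:10:"subscriber";b:1;}'},
]

# Patterns commonly left behind by mass WordPress injections. These are triage
# heuristics, not proof of compromise: review every hit by hand before deleting.
INJECTION_PATTERNS = {
    "script_tag": re.compile(r"<script\b[^>]*>", re.I),
    "hidden_iframe": re.compile(
        r"<iframe\b[^>]*(display\s*:\s*none|width\s*=\s*[\"']?0|height\s*=\s*[\"']?0)", re.I),
    "php_obfuscation": re.compile(
        r"\b(eval|assert|create_function)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "js_obfuscation": re.compile(r"(document\.write\s*\(\s*unescape|String\.fromCharCode\s*\()", re.I),
    "long_base64": re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),
}

# Primary-key column names WordPress uses, so a finding can point at one row.
ID_COLUMNS = ("id", "option_id", "meta_id", "umeta_id", "comment_id")


def scan_rows(tables):
    """tables: {table_name: [row dict, ...]}. Returns one finding per (row, column, pattern) hit."""
    findings = []
    for table, rows in tables.items():
        for row in rows:
            row_id = next((v for k, v in row.items() if k.lower() in ID_COLUMNS), None)
            for column, value in row.items():
                if not isinstance(value, str):
                    continue
                for name, pattern in INJECTION_PATTERNS.items():
                    m = pattern.search(value)
                    if m:
                        findings.append({
                            "table": table, "row_id": row_id, "column": column, "pattern": name,
                            "excerpt": value[max(0, m.start() - 20):m.end() + 40],
                        })
    return findings


def audit_users(users, usermeta):
    """Report who holds the administrator role and whether the default 'admin' login survives."""
    admins = set()
    for m in usermeta:
        # The capabilities key carries the table prefix ("wp_capabilities" by default);
        # its value is a PHP-serialised array whose keys are role names.
        if m["meta_key"].endswith("capabilities") and '"administrator"' in m["meta_value"]:
            admins.add(m["user_id"])
    report = {"administrators": [], "issues": []}
    for u in users:
        login = u["user_login"]
        if u["ID"] in admins:
            report["administrators"].append(login)
        if login.lower() == "admin":
            report["issues"].append(
                "the default 'admin' login still exists (ID %d): create a new administrator with a "
                "different user name, then delete 'admin' and reassign its posts to the new user" % u["ID"])
    if not report["administrators"]:
        report["issues"].append("no administrator account found in the export")
    return report


if __name__ == "__main__":
    for f in scan_rows(SAMPLE_TABLES):
        print("%s row %s [%s]: %s -> %r" % (f["table"], f["row_id"], f["column"], f["pattern"], f["excerpt"]))
    report = audit_users(SAMPLE_USERS, SAMPLE_USERMETA)
    print("administrators:", ", ".join(report["administrators"]))
    for issue in report["issues"]:
        print("issue:", issue)
```

On the sample it flags the post with the foreign script tag, the post with the hidden iframe, and the serialised widget with `eval(base64_decode(`, and reports that ‘admin’ is still the only administrator. Remove injected content by editing the row in WordPress or restoring the post from a clean backup rather than by deleting rows wholesale, since legitimate posts can contain embedded scripts too.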
Website hacking is a growing problem, and even if you’re not a techie you need to be aware that it can happen and make sure appropriate steps are taken to prevent it. I can tell you from experience that dealing with this sort of thing is a real headache and I don’t want my site to be hacked again!
Very useful advice Sam and consistent with what I have heard about WordPress security risks. A question though: I’m wondering why you didn’t just delete the default ‘admin’ user rather than setting their access level to ‘subscriber’? Is there some value in leaving admin there as a functionless decoy? I’ve been deleting admin altogether once a new user with administrator privileges has been created.
There’s a load of stuff on more advanced security measures, such as changing the default wp_ table prefix, here:
http://blogsecurity.net/projects/secure-wp-whitepaper.pdf
Funnily enough I discovered the other day some odd symbols on my homepage, and when I looked at the code I found a whole load of ‘invisible’ spammy links had been added to it! I re-uploaded the page and changed the logins, so I hope that’s all I need to do, although I don’t know for sure. I’m not sure how this happened (it’s not a WP site), but I now think I need to check some of the other sites I have with the same webhost to check it hasn’t happened there. Thanks for the warning about WP, I’m in the process of moving to a WP platform so I’ll make sure I choose a complicated password!
Thanks for your comment Rob. Actually I’ve now deleted the admin username altogether; my only reason for leaving it as a subscriber was that I had a couple of posts and comments attributed to admin and wasn’t sure if I’d lose them, but I saw that WordPress asks if you want to attribute them to another user. Thanks for the link, I’ll check it out. Not being very up to speed on WP and website security I was quite amazed to find out how much of this hacking is automated!
Thanks for your comment. It was my .htaccess file that was hacked and I’m still unsure how it got hacked, so I hope it wasn’t via the web hosting I use (same as yours!). When you set up your new WP site, set up a new administrator with a different user name from admin and then delete the ‘admin’ user altogether! If I find out any more I will pass it on!
There are plugins such as Akismet (http://akismet.com) for WP which detect and block spam and automated hacking attempts. Now when I see the spam emails which I get daily offering to place links to my sites on thousands of blogs, I can see how they are trying to do it. Though of course in many cases there won’t even be a real service on offer, it’s just an attempt to get your credit card details off you, but that’s another story.
Yes, we already have Akismet installed and I’m always amazed at how much spam it catches. Not only has this whole hacking experience been a headache, but it’s really opened my eyes as to how it’s all automated and how much of it goes on!