7 ways to avoid WordPress hackers

by Rachel Smith
23 October 2015

There’s nothing like that sinking feeling you get when you learn your site has been hacked. And if you have a WordPress site, it may well happen (or have happened) to you; according to SophosLabs, around 30,000 websites are hacked every day.

How will you know? Well, maybe your site just won’t load, or loads but is painfully slow. Or, you may receive a ‘phishing’ complaint via your ISP, where users are being redirected to a fake site designed to steal their data. Or your entire site may have been replaced with a message telling visitors it’s ‘malicious’ or risky to visit – or you may visit your site and instead find a porn site that would make your mum blush. All great for business, right?

I know firsthand how annoying it can be as I have a popular site called Letter To My Ex. The site pretty much runs itself as letter-writers provide most of the content, but it gets a lot of traffic and is hacked regularly. And after fixing it and spending far too many hours on the phone with my ISP and developer, I’ve learned a few tricks to keep it safe. They’re not foolproof, but they’ll certainly help prevent yours from becoming a target.

1. Choose a reliable hosting package. Hint: it’s not the bargain-basement hosting package that costs you $2.50/month. Ideally, you want to choose a host that spreads the load of the sites they host over multiple servers (preventing your site from becoming slow or going down), guarantees uptime above 98 percent (which most good hosts do) and offers daily back-ups (even though you may have to pay to restore your site via your host’s back-ups, it’s good to have as an option). You also want a host that gives you access to the backend so you can create new email addresses, change passwords etc., and provides free, 24/7 phone support and technicians who can mobilise in a crisis. After all, it’s your business we’re talking about!

2. Install a backup plugin. I use Backup Buddy. It’s not free (it’s $80/year to back up 2 sites, or $100/year to back up 10), but it’s one of the easiest back-up systems I’ve used for WordPress and makes restoring your site a breeze too (provided you have backed it up regularly). It’s also much cheaper to restore your site this way rather than using your host’s back-ups, as some can charge $100-200 to restore after a hack.

3. Update all your plugins regularly. Old or out-of-date plugins are one of the easiest ways in for hackers, so install updates as soon as they’re available, and deactivate and delete any plugins you aren’t using. The same goes for your themes: even a theme you’ve downloaded but aren’t using must be kept updated.

4. Update WordPress. This is a no-brainer. Sites running on old versions of WordPress are notorious for being hacked.

5. Use Wordfence. It’s a free WordPress plugin that adds another layer of security to your site, and a quick scan can identify problems or malicious code.

6. Change your WordPress login password. You won’t be able to change your username on WordPress (experts say you should never choose ‘admin’ as your username, but if you have, you can’t do anything about it now), but you can and should change your password regularly. Make it long and hard to crack: use a mixture of upper- and lower-case letters, numbers and symbols.

7. Change your FTP password. Even if you never use FTP, it’s a known gateway for hackers into your site, and if you’ve been hacked, changing it is an essential part of cleaning up everything else. You can usually change your FTP password via your hosting site, or ask them to help you.
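As an added example (not from the original post), here is a small WP-CLI script that checks tips 3 and 4 from the command line: it lists plugins and themes with pending updates, flags inactive ones that are candidates for deletion, and reports whether WordPress core is current and unmodified. It assumes WP-CLI (`wp`) is installed and the script is run from the site’s root directory; the sample CSV data is constructed for the example.

```shell
#!/bin/sh
# Added audit for tips 3 and 4 (not from the original post). Assumes WP-CLI
# ("wp") is installed and the script is run from the WordPress root directory.
# Usage: sh wp-audit.sh run

# Constructed sample of "wp plugin list --fields=name,status,update,version --format=csv"
# (plugin names are real, versions are made up for the example).
SAMPLE_PLUGIN_CSV='name,status,update,version
akismet,active,none,3.1.5
hello,inactive,none,1.6
wordfence,active,available,6.0.12'

# Constructed sample of a healthy install: everything active and current.
SAMPLE_CLEAN_CSV='name,status,update,version
akismet,active,none,3.1.5'

# audit_csv LABEL CSV: print one line per plugin/theme that needs attention
# (tip 3: a pending update, or inactive and therefore a candidate for deletion).
# Returns 1 when something needs attention, 0 when the list is clean.
audit_csv() {
  printf '%s\n' "$2" | awk -F, -v label="$1" '
    NR == 1 { next }                                   # skip the CSV header
    $3 == "available" { print label ": " $1 " has an update available"; n++ }
    $2 == "inactive"  { print label ": " $1 " is inactive, delete it if unused"; n++ }
    END { exit (n > 0) }                               # nonzero exit = action needed
  '
}

# audit_site: run the live checks with WP-CLI. Returns 1 if anything needs action.
audit_site() {
  rc=0
  audit_csv plugin "$(wp plugin list --fields=name,status,update,version --format=csv)" || rc=1
  audit_csv theme  "$(wp theme list --fields=name,status,update,version --format=csv)"  || rc=1
  # Tip 4: show the installed core version and any newer release that is available.
  echo "core: running WordPress $(wp core version)"
  wp core check-update
  # Core files that differ from the official release are a common sign of a
  # compromised site; verify-checksums exits nonzero if any are found.
  wp core verify-checksums || rc=1
  return $rc
}

case "${1:-}" in
  run) audit_site ;;
esac
```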

There are other ways to secure your site which involve inserting certain code in the core files, but I would definitely ask a developer to help you here if you’re not comfortable coding yourself. (And backing up your entire site before you do anything like this is also absolutely essential.)

Do you have any tried and tested strategies for sidestepping hackers? We’d love to hear from you in the comments.


One response on "7 ways to avoid WordPress hackers"

  1. Thanks for this Rachel, all good tips. I haven’t done it – I know, I should – but you can also enable two-factor authentication on sites that are actually hosted at WordPress.
