Blogging: How to keep your WordPress secure

A hacked WordPress site is every blogger's nightmare. Lately there has been more and more news about people who were hit by hackers for no apparent reason. Top blogs are not the only targets: anyone can get hacked, and a compromised site can then be used to attack other websites. Is there anything you can do to minimize the chance of such a disaster? Of course. Just stick to these few easy-to-follow rules!

What to do to protect your WordPress blog?

Be ready for the worst – create a backup strategy, install a good backup plugin and start backing up your website on a regular basis. I advise you to try recreating your website from a generated backup: you can do it with a WAMP server on your local machine, so there is no need to test the restore on the live website.

Use a website optimizer – services like CloudFlare not only speed up the loading of your site, they can also protect you against abusive bots crawling your content, malicious attacks, vulnerability scans and DoS attacks. The good thing is that there is a free plan, so you don’t have to spend a penny.

Stay informed – you cannot react if you don’t know what the dangers are. It is a good habit to do a weekly search for “WordPress vulnerability” and “WordPress attack” in Google News. I also use Securiteam (and search the site for WordPress). You can probably automate the process with Google Alerts.

Stay updated – it is good practice to apply the regular updates within your current WordPress version. Don’t jump onto major version updates immediately – they are usually full of bugs and vulnerabilities. Wait a week or two. The same rule applies to plugins. Remember: if you hear about a plugin vulnerability that is not yet fixed, turn the plugin off!

Keep your WordPress tidy – if you don’t use something, remove it. Remember that files from your plugins and themes can be accessed by an attacker even when these components are not activated. In the recent timthumb attack, hackers were searching for a script used in the most popular themes – every site that had these templates in wp-content/themes was vulnerable (it didn’t matter whether the theme was activated or not).

Protect your blog - Nit Soto -

Keep an eye on the logs – monitor your incoming traffic and regularly check what your users are up to. I am using the Slimstat plugin with JavaScript tracking mode turned off (otherwise you lose all bot and scanner activity). Look for visitors trying to access weird URLs – sometimes they are trying to trigger common backdoors and exploits. There are online tools that scan your website for malicious scripts and other dangerous content, e.g. Sucuri.

Fix the most obvious issues – don’t use the default admin account and limit the number of login attempts (you can use this plugin to do it). Change your default database table prefix from wp_ to something less predictable. Use strong passwords made of upper and lower case letters, numbers and special characters.
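As an added example (not code from the original post), here is a small Python script that reviews web-server access log lines for two of the patterns mentioned above: repeated POSTs to wp-login.php from one address, and requests for the timthumb script inside wp-content/themes. The log lines, thresholds and IP addresses are constructed for illustration.

```python
import re
from collections import Counter

# Fields of the common "combined" access log format that this review needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

LOGIN_LIMIT = 5      # assumed threshold: POSTs to wp-login.php from one IP
SCAN_404_LIMIT = 10  # assumed threshold: 404s from one IP (vulnerability scan)
# timthumb lives inside wp-content/themes whether or not the theme is active.
PROBE_RE = re.compile(r'/wp-content/themes/[^/]+/.*timthumb', re.I)

def review_access_log(lines):
    """Return suspicious IPs and theme-script probes found in the given log lines."""
    login_posts = Counter()
    not_found = Counter()
    probes = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real review should count these too
        ip, method, path, status = m['ip'], m['method'], m['path'], m['status']
        bare_path = path.split('?', 1)[0]
        if method == 'POST' and bare_path.endswith('/wp-login.php'):
            login_posts[ip] += 1
        if status == '404':
            not_found[ip] += 1
        if PROBE_RE.search(bare_path):
            probes.append((ip, bare_path))
    return {
        'brute_force': sorted(ip for ip, n in login_posts.items() if n >= LOGIN_LIMIT),
        'scanners': sorted(ip for ip, n in not_found.items() if n >= SCAN_404_LIMIT),
        'theme_probes': probes,
    }

# Constructed sample lines (not real traffic): 198.51.100.7 hammers the login form,
# 203.0.113.9 asks for an inactive theme's timthumb.php, 192.0.2.1 is a normal reader.
SAMPLE_LOG = [
    '192.0.2.1 - - [10/Oct/2011:13:55:36 +0000] "GET /2011/10/hello-world/ HTTP/1.1" 200 5123',
    '203.0.113.9 - - [10/Oct/2011:13:56:01 +0000] "GET /wp-content/themes/oldtheme/timthumb.php HTTP/1.1" 200 312',
] + [
    f'198.51.100.7 - - [10/Oct/2011:13:57:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3021'
    for s in range(6)
]

if __name__ == '__main__':
    for kind, hits in review_access_log(SAMPLE_LOG).items():
        print(kind, hits)
```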

Make sure you are using good hosting – your WordPress may be very secure and impossible to break into from the outside, but what if another account on the shared hosting box is compromised? If there is a common security problem on the server, an attacker can get access to your blog easily. This issue is very hard to prevent – the only way is to use a good hosting provider (even if it costs a bit more).

Keep your computer healthy – if you log into your WordPress from an infected computer, there is a good chance your login details will be captured, sent somewhere and used to get access to your blog. The only way to prevent it is to use good antivirus software and scan your computer regularly.

These are the rules I personally stick to, and so far so good. If I am missing anything, let me know in the comments!

