I was sitting at my desk, finalizing a new post to share here on the blog when it happened. My phone vibrated. New message from a friend in San Diego. It was a picture, so (without reading the attached text) I took a look. It was…graphic. Like, “adult entertainment” graphic.
At first, I thought, “wow, I guess that’s where this friendship is going…” But no, it was actually a picture of my site. Well, kind of. He had clicked a link to a post I shared on my Facebook page (it was this one actually). Rather than the link taking him to the post as it should, it redirected him to the new ‘hardcore porn’ site.
And so I realized…
“I’ve been hacked!”
Someone was messing with my site and redirecting the traffic. The worries immediately started pouring over my mind.
How long has this been going on?
How do I fix this?
What if I lose my content?
The cherry on top: this was the latest in a series of recent ‘unfortunate events’. The ‘domino effect’ of disasters was in full effect. In just a few days I had: my car window smashed and $500’ish of my stuff stolen, denied multiple times to get a Visa from the Brazilian Consulate in time for the World Cup, and misplaced my favorite socks.
Now I knew better than to let this all get the best of me, but it still sucks. As the issues piled up, I continued to use my methods for dealing with the stress, knowing it was all temporary.
But here’s the truth: the website disaster is one I should have seen coming. It’s almost inevitable. If someone wants to get in, they will. And if you don’t follow the steps below, it’s very likely to happen to you.
Being a word nerd, I had done my research and already knew there were certain (additional) measures I needed to take to make life harder for the hackers out there.
Why didn’t I do any of it? The same reason we all don’t take preventative measures. It hadn’t happened yet, so I didn’t prioritize it. But honestly, I didn’t know how to get it done. The information I read was conflicting, and I needed to hire a pro to handle it.
I don’t want you to make the same mistake. If you have a WordPress website, I need you to take me seriously. It is very important that you follow every single one of the steps below. If you don’t understand any of the pieces, just post a comment and we’ll get it handled.
Listen, I read posts very similar to this one countless times, but I just didn’t take them seriously. I thought, “that’s them, that won’t happen to me. If it does I’ll fix it”. Ugh…so naive.
Again—please do this. You will save hundreds of dollars and prevent tons of headaches. (Disclaimer: If someone really wants to get in, they will. None of this is guaranteed, but it will make your site much more secure than before.)
Below I’m going to outline the steps you must take immediately to prevent this from happening to you. I’m also going to tell you what to do if you’ve already been hacked.
Stopping Hackers and Keeping Your Content Safe
1. Download and Install UpdraftPlus Plugin
There are a lot of different ways to keep your websites backed up. I’ve tested many of them: Backup Creator, Backup Buddy, WP Database Backup, and more.
After thorough testing, UpdraftPlus plugin is my favorite, and I highly recommend you use it. It’s free, easy to use, and backs up everything.
You can set UpdraftPlus to automatically back up your site every 4, 8, or 12 hours.
2. Sign Up For Amazon S3
Long story short, Amazon S3 is the cheapest, easiest way to store data/content in the cloud. It’s an online file storage service. Think of it as a more powerful Dropbox.
You’re going to use Amazon S3 to store your website backups (which will happen automatically behind the scenes), through UpdraftPlus.
Note: S3 will cost you only pennies per month, it’s very inexpensive. If you start using S3 to host and stream your videos and/or downloadable content (a great place to do this), then you’ll start to see some charges. It’s all based on how much data is pulled from their servers.
3. Securing and Storing Your Passwords
Download 1Password (it’s the best, but there’s a cost) or LastPass (free). Use this to create a secure password for your new WordPress login (see next step).
You should also use 1Password or LastPass to store all your passwords, your personal information (to easily fill out form fields with one click), credit cards and banking details, and all the other personal information you can’t remember. You should also begin to update all your old passwords to new secure ones.
4. Create a New ‘admin’ Level User for Logging Into WordPress
Simply log into WordPress, go to users on the left-side panel, and create a new one. Make sure to use a very secure password.
5. Delete the ‘admin’ Default User
Once you’re logged into the new user you created in step 4, delete the admin user that was created by default.
Why? This is how a lot of hackers get you. ‘Admin’ is not a very hard username to guess.
Also, delete all other users you may have created in the past that you no longer need.
6. Download and Install Wordfence Security Plugin
After thorough testing, Wordfence Security is the best security and performance plugin you can get. And it’s free — boom!
- Make sure you sign up for email notifications
- Go to the plugin settings
- Within the ‘Alerts’ menu, check the boxes for:
  - Alert on critical problems
  - Alert on warnings
- Within the ‘Scans to include’ section, check all the boxes except ‘Enable HIGH SENSITIVITY scanning’
- Within the ‘Login Security Options’ menu, change:
  - Lock out after number of failed logins to: 3
  - Lock out after number of forgot password attempts to: 3
- Save your changes
7. Update, Update, Update
Every single time you receive a notification from Wordfence Security to update your plugins, themes, or WordPress—DO IT.
The number one reason a hacker is able to infiltrate a website is because a piece of the site becomes outdated—and therefore—vulnerable. I was hacked because I didn’t update the OptimizePress 1.0 theme on one of my sites (not this one).
Because all my websites are linked through the same HostGator account, a hacker can easily insert their malicious code or malware into all my sites.
So, as soon as you see an update notification (on any of your WordPress sites), do it.
8. Download and Install Sucuri Security Plugin
“Sucuri SiteCheck will check your site for malware, spam, blacklisting and other security issues like .htaccess redirects, hidden eval code, etc. The best thing about it is it’s completely free.”
I copy-pasted that from the Sucuri plugin page. That’s a pretty good summary of what it does.
After installing, go into the plugin settings under ‘1-click Hardening’ and select ‘Harden’ on the following settings:
- Remove WordPress Version
- Protects Upload Directory
- Restrict wp-includes Access
- Verify PHP Version
Leave the other settings ‘not hardened’.
Perform a scan periodically. Put it on your calendar to scan once a month. If you feel something might be wrong with your site, or you want to make sure everything is clean, just scan.
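For a quick manual look between scans, the following added example (not Sucuri's code, and not a replacement for the plugin) searches a WordPress folder for the two things the description above names: `.htaccess` redirects and PHP files that eval decoded data. The function names, the sample files and the `redirect.example` domain are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only spot-check of a WordPress folder.
# Hits are leads to review by hand, not proof of a hack (a redirect you
# added yourself, such as http -> https, will be listed too).

wp_spot_check() {
    root=$1
    # PHP files that eval() the output of a decoder, a common way to hide injected code.
    find "$root" -type f -name '*.php' -exec grep -lE \
        'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)[[:space:]]*\(' {} + |
        sed 's/^/eval-of-decoded-data: /'
    # .htaccess rules that send visitors to an absolute URL.
    # /dev/null makes grep print the file name even when only one file is found.
    find "$root" -type f -name '.htaccess' -exec grep -nE \
        '^[[:space:]]*(RewriteRule|Redirect|RedirectMatch)[[:space:]].*https?://' /dev/null {} + |
        sed 's/^/redirect-to-url: /'
}

# Constructed sample tree: one clean file, one file with hidden eval code,
# and an .htaccess that redirects visitors arriving from Facebook.
wp_spot_check_demo() {
    t=$(mktemp -d)
    mkdir -p "$t/wp-content/themes/old"
    printf '%s\n' '<?php echo "hello"; ?>' > "$t/index.php"
    printf '%s\n' '<?php eval(base64_decode("ZWNobyAxOw==")); ?>' \
        > "$t/wp-content/themes/old/footer.php"
    printf '%s\n' 'RewriteEngine On' \
        'RewriteCond %{HTTP_REFERER} facebook [NC]' \
        'RewriteRule ^(.*)$ http://redirect.example/ [R=302,L]' > "$t/.htaccess"
    wp_spot_check "$t" | sed "s|$t|<root>|"
    rm -rf "$t"
}

wp_spot_check_demo
```

To check a real site, call `wp_spot_check` with the path to your WordPress folder instead of running the demo.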
9. Download and Install Akismet Plugin
If you don’t already have the Akismet plugin, get it right away. I’m pretty sure this is one of the most downloaded plugins for WordPress, but it’s worth mentioning.
Akismet will protect your site from comment spam.
10. Bonus: Permissions and How to Manage All Your Sites
First of all, call your hosting company (or submit a support ticket) and have them verify the permissions for all files and folders on your server. Files should be set to 644 permissions and folders should be set to 755 permissions — this is the WordPress default and standard.
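If you have SSH access to your hosting account, you can check this yourself. The script below is an added example (not part of the original post or of any plugin mentioned here): it lists files that are not 644, folders that are not 755, and anything world-writable, and it changes nothing. The function names and the demo tree it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a WordPress folder against the 644 (files) /
# 755 (folders) standard. Read-only: it reports, it never runs chmod.

wp_perm_audit() {
    root=$1
    # Regular files whose mode is anything other than exactly 644.
    find "$root" -type f ! -perm 644 -print | sed 's/^/file-not-644: /'
    # Folders whose mode is anything other than exactly 755.
    find "$root" -type d ! -perm 755 -print | sed 's/^/dir-not-755: /'
    # Anything any account on a shared server can write to
    # (symlinks are skipped; their own mode bits are meaningless).
    find "$root" ! -type l -perm -0002 -print | sed 's/^/world-writable: /'
}

# Constructed sample tree: index.php and wp-content are correct,
# the uploads folder (777) and the file inside it (666) are not.
wp_perm_demo() {
    t=$(mktemp -d)
    mkdir -p "$t/wp-content/uploads"
    : > "$t/index.php"
    : > "$t/wp-content/uploads/note.txt"
    chmod 755 "$t" "$t/wp-content"
    chmod 777 "$t/wp-content/uploads"
    chmod 644 "$t/index.php"
    chmod 666 "$t/wp-content/uploads/note.txt"
    wp_perm_audit "$t" | sed "s|$t|<root>|"
    rm -rf "$t"
}

wp_perm_demo
```

To audit a real site, call `wp_perm_audit` with the path to your WordPress folder; no output means everything matches 644/755.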
After I got hacked, I had to hire someone to clean up the malicious code, and set up some protection (everything you see above).
If you’re like me and have multiple websites, it’s hard to make sure every little piece is updated at all times. Chris Moore, hacker-destroyer extraordinaire, recommends a free tool called InfiniteWP.
This is a beautiful, easy way to get a high-level overview of all your sites. You can easily update themes, plugins, etc. all with one-click. It will save you a ton of time.
What To Do If You’ve Been Hacked
If you think a hacker may have gotten into your site, you should still follow all the steps above. Nonetheless, it’s important to make sure your site gets cleaned up.
If you have someone in your rolodex already that can do this for you, and you trust them, have them handle it. If you don’t know anyone, go directly to Chris Moore (he can handle a lot of different technical issues). He solved everything in just a few hours, was very thorough, and didn’t charge extravagant fees.
I asked Chris if we could offer a discount to our readers (you), and he has agreed! Make sure to use coupon code “WILG” when checking out on the site or refer Chris to this article directly.
That’s it! If you follow steps 1 through 9 above, you will be much safer.
I can’t stress enough how important it is to follow the steps above. Don’t bookmark this post for later—do it today! Then you can bookmark it after 🙂
Do you have any friends with websites of their own? Do them a big favor and please send them this article. They will thank you for it.
Photo credit: Hacker — CC License