My WordPress Website Got Hacked…Now What?

Last week I got a panicked email from a previous client for whom I performed some website maintenance last year. Her hosting company had taken down her website because it had been hacked. She had received an earlier email from her hosting company and ignored it. Since she ignored them, they took her site down to protect the other sites on the same server as hers.

Just knowing your website got hacked is enough to make you sad, but to add insult to injury, the email had so much jargon in it that I completely understood why she was so panicked: she couldn’t really understand it or what was happening. I deciphered the email for her and let her know what she needed to do, but I also let her know that if she should ever receive an email like this again, she should take action quickly.

How to protect your WordPress website

First, let me say that if you receive an email from your hosting company saying your website has been hacked, contact them immediately.  Don’t ignore them.  

While there is no way to guarantee your website will not be hacked, there are numerous things you can do to lower your chances and protect yourself from this happening to you; this is also known as hardening WordPress.

WordPress runs over 30% of all websites. As much as I hate to say it, many of the hacks of WordPress websites could have been avoided.

Why do I say that many of the hacks could have been avoided?

There are so many things that you as a website owner can do to help keep down the chances that your website will be hacked.

Below are ways to protect your WordPress website:

    1. Keep your WordPress version up-to-date: WordPress comes out with several versions each year. There are two types of releases: major and minor. Major releases are 1.0, 2.0, 3.0, 4.0, etc. Minor releases are 1.0.1, 2.0.2.
    2. Keep your theme updated.  Your themes also have updates.  These updates are a combination of new features as well as making sure they are compatible with the latest version of WordPress.
    3. Keep your plugins updated.  Plugins are usually one of the easiest ways to have vulnerabilities on your website.  Make sure you do your due diligence and check out the plugin and the developer BEFORE you install any plugin on your website.
    4. Site login username. When it is time to install WordPress, you are asked to create a username. Make sure you NEVER use admin as your username. Yes, it’s easy to remember, but it’s also a hacker’s delight, so stay away from this one!
    5. Secure Password: I tell my clients to think of their website password as their online banking password.  I’m sure when you created your password for your online banking account, you gave it some thought to make sure it was secure.  Do the same for your website. Also, change your password frequently.
    6. Be careful who you give access to.  One of the great things about WordPress is that you can have several users on a site all with different permissions.  Make sure to pay close attention to who you give access to and that you give them only as much access as needed. This is not the time to get generous and add extras.
    7. Change your login link. The default link to log in to WordPress websites is the domain followed by /wp-admin or /wp-login (for example www.yourdomain.com/wp-admin or www.yourdomain.com/wp-login). Hackers know this, so change it. When you are installing WordPress, you can change the default login link. If you wanted to have your login as www.yourdomain.com/flowers, you could!
    8. Use WP Managed Hosting. There are many types of hosting; two of the most popular are shared hosting and WP Managed hosting. Shared hosting is for all websites built on any platform. WP Managed hosting is, yep, you guessed it, hosting only for sites built on the WordPress platform. These hosting companies take security very seriously and work day in and day out to make sure your website is protected.
    9. Change your file permissions.  The files that make up your website have permissions.  These permissions allow for reading, writing, and executing.  These permissions are represented by three numbers or they may also be represented by the letters r, w, and x.  These numbers will determine what can and cannot be done with your website files. You want to limit as much as possible the permissions of the files on your website, but be careful because you can also run the risk of making your website not visible.  If you are not familiar with this, seek out assistance from your hosting company.
    10. Limit the number of times someone can try to log in to your website. When someone is trying to hack into your website, they will make numerous attempts, which means your login page will be accessed many times. The Login Lockdown plugin detects when an IP address makes repeated attempts to log in to your website within a certain timeframe. If the number of attempts is exceeded, the IP address will no longer be able to access your login page for a specified period of time chosen by you.
    11. Have your site scanned.  One of the best ways to have your website protected is for your website to be scanned in the background so if anything is found it can be fixed.  That’s where Sucuri comes to the rescue!  The Sucuri plugin monitors your website for any funny business going on.  It can also remove malware and get your website cleaned if it is hacked.  It’s the best money you’ll spend!
    12. Back up your website. You back up your website so that if anything should happen to it, you will be able to restore a fresh version of your site. Unfortunately, many website owners have no backup system in place and rely on their hosting company to perform their backups. Make sure that you contact your hosting company to find out exactly what they back up. If it’s just your database, you’ll be very unhappy if something does go wrong.
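
To make the file-permissions item concrete, here is an added example (not part of the original article) that walks a site folder and reports every file or directory whose permissions are looser than a baseline, showing each one both as three numbers and as r/w/x letters. The baseline values (755 for directories, 644 for files, 640 for wp-config.php) and the sample tree are assumptions chosen for the illustration.

```python
import os
import stat
import tempfile

# Assumed baseline (not from the article): directories 755, files 644,
# and wp-config.php 640 so accounts outside the owner/group cannot read it.
DIR_MAX, FILE_MAX, CONFIG_MAX = 0o755, 0o644, 0o640

def audit_permissions(root):
    """Return (path, octal, rwx, reason) for each entry looser than the baseline."""
    findings = []
    for folder, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(folder, name)
            info = os.lstat(path)
            if stat.S_ISLNK(info.st_mode):
                continue  # symlink mode bits are not meaningful on Linux
            mode = stat.S_IMODE(info.st_mode)
            if stat.S_ISDIR(info.st_mode):
                limit = DIR_MAX
            elif name == "wp-config.php":
                limit = CONFIG_MAX
            else:
                limit = FILE_MAX
            if mode & ~limit:  # any permission bit beyond the allowed ones
                reason = ("world-writable" if mode & stat.S_IWOTH
                          else "looser than %03o" % limit)
                findings.append((os.path.relpath(path, root), "%03o" % mode,
                                 stat.filemode(info.st_mode), reason))
    return sorted(findings)

def build_sample_site():
    """Create a constructed WordPress-like tree with deliberately loose modes."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    modes = {"index.php": 0o644, "wp-config.php": 0o644,
             os.path.join("wp-content", "uploads", "photo.jpg"): 0o666}
    for rel, mode in modes.items():
        with open(os.path.join(root, rel), "w") as handle:
            handle.write("sample\n")
        os.chmod(os.path.join(root, rel), mode)
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(uploads, 0o777)
    return root

if __name__ == "__main__":
    for finding in audit_permissions(build_sample_site()):
        print(*finding)
```

The script only reports; tightening a flagged entry is a separate step, and as the list item says, changing permissions without care can make the site unreachable.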

 

Of course, this list is by no means all-inclusive, but it does give you a lot you can work with to make sure your website is secure.

What would you add to this list?  Has your website ever been hacked?  Share your thoughts in the comments below!

 

 


Lynn
