In this session we discuss how to prevent your site from being hacked. Outdated plugins, themes and WordPress versions are always the cause of the problems, so they should always be updated even if they are not activated. We also discuss how to prevent vulnerabilities in the WordPress core files, thus eliminating the potential for failures.
Now let’s talk about prevention. Really, prevention falls into 2 main categories. One of them is keeping your site up to date because obviously, as had to be the case with this one, the site was accessed through a security flaw somewhere in a plugin, in a theme, in a WordPress core file or something like that. When there’s a vulnerability, everybody puts together patches. But if you don’t install that patch, then you give yourself the opportunity to be hacked through that vulnerability.
What you want to do is make sure that you’re always updating your plugins, your themes and WordPress. You also want to make sure that you delete plugins and themes that you aren’t using. I see this all the time where I go on to somebody’s site and they have a whole bunch of themes in there that they’re not using and a whole bunch of plugins that they aren’t using. Because they aren’t using them, they say to themselves, “Well, I don’t really need to update that plugin.” And so maybe the plugin’s been abandoned by its author. Maybe the plugin has a vulnerability that you haven’t updated for.
Even if the plugin is not activated, you still need to make sure that it’s kept up to date, and the same thing is true with themes, because it’s not the fact that it’s active that causes the problem. It’s the fact that there are files with vulnerabilities in them that somebody can access. So you want to delete all of those plugins that you aren’t using, because every single plugin you have installed has some potential for failure, some potential for somebody accessing your site if there’s a vulnerability there. With every one you delete, you incrementally reduce the chance of a problem.
Now you also want to go through and look at your plugins and make sure that those plugins have been regularly updated. Not that you have regularly updated them, but that you go to WordPress.org and see that the plugin itself was last updated some time in the last year or two. If the plugin hasn’t been updated in 2 years, then you should find a replacement for it.
You should not be using old plugins because those old plugins can still have security vulnerabilities. If those security vulnerabilities aren’t fixed by the plugin author, then you never see an update for them. Make sure that every plugin that you’re using has been updated by its author some time in the last couple of years. If it hasn’t been, then go find something to replace it.
Actually, I just worked on a site here for a client where they were using some plugins that weren’t even on the WordPress repository. Some Joe Blow out there had written one and then abandoned it in 2008. He wrote a plugin for WordPress in 2008 and this person was still using it today. It hadn’t been changed since 2008. So 4 years later, WordPress has changed dramatically since then. WordPress security has changed, but this plugin hasn’t changed.
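As an added example (not code from the video or from WordPress), here is a small audit script that applies the rules above to a site's plugin list: flag plugins whose author has not released an update in 2 years, plugins installed at an older version than the current release, and inactive plugins that should simply be deleted. The plugin data is constructed inline in the shape of the WordPress.org plugin-info API (`last_updated`, `version`); the installed version and active flag are assumed to come from the site.

```python
"""Audit installed WordPress plugins for abandonment, staleness and dead weight."""
from datetime import date, timedelta

# The rule from the video: no author update in 2 years means replace the plugin.
MAX_AGE = timedelta(days=730)

# Constructed sample data (not real plugins). Each entry mirrors the
# "last_updated" and "version" fields of the WordPress.org plugin-info API,
# plus the version installed on the site and whether the plugin is active.
SAMPLE_SITE = {
    "well-maintained": {"last_updated": "2024-03-12 3:24pm GMT", "version": "2.1.0",
                        "installed": "2.1.0", "active": True},
    "abandoned-widget": {"last_updated": "2008-09-30 8:10am GMT", "version": "0.3",
                         "installed": "0.3", "active": False},
    "behind-on-updates": {"last_updated": "2024-01-05 9:00am GMT", "version": "5.2",
                          "installed": "4.9", "active": True},
}
SAMPLE_TODAY = date(2024, 6, 1)  # constructed "today" so the run is reproducible


def parse_last_updated(value):
    """The API timestamp starts with YYYY-MM-DD; the date part is all we need."""
    return date.fromisoformat(value[:10])


def audit_plugins(site, today, max_age=MAX_AGE):
    """Return {slug: [findings]} for every plugin that needs attention."""
    findings = {}
    for slug, info in site.items():
        issues = []
        age = today - parse_last_updated(info["last_updated"])
        if age > max_age:
            issues.append("abandoned: replace (no author update in %d days)" % age.days)
        if info["installed"] != info["version"]:
            issues.append("outdated: update to %s" % info["version"])
        # An inactive plugin still ships its files to the web server, so its
        # vulnerabilities are still reachable; unused plugins should be deleted.
        if not info["active"]:
            issues.append("inactive: delete if unused")
        if issues:
            findings[slug] = issues
    return findings


if __name__ == "__main__":
    for slug, issues in audit_plugins(SAMPLE_SITE, SAMPLE_TODAY).items():
        print(slug, "->", "; ".join(issues))
```

For a live check, each plugin's record would be fetched from https://api.wordpress.org/plugins/info/1.0/<slug>.json and the installed version and active flag read from the site.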
The next step is to make sure that you perform regular automatic backups. We all know what this is like, and so does the person who owns this site. She knew she was supposed to be doing backups, but she didn’t do backups. If you don’t know exactly what I’m talking about, then you should watch one of the videos on my site.
You should buy BackupBuddy and configure it so that it does regular automatic backups. I have plenty of videos on the site on how to do that. So you need to have regular automatic backups set up on your site, and you may as well use a plugin that makes it very easy to restore your site in the midst of a crisis, and BackupBuddy is that one, as far as I’m concerned.
Next, you want to use strong usernames and passwords. You know, it takes a username and a password to get into your site, into the dashboard. So if they know your username, then they’ve got half of it already and all they have to do now is try to crack the password. Your site’s really only as secure as the username and password you are using, both on your site and on your hosting account. So you want to make sure that you use strong usernames and strong passwords.
A strong password is not your pet’s name or your kid’s name or a birthday or your boat’s name or anything like that. A strong password is a non-English word with uppercase and lowercase letters, numbers and special characters. It should be something like that. It should be something that cannot be guessed.
When you’re using strong usernames and passwords, you want to make sure that you don’t display the usernames on your site, or at least you don’t display the admin username. If you come over here to Users for a second and look at All Users, right now I’m signed in as byobrick; here’s my username, byobrick. Display name publicly as… well, you definitely don’t want that. You want something else. So change your nickname to Rick or whatever. Change your nickname so it’s not your username. Change your display name so it’s not the admin username. That way you’re not telling a hacker what half of the combination is, okay?
Finally, use something like Sucuri.net. Sucuri.net is really the perfect way to protect yourself. They have a service that regularly monitors and checks your site. In the event that you are actually hacked, they will help you clean your site up. So not only do they block it, but if you still get hacked while you are using them, they’ll help you fix it. This is really an invaluable resource available to you, and if you’re a BackupBuddy user, then you can use it at a discount. I strongly recommend you use something like this to protect your site from this kind of hack, because this has been the year of hacks.
Now Sucuri.net has some very good resources. There’s a great resource here on how to protect your site, and it includes a lot of things. One of the interesting things they said here was that over 78% of the malware cases they deal with are attributed to outdated core applications, plugins or modules. That means an outdated version of WordPress, an outdated version of a plugin or an outdated version of a theme. Keeping things up to date is really one of the biggest things you can do. Anyway, a link to this post will also be on the site here, but if you go to sucuri.net, they have all kinds of good resources for you, so I strongly recommend them.
That’s it. If you follow those steps, you can both restore your site and recover from being hacked. I hope that you all take this to heart and protect yourselves.