I hate that I have to write this post. I hate that there are mean bad people who spend their time trying to find vulnerabilities in WordPress.
Yesterday I spent the evening helping my friend Rachel of Running Rachel recover her blog because we suspected that it may have been hacked. Whenever she visited her site with Internet Explorer (IE), it redirected her to spammy-looking sites. Two hours and a lot of fiddling and googling later, I found that the cause of the problem was the Badgeplz.com Instagram widget she had on her site, so I deleted the code from her sidebar and VOILA! No more hanging, and no more redirects.
The unfortunate part was that we suspected her site had been hacked. If we had taken the time to PREVENT HACKING then we wouldn’t have had an issue. As well, if we had a current backup of her site we would have found out rather quickly that it wasn’t hacked and that the problem was elsewhere… Ahhh, the lessons I learned that I’m now going to share with you:
How to Prevent Your WordPress Blog From Being Hacked
- Use a Sucuri safe theme like Headway (affiliate link).
ALL of my own sites have been designed with Headway because it’s really easy to use – you just drag and drop boxes to create the layout you want. The Headway theme uses the proper APIs provided by the WordPress.org project, thus avoiding direct database manipulation and other actions that could make your theme vulnerable to SQL injection, XSS and CSRF attacks. (Trust me, vulnerable = bad).
- Keep your WordPress Core and Plugins Updated.
WordPress is one of the programs most targeted by hackers because it holds the keys to so many millions of websites. This puts a target on your back, and therefore your website has a high likelihood of being hacked. A WordPress update is your software’s way of helping you fix the problem before it starts. If you ignore the update, you’re ignoring the solution to a problem that is already out there ready to attack.
- Use strong passwords for all entry points.
I’m surprised to find out how many of my friends use the WordPress admin password generated by WordPress during the initial install. The WordPress admin password generated at install time is normally pretty strong (it consists of lowercase and uppercase letters with numbers and symbols), so there is nothing wrong with that. However, I’m totally shocked to find out how many of their FTP/cPanel passwords are not that strong. It gets even better… one friend was using her partner’s name as the password (did I mention that her partner’s name is mentioned on her blog’s ‘About’ page?)! The FTP/cPanel password for your domain is just as important as your WordPress password. If someone can access your cPanel then that person can delete your WordPress database from cPanel -> Databases -> MySQL Databases. Anyway, the bottom line is to use strong passwords for all entry points, not just one.
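To make the "strong password" rule concrete, here is a small shell helper I am adding to this post (it is not code from the original post). It generates a random password from /dev/urandom and checks a candidate for the two mistakes above: too short or missing a character class, and containing a word that is already public, like a name from your ‘About’ page. The minimum length of 12 and the list of "public words" are my own assumptions, and the names in the demo are made up.

```shell
#!/bin/sh
# Added example, not code from the original post: a POSIX shell helper for the
# "strong passwords for all entry points" rule. password_is_weak flags passwords
# that are short, miss a character class, or contain a word that is public
# (a name from the blog's About page, the blog's own name). generate_password
# draws a random password from /dev/urandom and retries until the check passes.
# The 12-character minimum and the names used below are constructed assumptions.
export LC_ALL=C   # make [a-z]/[A-Z] ranges and tr behave bytewise

# password_is_weak PASSWORD [PUBLIC_WORD ...]
# Exit 0 (weak) when PASSWORD is under 12 characters, lacks lowercase,
# uppercase, digit or symbol, or contains any PUBLIC_WORD (case-insensitive).
# Exit 1 (acceptable) otherwise.
password_is_weak() {
    pw="$1"; shift
    [ "${#pw}" -lt 12 ] && return 0
    case "$pw" in *[a-z]*) ;; *) return 0 ;; esac
    case "$pw" in *[A-Z]*) ;; *) return 0 ;; esac
    case "$pw" in *[0-9]*) ;; *) return 0 ;; esac
    case "$pw" in *[!A-Za-z0-9]*) ;; *) return 0 ;; esac
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    for word in "$@"; do
        word_lower=$(printf '%s' "$word" | tr 'A-Z' 'a-z')
        [ -n "$word_lower" ] || continue
        case "$lower" in *"$word_lower"*) return 0 ;; esac
    done
    return 1
}

# generate_password [LENGTH]
# Prints a random password of LENGTH characters (default 24, minimum 12)
# built from letters, digits and a few symbols, retrying until it is not weak.
generate_password() {
    len="${1:-24}"
    [ "$len" -ge 12 ] || len=12
    while :; do
        candidate=$(tr -dc 'A-Za-z0-9!#%&*+=?@_-' < /dev/urandom | head -c "$len")
        password_is_weak "$candidate" || break
    done
    printf '%s\n' "$candidate"
}

# Demo: one fresh password for FTP/cPanel, then the check rejecting a
# password built from a (constructed) partner's name that is on the About page.
generate_password 20
if password_is_weak 'ILoveAlex2013!' 'Alex'; then
    echo "rejected: contains a word that is public on the blog"
fi
```

Use a different generated password for each entry point (WordPress admin, FTP, cPanel) and keep them in a password manager; the check only catches the obvious weaknesses, it does not make a reused password safe.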
- Backup Your Data
I can’t stress this enough… always keep backups of all your important files. I always back up my WordPress database and WordPress files in case of emergency. What would you do if you lost all your blog’s content? Eeeek! Use a backup plugin like BackUpWordPress that backs up both your database AND your files. Knowing your site has been backed up will help you sleep better at night.
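If you would rather have a plain cron job on the server than a plugin, here is an added example script (it is not from the original post and not the BackUpWordPress plugin) that does the same two things: dumps the database and tars the files. It reads the database credentials out of wp-config.php, so it assumes that file sits directly in your WordPress root and that mysqldump, gzip and tar are installed; the paths in the usage line are placeholders. Running it right before the core and plugin updates from the previous point gives you something to roll back to.

```shell
#!/bin/sh
# Added example, not code from the original post or from the BackUpWordPress
# plugin: a plain-shell backup of a WordPress site's database AND files,
# suitable for a nightly cron job. Assumes wp-config.php lives directly in
# WP_ROOT and that mysqldump, gzip and tar are installed.
set -eu

# wp_config_value FILE KEY
# Prints the value of define('KEY', 'value') from a wp-config.php, so the
# script reuses the credentials WordPress already has instead of a second copy.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# backup_db WP_ROOT DEST STAMP
# Dumps the database to DEST/db-STAMP.sql.gz. The password is passed through
# the MYSQL_PWD environment variable so it never shows up in `ps` output.
backup_db() {
    wp_root="$1"; dest="$2"; stamp="$3"
    mkdir -p "$dest"
    cfg="$wp_root/wp-config.php"
    out="$dest/db-$stamp.sql.gz"
    MYSQL_PWD="$(wp_config_value "$cfg" DB_PASSWORD)" \
        mysqldump --single-transaction \
            -h "$(wp_config_value "$cfg" DB_HOST)" \
            -u "$(wp_config_value "$cfg" DB_USER)" \
            "$(wp_config_value "$cfg" DB_NAME)" | gzip > "$out"
    # POSIX sh has no pipefail, so check the dump is not empty.
    [ -s "$out" ] || { echo "database dump failed" >&2; return 1; }
    chmod 600 "$out"
    printf '%s\n' "$out"
}

# backup_files WP_ROOT DEST STAMP
# Archives the whole WordPress directory (themes, plugins, uploads and
# wp-config.php itself) to DEST/files-STAMP.tar.gz, readable only by the owner.
backup_files() {
    wp_root="$1"; dest="$2"; stamp="$3"
    mkdir -p "$dest"
    out="$dest/files-$stamp.tar.gz"
    tar -czf "$out" -C "$(dirname "$wp_root")" "$(basename "$wp_root")"
    chmod 600 "$out"
    printf '%s\n' "$out"
}

# backup_wordpress WP_ROOT DEST
# One timestamped database dump plus one file archive.
backup_wordpress() {
    stamp=$(date +%Y%m%d-%H%M%S)
    backup_db "$1" "$2" "$stamp"
    backup_files "$1" "$2" "$stamp"
}

# prune_backups DEST DAYS
# Deletes dumps and archives older than DAYS so the disk does not fill up.
prune_backups() {
    find "$1" -maxdepth 1 \( -name 'db-*.sql.gz' -o -name 'files-*.tar.gz' \) \
        -mtime +"$2" -delete
}

# Usage: ./wp-backup.sh /var/www/html /var/backups/wordpress
# (placeholder paths; run from cron and copy DEST off the server afterwards)
if [ "${1:-}" ] && [ "${2:-}" ]; then
    backup_wordpress "$1" "$2"
    prune_backups "$2" 30
fi
```

A backup that only lives on the same server disappears with the server, so copy the DEST directory somewhere else (another host, a cloud bucket, a USB drive) and restore from it once on a test site to prove the files are usable.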
- Secure your blog with Better WP Security.
Better WP Security is almost an “all-in-one” security plugin for WordPress. It takes the best WordPress security features and techniques and combines them in a single plugin, thereby ensuring that as many security holes as possible are patched without having to worry about conflicting features or the possibility of missing anything on your site.