Very few people in the course of human history have known the frustration of waking up to find the nonprofit website they manage hacked and covered in Viagra ads. (True story.)
Such is the nature of our world today. There are at least thousands — probably millions — of people and bots right now trying to hack into the websites of everyday people just because they can.
And we make it easy for them.
WordPress has made creating a website pretty simple — so simple that the platform now powers about one quarter of the whole Internet. The problem is that a WordPress installation right out of the box isn’t very secure. A WordPress site owner needs to take specific steps to safeguard that website, and that isn’t happening uniformly across WordPress’ quarter of the Internet.
As such, hackers have made a real business out of interfering with the data on other websites. According to AP reporter Joyce M. Rosenberg, hacks to a company’s website cost on average $8,700 to repair.
So, here is what you need to know about recovering from a cyber attack and securing your own WordPress site.
Remove Mentions of WordPress
Interestingly enough, the very mention of the term “WordPress” on your website can create security issues.
Hackers and hacker bots can exploit known vulnerabilities in your website if they can identify what version of WordPress you’re running, what your theme is and what plugins you’ve installed. Remove any mentions of WordPress from your website, and any mentions of the theme and plugins you have installed.
As KeriLynn Engel of Elegant Themes suggests, “By changing some default permalinks, you may be able to protect your website against things like brute force attacks, SQL-injection and requests to your PHP files.”
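To see what a page of your own site still gives away, you can audit its rendered HTML. The sketch below is an added example, not code from the article or from any plugin; the sample markup and version numbers are constructed.

```python
import re
from html.parser import HTMLParser

# Asset URLs under wp-content name the theme or plugin directory; "?ver=" adds a
# version (WordPress appends its own core version when an asset registers none).
ASSET = re.compile(
    r"/wp-content/(themes|plugins)/([^/?#\"']+)/[^?#]*(?:\?ver=([\w.\-]+))?")

# Constructed sample page, not taken from a real site.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 9.9.9">
<link rel="stylesheet" href="/wp-content/themes/twentyfifteen/style.css?ver=9.9.9">
<script src="/wp-content/plugins/jetpack/example.js?ver=1.2.3"></script>
</head><body><img src="/wp-content/uploads/2015/05/logo.png"></body></html>"""


class LeakAudit(HTMLParser):
    """Collects what a rendered page reveals about the WordPress stack."""

    def __init__(self):
        super().__init__()
        self.report = {"generator": None, "themes": {}, "plugins": {}}

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta" and (attrs.get("name") or "").lower() == "generator":
            self.report["generator"] = attrs.get("content")
        for value in (attrs.get("href"), attrs.get("src")):
            match = ASSET.search(value or "")
            if match:
                kind, slug, version = match.groups()
                # Keep a version seen earlier if this URL carries none.
                self.report[kind][slug] = version or self.report[kind].get(slug)


def audit_page(html):
    """Return the generator tag plus theme and plugin slugs (with versions)."""
    parser = LeakAudit()
    parser.feed(html)
    return parser.report


if __name__ == "__main__":
    print(audit_page(SAMPLE_HTML))
```

Anything this report lists is visible to every visitor, so it is the inventory to keep patched first.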
Hide My WP: A Premium Plugin
Removing every mention or indication that you’re running WordPress can be both difficult and incredibly time-consuming. Instead, try the Hide My WP plugin, which automatically does the work for you and updates to counter new vulnerabilities as they appear.
However, there is no absolute method to hide the fact that you are using WordPress, and a competent hacker will be able to identify which version you are using by applying their knowledge of the differences between versions. Still, this little smokescreen between your website and a would-be hacker is a good place to start bolstering your security.
Back Up Your Data
Backing up your data should be your first stop-gap measure in the event of a hack. This lets you salvage whatever you have left of your website. And regardless of whether you have been hacked, ensure that you routinely and thoroughly scan the backup files for viruses and malware.
By routinely backing up your WordPress site, you protect yourself from losing everything in the event of data corruption or a hacker’s malicious activity. And it’s easily done, as set out by the team at WordPress.org, with either manual or automated processes or plugins to do the work for you.
Here are three options for automating your backup:
- BackUpWPFree (no cost)
- VaultPress (prices start at $60 per year)
- BackupBuddy (prices start at $80 per year)
The Importance of Updates
Regular updates apply fixes for security issues and hacker backdoors as they become known to developers. By ignoring these updates, you leave your database and information vulnerable to known threats. Bob Dunn, a WordPress coach and trainer, warns about the security holes opened by running outdated versions of anything WordPress related.
If your site has been hacked, it’s important to cleanly install a new version of WordPress. This should be one of your first steps to recovering and rebuilding your website. Do this by uploading a freshly downloaded WordPress via FTP, or by deleting and reinstalling a WordPress plugin on your web host’s control panel.
Keep an Audit Log
It goes without saying that vigilance and monitoring are innate to security, online and offline.
A WordPress audit log is a complete record of everything that occurs on your website, and is a logical ally in the fight against hackers. By allowing you to scrutinize all user activity, a log allows you to prevent a cyber attack by identifying anything suspicious before it becomes a threat to your security. And, in the unfortunate event of a hack, your log will help you recover faster, recover more thoroughly and identify what security holes need to be plugged.
In fact, audit logs are so crucial to internet security that plugins exist for your WordPress site. One that comes highly recommended is the WordPress Security Audit Log, created by WordPress security professional Robert Abela.
By making this plugin, or something like it, part of your website’s security and post-hack recovery, you can monitor WordPress user activity and productivity to identify vulnerabilities or hacks (like added users) and work to correct them.
Change Your Administrator Name
By keeping the default administrator name for your WordPress account, you are doing half of a brute force hacker’s job. All that remains is for them to guess your password.
Jacob Nicholson of InMotion Hosting knows the importance of changing your WordPress admin username for security, and he provides an easy, thorough guide on how to go about adding this layer of protection to your website. This is an imperative step in the event that your website has been hacked, and should follow a clean and fresh WordPress installation.
To change your default user name, just create a new administrator user, and use the new account to delete the original default administrator.
By having weak passwords for access to the admin side of your website, you’re leaving your WordPress open to be hacked. Brute force hackers use algorithms to guess passwords to gain access to the control panel, and if your passwords are weak they’re much more likely to succeed.
Apply standards of password strength across the board for you and all users of your WordPress. Adrian Spiac of Cozmoslabs believes that short or weak passwords are among the most common methods hackers use to breach the security of WordPress sites. Ensure that you enforce password strength policies or use a trusted plugin that governs password strength for all users in your database. And if you think you’ve been hacked, change all passwords immediately.
Use a Web Application Firewall
A WAF, or web application firewall, is an Internet-based firewall that protects web applications and servers from cyber attacks that ISPs cannot prevent.
When speaking of a cyber attack against his own organization, Barracuda Labs, Executive Vice President Michael Perone highlighted the power and importance of a WAF. After their firewall was left in passive mode, a script was able to compromise lead and partner contact information. Had their WAF been online, this would not have been possible.
And these firewalls are commonly integrated into WordPress sites to protect against vulnerabilities and malicious scripts, adding yet another layer of security to your website.
Abela, the creator of WordPress Security Audit Log, underscores the power of WordPress WAFs in analyzing web traffic before it reaches your website. If a malicious script attempts to access your domain, chances are the firewall will block its access and protect your data.
As there are many web application firewalls on the market, it’s difficult to know which one is right for your website. Depending on your business, website purpose, website size and potential vulnerability, one of these ten popular WAFs should fit your needs. Take a look at each WAF’s ease of integration into your existing architecture and ease of use.
However, like all software, WAFs aren’t foolproof. In fact, a WAF can be circumvented by a hacker if they know your IP address. Nor will a WAF address other security issues such as weak passwords and configuration issues. But, and especially if you have already fallen victim to a cyber attack, a web application firewall should form a part of your strategy for website security.
The Risks of Plugins: A Case Study on JetPack and Twenty Fifteen
WordPress is popular because it is customizable, which is made possible by themes and plugins. These mostly third-party add-ins range in purpose, design and complexity, and in many cases it is hard to certify that they are not malicious. In fact, it is common for plugins to present serious vulnerabilities to WordPress users.
Take, for example, the JetPack plugin and the Twenty Fifteen theme. The former has more than one million active installations, and the latter is installed by default. Both have been found to present a serious security threat to WordPress users.
David Dede, a malware researcher with Sucuri, has written extensively on the threat. Dede found that the vulnerability stemmed from their use of the genericons package, which contained an insecure file, “example.html”. Significantly, the vulnerability was an XSS (cross-site scripting) flaw that executed an attack directly in the browser, and so was undetectable by firewalls.
But once discovered, the JetPack and WordPress security teams came up with a fix, according to Jeff Chandler of WPTavern, who also reaffirmed the solution. While a manual fix is to remove the vulnerable file, updating WordPress and the affected plugins will patch the security flaw and leave a site more secure.
The key takeaways here: Update plugins and themes regularly, and only use plugins from trusted developers.
The Backdoor Hack
In the event that your WordPress has been hacked, there must exist somewhere in your database a backdoor or security flaw that has permitted access. If you’ve done everything above, then it’s time to look a little more closely for something more sinister — added code.
Added code will often be something that appears innocent, but will give a hacker access to any PHP code that they desire. This code will often be hidden in themes, plugins and uploads to survive WordPress updates. WP Learning Lab explains this in detail and shows you how easy it is to close that backdoor:
“It is very simple to do by merely deleting the file or the code that any threat is found in. Users can also use malware scanners that are available. Once the cleaning is done it is always advisable to run your browser in incognito mode and check if the threat comes again or not.”
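A simple scanner for the places named above (themes, plugins and uploads) that also reports the genericons “example.html” file from the JetPack and Twenty Fifteen case. This is an added example, not WP Learning Lab's or WordPress's code; the regex is a heuristic assumption and the sample tree is constructed.

```python
import re
import tempfile
from pathlib import Path

# Heuristic (assumption, not from the article); legitimate code can match too.
SUSPICIOUS = re.compile(
    rb"(eval|assert)\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)
PHP_EXT = {".php", ".phtml", ".php5", ".phar"}


def scan_wp_content(wp_content):
    """Return sorted (relative_path, reason) pairs for files that need review."""
    root = Path(wp_content)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        is_php = path.suffix.lower() in PHP_EXT
        # Uploads should hold media, so executable PHP there is unexpected.
        if rel.parts[0] == "uploads" and is_php:
            findings.append((rel.as_posix(), "PHP file in uploads"))
        # The demo page named in the JetPack / Twenty Fifteen case study.
        if path.name == "example.html" and path.parent.name == "genericons":
            findings.append((rel.as_posix(), "genericons example.html"))
        if is_php and SUSPICIOUS.search(path.read_bytes()):
            findings.append((rel.as_posix(), "obfuscated execution pattern"))
    return sorted(findings)


def build_sample_tree(base):
    """Write a constructed wp-content tree (not from a real site) for the demo."""
    files = {
        "themes/twentyfifteen/genericons/example.html": b"<html>demo</html>",
        "themes/twentyfifteen/functions.php": b"<?php add_action('init', 'setup');",
        "plugins/gallery/helper.php": b"<?php eval(base64_decode('ZWNobyAxOw=='));",
        "uploads/2015/05/logo.png": b"\x89PNG",
        "uploads/2015/05/cache.php": b"<?php echo 'hi';",
    }
    for name, data in files.items():
        target = Path(base) / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return Path(base)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, reason in scan_wp_content(build_sample_tree(tmp)):
            print(f"{reason:30} {rel}")
```

Treat every hit as a lead to review by hand, and compare flagged theme and plugin files against a fresh download before deleting anything.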
Use a Professional
And if you still aren’t sure about the security of your WordPress site or are unable to recover from a hack, contact a professional.