Let me start this post with a confession. When it comes to web and blog security, I used to be cocky, really cocky.
I always believed that the people who get infected with viruses and malware use passwords like “password123″, and who are still running their website on a CMS (content management system) that hasn’t been updated in years. I always knew it could technically happen to me, but figured even thinking about it would be a waste of my time.
And then it happened.
On that fateful summer Tuesday, I got an email from a business school professor that I was designing a website for alerting me that the site had been hacked, and was now directing all of his students to pornography websites. The next day, I got word that customers were refusing to use the website that I had designed for St. Pete Bagel because their antivirus software kept going off whenever they viewed the homepage. Within a few days, it was the same story for virtually every web property that I had been managing, and this page started hunting my dreams:
Turns out, I was among the tens of thousands of victims who were hit by the TimThumb security vulnerability. I had received an email about the discovery of this security hole from the creator of the WordPress themes that I was using, but mistakenly assumed that only a small percentage of users would be affected, and that I didn’t have much to worry about. If I had actually read the email in full, I probably could have avoided the weeks of stress and hair pulling that followed.
Thankfully, all of the really nasty malware infections are now gone, but the experience was beyond painful, and taught me a valuable lesson, which is to never, ever assume that your website is immune.
Remember, it’s almost never personal. Your website didn’t get hacked because it’s your website; it was infected because software that automatically scans hundreds of thousands of random websites for identified security vulnerabilities tagged your site as a potential target.
In an effort to spare other WordPress website owners the horror that I went through, here are six tips for making your site into an impenetrable online fortress.
If necessary, let the pros handle the cleanup — I started by trying to remove all of the nasty malware code that had spread throughout my websites. I used Sucuri‘s free website malware scanner to determine which files were infected, and then got to work. It seemed easy enough; time-consuming and repetitive (essentially deleting chunks of the “bad” code over and over again), but after about an hour of cleaning, my antivirus finally stopped going off. Thinking I was in the clear, I went to bed, only to wake up the next morning with more malware warnings. I ran Sucuri’s scanner and sure enough, more infections!
Turns out, I had taken care of the symptoms, but the disease (i.e. the backdoor that had allowed the bad code to “sneak in” again) was still alive and raging. In situations like these, it’s important to inspect and clean literally every file; miss anything and you might as well start all over again (just like I had to).
I was on deadline to get these websites up and running within 24 hours, so I decided to stop playing superhero and let the pros handle it; I paid $89.99 and signed up for Sucuri’s monitoring and cleanup service. Every 6 hours, the Sucuri staff check my website for infections and malware. If something triggers the scan, they’ll log into the website and perform all of the deep cleaning on my behalf. I sent over my FTP login information and waited. After a few hours, I got a comprehensive email with a list of all of the files that had been cleaned and patched. I haven’t had a problem since!
Key takeaway: it’s better to be safe than sorry. I could have spent days inspecting and cleaning every one of the hundreds of infected WordPress files, but I realized that my time is valuable, and let people who clean websites for a living handle it.
Now that the website is clean, let’s look into how we can prevent re-infections.
Update, update, update — an update a day keeps the malware away. But seriously, if there’s nothing else you take from this post, remember this — updating your templates, plugins, and core WordPress files is the number one way you can keep your website infection-free.
New versions of WordPress contain bug fixes, stability improvements, and security patches for previously discovered vulnerabilities. The WP dashboard displays a warning when a new version of WordPress becomes available (same with select plugins and templates), and the updating process is pretty much automated by this point.
If you rarely log into your website backend, download and install a plugin like Update Notifier, which will send you a notification via email.
Be selective about your templates — on the topic of WP templates, it pays to be choosy. Specifically, be sure to select a template that is actively maintained and improved. When TimThumb became public, the folks behind Elegant Themes immediately got started working on an update. If the template isn’t available through the official WordPress directory, you may not receive automatic update notifications, so do your homework and become familiar with how the creator distributes updated versions.
Only use plugins you actually need — this is a big one. If you download a plugin that you don’t actually end up using, don’t just deactivate it; take the five extra seconds to completely delete all of the associated files from your WordPress directory. A preponderance of inactive plugins presents a huge security risk, especially if they haven’t been updated in a while.
Go ahead, log into your WP backend and do some plugin’ cleaning; I’ll wait.
Finished? Good, let’s move on.
Users and passwords — limit the number of users with administrative privileges, and instruct those that do have admin access to use a strong password. A strong password consists of:
- At least 8 characters
- Both uppercase and lowercase letters
- Special symbols (e.g. &, #, -)
- Phrases with no semantic meaning (i.e. the more gibberish it looks, the better)
Malicious hackers frequently try to take over WordPress websites by using brute force attacks; they literally keep trying password after password until they can get access. Don’t make it extra easy for them. All of this is equally applicable to your FTP accounts; if you don’t know how to change your FTP login info, contact your webhost or drop me a note in the comments section and I’ll try to help you out.
Oh, and since we’re talking about users, if you suspect your website has been the target of a malware infection, start by checking the Users page within the WP dashboard. If you see any entries that you did not create, remove them right away.
Watch your company — this is where I got burned bad. All of the websites that I manage are installed in the same directory on my server, which means that once one website got infected, it was only a matter of time before the malware started spreading and cross-infecting all of the other web properties. Indeed, this is ultimately why I ended up upgrading my account with Sucuri to include multi-site monitoring.
To get around this issue, just make sure to follow and implement the advice that I’ve provided above to all of your sites. Remember, vigilance is half the battle.
Waking up to find your website slapped with a big, red “Warning: Something’s Not Right Here!” sucks, a lot. It’s bad for your stress levels, your business, and the time that you’ll spend cleaning it up could have gone into things like customer service or writing a new blog post.
Still, it’s happened before, and it can certainly happen to you, too. I didn’t think so, and boy, did I pay the price. Be smart, and good things shall come.
Has your website ever been hacked? How did you deal with it? Share your stories in the comments below.