My colleague has a great tech-related WordPress blog; the other day we did a few minor fixes in the template.
All was well till evening; when he logged in at night he realized that the blog pointed to a different domain. The blog had been hacked, and the hacker had pointed it to a different domain, which obviously belonged to the hacker.
Being a tech guy, he could restore it in the next 30 minutes, but what do you do if your blog is hacked and you are not a tech guy?
WordPress is probably one of the safest blog systems out there. But the code is open source, which means that anybody can read it, and that includes people looking for security holes. Holes that get found are fixed quickly in a new release, but until you install that release your blog is running code with a publicly known hole, and someone who finds it may be able to get into your WordPress admin account and erase every single blog post. In my colleague's case the blog was not erased; it was pointed to a different domain.
There have been numerous cases where blogs have been completely erased with no backup, and bloggers have tried without success to get their web host to provide daily backups. The backups web hosts do keep are only restored if the host's own system fails, which has nothing to do with hacking.
You cannot avoid a hack attack completely, but you can certainly take preventive measures to secure your WordPress blog.
Below are seven tips to secure your blog from being hacked.
1) Upgrade to the latest WordPress version:
– A majority of the blogs that get hacked run an outdated WordPress version, because the holes fixed in each release are public once the release is out. Whenever a new WordPress version is available you are notified in the admin panel, and upgrading takes only one click and a few seconds.
2) Avoid using relatively new plugins:
– There have been cases where WordPress plugins have had security issues; some plugins are not as secure as they should be, and since a plugin runs with the same access as WordPress itself, a hole in the plugin is a hole in the whole blog. Use only plugins that have been tried and tested on other blogs, and delete plugins you no longer use rather than just deactivating them: a deactivated plugin's files are still on the server and can still be reached directly.
3) Update plugins regularly:
– Just like the WordPress version upgrade, you will find that updates for plugins are offered in the WordPress admin. Make sure you are running the latest version of every plugin on your blog.
4) WordPress database backup plugin:
I don't want to use the export function in WordPress twice a day, so I use a plugin to do it. This plugin will send you an email twice a day. It backs up comments, posts and whatever is needed to get the blog running again, and everything is done automatically.
I want to make clear the importance of making automatic backups. You never know when you will be hit by an attack. Many of these attacks are not related to you personally; some hacker may just want to show their friends that they can hack a blog. If that happens, there should be preventive measures in place to get your blog up and running again.
The same hacker will not hack your blog again; this is just an assumption, but you never know, so just keep backing up your files.
Normally when people attack your blog they only delete the posts, comments etc. (what is stored in the database), and that is exactly what this plugin backs up. It does not back up files: your themes, plugins, uploaded images (wp-content/uploads) and wp-config.php live on disk, not in the database, so a database backup alone will not bring them back.
To be safe, also copy all the files from your web server down to your computer. The files only change when you add or change a theme or plugin or upload media, so this does not have to happen as often as the database backup; everything else is in the database.
Just connect to your server and copy every file that is on it. How often depends on how frequently you update your blog: if you post 3 or 4 times a week, take a full file backup every week.
The plugin I have been talking about is called WordPress Database Backup; the download instructions are on its page. Keep the emailed dumps somewhere other than the web server itself, and treat them as sensitive: a dump contains your whole database, including the password hashes of every user.
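The plugin above covers the database only. The following script is an added example, not code from the plugin or from WordPress, of a full backup that also covers the files: it reads the database credentials out of wp-config.php, dumps the database with mysqldump, archives wp-content and wp-config.php, and keeps only the newest archives. It assumes a standard install (wp-config.php in the WordPress root, content under wp-content/) and that mysqldump is installed on the host; the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: full WordPress backup (database dump + file archive).
# Assumes a standard install with wp-config.php in the WordPress root.
set -eu

# Pull a define('NAME', 'value') constant out of wp-config.php.
# Usage: wp_config_value DB_NAME /path/to/wp-config.php
wp_config_value() {
    name=$1
    config=$2
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$name['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*\$/\1/p" "$config" | head -n 1
}

# Dump the database with mysqldump using the credentials from wp-config.php.
# The password is passed in the MYSQL_PWD environment variable rather than on
# the command line, so it does not show up in `ps` output on a shared host.
wp_db_dump() {
    root=$1
    outdir=$2
    stamp=$3
    config="$root/wp-config.php"
    db=$(wp_config_value DB_NAME "$config")
    user=$(wp_config_value DB_USER "$config")
    host=$(wp_config_value DB_HOST "$config")
    out="$outdir/wp-db-$stamp.sql.gz"
    # ${host%%:*} drops a ":port" suffix that some hosts put in DB_HOST.
    MYSQL_PWD=$(wp_config_value DB_PASSWORD "$config") \
        mysqldump --single-transaction -h "${host%%:*}" -u "$user" "$db" | gzip > "$out"
    echo "$out"
}

# Archive what lives outside the database: uploads, themes, plugins and
# wp-config.php (which holds the database password and the auth salts).
wp_files_archive() {
    root=$1
    outdir=$2
    stamp=$3
    out="$outdir/wp-files-$stamp.tar.gz"
    tar -czf "$out" -C "$root" wp-content wp-config.php
    echo "$out"
}

# Keep only the newest $2 archives in $1 so the backup directory does not
# grow without bound.
prune_backups() {
    dir=$1
    keep=$2
    ls -1t "$dir"/wp-*.gz 2>/dev/null | tail -n +"$((keep + 1))" | while IFS= read -r f; do
        rm -f "$f"
    done
}

# One full backup run: both parts share a timestamp so they can be matched up.
wp_backup() {
    root=$1
    outdir=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$outdir"
    wp_db_dump "$root" "$outdir" "$stamp"
    wp_files_archive "$root" "$outdir" "$stamp"
    prune_backups "$outdir" 14
}

# Usage (placeholder paths): sh wp-backup.sh /var/www/html /var/backups/wordpress
# Run it from cron, then copy the archives off the server with scp or rsync
# over SSH so a compromise of the web server does not take the backups with it.
if [ $# -ge 2 ]; then
    wp_backup "$1" "$2"
fi
```

The backup directory should be outside the web root, otherwise the dumps (database password hashes included) become downloadable by anyone who guesses the file name.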
5) Protect your WordPress admin folder:
– Hackers use automated bots to try to crack your password: a script keeps guessing passwords against the login page until one of them works.
What you need to do:
– Restrict access to the wp-admin folder by IP address: you can limit the wp-admin folder to the IPs you and your team of writers use with an .htaccess file. The drawback is that you have to keep editing the .htaccess file if your internet provider assigns you dynamic IPs.
– Login LockDown plugin: the Login LockDown plugin records the IP address and timestamp of every failed WordPress login attempt. If it sees several failed attempts from the same IP range within a short span of time, it disables login for the entire range. You can configure how many failed attempts are allowed and for how long the range stays locked out.
– AskApache Password Protect plugin: this plugin adds a second login layer in front of your admin folder, with a user name and password that you define. To reach the wp-admin folder you then need the second-layer login as well as your WordPress login.
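The two .htaccess-based measures above (the IP allow-list and the second password layer) can be combined in one file. The fragment below is an added example, not the configuration the AskApache plugin generates; the IP addresses and the path to the password file are placeholders to replace with your own. It uses the Apache 2.2 directives (Order/Allow/Deny, Satisfy) that were current for these plugins; on Apache 2.4 the equivalents are `Require ip` and `Require valid-user` inside a `<RequireAny>` block.

```apache
# .htaccess placed inside the wp-admin/ folder (added example, placeholder values)

# Some themes and plugins call admin-ajax.php from the public site for
# anonymous visitors, so that one file stays reachable or those features break.
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>

# 1) IP allow-list: only these addresses reach anything else under wp-admin.
#    203.0.113.0/24 and 198.51.100.7 are placeholders; list the addresses you
#    and your writers use. Dynamic IPs mean this list needs editing.
Order deny,allow
Deny from all
Allow from 203.0.113.0/24
Allow from 198.51.100.7

# 2) Second login layer: HTTP basic auth in front of the WordPress admin.
#    Create the password file outside the web root, for example with
#      htpasswd -c /home/example/.htpasswd-wpadmin editor
AuthType Basic
AuthName "WordPress admin"
AuthUserFile /home/example/.htpasswd-wpadmin
Require valid-user

# "Satisfy all" (the default) requires BOTH a listed IP and the password.
# "Satisfy any" would let a listed IP in without the password.
Satisfy all
```

One caveat: the login form itself is wp-login.php in the blog's root folder, not in wp-admin, so password-guessing bots posting to it are not stopped by this file alone. Wrap the same directives in a `<Files wp-login.php>` block in the root .htaccess as well, otherwise the protection only starts after a successful login redirects into wp-admin.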
6) Have a complex user id and a strong password:
– WordPress by default assigns you 'admin' as the login id, and not many bloggers change it, because the user name cannot be changed from the profile screen: you either edit the wp_users table in the database or create a new administrator account and delete the old 'admin' user, reassigning its posts to the new account.
'admin' as a login name is very easy to attack, because most blogs use it, so a bot only has to guess the password and never the user name. I recommend changing the admin login name to make the hacker's job harder. You should also have a strong password: long, mixing letters, numbers and symbols, and not reused on any other site.
7) Use SSH / shell access instead of FTP access:
– FTP sends your user name, password and files over the network in clear text, so anyone who can watch the traffic can read them, and if someone gets hold of your FTP login it could spell disaster for your blog. Use SSH (SFTP or SCP) to transfer, upload and edit your files; everything is encrypted.
Do you have any more plugins or tips to secure WordPress blogs?