It Couldn’t Be Me
This was my first reaction to the hacking. The website was still under construction and the login password was pretty strong, so how did the hacker manage to penetrate it? But then again, if hackers can penetrate the websites and systems of government agencies and huge enterprises, what is a WordPress site to them?
Another question that came to mind was “Why this website?” It was still in its infancy and had yet to be promoted or publicized, so how did the hackers manage to locate the website and hack it? I did some research later and found that bots (or robots) are programs designed to constantly scan the web for vulnerabilities, and once they find a weakness, they exploit it.
The hacking was a wake-up call! I can’t imagine the adverse impact it would have had if the website had more users. For all practical intents and purposes, I don’t think any website can be 100% protected. What we can do is employ some measures to make any hacking attempt a little more frustrating.
After the Attack
- Remain Calm And Don’t Panic: Take three deep breaths and calm down. Studies have shown that panic impairs your ability to make decisions. Whatever has happened has happened; the main thing is to remain cool-headed and deal with the situation.
- Contact your web hosting provider: Perhaps your website was not the only site that was hacked; it could be a security breach affecting many accounts on the same server. Your web hosting provider can shed more light on what happened, tell you what the server logs show, and guide you in restoring the hacked site from a clean backup.
- Do a situation update: Take stock of what was affected beyond the defaced pages. Look for administrator accounts you did not create, modified theme or plugin files and unfamiliar files in the upload folders, and change every password involved (WordPress admin, cPanel, FTP and database), because an attacker who keeps one of them keeps a way back in. If sensitive information or data has been compromised, ascertain the damage and make a police report.
- Damage control: Contact your customers and suppliers about the hack. It is always better that they hear it directly from you than discover it when they visit your website.
Prevention is Better than Cure
In a talk that also included details on the next two versions of WordPress, Mullenweg said, “We’re now up to 18.9 percent of the web running WordPress. … We’re going to see the number of people who have WordPress as part of their daily habits grow exponentially.”
Around 66 percent of those sites and blogs are in English. Monthly pageviews for all WordPress sites and blogs rose to a massive 4 billion in 2013.
(Read more at: http://venturebeat.com/2013/07/27/19-percent-of-the-web-runs-on-wordpress/)
With almost 19% of websites running on WordPress, it is a natural target for the scanning bots described above, and there are some basic measures we can take to minimize our exposure:
- Update! Update! Update! WordPress routinely releases updates for enhancements, improvements and bug fixes, including security fixes; likewise for themes and installed plugins. Once you receive a notification that a newer version is available, log into your admin panel and update WordPress, your themes and your plugins accordingly (take a backup first in case an update breaks something). Sticking with an older version leaves the website exposed to vulnerabilities that have already been fixed and publicly documented, which is exactly what the scanning bots look for. Also delete themes and plugins you no longer use rather than leaving them installed but inactive, since their files are still on the server.
- Username. Change the username from the default “admin” to something else. Leaving it as the default means the battle is already half won by potential attackers, as only your password needs to be guessed, and “admin” is the first username every brute-force bot tries. Bear in mind that WordPress still reveals usernames in other ways (for example the author archive URL, yoursite/?author=1, normally redirects to a page named after the account), so treat this as one small hurdle and rely on the password and the login limits below for the real protection.
- Password. For ease and convenience, we use easily remembered passwords; adding complexity to our passwords feels like adding complexity to our lives. However, we need strong passwords for better protection, just as we have strong and sturdy locks on our gates and doors. Use a long password (twelve characters or more) with a mixture of capital letters, small letters, numbers and symbols, never a dictionary word or the name of your site, and never reuse it for the hosting account, FTP or your e-mail. A password manager makes this painless. Change the password after any suspected compromise.
- Password-protect the admin directory. This is not two-factor authentication in the strict sense, but it does put a second, independent login in front of WordPress: besides the WordPress username and password, you can password-protect the wp-admin directory at the web server level from cPanel. Log into cPanel, look under “Security”, click on “Password Protect Directories”, select the wp-admin folder and create a user and password. Attackers then have to get past the server’s login prompt before they can even reach the WordPress login form or the wp-admin scripts. Two caveats: use a different password from your WordPress one, and note that some themes and plugins call wp-admin/admin-ajax.php for visitors who are not logged in, so test your public pages after enabling it. For real two-factor authentication (a one-time code from your phone in addition to the password), use a plugin that provides it.
- Back-up. Don’t forget to back up your site, since a clean backup is what lets you recover after a hack. Back up both the database and the files (wp-content in particular), and keep copies somewhere other than the web server itself, so that a compromised server does not also mean compromised backups. There are many WordPress plugins that let you schedule backups; one of them is UpdraftPlus, whose free version you can try to get a feel for how it works. Test that you can actually restore from a backup before you need to.
- Security. Installing a security plugin lets you be informed of hacking attempts on your site. Some of these plugins will also scan your website for vulnerabilities, notify you by e-mail when updates to WordPress, themes or plugins are available, and flag changes to core files. Two security plugins that come to mind are Better WP Security and Wordfence. Remember that a security plugin is itself a plugin: keep it updated like any other.
- Limit login attempts. Did you know that you can have a user locked out of your website if he or she enters the wrong username and/or password X times, where you define X (for example 3, 5 or 7 attempts)? You can also set how long the lockout lasts (for example 2 hours or 24 hours). Limiting login attempts frustrates brute-force guessing, but be mindful that the parameters you set do not unnecessarily inconvenience your genuine users, and that a lockout keyed on the username alone lets an attacker lock you out of your own site simply by failing logins as you; lock out on the combination of username and IP address instead. You can check out this plugin for more information.
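As an added example (not code from the original post, and not the code of any plugin named above), the login-limiting logic just described written as a small WordPress must-use plugin in PHP, saved under wp-content/mu-plugins/. It counts failed logins per username-and-IP pair in a WordPress transient, refuses authentication once the count reaches the configured limit, and clears the count on a successful login. The thresholds (5 attempts, 2 hours), the hypothetical example_ prefix and the use of $_SERVER['REMOTE_ADDR'] are assumptions; behind a proxy or CDN you would need to read the real client address from whatever header your host provides.

```php
<?php
/*
Plugin Name: Example Login Lockout (added example, not a published plugin)
Description: Lock out a username/IP pair after N failed logins for M seconds, using WordPress transients.
*/

// Assumed thresholds: 5 failed attempts lock the pair out for 2 hours.
// HOUR_IN_SECONDS is a constant WordPress defines.
define('EXAMPLE_LOCKOUT_MAX_ATTEMPTS', 5);
define('EXAMPLE_LOCKOUT_SECONDS', 2 * HOUR_IN_SECONDS);

// Transient key for one username/IP pair. Keying on both means an attacker
// cannot lock a genuine user out just by failing logins with their username,
// and one attacker's lockout does not affect other visitors.
function example_lockout_key($username) {
    // Assumption: REMOTE_ADDR is the real client address (no proxy/CDN in front).
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_lockout_' . md5(strtolower($username) . '|' . $ip);
}

// Count a failed login. Once the limit is reached the count is left alone,
// so the lockout expires EXAMPLE_LOCKOUT_SECONDS after the attempt that
// triggered it rather than being extended by every further try.
add_action('wp_login_failed', function ($username) {
    $key = example_lockout_key($username);
    $attempts = (int) get_transient($key);
    if ($attempts < EXAMPLE_LOCKOUT_MAX_ATTEMPTS) {
        set_transient($key, $attempts + 1, EXAMPLE_LOCKOUT_SECONDS);
    }
});

// Refuse authentication while the pair is locked out. Priority 30 runs after
// WordPress's own username/password check (hooked at 20), so a correct
// password still does not get in during the lockout window.
add_filter('authenticate', function ($user, $username, $password) {
    if ($username === '') {
        return $user;
    }
    $attempts = (int) get_transient(example_lockout_key($username));
    if ($attempts >= EXAMPLE_LOCKOUT_MAX_ATTEMPTS) {
        return new WP_Error(
            'example_locked_out',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter, so a genuine user who mistyped a
// couple of times does not carry those failures into the next session.
add_action('wp_login', function ($user_login) {
    delete_transient(example_lockout_key($user_login));
});
```

Because the counter lives in a transient, it expires on its own and needs no cleanup; the generic error message deliberately does not say whether the username exists, so the lockout itself does not leak account names to the attacker.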
The above are just some simple measures we can employ to make our WordPress sites a little safer. There may be no foolproof plan to make our WordPress sites totally, 100% secure, but what we can do is make them a little more secure each day by keeping abreast of developments and updates from WordPress and other technology sites and forums, and by sharing knowledge of best practices. Do you have other measures to improve WordPress security? If so, please share.
Please remember: Our Site Security Is Our Responsibility!