Went to login into my blog to have a quick check in. Couldn’t login in and had a minor panic.
After a bit of frantic Google searching, decided to have a peek over at my web host (Go Daddy) to see what was going on (*note to self, always check with web host first before assuming the worst ) and sure enough, they had locked all users out of WordPress sites until further notice due to a major worldwide hacker attack. OK cool, I can live with that.
Shifted into work mode.
I help to manage the social media presence for a fairly large Canadian web host and boy was there a deluge of inquiries and tweets waiting. Concern and panic all over the place.
No small business owner or entrepreneur wants to put their lifeblood (and yes, we’re talking about your website here folks) in jeopardy.
It’s never pleasant to be hacked. It’s happened to me before when one of the small affiliate websites I set up was shut down by my host due to hacker infiltration. Wasn’t a huge deal and I didn’t have a ton of content up there. But still. It could have been a much, much bigger deal. The lovely Natalie from Suitcase Entrepreneur had her own nightmare experience that’s worth reading about (including some great tips from her – check it out here).
Ever since that website hack experience, I’ve had doing up a post about WordPress website security on my list of blog topics. In light of the events last week, I figured it was time to get it posted.
So here are the basic steps that you should take to secure your WordPress website…
Update the version
Prior to being hacked myself, I didn’t really pay much attention to the whole “update your WordPress to the latest version” message that would show up at the top of the screen logged in. I didn’t really think it was that important and most of the time I didn’t bother. Bad move. Installing these updates is important and had I done so on my other site, it most likely would not have been compromised. These updates involve updates to security settings. So click on that update whenever you see it.
Update the plugins
Same goes for your plugins. Keep those updated too. One popular plugin that has been causing some problems is the WP Super Cache that helps with site speed. If you’re running that one, it’s recommended that you make the switch over to Quick Cache. (Don’t know how to install plugins? The next section has a resource to help you).
Login Attempts plugin
One of the best things about WordPress based sites is the gobs and gobs of free and totally awesome plugins available (yay, open source!). One of them is the Limit Login Attempts plugin that controls what happens when someone tries to login and fails. There is a really fantastic video tutorial on how to get this done here – if you don’t know how to set up a plugin on your site, this makes it really easy to understand.
If your username is admin… change it pronto! This is a default setting and many hackers use this knowledge to get in. This weakness was being specifically targeted in this attack. This is the default.
And remember not to make it something super obvious. Your username for login and how you show up in your WordPress profile, such as when you are leaving responses to comments on your blog, are not connected. So your username for login is not public and definitely should not be something easy to guess, such as your name or your business’ name.
I thought my password was pretty good. It had a capital letter. And a symbol.
I’ve since pumped it up big time. It’s got a bunch of symbols. A bunch of numbers. A bunch of caps. A bunch of random weirdness basically. Yes, it’s not easy to remember. But that’s the whole point. This is a minor inconvenience compared to losing your whole website.
This is a great resource for creating a strong password.
I am very non-techie (better than I used to be before starting my own small business, but still a bit naive I think ) and I made the incorrect assumption that my web host had me covered. When I dealt with the small affiliate site going down, I have to admit that I was a little surprised that my web host was not just simply going to recover it for me. Website backups are not included in web hosting plans. You have to make your own arrangements or pay for the service.
For WordPress, there are of course some fantastic plugins that can help. My friend Francisco over at SocialMouths wrote a great post with options for backing up your WordPress site here.
What if I don’t run on WordPress? Or manage my own website?
A lot of the above still applies, such as having strong passwords etc… It’s just general good security common sense. If you’re completely hands off with your website, then check in with your web guys to make sure that they are covering your bases in terms of backups and security. Don’t like the answer they give you? Don’t feel confident in their abilities? I’m happy to set you up with a web team you can trust… since I trust them myself with my own site and sites for my clients. Just contact me.
So these are just some of my basic tips for keeping your WordPress website safe and sound. Do you have any others? Please share your knowledge in the comments… for the benefit of us all!