Help My Website Has Been Hacked! – What Can I Do?
Help My Website Has Been Hacked!
Those are the six words - Help My Website Has Been Hacked! - that all website owners dread saying. But what does it mean, what does a hack entail, and how can you prevent them happening?
Hacking Problems - What Is The Problem?
Hacking is increasing and no-one is immune from hackers attacking their website. In fact, Forbes magazine estimate that nearly 30,000 websites get infected with some type of malware every single day. We’ve heard of the well-publicised large companies that have been hacked.
However, in reality most businesses affected by hackers are small businesses that don’t have sufficient protection against hacking. These include blogs and small company websites. So the question is, what are the problems, and what can you do about them?
A hack is simply someone gaining access to your website and then using it for their own purposes. They may change pages or delete whole sections of your website.
There Are Many Forms of Hack
There are, regrettably, many ways that a hacker can compromise your website. For example, hackers can try common usernames and passwords over and over until they get access. This method is called a brute-force attack.
Others use more sophisticated means – cross-site scripting, or attacking known vulnerabilities in the code on your system.
Once a hacker accesses your site, they often deface it. Defacement, a common hacking technique, is where a hacker puts up a banner or page supporting their political or financial aims. Alternatively, they could redirect your site to a porn site, or to a site selling Viagra or other merchandise.
Reinstating your site can be a costly and time-consuming set of activities. That is if it’s even possible. I have seen hacks recently where hackers have removed every single file on a site. Without backups, you will need to recreate your site from scratch.
So hackers can redirect your site to an undesirable site, or remove it all together. The question is, what can you do to counter these problems?
First Step: Detection - Free Malware Scanner
The security firm Sucuri have a useful free scanner that you can use to check the status of your website. The scan will show whether you have succumbed to many of the common hacks. And it can tell you if the biggest search engines currently blacklist your site.
My Suggested Preventative Solutions
You may be looking for a one-shot solution to prevent hacking. Unfortunately the situation is a little more complex than that. You need to protect your site against the most common problems that attract hackers. And at present, this involves selecting a number of different tools. Here are my biggest recommendations to prevent the hacking of a WordPress site.
1. Have A Robust Backup Regime
The most fundamental thing to have is a good, reliable automatic backup regime. Have one that backs up to at least one place away from your site. The disadvantage of keeping your backups on your site is that if you lose your site totally, your backups go as well.
I used to use my own backup system, but I now recommend VaultPress in preference. Why?
- VaultPress has several options, but I recommend their service that is just $9 per month.
- It's easy to set up and it’s very easy to restore a backup – one click and your site is back.
- VaultPress comes from Automattic – the creators of WordPress.
Their interface is clean and fast to use. It works, and it’s the best I’ve seen. You can sign up at http://vaultpress.com
2. Implement WordFence
WordFence is a free security plugin that protects your site in several ways. It prevents hacking attacks like brute force login attacks by locking out hackers. WordFence detects when someone (eg a hacker) changes core WordPress files, theme files or plugins from their issued versions. It then prompts you to restore the currently issued code from its database.
The free version now comes with a firewall that increases the level of protection you have. And I strongly recommend you implement their firewall.
WordFence will lock out hackers who try to guess your password to get into the WordPress backend.
WordFence is available via the WordPress plugin directory for free.
3. Use SiteLock
SiteLock has several features that you can select to protect your site. I like its SMART tool that automatically scans your site for malware, and, if it finds any, repairs it and sends you a message of confirmation.
If you bear in mind that manual malware cleanup can be very time consuming and expensive, SiteLock is like having insurance against malware attacks. It keeps your site running. Contact me here if you'd like to benefit from the services that SiteLock offer.
4. Purchase WordPress Maintenance
Many people don’t understand the vital importance of keeping the code on your site up to date. This means keeping your WordPress version, your theme and all your plugins updated to the latest version.
The main reason programmers update code is to repair recently uncovered vulnerabilities that could lead to hackers gaining access.
Recent WordPress versions auto-update to the latest version, but you have to update themes and plugins manually. Out of date plugins in particular are an issue. Most WordPress sites use several plugins to provide functionality. The problem is magnified by plugin authors releasing the nature of the problems fixed in a new version. A hacker encountering a previous version then knows what vulnerabilities exist in it.
I can provide you a service where I scan your site every day for out of date code.
http://alunloves.it/wordpressmaintenance
Summary
If you don't want to hear yourself uttering the words "Help My Website Has Been Hacked!" there are steps you can take to avoid hacking. They are:
- Have a robust backup plan
- Use the WordFence plugin
- Use SiteLock
- Buy WordPress Maintenance
It's important to note that nothing will make you completely hack-proof. The most determined hacker will probably get into any site. But it you make it hard for him, like any burglar, he will probably look at easier targets.
Contact me here for a no-obligation chat about WordPress security.
Features To Look For In a Backup WordPress Plugin
You have a WordPress site, and you're considering a backup WordPress plugin. You've finally decided that it's a good idea to backup your WordPress blog. Now if anything goes wrong you have a copy somewhere at least you can put somewhere else.
But what features should you look for in a WordPress backup plugin?
I've seen many plugins that overload you with features. Tell you it'll backup to Amazon S3, that it will backup to Rackspace, they add all kinds of features. But do you need all these features or do you just need a backup plugin that simply works?
Backup WordPress Plugin Requirements
If you are looking for a backup plugin, here are a few things to consider. Find a company that's got a good reputation in the market and is reliable, with good support. You want them to be around next year in case you have problems.
You may want automation and the ability to backup away from your website. One of my clients had her entire site wiped. If this happens to you and you store backups on your site, you've lost all your backups.
Find one that is easy to use. Some backup plugins require a detailed knowledge of WordPress's database structure and organisation. What's the point in having the best backup plugin in the world if you can't use it, if you don't know what to do?
If you can't find a backup plugin where you can just click on one button then it's useless to you. When you're looking for a backup solution look for those that show screen shots or videos of it in action. Do you have to go through a ten step process, do you have to confirm every step of the way, or can you click on one button and now your WordPress blog is safely backed up?
Finally, pick one that can restore your site somewhere else if you have to.
Backup Frequency
How often should you back up your site? Realise that you're not going to just make one backup of your site and not use it ever again. You should take a backup of your site at least once a month, if not several times a month, and it shouldn't be a chore. It should be something where you go in, you click a button and now you have a copy. Make sure your backup plugin is easy to use.
Can It Restore?
Next, make sure that your backup can actually restore. It sounds silly for me to say that your backup plugin should also restore. But you'd be surprised at how many WordPress plugins simply don't work or are out of date. What you should do is install a backup plugin and immediately take a backup. Then go and install a new blog and see if you can restore that same blog somewhere else.
You'd be surprised at how many backup plugins won't restore. You might be backing up your site every month but if something goes wrong you're in the same situation as if you had not made a backup. Check your backups complete successfully by restoring to a test site.
Can It Clone Your Site?
Your backup plugin should also have the ability to clone your site somewhere else. What's the difference between restoring and cloning? Cloning means that you can backup your site on one location and go to a different website or a different folder and put your site in that new place. All the links, all the information, everything will work just fine.
Why is cloning so important? Because if you want to restore a site you might want to restore it in a different location first just to make sure you don't destroy your original backup, your original site.
Once you can clone sites it means that if you have your site set up exactly the way you want it you can customise your theme, plugins, settings, memberships, all that stuff. Back it up and restore it or clone it in a new location and now you have saved tons of time for yourself.
Backup WordPress Plugin Requirements Summary
When you're looking for a backup WordPress plugin make sure it's one that's easy to use which means clicking one button - or get one that's automatic. In that way your backups can successfully restore and that you've cloned these sites onto other locations.
Buy it from a reputable company that can provide support if you need it.
If you'd like to chat about your specific WordPress backup requirements, contact me via this contact form: Contact Alun
How Often Do You Need To Take A WordPress Backup ?
For many people taking a WordPress backup is a tedious job. Though with a decent backup system it can involve clicking just one button. But of course you have to remember to log into your site, backup the entire site and download the file.
I'm going to assume that you understand the need for having a WordPress backup regime. So that you are backing up your WordPress site frequently.
But really how often do you need to be backing up your site?
WordPress Backup Frequency
The easy answer to that is that you should be backing up your site as often as you update it. How often do you update it? That is how often you should backup.
If you update daily, backup daily. If you update monthly, backup monthly. If it's somewhere in the middle, then decide whether you're going to backup either weekly or monthly.
But make sure that you always backup before and after an upgrade to your WordPress software or before making a major change to your website.
How Often Do You Update Your Blog?
Go back and look at your blog posts and find out how often you update your site. I know people at first will often start updating their WordPress blog on a daily, or even more frequently than daily, basis. Then they'll run out of ideas or they'll run out of content and then die down to perhaps once per month or once a week of updating.
With my blog I normally update it about once per week. Just make it part of your routine and maybe even after making any posts, click the button and backup your blog. That way if the worst happens you at least have everything up until you're more recent blog post.
This presupposes you have a backup plugin paid for, installed and configured.
You might have a multi author site or might update on an irregular basis and if that is your situation I would highly recommend that you add a recurring reminder to your calendar.
Set your reminder either on every Monday morning or the first of every month put an exact time where you're supposed to log into your blog, click the backup and save it somewhere safe. Trust me, you'll thank me if anything goes wrong with your WordPress blog at some point.
When Else Should I Take a WordPress Backup?
In addition to these weekly or monthly backups, be sure to back up your site both before and after an upgrade to WordPress itself. It doesn't happen often, but every now and then, when you upgrade your WordPress software, backup. That way, if a few little things go wrong and if your blog is completely trashed at least you have that backup.
Even if you're not updating, you might be about to make a major change to your blog. For example you may be changing the theme, changing the navigation or changing the content around. In these cases it can't hurt to make one simple backup before anything is touched.
I've been in a situation where I've broken my WordPress blog. I changed too many things and broke it. Then I needed to spend some time carefully updating the WordPress code to recover the site. It would have been much easier to just take a backup, then I'd have a known state to go back to.
WordPress Backup Frequency Summary
Always take a WordPress backup before and after you upgrade and when you make a major change to your site. In addition make it part of your weekly or monthly routine. And remember to back up your blog more often if you update your blog more frequently.
And if you want advice on practical and reliable backup solutions - contact me via my contact form: Contact Alun
WordPress Security Tips – Avoid The 3 Biggest Problems
Want some usable WordPress security tips? Hacking is on the increase. You only have to watch the news to see that even major corporations are not immune. If they can be hacked so easily, what chance do you have?
Do you know the three biggest security barriers that block so many WordPress website owners? The ones that leave their websites - and business - at risk?
If you're a WordPress website owner who wants usable WordPress security tips and also wants to avoid these barriers to good WordPress security, read on ...
Barrier No. 1: Thinking You Won’t Get Hacked
Perhaps the most pressing problem with security is denial. Believing that that you won’t get hacked – that it just happens to other people. The unfortunate fact is your website probably will get hacked at some stage.
So the first of my WordPress security tips is: the choice is to take preventive action now or pay the price in having your website totally disappear tomorrow. And if you rely on your website for revenue, exposure or credibility, where will that leave you?
Why is it a barrier?
Thinking you won’t get hacked is a barrier because it prevents you from taking the action you need to take.
What is the real problem here?
Let’s be honest here. If you don’t take responsibility for the security of your websites, then regrettably, it will cost you in terms of money, reputation and time. And most probably all three.
How do you get around this problem?
You get around this problem firstly by adjusting your thinking. It probably will happen sooner or later, so it’s best to put steps in place to cope with it without impacting your business.
Then you need to assess the risk and then taking appropriate action. To assess the potential risks you can research the prevalence of hacking online. You can discover the results of your website being hacked. And you can see how often it happens these days. Then you can assess what steps you need to take to prevent these types of action.
How do you deal with this if you’ve already been hacked?
If you've already been hacked, there may be things you can do about it. Your hoster may have a single backup of your site, taken in the last week. If this is uncorrupted and hack-free, then you could be in luck. But don’t rely on it. It is not a replacement for a robust backup strategy.
In the worst case, if you have no backups and neither does your hoster, you may be faced with getting your site recreated from scratch.
Barrier No. 2: Not Putting Basic Protection In Place
Why is this a barrier?
You don’t leave your house door unlocked when you leave your house, do you? Yet so many people have insecure passwords, no firewall and no protection against brute force hacking attacks.
If you leave your site in this state, the sad reality is that you will get hacked, sooner or later.
What is the real problem here?
If you have no real protection, easy to guess passwords and no backups, it’s like leaving your door wide open. It’s inviting hackers in.
How do you get around this problem?
You get around this by at least taking the most fundamental steps toward security. I’ve blogged about these issues before, but in summary:
- Don’t use Admin as your administrator username.
- Have hard to guess passwords (WordPress will generate these for you).
- Keep your WordPress version, themes and plugins up to date.
- Install a security plugin like WordFence.
For more detail on each of these, check out my other articles on security on my blog: http://wptrainingnow.com/blog
How do you cope with the problem if you've already been blocked by it?
If you've already been hacked, then this how you get started again. First, take a deep breath and don’t do anything precipitative.
You first need to establish the extent of the hack. You can use the free scanner from Sucuri: http://sucuri.net/scanner . This will let you know if there is any malware on your site. If there is malware, at least you know in which direction you need to go. You will know that you have to get it cleaned up. But you need to be cautious - just because there is no malware does not mean you have not been hacked!
Secondly get in touch with your hoster, as if your site has been defaced, you will need them to take it offline. Your hoster will then either be able to clean up your site, or recommend specialists to do this for you. A word of warning - this may well be chargeable. Two reputable specialist cleanup organisations are Sucuri and SiteLock.
Barrier No. 3: Not Having a Robust Enough Backup Strategy
Why is it a barrier?
This is a barrier because no matter what preventative measures you have, hackers may still be able to get through your protection.
What is the problem here?
If you don’t have a robust backup strategy, if you get hacked, you can lose everything. It's the reason cars have a spare tyre in the boot. You will eventually get a puncture and if you have no spare, your journey is over. If you do have a spare, it's just a case of swapping the tyre out.
It's exactly the same with backups. You just use the backup to overwrite your hacked site, leaving it clean and ready to use.
How do you get around this?
You need a backup strategy that backs up your site on a regular basis, and that holds those backups away from your site. That way, if your site is totally wiped – and this does happen – you can restore from the last viable backup that your backup system has available.
The alternative – storing your backups on your site is convenient until you lose your entire site!
How do you proceed if you have no backups?
Sadly in this case you may well be looking at rebuilding your site from scratch. And this will undoubtedly involve time and money.
Of course, you may not have to start from nothing. You may still have your hosting, your autoresponder account and some of the content of your site held locally on your PC. So it may not be quite as painful as recreating it absolutely from scratch.
Summary: WordPress Security Tips
Now you know the top three WordPress security tips that WordPress website owners can benefit from. You know what the biggest problems are, and you know how to build momentum again if you've already been stuck down by one of these problems.
If you’ve been affected – or just want to make sure you’re not affected, I'd like to invite you to cut to the front of the line to find the protection you need for your website. I’ll give you a free security consultation, identify your potential liabilities and recommend changes.
All complementary – just contact me here: https://www.wptrainingnow.com/blog/contact/
WordPress Backup Entire Site – Why You Need Backups
Why have WordPress backup your entire site? I'd heard about backups and the importance of having a backup strategy for many years before actually having one. I regretted waiting as long as I did, because in the meantime I lost websites and I lost files.
If I had simply run a backup every week I would not have had to worry about lost information. I wouldn't have to worry about getting hacked - and my goodness this is on the increase! All my content would have been safely stored in a backup somewhere.
If you are hesitating about getting a WordPress backup strategy, or even hesitating about buying a WordPress backup plug in, consider the time wasted. Consider the leads and payments coming in everyday to your business. Consider the hard earned content that you spent a lot of time creating such as video. Now think - if you spent two minutes a week backing up your WordPress site then that's time well spent. You're safeguarding against anything that might have gone wrong.
You Don't Backup Your Site?
On the other hand, if you don't backup and you have a website online for three years. Then the site for some reason goes down and you don't have that site. Now you've lost three years of your life. Is it worth it to put in two minutes a week to save three years of your life? I think it is and if you have that attitude then you really won't mind getting a backup plugin, using a backup plug in and creating backups on a regular basis.
Do You Take Money Via Your Site?
Are you selling products or using WordPress as a shopping cart or as a membership site? Then you need to make sure that people who have paid for things still get access to them. If someone is paying me on a recurring monthly basis and the site goes away, not only have I lost my site, I've lost my monthly recurring income.
In many cases there's no way to get it back. If someone is paying you on a recurring basis and there is a certain transaction ID and a certain number associated with that person paying you month after month. It's very difficult to set up the site exactly the way it was and associate that person paying monthly to that user account they had on your WordPress site.
Why Not Just Backup?
On the other hand, if you had made a WordPress backup after that person starting paying you monthly then you can restore that backup. Now when they're paying you monthly they still get credit for those payments they are making for you.
Have you ever recorded a one hour or two hour, or a three hour video only to accidentally delete it or find out it wasn't recording properly? I have and it's even worse when it's the best video you've ever made. To have it come out perfectly and be online, and everyone loves it but then you accidentally delete it or something happens to it.
If however, you've backed up that video and restored it later, you can get it back and it'll never go away. You'll never lose it no matter what from this point in time forward.
WordPress Backup Entire Site
There are several options that are open to you. There are many backup tools, some free, some technically quite complex and more suited to programmers than bloggers. The free solutions don't have any support, so if you find you have a problem, you're on your own. Not really what you want when you need to restore your site urgently.
So what do you need? I recommend a solution that backs up your entire WordPress site. That way, if you're hacked you can just replace everything at once. I recommend having your backups offsite - preferably at more than one location. Having at least one copy offsite is vital, as if your hosting account is compromised, you can lose everything - backups and all.
I use two backup solutions and I'm happy to advise what's the best solution for you. But the first step is up to you. And it is ...
Decide To Have a Backup Strategy!
Go ahead right now and decide to get a backup strategy - because you know you need it. You know that otherwise you're going to waste time, you're going to lose money and you're going to lose your best content.
If you'd like a chat about the best way to get this implemented, just contact me here:
http://alunloves.it/contact
