Archive for the ‘WordPress Plugin Security Vulnerabilities’ Category


Help My Website Has Been Hacked! – What Can I Do?


Those are the six words - Help My Website Has Been Hacked! - that all website owners dread saying. But what does it mean, what does a hack entail, and how can you prevent them happening?

Hacking Problems - What Is The Problem?

Hacking is increasing and no-one is immune from hackers attacking their website. In fact, Forbes magazine estimates that nearly 30,000 websites get infected with some type of malware every single day. We’ve heard of the well-publicised large companies that have been hacked.

However, in reality most businesses affected by hackers are small businesses that don’t have sufficient protection against hacking. These include blogs and small company websites. So the question is, what are the problems, and what can you do about them?

A hack is simply someone gaining access to your website and then using it for their own purposes. They may change pages or delete whole sections of your website.

There Are Many Forms of Hack

There are, regrettably, many ways that a hacker can compromise your website. For example, hackers can try common usernames and passwords over and over until they get access. This method is called a brute-force attack.

Others use more sophisticated means – cross-site scripting, or attacking known vulnerabilities in the code on your system.

Once a hacker accesses your site, they often deface it. Defacement, a common hacking technique, is where a hacker puts up a banner or page supporting their political or financial aims. Alternatively, they could redirect your site to a porn site, or to a site selling Viagra or other merchandise.

Reinstating your site can be a costly and time-consuming set of activities. That is if it’s even possible. I have seen hacks recently where hackers have removed every single file on a site. Without backups, you will need to recreate your site from scratch.

So hackers can redirect your site to an undesirable site, or remove it altogether. The question is, what can you do to counter these problems?

First Step: Detection - Free Malware Scanner

The security firm Sucuri have a useful free scanner that you can use to check the status of your website. The scan will show whether you have succumbed to many of the common hacks. And it can tell you if the biggest search engines currently blacklist your site.

http://sucuri.net/scanner

My Suggested Preventative Solutions

You may be looking for a one-shot solution to prevent hacking. Unfortunately the situation is a little more complex than that. You need to protect your site against the most common problems that attract hackers. And at present, this involves selecting a number of different tools. Here are my biggest recommendations to prevent the hacking of a WordPress site.

1. Have A Robust Backup Regime

The most fundamental thing to have is a good, reliable automatic backup regime. Have one that backs up to at least one place away from your site. The disadvantage of keeping your backups on your site is that if you lose your site totally, your backups go as well.

I used to use my own backup system, but I now recommend VaultPress in preference. Why?

  • VaultPress has several options, but I recommend their service that is just $9 per month.
  • It's easy to set up and it’s very easy to restore a backup – one click and your site is back.
  • VaultPress comes from Automattic – the creators of WordPress.

Their interface is clean and fast to use. It works, and it’s the best I’ve seen. You can sign up at http://vaultpress.com

2. Implement WordFence

WordFence is a free security plugin that protects your site in several ways. It prevents hacking attacks like brute-force login attacks by locking out hackers. WordFence detects when someone (e.g. a hacker) changes core WordPress files, theme files or plugins from their issued versions. It then prompts you to restore the currently issued code from its database.
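The file-change detection described above boils down to a baseline of file hashes compared against a fresh scan. The following is an added example written for this post, not WordFence's own code: it builds a SHA-256 manifest of a site tree, stores it outside the web root, and reports files that were modified, added or removed. The directory layout, file contents and the `demo()` tampering scenario are all constructed for illustration.

```python
# Added example (not WordFence's own code): build a SHA-256 manifest of a
# WordPress tree, then compare a later scan against it to surface files that
# were modified, added or removed. Assumes the site root is on local disk.
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads are not loaded into RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its hash."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest: dict[str, str], dest: Path) -> None:
    # Keep the baseline *outside* the web root: anyone who can write to the
    # site could otherwise rewrite the baseline to match their changes.
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict[str, str]:
    return json.loads(src.read_text())


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between a stored baseline and a fresh scan."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed mini site tree: baseline it, tamper with it, report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "public_html"
        files = {  # constructed placeholder contents, not real WordPress files
            "wp-includes/version.php": "<?php // constructed core file\n",
            "wp-content/plugins/example/example.php": "<?php // constructed plugin\n",
            "wp-content/themes/example/functions.php": "<?php // constructed theme\n",
        }
        for rel, body in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)

        baseline_path = Path(tmp) / "baseline.json"  # outside public_html
        save_manifest(build_manifest(root), baseline_path)

        # Simulated tampering: theme edited, file dropped into uploads, plugin deleted.
        with (root / "wp-content/themes/example/functions.php").open("a") as fh:
            fh.write("// injected line\n")
        (root / "wp-content/uploads").mkdir()
        (root / "wp-content/uploads/dropped.php").write_text("<?php // constructed\n")
        (root / "wp-content/plugins/example/example.php").unlink()

        return compare(load_manifest(baseline_path), build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In real use you would take the baseline immediately after a clean install or a verified update, store it off the server, and run the comparison on a schedule; any hit in `added` under `wp-content/uploads` with a `.php` extension deserves immediate attention, because that directory should only ever hold media.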

The free version now comes with a firewall that increases the level of protection you have. And I strongly recommend you implement their firewall.

WordFence will lock out hackers who try to guess your password to get into the WordPress backend.
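The lockout behaviour mentioned here (and the brute-force attack described earlier in this post) is a sliding-window count of failed logins per source address. The block below is an added example, not WordFence's own logic: it runs that decision over a few constructed audit lines. The line format `<ISO timestamp> <ip> <event> <user>` is an assumption made for the example; WordPress does not produce such a log on its own.

```python
# Added example (not WordFence's own code): sliding-window lockout decision
# over constructed login-audit lines. The "<ISO timestamp> <ip> <event> <user>"
# format is an assumption for this example, not a WordPress log format.
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                  # failures that trigger a lockout...
WINDOW = timedelta(minutes=5)  # ...within this span

LOG_LINES = [  # constructed sample data; 203.0.113.x / 198.51.100.x are documentation ranges
    "2024-05-01T10:00:00 203.0.113.5 login_failed admin",
    "2024-05-01T10:00:10 203.0.113.5 login_failed admin",
    "2024-05-01T10:00:20 203.0.113.5 login_failed administrator",
    "2024-05-01T10:00:30 203.0.113.5 login_failed root",
    "2024-05-01T10:00:40 203.0.113.5 login_failed admin",
    "2024-05-01T10:00:50 203.0.113.5 login_failed admin",
    "2024-05-01T10:01:00 198.51.100.7 login_failed alice",
    "2024-05-01T10:01:20 198.51.100.7 login_failed alice",
    "2024-05-01T10:01:40 198.51.100.7 login_ok alice",
    "2024-05-01T10:02:00 203.0.113.9 login_failed admin",
    "2024-05-01T10:10:00 203.0.113.9 login_failed admin",
    "2024-05-01T10:18:00 203.0.113.9 login_failed admin",
    "2024-05-01T10:26:00 203.0.113.9 login_failed admin",
    "2024-05-01T10:34:00 203.0.113.9 login_failed admin",
]


def parse(line: str) -> tuple[datetime, str, str, str]:
    ts, ip, event, user = line.split()
    return datetime.fromisoformat(ts), ip, event, user


def find_lockouts(lines, threshold: int = THRESHOLD, window: timedelta = WINDOW) -> dict[str, datetime]:
    """Return {ip: time of lockout} for every source that tripped the threshold."""
    recent = defaultdict(deque)          # per-IP failure times still inside the window
    locked: dict[str, datetime] = {}
    for line in lines:
        ts, ip, event, _user = parse(line)
        if ip in locked:
            continue                     # attempts after lockout are rejected outright
        if event == "login_ok":
            recent[ip].clear()           # a genuine login resets the failure count
            continue
        if event != "login_failed":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()                  # forget failures older than the window
        if len(q) >= threshold:
            locked[ip] = ts
    return locked


if __name__ == "__main__":
    for ip, when in find_lockouts(LOG_LINES).items():
        print(f"locked out {ip} at {when.isoformat()}")
```

Counting per source address rather than per username is deliberate: the attack the post describes cycles through common usernames, so a per-user counter would never trip. The slow attempts from `203.0.113.9` stay under the five-minute window and are not locked out, which is the usual trade-off between catching low-and-slow guessing and not locking out a legitimate user who mistypes a password a few times over an afternoon.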

WordFence is available via the WordPress plugin directory for free.

3. Use SiteLock

SiteLock has several features that you can select to protect your site. I like its SMART tool that automatically scans your site for malware, and, if it finds any, repairs it and sends you a message of confirmation.

If you bear in mind that manual malware cleanup can be very time consuming and expensive, SiteLock is like having insurance against malware attacks. It keeps your site running. Contact me here if you'd like to benefit from the services that SiteLock offer.

4. Purchase WordPress Maintenance

Many people don’t understand the vital importance of keeping the code on your site up to date. This means keeping your WordPress version, your theme and all your plugins updated to the latest version.

The main reason programmers update code is to repair recently uncovered vulnerabilities that could lead to hackers gaining access.

Recent WordPress versions auto-update to the latest version, but you have to update themes and plugins manually. Out-of-date plugins in particular are an issue. Most WordPress sites use several plugins to provide functionality. The problem is magnified because plugin authors publish details of the problems fixed in each new version, so a hacker who finds a site running an older version knows which vulnerabilities it still has.

I can provide you a service where I scan your site every day for out of date code.

http://alunloves.it/wordpressmaintenance

Summary

If you don't want to hear yourself uttering the words "Help My Website Has Been Hacked!" there are steps you can take to avoid hacking. They are:

  1. Have a robust backup plan
  2. Use the WordFence plugin
  3. Use SiteLock
  4. Buy WordPress Maintenance

It's important to note that nothing will make you completely hack-proof. The most determined hacker will probably get into any site. But if you make it hard for him, like any burglar, he will probably look at easier targets.

Contact me here for a no-obligation chat about WordPress security.


WordPress Plugin Security Vulnerabilities

This post is about WordPress plugin security vulnerabilities. It’s great having WordPress plugins that extend the functionality of your WordPress site. They allow you to do many useful things – duplicate Pages or Posts, lock down your membership content, SEO your posts and many other things.

Realistically, no WordPress site can afford to not benefit from the functionality that plugins bring.

But there’s a problem.

What Are WordPress Plugin Security Vulnerabilities?

Many WordPress sites have a whole host of plugins. And they get updated quite frequently. Sometimes the reason for this update is to add functionality, sometimes it’s to work with a new WordPress version. But most often they’re updated when the authors discover vulnerabilities in them.

As a result, when you manage a WordPress website, you have to ensure all your plugins are up to date. If they get out of date, you’re leaving potential security holes in your site. Holes that hackers can exploit.

Don’t Hackers Just Guess Your Password?

Many people think that hackers gain access by guessing your username and password. And yes, this does happen. You can protect yourself against this by having hard to guess passwords and not having ‘admin’ as your username.

But more frequently, hackers make use of plugin vulnerabilities in your out of date plugins.

So Why Are Plugins Vulnerable?

Let’s have a look at the components of a WordPress site. As well as the core WordPress files, you have a Theme and you have one or more (often a lot more) plugins.

A WordPress site has one version of WordPress, which may or may not be current. Most sites now auto-update WordPress when a new version is released. So unless your WordPress version is seriously out of date, auto-update will take care of core updates for you.

WordPress Themes

You will have one active theme, and this may be a free theme or a paid theme. I always recommend getting a paid theme from a reputable developer who updates his theme regularly and offers support if you can’t get something to work.

With free themes, you’re on your own. If it breaks, tough luck – you have to fix it yourself (are you any good at PHP coding?).

Reputable vendors of paid themes – like WooThemes – offer support that you can call on in times of difficulty.

WordPress themes don’t get updated that often, and you’ll normally stick with one – as this determines the look and feel of your site.

That leads us to plugins.

WordPress Plugins

Many sites have a whole host of plugins, each providing a piece of needed functionality. Because the average site has so many, there are many opportunities for a plugin to get out of date and have vulnerabilities. Hence the need to keep them regularly updated.

And unlike WordPress core files, plugins do not get updated automatically.

This in turn means that if you manage a WordPress site, you need to log into it regularly to check if any plugins need updating. The alternative is to leave your site exposed to hackers.

How Often Are Plugins Updated?

I manage many sites on behalf of my clients and myself. Every single day I see multiple cases of plugins that need to be updated. Often I will need to update plugins on sites twice or three times a day.

So What Should You Do?

If you don’t want – or are unable – to log in to your WordPress site every day, I provide a service to do this for you. It will also take care of your WordPress core and any theme updates – though these require updating far less frequently.

Next Steps To Address WordPress Plugin Security Vulnerabilities

If you believe that I can help you with keeping your WordPress websites up to date with your WordPress plugins as well as WordPress core files and your theme, contact me here.


Free Essential WordPress Plugins Online Training


So many WordPress plugins have been released in the last year it's hard to keep up. There are now over 44,000 plugins on the WordPress plugin directory alone! But the thing is, many are now essential to your site.

But which ones are essential? And how do you know?

Let's start with two classes of essential plugin: ones to make your site more secure, and ones to speed up the loading speed of slow sites.

But which plugins should you choose, and why? You can end up in a much bigger mess than when you started out!

Ask Yourself:

  • Do you know how to protect your site?
  • And what you should protect against - and how?
  • Do you know which plugins make your site run faster?
  • Which ones actually make a difference?
  • And how would you know whether they make a difference?

Preventing your site from being hacked should be your number one concern. There is a huge number of WordPress sites being hacked currently. Forbes reported Sophos Labs as saying it's 30,000 sites A DAY!

The question is, do you have to have special secure hosting, and premium, paid security plugins? Do you need to spend a fortune on a webmaster? Do you need a security consultant on retainer?

I suggest your first step is to watch this online training I've prepared for you. That way you can decide what's right for you.

Essential WordPress Plugins Online Training

On this free online training, I'll show you two things:

  1. How to secure your WordPress site, so that you are unlikely to be hacked.
  2. How to speed up your WordPress site - and know how much faster it is!

I'll show you the plugins that make a difference, and how to install them.

Reserve Now

My FREE online training is available now.

Click on the graphic or the link below to reserve your seat.

http://alunloves.it/plugins

PS: grab this now, while it's still available - I don't know how long it will be up, but when it's gone, it's gone!
