Archive for the ‘wordpress security vulnerabilities’ Category


Help My Website Has Been Hacked! – What Can I Do?


Those are the six words - Help My Website Has Been Hacked! - that all website owners dread saying. But what does it mean, what does a hack entail, and how can you prevent them happening?

Hacking Problems - What Is The Problem?

Hacking is increasing and no-one is immune from hackers attacking their website. In fact, Forbes magazine estimate that nearly 30,000 websites get infected with some type of malware every single day. We’ve heard of the well-publicised large companies that have been hacked.

However, in reality most businesses affected by hackers are small businesses that don’t have sufficient protection against hacking. These include blogs and small company websites. So the question is, what are the problems, and what can you do about them?

A hack is simply someone gaining access to your website and then using it for their own purposes. They may change pages or delete whole sections of your website.

There Are Many Forms of Hack

There are, regrettably, many ways that a hacker can compromise your website. For example, hackers can try common usernames and passwords over and over until they get access. This method is called a brute-force attack.

Others use more sophisticated means – cross-site scripting, or attacking known vulnerabilities in the code on your system.

Once a hacker accesses your site, they often deface it. Defacement, a common hacking technique, is where a hacker puts up a banner or page supporting their political or financial aims. Alternatively, they could redirect your site to a porn site, or to a site selling Viagra or other merchandise.

Reinstating your site can be a costly and time-consuming set of activities. That is if it’s even possible. I have seen hacks recently where hackers have removed every single file on a site. Without backups, you will need to recreate your site from scratch.

So hackers can redirect your site to an undesirable site, or remove it altogether. The question is, what can you do to counter these problems?

First Step: Detection - Free Malware Scanner

The security firm Sucuri have a useful free scanner that you can use to check the status of your website. The scan will show whether you have succumbed to many of the common hacks. And it can tell you if the biggest search engines currently blacklist your site.

http://sucuri.net/scanner

My Suggested Preventative Solutions

You may be looking for a one-shot solution to prevent hacking. Unfortunately the situation is a little more complex than that. You need to protect your site against the most common problems that attract hackers. And at present, this involves selecting a number of different tools. Here are my biggest recommendations to prevent the hacking of a WordPress site.

1. Have A Robust Backup Regime

The most fundamental thing to have is a good, reliable automatic backup regime. Have one that backs up to at least one place away from your site. The disadvantage of keeping your backups on your site is that if you lose your site totally, your backups go as well.

I used to use my own backup system, but I now recommend VaultPress in preference. Why?

  • VaultPress has several options, but I recommend their service that is just $9 per month.
  • It's easy to set up and it’s very easy to restore a backup – one click and your site is back.
  • VaultPress comes from Automattic – the creators of WordPress.

Their interface is clean and fast to use. It works, and it’s the best I’ve seen. You can sign up at http://vaultpress.com

2. Implement WordFence

WordFence is a free security plugin that protects your site in several ways. It prevents hacking attacks like brute-force login attacks by locking out hackers. WordFence detects when someone (e.g. a hacker) changes core WordPress files, theme files or plugins from their issued versions. It then prompts you to restore the currently issued code from its database.
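As an added illustration of the file-change detection described above (this is not WordFence's own code), the Python script below hashes every file under a WordPress root, records a baseline, and later reports anything modified, added or removed. The fake install and the tampering in `demo()` are constructed for the example, and the uploads and cache directories it skips are an assumption about what changes in normal use.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed safe to ignore: directories WordPress writes to during normal use.
SKIP_DIRS = ("wp-content/uploads", "wp-content/cache")

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    manifest = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(rel.startswith(d + "/") for d in SKIP_DIRS):
            continue
        manifest[rel] = sha256_of(path)
    return manifest

def compare(baseline: dict, current: dict) -> dict:
    """Files whose content changed, files that appeared, and files that vanished."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo() -> dict:
    """Constructed scenario: baseline a tiny fake install, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "wp-includes" / "functions.php").write_text("<?php // core\n")
        (root / "xmlrpc.php").write_text("<?php // core\n")
        baseline = build_manifest(root)  # taken right after a clean install
        # After the baseline: one core file edited, one unknown file dropped in,
        # one core file deleted, and one ordinary upload that should be ignored.
        (root / "wp-includes" / "functions.php").write_text("<?php // core, altered\n")
        (root / "wp-content" / "dropped.php").write_text("<?php // unexpected\n")
        (root / "xmlrpc.php").unlink()
        (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8")
        return compare(baseline, build_manifest(root))
```

Store the baseline manifest somewhere the web server cannot write to, otherwise whoever alters the files can alter the record of them too.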

The free version now comes with a firewall that increases the level of protection you have. And I strongly recommend you implement their firewall.

WordFence will lock out hackers who try to guess your password to get into the WordPress backend.
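An added example, not WordFence's code, of the lockout logic described above: it replays a constructed login-attempt log and locks a source IP after five failures within five minutes, refusing further attempts from it for twenty minutes even when the password is then correct. The log format and the thresholds are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                 # failed logins tolerated ...
WINDOW = timedelta(minutes=5)    # ... within this sliding window ...
LOCKOUT = timedelta(minutes=20)  # ... before the source IP is locked out

# Constructed sample log: timestamp, source IP, username tried, result.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 203.0.113.5 admin FAIL
2024-05-01T10:00:02Z 203.0.113.5 admin FAIL
2024-05-01T10:00:04Z 203.0.113.5 administrator FAIL
2024-05-01T10:00:06Z 203.0.113.5 admin FAIL
2024-05-01T10:00:08Z 203.0.113.5 editor FAIL
2024-05-01T10:00:10Z 203.0.113.5 admin FAIL
2024-05-01T10:03:00Z 198.51.100.7 alun FAIL
2024-05-01T10:03:30Z 198.51.100.7 alun OK
2024-05-01T10:15:00Z 203.0.113.5 admin OK
"""

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"

def evaluate(log_text):
    """Replay the log and decide, per attempt, whether the IP would be refused.
    Returns (lockouts, blocked): lockouts maps IP -> time its lock began,
    blocked lists (time, ip, user) for attempts that arrived while locked."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    locked_until = {}
    lockouts, blocked = {}, []
    for line in log_text.splitlines():
        ts, ip, user, ok = parse(line)
        if ip in locked_until and ts < locked_until[ip]:
            blocked.append((ts, ip, user))
            continue                 # refused regardless of the password offered
        if ok:
            failures[ip].clear()     # a genuine login resets the counter
            continue
        q = failures[ip]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()              # drop failures that fell out of the window
        if len(q) >= MAX_FAILURES:
            locked_until[ip] = ts + LOCKOUT
            lockouts.setdefault(ip, ts)
            q.clear()
    return lockouts, blocked
```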

WordFence is available via the WordPress plugin directory for free.

3. Use SiteLock

SiteLock has several features that you can select to protect your site. I like its SMART tool that automatically scans your site for malware, and, if it finds any, repairs it and sends you a message of confirmation.

If you bear in mind that manual malware cleanup can be very time consuming and expensive, SiteLock is like having insurance against malware attacks. It keeps your site running. Contact me here if you'd like to benefit from the services that SiteLock offer.

4. Purchase WordPress Maintenance

Many people don’t understand the vital importance of keeping the code on your site up to date. This means keeping your WordPress version, your theme and all your plugins updated to the latest version.

The main reason programmers update code is to repair recently uncovered vulnerabilities that could lead to hackers gaining access.

Recent WordPress versions auto-update to the latest version, but you have to update themes and plugins manually. Out of date plugins in particular are an issue. Most WordPress sites use several plugins to provide functionality. The problem is magnified by plugin authors disclosing the nature of the problems fixed in a new version. A hacker encountering a previous version then knows what vulnerabilities exist in it.

I can provide you a service where I scan your site every day for out of date code.

http://alunloves.it/wordpressmaintenance

Summary

If you don't want to hear yourself uttering the words "Help My Website Has Been Hacked!" there are steps you can take to avoid hacking. They are:

  1. Have a robust backup plan
  2. Use the WordFence plugin
  3. Use SiteLock
  4. Buy WordPress Maintenance

It's important to note that nothing will make you completely hack-proof. The most determined hacker will probably get into any site. But if you make it hard for him, like any burglar, he will probably look at easier targets.

Contact me here for a no-obligation chat about WordPress security.


WordPress Security Practices – Thwarting The Hackers

Here's a short video on WordPress security practices. It covers what you can do to improve the security of your WordPress website. We all know that hacking is on the increase and you risk losing your entire site in a hack.

But is there really anything you can do to prevent a hacking attack? Watch my short video and decide for yourself!

WordPress Security Practices

Here is a summary of the actions YOU can take today to improve the security of your WordPress site.

  1. Keep WordPress up to date
  2. Keep your plugins and theme updated
  3. Avoid brute force attacks

Once you've watched the video, it may be obvious what your next steps are. In that case, just get those things implemented today, and harden the security of your site.

On the other hand, it may be that you need a little advice on the best way to go for you and your site. As WordPress security can be a complex issue, I'm happy to help you out.

If you'd like a no-obligation chat about the security of your site and how it can be improved, contact me, Alun Richards, here: http://wptrainingnow.com/blog/contact


Avoid WordPress Security Vulnerabilities – Quick And Easy Tips

Want to know how to avoid WordPress security vulnerabilities? Here's a quick security question for you. If you have a WordPress site and the username and password you use to gain access to it are Admin and Test (or password!), are you at risk of your website being taken over?

The answer is yes. What this means is that you can have all the security measures and all the fancy security plugins in place, but if your password is something that attackers can easily guess then you are leaving the door wide open.

That's why it's important to have a secure and hard-to-guess WordPress login and password. What can you do? Make sure your username is not Admin or Administrator, change your WordPress password regularly, and use different passwords from those you use for other WordPress or FTP sites.

Don't Use Admin As a Username

By default, when you set up WordPress it creates the username Admin, which means that when you log in you type in the username Admin and some password. But this gives the hackers half of the information they need. If they already know that you are using Admin, all they have left to guess is the password. And don't use something obvious like your first name, your first name and your last name, or the title of the site.

But if your username is something meaningful to you but not obvious to strangers, they don't know where to start with the username. Now potential intruders are guessing at two different factors: your username and your password.

That's why, even though WordPress sets your username as Admin by default, the first thing you should do is create a new user account named with your first and last name, save it, and then delete the original Admin account. That will cut down on a lot of automated attempts.

Change Your Password Regularly

Something else that is easy to do is to change your WordPress password regularly, for example once per month. This means that you are always thinking of something new to type, a new password that someone might never guess, because you are changing it every month. You would be surprised at how many passwords consist of someone's own name, a child's name or a pet's name. But if you are changing the password on a regular basis and adding letters and numbers to it, that's a password that no one will guess, which means that no one will have access to your site other than you and the people you choose.

Finally, set different passwords from the ones on other WordPress blogs you own, and a different password from your email address or your FTP account. The problem with using the same password for different accounts is that if someone gets access to your WordPress site, they now have access to your website, your other WordPress sites, your email, your FTP, and so on. But if you use different passwords for WordPress, for email and for FTP, then if someone happens to gain access to your WordPress they don't have access to your other accounts.

WordPress Security Vulnerabilities Summary

In this article, we've looked at a number of common WordPress security vulnerabilities. We've seen that setting a secure WordPress login and password is easy. We've covered why you don't want to use Admin as your username, and the importance of changing your admin password regularly.

We saw how we must use different passwords for multiple WordPress blogs, for your email account and for your FTP account.

If you've read this article and want to know the next steps to keeping your WordPress website secure, why not request a chat about your security and perhaps how I can help you? Just fill in the form on http://wptrainingnow.com/blog/contact, and I'll be in touch.
