How do I block Hackers in WordPress?
In December of last year this site was hacked and blacklisted on Google. Google had every right to do so; at the time I had little understanding of how sites were exploited, or of how, once a site is infected, it is almost impossible to clean up. When users tried to visit this site it was blocked at the browser level: Firefox, Chrome and Safari have all partnered with Google to block sites that are spewing out malware.
I was alarmed and upset, obviously, because this is my business and as a web designer I have a reputation to uphold. How can my clients trust my design and their site’s security if I can’t even keep my own site from being hacked? To be honest, most of my expertise is in design. I write CSS and HTML and I use Dreamweaver, Photoshop, Illustrator and InDesign with ease, but I had become lax about security because I had never been hacked before.
Because of this exploit, I have spent hours and hours restoring my site and helping others set up secure processes on their sites so they don’t get hacked. In the process I learned that websites are constantly being probed by bots that scan for your site and try to log in to it. I set up the Sucuri Security plugin, which alerts you each time someone tries to log in to your site, and I was surprised at how every site was being hit by random login attempts.
So what did I do?
First of all, I changed all of my passwords and made them much stronger. It is too easy to get lazy and reuse the same password everywhere or pick relatively simple words that are easy to remember.
Secondly, I installed Sucuri on all my sites, as well as Wordfence. Sucuri will email you the IP address of the person or bot trying to log in to your site, and you can block that IP address with Wordfence.
Third – Deactivate and delete all plugins that are not being used. Why leave plugins activated that aren’t in use?
Fourth – Change the wp-admin login folder to something else, using a plugin that lets you alter this folder. Most hacking tools look for common mistakes and start with the standard way to access your website. With over 72 million websites using WordPress, it is probably very simple to write a script that looks for every site following the pattern http://www.yoursite.com/wp-admin and then tries “admin” as the username with a few common password combinations. As a designer I have been surprised at how many of my clients use passwords like asdfzxcv or 1234Password – any sequence on the keyboard that might seem complex to you is probably the simplest thing for a program to figure out.
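The alert-then-block loop behind steps two and four, as an added example that is not part of the original post and is not Sucuri's or Wordfence's code: a Python script that reads Apache-style access log lines, counts POSTs to wp-login.php that came back as HTTP 200 (WordPress re-renders the login form on a wrong password and redirects with 302 on success, which is the heuristic used here), flags any IP with five or more such failures inside ten minutes, and renders an Apache 2.4 .htaccess snippet that keeps wp-login.php open to everyone except those addresses. The log lines, the threshold, the window and the Apache 2.4 server are constructed assumptions; the same IP list could instead be fed to Wordfence's blocking as the post describes.

```python
"""Flag IPs hammering wp-login.php and render an Apache 2.4 block rule (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" log format; not from a real server.
# 203.0.113.5 fails five times in four seconds, 198.51.100.7 fails once,
# 192.0.2.10 logs in successfully (302 redirect, then lands on /wp-admin/).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2014:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2014:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2014:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2014:03:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2014:03:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2014:03:20:00 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "curl/7.30"
198.51.100.7 - - [10/Jan/2014:03:20:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "curl/7.30"
192.0.2.10 - - [10/Jan/2014:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Jan/2014:09:00:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 15000 "-" "Mozilla/5.0"
"""

# client IP, timestamp, request line and status code from a combined-format line
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop any query string
        "status": int(m["status"]),
    }


def failed_logins(log_text):
    """Map each IP to the timestamps of its failed login attempts.

    Heuristic: a POST to wp-login.php answered with HTTP 200 means WordPress
    re-rendered the form (bad credentials); a 302 means the login succeeded.
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].endswith("/wp-login.php") and rec["status"] == 200):
            failures[rec["ip"]].append(rec["ts"])
    return failures


def offenders(log_text, threshold=5, window=timedelta(minutes=10)):
    """IPs with at least `threshold` failures inside any span of length `window`."""
    hits = []
    for ip, stamps in failed_logins(log_text).items():
        stamps.sort()
        # slide a window of `threshold` consecutive failures over the sorted times
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                hits.append(ip)
                break
    return sorted(hits)


def htaccess_rule(ips):
    """Apache 2.4 snippet: wp-login.php stays open to all except the listed IPs."""
    lines = ['<Files "wp-login.php">', "  <RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in ips]
    lines += ["  </RequireAll>", "</Files>"]
    return "\n".join(lines)


if __name__ == "__main__":
    bad = offenders(SAMPLE_LOG)
    print("Blocking:", bad)
    print(htaccess_rule(bad))
```

Against a live server you would feed it the real log, for example `offenders(open("/var/log/apache2/access.log").read())` (that path is an assumption). Blocking addresses one at a time is a stopgap, since bots move between IPs, so it belongs alongside the stronger passwords and the renamed login URL the post recommends rather than in place of them.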
These were some of the quickest and easiest fixes that I did for my site and as new hackers try to access my site I get alerts from Sucuri. These 30 minutes or so of preventative measures can save you hours and hours of headache from a hacker.
Also, you should keep good backups of your site and save your posts offsite in a Word document. When your site is hacked, depending on the number of pages you have, it can be very difficult to clean up the infection. So what I recommend is storing a good clean backup at least every 30 days; then, if you have to delete your entire site and start over, you can. And since you may lose some of your posts, you can repost them if you have them in a Word document. Content is going to matter more to some users than to others. I know clients that pay hundreds of dollars each month for SEO-rich content that actually drives good traffic to their website.
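For the backup recommendation, an added example that is not part of the original post: a Python helper that archives a WordPress directory as wp-YYYY-MM-DD.tar.gz beside a SHA-256 manifest of every file, re-verifies an archive against that manifest before you trust it for a restore, and reports whether the newest backup is older than the 30 days the post suggests. The directory layout, file names and dates are constructed assumptions, and `demo_roundtrip` runs the whole cycle in a temporary directory. Posts live in the MySQL database rather than in files, so a real backup also needs a separate database dump, which this example does not perform.

```python
"""Checksummed file backup of a WordPress directory plus a backup-age check (added example)."""
import hashlib
import json
import os
import re
import tarfile
import tempfile
from datetime import date, datetime, timedelta

BACKUP_RE = re.compile(r"^wp-(\d{4}-\d{2}-\d{2})\.tar\.gz$")


def sha256_of(path):
    """Stream a file through SHA-256 so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(site_dir, backup_dir, when=None):
    """Write <backup_dir>/wp-YYYY-MM-DD.tar.gz and a .sha256.json manifest beside it."""
    when = when or date.today()
    archive = os.path.join(backup_dir, f"wp-{when.strftime('%Y-%m-%d')}.tar.gz")
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for root, _dirs, files in os.walk(site_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, site_dir)
                manifest[rel] = sha256_of(full)
                tar.add(full, arcname=rel)
    with open(archive + ".sha256.json", "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return archive


def verify_backup(archive):
    """Re-hash every file inside the archive against the manifest.

    Returns the names that differ or are missing; an empty list means the
    archive is intact and safe to restore from.
    """
    with open(archive + ".sha256.json") as fh:
        manifest = json.load(fh)
    problems, seen = [], set()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            seen.add(member.name)
            digest = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
            if digest != manifest.get(member.name):
                problems.append(member.name)
    problems += sorted(set(manifest) - seen)
    return problems


def backup_is_stale(backup_dir, today=None, max_age_days=30):
    """True when no wp-YYYY-MM-DD.tar.gz exists or the newest is older than max_age_days."""
    today = today or date.today()
    dates = []
    for name in os.listdir(backup_dir):
        m = BACKUP_RE.match(name)
        if m:
            dates.append(datetime.strptime(m.group(1), "%Y-%m-%d").date())
    if not dates:
        return True
    return (today - max(dates)) > timedelta(days=max_age_days)


def demo_roundtrip():
    """Constructed end-to-end run in a temp directory; returns the check results."""
    with tempfile.TemporaryDirectory() as tmp:
        site = os.path.join(tmp, "site")
        uploads = os.path.join(site, "wp-content", "uploads")
        os.makedirs(uploads)
        with open(os.path.join(site, "wp-config.php"), "w") as fh:
            fh.write("<?php // constructed placeholder, not a real config\n")
        with open(os.path.join(uploads, "logo.png"), "wb") as fh:
            fh.write(b"\x89PNG constructed bytes")
        backups = os.path.join(tmp, "backups")
        os.makedirs(backups)
        archive = make_backup(site, backups, when=date(2014, 1, 10))
        return {
            "archive": os.path.basename(archive),
            "mismatches": verify_backup(archive),
            "stale_after_29_days": backup_is_stale(backups, today=date(2014, 2, 8)),
            "stale_after_31_days": backup_is_stale(backups, today=date(2014, 2, 10)),
        }


if __name__ == "__main__":
    print(demo_roundtrip())
```

Copy the archive and its manifest off the server (a hacked host can rewrite both), and run `verify_backup` on the copy before restoring from it.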
This was a hard lesson learned and as I continue to learn more about web security and best practices I will continue to keep you updated.