How much thought do you devote to protecting your WordPress website? I want to share something that happened to me this week. I came home from a nice lunch with friends to both an email and an urgent voicemail message from a client saying someone had hacked their website and it was redirecting visitors to a porn site. This is a relatively large client of mine whose website gets a decent number of visitors each day, so there was good reason for the panic.
When I heard the message and the panic in my client’s voice, my only thought was to get this problem fixed ASAP. But I wasn’t worried because I know I have measures in place for exactly this sort of thing. But more on that later.
WordPress is the most popular CMS in the world. That popularity also makes it the most popular target for hackers. Fortunately, WordPress is on the ball and releases regular updates to patch new and existing security holes. But security as a whole is a reactive process: patches are only issued once a vulnerability is known. WordPress core itself is solid; it is the massive ecosystem of plugins and themes that introduces most of the security holes. That’s why you should have measures in place for protecting your WordPress website and your clients’ websites.
It’s not good enough to rely on what your web host provides as part of your hosting package. You need to have your own measures in place. Those measures need to include both a security plugin and a backup plugin.
Step 1: A WordPress security plugin

By installing a WordPress security plugin, you get access to additional features that WordPress doesn’t have right out of the box, including things such as:
- Site, file, and malware scanning
- Protection from brute force attacks
- Regular security scans, monitoring and notifications
- Site firewalls
- Overall security hardening

Sadly, a lot of site owners don’t think about security for their WordPress website until it’s too late. And once a WordPress site is compromised, there’s not a lot they can do besides notify visitors and try to clean up the mess, if that is even possible.
If only there were something they could’ve done to prevent the site from being hacked in the first place. Oh, there is. Installing a top-ranked WordPress security plugin is the first step in securing your WordPress website.
Top-ranked WordPress security plugins

- All In One WP Security & Firewall
- Wordfence
- Sucuri Security
- SecuPress Free
- iThemes Security Pro (this is the plugin I use on all my sites)
- Google Authenticator – Two Factor Authentication

Although not a security plugin as such, the Google Authenticator plugin is a great addition for protecting your WordPress website, and it’s something that should be installed on every website. It adds an extra level of security by requiring a second factor every time someone logs into the WordPress website. iThemes Security Pro, my security plugin of choice, comes with Google Authenticator as part of the package. I’m unsure if the other security plugins mentioned above also include Google Authenticator.
Step 2: A WordPress backup plugin

Every WordPress installation should also have a backup solution. Not one provided by your web host, but one you implement and control yourself.
There are too many instances where a web host’s backup solution either takes days to hand you a copy of your website, hands you a backup that is outdated, or, in some cases, one that is corrupted. Don’t take any chances with your WordPress backups; install a top-ranked WordPress backup plugin such as one of these.
Top-ranked WordPress backup plugins

- Duplicator
- BackWPup
- BlogVault
- VaultPress (part of Jetpack)
- BackupBuddy (this is the plugin I use on all my sites)

So how did my story end? First off, let me tell you that I wasn’t surprised that my client’s site got hacked. I had seen increased login attempts on it lately, numbering in the 10,000s. If a determined hacker wants into a website, there’s only so much you can do to stop them. So I wasn’t surprised when it got hacked, but I also wasn’t worried.
The first thing I did was wipe the site. I logged into cPanel, went to File Manager, found the directory for my client’s website and deleted everything in the folder. That immediately solved the first issue of the site redirecting to the porn site, since there was no longer a site to do the redirecting.
Then it was a simple matter of downloading the most recent backup from the cloud drive I send all my client site backups to and using BackupBuddy to restore the entire site from it. In all, it took me less than 10 minutes to get the site back up and running.
After reinstalling the site, I changed the database password as well as all user passwords and made sure WordPress, the installed theme and all plugins were updated. Only then did I call my client. When he answered and immediately started asking…