Are you using WordPress? If so there are some major security issues. It takes time to sort our a hacked site. However it is easy to make your site a lot safer.
There are four key things you need to do.
1. Make sure you have created a backup and keep up to date.
2. Keep your WP and plugin up to date as hackers have time to target older versions.
3. Remove “admin” from your WP, it is one of the defaults so an easy target
4. Install 4 free security WP plug ins
This will add an order of magnitude of safety to a standard wordpress set up. For the ultimate wordpress safety go here. http://www.wordpresssecuritywp.com/(One of our sites) It costs $15 (~£10)
1st4SEO manage the security of all managed wordpress websites to the highest level and stay in touch with the latest threats.
The most important thing is to have a backup that you can go back to if a hacker gets hold of your site.
1. Back Up WordPress
a. BackUpWordpress Plugin (Free)
b. Flip Me Clone ($67 – affiliate link)
a. BackUpWordPress will back up your entire site including your database and all your files once every day. It has several advanced options for power users.
Features
• Super simple to use, no setup required.
• Uses zip and mysqldump for faster back ups if they are available.
• Works in low memory, “shared host” environments.
• Option to have each backup file emailed to you.
• Works on Linux & Windows Server.
• Control advanced options by defining any of the optional Constants.
• Exclude files and folders from your back ups.
• Good support should you need help.
http://wordpress.org/extend/plugins/backupwordpress/
whilst this is free and easy doing the back up, the reinstallation takes a bit of time and expertise. 1st4SEO use the following software, however it involves a one off charge of around £42 ($67)
b. Flip Me Clone – Affiliate Link
We use this product as it is far easier and quicker to use.
- Backup your entire WordPress install
- Installs WordPress for You!
- Clones all of your WordPress Settings, Plugins, Posts, Pages, Themes, Widgets…EVERYTHING!
- Restores your Site Configurations to precisely what they were
- Clone your site on another domain without having to create a new database
It costs $67 (~£42)
2. Update WordPress and Plugins
Every time you post, or every month update your WordPress and plugins. This is crucial as the majority of hacks are via older versions of WordPress or its plug ins.
3. Remove Admin from your WordPress blog and Database.
As admin is a is a common way that hackers have broken into websites. Hackers often try this route. Many people leave the original set up of “Admin”. Of these 4 key steps it is the most technically involved, but follow these instructions and you should not have a problem. Of course make sure you have an uptodate backup.
Change the password. Use a random password generator to create a strong password or construct one with numbers and characters, not your sons name or password123! Google random password generator or use this one.
http://www.random.org/passwords/
If you have “Admin” as a user do the following to it. You will have to edit the name from your SQL database.
a. First of all from WordPress admin panel, add a new administrator with a strong password.
b. Finding your “Database name” and removing your “WordPress username”. Delete Admin from the admin panel so that articles are transferred to another user.
So that you can remove the name of your sites database, Go to find the database name that your site runs off we need to do the following:
1. Login to your hosting providers Cpanel
2. Click the folder named file manager,
3. Select the wordpress site your are going to change
• Scroll to file labelled “wp-config.php”
• Now just right click on the file and select “View” to view the .php document inside.
You will see something like:
—————————————————————————————-
// ** MySQL settings – You can get this info from your web host ** //
/** The name of the database for WordPress */
define(‘DB_NAME’, ‘Admin’);
/** MySQL database username */
define(‘DB_USER’, ‘Admin’);
/** MySQL database password */
define(‘DB_PASSWORD’, ‘XXXXXX’);
—————————————————————————————–
You need to change the DB_NAME and DB_USER if you have admin rights
Changing Your Sites Username and Password
The next steps I will show you will take you through changing your username from “admin” to a more secure password that you can remember easily. To do this log into your hosting account and browse to “databases”
Now click on the icon labelled “phpMyAdmin”
You will now be able to see your database in the left hand column of the screen.
Sselect and click your database name that you identified above, then navigate to the folder labelled “wp_users” and click on it.
You can see that under wp_users there is “user_login if you haven’t made any changes one of your usernames will read “admin”. So to stop the hacker from easily hacking in and prevent them from altering your site any further you need to delete it.
4. Wordpress Security Plugins
a. Install Login Lockdown (if not already installed)
This is a simple but effective plug-in.
Login LockDown records the IP address and timestamp of every
failed login attempt. If more than a certain number of attempts
are detected within a short period of time from the same IP
range, then the login function is disabled for all requests from
that range. This helps to prevent brute force password discovery.
Currently the plugin defaults to a 1 hour lock out of an IP block
after 3 failed login attempts within 5 minutes. This can be
modified via the Options panel. Admisitrators can release locked
out IP ranges manually from the panel.
b. Install WordPress Firewall 2 (if not already installed)
This WordPress plug-in investigates web requests with simple
WordPress-specific heuristics to identify and stop most obvious
attacks. There exist a few powerful generic modules that do this;
but they’re not always installed on web servers, and difficult to
configure.
It intelligently whitelists and blacklists pathological-looking
phrases based on which field they appear within in a page request
(unknown/numeric parameters vs. known post bodies, comment
bodies, etc.). Its purpose is not to replace prompt and responsible
upgrading, but rather to mitigate 0-day attacks and let bloggers sleep better at night.
c. Install Secure WordPress (if not already installed)
Secure WordPress beefs up the security of your WordPress
installation by removing error information on login pages, adds
index.html to plug-in directories, hides the WordPress version and
much more.
1.Removes error-information on login-page
2.Adds index.php plugin-directory (virtual)
3.Removes the wp-version, except in admin-area
4.Removes Really Simple Discovery
5.Removes Windows Live Writer
6.Removes core update information for non-admins
7.Removes plugin-update information for non-admins
8.Removes theme-update information for non-admins (only WP
2.8 and higher)
9.Hides wp-version in backend-dashboard for non-admins
10.Removes version on URLs from scripts and stylesheets only
on frontend
11.Blocks any bad queries that could be harmful to your WordPress website.
The above plugin removes WP version numbers.
Many hacks today are caused by WordPress version numbers. Sites
are easily hacked because WordPress version numbers are publicly
accessible by doing a simple search on Google. All a hacker would
need to do is run a search for the WordPress version number and
be able to find a hack for that particular version.
The easiest thing for you to do to prevent hackers accessing your
site this way is to remove you WordPress version number
I hope this helps. If you want further levels of security or to recover from hacking go to WordPress Security.