Last week I got hacked, not once, but twice. Although I have always been quite good about security and also had a security plugin installed, the hackers got in through an older unused theme on one of my sites, and from there got into most of the sites on my server, which has over 20 sites on it, at least 10 of which I care about. After I thought I had it taken care of, they got into one site again through an old backdoor that survived the restoration. Backdoors are pieces of code that a hacker hides in your files to assure that they can keep getting in.
The following is what I learned from it all, how you can avoid being hacked, and how your life can be made much easier when it happens to you. Note that I wrote “when.” If you do this long enough you are likely to get hacked at some point. It normally is not “if” but “when.”
The Top Two Must Have Things That Helped Me
Two items not only prevented the hack from being worse, but also made my life much easier when dealing with it. I honestly think any serious wordpress blogger should have both of these. Disclosure: I am using affiliate links here.
(1) A good host: My host is Wired Tree. As a host that offers only VPS level servers and above, they are not the cheapest host you can get, but you also get what you pay for, and what you pay for here is awesome customer service. When I has hacked, the host very promptly offered up a number of backup points and restored the entire server. They then ran malware scans, and provided extra monitoring. When it was found that a backdoor for the hack survived the process, they did it again and added material to my .htaccess file to allow me to take only the single problematic site offline while only I still had access to it. They also temporarily upgraded my memory limits for free while I was using additional resources to get things locked down and in line. They stayed in constant contact with me the whole time, promptly responding to all questions.
I have other sites on three different servers with Hostgator, who is my choice for shared services. But I can tell you right now that they would have had very, very slow response times and probably would have left me restoring my own backups in many cases. I know they would not have temporarily increased resources for me. I still like them the best for cheap hosting, but as I previously stated, you get what you pay for and their customer service has been lacking some lately. Now, that is with what I think is still the best shared host. I can only imagine what it would have been like with a shared host that isn’t often recommended.
(2) Sucuri: I adore Sucuri. This service offers a free plugin and scan (more on that later), but the premium service is what is key for real protection. With a premium Sucuri account, you can get regular automated scanning, not just of the public files, but also of all of your server files (highly recommended). If there is a problem, you can be sent email and text messages. Sucuri will then clean your site for you as part of your membership. I have had Sucuri find and clean hacks several times in the past and they cleaned things pretty quickly and painlessly.
With my last incidents, I knew of the problem within an hour because Sucuri scans caught it. Because it got throughout my server, I had my host do a restore instead of having Sucuri clean things and I did my own search for back doors and think I found them. But now I will go back and have Sucuri look at the quarantined site to make sure it really is clear before I do anything further with that site. So if I missed something, they will find it. If only one site had gotten hacked, I would have just had Sucuri clean it from the get go for me.
Preventing Hacking, What You Can Do
Aside from having a good host and Sucuri, there are some key steps to take to prevent hacks. Here are the top few:
(1) Keep everything updated, not just WordPress, but plugins and themes: I have normally been good about this, but it was an old theme on a site that was my downfall. Always quickly update WordPress and Plugins. Also keep your themes updated. Those updates are what close the holes that allow hackers in.
(2) Avoid old free themes and untrusted plugins: Premium themes are much less likely to have vulnerabilities and are more likely to be updated to respond to issues. I use Studiopress Genesis on most of my sites. They are highly respected and provide quality products. On other sites I use Sahifa through Themforest. Read plugin reviews so that you know what you are getting and, if the author does not regularly update it, look for something else.
(3) Kill all unused plugins and themes: Disabling a plugin or theme does not remove a vulnerability. If you are not using it, delete it and all of its files.
(4) Use a security plugin: I already was using the Bulletproof Security Plugin, but it did not prevent the hack. I find that particular plugin to be confusing and hard to set up, so I may have had it misconfigured. After the hack I found the free iThemes Security plugin. This plugin is very powerful, easy to set up, and easy to understand. I have also used iThemes in the past for other services and trust them. With this plugin, you can change your login url to something random, set the site to lock out suspicious IPs, and lock down the ability for writing files to certain areas of your site. It will also do scheduled database backups. One note: If you set this plugin to check for changed files it will use a ton of server resources and send you a lot of email. I turned that feature off after a couple of days of monitoring.
I also installed the free Sucuri plugin. This will also add some protection, do basic scans from inside your dashboard, and send you all sorts of email alerts. A warning on those alerts, they can freak you out once you see just how often bots are trying to do things to your site, even with things locked down pretty well. Note that for full server side scans, you still need Sucuri premium.
If you don’t want to add a security plugin, there are things you can do to your .htaccess file for protection. I’m not going to try to list them here, but you can find them with web searches and if you have a good host they will happily help you with that. (Wired Tree helped me with it).
(5) Keep good backups: A good host will have multiple backups of your server, but don’t count on that, especially if you are on a shared server. Do your own as well. Keep in mind too that just a database backup is not going to have all of your content. Anything you upload, such as photos, will be in your wp-content/uploads files. So you need to back that up too. There are various backup services out there. I have previously used iThemes BackupBuddy. I now tend to manually do full zipped backups that I download to my computer each month.
(6) Do not use Admin or your site name for your login or Password for your password: You are making it much easier to be hacked through brute force attempts if you do these things. Have complex user names and passwords and don’t publish under your admin account name.
(7) Run virus and adware checking software on your personal computer regularly: Various forms of malware can sniff out your passwords.
(8) Try a service such as Cloudflare: Cloudflare is a CDN service with a free service level that also has some security features to block known bad actors. Sucuri also offers a similar firewall service.
After the Hack, What to Do
If you get hacked, get the site offline and use Sucuri to clean it and/or contact your host. I believe Sucuri will clean a site even if you sign up for their membership after the fact. If you need your server restored, contact your host. If you only restore to a backup point, keep in mind that your site could have been hacked before that date and backdoor left in somewhere. Also, it won’t address how the hacker got in to begin with. So you have to assume the worse and take a number of precautions.
(1) Make sure you really are clean: This is where Sucuri is awesome, because they can do a complete clean for you. If you try to find problems manually, you will need to look in all sorts of places. Here is article with some good advice on that.
(2) Look for extra users added to your sites: I did this quickest by checking the database users table and deleting the user that the hacker added to them.
(3) Change all logins and passwords: This isn’t just for your wordpress installation, it is also for your server and ftp accounts.
(4) Get new WordPress security keys: Your .wpconfig file contains keys that essentially allow you to stay logged into your site. If a hacker gets logged in, they can stay that way even after you delete things and change passwords because of the cookie left on their browser. Changing these keys kills that. The Sucuri plugin will change the keys for you.
(5) Go through all the steps to avoid getting hacked in the first place: Pay particular attention to themes and plugins. If it is old, outdated or untrusted, kill it and get something new and well supported.
Hacking is very frustrating, but it can be avoided and dealt with. Here are the top services that I particularly like and recommend again (these are affiliate links):