

How To Secure WordPress Blogs & Prevent The Hacking of Your Blog


A blogger I know was hacked today, and it was pretty scary because I went to the blog and some nasty malware tried to install on my computer. Luckily, my PC is like a fortress and prevented the rogue spyware (full of rootkits and Trojans) from downloading, but I still spent some time scanning and making sure I was not infected, which was annoying to say the least. I HATE HACKERS!!!

My Personal Computer Security Tools
All free, and all work together beautifully to really protect my system from all the harmful crap that is found online.

Excellent Malware Removal
These detect and remove very difficult infections

  • MalwareBytes
    I use the free version to regularly scan for infections.
  • Hitman Pro 3
    Free trial for 30 days, then only $19.95 a month (much cheaper than that useless Norton). Detects and removes rootkits, worms and other very hard to detect infections.

Anyway back to WordPress security...

Hacking of blogs happens all the time, and when it does it's a total pain in the you know what, and worse yet if the blogger has no backup. So I did some research and made some big security changes to my blog sites and wanted to share with you some of the WordPress security and hacking prevention tools that I found.

1. Backup your Data

You can really sleep well at night and have no worries if you ALWAYS BACK UP YOUR DATA on a regular basis! Whatever may happen to your blog, there is no better security than having a current backup of all posts, pages, plugins, comments and basically the entire blog. Just imagine if you lose everything!

There are two easy ways to do this...

1. Use the WordPress Database Backup Plugin to automatically create backups of your WordPress database on a schedule you choose (daily, weekly, monthly, etc.). You can choose to have the backup emailed to you, downloaded to your server or downloaded to your PC. I choose email; it's easy and automated.

I have mine set to daily. Some may think this is paranoid, BUT you never know when you might get hacked or have some loss of data, and since I update my blogs regularly it is much safer to just make sure I always have the most current backup available.

2. Option 2, and one that I do on a regular basis in addition to using the plugin above, is to perform a full backup via my hosting cPanel. Every hosting provider should have this, and some actually do weekly backups for you, so just check what your host offers. A full backup via cPanel offers a complete backup of all the blogs and sites in your hosting account, the hosting home directory, MySQL databases and email accounts as well.

2. Lock Out Multiple Login Attempts For Hacking

Login LockDown - This plugin is really great and I just installed it on all my blogs.

Login LockDown records the IP address and time stamp of every failed WordPress admin login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery that hackers often use.

You can set the number of attempts allowed, the lockout time, and other options. Really excellent protection.

3. Change Admin User Name

Change Admin User Name - Another useful plugin for WordPress security that works around WordPress's inability to let administrators change their username.

Often when installing WordPress, admin is assigned as the username automatically, and hackers know this. With this plugin you can easily change your username to something much harder to guess, such as:

aKD#@$LJ!#$^JGHQTI2356KJSD#@I$%H@#$I%H@#$THNAKSLD@#

If you have admin as your username you should use this plugin to change it immediately.

4. Passwords That Keep Those Scum Hackers Out

Your passwords should look similar to the above username example: a super long string full of all kinds of characters, caps and small letters and numbers. AND passwords should be changed on a regular basis. Believe me, it is much easier, faster and much less stressful to change passwords than to recover a hacked blog.

5. Only Download Plugins from Known Sources - Thanks to John Sullivan for reminding us in the comments that you should not download plugins from unknown sources. Plugins are freeware and shareware, which are notorious for carrying nasty viruses, so be sure the source where you download the plugin is the actual developer's page and not a download from some other site, or always go to http://wordpress.org/extend/plugins/ to get your plugins.

Get more WordPress security options at 10 Easy Tips To Keep WordPress Secure. This is a good guide, but be careful: a lot of the tips are based on modifying back-end files like .htaccess, and if you don't know what you're doing you can mess up your site's configuration. Ask your hosting provider for support; if you use Hostgator they are very helpful with these kinds of issues, as I am sure other hosting companies should be as well. And whenever modifying any of the WordPress core files in cPanel, ALWAYS make a copy of the original before editing.

If Your Blog Has Been Hacked

If your blog has been hacked, don't panic! Your first call should be to your hosting company; they will be your main resource for clean up, restoration and help. And read the guides below to learn more.

Additional Resources for Security and Hacking



No comments yet to How To Secure WordPress Blogs & Prevent The Hacking of Your Blog

  • John Sullivan
    (7 comments)

    Hi, I don’t know you well but I like you because it always seems like you’re giving and thinking about others. Yes, I heard about this happening to a VERY good friend of mine. I had/have a group blog and we were rolling awesome when the disaster hit. The thing that got me is that even after changing DBs the backup was infected also, so when I imported, IT followed. When I started off fresh with another DB it popped back up. I deleted the line of script from everywhere a million times; it was all in wp-admin. It was a nightmare. Then I had the site laying low, new WP and DB, and HELLO, it came back. I called my host and they couldn’t see anything, and now I’m real leery about adding another WP back on that domain.
    We get comfortable and think no one can log into our site. I think I got it from a demo in an offbeat plugin; if someone knows PHP it’s easy to embed all kinds of things on your site. I think posts like this are sadly GREAT because they keep people’s awareness up. I use that DB backup plugin, and if it was as easy as importing to a new DB I wouldn’t really sweat any scripts, but when your backup is infected you have a serious problem. The one thing that was scary about the whole thing is how this thing replicated itself and refused to die :(
    All your tips were on point. Thanks

    • JR (1590 comments)

      @ John
      Hey John, thank you and thanks for stopping by. Those self-replicating viruses, usually they are rootkits, are truly horrid; they are like a cancer that just keeps coming back. And I imagine that if your database is infected that makes things much more difficult; that is why I mention those two plugins. I think prevention is much better than clean up. Thanks for mentioning the fact about NOT downloading plugins from unknown sources, will edit the article to reflect that one.

  • Robyn from Sam's Web Guide
    (1 comments)

    Awesome security tips JR!

    Many bloggers are clueless to the fact that a hacked site can be extremely devastating especially when there is no backup plan. WordPress is an open source software, so hackers know everything about the system. That’s why it is really important for us to do everything possible to remain secure.

    Here is a post I published recently on my blog with some additional extreme security steps that I think you may find useful: http://samswebguide.com/2010/04/11/5-additional-extreme-steps-to-secure-your-wordpress-blog/

    Keep up the good work! :)

  • Dennis Edell | Direct Sales Marketing
    (35 comments)

    Excellent advice indeed, all of it.

    The part about where to download plugins from is very important. I try to mention it on every plugin post I read.

    • JR (1590 comments)

      @ Dennis
      Thanks D, yes I often just download plugins without really paying attention where the link is, well no more of that!

  • Sire
    (43 comments)

    Great list JR. I’ve used the backup plugin for quite some time now and I’ve set it so it sends me backups in the email, only because I know if I set it manually I would forget to do regular backups.

    Hackers are a pain. I’ve had several sites hacked so I know first hand how devastating it can be. This is an important post so I’ve given it a Tweet to spread the word.

    • JR (1590 comments)

      @ Sire
      Thanks mate! I HATE hackers too, they are a useless waste of space.

  • Typhoon
    (3 comments)

    I think WordPress is right now in its most secured state. Also, nowadays I don’t find any kind of hacked WordPress blog, which proves the point. But that doesn’t mean that you should not take security measures from your side.

    Also, the situation of a hacked WordPress blog only arises if you are having some kind of problems/fights with any other person/group etc.

    Interestingly, yesterday there was a brute force attack on my VPS server… Some automated bots were trying to find my server root password (which is very tough, ha ha), but thankfully, VPS servers have an added advantage of brute force protection which automatically locks the access to the server when such an attack is detected.

    • JR (1590 comments)

      @ Typhoon
      Interesting to hear. I agree with you about WordPress, it is very secure right now, and yes I have seen hosting servers get attacked and then any sites they host. What is a VPS server?

  • Tom@NetAccountant
    (3 comments)

    I got the same setup as you on my local machine… great minds etc…

    I have added 2 other security layers to the wp-admin folder access, one is HTTP Authentication and the other IP based restriction – I am the only person who needs access to the administration folder so the little hassle of setting this up is no hassle really :)

    • JR (1590 comments)

      @ Tom
      LOL, of course, re: great minds! Those two layers are good ones, I am considering doing the same.

  • Web Design
    (6 comments)

    For computer protection I do weekly malware scans, but not only with antivirus but with hijackthis also, it’s a great tool.

    Also, I have an Internet security product installed and Prevx which works great.

  • Ray Jasper Palmer
    (1 comments)

    Hi JR, thanks for the general information. I used to install WordPress and even create designs; I had no idea that it could also be hacked. This will add to the plugins that I would like to add for the site. Backing up is also necessary, because there are times that I had trouble and I used my backup files to get back to my original settings. Just be sure to take the precautions and security level to protect your files and sites from these hackers.

  • Ned Carey
    (2 comments)

    I am kind of paranoid about my site being hacked because I wouldn’t know what to do about it. Your suggestion of contacting my hosting company seems obvious but I am not sure I would have even thought about it.

    I already use Spybot, I’ll check out the others.

    • JR (1590 comments)

      @ Ned
      Oh yes, hosting is always the first go to source, and remember that often times it is the hosting server that can be the source of the hacking and Malware infection.

  • I think often WP version upgrade will also keep hackers away from your site.

    After 2 of my blogs were hacked months ago, I’ve been allotting time to creating backups and also changing my login info often. I always think about the stress and hassle it could cause me if one of my sites gets hacked again.

  • Mario @ halloween super affiliate
    (2 comments)

    I had one of my blogs hacked once. It was a complete nightmare; luckily my hosting company helped me out bringing my site back up. I’m glad that I had some of these plugins installed, but not all; now I use all these plugins in all of my blogs. I feel safer and better that I use them.

  • Udegbunam Chukwudi
    (3 comments)

    I’ve never really liked Avast. It frequently let known viruses through. I believe in Kaspersky, Avira and AVG. I’m presently using the free version of Avira as it works wonders without slowing down my system resources and load time ;-)

  • Gadget Guy (1 comments)

    There are some good plugins out there that will help secure your wordpress blog too. Search for security vulnerabilities in plugins.

  • UK Webmaster forum
    (9 comments)

    Keep backup regularly and keep your WordPress and plug-ins up to date. A good backup can cover for a ton of other issues by making it possible to revert back to how things were before your site crashed.

  • Nigeria News (11 comments)

    Ensure use of anti spyware or malware protection on your computer.

    JR, I know this is a wrong place to ask, but why don’t you use googleads on this site, or doesn’t it work for you?

  • kays jewelers (10 comments)

    It is good to take a backup of your data for future security. The WordPress Database Backup Plugin is the best for this purpose.

  • paullstanley (1 comments)

    Good article with a lot of good information, thank you! If you are interested I wrote an article on WordPress security and touched on some points you may have missed here: http://www.itutorblog.com/2011/06/how-to-secure-wordpress/

  • Brandon @ Sacramento SEO Services
    (23 comments)

    VaultPress also offers some security help, but it’s a paid solution.

  • Thank you, very helpful. I’ve been looking for free ways to keep WordPress secure.

  • Jackie @ Benefil (15 comments)

    Right on, I use Adware, Malware Bytes and that is all I need. As long as you are a responsible surfer and can recognize danger and avoid it I find I don’t have any problems. Since there was a big hack on WP sites I have not had any issues although I have 2 plugins running.

    I feel safe.

    Thanks for the recommendations

    • JR (1590 comments)

      @ Jackie
      I am extra paranoid too as far as my blogs go. I have login lockdown enabled, which 2 do you use?

  • Jackie @ Benefil (15 comments)

    After I experienced that huge hack about a year ago I installed a number of protection plugins. Here is what I remember: paranoid, which I uninstalled as it kept sending me emails. Antivirus, which is still installed. WP security scan, which I still have installed. There were 2 or 3 others that I can’t remember. I have relaxed since then and don’t worry too much about it.

    I have a file on my blog and I can type in the URL and it will clear all the php code on my blog. All the code64 stuff.

  • Sarasota Foreclosures (11 comments)

    Getting hacked is a nightmare which no blog owner would ever want to experience. Hackers are really deadly parasites and they do their homework well before trapping their prey. We, being on the receiving end, should try our best to be well informed about how to protect our system with the latest tools.
