According to Google, almost 10,000 newly hacked websites are detected every day. The trouble is, most site owners don’t take the security of their website seriously until they get swamped by complaints from visitors about viruses, automatic dialers and other harmful software.
The problem can be caused by a malicious program (malware) installed on your web server, by malicious script injected through blog comments, or by techniques like SQL injection, where specially crafted input to a form (a login form is the classic example) changes the database query behind it and lets the attacker past the password protection.
Whatever the method, if it happens on your site it’s your reputation that takes a nosedive and it’s your problem to fix.
What else happens if your site is hacked?
Aside from the danger of losing all your content, and the time and expense of fixing the problem, Google will put your site on its Safe Browsing blacklist.
That means anyone using Google Chrome (the most popular web browser) who tries to visit your site will be shown a full-page warning about how dangerous it is instead of your content.
Because Firefox uses the same Google Safe Browsing blacklist as Chrome, Firefox users will be shown a similar unsafe site warning instead of your content.
Depending on the severity of the risk, your site will either have a This site may harm your computer warning added to its Google search results or be completely removed from the index.
Basically, it’s bye-bye website and revenue until you get rid of the malware.
The thing is, as a web developer I’ve seen this scenario enough to know two things:
1. It causes a lot of stress to the website owner.
2. Most of the time it could have been prevented by following some basic steps.
How to protect your website
Most of the time malware, viruses and other nasties gain access to your site through security holes, so plugging those significantly reduces your risk.
Here are the most common security issues and how to fix them.
1. Don’t use admin as a username
Because hackers prefer the easy way of doing things where possible, they’ll often try to log in with the username admin. If there’s an active account called admin, they already have half the information they need to force their way into your site: all that’s left is to guess the password.
Before version 3.0, WordPress automatically created an account called admin when first installed. So if your site has been online for more than a couple of years, check to make sure it doesn’t still have one. Even if nobody uses it, it’s still a security risk.
To delete the account, go to Users > All Users. If you’re currently logged in as admin, you’ll need to create a new administrator login and sign in with it before you can delete the admin profile. When WordPress asks what to do with the content owned by that user, choose to attribute it to your new account rather than delete it, otherwise every post the old account wrote disappears with it.
2. Don’t use an obvious password
What’s an obvious password? Here are a few: 1234, god, work, ilove and master.
Where did I get these from?
They’re a selection from the top 30 passwords cracked in the recent LinkedIn security breach, in which 6.5 million password hashes were stolen and posted on a Russian hacker forum.
These same words turn up continually in lists of stolen passwords. Hackers know there are literally millions of people using these passwords, so these are the ones they try first.
If you’re using any of these as your password you should change it ASAP.
3. Use a strong password
Hackers often use a technique called brute force to get into password protected areas.
In a nutshell, this means using automated software to guess your password. Since it’s automated, a huge number of passwords can be tried quickly, which is why it’s often successful.
The software starts with a dictionary of real words and lists of passwords leaked in earlier breaches (plus the usual variations, like a capital first letter or a digit on the end), and only then falls back to trying every combination of characters. So don’t use a real word, a name or anything that has appeared in a previous breach as your password. Instead, use a long string of random letters mixed with numbers and punctuation characters until the password strength indicator in WordPress admin shows you’ve created a strong password. Length matters most: every extra character multiplies the work an attacker has to do.
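Brute force also leaves tracks on your own server. The script below is an added example (not code from the original post or from WordPress): it reads web server access log lines in the standard Apache/nginx "combined" format and flags any IP address that fails to log in too many times in a short window. It relies on one WordPress behaviour: a failed login is answered with HTTP 200 (the form is shown again with an error), a successful one with a 302 redirect to the admin area. The log lines, the threshold and the window are constructed for the example.

```python
"""Spot password-guessing against wp-login.php in a web server access log.

Added example, not from the original post or from WordPress. Assumes the
Apache/nginx "combined" log format and WordPress's own behaviour: a failed
login POST gets a 200 (form re-shown), a successful one a 302 redirect.
"""
import re
import sys
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one guessing host (203.0.113.7) and one legitimate
# user (198.51.100.23) who mistypes once and then gets in.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2012:02:10:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2711 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2012:02:10:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3425 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2012:02:10:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3425 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2012:02:10:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3425 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2012:02:10:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3425 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jun/2012:02:10:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3425 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jun/2012:02:10:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2012:02:11:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3425 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2012:02:12:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3425 "-" "Mozilla/5.0"
"""

# client IP, timestamp, request line (method + path), status code of a "combined" log entry
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields we need from one log line, or None if it is not in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_failed_logins(lines, threshold=5, window=timedelta(minutes=5)):
    """Map IP -> total failed logins, for IPs with >= threshold failures inside any `window`."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        # only the login endpoint, and only the 200 responses (failed attempts)
        if rec["path"].split("?")[0] == "/wp-login.php" and rec["status"] == 200:
            failures[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over the sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    # Usage: python wplogin_check.py /var/log/apache2/access.log   (defaults to the sample)
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for ip, count in find_failed_logins(lines).items():
        print(f"{ip}: {count} failed logins, consider blocking")
```

Run it against yesterday's log as a check; feeding the flagged addresses to your firewall or a plugin that limits login attempts turns the check into a defence. Note that a guessing tool spread over many addresses slips under a per-IP threshold, which is why a strong password remains the real protection.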
4. Don’t leave your login details on a Post-It note stuck to your monitor
Just sayin’ because you’d be amazed the amount of people who do that.
5. If your site has multiple authors, make sure they’re following these guidelines
Also, don’t leave accounts open for people who no longer need them. If you want to keep an author name active to maintain bylines on posts, go to the Users > All Users page, change the account’s password and drop its role to Subscriber so it can no longer publish anything.
6. Don’t use a free WordPress theme unless it’s from an official WordPress site
There have been plenty of cases of unscrupulous directories giving away free themes containing hidden links to harmful or spammy sites, often buried in obfuscated PHP so you won’t spot them by reading the template.
The idea is that website owners using the free themes are unwittingly creating thousands of links back to a site that otherwise wouldn’t get any. If you need a free WordPress theme, get it from WordPress.org, which reviews themes before they go online.
Or better still, go the more professional route and get a premium theme.
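If you already have a theme of doubtful origin installed, the following added example (my own, not something from the original post or from the WordPress.org theme review) scans a theme's PHP files for the two tell-tale patterns: links placed in a container the visitor never sees, and code that is decoded or executed at run time so the link text never appears in the file. The rules are assumptions about what planted links usually look like, and SAMPLE_FOOTER is a constructed footer.php, so expect to review the hits by hand (a theme author's own credit link will show up as an external link, which is exactly the kind of thing to look at).

```python
"""Scan a WordPress theme's PHP templates for hidden links and obfuscated code.

Added example, not from the original post or from WordPress.org. The rules are
heuristics (assumptions): a hit means "look at this line", not "this is malware".
"""
import re
import sys
from pathlib import Path

RULES = [
    # PHP that builds code at run time: the usual wrapper for a planted link (or worse)
    ("obfuscated code", re.compile(
        r"\b(?:eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\(", re.I)),
    # an anchor on the same line as a display:none style, i.e. a link visitors never see
    ("hidden link", re.compile(r"display\s*:\s*none.*<a\b|<a\b.*display\s*:\s*none", re.I)),
    # any anchor pointing off-site: review these even when they are not hidden
    ("external link", re.compile(r"<a\b[^>]*href\s*=\s*['\"]https?://", re.I)),
]

# Constructed footer.php: one planted hidden link, one eval'd blob, one honest credit link.
SAMPLE_FOOTER = """\
<?php wp_footer(); ?>
<div style="display:none"><a href="http://example.com/cheap-pills">cheap pills</a></div>
<?php eval(base64_decode('ZWNobyAneCc7')); ?>
<p>Theme by <a href="http://example.org/">Example Studio</a></p>
</body>
</html>
"""


def scan_source(text, name="<string>"):
    """Return (file, line number, rule, snippet) for every rule that matches a line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append((name, lineno, rule, line.strip()[:80]))
    return findings


def scan_theme(theme_dir):
    """Scan every .php file under a theme directory, e.g. wp-content/themes/mytheme."""
    findings = []
    for path in sorted(Path(theme_dir).rglob("*.php")):
        findings.extend(scan_source(path.read_text(errors="replace"), str(path)))
    return findings


if __name__ == "__main__":
    # Usage: python theme_scan.py wp-content/themes/mytheme   (defaults to the sample)
    results = scan_theme(sys.argv[1]) if len(sys.argv) > 1 else scan_source(SAMPLE_FOOTER, "footer.php")
    for name, lineno, rule, snippet in results:
        print(f"{name}:{lineno}: {rule}: {snippet}")
```

Anything flagged as obfuscated code in a theme deserves the most attention: a template has no legitimate reason to base64-decode and eval a string, and a theme that does so should be replaced rather than patched.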
7. Keep WordPress updated
New versions of WordPress are sometimes released for new features, but the minor releases (the ones that only change the last digit of the version number) are usually security and maintenance fixes.
WordPress is the single most popular online publishing system. That means when a security flaw is found, every hacker and his cat is on the net running scanners that look for sites still running the old, unsafe version, and WordPress advertises its version number in the page source unless you tell it not to.
Not keeping your copy updated is like leaving your front door unlocked. When new versions are released, update as soon as possible.
In the past, it was a pain to update, but now it’s easy. Just click the link that appears across the top of the admin area whenever a new version is available.
You don’t need to do anything technical.
If you’re worried about something going wrong in the upgrade process, make sure you’re making regular backups so you can safely “rewind” if needed. See “How to make automatic backups” below.
8. Keep your plugins updated
A similar thing applies to plugins – they’re often updated for security reasons.
Go to the main Plugins page in WordPress and you’ll see an upgrade notice next to any that need updating.
To update, just click the link. Again, there’s no technical knowledge required.
9. Keep all your sites updated
Don’t forget about the sites you may have that you rarely work on – they need to be kept updated too.
10. Don’t use cheap or free hosting
If you’re using hosting that costs a dollar a month, or, God forbid, free hosting, you’re asking for trouble. The pile-it-high, charge-very-little approach means the web hosting company can’t afford to put effective security measures in place, and on a badly isolated shared server one compromised site can take its neighbours down with it.
If you’re the technical type, or need to pass information on to your web developer, take a look at these advanced tips from Smashing Magazine.
Alternatively, try this free plugin which performs many of those tasks for you.
How to make automatic backups
Sooner or later, something’s going to go wrong. That’s life.
Losing all your blog content because of a hacker, server failure or database crash is not something you want to risk happening.
For more information on making backups, see my post here. The shortcut for non-technical types is to use a service like BackupBuddy for a set-and-forget system that can also be integrated with Dropbox, Amazon S3 and other services. Whatever you use, keep the copies somewhere other than the web server itself: a hacker who gets into the server can delete the backups along with the site.
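For the technical types, here is what a set-and-forget backup boils down to, as an added example of my own (not from the original post, BackupBuddy or WordPress): dump the database, archive wp-content and wp-config.php, and throw away sets older than the newest few. The database credentials are read from wp-config.php rather than copied into the script, the password is passed to mysqldump through the environment so it never appears in the process list, and the backup directory is assumed to be outside the web root. The install and backup paths are assumptions (override them with the WP_ROOT and WP_BACKUP_DIR environment variables); SAMPLE_CONFIG is a constructed wp-config.php used to show the parsing.

```python
"""Nightly WordPress backup: database dump plus wp-content archive, with rotation.

Added example, not from the original post, BackupBuddy or WordPress. Assumes a
standard install (wp-config.php directly in WP_ROOT) and mysqldump on the PATH.
"""
import gzip
import os
import re
import shutil
import subprocess
import tarfile
from datetime import datetime
from pathlib import Path

WP_ROOT = Path(os.environ.get("WP_ROOT", "/var/www/html"))                     # assumed location
BACKUP_DIR = Path(os.environ.get("WP_BACKUP_DIR", "/var/backups/wordpress"))    # outside the web root
KEEP = 14  # number of backup sets (one per run) to keep

# define('DB_NAME', 'value'); with either quote style and optional spaces
DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
STAMP_RE = re.compile(r"^wp-(\d{8}-\d{6})\.")   # wp-YYYYmmdd-HHMMSS.sql.gz / .tar.gz

# Constructed wp-config.php fragment, only used to demonstrate parse_wp_config()
SAMPLE_CONFIG = """\
<?php
define('DB_NAME', 'wp_blog');
define( 'DB_USER', 'wp_user' );
define("DB_PASSWORD", "s3cret-pass");
define('DB_HOST', 'localhost');
$table_prefix = 'wp_';
"""


def parse_wp_config(text):
    """Read the database settings out of wp-config.php so they never have to be copied here."""
    return dict(DEFINE_RE.findall(text))


def backups_to_prune(names, keep=KEEP):
    """Return the file names that belong to all but the newest `keep` backup sets."""
    stamped = [(STAMP_RE.match(n), n) for n in names]
    stamps = sorted({m.group(1) for m, _ in stamped if m})
    old = set(stamps[:-keep]) if keep > 0 else set(stamps)
    return [n for m, n in stamped if m and m.group(1) in old]


def run_backup(wp_root=WP_ROOT, backup_dir=BACKUP_DIR, keep=KEEP):
    """Write wp-<stamp>.sql.gz and wp-<stamp>.tar.gz into backup_dir, then rotate."""
    cfg = parse_wp_config((wp_root / "wp-config.php").read_text())
    backup_dir.mkdir(parents=True, exist_ok=True)
    backup_dir.chmod(0o700)            # the dump holds every user's password hash
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S")
    sql_path = backup_dir / f"wp-{stamp}.sql.gz"
    tar_path = backup_dir / f"wp-{stamp}.tar.gz"

    # Password via MYSQL_PWD (honoured by the MySQL client tools), not on the command line.
    env = dict(os.environ, MYSQL_PWD=cfg["DB_PASSWORD"])
    host, _, port = cfg.get("DB_HOST", "localhost").partition(":")   # DB_HOST may be host:port
    cmd = ["mysqldump", "--single-transaction", "--host", host or "localhost",
           "--user", cfg["DB_USER"]] + (["--port", port] if port.isdigit() else []) + [cfg["DB_NAME"]]
    with gzip.open(sql_path, "wb") as out:
        proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, env=env)
        shutil.copyfileobj(proc.stdout, out)    # stream through gzip rather than to a raw fd
        if proc.wait() != 0:
            raise RuntimeError(f"mysqldump failed with exit status {proc.returncode}")

    # Everything you cannot simply reinstall: uploads, themes, plugins and the config itself.
    with tarfile.open(tar_path, "w:gz") as tar:
        tar.add(wp_root / "wp-content", arcname="wp-content")
        tar.add(wp_root / "wp-config.php", arcname="wp-config.php")

    for name in backups_to_prune(os.listdir(backup_dir), keep):
        (backup_dir / name).unlink()
    return sql_path, tar_path


if __name__ == "__main__":
    print("wrote", *run_backup())
```

Run it from cron once a night and add a second job that copies the backup directory off the server (rsync to another machine, or an S3 sync), so a compromise or disk failure does not take the backups with it. Test a restore once, before you need one.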
Site hacked? Here’s what to do
If your site has been hacked, or you or your visitors are seeing warnings about malware or viruses you can resolve the problem with these three steps.
1. Get your website scanned to see if there really is a problem. Sometimes there are false alarms. You can get an instant scan from the service I use, Website Defender; there are free and paid accounts and you can get a scan with either.
2. If there is a problem with your site, take the steps recommended by Website Defender to clean your site.
3. Report the problem as fixed to Google, so they can restore your site to their search engine rankings. To do this, you need to either submit a Site Reconsideration Request or report the cleanup through Google Webmaster Tools.
Using Webmaster Tools is a much quicker way of getting your site reconsidered, usually taking around six hours. Just go to the Malware section and follow the instructions.