Monday is usually my spot in our publishing schedule, but I’m giving it up today for a good reason.
Last week Nate Hoffelder of The Digital Reader alerted me to a widespread attack on vulnerable WordPress sites. Since my site, and those of many other authors, run on WordPress, this is a serious situation you should pay attention to.
The attacks, which have affected over 2,000,000 WordPress pages in the past few days, were reported by, among others, Ars Technica: “Virally growing attacks on unpatched WordPress sites affect ~2m pages.”
Here’s one thing they said:
“Attacks on websites running an outdated version of WordPress are increasing at a viral rate. Almost 2 million pages have been defaced since a serious vulnerability in the content management system came to light nine days ago. The figure represents a 26 percent spike in the past 24 hours.”
In this context, Nate suggested some immediate steps you can take that will help guard your site.
A Fact of Life Online
Listen, hacking and malicious attacks and bots that plant malware are simply a fact of life online. If you want to build a site that attracts readers, builds your mail list, performs as a media center or, like in my case, provides your income, you need to learn to address these issues.
Over the years I’ve spent time and money on making my sites more secure, hiring services that monitor sites, and moving my blog hosting to a fully managed environment.
On the day you wake up and discover your site is offline, or hacked until it’s unrecognizable, that’s the day you’re going to say to yourself, “Why didn’t I do those things when I could?”
Start today. Although some of these steps are simple, they will all help you stay online, in business, and productive. Here’s Nate’s article on the subject.
WordPress is the most widely used website platform, and it powers a quarter of all websites. That immense popularity means that developers are constantly adding new software options, but it also means that hackers are always looking for WP sites with lax security.
Here are 5 steps you can take to make your website more secure.
1. Don’t use “admin” as a username.
Did you know that the first account created when a new WP site is set up is usually named “admin”?
Hackers know that fact, and it is why they always try to break into that account on any WP site they attack. No matter how old the site is or how active it is, hackers will always target the admin account first.
That is why you should never use that account.
- Solution: Make a new account with administrator privileges, give it a unique name, and then change the permissions for the account named “admin” so that it is no longer an administrator. Change it to a “subscriber”.
2. Use a strong password.
Every year web security experts list the most common passwords, and every year hackers use that list to try to gain access to your website. So if you have an easily guessable password like “12345”, “qwerty”, “password”, or “12345678”, you should change it right away.
- Solution: Luckily, WP will suggest a secure password for you, so all you need to do is visit your profile page on your site, scroll down to where it says “New Password”, and click the button to generate a new password.
Copy the suggested new password so you don’t lose it or forget it, and then scroll down to the bottom of the page and click the “Update Profile” button to finish the process.
3. Disable your web designer’s account on your site.
Did someone help you set up your site? Do they still have an account on the site?
If you answered yes to both questions then you should consider disabling that account right away.
This may come as a surprise, but even a pro will sometimes be careless and use an easily guessable password. In fact, I just helped a client clean up their site after it had been hacked through the old web designer’s account. A hacker had found that account, guessed the password, and gained complete access to the site.
- Solution: Change the web designer’s account so that it is no longer an administrator for the site; instead, make it a subscriber. You don’t have to delete the account, because if you work with the designer again you can always restore their privileges.
4. Keep WordPress updated.
Did you know researchers are finding new security holes in software all the time?
Developers are constantly patching their software to fix the issues, but hackers are also on the lookout for sites which are behind on updates. If hackers find you missed a critical security update, they will pounce without mercy.
- Solution: Check your site every couple of weeks, and install any available updates.
5. Install a firewall plugin.
You wouldn’t dream of browsing the web without a firewall, anti-virus, and anti-malware software running, would you?
Of course not; that is just web safety 101, and the same is true for your website. A firewall plugin will alert you to someone trying to hack your site, and it can also tell you if a hacker has already gained access and is making changes.
- Solution: Install either the Wordfence or the Sucuri plugin – and don’t forget to go through the full setup process.
My recommendation is Wordfence; I like its email notifications. But Sucuri is also good, and it has the better malware scanner.
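The five steps above can also be checked and applied from the command line with WP-CLI, which is how a site maintainer would script them across several sites. The script below is an added example, not code from this post or from Nate Hoffelder. It assumes the `wp` command is installed and run from the WordPress root; when `wp` is not on the PATH it falls back to a constructed list of administrator logins (the logins, the `FORMER_HELPERS` name and the sample passwords are made up for the example). The WP-CLI commands it uses (`wp user list`, `wp user update --role=subscriber`, `wp core check-update`, `wp plugin list --update=available`, `wp plugin install wordfence --activate`) are real; the password check is a deliberately small stand-in for the common-password lists the post mentions.

```shell
#!/bin/sh
# Added example (not from the post): account and update hygiene for steps 1-5,
# driven by WP-CLI (`wp`). Assumes `wp` is installed and the script runs from
# the WordPress root; without `wp`, it runs on constructed sample data.

# Constructed sample of `wp user list --role=administrator --field=user_login`
# (one login per line). These logins are made up for the example.
SAMPLE_ADMINS='admin
janeauthor
olddesigner'

# Hypothetical list of former helpers whose access should be reviewed (step 3).
FORMER_HELPERS='olddesigner'

# Print each administrator login that should not keep that role: the default
# "admin" login (step 1) and any login given in $2, space separated (step 3).
risky_admins() {
    admins="$1"; review="${2:-}"
    printf '%s\n' "$admins" | awk -v review="$review" '
        BEGIN { n = split(review, r, " "); for (i = 1; i <= n; i++) flag[r[i]] = 1 }
        NF && ($1 == "admin" || ($1 in flag)) { print $1 }'
}

# Number of administrator accounts; the post recommends one uniquely named admin.
admin_count() {
    printf '%s\n' "$1" | awk 'NF { c++ } END { print c + 0 }'
}

# Emit the WP-CLI command that demotes each flagged login to subscriber.
# The account is kept, as the post advises, so privileges can be restored later.
demote_commands() {
    for login in $(risky_admins "$1" "${2:-}"); do
        printf 'wp user update %s --role=subscriber\n' "$login"
    done
}

# Step 2: treat a password as weak when it is shorter than 12 characters or
# appears on this short common-password list (the post quotes four of them;
# a real check would use a far larger list). Returns 0 (true) when weak.
COMMON_PASSWORDS='12345 qwerty password 12345678 123456 letmein'
password_is_weak() {
    pw="$1"
    [ "${#pw}" -lt 12 ] && return 0
    for common in $COMMON_PASSWORDS; do
        [ "$pw" = "$common" ] && return 0
    done
    return 1
}

# Live run when WP-CLI is available; otherwise fall back to the sample data.
if command -v wp >/dev/null 2>&1; then
    ADMINS=$(wp user list --role=administrator --field=user_login)
    echo "== Pending updates (step 4) =="
    wp core check-update
    wp plugin list --update=available
    wp theme list --update=available
else
    echo "wp not found; using constructed sample data" >&2
    ADMINS="$SAMPLE_ADMINS"
fi

echo "Administrator accounts: $(admin_count "$ADMINS")"
echo "Accounts to demote to subscriber:"
risky_admins "$ADMINS" "$FORMER_HELPERS"
echo "Commands to run:"
demote_commands "$ADMINS" "$FORMER_HELPERS"

# Step 2 on two constructed candidates: one from the post's list, one long passphrase.
for candidate in "qwerty" "correct-horse-battery-staple-2017"; do
    if password_is_weak "$candidate"; then echo "weak:   $candidate"; else echo "ok:     $candidate"; fi
done

# Step 5: a firewall plugin, installed and activated with WP-CLI (plugin slug "wordfence").
echo "wp plugin install wordfence --activate"
```

Run it once without arguments to see the report; the demotion commands are printed rather than executed so you can review them before changing any account. The length-plus-list password check is only a floor: the generator on your WordPress profile page, as the post says, produces something far stronger than any rule of thumb.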
Start thinking about the security of your site today. And let me know in the comments:
Has your WordPress site been hacked? How did you solve your problem?