As we all know, hacking is a huge issue and as a website owner you are likely to fall into one of three categories:
1) You’ve been hacked in the past and know just how frustrating it can be
2) You have actually been hacked but you just don’t realize it yet
3) You are a little complacent with a “probably won’t happen to me” mindset
I don’t know which of these apply to you but I’ll admit here that I’ve been in all 3 camps at various stages of my web business 🙁
Providing a complete guide on website security is well beyond the scope of this blog post but what I would like to do is share with you some simple steps for prevention, monitoring and resolution that you can put into place to reduce the risk.
Firstly, to stress the importance of this let me share just some of the things that I’ve personally experienced:
- Defacement – One of my sites had a “Hacked by XXX” message on the home page together with a ghostly video playing
- Redirection – One site was redirected to a very unpleasant site that would certainly not be suitable for kids
- Deindexed – I’ve had a site temporarily deindexed by Google with the loss of around 3,000 unique visitors per month
- Spam – An account on my server had an email spam script injected into it so it appeared that I was sending out mass spam emails
- Brute force attacks – I’ve had thousands of attempts to gain administrator access to my sites from robots using random usernames and passwords
I actually feel quite embarrassed about sharing all this because clearly it makes me look unprofessional and neglectful.
The truth is, though, that I simply wasn’t aware of some of the things I’m going to share with you in this blog post, so it left me as a sitting duck, just waiting for an attack.
Of course, it isn’t possible to eliminate the risk, only to reduce it. Awareness and some simple steps are a great place to start:
1) No Default Username
If like me you use WordPress to build most of your sites then make sure you change the default administrator username “admin” to something else.
To be clear, no user should have the username “admin” in your WordPress site. Ever!
Robots will try combinations of the “admin” username and passwords to try to gain access to your WordPress dashboard by brute force.
Here’s a screen capture from my email notifications telling me that this has been happening to my sites in just the last few hours:
By the way, this is no big news – On a typical day my sites lockout 20-30 “users and hosts” (read: robots) as a result of failed brute force attacks.
I’ll share the free tool I use to perform these automatic lockouts and deliver the email notifications shortly, so do keep reading…
2) Strong Passwords
I’m sure everyone has heard of this.
The robots we mentioned above use “obvious” passwords for brute force entry attempts which come from built in dictionaries (available for free if you search Google!).
So if your password is “flowers” or even something like “flowers2014” then you are leaving yourself very much open to attack.
You should use strong passwords which look like this: 2A43%^fjsdSTo”1-
The only problem of course is how on earth can you remember these passwords?!
The answer is you don’t, you instead use a password manager.
Personally, I use LastPass. Completely free and just such an amazing time saver. I shared this with you in a previous blog post if you want to find out a bit more before going ahead.
3) Keep Everything Updated
It’s very important to always keep the software you have installed on your site updated, because a lot of upgrades contain security patches.
In terms of WordPress this means regularly updating WordPress itself, themes and plugins.
You can either do this manually by logging in regularly and doing a bulk update using Dashboard > Updates, or by enabling automatic updates using a plugin.
A good one is Advanced Automatic Updates, but there are others if you go into your WordPress Dashboard and search for “update” in Plugins > Add New > Search.
4) iThemes Security
iThemes Security is a great free plugin which will allow you to improve the security on your site.
The options can look daunting the first time you install it but it has a simple wizard which will guide you through the recommended settings.
Amongst other things I use it to lock out and ban IP addresses that are making brute force login attempts. You can also have it send you email notifications when this happens (which is the screenshot we discussed above in the first section).
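The lockout behaviour described in sections 1 and 4, as an added example (this is not code from the post or from the iThemes Security plugin): failed logins are counted per source IP inside a time window, the IP is locked once it crosses a threshold, and attempts against the “admin” username are counted separately. The log format, timestamps and addresses are constructed for the example.

```python
"""Brute-force lockout logic modelled on the post's description: count
failed logins per IP inside a window, lock the IP after N failures, and
flag attempts that use the username "admin". Constructed sample data only."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed (hypothetical) log format: "<ISO time> FAIL ip=<addr> user=<name>"
SAMPLE_LOG = """\
2014-05-01T10:00:01 FAIL ip=203.0.113.7 user=admin
2014-05-01T10:00:03 FAIL ip=203.0.113.7 user=admin
2014-05-01T10:00:04 FAIL ip=203.0.113.7 user=administrator
2014-05-01T10:00:05 FAIL ip=203.0.113.7 user=admin
2014-05-01T10:00:06 FAIL ip=203.0.113.7 user=admin
2014-05-01T10:05:00 FAIL ip=198.51.100.2 user=rob
2014-05-01T11:30:00 FAIL ip=198.51.100.2 user=rob
"""

LINE_RE = re.compile(r"^(\S+) FAIL ip=(\S+) user=(\S+)$")


def parse_line(line):
    """Return (timestamp, ip, username) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def analyse(log_text, max_attempts=5, window=timedelta(minutes=15)):
    """Return (lockouts, admin_probes).

    lockouts maps ip -> timestamp of the failure that triggered the lockout
    (max_attempts failures within window); admin_probes counts failed attempts
    that used the username 'admin' (case-insensitive), the pattern the post
    says the robots rely on."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside window
    lockouts = {}
    admin_probes = 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, user = parsed
        if user.lower() == "admin":
            admin_probes += 1
        if ip in lockouts:
            continue  # already locked out: the plugin rejects before authentication
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # forget failures that aged out of the window
            q.popleft()
        if len(q) >= max_attempts:
            lockouts[ip] = ts
    return lockouts, admin_probes


if __name__ == "__main__":
    locked, probes = analyse(SAMPLE_LOG)
    print(locked, probes)  # {'203.0.113.7': datetime(2014, 5, 1, 10, 0, 6)} 4
```

The second IP never locks out because its two failures are 85 minutes apart, which is the distinction between a typo-prone human and a robot that the threshold-plus-window rule is meant to draw.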
5) Sucuri
Sucuri is great and I highly recommend it.
Basically there are two parts to it:
Part 1: Free Website Security Scan
If you go to their site and enter any website URL it will check for malware, blacklisting and out of date software.
Note: Over time I have noticed some false positives here, i.e., clean sites which are fine but are flagged as infected. Also, the blacklisting results can be a little out of date. Obviously nothing is perfect but better to be safe than sorry and generally I’ve found it a really invaluable tool.
Part 2: Continual Monitoring and Unlimited Cleanups
One option is just to use the free website scan service above. However, if you wish to have your sites continually and automatically scanned (e.g., every 3-6 hours) then you might want to consider signing up for their premium service.
What really sold me on this is that unlimited clean ups are included. So in other words if you get hacked:
i) You’ll get an email notification from Sucuri which indicates one of your sites has been compromised.
ii) You click on “Request Malware Removal”, enter your FTP details (your host will provide these if you don’t know) and click “Submit Request”
Easy, simple and as I said there is no limit on the number of times you can do this.
Thankfully I’ve only had to use it once but their service was excellent and my site was clean within about 3 hours following my request (although they state up to one working day in their guidelines).
I also like the peace of mind it gives because the reality is that a large percentage of people who are hacked just don’t know because there are no visible signs. So using Sucuri you know if there’s a problem you’ll get notified and be able to get a fix really quickly with minimal effort on your part.
6) PC Security
To keep your sites clean you need to have a clean computer. If there’s a nasty password stealing malware program running on your PC then none of the other website security steps are going to make much of a difference!
As you know there are countless anti-virus and malware programs available. I am certainly no expert so I’m afraid I can’t tell you which is best to use. However, I can tell you what I use which is the following:
AVG – free.avg.com
MalwareBytes – https://www.malwarebytes.org
I use just the free versions of each and I find them really good. But again, whatever you have installed, just make sure you use it!
As I mentioned this is far from a complete guide on security but hopefully it’ll help you significantly tighten up your security quickly and easily. If you are a GHG member and would like to know more then check out the mini-video series “Website Lockdown: How To Secure Your Site From Hackers” in the Basecamp section.
Did you find this useful? Please LIKE/TWEET/SHARE and drop a comment below with your thoughts. Perhaps you’ve been hacked yourself? Either way it’s always great to hear your views so please fire away… 🙂 Cheers, Rob
Thanks for such an honest and eye-opening post, Rob!
Having just set up my first blog, I am definitely going to ensure that I don’t leave any doors open. Thanks for sharing something which, although not directly about making money, could certainly save a lot of time and money in the long run!
My pleasure Keith and you’re absolutely right on the saving of time and money. Especially time actually – it can really drag you down if you are open to attack, get hacked and are not sure what to do.
Good luck with the new site 🙂
Really useful, I have much of this in place but did not realise how brute attacks worked. Need to step up my security some more.
Thanks for your comment Bob and great to see you here on the blog too, glad you found it useful 🙂
Yes I was hacked…
I was so dismayed as I thought it would never happen to me, until it did.
Great advice you give, and I empathize totally with anyone who gets targeted. I ‘lost’ around 20 sites, so big ouch!
Thank you for sharing that Darryl. It sounds very painful and I know it can be hard not to take it personally. I’m sure you’ll be stronger for it going forward though so on and up!
All the best, Rob
Rob, the fact that you’ve had thousands of brute force attacks doesn’t make you unprofessional; just the opposite. Everyone has had those attacks. The difference, what makes you more professional, is that you KNOW you’re being attacked, because you’ve put something in place to monitor for this type of behavior. Good for you.
One other tip is to add two-factor authentication to your sites, particularly if you’re the only person who logs in. Plugins like Clef or Google Authenticator are very easy to set up and use.
Thanks Glen, much appreciated. Excellent tip on the two-factor authentication too. I actually use that on this blog to protect the WordPress login page. Great to see you here on the blog 🙂
Great advice, as usual!
Hope you’re enjoying Cornwall, and all this beautiful weather!
Glad you enjoyed it Stephanie and yes, very much enjoying life on the coast.
Thanks for your comment 🙂
I find the free plugin Limit Login Attempts very useful. It does what it says on the tin. (I appreciate the WordPress directory comes with a warning, not updated for 2 years, but all works well.)
Also sends you an email if the number of attempts are exceeded. I set to 3.
Hi Paul, the iThemes Security plugin includes this feature too and it’s bang up to date, so you might like to try that as an alternative. It’s an important feature as you say, thanks for commenting and pointing it out 🙂
Indeed. On my last Blog I installed some plugins to stop brute force attacks, and quite frankly I was stunned at how many attacks I had. Even for my Blog which didn’t even get any traffic to speak of, it was crazy.
About 5 times per week, every week, I’d get mails informing me of an attack where they tried at least 5 attempts to hack in each time. As you say, every time they used “Admin” which thankfully I already knew was a bad user to leave on my WP site.
I hope people heed your warning and get protected if they value their work.
I know exactly what you mean Simon – it’s a real surprise to see all the failed attempts and I remember being exactly the same.
Thanks for sharing your thoughts and taking the time 🙂
WordPress security has been an issue for years and it’s not getting better anytime soon.
I have been hacked in the past, and I got so frustrated by the experience I set out to become an expert at WP security. I now run my own WP security site doing this for clients. You would be amazed at how many have NO IDEA what they are doing when it comes to WP security.
A great post with solid ideas but only the tip of the security nightmare that is WordPress. Any security no matter how basic is better than none.
Thanks for your comment 🙂 It’s interesting to get your views given your speciality in this subject. From what you say it sounds like WordPress is more at risk than other content management systems?
Really good article Rob. Thanks. I’m definitely going to implement these things on ALL my websites. I had no idea on some of this! Thank you for sharing it.
Thank you Deb, great to hear you found it useful. You’ll lower the risk significantly if you do that so well done on the affirmative action 🙂
Thanks Rob. That explains why I had an email I sent to you bounced back – I was welcoming you to Bude. Sorry you’ve had these problems and thanks for the tips.
Hi Bill, Glad you found them useful and good to see you here on the blog 🙂 Cheers, Rob.
Rob- blo*dy good article and very apt! Security is now the no 1 issue at any major company let alone us and our sites. Thanks for this
Very informative. In fact, you won’t believe it, I have problems now: I had a virus on Google Chrome. I have BT/McAfee scanning; do you think that’s enough Rob, or should I use one of those freebies you have mentioned? BT is not shifting it, but I do like what you have put, and also you use it yourself, can’t get a better recommendation than that. Thanks Rob
Good article Rob. I had one of my sites infected with malware last year and Google weren’t allowing access to it or something. I got a phone call from a security company linked to my hosting service and they offered a one-off removal for $200 or a yearly protection package for $500.
I couldn’t afford that even if I had wanted it but I ended up over at Fiverr.com and bought a gig from a guy who said he could remove said virus and he did within 24 hours, plus gave me a WordPress plugin to stop it returning. Needless to say I’ve learnt my lesson on security since that episode!
Thanks for covering this. I learnt this the hard way too.
I ended up implementing a regime similar to yours; I included BruteProtect even though some of the iThemes measures cover that too. You have included a couple of things that I don’t do so I’ll be getting on to that today.
The only way that I’ve found to approach website security is to assume that it’s insecure so that you keep checking new things and it all changes every week.
My pleasure Peter and wise words there too.
Thanks for taking the time to comment and let me know what you think 🙂
Someday (hopefully soon!) WordPress will include some of the more common security measures so that a plugin will not be required to do basic site security.
However, until that day, we’re on our own!
The security plugin I prefer and use for all my client sites is All in one WP Security and Firewall. It’s free, it’s thorough, and highly configurable, yet simple to use.
Totally agree Mark – it’s really such a fundamental thing that it should be built in. Thanks for the recommendation on the plugin too, much appreciated 🙂
Your GHG Membership site is so loaded with virtually all the relevant tutorials, tips, very latest tips and alerts that I always ask myself, “Have you checked the GHG Members ‘library’ before looking elsewhere and throwing money away on information that is ALREADY available for FREE in the Members Area?”
I wish new members of GHG would bear this in mind, because the temptation to try something similar for a fee is so great that those desperate for a ‘quick solution’ and with a little extra cash to spare can easily fall into that trap and get disappointed and frustrated over and over again.
My advice to anyone so tempted is: ” You’ll be lucky to get a better teacher than Rob.”
You are very kind – thank you for your lovely comment! Really glad you are enjoying the material in the members area and as you know, do get in touch when I can help 🙂
Nice useful post on security! People tend to ignore the security of their sites until something goes wrong, I’m guilty of this too :/
Will definitely be implementing some of these SUPER security tips on my websites from now on 🙂
Thanks Raj – glad you enjoyed it 🙂
Hey Rob, cool list! So just to be clear…what were you using to monitor these Brute Force attacks, where they send you an email about it whenever it happens?
Actually Rob, one additional question. It sounds like you like Sucuri, but it also sounds like, as you mentioned above, it can give off some false positives.
Is there any concern that Sucuri can be giving off a false positive, and when you tell the plugin to clean up your infested site, it’s really an unnecessary request because your site may already be clean?
Hi Sam, Good to see you on the blog & thanks for your comment 🙂
Yes, I’m using Sucuri and all of my false positives have actually been “site not found” errors – in other words the server has temporarily not responded when Sucuri tried to check it. You can actually find out that this is the error when you get notified, so really I suppose it isn’t a “true false positive”! Anyway, it’s no trouble really and if you did request a clean then nothing would be found and no changes would be made.
Hope this makes some kind of sense!
You mentioned how you get updates about brute force attacks on your site….which one of these things you mentioned tells you about these brute force attacks? And when you get them, do you need to do anything about them, or is it just helpful to know what is happening overall?
The brute force notifications come from the iThemes Security plugin. There isn’t a lot you can do apart from limit repeated failed login attempts to your site which is a facility that the plugin gives you.
Hope this helps Brian and thanks for your comment 🙂
Acunetix Secure WordPress is a good security plugin I found. It scans your system for vulnerabilities and tells you what to do to rectify them. Some of the file changes suggested can be a bit techie if you don’t really know what you are doing, but most of the stuff like changing default database table prefixes is easier to do, and stuff like file permission changes can also be done in the dashboard. Here are some of the results of a scan on my site – note the username ‘Admin’ you were talking about:
-You have the latest version of WordPress.
-Your database prefix is not wp_.
-Startup errors are not displayed.
-User admin was not found.
-The .htaccess file was found in the wp-admin directory.
-Your currently used User to access the WordPress Database holds the appropriate rights to interact with the database.
-The index.php file was found in the wp-content directory.
-The index.php file was found in the plugins directory.
-The index.php file was found in the themes directory.
-The index.php file was not found in the uploads directory! You should create one in order to prevent directory listings.
Finally I’d suggest doing full server back up every month. I have one account on one domain hosting and 2 on another so I just back these up after making sure all my sites are up to date and working.
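The hardening checks listed in the scan results above, as an added example (this is not the Acunetix plugin’s code or anything from the post): it reads the table prefix from wp-config.php, checks the user list for “admin”, and looks for the index.php and .htaccess files the scan reports on. The sample install it builds in a temporary directory is constructed, and is deliberately missing the uploads index.php just like the quoted scan.

```python
"""Re-implements the checks quoted in the scan results: table prefix not wp_,
no user named admin, index.php in wp-content/plugins/themes/uploads (blocks
directory listings) and .htaccess in wp-admin. Sample install is constructed."""
import os
import re
import tempfile

CONTENT_DIRS = ("wp-content", "wp-content/plugins", "wp-content/themes",
                "wp-content/uploads")


def read_table_prefix(root):
    """Return the $table_prefix value from wp-config.php, or None if absent."""
    cfg = os.path.join(root, "wp-config.php")
    if not os.path.isfile(cfg):
        return None
    with open(cfg) as f:
        m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]+)['\"]", f.read())
    return m.group(1) if m else None


def check_install(root, usernames):
    """Map each check name to True (pass) or False (fail) for a WordPress tree."""
    prefix = read_table_prefix(root)
    results = {
        "db_prefix_not_wp_": prefix is not None and prefix != "wp_",
        "no_admin_user": all(u.lower() != "admin" for u in usernames),
        "htaccess_in_wp-admin": os.path.isfile(os.path.join(root, "wp-admin", ".htaccess")),
    }
    for sub in CONTENT_DIRS:
        results["index_php_in_" + sub] = os.path.isfile(os.path.join(root, sub, "index.php"))
    return results


def failing_checks(root, usernames):
    """Sorted names of the checks that fail, i.e. the items a scan would flag."""
    return sorted(name for name, ok in check_install(root, usernames).items() if not ok)


def build_sample_install():
    """Constructed sample: hardened except for the missing uploads index.php."""
    root = tempfile.mkdtemp(prefix="wp_sample_")
    for sub in ("wp-admin",) + CONTENT_DIRS:
        os.makedirs(os.path.join(root, sub), exist_ok=True)
    with open(os.path.join(root, "wp-config.php"), "w") as f:
        f.write("<?php\n$table_prefix = 'xk7_';\n")  # constructed non-default prefix
    for sub in CONTENT_DIRS[:3]:  # uploads is left without index.php on purpose
        with open(os.path.join(root, sub, "index.php"), "w") as f:
            f.write("<?php // Silence is golden\n")
    with open(os.path.join(root, "wp-admin", ".htaccess"), "w") as f:
        f.write("# constructed placeholder\n")
    return root


if __name__ == "__main__":
    print(failing_checks(build_sample_install(), ["rob", "editor"]))
```

Running it against the constructed tree reports only the uploads directory, matching the one failed line in the quoted scan; pointing it at a real install root and the real user list gives the same checklist for your own site.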