As we all know, hacking is a huge issue and as a website owner you are likely to fall into one of three categories:
1) You’ve been hacked in the past and know just how frustrating it can be
2) You have actually been hacked but you just don’t realize it yet
3) You are a little complacent with a “probably won’t happen to me” mindset
I don’t know which of these apply to you but I’ll admit here that I’ve been in all 3 camps at various stages of my web business 🙁
Providing a complete guide on website security is well beyond the scope of this blog post but what I would like to do is share with you some simple steps for prevention, monitoring and resolution that you can put into place to reduce the risk.
Firstly, to stress the importance of this let me share just some of the things that I’ve personally experienced:
- Defacement – One of my sites had a “Hacked by XXX” message on the home page together with a ghostly video playing
- Redirection – One site was redirected to a very unpleasant site that would certainly not be suitable for kids
- Deindexed – I’ve had a site temporarily deindexed by Google with the loss of around 3,000 unique visitors per month
- Spam – An account on my server had an email spam script injected into it so it appeared that I was sending out mass spam emails
- Brute force attacks – I’ve had thousands of attempts to gain administrator access to my sites from robots using random usernames and passwords
I actually feel quite embarrassed about sharing all this because clearly it makes me look unprofessional and neglectful.
The truth is though I just simply wasn’t aware of some of the things I’m going to share with you in this blog post, so it left me as a sitting duck, just waiting for an attack.
Of course, it isn’t possible to eliminate the risk, only to reduce it. Awareness and some simple steps are a great place to start:
1) No Default Username
If like me you use WordPress to build most of your sites then make sure you change the default administrator username “admin” to something else.
To be clear, no user should have the username “admin” in your WordPress site. Ever!
Robots will try the “admin” username with many different passwords to gain access to your WordPress dashboard by brute force.
Here’s a screen capture from my email notifications telling me that this has been happening to my sites in just the last few hours:
By the way, this is no big news – on a typical day my sites lock out 20-30 “users and hosts” (read: robots) as a result of failed brute force attacks.
I’ll share the free tool I use to perform these automatic lockouts and deliver the email notifications shortly, so do keep reading…
2) Strong Passwords
I’m sure everyone has heard of this.
The robots we mentioned above use “obvious” passwords for brute force entry attempts which come from built in dictionaries (available for free if you search Google!).
So if your password is “flowers” or even something like “flowers2014” then you are leaving yourself very much open to attack.
You should use strong passwords which look like this: 2A43%^fjsdSTo"1-
The only problem of course is how on earth can you remember these passwords?!
The answer is you don’t, you instead use a password manager.
3) Keep Software Updated
It’s very important to always keep the software you have installed on your site updated because a lot of upgrades contain security patches.
In terms of WordPress this means regularly updating WordPress itself, themes and plugins.
You can either do this manually by logging in regularly and doing a bulk update using Dashboard > Updates, or by enabling automatic updates using a plugin.
A good one is Advanced Automatic Updates but there are others if you go into your WordPress Dashboard and search for “update” in Plugins > Add New > Search.
4) iThemes Security
iThemes Security is a great free plugin which will allow you to improve the security on your site.
The options can look daunting the first time you install it but it has a simple wizard which will guide you through the recommended settings.
Amongst other things I use it to lock out and ban IP addresses that are making brute force login attempts. You can also have it send you email notifications when this happens (which is the screenshot we discussed above in the first section).
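To make the lockout behaviour from sections 1 and 4 concrete, here is an added example (not code from the original post, and not iThemes Security’s own code) that runs over a few constructed failed-login records: a host is locked out after a run of failures inside a short window, and attempts against the default “admin” username are counted separately. The log format, the threshold and the window are assumptions for the example, not the plugin’s real defaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-login records in the style a WordPress security plugin logs
# (sample data made up for this example, not taken from the original post).
SAMPLE_EVENTS = """\
2014-03-10 08:01:02 login_failed user=admin host=203.0.113.7
2014-03-10 08:01:04 login_failed user=admin host=203.0.113.7
2014-03-10 08:01:05 login_failed user=administrator host=203.0.113.7
2014-03-10 08:01:07 login_failed user=admin host=203.0.113.7
2014-03-10 08:01:09 login_failed user=test host=203.0.113.7
2014-03-10 08:02:30 login_failed user=rob host=198.51.100.22
2014-03-10 09:30:00 login_failed user=rob host=198.51.100.22
2014-03-10 09:31:00 login_failed user=admin host=192.0.2.44
"""

EVENT_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) login_failed "
                      r"user=(?P<user>\S+) host=(?P<host>\S+)$")

def parse_events(text):
    """Turn log lines into (timestamp, user, host) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("user"), m.group("host")))
    return events

def lockouts(events, max_attempts=5, window=timedelta(minutes=5)):
    """Hosts that reached max_attempts failures inside one sliding window.
    Mirrors the 'lock out users and hosts' behaviour the post describes;
    the threshold and window here are assumed, not the plugin's real defaults."""
    recent = defaultdict(list)
    locked = set()
    for ts, _user, host in sorted(events):
        # keep only this host's attempts that fall inside the window ending now
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= max_attempts:
            locked.add(host)
    return locked

def admin_probes(events):
    """Failed attempts per host against the default 'admin' username the post says to remove."""
    counts = defaultdict(int)
    for _ts, user, host in events:
        if user.lower() == "admin":
            counts[host] += 1
    return dict(counts)
```

Any host that shows up in admin_probes is guessing the username the first section tells you to get rid of, so renaming that account makes those attempts fail regardless of the password they try.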
5) Sucuri
Sucuri is great and I highly recommend it.
Basically there are two parts to it:
Part 1: Free Website Security Scan
If you go to their site and enter any website URL it will check for malware, blacklisting and out of date software.
Note: Over time I have noticed some false positives here, i.e., clean sites which are fine but are flagged as infected. Also, the blacklisting results can be a little out of date. Obviously nothing is perfect but better to be safe than sorry and generally I’ve found it a really invaluable tool.
Part 2: Continual Monitoring and Unlimited Cleanups
One option is just to use the free website scan service above. However, if you wish to have your sites continually and automatically scanned (e.g., every 3-6 hours) then you might want to consider signing up for their premium service.
What really sold me on this is that unlimited clean ups are included. So in other words if you get hacked:
i) You’ll get an email notification from Sucuri which indicates one of your sites has been compromised.
ii) You click on “Request Malware Removal”, enter your FTP details (your host will provide these if you don’t know them) and click “Submit Request”.
Easy, simple and as I said there is no limit on the number of times you can do this.
Thankfully I’ve only had to use it once but their service was excellent and my site was clean within about 3 hours following my request (although they state up to one working day in their guidelines).
I also like the peace of mind it gives, because the reality is that a large percentage of people who are hacked just don’t know because there are no visible signs. So with Sucuri you know that if there’s a problem you’ll get notified and be able to get a fix really quickly with minimal effort on your part.
6) PC Security
To keep your sites clean you need to have a clean computer. If there’s a nasty password stealing malware program running on your PC then none of the other website security steps are going to make much of a difference!
As you know there are countless anti-virus and malware programs available. I am certainly no expert so I’m afraid I can’t tell you which is best to use. However, I can tell you what I use which is the following:
I use just the free versions of each and I find them really good. But again, whatever you have installed, just make sure you use it!
As I mentioned this is far from a complete guide on security but hopefully it’ll help you significantly tighten up your security quickly and easily. If you are a GHG member and would like to know more then check out the mini-video series “Website Lockdown: How To Secure Your Site From Hackers” in the Basecamp section.
Did you find this useful? Please LIKE/TWEET/SHARE and drop a comment below with your thoughts. Perhaps you’ve been hacked yourself? Either way it’s always great to hear your views so please fire away… 🙂 Cheers, Rob