Is Your WordPress Website Up to Date?

It’s been about four years now that we’ve been working exclusively in WordPress when building websites for clients. We switched over to it as a test with some websites that needed the ability to make content updates on a regular basis, then found it to be so much more capable than how we were building our regular HTML websites. And now WordPress powers about 26% of websites on the internet. Pretty cool, right?!

Those of you using WordPress, though, will want to make sure you’re always running the latest version of the platform. There are a few quick reasons why:

  • New Functions and Features – Version updates usually bring new functionality that makes the commonly used tools and options even easier for content creators. Image galleries are easier than ever before, content formatting is better, and so are the themes.
  • Security and Patches – Typically you’ll see these in the incremental (point) updates to a version, but they are always important to pay attention to. Because WordPress is open source and community driven, input from users of the platform is actually taken into account when issues are found. Yes, even the small hiccups matter to the developers, because they’re able to track and collate all of that data and package fixes that are then pushed out through these updates for all to enjoy.

WordPress Support Request

What does this all mean? Don’t neglect your website. You may be one of the many owners with several pending updates waiting for you to take action. Before you make those updates, be sure to read what is changing. It helps to understand this because there could be a reason why you shouldn’t update yet, or you may need to test first whether the updates are compatible with your current theme, plugins, and custom settings.

Updates available on WordPress

You’ll want to check with your web consultant if you’re not sure, or you can always contact us and we can help with that too. Probably one of the more important things is to be sure to make a backup of your website prior to doing any updates. This helps in case something goes wrong or breaks: instead of troubleshooting, you can just restore the backup and then work out a plan for how to move forward.

My WordPress Site Just Got Hacked

Probably a phrase that no one in the community ever wants to utter. I bet you’ll stop reading this post temporarily just to take a look at your website and ensure that it is still up and intact. Some of you may even clear your cache and refresh to be doubly sure. Does this type of thing happen often? Yes! Does this happen to anyone, or just you? If you’ve been hacked before it sure feels like it was just you out of the millions of active websites on the interwebs. You can’t feel too bad about it; it was probably bound to happen if you never thought to take the necessary steps to keep your website secure.

So what do you do now that you’re staring at some ugly graphics and text that reconfirm the obvious: your website has been hacked? Check out the list of options below:

Contact Your Hosting Company

Inform them that your website has been compromised so that they can take steps to isolate the problem to a specific server or set of files before it spills over into your neighbor’s yard. Most websites operate on shared servers. This means that on any given server there could be multiple websites of all types sharing space, kind of like the electrical box outside your house.

Protect Your Own Computer

Once you’ve learned that your website has in fact been hacked, navigating around it may not be wise, as files may be compromised. Clicking on links or images may load spyware or malware onto your local computer that can wreak havoc on your home/work network and systems.

Pull Up A Backup of Your Database or Website

This of course assumes you set up a plan for backing up your website on some type of regular basis. We use a plugin called WordPress Database Backup from Austin Matzko; however, that plugin hasn’t been updated in a while, so I’d suggest BackWPup by Inpsyde. It has a host of options, including backing up to your Dropbox account. You can also perform your own backups by heading over to the Tools section, clicking on the Export option, and saving the file to your local computer. Now, if you do have a backup, you’ll be restoring it either with the same plugin you used for backing up (in some cases) and choosing its import feature, or with the native Import feature under the Tools section in your WordPress dashboard.

Get A Fresh Copy of WordPress

Go to WordPress.org and get yourself a fresh copy of whatever current version is out at the moment. There are a few files, however, that you’re not going to want to alter, as they contain vital data pertaining to your website:

  • wp-config.php (contains your database, host, password, and more)
  • wp-content (FOLDER) (this is where your themes and plugins are stored)

There are a few files that you should delete regardless of whether your site is new, hacked, or not:

  • wp-admin/install.php
  • wp-admin/install-helper.php
  • wp-admin/import.php
  • readme.html
  • wp-admin/upgrade.php
  • wp-admin/upgrade-functions.php

If you’re not sure, make a copy while you’re in your FTP client on the server side and rename the parent folders or files to “whatevername.old” or “whateverfile.php.old”. This way, when you upload the new files you won’t overwrite the preserved ones, and you’ll still have fresh files loaded where compromised ones may have been.

Change Your Database Password

This same password is listed in your wp-config.php file, so you’ll need to go through your host’s control panel to edit your MySQL database user and change it there. Once it is updated to something WAY more secure and different, edit the password in your wp-config.php file and re-upload that to your server. I shouldn’t have to stress that this should not be the same password as your Dashboard user login.

Speaking of users, be sure that you are NOT using the default “admin” account to log in to your site. If you are, please create a new login with a better username, like your nickname plus your favorite 5-digit number; add in some spaces and a few capital letters while you’re at it. Brute force attacks on WordPress sites are common, and over 90% of the time they are trying the “admin” username.

Be sure you’re using the most updated version of PHP. Could be 5.2 or 5.4. Check with your hosting company as well as your theme to be sure you’re where you need to be.

Login to WordPress and Check Around

See if there are any new user accounts (especially administrator ones) that you know shouldn’t be there. Update the passwords on the remaining ones you know are authorized. See if there are any new pages, posts, media files, etc. that you know you didn’t load, and remove them too. If you did preserve some files or folders, you may have to reload your theme(s) and plugins. Not a big deal, since you’ll easily be able to see them in your preserved files/folders.
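As an added example (not from the post or from any plugin), this Python script does by hand what the “Get A Fresh Copy” step above amounts to: it compares the installed core files with the checksums of a clean copy, reports anything modified, missing, or not shipped by WordPress, and flags the leftover installer files listed above, while leaving wp-config.php and wp-content alone as the post advises. The checksum map and the sample install are constructed inline for this example; a real run would build the map from a freshly downloaded copy of the same version.

```python
import hashlib
import tempfile
from pathlib import Path

# Files the post says to delete from any install, and paths it says to preserve.
LEFTOVER_FILES = {"wp-admin/install.php", "wp-admin/install-helper.php",
                  "wp-admin/import.php", "readme.html", "wp-admin/upgrade.php",
                  "wp-admin/upgrade-functions.php"}
SKIP_PREFIXES = ("wp-config.php", "wp-content/")

def verify_core(root, checksums):
    """Compare the install under root (a Path) with {relative_path: md5} from a fresh copy."""
    report = {"modified": [], "missing": [], "unexpected": [], "leftover": []}
    for rel, expected in checksums.items():
        if rel.startswith(SKIP_PREFIXES) or rel in LEFTOVER_FILES:
            continue  # preserved paths and to-be-deleted files are not errors here
        path = root / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif hashlib.md5(path.read_bytes()).hexdigest() != expected:
            report["modified"].append(rel)
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if not path.is_file() or rel.startswith(SKIP_PREFIXES):
            continue
        if rel in LEFTOVER_FILES:
            report["leftover"].append(rel)
        elif rel not in checksums:
            report["unexpected"].append(rel)  # not shipped by WordPress: inspect it
    return {k: sorted(v) for k, v in report.items()}

def demo():
    """Constructed sample install: tampered core file, dropped-in file, leftover installer."""
    fresh = {"index.php": b"<?php require 'wp-blog-header.php';\n",
             "wp-admin/install.php": b"<?php // constructed installer stub\n",
             "wp-includes/version.php": b"<?php // constructed version stub\n"}
    checksums = {rel: hashlib.md5(body).hexdigest() for rel, body in fresh.items()}
    site = dict(fresh)
    site["index.php"] += b"// extra line that is not in the fresh copy\n"
    site["wp-admin/x.php"] = b"<?php // not part of WordPress\n"
    site["wp-config.php"] = b"<?php define('DB_PASSWORD', 'placeholder');\n"
    site["wp-content/themes/mine/style.css"] = b"/* your own theme, left alone */\n"
    root = Path(tempfile.mkdtemp())
    for rel, body in site.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(body)
    return verify_core(root, checksums)

if __name__ == "__main__":
    print(demo())
```

Anything listed under “unexpected” is a file WordPress never shipped, which is where dropped-in backdoors tend to sit, so those deserve a look before the rest.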

Keep Up To Date

Be sure to keep in step with security updates from WordPress. If you ever see a 3.x.x update, chances are it is a security update that patches something someone from Automattic or the WordPress community has discovered. Also check in on your plugins and themes to see if they have updates. Most theme houses like Themeforest or WooThemes will contact you via email whenever updates are pushed by the submitting developers. If not, take some steps to stay up to date on your own. Beware of some free themes you find on the net too. There usually is no accountability or liability should that theme go un-updated for months or years yet still be available for free. Or worse yet, it may be repackaged and loaded on other sites as a free theme, now loaded with malware.

Install Preventative Security Plugins

While there are a host of plugins you can choose from, some free, some premium: GET SOME! I’m more of a fan of premium plugins from respectable developers than free ones because, truly, you get what you pay for. The difference in the level of responsibility between premium developers and ones just starting out is quite noticeable and to be respected. So what should you use? Here are some suggestions:

  • Better WP Security
  • WordFence Security (we also talked about this here)
  • BulletProof Security
  • XCloner – Backup and Restore

Have you had a site get hacked? Have more ways to prevent a site from getting hacked? Share in the comments below!


Some useful links and further tips:

Hardening WordPress


Secure Your WordPress Website

When it comes to your website, most people don’t always think about how safe it may be at this very moment. The threat of spambots or website-hacking robo-scripts really doesn’t resonate until the worst happens. I’ve seen some websites get hacked and it isn’t a pretty thing. Hackers take pride in exploiting vulnerabilities, and WordPress tries to do a good job of pushing updates whenever these threats come to their attention.

There’s a new plugin that we’ve been using for the past few weeks that has been pretty stable and informative about what’s going on with our websites.

WP Fence Logo

This plugin features a host of options:

  • Scans core files, themes and plugins against WordPress.org repository versions to check their integrity.
  • WordPress Multi-Site (or WordPress MU in the older parlance) compatible.
  • Wordfence Security for multi-site also scans all posts and comments across all blogs from one admin panel.
  • Premium users can also block countries and schedule scans for specific times and a higher frequency.
  • See how files have changed. Optionally repair changed files that are security threats.
  • Scans for many known backdoors including C99, R57, RootShell, Crystal Shell, Matamu, Cybershell, W4cking, Sniper, Predator, Jackal, Phantasma, GFS, Dive, Dx and many many more.
  • Continuously scans for malware and phishing URLs, including all URLs on the Google Safe Browsing List, in all your comments, posts and files that are security threats.
  • Scans for heuristics of back doors, trojans, suspicious code and other security issues.
  • Includes a firewall to block common security threats like fake Googlebots, malicious scans from hackers and botnets.
  • Rate limit or block security threats like aggressive crawlers, scrapers and bots doing security scans for vulnerabilities in your site.
  • Choose whether you want to block or throttle users and robots who break your security rules.
  • Includes login security to lock out brute force hacks and to stop WordPress from revealing info that will compromise security.
  • Real-time traffic includes reverse DNS and city-level geo location. Know which geographic area security threats originate from.
  • Our online forums are available 24/7 to answer your WordPress security questions.

And there’s so much more. One of the things we cared the most about was an option where we can set the number of failed login attempts to the WP dashboard and then lock a user out after that many failures. Having multiple sites that all have different plugins and settings, Wordfence does a good job of sending emails whenever plugins need updates as well as when WordPress itself requires updates.

Resolving threats is quite simple and intuitive as well.

Threat 1

Seeing the live traffic is a bit interesting too, especially if you just released a new post or want to see how a live marketing campaign is working for your site.

Live Site Activity

Well, don’t just take my word for it; check it out for yourself in the WordPress.org Plugin Directory and see what others are saying about it. Or visit the Wordfence website for the full details. This plugin is actually FREE, and is fantastic for what it offers. However, I would suggest their premium version, as it adds a bit more functionality like remote scans, more scan frequencies in a day, and the ability to block IPs from known malicious areas around the world.