Just last week I spoke at Kelly McCausey’s Hot Seminar Series about WordPress security and the need to keep your sites up to date, remove unused plugins, themes, etc… I shared lots of great tips on how to protect your WordPress sites from being hacked.
Then, just two days after I spoke, my husband mentioned that my old web design site had some ‘issues’. There were odd-looking characters in the page titles; and remembering back, a client had contacted me at the end of last year telling me the same thing. I had just upgraded the site, so I assumed it was an incompatibility within either the theme or the plugins. Since I do not actively do business via that site (and I was really busy), I didn’t stop to go have a look.
When I logged in to the dashboard to see where those odd characters were coming from, I deleted those and then thought to have a look at the HTML code within the page. WOW! Hidden backlinks had been inserted to porn sites and all sorts of things.
Ugh! Had I only discovered this before my talk, I could have done a video on what I found and shared it. Learn from my mistakes, so you don’t have to go through the pain of dealing with it.
Ultimately, because this site is not actively used, I chose first to change my password, then to delete all the posts and pages and put up a minimal notice on the site for those older clients of mine who still contact me. Most know to email me and don’t go through the site, but still… I needed to address this issue.
So how did I get hacked?
I’m not sure I’ll ever know for sure, but my site was running WordPress version 2.8 – so not the latest version; but not horribly out of date. I did update the site periodically.
But this is a perfect example of why you need to keep up with what’s going on with your sites. If you’re like me, you have many, many sites, and it can be time consuming to go to every one of them to update them; but it’s necessary.
So if you have a niche website that you’ve set up, and it’s either bringing in money in ‘auto mode’ or you are letting it sit and age for whatever reason, and you are not regularly logging into your WordPress dashboard, then take heed and go right now and make sure all your websites are up to date and nothing funky is going on.
The active sites I have are always kept up to date, as I’m in there a lot; but I do have a few that I set up and, for a variety of reasons, haven’t been to in a while… they too will be getting checked.
This was a stealth hack – there weren’t any obvious issues, other than the weird characters in the titles. My home page wasn’t hijacked to redirect site visitors to another site or anything like that. They inserted their code for hidden backlinks directly within posts and pages.
So learn from my experience; go right now today, and do these things to protect your web sites from being hacked.
Hack Prevention Action Steps
- Change your password. This is critically important! I started using Roboform a few months ago. I absolutely love it, as I can use really long, difficult passwords and it stores those securely for me.
- Remove any themes and plugins that you are not actively using. If you want to log into your site via FTP and download those to save them to your computer for future use – that’s fine; but then delete every single one that you do not have activated and are not using.
- Update your WordPress installation to the latest version. I highly recommend using the WP Automatic Upgrade Plugin to make this process complete. It will do all the required steps for you (i.e. backing up your files and database, downloading the latest WordPress version, deactivating plugins, putting the site in maintenance mode, installing/upgrading, reactivating plugins and taking the site out of maintenance mode). The built-in upgrade function within WordPress will upgrade your installation to the latest version, but even it fails to do all the steps that WordPress themselves recommend when upgrading your site. I have no clue why they would offer a built-in function that doesn’t do everything it should – so get the WP Automatic Upgrade plugin and problem solved.
- Upgrade any plugins and your WordPress theme, if an update is available. After you’ve upgraded your WordPress install to version 3+, you’ll find the Updates area under the Dashboard tab in the left column. Click that to see if you have any plugins and/or themes that need upgrading. Yep, the 3+ version of WordPress will upgrade your plugins and your themes! Sa-weet!
- One final bit of advice: check the Users that are registered for your site to make sure that there are no questionable users registered. I personally have the registration feature turned off on my blogs, so no one can register. I do know that on my hacked blog, at one time, I did have that feature turned on and I saw several user accounts listed, and that could have been one possible way they gained access to my site. (I deleted all user accounts except for my own.) So if you do not have need of folks registering on your site, then turn off that function within your settings and thoroughly check any registered user accounts for your blog, paying particular attention to what their permission/user level settings are.
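The hack described above was only noticed because of stray characters in titles; the links themselves were styled so visitors never saw them. As an added example (not code from the original post or from WordPress), here is a small Python script that scans post and page content for links hidden by inline styles or `hidden` attributes, and flags titles containing control characters, replacement characters or markup. The sample posts, the site hostname `example-design.test` and the `.invalid` spam hosts are constructed for the demonstration; how you export real content (a database dump of `wp_posts`, or a WP-CLI `wp post list` export) is an assumption about your setup, not something the post specifies.

```python
"""Scan WordPress post/page HTML for links hidden from human visitors.

Added example, not from the original post. The content below is constructed;
in practice you would feed in the post_title/post_content columns exported
from the wp_posts table (database dump or WP-CLI export; assumption).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style tricks commonly used to keep injected links out of sight.
HIDING_STYLES = [
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
    re.compile(r"font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|%)?\s*(?:;|$)", re.I),
    re.compile(r"opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)", re.I),
    re.compile(r"text-indent\s*:\s*-\d{3,}", re.I),      # pushed far off-screen
    re.compile(r"(?:left|top)\s*:\s*-\d{3,}", re.I),      # absolute-positioned away
]


def style_hides(style: str) -> bool:
    """True if an inline style string contains a known hiding trick."""
    return any(p.search(style) for p in HIDING_STYLES)


class HiddenLinkFinder(HTMLParser):
    """Collects <a href> elements that are hidden themselves or sit inside a hidden ancestor."""

    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host.lower()
        self.stack = []      # (tag, hidden) for every element currently open
        self.findings = []

    def _inside_hidden(self) -> bool:
        return any(hidden for _, hidden in self.stack)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = ("hidden" in a) or style_hides(a.get("style") or "")
        if tag == "a" and (hidden or self._inside_hidden()):
            href = a.get("href") or ""
            host = (urlparse(href).hostname or "").lower()
            self.findings.append({
                "href": href,
                "external": bool(host) and host != self.site_host,
                "reason": "link hidden by style/attribute" if hidden
                          else "link inside hidden element",
            })
        self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates sloppy post markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def find_hidden_links(html: str, site_host: str) -> list:
    finder = HiddenLinkFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings


# Heuristic for the "odd characters in the title" symptom: control characters,
# U+FFFD replacement characters, or raw markup where a plain title belongs.
TITLE_JUNK = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\ufffd<>]")


def title_looks_tampered(title: str) -> bool:
    return bool(TITLE_JUNK.search(title))


def scan_posts(posts: list, site_host: str) -> list:
    """Return one report entry per post that has hidden links or a suspicious title."""
    report = []
    for post in posts:
        links = find_hidden_links(post["content"], site_host)
        bad_title = title_looks_tampered(post["title"])
        if links or bad_title:
            report.append({"id": post["id"], "title": post["title"],
                           "title_tampered": bad_title, "hidden_links": links})
    return report


# Constructed sample content: one clean page, one with injected links, one with a junk title.
SAMPLE_POSTS = [
    {"id": 1, "title": "Welcome",
     "content": '<p>Contact me via <a href="https://example-design.test/contact">the contact page</a>.</p>'},
    {"id": 2, "title": "Portfolio",
     "content": ('<p>Some of my recent work.</p>'
                 '<div style="display:none"><a href="http://spam-casino.invalid/">best casino</a>'
                 '<a href="http://pills.invalid/buy">cheap pills</a></div>'
                 '<p>Thanks for visiting<a href="http://seo-spam.invalid/" style="font-size:0px">x</a>!</p>'
                 '<p style="position:absolute;left:-9999px">Read <a href="http://another.invalid/">this</a></p>')},
    {"id": 3, "title": "About \ufffd\ufffd Me",
     "content": "<p>Nothing hidden here.</p>"},
]

if __name__ == "__main__":
    for entry in scan_posts(SAMPLE_POSTS, "example-design.test"):
        print(entry["id"], entry["title"], "title_tampered=%s" % entry["title_tampered"])
        for link in entry["hidden_links"]:
            print("   ", link["reason"], "->", link["href"])
```

Run it against a real export and any entry it prints is a post to open in the editor's HTML view. It only catches inline-style hiding; links hidden through a theme stylesheet or injected by PHP at render time need a look at the theme and plugin files themselves, which is why the steps above tell you to remove everything you are not using.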
That’s it. Again, I’m clearly not perfect and let one of my sites slip into dormant status and the result was I left it open and vulnerable and a hacker got in. So when I talk about WordPress security, and the steps needed to protect your blog, you know that I have first-hand experience. 😉
To YOUR Success,
P.S. Have you ever had your blog hacked? What did you have to do to fix it?