WordPress security has become a big issue in the past few weeks due to plugins found to contain backdoors: first a captcha plugin installed on 300,000+ sites acting as the point of entry, followed by three more this week. Mass brute-force attacks have been happening as well, making the need to secure your website as important as it will ever be.
Preventing attacks and fixing a hacked website is essential knowledge, and is more important now than ever with 2018 at hand. Here are a few ways you can safely protect your website and, in case it’s compromised, recover it.
Before You Get Hacked
Nothing beats being prepared – even Batman can defeat anyone with prep. There are a number of ways you can make sure you’re safe from backdoors and brute-force hacks.
Impenetrable Password Strength
Password strength is an important first step, and a strong password need not be hard for you to remember. A favourite reminder I give to friends is a witty XKCD panel on password strength. There’s no hacker in their right mind who will brute-force a password to your WordPress website by hand. There just isn’t. This is why length is more important than complexity.
Personally, my passwords for many of my accounts run from a minimum of 16 characters to an average of 36 characters, giving between 50.7 bits (for social accounts) and 142.5 bits (work and financial) of entropy. In context, it would take a desktop PC between 175,000 and 1 octillion years to brute-force my passwords.
Use words that only mean something to you – your favourite wine brand, your dog’s name, your mum’s birthday. Make it as long as you can comfortably manage.
Change the Admin Portal and Password
One of the favourite security gateways that many WordPress hackers try first is the admin password, together with the /wp-admin/ path for the login page. If you want to deter attacks at all, change the admin password (100% required) and move the login page to something less generic but still easy for you to remember.
By doing so, you’re removing the obvious doorway so that only you have a way in.
Updating Your WordPress ASAP
Many people may disagree with this notion, but updating as soon as updates are available should be a habit. Many security updates are patches for XSS vulnerabilities, which are a favourite hacking gateway for many black-hat hackers.
If you’re afraid that one of your more important plugins will stop working, regular backups to a secure cloud server or offline storage are the smart way to handle it.
Use Limit Login Attempt Plugins
Limit Login Attempts is one of the best security plugins for the WordPress platform. It’s a login protection plugin that only allows a certain number of login attempts from a given IP. It’s a simple lock and key for your website’s door.
It provides a customisable number of login attempts and can also limit login attempts made via auth cookies. It’s currently installed on more than 2 million sites across the platform.
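As an added illustration of what such a plugin does under the hood (example code written for this post, not Limit Login Attempts’ own), here is a small per-IP lockout in Python: after a set number of failures inside a time window the IP is locked out, and even a correct password is refused until the lockout expires. The attempt limits and lockout length are assumed values; the plugin’s defaults may differ.

```python
import time
from collections import defaultdict

class LoginThrottle:
    """Per-IP failed-login limiter in the spirit of Limit Login Attempts.

    `max_attempts` failures within `window` seconds lock the IP out for
    `lockout` seconds; a successful login clears the failure count.
    Constructed for this post, not the plugin's own code.
    """

    def __init__(self, max_attempts=4, window=600, lockout=1200, clock=time.time):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self.clock = clock                  # injectable so the logic can be tested offline
        self.failures = defaultdict(list)   # ip -> timestamps of recent failed logins
        self.locked_until = {}              # ip -> time at which the lockout expires

    def is_locked(self, ip):
        now = self.clock()
        if ip in self.locked_until:
            if now < self.locked_until[ip]:
                return True
            del self.locked_until[ip]       # lockout has expired, forget it
        return False

    def attempt(self, ip, credentials_ok):
        """Process one login attempt; returns 'locked', 'ok', 'fail' or 'locked_out'."""
        if self.is_locked(ip):
            return "locked"                 # rejected before the password is even checked
        if credentials_ok:
            self.failures.pop(ip, None)
            return "ok"
        now = self.clock()
        # keep only failures still inside the window, then add this one
        recent = [t for t in self.failures[ip] if now - t < self.window] + [now]
        if len(recent) >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout
            self.failures.pop(ip, None)
            return "locked_out"
        self.failures[ip] = recent
        return "fail"
```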
After You Get Hacked
Whilst it’s a sad reality, people get hacked all the time. Not everyone, but it can happen to some people at least once in their lives. Dealing with a hacked site is not as easy as simply restoring your site backup and moving on. This is how you deal with a successful hack on your site.
Finding The Problems
The first thing to do is check for any recent changes, additions and newly added plugins. A backdoor is any addition that lets hackers access your website at any time by bypassing authentication. These typically go unnoticed and can be exploited months after the attack.
The top priority for any persistent hacker is to add a backdoor that lets them back in once they’re kicked out. If you find any changes, remove them and run a WordPress auditor and theme checker plugin. These can pinpoint where the attacks are happening and which changes make you vulnerable.
Restoring Your Last Known Good Backup
Restore the latest, cleanest backup you have that contains most of your content. You may lose some content, especially if you keep a regular blog or recently added some pages. Weigh the pros and cons of doing a restore.
This can remove any existing backdoors and means less work for you.
Changing User Permissions
Check your user permissions. Make sure everything is in order and no new users have been added to your list. Delete any user whose origin you can’t account for.
Changing Passwords and Generating New Secret Keys
Change your passwords immediately and change your secret keys to invalidate any previous cookies the hacker may hold. This is especially important for brute-forced accounts, as any restore you do may let the hacker back into a previously compromised account.
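To rotate the eight keys in wp-config.php without fetching them over the network, here is an added Python example (not from the post): it rewrites every define('AUTH_KEY', ...) style line with a fresh 64-character secret and reports how many it changed. The sample config is constructed in the script with WordPress’s default placeholder values.

```python
import re
import secrets
import string

# The eight secrets WordPress uses to sign auth cookies and nonces; changing them
# invalidates every session cookie an attacker may still hold.
WP_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
           "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Characters that are safe inside a PHP single-quoted string (no ' or \).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_[]{}<>~+=,.;:/?|"

# Matches define('KEY', 'value') for any of the eight keys, with either quote style.
DEFINE_RE = re.compile(
    r"define\(\s*(['\"])(%s)\1\s*,\s*(['\"])(.*?)\3\s*\)" % "|".join(WP_KEYS))

def new_secret(length=64):
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def extract_keys(config_text):
    """Map key name -> current value for every WordPress key found in wp-config.php."""
    return {m.group(2): m.group(4) for m in DEFINE_RE.finditer(config_text)}

def rotate_salts(config_text):
    """Return (new_text, number_of_keys_replaced) with fresh 64-char secrets."""
    def replace(m):
        return "define('%s', '%s')" % (m.group(2), new_secret())
    return DEFINE_RE.subn(replace, config_text)

# Constructed wp-config.php fragment using the placeholders WordPress ships with.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    text, count = rotate_salts(SAMPLE_CONFIG)
    print("rotated %d keys" % count)
    print(text)
```

On a live site, read wp-config.php into `rotate_salts`, write the result back, and every existing login cookie stops validating.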
Conclusion
Almost any hack can be deterred by vigilance and smart data protection. It’s much better to put protections in place before you are even hacked. Only you can prevent hacks and espionage, so secure your website.
It’s like you read my brain! You may actually know so much about this, like you wrote the reserve in it or something. I think that you could do with some pics to drive the warning home a bit, but other than that, this is a fantastic blog. An excellent read. I’ll definitely be back.