Hacker attacks on WordPress sites are constant, persistent, increasing, ongoing, and pervasive. Without some level of protection, your site WILL be hacked.
No server can offer an ironclad guarantee against hacking, although so-called “Managed WordPress” services do a pretty good job. Many of these charge significantly more (as much as ten times more) than self-managed servers. As a developer, I prefer maximum configurability and site speed for minimum cost.
Many Managed WordPress hosting providers only permit one domain per account, and place restrictions on site file management. If you’ve got multiple sites, a hosting account allowing multiple add-on domains is a must. When you choose this type of account, you’ve assumed the responsibility for managing it, including guarding against hacker attacks.
Common security mistakes to avoid for self-hosted WordPress
- “admin” or “wp-admin” as a site username
- Short passwords
- Incorrect file permissions
- Old versions of WordPress
- “Orphan” (inactive) plugins
- Vulnerable or malicious plugins
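Several items on that list can be checked mechanically. The script below is an added example written for this page, not the post's own tooling and not anything from A2 Hosting; it audits a WordPress tree from the filesystem alone (core version, file modes, orphaned plugin directories) and builds a small constructed, deliberately flawed install to run against. The active plugin list and the target version are supplied by the caller, since the real ones live in the wp_options table and in the current WordPress release respectively.

```python
"""Filesystem audit for the self-hosted WordPress mistakes listed above.

Added example, not code from the original post. Checks the core version
in wp-includes/version.php against a caller-supplied target, flags
world-writable entries and an over-permissive wp-config.php, and lists
plugin directories absent from the caller-supplied active_plugins list.
"""
import os
import re
import stat
import tempfile

VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")

def read_wp_version(root):
    """Core version string from wp-includes/version.php, or None."""
    path = os.path.join(root, "wp-includes", "version.php")
    try:
        with open(path, encoding="utf-8") as fh:
            match = VERSION_RE.search(fh.read())
    except OSError:
        return None
    return match.group(1) if match else None

def version_tuple(ver):
    """'6.4.2' -> (6, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", ver))

def find_permission_problems(root):
    """(relative path, reason) for world-writable entries and for a
    wp-config.php that group or others can read (0600/0640 is the usual
    hardening target because it holds the database password)."""
    problems = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            rel = os.path.relpath(full, root)
            if mode & stat.S_IWOTH:
                problems.append((rel, "world-writable"))
            if name == "wp-config.php" and mode & (stat.S_IRGRP | stat.S_IROTH):
                problems.append((rel, "readable by group/others"))
    return sorted(problems)

def find_inactive_plugins(root, active_plugins):
    """Plugin directories on disk that no active_plugins entry
    ('dir/main-file.php') refers to: the 'orphan' plugins."""
    plugin_dir = os.path.join(root, "wp-content", "plugins")
    if not os.path.isdir(plugin_dir):
        return []
    active_dirs = {entry.split("/")[0] for entry in active_plugins}
    on_disk = [d for d in os.listdir(plugin_dir)
               if os.path.isdir(os.path.join(plugin_dir, d))]
    return sorted(d for d in on_disk if d not in active_dirs)

def audit(root, active_plugins, target_version):
    """Run every check and return the findings as a dict."""
    installed = read_wp_version(root)
    outdated = (installed is None
                or version_tuple(installed) < version_tuple(target_version))
    return {
        "installed_version": installed,
        "outdated": outdated,
        "permission_problems": find_permission_problems(root),
        "inactive_plugins": find_inactive_plugins(root, active_plugins),
    }

def build_sample_install(root):
    """Constructed, deliberately flawed WordPress tree used by demo().
    Modes are set explicitly so the result does not depend on umask."""
    for d in ["wp-includes", "wp-content", "wp-content/plugins",
              "wp-content/plugins/akismet", "wp-content/plugins/old-gallery",
              "wp-content/uploads"]:
        path = os.path.join(root, *d.split("/"))
        os.makedirs(path, exist_ok=True)
        os.chmod(path, 0o755)
    files = {
        "wp-includes/version.php": "<?php\n$wp_version = '4.9.8';\n",
        "wp-config.php": "<?php\ndefine('DB_PASSWORD', 'constructed');\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, 0o644)          # leaves wp-config.php readable by others
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)  # world-writable

def demo(target_version="6.5.0"):
    """Build the sample tree in a temp dir, audit it and return the findings.
    target_version is a constructed stand-in for the current release."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_install(tmp)
        return audit(tmp, ["akismet/akismet.php"], target_version)

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against a real install you would call `audit("/home/account/public_html", active_plugins, latest_release)` with the list read from the `active_plugins` option; anything it reports as an orphan should be deleted rather than merely deactivated, since an inactive plugin's PHP is still reachable on disk.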
One of our customers has 9 WordPress websites we migrated over from Network Solutions and consolidated into a single account on A2 Hosting. His account was hacked (Not A2’s fault!!). A2’s support tech said “this is a bad one.”
Avoidable Security Mistake Number One
Some of the sites were running WordPress versions that had not been updated for many years.
At the client’s direction, we had redesigned and updated 3 of them and left the rest alone.
Avoidable Security Mistake Number Two
The client insisted on the same login for all of the sites.
Result – a hacker got in, polluted every site in the account with obfuscated code, and created 2 link-spam posts advertising a golf equipment site in Canada and a hotel in the Middle East!
According to A2’s site scan, every php file in all the accounts was infected with malicious code.
Fortunately, A2’s cPanel has “Site Rewind,” an app that can restore a site to a date within the last 30 days.
The procedure to recover the sites was as follows:
- Delete all content, visible and invisible, in the public_html directory
- Use Site Rewind to replace the content with uninfected code (this took a few retries; it was not flawless and skipped some subdirectories)
- Replace all databases
- Change all passwords
- Install a login “fence” putting the admin login behind another URL.
- Put the WordPress login behind another URL, protecting it from bots scanning for default login pages
- Add “Captcha” verification to comments and site login
- Optimize site code through caching, compression and minification for maximum site speed.
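Because the restore tool skipped some subdirectories, it is worth confirming that no injected PHP survived before the sites go back online. The scanner below is an added example, not the post's code and not A2's site scan: it flags the textual indicators that usually accompany injected loaders (decoder calls feeding eval(), dynamic function calls, very long lines and base64 blobs), grades each file, and runs over three constructed sample files. A "suspicious" grade is a prompt for review, not a verdict; legitimate plugins do call base64_decode().

```python
"""Post-restore scan for obfuscated PHP in a WordPress tree.

Added example, not code from the original post. Grades each .php file
from textual indicators only; it does not execute anything.
"""
import os
import re
import tempfile

INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "assert_call": re.compile(r"\bassert\s*\("),
    "create_function": re.compile(r"\bcreate_function\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "decoder_call": re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\("),
    "variable_function": re.compile(r"\$\w+\s*\(\s*\$\w+"),   # $f($x) style call
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}
EXECUTORS = {"eval", "assert_call", "create_function", "variable_function"}
DECODERS = {"base64_decode", "decoder_call", "long_base64_literal"}

def scan_php_source(source):
    """Sorted list of indicator names present in one file's text."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(source)}
    if any(len(line) > 1000 for line in source.splitlines()):
        hits.add("long_line")        # injected loaders are often one huge line
    return sorted(hits)

def classify(hits):
    """Executor plus something to feed it is the strong signal; anything
    else is only worth a human look."""
    h = set(hits)
    if h & EXECUTORS and h & (DECODERS | {"long_line"}):
        return "likely-infected"
    if h:
        return "suspicious"
    return "clean"

def scan_tree(root):
    """Map relative path -> (grade, hits) for every .php file under root."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                hits = scan_php_source(fh.read())
            report[os.path.relpath(full, root)] = (classify(hits), hits)
    return report

def build_sample_tree(root):
    """Constructed files: a clean core file, a theme file with an injected
    loader on its first line, and a plugin that uses base64_decode for an
    ordinary purpose and therefore needs a human look."""
    blob = "Q" * 1100                   # stands in for an encoded payload
    samples = {
        "index.php":
            "<?php\ndefine('WP_USE_THEMES', true);\n"
            "require __DIR__ . '/wp-blog-header.php';\n",
        "wp-content/themes/demo-theme/functions.php":
            f"<?php eval(base64_decode(\"{blob}\")); ?>\n"
            "<?php\nadd_theme_support('title-tag');\n",
        "wp-content/plugins/demo-plugin/helper.php":
            "<?php\nfunction decode_payload($p) {\n"
            "    return json_decode(base64_decode($p), true);\n}\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

def demo():
    """Build the constructed tree in a temp dir and return its scan report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)

if __name__ == "__main__":
    for rel, (grade, hits) in sorted(demo().items()):
        print(f"{grade:16} {rel}  {', '.join(hits)}")
```

Anything graded likely-infected should be replaced from a known-clean copy rather than edited by hand; the scan is a cross-check on the restore, not a cleaning tool.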
Lesson learned: Make sure you and your client understand the potential consequences and cost of inadequate site maintenance and security practices.
Advice?
Get the benefit of a developer with experience dealing with hacked sites and their restoration.
Get a proactive assessment of your site’s setup and likely security vulnerabilities.
Act now. It’s cheaper than after you’re hacked.