I received a disturbing email from my host last summer. Maybe you did too.
It read like this:
Upon investigating, I learned that MailPoet is part of the WYSIJA newsletter installation, which I did have on an old, inactive site on my host server. I deleted the plugin as recommended, and read further into the issue.
In the article A Rough Weekend in WordPress Security, I learned that another of my plugins was affected too. In this current day of mobile responsive themes and mobile sites, many of us have newer, updated WordPress themes. They adjust automatically, based on what type of device and screen size the reader is using. My main blog was not one of these.
I did not yet have a mobile responsive theme on that site, so I had been using the WPTouch plugin for several years. It does what the newer themes do for you, enabling site visitors to have a better browsing experience while using a phone or tablet. Until that day, because I deleted that plugin too.
I should note here that I wrote this post in July 2014, and am updating it now in April 2015. The affected plugins have been updated and are no longer vulnerable like they were at the time. This post is strictly for educational purposes, to help you avoid being the victim of a hack.
There are several ways you can protect your WordPress site from being vulnerable to attacks and security leaks:
1. Keep your WordPress installation updated to the current version.
This is your first line of defense. WordPress is constantly fixing security holes and other weaknesses that leave it open to hackers. Keeping it updated means those known holes are closed on your site before someone gets the chance to use them against you.
2. Use secure passwords.
I can’t stress enough how important it is to use passwords that are not easy to guess! Any hacker running password guessing software can probably figure out your password and gain entry to not only your site, but also your host account. I wrote more here about strong passwords.
3. Update your plugins and themes.
All of them. Even the ones you have that are inactive. Plugins are updated for two main reasons: To make them compatible with the current WordPress version, and to fix security leaks. You want everything updated to current, to save you headaches later.
4. Delete inactive plugins.
This might sound odd after #2, but think about it this way: Every plugin is like a little computer program, and hackers try to find ways to break into programs. If a hacker finds an opening in a certain plugin, he can use that to gain entrance to your site or your server installation.
If you don’t need it for the everyday functionality of your site, DELETE IT. You can always download it again later if, for example, you want to run Broken Link Checker and spend the day fixing broken links. When you’re done, delete it.
5. Install a security plugin.
This is the first thing I install on a fresh WordPress installation, after Akismet. I used Wordfence for about five years, until it went haywire on me. I switched to Sucuri and I’ve been very happy with it. A security plugin will prevent someone (or some-bot) from gaining access to your site through the log-in screen. It will also notify you of failed login attempts.
Another good plugin for this is called Limit Login Attempts. I like Sucuri though because it just takes care of things and I don’t have to think much about it. I did, however, reinstall the new version of Wordfence just recently because I like the control it allows me to have.
6. If someone contacts you saying that Chrome blocked your site with a hacking warning, take it seriously.
A friend of mine received several emails from different people saying that Chrome was reporting her site had been hacked, yet she was able to access it without any issues at all. She finally checked it from another computer, and got the same warning/blocked page notification that others had told her about. She called her hosting company, and after a very long time and multiple phone calls, they were able to uncover a whole Chinese spam site that had been installed inside of her host account.
Someone had been running a massive website right underneath her “little ol’ blog”. They had left her blog alone and intact. It took a couple of months for them to get to the bottom of the problem and clean out her account. She was instructed to change all of her passwords to strong, secure passwords because they think her password was guessed using bot software. Take these notifications seriously if you get them!
The most important thing is that you are aware of what is happening on your website.
Have you ever been hacked?