This past Friday I came into work at my day job to find the dev site I had been working on for about two months was completely down. A novice at WordPress and especially PHP, I did not set up my WordPress site the way I should have. Since WordPress is such a popular CMS, it is the target of many hackers, especially eCommerce sites, where customers are bound to enter sensitive personal information at some point in their visit.
Before I even started, I should have made sure a few preventative measures were in place. Hindsight is always 20/20, and this has certainly been a learning experience! This is a case of “the best offense is a good defense.” Set up a good defense, make your site secure, and you will not have to worry about cleaning up the mess (like I had to). First I will cover the preventative measures you should take as a developer, and then I will get into what I had to do to clean my site of all malware.
1. Look into how WordPress friendly your hosting service is.
WordPress itself recommends Bluehost, DreamHost and Laughing Squid. Check out the documentation here: https://wordpress.org/hosting/. Though not personally experienced with WPengine, I have worked with people who swear by it. They say they have never had a client hacked on that platform.
That isn’t to say you have to use any of those providers. They are just a few suggestions. Your current provider may be WordPress friendly. Reach out to their sales or support and ask how easy it is to install WordPress on their platform, and what preventative security measures they have in place. As a developer it is mainly your responsibility to lock down your site, but it is nice to know your hosting provider has your back. They should save a backup copy of your site files and your database every day (WordPress keeps posts, users and settings in MySQL, not in files), so if the worst case scenario happens, they can revert to an older version of the site, one from before the malware took its course. Ask how far back the backups go: a daily backup is only useful if you notice the compromise before the clean copies have been rotated out.
2. When setting up your WordPress CMS, do not use the username “admin”
Older WordPress versions created the user “admin” by default, and many sites still run with it because few bother to change it. That is why it is so often the first username that hackers and their malicious bot minions try. Create a unique username along with a strong password. Keep in mind that a unique username is only a speed bump: WordPress exposes author usernames in author archive URLs and through the REST API, so the strong password and the login limit below are what actually stop a guessing attack.
Once the account is created, put a limit on how many failed login attempts a client is allowed. WordPress itself has no such setting, so this takes a plugin (Wordfence, covered below, includes brute-force protection) or a few lines of your own code. Without a limit, hackers point bots at the login form and let them try username and password combinations indefinitely, at machine speed, until one works, without lifting a finger themselves. The limit has to cover xmlrpc.php as well as wp-login.php, because the XML-RPC interface accepts the same credentials.
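One way to add that limit without a plugin is a must-use plugin that counts failures per client address and refuses further logins once the count is reached. The following is an added example written for this post, not code from WordPress, Wordfence or any other plugin; the five-attempt limit, the fifteen-minute window and the `example_` helper names are assumptions made for the example.

```php
<?php
/**
 * Plugin Name: Example Login Lockout
 *
 * Added example for this post, not code from WordPress or from any plugin.
 * Save as wp-content/mu-plugins/example-login-lockout.php; files in that
 * directory load automatically and cannot be disabled from the dashboard.
 *
 * Failed logins are counted per client IP in a WordPress transient. Once
 * the count reaches the limit, the "authenticate" filter returns an error
 * for every attempt, so even a correct password is refused until the
 * window expires. The limit and window below are assumptions for the
 * example, not WordPress settings.
 */

const EXAMPLE_LOCKOUT_MAX_FAILURES = 5;
const EXAMPLE_LOCKOUT_WINDOW       = 15 * MINUTE_IN_SECONDS;

function example_lockout_client_ip() {
    // Use REMOTE_ADDR only. X-Forwarded-For is attacker-controlled unless a
    // reverse proxy in front of the site is known to overwrite it.
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_lockout_key() {
    return 'example_lockout_' . md5(example_lockout_client_ip());
}

// Count a failure. wp_login_failed fires for wp-login.php and xmlrpc.php alike.
add_action('wp_login_failed', function ($username) {
    $key      = example_lockout_key();
    $failures = (int) get_transient($key);
    // Each failure restarts the window, so a bot that keeps hammering stays locked.
    set_transient($key, $failures + 1, EXAMPLE_LOCKOUT_WINDOW);
});

// Refuse authentication while locked out. Priority 30 runs after the core
// username/password handlers (priority 20); returning WP_Error here discards
// any WP_User they produced, which is what makes the lockout effective.
add_filter('authenticate', function ($user, $username, $password) {
    if (empty($username)) {
        return $user;   // nothing was attempted; let core report the empty field
    }
    $failures = (int) get_transient(example_lockout_key());
    if ($failures >= EXAMPLE_LOCKOUT_MAX_FAILURES) {
        return new WP_Error(
            'example_locked_out',
            sprintf('Too many failed logins. Try again in %d minutes.',
                    EXAMPLE_LOCKOUT_WINDOW / MINUTE_IN_SECONDS)
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that address.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(example_lockout_key());
}, 10, 2);
```

Two trade-offs worth knowing before relying on this: keying on the client IP means an office behind one NAT address is locked out together, and an attacker spreading attempts across many addresses stays under the per-address limit, which is why a per-username counter is often added alongside it. Transients live in the options table unless an object cache is configured, so the counters cost one database write per failed login.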
3. Install some plugins that prevent attacks, and scan for malware.
Wordfence is one of the most widely used and highly rated security plugins out there. Its free version includes a web application firewall, a malware scanner and brute-force login protection; the paid tier receives new firewall rules and malware signatures sooner. It does not only clean up infections, it helps stop them from happening in the first place.
Sucuri’s plugin will run scans for you, keep an audit log of changes on the site, and send you notifications. Install both Wordfence and Sucuri for extra security oomph; the two do not conflict, since the free Sucuri plugin monitors rather than filters traffic.
4. Put Captcha on all of your forms.
This is important. A lot of business owners/marketing professionals seem really opposed to this in my experience, because it’s so hard to get a user to fill out a form in the first place, why make it harder? They fear this will affect leads. I won’t get into the anatomy of forms and leads here, but I will say that captcha is a very effective security measure.
Bots fill in text fields with spam links and injection payloads and submit forms over and over and over again, probing for a form handler that does not validate its input. A human check does not replace input validation, but it stops the cheap, high-volume submissions. There are a few ways to verify whether or not an actual human is submitting the form; here are a few options:
- Traditional Captcha – you know, the annoying “type what you see here” and it’s a bunch of squiggly letters.
- Timed submission – Force users to wait 10 seconds before they are able to submit a form. This allows enough time for them to type out/select their responses, but a bot will not be able to submit instantly. The check has to be enforced on the server (record when the form was issued and compare on submit); a timer that only lives in the page’s JavaScript is skipped by a bot that posts straight to the handler.
- Simple math equations – Ask a user to supply the answer to something like 8 – 2 = ?
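The timed submission and the math question can be enforced on the server without keeping any session state, by handing the browser a token that commits to the issue time and the expected answer. The following is an added example written for this post, not code from WordPress or any form plugin; `FORM_SECRET`, the 10-second minimum, the one-hour maximum and the `form_challenge_*` function names are assumptions made for the example.

```php
<?php
// Added example for this post, not code from WordPress or any plugin. It
// implements the "timed submission" and "simple math equation" checks above
// without server-side session state: the server hands the browser a token
// that commits to the issue time and the expected answer, and verifies both
// when the form comes back. FORM_SECRET, the 10-second minimum and the
// one-hour maximum are assumptions for the example.

const FORM_SECRET      = 'replace-with-32-random-bytes-from-random_bytes()';
const FORM_MIN_SECONDS = 10;     // a human needs at least this long to fill the form
const FORM_MAX_SECONDS = 3600;   // after this the token is stale and must be reissued

function form_challenge_mac($issued, $nonce, $answer) {
    return hash_hmac('sha256', "$issued|$nonce|$answer", FORM_SECRET);
}

/**
 * Call when rendering the form. Put 'question' next to an answer field and
 * 'token' in a hidden field. The answer itself never leaves the server:
 * the MAC covers it, so the client cannot recover it from the token.
 */
function form_challenge_issue($now = null) {
    $now    = $now ?? time();
    $a      = random_int(2, 9);
    $b      = random_int(1, $a);           // answer stays >= 1
    $answer = $a - $b;
    $nonce  = bin2hex(random_bytes(8));    // makes every token unique
    $mac    = form_challenge_mac($now, $nonce, $answer);
    return [
        'question' => "$a - $b = ?",
        'token'    => "$now.$nonce.$mac",
    ];
}

/**
 * Call on submit. Returns null when the submission passes, otherwise a short
 * reason suitable for logging (do not echo it back to the client verbatim).
 */
function form_challenge_verify($token, $answer_given, $now = null) {
    $now   = $now ?? time();
    $parts = explode('.', (string) $token);
    if (count($parts) !== 3 || !ctype_digit($parts[0])) {
        return 'malformed-token';
    }
    [$issued, $nonce, $mac] = $parts;

    // Recompute the MAC with the answer the client supplied. A wrong answer,
    // a forged timestamp or a tampered nonce all fail here. hash_equals()
    // keeps the comparison constant-time.
    $answer = trim((string) $answer_given);
    if ($answer === '' || !ctype_digit($answer)
        || !hash_equals(form_challenge_mac($issued, $nonce, (int) $answer), $mac)) {
        return 'wrong-answer-or-tampered-token';
    }

    // Only now is the timestamp trustworthy, so apply the timing rules.
    $elapsed = $now - (int) $issued;
    if ($elapsed < FORM_MIN_SECONDS) {
        return 'submitted-too-fast';
    }
    if ($elapsed > FORM_MAX_SECONDS) {
        return 'token-expired';
    }
    return null;
}

// Usage sketch: on GET render the challenge, on POST verify it.
// $c = form_challenge_issue();  // show $c['question'], hidden field holds $c['token']
// $reason = form_challenge_verify($_POST['token'] ?? '', $_POST['answer'] ?? '');
// if ($reason !== null) { http_response_code(400); exit; }
```

Because the token is stateless, a token and correct answer captured once can be replayed until the one-hour expiry; if that matters for the form in question, record used nonces (a transient or a small table keyed by nonce) and reject repeats. The question is deliberately easy for people, so this filters out generic form-spamming bots, not an attacker who is willing to script a solver for your site specifically.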
5. Update all of your themes and plugins when updates are available.
Keep your customizations out of the theme and plugin files themselves, so that updating never means losing your work. Use a child theme for template overrides and custom CSS rather than editing the parent theme: if you put your styles in the child theme’s own style.css instead of the parent theme’s main style.css, for example, the next time you install the theme’s update you won’t lose all of your CSS! A site whose owner is afraid to update because an update wipes out customizations is a site that stays unpatched.
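The smallest child theme that does this is a directory with a style.css header and a functions.php that loads the parent’s stylesheet before the child’s. The following is an added example written for this post, not the post’s own code or code from any theme; the directory name `example-child` and the parent theme `twentytwentyone` are assumptions made for the example.

```php
<?php
// Added example for this post, not the post's own code. A minimal child
// theme keeps custom CSS and template overrides out of the parent theme's
// files, so parent updates can be applied without losing anything.
//
// 1. Create wp-content/themes/example-child/style.css containing only a
//    header; the Template line is the parent theme's directory name
//    ("twentytwentyone" and "example-child" are assumptions here):
//
//        /*
//         Theme Name: Example Child
//         Template:   twentytwentyone
//        */
//
// 2. Save this file as wp-content/themes/example-child/functions.php and
//    activate "Example Child" under Appearance > Themes. Templates copied
//    into example-child/ (single.php, header.php, ...) override the parent's
//    copy; templates you do not copy still come from the parent and still
//    receive its updates. Put your CSS in the child's style.css.

add_action('wp_enqueue_scripts', function () {
    $theme  = wp_get_theme();   // the active (child) theme
    $parent = $theme->parent(); // WP_Theme of the parent, or false

    // Parent stylesheet first; get_template_directory_uri() points at the
    // parent theme's directory.
    wp_enqueue_style(
        'parent-style',
        get_template_directory_uri() . '/style.css',
        [],
        $parent ? $parent->get('Version') : null
    );

    // Child stylesheet after it, declared as depending on the parent's, so
    // the child's rules win on equal specificity. get_stylesheet_uri()
    // points at the child theme's style.css.
    wp_enqueue_style(
        'child-style',
        get_stylesheet_uri(),
        ['parent-style'],
        $theme->get('Version')
    );
});
```

The version strings are passed so browsers fetch fresh CSS after an update instead of serving a cached copy. The same separation applies to plugins: never patch a plugin’s files directly, because the next update silently reverts the patch.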
Keeping your WordPress version, themes and plugins up to date is important. New releases do not only fix bugs and styling; they also close security holes the developers found and patched. Once a fix is released, the vulnerability it patches is public too, and sites that have not updated are the ones the bots go looking for. Do not skip this step!
Next: Part 2 of WordPress and Hacking: How to fix and prevent a hack