As many of you know, I woke up on Sunday morning and Life Without Pants was missing. Not only was WordPress attacked, my database files were hacked courtesy of some fools over in Saudi Arabia. Needless to say I was upset and frustrated, but LUCKILY, with the help of a good friend, I was able to recover (most of) what was lost.
Hackers are devious little bastards, and there’ll always be a loophole here or there that you may not have thought of – but there’s a lot you can do to beef up your security – and if you have been attacked – keep it from happening again.
Here are just a few nuggets of wisdom – things I am doing to help protect my site and hopefully prevent an attack like what I experienced yesterday from happening again.
Keep your WordPress and Plugins Updated
From experience – this is one of the most important things I’ve learned that you MUST do. It’s annoying that WordPress sends an update (seemingly) every other day – but it’s imperative that when an update comes through, you take a minute or two to update your site. The same goes for plug-ins – make sure you are keeping these current as well. Old plug-ins and WordPress installs are much easier to crack into, so make sure you keep everything up to date.
If you’re experiencing some issues updating WordPress – deactivate all of your plugins, install the update – then reactivate your plugins.
Back up your site (and do it often)
Probably the single most important thing you can (and should) be doing is regularly backing up your WordPress content AND database. You can manually “export” your entire WordPress dashboard by going to Tools – Export. With the click of the mouse, you can back up all of your files, posts, comments, etc. Simply put, if I didn’t have a backup for my database and WordPress content, none of this would be here right now.
Your host SHOULD provide a backup for you, but it may be somewhat dated (for example my backup dated back to early January) – take it upon yourself to do this manually – or use a plugin such as WP-DB-Backup, which allows you to schedule automatic backups daily/weekly/etc. Do this, and do it often. It will save your ass in times of crisis.
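If you would rather not depend on the host’s stale copy or on a plugin running inside WordPress, the same two things (database dump plus wp-content archive) can be taken from a cron job on the server. The script below is an added example written for this post, not code from WP-DB-Backup or WordPress; it assumes the install lives at the hypothetical `WP_ROOT`, that `mysqldump` is on PATH, and that `wp-config.php` holds the usual `define('DB_NAME', ...)` lines, which it reads so the credentials never have to be copied into a second file.

```python
"""Scripted WordPress backup: mysqldump of the database plus a tar.gz of
wp-content, both timestamped so old copies are never overwritten.
Added example; WP_ROOT and BACKUP_DIR are placeholder paths."""
import datetime
import os
import re
import subprocess
import tarfile

WP_ROOT = "/var/www/html"             # hypothetical install location
BACKUP_DIR = "/var/backups/wordpress"  # keep this OUTSIDE the web root

# Matches define('DB_NAME', 'value') with either quote style and loose spacing.
_DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_[A-Z]+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def parse_wp_config(text):
    """Return the DB_* constants found in the contents of wp-config.php."""
    return {name: value for name, value in _DEFINE_RE.findall(text)}


def backup_names(now):
    """Timestamped file names for the SQL dump and the wp-content archive."""
    stamp = now.strftime("%Y%m%d-%H%M%S")
    return f"db-{stamp}.sql", f"wp-content-{stamp}.tar.gz"


def mysqldump_argv(cfg):
    """Build the mysqldump command line from the parsed config.
    The password is NOT put on the command line (it would show up in `ps`);
    run_backup passes it through the MYSQL_PWD environment variable instead."""
    argv = ["mysqldump", "--single-transaction", "--user=" + cfg["DB_USER"]]
    host = cfg.get("DB_HOST", "localhost")
    if ":" in host:                      # wp-config allows host:port
        host, port = host.split(":", 1)
        argv.append("--port=" + port)
    argv.append("--host=" + host)
    argv.append(cfg["DB_NAME"])
    return argv


def run_backup(wp_root=WP_ROOT, backup_dir=BACKUP_DIR, now=None):
    """Dump the database and archive wp-content; returns the two file paths."""
    now = now or datetime.datetime.now()
    with open(os.path.join(wp_root, "wp-config.php")) as fh:
        cfg = parse_wp_config(fh.read())
    os.makedirs(backup_dir, mode=0o700, exist_ok=True)
    sql_name, tar_name = backup_names(now)
    sql_path = os.path.join(backup_dir, sql_name)
    tar_path = os.path.join(backup_dir, tar_name)
    env = dict(os.environ, MYSQL_PWD=cfg["DB_PASSWORD"])
    with open(sql_path, "wb") as out:
        subprocess.run(mysqldump_argv(cfg), env=env, stdout=out, check=True)
    with tarfile.open(tar_path, "w:gz") as tar:
        tar.add(os.path.join(wp_root, "wp-content"), arcname="wp-content")
    os.chmod(sql_path, 0o600)   # the dump contains every post, user hash, etc.
    os.chmod(tar_path, 0o600)
    return sql_path, tar_path


if __name__ == "__main__":
    print(run_backup())
```

Schedule it with cron (`0 3 * * * python3 /usr/local/bin/wp_backup.py`) and copy the resulting files off the server; a backup that sits next to the site gets wiped in the same attack that wipes the site.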
Use strong passwords (and change them up from time to time)
Strong passwords mix upper and lowercase letters, symbols, and numbers – and are usually around 10 characters. The more random, the better – don’t use birthdays or words that are easy to guess. Come up with a random combination and write it down somewhere. Also, use different passwords across the board – don’t have ONE password for every login (WordPress, FTP, SQL, etc) – you want to do EVERYTHING you can to make things more difficult for someone trying to hack your site.
Don’t go overboard with plugins
I may sort of contradict this bit of advice by recommending some security plugins below, but you really don’t want to go overboard with installing plugins. 1) They create extra pathways for hackers to pass through (especially if you don’t keep them up-to-date) and 2) they can really slow down your site. If it’s not critical, get rid of it. You may lose out on some “cool” functionality but SAFE > cool.
Know smart people
Sometimes, all of the security in the world still isn’t enough. Sometimes, you just have to know the right people (or person) that can come through in the clutch and save your ass when assholes feel like trashing your site. For me, time and time again this has been Andrew Norcross – someone I consider a good friend, and, even though I probably bug the shit out of him sometimes, has always been around when an issue or problem arises. I’m good at some things, but navigating through files and folders, tampering with core source files – that’s not my forte. Knowing someone who can help weather the storm when shit hits the fan can go a long, long way (just make sure you’re not taking advantage of them).
Some other useful plugins/resources
Login Lockdown: Login Lockdown will track the IP address of every failed login attempt to your WP dashboard and will “block” that IP address from logging in after several failed attempts.
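To make concrete what a plugin like that has to do, here is the same idea in a few dozen lines of Python. It is an added example for this post, not Login Lockdown’s code: it replays web-server access-log lines (the sample lines are constructed, using documentation IP ranges), counts failed POSTs to wp-login.php per IP inside a sliding window, and locks the IP out once the count hits the limit. It assumes WordPress answers a failed login with HTTP 200 (the form is re-rendered) and a successful one with a 302 redirect; the thresholds are made-up defaults.

```python
"""Per-IP failed-login lockout in the spirit of the Login Lockdown plugin.
Added example; thresholds and the 200/302 heuristic are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 3                 # lock after this many failures ...
WINDOW = timedelta(minutes=5)    # ... inside this window ...
LOCKOUT = timedelta(minutes=60)  # ... and keep the IP locked this long

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


class LoginLockdown:
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> datetime the lock expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        return until is not None and now < until

    def record(self, ip, when, failed):
        """Feed one wp-login.php POST; returns True if the IP is locked afterwards."""
        if self.is_locked(ip, when):
            return True                     # already locked: nothing to count
        if not failed:
            self.failures.pop(ip, None)     # a real login clears the counter
            return False
        recent = self.failures[ip]
        recent.append(when)
        while recent and when - recent[0] > WINDOW:
            recent.popleft()                # forget failures outside the window
        if len(recent) >= MAX_FAILURES:
            self.locked_until[ip] = when + LOCKOUT
            return True
        return False


def process_log(lines):
    """Replay access-log lines; return {ip: lock_expiry} for every IP that got locked."""
    guard = LoginLockdown()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        guard.record(m["ip"], when, failed=(m["status"] == "200"))
    return dict(guard.locked_until)


# Constructed sample: one IP hammering the login form, one legitimate user.
SAMPLE_LOG = [
    '203.0.113.9 - - [07/Mar/2010:08:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412',
    '203.0.113.9 - - [07/Mar/2010:08:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412',
    '198.51.100.4 - - [07/Mar/2010:08:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 3100',
    '198.51.100.4 - - [07/Mar/2010:08:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.9 - - [07/Mar/2010:08:00:31 +0000] "POST /wp-login.php HTTP/1.1" 200 3412',
    '203.0.113.9 - - [07/Mar/2010:08:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]

# Constructed sample: three failures, but ten minutes apart, so never three in one window.
SAMPLE_LOG_SLOW = [
    '203.0.113.50 - - [07/Mar/2010:08:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412',
    '203.0.113.50 - - [07/Mar/2010:08:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412',
    '203.0.113.50 - - [07/Mar/2010:08:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412',
]

if __name__ == "__main__":
    print("locked:", process_log(SAMPLE_LOG))        # 203.0.113.9 only
    print("locked:", process_log(SAMPLE_LOG_SLOW))   # nothing
```

The second sample shows the edge case worth testing before trusting any lockout rule: slow, spaced-out guessing never trips a window-based counter, which is exactly why the strong-password advice above still matters even with a lockout plugin installed.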
WordPress File Monitor: This plugin will alert you of any added/deleted/changed files by sending you an email notification every time there is activity.
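The core of a file monitor is a hash baseline of the install compared against a fresh scan; the script below is an added example of that, not WordPress File Monitor’s code. It walks a directory, stores SHA-256 digests as JSON, and on the next run reports added, removed and changed files; `demo()` builds a tiny constructed install in a temporary directory and tampers with it so the report can be seen without a real site.

```python
"""File-integrity baseline for a WordPress tree. Added example, not the
plugin's code. Keep the baseline file OUTSIDE the web root: if the site
directory is compromised, a baseline stored inside it can be rewritten too."""
import hashlib
import json
import os
import tempfile


def snapshot(root):
    """Map relative path -> sha256 hex digest for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Three sorted change lists: paths added, removed, or whose hash differs."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline
                          if p in current and baseline[p] != current[p]),
    }


def check(root, baseline_file):
    """Compare root against the stored baseline; on the first run write the
    baseline and return None. Otherwise return the change report (which is
    what a cron job would e-mail out when any list is non-empty)."""
    current = snapshot(root)
    if not os.path.exists(baseline_file):
        with open(baseline_file, "w") as fh:
            json.dump(current, fh, indent=1, sort_keys=True)
        return None
    with open(baseline_file) as fh:
        baseline = json.load(fh)
    return compare(baseline, current)


def demo():
    """Constructed scenario: a three-file fake install, then one plugin file
    modified, one unexpected PHP file dropped in, one file deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "site")
        os.makedirs(os.path.join(root, "wp-content", "plugins", "demo"))
        fake_files = {
            "index.php": b"<?php require 'wp-blog-header.php';",
            "wp-content/plugins/demo/demo.php": b"<?php // demo plugin v1",
            "wp-content/uploads.txt": b"placeholder",
        }
        for rel, body in fake_files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        baseline_file = os.path.join(tmp, "baseline.json")  # outside the site tree
        assert check(root, baseline_file) is None           # first run writes baseline
        # the kind of changes the monitor should flag
        with open(os.path.join(root, "wp-content/plugins/demo/demo.php"), "wb") as fh:
            fh.write(b"<?php // demo plugin v1 -- edited after baseline")
        with open(os.path.join(root, "wp-content/plugins/demo/extra.php"), "wb") as fh:
            fh.write(b"<?php // file that was not there before")
        os.remove(os.path.join(root, "wp-content/uploads.txt"))
        return check(root, baseline_file)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Expect noise right after a legitimate WordPress or plugin update (every touched core file shows as changed); re-baseline immediately after an update you performed yourself, and treat changes you did not make, especially new .php files under wp-content/uploads, as the alert.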
WP Security Scan: This plugin scans your WordPress installation for security vulnerabilities and suggests corrective actions.
Find more useful information on keeping your WordPress-based site safe with this informative Slideshare presentation.
(P.S. MUCH thanks to everyone who reached out and expressed concern/offered support while my site was down)