Five Ways to Keep Your WordPress Blog Safe(r)

As many of you know, I woke up on Sunday morning and Life Without Pants was missing. Not only was WordPress attacked, my database files were hacked courtesy of some fools over in Saudi Arabia. Needless to say I was upset and frustrated, but LUCKILY, with the help of a good friend, I was able to recover (most) of what was lost.

Hackers are devious little bastards, and there'll always be a loophole here or there that you haven't thought of – but there's a lot you can do to beef up your security, and if you have been attacked, to keep it from happening again.

Here are just a few nuggets of wisdom – things I am doing to help protect my site and hopefully prevent an attack like what I experienced yesterday from happening again.

Keep your WordPress and Plugins Updated

From experience, this is one of the most important things I've learned that you MUST do. It's annoying that WordPress sends an update (seemingly) every other day, but when one comes through, take a minute or two to apply it. The same goes for plugins: keep these current as well. Old WordPress installs and plugins are much easier to break into, because once a security fix ships, the hole it closes is public knowledge, and people scan the web for sites that haven't applied it yet.

If you're having trouble updating WordPress, deactivate all of your plugins, install the update, then reactivate them. Take a backup first (see the next section), so that an update that goes wrong is an inconvenience rather than a second outage.

Back up your site (and do it often)

Probably the single most important thing you can (and should) be doing is regularly backing up your WordPress content AND database. The built-in export (Tools – Export) gives you, with one click, an XML file of your posts, pages, comments, categories and tags. Note what it does NOT contain: your theme, plugin files and uploaded images live in the wp-content folder, and your settings and users live in other parts of the database, so an export is a content backup, not a full one. Simply put, if I didn't have a backup of my database and WordPress content, none of this would be here right now.

Your host SHOULD provide a backup for you, but it may be somewhat dated (mine went back to early January), so take it upon yourself to do this, either manually or with a plugin such as WP-DB-Backup, which lets you schedule automatic database backups daily, weekly, etc. Wherever the backups come from, keep a copy somewhere other than the web server itself: whoever gets into your site can delete a backup that sits next to it. Do this, and do it often…It will save your ass in times of crisis.
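As an added example, not code from the original post or from the WP-DB-Backup plugin, here is a small script that does both halves of the job on a self-hosted install (wordpress.com hosting doesn't give you this access): it reads the database credentials out of wp-config.php, dumps the database with mysqldump, and tars wp-content and wp-config.php into a timestamped archive. WP_ROOT and BACKUP_DIR are placeholder paths to change for your host. It is also the sensible thing to run just before applying the updates described above.

```python
"""Back up a self-hosted WordPress site: database dump plus a wp-content archive.

Added example, not code from the original post. Assumes a standard self-hosted
install (wp-config.php in WP_ROOT) and mysqldump available on PATH.
"""
import datetime
import os
import pathlib
import re
import subprocess
import tarfile

# Placeholder paths: change these for your host. BACKUP_DIR should be somewhere
# the web server's user cannot write, and the files copied off the box afterwards.
WP_ROOT = pathlib.Path("/var/www/html")
BACKUP_DIR = pathlib.Path("/home/me/wp-backups")

# Matches lines such as:  define('DB_NAME', 'wordpress');
_DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_(?:NAME|USER|PASSWORD|HOST))['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""
)


def parse_wp_config(text):
    """Return the DB_NAME/DB_USER/DB_PASSWORD/DB_HOST defines from wp-config.php source."""
    creds = dict(_DEFINE_RE.findall(text))
    missing = {"DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST"} - set(creds)
    if missing:
        raise ValueError("wp-config.php is missing " + ", ".join(sorted(missing)))
    return creds


def dump_database(creds, out_path):
    """Run mysqldump into out_path. The password goes in through the MYSQL_PWD
    environment variable rather than on the command line, so other users on the
    host cannot read it out of `ps`."""
    env = dict(os.environ, MYSQL_PWD=creds["DB_PASSWORD"])
    with open(out_path, "wb") as fh:
        subprocess.run(
            ["mysqldump", "--single-transaction", "-h", creds["DB_HOST"],
             "-u", creds["DB_USER"], creds["DB_NAME"]],
            stdout=fh, env=env, check=True,
        )
    return out_path


def archive_files(wp_root, out_path):
    """Tar wp-content (themes, plugins, uploads) and wp-config.php; return the member names."""
    wp_root = pathlib.Path(wp_root)
    with tarfile.open(out_path, "w:gz") as tar:
        for name in ("wp-content", "wp-config.php"):
            src = wp_root / name
            if src.exists():
                tar.add(src, arcname=name)
    with tarfile.open(out_path, "r:gz") as tar:
        return tar.getnames()


def run_backup(wp_root=WP_ROOT, backup_dir=BACKUP_DIR):
    """Produce db-<stamp>.sql and files-<stamp>.tar.gz in backup_dir."""
    backup_dir = pathlib.Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    creds = parse_wp_config((pathlib.Path(wp_root) / "wp-config.php").read_text())
    sql_path = dump_database(creds, backup_dir / f"db-{stamp}.sql")
    tgz_path = backup_dir / f"files-{stamp}.tar.gz"
    archive_files(wp_root, tgz_path)
    return sql_path, tgz_path


if __name__ == "__main__":
    for produced in run_backup():
        print("wrote", produced)
```

Run it from cron on whatever schedule you'd pick in the plugin, then copy the two files to another machine; a backup you have only tested by looking at its file size is not yet a backup, so restore one into a scratch database now and then.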

Use strong passwords (and change them up from time to time)

Strong passwords mix upper and lowercase letters, symbols, and numbers, and length counts for more than cleverness: around 10 characters is a floor, not a target, and longer is better. The more random, the better – don't use birthdays, your name, your blog's name, or words that are easy to guess. Come up with a random combination and keep it in a password manager (or written down somewhere that isn't next to your computer). Also, use different passwords across the board – don't have ONE password for every login (WordPress, FTP, SQL, etc.), because one leaked password then opens everything. While you're at it, use SFTP rather than plain FTP if your host offers it; FTP sends your password across the wire in the clear. You want to do EVERYTHING you can to make things more difficult for someone trying to hack your site.
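Since "random" is doing a lot of work in that paragraph, here is an added example (my code, not from the original post) of generating a password the right way and of checking a human-chosen one for the mistakes just described. It uses Python's secrets module, which draws from the operating system's cryptographic random number generator. The context words you pass in (your name, the blog's name, the admin username) are whatever an attacker would try first; the ones used here are illustrative.

```python
"""Generate a random password, and check a human-chosen one for the
guessable patterns described above.

Added example, not code from the original post. `secrets` draws from the
operating system's cryptographic random number generator; never use `random`
for this.
"""
import math
import re
import secrets
import string

SYMBOLS = "!#$%&*+-=?@^_~"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS   # 76 characters


def has_all_classes(pw):
    """True if pw contains a lowercase letter, an uppercase letter, a digit and a symbol."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw))


def generate_password(length=16):
    """Uniformly random password over ALPHABET, redrawn until every class is present.
    Redrawing, rather than forcing one character of each class into fixed slots,
    keeps each position independent and uniformly distributed."""
    if length < 10:
        raise ValueError("10 characters is the floor; longer is better")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(pw):
            return pw


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random string: length * log2(alphabet size).
    16 characters from 76 symbols is about 100 bits; 10 characters is about 62."""
    return length * math.log2(alphabet_size)


def weaknesses(pw, context_words=()):
    """Reasons a chosen password is guessable. context_words are what an attacker
    tries first: your name, the blog's name, the admin username."""
    found = []
    low = pw.lower()
    if len(pw) < 10:
        found.append("shorter than 10 characters")
    if not has_all_classes(pw):
        found.append("missing a character class (upper, lower, digit, symbol)")
    if re.search(r"(19|20)\d\d", pw):
        found.append("contains a year (birthdays are the first thing tried)")
    for word in context_words:
        compact = word.lower().replace(" ", "")
        if len(compact) >= 3 and compact in low:
            found.append("contains '%s'" % word)
    if re.search(r"(.)\1\1", pw) or any(seq in low for seq in ("1234", "abcd", "qwer", "asdf")):
        found.append("contains a repeated character or keyboard sequence")
    return found


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, "(about %.0f bits)" % entropy_bits(len(pw)))
    print("Matt1985!! ->", weaknesses("Matt1985!!", ["Matt", "Life Without Pants"]))
```

The checks in weaknesses are the cheap ones; they catch the passwords people actually pick, not every bad one, which is why the generator is the recommended path and the checker is a backstop.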

Don’t go overboard with plugins

I may sort of contradict this advice by recommending some security plugins below, but you really don't want to go overboard with installing plugins. 1) Every plugin is someone else's code running with the full privileges of your site, so each one you add is one more place a hole can turn up (especially if you don't keep them up to date), and 2) they can really slow down your site. If it's not critical, get rid of it, and actually delete it rather than just deactivating it: a deactivated plugin's files are still sitting on the server where they can be reached directly. You may lose out on some "cool" functionality but SAFE > cool.

Know smart people

Sometimes, all of the security in the world still isn't enough. Sometimes, you just have to know the right people (or person) who can come through in the clutch and save your ass when assholes feel like trashing your site. For me, time and time again this has been Andrew Norcross – someone I consider a good friend, and who, even though I probably bug the shit out of him sometimes, has always been around when an issue or problem arises. I'm good at some things, but navigating through files and folders, tampering with core source files – that's not my forte. Knowing someone who can help you weather the storm when the shit hits the fan can go a long, long way (just make sure you're not taking advantage of them).

Some other useful plugins/resources

Login Lockdown: tracks the IP address of every failed login attempt to your WP dashboard and "blocks" that address from logging in after several failures in a short span. It's a good brake on simple password guessing, but know its limits: it won't stop an attacker who spreads attempts across many addresses, and it can lock out legitimate users who share an address (an office, a coffee shop). Pair it with an admin username that isn't "admin" and a strong password rather than relying on it alone.
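As an added example of what a lockout plugin is actually doing (my code, not the plugin's and not from the original post), here is the same logic run over web server access log lines instead of from inside WordPress. It assumes the common "combined" log format and relies on one piece of WordPress behaviour: a wrong password makes wp-login.php re-render the form with HTTP 200, while a correct one answers with a 302 redirect into wp-admin. The log lines are constructed for the example, using documentation IP ranges.

```python
"""Spot brute-force login attempts in a web server access log, the way a
lockout plugin does from inside WordPress.

Added example, not code from the original post or the Login Lockdown plugin.
Assumes the Apache/nginx "combined" log format. A wrong password makes
wp-login.php re-render the form with HTTP 200; a correct one answers 302.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one address hammering the login form, one real user.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Apr/2009:03:12:01 -0400] "POST /wp-login.php HTTP/1.1" 200 3711 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Apr/2009:03:12:02 -0400] "POST /wp-login.php HTTP/1.1" 200 3711 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Apr/2009:03:12:04 -0400] "POST /wp-login.php HTTP/1.1" 200 3711 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Apr/2009:03:12:05 -0400] "POST /wp-login.php HTTP/1.1" 200 3711 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Apr/2009:03:12:07 -0400] "POST /wp-login.php HTTP/1.1" 200 3711 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Apr/2009:03:12:09 -0400] "POST /wp-login.php HTTP/1.1" 200 3711 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Apr/2009:03:13:00 -0400] "GET /wp-login.php HTTP/1.1" 200 2990 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Apr/2009:03:13:20 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for lines that don't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT),
            m.group("method"), m.group("path"), int(m.group("status")))


def is_failed_login(method, path, status):
    """POST to the login form answered with 200 = password rejected. The
    lost-password and similar ?action= forms also POST here, so they are excluded."""
    base, _, query = path.partition("?")
    return (method == "POST" and base.endswith("/wp-login.php")
            and "action=" not in query and status == 200)


def find_lockouts(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: time_of_lockout} for addresses with >= threshold failures inside window."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent failures
    locked = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if not is_failed_login(method, path, status):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop failures that have aged out of the window
            q.popleft()
        if len(q) >= threshold and ip not in locked:
            locked[ip] = ts
    return locked


if __name__ == "__main__":
    for ip, when in find_lockouts(SAMPLE_LOG).items():
        print("lock out", ip, "from", when.isoformat())
```

Feeding your real access log to find_lockouts tells you whether anyone is hammering the login form, and the addresses it returns are the ones to deny in your web server configuration. The plugin's caveat applies here too: an attacker spread across many addresses never crosses the threshold, which is why the username and password still matter.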

WordPress File Monitor: emails you whenever files in your install are added, deleted or changed. It's an early-warning system, not a fix: a new .php file turning up under wp-content/uploads is a classic sign that someone has dropped a backdoor, and the sooner you see it the less you have to clean up (and restore from backup).
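What a file monitor does under the hood, as an added example (my code, not the plugin's and not from the original post): take a SHA-256 snapshot of every file in the install, keep it as a baseline, and report additions, removals and changes on each later run. The skipped cache folder and the script suffixes are assumptions; the "suspicious" bucket flags the pattern just mentioned, script files appearing in the uploads folder.

```python
"""Detect added, removed and changed files in a WordPress install by comparing
SHA-256 snapshots, which is what a file-monitor plugin does on a schedule.

Added example, not code from the original post or the WordPress File Monitor
plugin. Keep the baseline somewhere off the web server: an intruder who can
edit your files can also edit a baseline stored beside them.
"""
import hashlib
import json
import os
import pathlib

SKIP_DIRS = ("wp-content/cache",)          # churns constantly; not worth the noise
UPLOADS = "wp-content/uploads/"            # media folder; should never gain PHP files
SCRIPT_SUFFIXES = (".php", ".phtml", ".php5", ".phar")


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map of relative path -> sha256 for every regular file under root."""
    root = pathlib.Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(rel.startswith(skip + "/") for skip in SKIP_DIRS):
            continue
        result[rel] = hash_file(path)
    return result


def diff_snapshots(baseline, current):
    """Classify differences; 'suspicious' is the subset that warrants immediate
    attention: executable scripts appearing (or changing) in the uploads folder."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    suspicious = [p for p in added + changed
                  if p.startswith(UPLOADS) and p.lower().endswith(SCRIPT_SUFFIXES)]
    return {"added": added, "removed": removed, "changed": changed, "suspicious": suspicious}


def save_baseline(snap, path):
    with open(path, "w") as fh:
        json.dump(snap, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def check(root, baseline_path):
    """Compare root against the stored baseline; return the diff dict."""
    return diff_snapshots(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    import sys
    wp_root, baseline = sys.argv[1], sys.argv[2]   # e.g. /var/www/html ~/wp-baseline.json
    if os.path.exists(baseline):
        print(json.dumps(check(wp_root, baseline), indent=1))
    else:
        save_baseline(snapshot(wp_root), baseline)
        print("baseline written to", baseline)
```

Run it once to write the baseline, then from cron; after every legitimate update, re-run the baseline step so the next report only shows what you didn't do yourself.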

WP Security Scan: This plugin scans your WordPress installation for security vulnerabilities and suggests corrective actions.

Find more useful information on keeping your WordPress-based site safe with this informative Slideshare presentation.

(P.S. MUCH thanks to everyone who reached out and expressed concern/offered support while my site was down)

161 Comments

  1. Props to Andrew – he helped me when my site had a glitch as well. Great example of the awesomeness of the web community. Glad you’re back up and also happy that you used the opportunity to help others avoid this nightmare of a Sunday morning.

    • It was a nightmare – to say the least. I actually was watching this unfold before my eyes. It started with some spam posts here, then this was gone, then everything was gone, then they left some creepy message/picture in place of my site (which I took down ASAP). Much props to Andrew. I hope that what happened to me will serve as a reminder to everyone to keep their shit locked up tight (and backed up in case there is a breach).

  3. I think you handled it really well Matt. You just got on with it. And this debacle could happen to any one of us, so I'm really appreciative that you shared these tips (and Andrew's contact details). Good job.

    • Thanks Alicia – much of the credit goes to Andrew for knowing his way around the back-end (I'm trying to learn my way – but like I said, it's not my forte back in that neck of the woods). Happy that this attack can serve as an example that it really can happen to anyone – so it's important to keep things locked up tight.

  5. I was shocked when I read that you were attacked yesterday via twitter. The hackers and spammers were definitely out over the weekend. On Friday, I received a virus that pretty much weakened my entire computer and forced me to buy a new one because the cost to repair was just too much. I was in need for a new system anyway, but it was certainly an inconvenience. It’s good to know great people to help you through the storm. I’m glad that you were able to recover everything so quickly. I wish you all the best.

      • I’m sorry to hear about your computer Patrice. This can happen to the best of us I guess – I’m not giving the “all clear” sign just yet – still noticing a few weird things here and there, but hopefully I can clean house and prevent this from ever happening again.

        As for Tim's point – Macs are notorious for being much safer – but they're also a lot more expensive – was tempting for me when I sprung for a new computer recently, but the funds just aren't quite there to justify a $2000 computer.

        • Thanks for the Mac recommendation Tim, which is something I’ve been getting a lot of over the weekend. However, I’m in the same boat as Matt when it comes to the cost of purchasing one. I will definitely keep this in mind when the funds are available.

          Matt, we live and learn. Thanks for sharing your experience over the weekend with everyone as well as some necessary precautions to avoid it.

        • “but the funds just aren’t quite there to justify a $2000 computer.”

          This is what I don’t understand (and I’m not attacking you Matt, just people who say this in general). People would rather deal with an operating system (Windows) that requires weekly spyware cleaning, WEEKLY virus cleaning, WEEKLY malware cleaning, WEEKLY Windows updates and WEEKLY hard drive defragging – instead of buying a more expensive computer that requires MORE time and effort that is definitely more expensive in the long run.

          I recommend a change of perspective.

          • Ah, crap, I screwed up that last sentence. You know what I mean. :)

            “instead of buying a more expensive computer that requires NONE of that extra time and effort.”

            • You get no argument from me Tim. 1) I’ve always been a PC guy and didn’t really feel like making the switch at the time and 2) I understand the benefits of a Mac, but sometimes it really does come down to money, especially when you’re three months away from a wedding you’re funding much of yourself.

          • Tim, while I do love me some Apple stuff (iPhone FTW, and I rock a Mac Mini at home), I think that your WEEKLY caps are a little overblown.

            I make my living administrating Windows servers for a HUGE website. And I run Windows on both my work laptop and my home PC, as well as my wife’s desktop PC and laptop. I don’t find myself doing all of this work on a WEEKLY basis. I find myself setting it up properly, and then occasionally clicking on the “install downloaded updates” notifier (just like I do with a Software Update on OS X).

            While it’s undeniably true that OS X is inherently more secure than Windows, Windows can be made just as secure. The difference is that OS X comes “out of the box” locked down. And Windows is getting there. I don’t argue that security is easier on OS X, but I don’t really find the “time and effort” required to keep my Windows computers safe to be THAT intrusive.

            If you’re needing to run WEEKLY malware and virus scans that *require user action*, then you’re seriously surfing some dangerous porno sites :)

            • The thing about Windows is that it requires much more attention and maintenance to remain secure and running smoothly. The average user (aka, basically everybody that buys Windows laptops at Best Buy) has no idea what to run, how often to run it, or even that defragging is an option.

              Mac, on the other hand, just works. You can buy it from the Apple store and not have to run virus scans (ever), malware scans (ever), spyware scans (ever), defrags (ever).

              I’m not trying to beat a dead horse here – I’ve only been a Mac user for a little over 4 years now. I was a Windows user for over 10 years before that, so I’m speaking from experience, not just to be a dick.

              In my eyes, two choices:
              (a) a computer that costs a lot more money but that you don't have to worry about maintaining beyond regular computer maintenance
              (b) a dirt cheap computer that is susceptible to all sorts of viruses, spyware, malware, and will eventually get so clogged up that it will run slower than you ever thought possible.

              No brainer, right? :)

              Glad to hear you step across the aisle though with your Mac Mini and iPhone. I don’t mind Windows people that actually understand the truth. I mind the people who are convinced Windows is the most secure thing on earth.

              • For what it's worth, comparing Windows from 4 years ago to a Mac today isn't a straight-up comparison. I'm not a Mac person at all (I've spent enough time fixing my father's) but 99% of the issues aren't related to the hardware or OS, rather, the user. Bad browsing habits, not paying attention (i.e. clicking 'yes' without reading) and just plain laziness account for most (if not all) of the problems. I own a total of 9 PCs between my wife and I, and I haven't gotten a single virus in over 5 years. I don't do anything special other than have 1 anti-virus running. That's it.

                Macs don’t have viruses (yet) due to the low market share. But they still have browser exploits and phishing attempts, which are all net based. And if they ever break the 20% mark (in terms of user market share) look out.

                And a defrag isn't a PC-specific issue. Anyone who has data moving often needs to clean the structure on their drives.

                • I agree with you on maybe an unfair comparison, but the amount of complaints and trouble I hear from Windows users hasn’t decreased since I stopped using Windows. If anything, it’s increased.

                  So I’m not totally crazy :)

                  • Consider this:
                    Statistically speaking, up until a couple of years ago the primary target markets for Macs were designers, artists, editors, writers, photographers, musicians and the like. The profile for these groups is either technically gifted or willing to spend the $'s for the hardware and software.

                    That being said: the ones who actually have problems usually leave out the fact that most viruses come from pron, p2p filesharing, and warez; fortunately most warez don't work on Macs.

                    Over and above that I like Macs, though buying one is something I shall not be doing for a while. Between my 5 PCs/notebooks/netbook, I have had 1 virus in 5 years, completely my fault, no BSOD (even if I did have one, it'd most probably be due to a hardware issue, last time I checked MS wasn't manufacturing that!).. Btw. I run XP, Vista, Win7, OSX, Ubuntu, CentOS, and a couple of other smaller distributions on my PCs; with the exception of the netbook all have 2 or more OSes.

                    Can we get over the Mac vs Windows discussion already… And stick to WordPress!! Most probably we all love that, I know I do.

                    • Ah, and you clearly aren’t the average Windows user. Which means Windows still sucks for the average Windows user. :)

              • I should also make something clear – just so there's no bias (the "stepping across the aisle" thing is what I'm clarifying). Up until 1995 or so, I had never used a Wintel computer (other than one semester of a "business" class in high school). All of my computing experience was on Apple products or Sun Solaris (in college). I've probably owned more Apple/Mac computers in my life than Wintel PCs. I'm incredibly platform-agnostic (as I said, my day job involves supporting a major e-commerce infrastructure running on Windows/.NET, but I run Windows and OS X at home and manage my own VPS running Linux for my blog and other hosted applications).

                I didn’t take issue with the statement that Windows machines can (and usually do) require more maintenance and daily support than OS X. It was more the implication that it required hours of WEEKLY (caps, since you used them too :) ) effort to keep them safe.

                You are totally correct in your statement that the average user who buys an el cheapo laptop at Best Buy is going to be a honeypot for malware and crapware. But I think that when we are talking about fairly educated computer users, especially with the latest versions of Windows (Vista is crap, I won’t argue, but I’m talking about Win 7) it’s a much safer world than it used to be. I think there is a larger amount of user awareness of these types of things out there, and I don’t think it’s a cut-and-dried “Macs are safer, booyah” scenario.

                I also don’t buy into the “there aren’t viruses for OS X due only to market share”. I do think that OS X is inherently a more secure operating system than Windows XP or to some extent, Vista, but Microsoft IS getting better about locking the OS down. There ARE exploits for any OS, there are just more for Windows based systems because, well, it DOES have more holes. But those holes are getting smaller. And they can be plugged, and it doesn’t require hours and hours of weekly effort to plug them.

                Hell, Microsoft themselves even have a VERY good malware/AV solution that is FREE, doesn’t require manual intervention, and keeps you quite safe. The story is getting better over time.

                (and I know you’re not trying to be a dick; I wasn’t trying to be argumentative either. I just don’t think that it’s as cut-and-dried, black-and-white as you were coming across, and I do think that your initial comment was a little hyperbolic)

                • I agree, well said!! I usually get disgruntled when I hear people say that Macs are more secure just because of low market share; from a highly technical standpoint, they are just inherently more secure. Good stuff, and I love seeing IT posts up on this blog!

                  I'm looking to start some tech support campaigns for entrepreneurs, bloggers, and Mac users…so if anyone stumbles on this and is dealing with tech issues themselves…I'm giving away free support and consulting at http://www.itarsenal.com!

          • One point that I will NOT argue on is that the cost/value proposition of Mac computers is a sound one, and NOT because of the “extra time and effort” of Windows…but that apples to apples (no pun intended) comparing the hardware, the Mac machine is a good value.

            Assuming that you NEED all that horsepower. Which, of course, we all do. As I keep trying to convince my wife.

            • Agreed the value is good for a Mac – I don’t debate that at all – I’m sure I’ll make the conversion sooner than later – just have to put it in line with the list of other priorities at the moment.

        • Or a person could just switch to a Linux OS such as Ubuntu. Extremely secure and much faster operating than Windows. The downside is for gamers and those with unsupported Hardware.

          Maybe once Google releases their Linux/Unix based OS, we'll all breathe easier. Google is engaged in talks with major software and hardware developers to gain ongoing compatibility with their system in development. Promising, I'd say :-)

  7. Matt, thanks for this and I’m glad you got your site back up and running. I will follow all your recommendations to preserve the work that I’ve done on my site as well. Great job in overcoming this and coming out even stronger than before!

    • You’d be wise to do so Ed – I thought I had things pretty well secured around here. Goes to show that it can happen to anyone. Here’s to hoping we both remain spam/hacker free moving forward.

  9. Thanks for writing this, Matt. I had no idea that such a horrible thing could happen to our WordPress Blogs, and I’m ashamed to say I’ve never done anything to prevent it! I didn’t even know there was a back-up option. Upon reading this, I immediately exported my info from the toolbar like you suggested, but I’m not sure I did it correctly. It simply opened up an Internet Explorer window with a bunch of HTML code…is that all I needed to do? Or am I supposed to do something next with that information? Thank you again for the advice! I’m so glad you didn’t lose your blog. That would have been awful!

    • Any website can be hacked at ANY time. Here are some quick first steps:
      – backup your WordPress database on a weekly basis
      – backup your WordPress site files on a weekly basis
      – ensure that your WordPress administrator login name is not “admin”
      – ensure that your WordPress administrator login password is a clever combination of lowercase letters, uppercase letters, numbers, and symbols (like $,!,#)
      – ensure that your WordPress database password is also a clever combination of the above

      • Lauren – you are on a wordpress.com hosted blog, so (and anyone can feel free to correct me if I’m wrong) under their hosting you don’t have to worry as much about security breaches – as you’re not having to worry about your database being corrupted through FTP or SQL. However, you should still export your WordPress files via the WP dashboard, and beef up your passwords. If you need any help, let me know.

    • If you’re running on WP.com, then you don’t have the security issues to deal with. That’s the benefit of running on their servers (the negative being lack of control, customization, etc).

  11. Dude, I’m SO sorry you got hacked! What a crappy way to spend your weekend! But seriously, like a few of your commenters voiced above, it’s great that you were able to share your lessons with us. I’ll definitely be doing a little work on my end — can’t afford to be having that kind of thing happen. Just think, you’ll be so much more aware of what’s going on with Life Without Pants on the back end now.

    • Yeah – it sucked pretty hard. Especially watching it unfold before my eyes yesterday morning not knowing what the heck to do. But…lesson (hopefully) learned and here’s to hoping things are a little more secure around these parts today. I know hackers will be hackers and where there’s a will there’s a way – but at least this gives you a head start on beefing up your security.

  13. And one final thought (sorry for hitting you with all these individual comments; I should have wrapped them up as one). Never depend on your host to perform the backups. As Matt said, not only do you have no idea how recent it might be, but your hosting company will likely charge you cash money for the privilege of restoring your files for you. Pretty much the only time a hosting company will do a file restore for you gratis is when it’s THEIR fault that the files got hosed. And even then, they might not.

    If you run on a VPS (like I do) you might want to look into a service like rsync.net where you can run offsite backups for a very inexpensive price. Amazon S3 is another alternative for shoving your backups offsite. Or, just run an FTP job on your computer at home to back everything up every day :)

    • That’s a great point, Matt. A lot of people assume their hosting company is making backups for them, but often the opposite is actually true – the host is making no backups at all or they’re making very sporadic backups (weekly, monthly, etc).

      Chevy, I’d say Matt’s advice here is worth amending the post – crucial advice.

      • Amend the post? This advice is already part of the post:

        “Your host SHOULD provide a backup for you, but it may be somewhat dated (for example my backup dated back to early January) – take it upon yourself to do this manually – or use a plugin such as WP-DB-Backup which allows your to schedule automatic backups daily/weekly/etc. Do this, and do it often…It will save your ass in times of crisis.”

        Always important to take care of the backing things up part yourself rather than leaving it up to your host.

        • You might want to amend it with the fact that WP-DB-Backup only backs up your database – which probably helps if you get hacked and they don’t DELETE any files, but just mess with your install, but in the case of a catastrophic failure (or really mean hacker that deletes all your files), you need another backup solution to handle any uploaded image files, etc, that you have in your wp-content/uploads directory. Or if you’ve made changes to custom CSS, etc, etc.

          • Right – and there has been a lot of discussion about making sure the whole shebang is backed up – I was more or less focusing on the WordPress install in the actual post – but there’s plenty of other good tips to be found throughout these comments. Thanks for adding some additional wisdom – I am by no means an expert when it comes to this stuff (obviously).

  15. Hey Matt,

    Thanks for sharing these tips. While I haven’t had any issues to date, it’s good to keep all of the things you mentioned in mind. I’ll work on implementing some of them today.

    • No problem buddy – I had no issues up until about a month or so ago – started getting attacked with Viagra spam – then this crap happened. It’s almost like my Google Page Rank jumped to 5 and then hackers everywhere set their sites on this place. Hopefully with the new security I have in place things will be smooth sailing from here on out…

  17. I am so glad you are up and running again Matt. You really stand out in the blogging community as someone with so much passion … always wanting to give value. Glad you’re back on the road and thank you for being so helpful to share these tips with us when you’ve had such a bad weekend!
    Jen

    • Thank you for the kind words Jen – It was a rough day yesterday, to say the least, but I’m glad things are back in place and I didn’t lose too much (a few comments from the “Back to School post”) – I’m happy to use this attack as an example to everyone. If you ever need help with anything, you know where to find me!

  19. Man, that was close. Glad you got LWP back up and I’m definitely going to take your advice on security plugins. Looking forward to some more awesome posts Matt.

  21. Matt – so sorry to hear this happened to you, but like everyone else – you handled it so well! I also liked the “fuck you tweet.” Sometimes you NEED to vent! I think it’s awesome that you shared what you learned with us – THANK YOU! I just updated all my plug-ins and changed my password thanks to you. My blog was hacked a while back, but thankfully it wasn’t this bad. I’m just glad you got yours up and running again!

  23. Yikes – lots of comments on this one, not sure if it’s already been mentioned, but some vital security tasks to do:

    – change the default admin name and either delete the original “admin” or give it the lowest role so even if an automated attack gets into the admin account it will think it successfully hacked your site when really it didn’t b/c it has a subscriber role.

    – along with automated backups make sure you backup not only the database but the files/images each time too! I wrote an S3 script for this a while ago that has become rather popular: http://paulstamatiou.com/how-to-bulletproof-server-backups-with-amazon-s3

    – check out the AskApache WP security plugin – does a lot of server-side checks for permissions, etc

    – change default login/logout URLs. first thing hackers check is wp-admin, wp-login.php and all of that! A plugin called Stealth Login fixes this

    – Donncha’s WordPress Exploit Scanner

    – check htaccess perms!

    – even more important is to make sure you have a reliable web host that doesn’t do silly things like keep user passwords in plain text!

    • Not wanting to be a SPAM whore or anything but if any users are finding themselves lost with completing any of these tasks on making your blog more secure from the article or comments, I’d love to help you out, night or day for free!

    • Wow, these are great tips, Paul. I already have been backing up the files (I mentioned that in one of the comments above, that Matt’s suggestion of the DB backup only backs up, well, the DB…although I use rsync.net instead of S3, but that’s not really a big difference).

      A lot of those plugins are super dope. My issue is that I run lighttpd instead of Apache, so the usual mod-rewrite and .htaccess stuff doesn’t apply (lighty does it differently, so all of those plugins and stuff that rely upon .htaccess rules won’t work).

      I AM tempted to switch to Apache; I run lighty since, well, it’s better on a low memory system. But my server has 512 MB of RAM, which isn’t really “low” for a LAMP box…but anyway.

      • I used to run lighty for a bit – converting htaccess rules is a bit of a pain! Not nearly as bad as nginx’s htaccess-equivalent config files haha. My server has 3GB but Apache still finds ways to suck all that up and crash every once in a while. I blame one of the random plugins I use. I’m supposed to be moving to a 2 server setup (db, app) sooner or later, so I don’t really care enough to debug what is causing the memory leaks haha.

        P.S. – found this site via my friend @GoKTGo

        • Thanks for the advice/suggestions here everyone – a lot of valuable information for everyone throughout this post and in the comments. Hopefully a lot of people will benefit from reading through this and will take steps toward protecting themselves. Cheers!
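
Two of the items in Paul’s list above (the default “admin” login, which the reply to Lauren’s comment also raises, and .htaccess permissions) can be audited from a shell on the web host. The script below is an added example, not code from the post or from any of the plugins named here. It assumes a standard install with wp-config.php in the WordPress root holding the usual DB_* defines and $table_prefix, and that the mysql command-line client is installed for the account check; it reports, it does not change anything.

```sh
#!/bin/sh
# Added example (not from the post or from any plugin it mentions): audit two of
# the hardening items above from a shell on the web host.
#   1. wp-config.php and .htaccess must not be group/world writable, and
#      wp-config.php (it holds the database password) must not be world readable.
#   2. No administrator account should still be called "admin".
# Assumptions: a standard install with wp-config.php in the WordPress root and
# the mysql command-line client available for the account check.
set -eu

# Return 0 if the file's mode is acceptable, 1 otherwise.
# $1 = path; $2 = "secret" to additionally forbid world-read.
check_perms() {
    mode=$(ls -ld "$1" | cut -c1-10)            # e.g. -rw-r--r--
    group_w=$(printf '%s' "$mode" | cut -c6)    # group write bit
    other_r=$(printf '%s' "$mode" | cut -c8)    # world read bit
    other_w=$(printf '%s' "$mode" | cut -c9)    # world write bit
    if [ "$group_w" = w ] || [ "$other_w" = w ]; then
        echo "group/world WRITABLE: $1 ($mode)"
        return 1
    fi
    if [ "${2:-}" = secret ] && [ "$other_r" = r ]; then
        echo "world READABLE secret: $1 ($mode)"
        return 1
    fi
    return 0
}

# Pull a define('NAME', 'value') setting out of wp-config.php.
wp_config_value() {                             # $1 = wp-config.php, $2 = constant
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Read $table_prefix from wp-config.php (WordPress default is wp_).
wp_table_prefix() {                             # $1 = wp-config.php
    p=$(sed -n "s/^[[:space:]]*[$]table_prefix[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1)
    printf '%s' "${p:-wp_}"
}

# Print the login of every account holding the administrator role, one per line.
list_administrators() {                         # $1 = wp-config.php
    cfg=$1
    p=$(wp_table_prefix "$cfg")
    host=$(wp_config_value "$cfg" DB_HOST)
    MYSQL_PWD="$(wp_config_value "$cfg" DB_PASSWORD)" mysql -N \
        -h "${host:-localhost}" -u "$(wp_config_value "$cfg" DB_USER)" \
        "$(wp_config_value "$cfg" DB_NAME)" -e \
        "SELECT u.user_login FROM ${p}users u JOIN ${p}usermeta m ON m.user_id = u.ID
         WHERE m.meta_key = '${p}capabilities' AND m.meta_value LIKE '%administrator%'"
}

# Run every check against a WordPress root; non-zero exit means something to fix.
audit_site() {                                  # $1 = WordPress root directory
    rc=0
    check_perms "$1/wp-config.php" secret || rc=1
    if [ -f "$1/.htaccess" ]; then
        check_perms "$1/.htaccess" || rc=1
    fi
    for login in $(list_administrators "$1/wp-config.php"); do
        if [ "$login" = admin ]; then
            echo "administrator still named 'admin': rename it, or demote it to subscriber and use another account"
            rc=1
        fi
    done
    return $rc
}

# usage: sh wp-audit.sh /var/www/html
if [ $# -eq 1 ]; then audit_site "$1"; fi
```

A 640 or 600 mode on wp-config.php (owner being the account that runs PHP) passes the first check; 644, the default on many hosts, fails it because every other account on a shared box can then read the database password. The account check only lists; creating a new administrator and then deleting “admin” from the Users screen (reassigning its posts) is the usual fix.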

  25. I want to make sure I’m understanding everyone correctly. Will Tools-Export backup my files (theme, images, etc), the database (post, comments, etc), or both?

    Whereas the WP-DB-Backup plugin will only back up the database (post, comments, etc)?

    I want to make sure I’m backing up EVERYTHING! What happened to Matt is scary.

    • Tools | Export will NOT back up ANY of your files. It just exports the content of your posts and their comments to a file that you could use to IMPORT those posts into a rebuilt version of your blog (or another blog).

      The only way to back up your files is to use an FTP program or something similar to literally copy the files down to your computer (or if you want to be fancy and have the right access to your server, you can write scripts that will automagically copy all of those files to an offline store such as Amazon S3 or rsync.net).

      There IS a plugin called “WP-Backup” (I think that is what it was called) that will actually zip up all the FILES in your WordPress (themes, etc) and you can even have it email it to you on a schedule, but it appears to be very poorly supported and I had a bunch of problems with it. That’s why I switched to using DB-Manager plugin (it optimizes your DB on a schedule in addition to backing it up) and using a script on my server to move the files offline.
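
Several comments here converge on one point: Tools | Export covers posts and comments only, WP-DB-Backup covers the database only, and wp-content/uploads, the theme and any custom CSS need a file-level backup kept somewhere other than the host (the offsite suggestion in comment 13 and the script mentioned in Paul’s list). The following script is an added example, not code from the post or from any plugin discussed, that does all of it in one cron job: a mysqldump of the database, a tar of the whole site directory, a prune of stale local copies, and an rsync push to an offsite account. It assumes an rsync-over-SSH destination of the user@host:path form (as rsync.net provides; Amazon S3 would need a different push command), a standard wp-config.php, and 14 days of local history.

```sh
#!/bin/sh
# Added example (not from the post, WP-DB-Backup or any other plugin named here):
# one cron job that backs up BOTH the database and the files, keeps a couple of
# weeks of local history, and pushes everything to an offsite account.
# Assumptions: the site lives in SITE_DIR with a standard wp-config.php, the
# offsite target is an rsync-over-SSH destination (user@host:path), and 14 days
# of local copies is enough.
set -eu

# Pull a define('NAME', 'value') setting out of wp-config.php.
wp_config_value() {                    # $1 = wp-config.php, $2 = constant name
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Dump the database (gzip-compressed) and refuse to accept an empty dump.
dump_database() {                      # $1 = wp-config.php, $2 = output .sql.gz
    cfg=$1; out=$2
    host=$(wp_config_value "$cfg" DB_HOST)
    # --single-transaction: consistent InnoDB snapshot without locking the blog
    MYSQL_PWD="$(wp_config_value "$cfg" DB_PASSWORD)" mysqldump --single-transaction \
        -h "${host:-localhost}" -u "$(wp_config_value "$cfg" DB_USER)" \
        "$(wp_config_value "$cfg" DB_NAME)" | gzip -c > "$out"
    # a pipeline hides mysqldump's exit status, so sanity-check the contents
    gzip -dc "$out" | grep -q 'CREATE TABLE'
}

# Archive the whole site directory (themes, plugins, wp-content/uploads,
# wp-config.php, custom CSS) and verify the archive reads back.
archive_files() {                      # $1 = site dir, $2 = output .tar.gz
    tar -C "$(dirname "$1")" -czf "$2" "$(basename "$1")"
    tar -tzf "$2" > /dev/null
}

# Remove local copies older than $2 days; the offsite side keeps its own history.
prune_old() {                          # $1 = backup dir, $2 = days to keep
    find "$1" -maxdepth 1 -type f \( -name '*.sql.gz' -o -name '*.tar.gz' \) \
        -mtime +"$2" -delete
}

# Push the backup directory offsite. --delete is deliberately omitted so that a
# wiped local directory (the scenario above) cannot wipe the remote history too.
push_offsite() {                       # $1 = backup dir, $2 = rsync destination
    rsync -az -e ssh "$1/" "$2/"
}

main() {                               # usage: wp-backup.sh SITE_DIR BACKUP_DIR user@host:path
    site=$1; dest=$2; remote=$3
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dest"
    dump_database "$site/wp-config.php" "$dest/db-$stamp.sql.gz"
    archive_files "$site" "$dest/files-$stamp.tar.gz"
    prune_old "$dest" 14
    push_offsite "$dest" "$remote"
}

if [ $# -eq 3 ]; then main "$@"; fi
```

Keep BACKUP_DIR outside the web root: the archives contain wp-config.php and therefore the database password, and must never be served as web content. Restoring is the reverse (untar over a fresh install, `gzip -dc db-*.sql.gz | mysql`), and it is worth doing once on a scratch install to confirm the backups are actually usable before the day they are needed.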

  27. Wow! At approximately the same time, MY WordPress blog was hacked and erased! It was the second time in as many days that I had to start from scratch, so I changed domains and servers. The jerks musta been BUSY that day!

  29. I’m glad to see that you recovered your blog! I dread the day this happens to me, and I’ve done everything to avoid it that I can think of. I already do everything you suggest, except for some of those plugins. I’ll have to check them out. Thanks for the advice!

    • No problem buddy – I didn’t think it would/could happen to me – thought I had things pretty well locked down, and then it didn’t…so, lesson learned, right? Hopefully it won’t happen again.

  31. It’s so easy now to update WP and plugins, with the new automatic upgrades, there’s no reason not to do that as soon as you see that one needs upgrading. Check your blog every day and act immediately on this. I once got hacked because I had not upgraded; that’s when I learned the hard way how important it is to keep up to date.

    Also, make sure your web host has their own backup facilities. That’s what saved me in the end.

    Great post, Matt; thanks!

  33. Login Lockdown–thanks for the tip. I’ll be checking this out. My blog is relatively new, but imagine my surprise when I found over 100 spam comments in the WP queue. >:(
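
Login Lockdown limits repeated login attempts inside WordPress; the same pattern is visible in the web server’s access log, and counting it there is a useful check even without the plugin (and on setups such as the lighttpd one above, where .htaccess-based plugins do not apply). The script below is an added example, not part of the post or the plugin, run over a constructed Apache combined-format log with documentation addresses rather than real visitors. It relies on WordPress’s own behaviour: a failed wp-login.php POST re-renders the form with HTTP 200, while a successful one redirects to wp-admin with 302, so failed attempts are the 200s.

```sh
#!/bin/sh
# Added example (not from the post or from the Login Lockdown plugin): spot
# password-guessing against wp-login.php in the web server's access log and
# turn the offenders into Apache 2.2-style deny rules for .htaccess.
# Assumptions: Apache "combined" log format, and WordPress's own behaviour that
# a FAILED login POST re-renders the form with HTTP 200 while a successful one
# redirects to wp-admin with 302. The sample log below is constructed, using
# documentation addresses (RFC 5737), not real visitors.
set -eu

# Print "count ip" for every client with at least $2 failed login POSTs.
flag_login_bruteforce() {          # $1 = access log, $2 = threshold
    awk -v limit="$2" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= limit) print fails[ip], ip }
    ' "$1" | sort -rn
}

# Same data as .htaccess lines (Apache 2.2 mod_authz_host syntax).
htaccess_deny_rules() {            # $1 = access log, $2 = threshold
    flag_login_bruteforce "$1" "$2" | awk '{ print "Deny from " $2 }'
}

# Write a constructed sample log: one client hammering the login form, one
# legitimate user who mistypes once and then logs in, one ordinary reader.
write_sample_log() {               # $1 = output path
cat > "$1" <<'EOF'
203.0.113.7 - - [10/Feb/2009:03:12:01 -0500] "GET /wp-login.php HTTP/1.1" 200 2218 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Feb/2009:03:12:02 -0500] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Feb/2009:03:12:03 -0500] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Feb/2009:03:12:04 -0500] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Feb/2009:03:12:05 -0500] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Feb/2009:03:12:06 -0500] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Feb/2009:03:12:07 -0500] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/4.0"
198.51.100.4 - - [10/Feb/2009:08:40:11 -0500] "POST /wp-login.php HTTP/1.1" 200 3120 "http://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.4 - - [10/Feb/2009:08:40:30 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.4 - - [10/Feb/2009:08:40:31 -0500] "GET /wp-admin/ HTTP/1.1" 200 15210 "http://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.9 - - [10/Feb/2009:09:01:00 -0500] "GET /2009/02/back-to-school/ HTTP/1.1" 200 18432 "-" "Mozilla/5.0"
EOF
}

# usage: sh login-watch.sh /var/log/apache2/access.log 5
if [ $# -eq 2 ]; then flag_login_bruteforce "$1" "$2"; fi
```

On the sample log with a threshold of 5, only 203.0.113.7 is reported (six failed POSTs in six seconds); the user who mistyped once and then got a 302 is not. A threshold should be generous enough that forgetful legitimate users never trip it, and the deny rules belong in a block you can remove later rather than permanently in .htaccess.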

  37. I’ve read several good stuff here. Certainly worth bookmarking for revisiting.

    I wonder how so much effort you place to make any such fantastic informative web site.