From October last year until about January I was experiencing a lot of downtime (at some point, 70% of the time) on my WordPress blog (hosted at my own domain). Despite keeping everything up to date and not having a lot of plugins installed, I apparently got hacked and a lot of strange code appeared in some of the files.
I have since moved hosts and started with a fresh new install of WordPress in February. Unfortunately, for the past two weeks I have been experiencing the same problem. Not nearly as much downtime as before, thankfully, but unfortunately it seems WordPress is the culprit again.
Do you have any tips for making my WordPress more secure? I have very few plugins installed (WP Super Cache, CommentLuv and UBBP) and I have a secure password and username (not admin 😉 )
Hi Loreley! I’m very sorry this happened to you; I can imagine how frustrating it is. Right off the bat, I’ll say that I can’t tell you exactly why you were hacked. But I can go through a list of possibilities. Some of these may not apply to you, because I’d like to create a general list for everyone, but some of them might be possibilities for your case!
1. You have an insecure username or password
This is a huge rookie mistake! The first username every hacker is going to guess is “admin”, so if that’s your username, you’re already much more susceptible to a hack. Do yourself a favour and change your username (you can do this by creating a new admin account and then deleting the old one). Another name you don’t want to use is your site’s URL. So, since my site is www.nosegraze.com, I would not want my username to be “nosegraze”.
And your password is extremely important. The first kinds of passwords hackers will try are dictionary words or simple letter/number combinations. Your password should be very long (about 20 characters) and very strong. Here’s a great example:
According to howsecureismypassword.net, it would take a PC about 30 octillion years to brute-force that password! And heck, the longer the better. One of my passwords is 49 characters long!
Use a random password generator to help you come up with a good one.
2. One of your plugins (or your theme) is insecure
You should only be using reliable plugins that have been downloaded thousands of times and have great ratings. The plugins should also be updated often.
- If you use a plugin that isn’t popular, it can’t be vouched for.
- If you use a plugin that hasn’t been updated in 2 years, it may be using insecure or deprecated code.
- If the plugin doesn’t have great ratings, there’s probably a reason.
Poorly coded plugins can have vulnerabilities that can result in your site being hacked. Only install ones that are reliable, updated often, and have good ratings.
3. You have a virus on your computer
Perhaps the reason you were hacked isn’t because of something you have on your site. It could be something you have on your computer! If you have a keylogger on your computer and then log in to your WordPress account, whoever gave you that virus now has your username and password! (This could also happen with your actual web hosting account. If they can get in there, they can get into WordPress.)
Make sure you regularly scan your computer for viruses (even if you have a Mac! Macs are NOT immune to viruses).
4. You’re not stopping people from brute-forcing their way in
Unless you set up measures against it, bots can just sit on your login page all day and try password after password after password until they finally guess the right one. That’s NOT okay!
Install a plugin like Limit Login Attempts to limit the number of failed login attempts a person can make. You can block a person from attempting more logins after they fail more than 3 times (or any other number you specify). This prevents people from being able to try over and over again.
5. You’re running an out-of-date version of WordPress
There are reasons WordPress gets updated. Sure, new features are one of those reasons, but they’re not the main one. The main reason is so the developers can fix vulnerabilities, close up security holes, and fix bugs. So if you’re still running WordPress 3.0, odds are you have security holes in your installation (holes that have since been fixed in newer versions). Hackers can exploit those vulnerabilities to get into your site!
There’s no such thing as overkill: do everything you can to protect yourself!
You wouldn’t leave your front door unlocked when you leave the house, would you? You wouldn’t put your valuables on the doorstep and write a sign that says, “Feel free to steal; no one is home.” You should approach internet security with the same mindset. Protect yourself, your computer, and your online accounts.