Why Your WordPress Site Was Hacked

From October last year until about January I was experiencing a lot of downtime (at some point, 70% of the time) on my WordPress blog (hosted at my own domain). Despite keeping everything up to date and not having a lot of plugins installed, I apparently got hacked and a lot of strange code appeared in some of the files.

I have since moved hosts and started with a fresh new install of WordPress in February. Unfortunately, since two weeks I am experiencing the same problem. Not nearly as much downtime as before, thankfully, but unfortunately it seems WordPress is the culprit again.

Do you have any tips for making my WordPress more secure? I have very few plugins installed (WP Super Cache, CommentLuv and UBBP) and I have a secure password and username (not admin 😉 )

Loreley

Hi Loreley! I’m very sorry this happened to you; I can imagine how frustrating it is. Right off the bat, I’ll say that I can’t tell you exactly why you were hacked. But I can go through a list of possibilities. Some of these may not apply to you, because I’d like to create a general list for everyone, but some of them might be possibilities for your case!

1. You have an insecure username or password

This is a huge rookie mistake! The first username every hacker is going to guess is “admin”, so if that’s your username, you’re already so much more susceptible to a hack. Do yourself a favour and change your username (you can do this by creating a new admin account, then delete the old one). Another name you don’t want to use is your site’s URL. So, since my site is www.nosegraze.com, I would not want my username to be “nosegraze”.

And your password is extremely important. The first kinds of passwords hackers will try are dictionary words or simple letter/number combinations. Your password should be very long (about 20 characters) and very strong. Here’s a great example:

r*>8gB8Ck.3497C6YymL+sP

According to howsecureismypassword.net, it would take a PC about 30 octillion years to brute force that password! And heck, the longer the better. One of my passwords is 49 characters long!

Use a random password generator to help you come up with a good one.

2. One of your plugins (or your theme) is insecure

You should only be using reliable plugins that have been downloaded thousands of times and have great ratings. The plugins should also be updated often.

  • If you use a plugin that isn’t popular, it can’t be vouched for.
  • If you use a plugin that hasn’t been updated in 2 years, it may be using insecure or deprecated code.
  • If the plugin doesn’t have great ratings, there’s probably a reason.

Poorly coded plugins can have vulnerabilities that can result in your site being hacked. Only install ones that are reliable, updated often, and have good ratings.

3. You have a virus on your computer

Perhaps the reason you were hacked isn’t because of something you have on your site. It could be something you have on your computer! If you have a keylogger on your computer, then you login to your WordPress account, well whoever gave you that virus now has your username and password! (This could also happen with your actual web hosting account. If they can get in there, they can get into WordPress.)

Make sure you regularly scan your computer for viruses (even if you have a Mac! Macs are NOT immune to viruses).

4. You’re not stopping people from brute-forcing their way in

Unless you set up measures against it, bots can just sit on your login page all day and try password after password after password until they finally guess the right one. That’s NOT okay!

Install a plugin like Limit Login Attempts to limit the number of failed login attempts a person can make. You can block a person from attempting more logins after they fail more than 3 times (or any other number you specify). This prevents people from being able to try over and over again.

5. You’re running an out-of-date version of WordPress

There are reasons WordPress gets updated. Sure, new features is one of those reasons, but it’s not the main one. The main reason is so the developers can fix vulnerabilities, close up security holes, and fix bugs. So if you’re still running WordPress 3.0, odds are you have security holes in your installation (because those have since been fixed). Hackers can exploit those vulnerabilities to get into your site!

There’s no such thing as overkill: do everything you can to protect yourself!

You wouldn’t leave your front door unlocked when you leave the house, would you? You wouldn’t put your valuables on the doorstep and write a sign that says, “Feel free to steal; no one is home.” You should approach internet security with the same mindset. Protect yourself, your computer, and your online accounts.

Photo of Ashley
I'm a 30-something California girl living in England (I fell in love with a Brit!). My three great passions are: books, coding, and fitness. more »

Don't miss my next post!

Sign up to get my blog posts sent directly to your inbox (plus exclusive store discounts!).

You might like these

22 comments

  1. “r*>8gB8Ck.3497C6YymL+sP” ?????

    My beloved one can memorize any type of combinaison…. I can’t!!! And since I don’t want to have my passwords saved into my browser (I mean, what if my laptop gets stolen or lost?), I usually use a pattern I can remember with at least around 10 characters including letters, numbers and symbols.
    For instance, a pattern could be (I’m making it up):
    ! + 3 last letters of my name + 3 first letters of the website + Number of letters in the website name.
    For Ashley and Nosegraze it would then be: “!LeyNos9”

    You can make it more complexe and it has to change every so often but that’s the idea.

    But nothing can beat up “r*>8gB8Ck.3497C6YymL+sP” if you can memorize it :p

    Also, for super important things (bank, github account, my own blog…), I think indeed it’s better to have long and unique (non-patterned) passwords.

    Great article again, Ashley!

    1. You can always use something like 1Password to store your passwords for you. You create one “master password”, which you use to login to the app, then you have access to all your saved passwords there. The login details are encrypted on your hard drive, so they’re not just stored in plain text. No one can view them without your master password.

      So the idea is that you only have to memorize ONE password, then you can make all others super complex because they’re saved and encrypted for you and you don’t have to remember them yourself. 🙂

      1. Oh I didn’t know 1Password. Sounds interesting, especially since it seems to work for online password too.

        When I was using Linux, there was a native tool to store all your application passwords (like FTP passwords) but then… I was thinking, what if I have my laptop stolen? You need to crack one password and then you get all the others.
        Ok… I might be a bit paranoid. :p

        1. Yeah that’s true. But as long as your “one password” is super super strong, it shouldn’t be a problem. 🙂

          If you have trouble remembering a really strong one with numbers and symbols, you can even use a sentence. It’s easier to remember a sentence. An example might be:

          “Lily is so cool for commenting on Ashley’s blog, Nose Graze!”

          That’s 60 characters long and contains three symbols (punctuation). And it would apparently take “10 untrigintillion years” to crack!

          Sentences are easier to memorize and it’s soo easy to make them super long (because they’re sentences!).

          1. Yes, good tip! I must be super old school: away from SSH sentence key, I never even check if spaces are allowed in online/app passwords. :/
            The sentence password is definitely a great idea, thank you!

    1. I recommend you still amp up that password. 😉 All the password related stuff can be applied to Blogger as well. Of course, Google does have some brute forcing protection measures in place, but a password can still be hacked/guessed/brute forced on Blogger if the password isn’t strong!

  2. Heh, I’m going through a hack attempt attack right now. Brute force login, yesterday with “admin” which I never used, now with the domain name as username, of course.
    I’ve got up all the kinds of protection I could think of, I do have solid passwords (I think) for all blog users (got more than one), plus blocking IPS-s after they try to force log in, limiting login attempts, validating new IPS-s for users when logging in from a different one then regular.

    I used to think I was paranoid to put up all those things, but I’m not thinking that way since like Sunday, lol. Better to be safe than sorry, and as is, I’m terrified they’ll manage to find a way in in the end. I mean, the attack has been pretty much going on since Sunday and it doesn’t seem to stop yet. I’m hoping it will soon, like they realize I’ve gotten as Fort Knox as I possibly could, lol, and they’ll just give up :))

    But anyway, all your advice is awesome, and it’s better to do it all asap than think it won’t happen to you (like I was sure it wouldn’t happen to me, either, and yet, lol…)

  3. I have a question. I’ve been getting a ton of the log in attempt fails because I use the iThemes security (used to be called something else… I found it in a different post of yours and love it.) and it’s driving me nuts. I have log in attempts limited to 5, I have my home IP and my host’s IP whitelisted as a just in case, and then my log in page is in offline mode at night while I sleep and they are still just trying and trying.

    I have this in the medium priority of the iThemes settings: “Your WordPress Dashboard is using the default addresses. This can make a brute force attack much easier.”

    My question is, if I change the address to that, will I break anything? I figure if it was harder to find my log in page, it could only help, but I’m worried about breaking my install or something by changing it. I think breaking WordPress is my biggest fear having a wordpress blog at all.

    Also; thanks for that password website. That is amazing and I will use it forever!

    Ariel recently posted: Life Update: Baby News!
    1. Changing the login/admin URL will definitely help with the problem. I think the process is fairly straight forward, but if anything were to go wrong it could be difficult to fix it. I haven’t done it myself so I can’t really say how hard it is or how easy it is to mess something up. But I know several bloggers who have done it without issue.

      The other option, which is more complicated but also very secure, is to set up an htpasswd to protect your login page. That’s what I’ve done. It basically forces users to input a username and password BEFORE they even get to the login page. No one ever gets past that, so I never have any login attempts. I think it’s more complicated to set up though.

      1. Oh that is so helpful! Thank you! I had downloaded a plugin recently that apparently was meant to set up the htpasswd for you, but it broke my site so I deleted it. Looking at tutorials I found off Google, it looks easy enough to do that without needing a plugin. And, it looks easier to fix if I were to break something in the process. I mean, either or would probably be nothing more than a full ftp reset, but still, that stuff takes time. 😀

        Ariel recently posted: Life Update: Baby News!
        1. If you’re going to go the htpasswd route, I recommend setting it up to protect the wp-login.php page (as opposed to wp-admin). Ultimately, both are fine. But if you have it only protect wp-admin, then users don’t have to enter the second username/password until AFTER they first try to login. So you’ll still see a ton of login attempts. But if you protect wp-login.php then they’re prompted to enter the htpasswd BEFORE the normal WordPress one. So if you get any failed login attempts it means they bypassed htpasswd. It’s just easier to manage, I think.

Recent Posts

    Random Posts