Lately, I’ve been seeing and helping a lot of customers who have had their website hacked. These include, but are not limited to, WordPress sites. Once the initial panic has subsided, oftentimes customers’ first question is “how do I prevent this in the future?”
Of course, no networked computer is completely immune to attack, and there is no guarantee that an attack of this nature will never happen again. That said, there are steps that you can take to reduce the likelihood of attacks of any kind.
The most common attacks we see occur in shared hosting environments, like Media Temple. No hosting environment is completely impenetrable; however, shared hosting environments are frequently targeted because they are convenient for the attacker. In some cases, an attacker can modify several sites simultaneously with a tool purpose-built to identify and modify sites that are running a particular (old) version of WordPress.
For a lot of customers the issue comes down to short, guessable passwords, and to many people each having their own FTP account (so it’s difficult to know how far passwords have spread).
What follows is generally what I’ve been recommending lately.
Everyone’s got a password. Or a hundred. It’s easy to use the same password everywhere, but that gets dangerous when a password is hacked or compromised elsewhere on the internet: every other place that password is used becomes instantly vulnerable.
Encourage employees to use passwords that are long and difficult to guess. Passwords should be at least 16 characters long and include a mix of upper- and lower-case letters, numbers, and punctuation. Lookalike characters (such as a zero and a capital O) are a good idea too, to foil someone glimpsing your password over your shoulder. Avoid dictionary words, names, birthdates, keyboard patterns, and repeating sequences of letters and numbers. Whatever you do, don’t send passwords in emails. Also, change your passwords like you would your smoke detector battery — about every six months.
Change your WordPress administrator username and password so that you are not using the system default username of “admin”. Change your FTP and SSH passwords following these same guidelines.
WordPress should always be kept up to date. WordPress updates frequently contain security fixes that close the holes these attacks rely on, and attackers specifically target sites that are not up to date in order to exploit those known vulnerabilities.
Media Temple recommends the installation of two plugins to help prevent and mitigate several kinds of attacks on your server, including denial-of-service (DoS) attacks. Those plugins are:
- Wordfence Security: A free, enterprise-class security and performance plugin that makes your site up to 50 times faster and more secure.
- Fail2Ban: Writes all login attempts to syslog for integration with fail2ban, which will then block IP addresses that make multiple failed attempts to log in to WordPress.
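To show what the fail2ban integration actually does with those syslog lines, here is an added example (not part of the original post or of either plugin) that replays constructed WordPress login log lines through fail2ban's own counting rule: an IP is blocked once it has `maxretry` failures within `findtime` seconds. The log wording and the `evaluate` helper are assumptions for illustration; verify the message format against your own auth log before reusing the regex.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines in the wording the WP fail2ban plugin is assumed
# to emit; check your own auth log before reusing the regex on real data.
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 wordpress(example.com)[1234]: Authentication attempt for unknown user admin from 203.0.113.5
Mar  3 10:00:03 web1 wordpress(example.com)[1234]: Authentication attempt for unknown user admin from 203.0.113.5
Mar  3 10:00:05 web1 wordpress(example.com)[1234]: Authentication failure for editor from 203.0.113.5
Mar  3 10:00:07 web1 wordpress(example.com)[1234]: Authentication failure for editor from 198.51.100.9
Mar  3 10:00:09 web1 wordpress(example.com)[1234]: Accepted password for editor from 198.51.100.9
Mar  3 10:00:10 web1 wordpress(example.com)[1234]: Authentication failure for editor from 203.0.113.5
Mar  3 10:30:00 web1 wordpress(example.com)[1234]: Authentication failure for editor from 192.0.2.77
"""

# A failed login: syslog timestamp, WordPress tag, either message form, source IP.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ wordpress\([^)]*\)\[\d+\]: "
    r"Authentication (?:failure for|attempt for unknown user) (?P<user>\S+) from (?P<ip>[\d.]+)$"
)

def evaluate(log_text, maxretry=3, findtime=600):
    """Replay the log through fail2ban's counting rule: an IP is banned once it
    has `maxretry` failures inside the last `findtime` seconds. Returns
    (failures_per_ip, usernames_tried, banned); banned maps IP -> tripping timestamp."""
    failures = defaultdict(int)
    users = defaultdict(int)
    window = defaultdict(deque)        # ip -> timestamps of its recent failures
    banned = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue                   # successful logins and other lines are ignored
        ip = m["ip"]
        failures[ip] += 1
        users[m["user"]] += 1
        if ip in banned:
            continue                   # already blocked at the firewall in real life
        now = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # syslog has no year
        recent = window[ip]
        recent.append(now)
        while (now - recent[0]).total_seconds() > findtime:
            recent.popleft()           # expire failures that fell out of the window
        if len(recent) >= maxretry:
            banned[ip] = m["ts"]
    return dict(failures), dict(users), banned
```

The `usernames_tried` count is worth watching on its own: a stream of attempts against “admin” is exactly the guessing that renaming the default account (see above) turns into harmless noise.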
Honest Code is ready to assist you if (heaven forbid) this happens to you. We appreciate your trust and custom, and are here to answer any questions you may have.