The next reason is not necessarily a “good” reason per se, but while we were away, the main website on my hosting account was hacked and blacklisted as Malware by Google. HUGE Bummer. This in turn ended up affecting a few other sites I also had hosted under the same account. It was basically a nightmare. Luckily I have a developer friend that gladly helped me out in exchange for lunch and a few cups of coffee. How nice is that??
I thought you might want to know what I learned from that experience so that you can avoid it yourself, because it really was a huge waste of time at the most inconvenient of times for me. So what did I learn?
Backup, Backup, Backup!
I cannot stress this enough. If you haven’t read my previous post about how to back up your data, you should check that out and do a backup of your WordPress site(s) right now.
Keep WordPress Updated at ALL Times!
This is mainly why I got hacked. I have about 6 WordPress sites hosted in one hosting account with GoDaddy. There is one WordPress install at the root folder (the main folder) and the rest are all installed in subfolders within that root folder. The website I had installed at the root folder was one of the sites I was kind of done with. I hadn’t updated it in forever and it was for a business that was basically going out of business. So I never updated the install.
You see, WordPress doesn’t release updates from time to time just for the heck of it. Sure, sometimes they have feature updates and stuff, but usually it’s because they uncovered vulnerabilities that hackers have figured out how to find. Updates are a way for them to block those vulnerabilities before the hackers find them on your website. So there you have it. These Russian spammers got into my root site through the old WordPress installation and were able to change my .htaccess files to redirect my site to their own malware sites.
Luckily, Google usually figures this out pretty quickly to protect us, and they threw up a big, ugly malware warning on my website.
The bad thing about it is that if anyone tries to come to your website, they get scared away and may never come back! So the key is to deal with it as quickly as possible to get the warning removed.
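For a setup like the one described above (one WordPress install at the root folder, the rest in subfolders, and .htaccess files changed to redirect visitors), here is a small Python check, added as an illustration and not code from the original post. It lists the version of every WordPress install it finds and flags .htaccess redirect rules that point to a host you don't own; the function names, the sample folder layout, the version numbers, and the hostnames `mysite.example` and `redirect-target.example` are made up for the example.

```python
import os
import re
import tempfile

# WordPress stores its version in wp-includes/version.php as $wp_version = '...';
WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
# Apache redirect directives whose target is an absolute URL; group 2 is the host.
REDIRECT_RE = re.compile(
    r"^\s*(RewriteRule|Redirect(?:Match|Permanent|Temp)?)\b.*?\bhttps?://([^/\s]+)",
    re.IGNORECASE)

def audit(root, own_hosts):
    """Return ({install dir: version}, [(htaccess path, line no, external host)])."""
    installs, findings = {}, []
    own = {h.lower() for h in own_hosts}
    for dirpath, _dirs, files in os.walk(root):
        version_php = os.path.join(dirpath, "wp-includes", "version.php")
        if os.path.isfile(version_php):
            with open(version_php, errors="replace") as fh:
                m = WP_VERSION_RE.search(fh.read())
            installs[dirpath] = m.group(1) if m else "unknown"
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    m = REDIRECT_RE.match(line)
                    host = m.group(2).lower() if m else ""
                    # "%{HTTP_HOST}"-style targets point back at the site itself.
                    if host and not host.startswith("%") and host not in own:
                        findings.append((path, lineno, host))
    return installs, findings

def build_sample(root):
    """Constructed layout: stale install at the root, current one in a subfolder."""
    for sub, ver in (("", "3.0.1"), ("blog", "6.4.2")):  # constructed versions
        inc = os.path.join(root, sub, "wp-includes")
        os.makedirs(inc)
        with open(os.path.join(inc, "version.php"), "w") as fh:
            fh.write("<?php\n$wp_version = '%s';\n" % ver)
    with open(os.path.join(root, ".htaccess"), "w") as fh:  # altered file
        fh.write("RewriteEngine On\n"
                 "RewriteRule ^(.*)$ http://redirect-target.example/ [R=302,L]\n")
    with open(os.path.join(root, "blog", ".htaccess"), "w") as fh:  # stock rules
        fh.write("RewriteEngine On\nRewriteRule . /index.php [L]\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        build_sample(demo)
        print(audit(demo, {"mysite.example"}))
```

To use it on a real account, call `audit()` with the path to your hosting root and your own domain names, then compare the versions it reports against the current WordPress release.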
How to Be Alerted if Google Finds an Issue with Your Site
You need to have your sites added to Google Webmaster Tools in your Google account. If you haven’t added your site(s) to this free service yet, you should. Don’t worry, it’s not too late, and it’s helpful to have. It checks the health of your site (malware) and gives you options to submit your site for verification after you’ve cleaned it up. If it finds that malware has been installed on your site, it sends you an email to let you know so you can take care of it ASAP.
Google Webmaster Tools has a boatload of other user tools as well, such as submitting a sitemap, finding out what keywords lead people to your site, etc., so it’s definitely worth your while to check it out.
What Else Can You Do To Protect Yourself?
As you might have guessed there is a lot more you can do to protect your WordPress sites from hackers. So what else can you do to add an extra layer of protection?
- Change your default admin username and create a very strong password.
- Set up a backup schedule (as mentioned previously) and have backups sent to you via email or to a cloud storage account at least weekly.
- Hackers can also get in through bad code in plugins, so be careful about the plugins you install. Make sure they have good reviews and are compatible with the latest version of WordPress.
- Use the following plugins (these are all safe to use):
  - WordPress Firewall
  - Silence is Golden Guard
  - WP DB Backup
  - WordPress File Monitor Plus
  - Limit Login Attempts
  - WP Security Scan
There is always more you can do, but this should give you a good base. Feel free to do some of your own research on WordPress security,
What do you do to protect your WordPress installations?