Several weeks ago, many, if not all, of my websites were hacked. It was terrible! I spent many hours cleaning all the domains. Since then, I have learned some lessons, and I hope to pass them on to you so that you can avoid my mistakes.
Many of my websites are turning into WordPress websites now and I’ve really enjoyed learning new skills and finding a new niche. However, this road is not just learning how to build themes and set up WordPress for clients. There is a whole new level of security to be learned as well!
Imagine my surprise when I received my first email stating that I needed to shut down a site because it was phishing for information from their client’s banking site. Not cool! Imagine my surprise again, when a second and a third email came for some of my other sites that were doing the same thing.
Someone hacked into many of my sites and planted files and folders deep in the framework of each one. It was time-consuming to go through all those file trees looking for anything that didn’t belong. With my limited Linux skills, I was able to identify files whose modification dates had changed. This helped me decide where to start, but ultimately I had to go folder by folder, file by file.
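The date-change triage described above, as an added example (not the author’s own commands): a small Python script that walks a WordPress tree, lists files modified within the last 7 days, and also flags PHP files under wp-content/uploads, a directory that should only ever hold media. The sample tree it builds, the paths and the 7-day cutoff are constructed assumptions so the script runs offline.

```python
import os
import tempfile
import time


def find_suspicious_files(root, days=7, now=None):
    """Return (recently_modified, php_under_uploads) for the WordPress tree at root.

    recently_modified mirrors a `find -mtime` pass: anything touched in the last
    `days` days.  php_under_uploads lists .php files inside wp-content/uploads,
    which is where planted scripts often hide because uploads is writable.
    """
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    uploads = os.path.join(root, "wp-content", "uploads") + os.sep
    recent, php_uploads = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.getmtime(path) >= cutoff:
                recent.append(rel)
            if name.lower().endswith(".php") and path.startswith(uploads):
                php_uploads.append(rel)
    return sorted(recent), sorted(php_uploads)


def build_sample_site():
    """Construct a throwaway WordPress-like tree (constructed data, not a real site)."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    now = time.time()
    old, fresh = now - 90 * 86400, now - 3600
    samples = {
        "wp-config.php": old,
        "wp-includes/class-wp.php": old,
        "wp-content/uploads/2013/05/photo.jpg": old,
        "wp-content/uploads/2013/05/img.php": fresh,       # planted script
        "wp-content/themes/mytheme/functions.php": fresh,  # recently edited
    }
    for rel, mtime in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // constructed placeholder\n")
        os.utime(path, (mtime, mtime))   # back-date the file to the chosen mtime
    return root


if __name__ == "__main__":
    site = build_sample_site()
    recent, php_uploads = find_suspicious_files(site)
    print("modified in the last 7 days:", recent)
    print("PHP under uploads:", php_uploads)
```

Run it against a real site root with `find_suspicious_files("/path/to/site")` and review each hit by hand; a recently modified file is a starting point, not proof of compromise.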
I found a website, Sucuri.net, which helped to determine if there was any malware on my domains. However, it wasn’t conclusive. It did tell me that at least one of the domains I manage had been blacklisted. Not good!
In my search for more information, I found many people who had suffered the same fate. Many seemed completely lost about what to do. That was the category I fell into.
You’ve heard the saying, “There’s an app for that!” said in reference to Apple’s iDevices. Well, WordPress is similar. There’s a plugin for just about anything. So I went searching for something that could scan my domains. Here is what I found, and what works for me.
Anti-Malware by Eli
The very first plugin I discovered is called “Anti-Malware,” by Eli over at Get Off Those Maliciously Loaded Scripts! This plugin is a lifesaver! After installing and activating it, I ran the plugin on my most attacked site. It took some time, because the site is huge, but this plugin found what I couldn’t. The report showed me potential threats as well as known threats. I was able to remove all the malicious files. It worked so well that I now have it installed on all my sites.
Pros: There are frequent definition updates and the author stays in contact with his community. You can comment on his site with any issues you’ve come across and he’ll help to eradicate the threat.
Cons: The one unfortunate thing about this plugin… you have to log in and run it yourself. There is no automatic or schedule feature on this plugin. So, YOU have to remember to run the plugin periodically.
Better WP Security
With all the research I have put into this topic, I came across posts that led me to “Better WP Security,” by bit51. This plugin is more technical than I had hoped for, but I have learned some very important facts about WordPress by using it.
NEVER use the username ‘admin’ when installing WordPress on your site!
I never realized that this is the most important step. After installing this plugin and reviewing the log reports daily, I’m shocked to see how often people/bots try to log in as admin.
If you have a site already set up, and your username is ‘admin’ … change it! Unfortunately, WordPress does not allow you to change your username inside itself. There are only two ways that you can change your username.
- Install this plugin and it will allow you to make the change.
- Log into your phpMyAdmin and edit your database. Although I don’t advise you to edit your database, especially if you’re not clear on what to do, it is possible. Here’s how I did it without wreaking havoc.
  - Once logged into your phpMyAdmin panel, choose the database used for your WordPress installation. Generally, this is something like _wrdp1.
  - Next, on the left-hand side, look for a table called wp_users and click on it.
  - Scroll down the list of users until you find your login. Click Edit.
  - Look for user_login and change your username. Then click Go to save your changes.
Enforce strong passwords! I cannot stress this enough! With this plugin, you can force every role (Administrator, Editor, Contributor, and User) to use strong passwords.
This particular plugin is very technical. But don’t be afraid. There are notes along the way as you close up all the vulnerabilities with this plugin. Be advised though, this plugin suggests things like,
- Change wp-content path
- Turn off file editing from within WordPress admin area
- Prevent brute force attacks by banning hosts and users with too many invalid login attempts
Changing your wp-content path is a very good idea for new sites, but it is not a good idea for sites that are well established. This can really hose your site. So be careful.
Turning off file editing from within WordPress admin area means you will not be able to edit using the editor inside your dashboard. This can be problematic if you want to edit your theme pages inside the admin area.
Preventing brute force attacks by banning hosts and users with too many invalid login attempts is an excellent tool! I recommend you check this feature out. You’ll be surprised at how many brute force attempts are made on your site daily. However, use CAUTION! This setting can lock you out too if you forget your login credentials.
Pros: This plugin will tell you where your website’s vulnerabilities are and walk you through locking it down and making it more secure. The log files are very informative and continually show you where the attacks are. As you get used to how this plugin works, you can begin to ban IP addresses that seem to attack a lot and regularly.
Technical support seems to be on top of helping their customers out in a timely fashion.
Cons: There is so much to this plugin, if you’re not careful, you could end up locking yourself out or hosing your site. However, as I said above, technical support seems to be on top of helping their customers. Also, in order for this plugin to be effective, it must access core files as well as .htaccess files. Although this is a plus, it’s also a problem if you need to access your own .htaccess for any reason. Also, this plugin will send you emails of changes to files and login attempts. This is cool except that it sends multiple emails, thus driving the bandwidth of your site up. So once you have a handle on what you really want to know about NOW, you can shut this feature off. It’s already put 3 of my sites over bandwidth.
In my opinion, the Pros outweigh the Cons with this product.
Wordfence Security
Wordfence Security was the latest install added to my security measures. This plugin has some free services and some paid-for services. Once installed, I suggest going to Options first and getting the settings to your liking.
One of my downfalls is staying on top of plugin and theme updates. This plugin will watch that for you and send you an email when there is an update needed to any plugin or theme. This plugin also scans for malicious files, backdoors, Trojans and suspicious code. It scans posts and comments for suspicious content. It can also scan outside of your WordPress installation.
You can set up firewall rules that give both bots and humans a crawl-rate limit. This plugin does not have default settings here. You have to choose your own. Here is what I have begun with:
- Enable firewall rules: Yes
- Immediately block fake Google crawlers: Yes
- How should we treat Google’s crawlers: Verified Google crawlers have unlimited access to this site
- If anyone’s requests exceed: 30 per minute (1 every 2 seconds) then throttle it.
- If a crawler’s page views exceed: 960 per minute (16 per second) then throttle it.
- If a crawler’s pages not found (404s) exceed: 960 per minute (16 per second) then throttle it.
- If a human’s page views exceed: 240 per minute (4 per second) then throttle it.
- If a human’s pages not found (404s) exceed: 120 per minute (2 per second) then throttle it.
- If 404s for known vulnerable URLs exceed: 30 per minute (1 every 2 seconds) then throttle it.
- How long is an IP address blocked when it breaks a rule: 12 hours
Remember, these are only suggestions. You can choose to be tighter or looser on your firewall rules.
Now, for me, the login security options were very important. But be careful… Like Better WP Security, you CAN lock yourself out.
I don’t want anyone to get more than 5 tries within 5 minutes to log in before I lock them out. And when I lock them out, I want them locked out for at least a day. That gives me time to log in and look the abuser up on WHOIS to decide whether they should be locked out permanently. ANYONE trying to log in with the username ‘admin’ is blocked permanently.
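To make the firewall thresholds and the login lockout above concrete, here is an added Python sketch (not Wordfence’s code) of a sliding-window counter that applies the post’s own numbers: 30 requests per minute from anyone, 120 human 404s per minute, 30 404s per minute on known vulnerable URLs, 5 failed logins within 5 minutes, a 12-hour block for broken firewall rules, a one-day lockout for failed logins, and a permanent ban for anyone trying the username ‘admin’. The rule names, the use of a hard block in place of Wordfence’s throttling, and the sample addresses are assumptions.

```python
from collections import defaultdict, deque

# Thresholds from the post: (events allowed, window in seconds). Strictly more
# than the allowed count inside the window trips the rule ("exceed").
RULES = {
    "any_request":   (30, 60),    # 30 requests per minute from anyone
    "human_404":     (120, 60),   # 120 page-not-found hits per minute from a human
    "vuln_url_404":  (30, 60),    # 30 404s per minute on known vulnerable URLs
    "login_failure": (5, 300),    # 5 failed logins within 5 minutes
}
# Block length per rule: 12 hours for firewall rules, a day for login failures.
BLOCK_SECONDS = {"any_request": 12 * 3600, "human_404": 12 * 3600,
                 "vuln_url_404": 12 * 3600, "login_failure": 24 * 3600}
PERMANENT = float("inf")


class Throttle:
    """Per-(address, rule) sliding-window counter; a hypothetical illustration."""

    def __init__(self):
        self.events = defaultdict(deque)   # (ip, rule) -> timestamps still in window
        self.blocked_until = {}            # ip -> time at which the block expires

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, 0) > now

    def record(self, ip, rule, now):
        """Count one event for ip; return True if the address is blocked afterwards."""
        if self.is_blocked(ip, now):
            return True
        limit, window = RULES[rule]
        q = self.events[(ip, rule)]
        q.append(now)
        while q[0] <= now - window:        # drop timestamps that left the window
            q.popleft()
        if len(q) > limit:
            self.blocked_until[ip] = now + BLOCK_SECONDS[rule]
            return True
        return False

    def login_attempt(self, ip, username, success, now):
        """The post's login policy: 'admin' is banned for good; failures count toward lockout."""
        if username == "admin":
            self.blocked_until[ip] = PERMANENT
            return True
        if success:
            return self.is_blocked(ip, now)
        return self.record(ip, "login_failure", now)
```

Feed it one call per request or login from your access log (address, rule, Unix timestamp) and it tells you which addresses these settings would have blocked, which is a cheap way to sanity-check the thresholds before turning them on for real.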
Once you have chosen your settings, on the left side of your dashboard, under Wordfence, click scan. This will now scan your site for vulnerabilities and report them to you within minutes.
Pros: This plugin, like Better WP Security, will tell you where your website’s vulnerabilities are and walk you through locking it down and making it more secure. This plugin has a Live Traffic feature which allows you to watch traffic as it hits your site. As you get used to how this plugin works, you can begin to ban IP addresses that seem to attack a lot and regularly.
Cons: This plugin will send you emails of changes to files, login attempts and tell you when an administrator has logged in. This is cool except that it sends multiple emails, thus driving the bandwidth of your site up. So once you have a handle on what you really want to know about NOW, you can shut this feature off. It’s already put 3 of my sites over bandwidth.
I use all three of these tools together. I find they work well together. I have not had any hackers break through since installing these plugins. Each one of these plugins has its pros and cons, but for the most part the pros outweigh all the cons. There can be plugin or theme conflicts with any of these security plugins, so be careful. I have found at least one conflict, with the Tips and Tricks “WP eStore” plugin. All three of these plugins will block “timthumb” files. Even if you have an updated version of timthumb.php, it will still be blocked. So be aware.
Leave me a comment if this has helped you.