A couple of days ago, I had a really trying experience. I had set up a new blog for my son, but failed to give him his log-in information. Days went by and he begged me to send it to him. When I finally did, he told me that the log-in information didn’t work. Balderdash, I thought. He’s doing something wrong.
“Would you sign in for me, Mom?” he asked.
“Yes, yes,” I said, waving my hand.
Again, days went by, two or three, and he kept asking me to sign in for him and save it so that he would be automatically logged in.
Well, finally, day before yesterday, I tried. And tried. And tried. But every time I entered the log-in information, the screen “shook its head.” You know, like an obstinate child holding its breath, it refused to give me access. So I asked for it to send me the missing information.
The first clue was in the email I received: an entirely unknown username. Who the h*ll was “atro?” I asked my son if he’d changed the username, a dumb question because he’d never been able to sign on to begin with. Of course, his answer was no.
Then and only then did I think to look at the actual site. What did I see? Not the sweet and clean, grassy green site I’d set up for my 14-year-old, but a hideous creation in black with a white skull-and-crossbones. Blood red italics flowing across the bottom of the screen proclaimed with pride that the site had been hacked by some idiot named “Atrocity.”
I was furious. Naturally, I was. I dumped the whole site and reinstalled it. Took about twenty-five minutes. Who the h*ll, I wondered, would bother hacking an empty site? And the site of a child at that. (Although obviously, the hacker didn’t know it was a child’s site.) Even now, I just get angry thinking about it.
I spent hours the next day securing the site. And then it occurred to me that if some low-life is mean enough to attack a baby’s empty site, then what would they do to mine? So I spent several more hours then backing up and securing my site.
This year seems to be the one in which I become unhappily acquainted with low-life hackers. One of my various enterprises involves designing websites. This summer, a site I designed for a favorite client got hacked. I spent hours recovering and securing the site. It’s an important site, for them and their clients, but way too small, I thought, for anyone to go to the trouble of attacking it.
Obviously, I was wrong.
Obviously, no site is too small or humble for someone with nefarious intent.
Jennifer Blanchard, over at Procrastinating Writers, has also, unfortunately, endured having her site hacked. In a post about the experience, she gives good advice and points out an excellent article, “14 Effective Practical Security Tips for WordPress.”
In addition, I’ve found the articles at Velvet Blues, WP Beginner, and Tdot to be very helpful. Admittedly, some of the suggested measures are not for the faint of heart. If you’re not at ease messing with PHP and so on, then you might well want to find an expert to do it for you. I had to learn under the gun. The expert I called on last summer never returned my call and my client was under enormous pressure to get his site up and running (meaning, so was I).
What does everyone recommend?
(1) Make sure your webhost backs up your site automatically. Last summer, my host was able to restore the site within two hours. I suddenly felt a whole lot better about the hefty fee I pay the company annually.
(2) Learn how to back up your database yourself. Use a plugin, such as WordPress Backup or DB Cron, to back up your database.
(3) At a bare minimum with WordPress, use the Export option under Tools to download a file of your posts and images. Most authors realize they can replicate the form of the site, so it’s the content they grieve for. Do an export and save your content. Takes a few minutes. The more frequently you update your content, the more frequently you should export it to your desktop.
(4) Keep your WordPress install and plug-ins up-to-date. Delete all unused/disabled plug-ins. If you’re unsure about whether you’ll need a plug-in in the future, then download the zip file that’s the plug-in itself. You can always upload it and reconfigure it.
(5) If you’re using “Admin” for your user admin name, then change it. Easiest way to do it: Create another user with administrator privileges. Make sure the user’s name is unique (i.e., include both numbers and letters), then log out. Log back in as the new user and delete the old user.
(6) Change your WordPress database table prefixes. (See the article at Tdot for detailed instructions on how to do this.)
(7) Create custom log-in links or, even better, hide your log-in window. There’s a great plug-in called Hidden Login. Try it.
There are many good, solid suggestions out there. You needn’t implement them all, just enough of them to make a hacker decide it’s not worth the bother. Yes, it takes time to read these articles and/or find an expert, but the effort is worth it. Far better to take care of this now, than go to your site one day and find it’s gone, with a skull and crossbones in its place.
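Tips (4), (5) and (6) above can be checked mechanically. The following is an added example, not code from any of the linked articles: it reads the text of `wp-config.php` plus user and plugin lists and reports which of those three tips still need attention. The function names are hypothetical, and the CSV columns are an assumption modelled on what WP-CLI's `wp user list` and `wp plugin list` produce with `--format=csv`.

```python
import csv
import io
import re

# Matches an uncommented `$table_prefix = '...';` line in wp-config.php.
# Lines starting with // or # are skipped; /* */ blocks are not handled.
PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*(['"])(.*?)\1\s*;""", re.M)

def table_prefix(wp_config_text):
    """Return the configured table prefix, or None if no assignment is found."""
    match = PREFIX_RE.search(wp_config_text)
    return match.group(2) if match else None

def audit(wp_config_text, users_csv, plugins_csv):
    """Return a list of findings keyed to tips (4), (5) and (6)."""
    findings = []
    prefix = table_prefix(wp_config_text)
    if prefix is None:
        findings.append("tip 6: no $table_prefix assignment found")
    elif prefix == "wp_":
        findings.append("tip 6: default table prefix 'wp_' is still in use")
    for row in csv.DictReader(io.StringIO(users_csv)):
        roles = [r.strip() for r in row["roles"].split(",")]
        login = row["user_login"]
        if "administrator" not in roles:
            continue
        if login.lower() == "admin":
            findings.append(f"tip 5: administrator account is named {login!r}")
        elif not (any(c.isdigit() for c in login) and any(c.isalpha() for c in login)):
            findings.append(f"tip 5: administrator {login!r} lacks a letter/number mix")
    for row in csv.DictReader(io.StringIO(plugins_csv)):
        if row["update"] == "available":
            findings.append(f"tip 4: plugin {row['name']} has an update pending")
        if row["status"] == "inactive":
            findings.append(f"tip 4: plugin {row['name']} is inactive; delete it")
    return findings

# Constructed sample inputs (not from a real site).
SAMPLE_CONFIG = "<?php\n// $table_prefix = 'old_';\n$table_prefix = 'wp_';\n"
SAMPLE_USERS = ("user_login,roles\nadmin,administrator\nmom,administrator\n"
                "kid14,author\neditor7x,administrator\n")
SAMPLE_PLUGINS = ("name,status,update\nexample-gallery,active,available\n"
                  "old-slider,inactive,none\nexample-forms,active,none\n")

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_USERS, SAMPLE_PLUGINS):
        print(finding)
```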




