Website security is something you hear about in the news all the time: so-and-so's website has been hacked and has leaked people's sensitive information. It is something that will probably never stop. And if your website has been hacked before, you know how much of a pain in the rear it can be.
We have hundreds of WordPress websites and have had a couple of them hacked before, and we know, it really sucks. We would like to get our hands on the hackers and demonstrate some of the hand-to-hand combat skills we learned in the Corps (ya, there are a couple of us here who are Leathernecks – Semper Fi!). Thankfully we always back up our sites regularly. Backups are a MUST!
If your site has been hacked, it may or may not have been your fault. Sometimes attackers get in through the server where your site resides rather than through your site itself, and that can affect you whether or not you are using WordPress.
You may have heard of the ransomware that has been going around. Your computer gets infected and a pop-up tells you that you must pay a "ransom" to unlock your computer. Well, now it seems that attackers can do this to your website as well. David Bisson recently wrote an article about this on GrahamCluley.com explaining what it does:
Ransomware's new target? Websites
Extortionists demand Bitcoin ransom be paid to restore WordPress websites
A strain of ransomware has reinvented itself and begun encrypting WordPress websites in exchange for Bitcoin ransom payments.
Lawrence Abrams of Bleeping Computer explains in a blog post that the ransomware, dubbed “CTB-Locker,” first appeared two years ago as a traditional sample of crypto-ransomware targeting ordinary users.
Since then, Abrams explains, the malware’s authors have realized that there are bigger fish worth catching:
“CTB-Locker for Websites is a ransomware that is designed specifically to target websites, encrypt their contents, and then demand a 0.4 bitcoin ransom to get the decryption key.”
The encryption process begins with the ransomware author hacking a poorly-secured website and replacing the existing index.php or index.html files with versions that display a ransom demand. The attacker gives victims the opportunity to decrypt two randomly pre-chosen files “for free” (presumably to prove that files are indeed recoverable), but has encrypted any documents found on the server that match a long list of file extensions.
Once the site’s content is encrypted, the ransom note is displayed to anyone visiting the site.
Attention! What happened?
Your personal files are encrypted by CTB-Locker.
Your scripts, documents, photos, databases and other important files have been encrypted with strongest encryption algorithm AES-256 and unique key, generated for this site.
Decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the decryption key.
Learn more about the algorithm can be here: Wikipedia
The ransom note goes on to reference a news story on the Security Ledger website that quotes an FBI spokesman’s controversial advice that companies hit by ransomware should just pay the ransom. Continue Reading The Article Here…
David goes on to explain that most of the sites getting hit with this are WordPress sites running outdated versions.
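One check that catches exactly the pattern described above (index.php swapped out, a pile of files rewritten) is a file-integrity baseline of the webroot. The script below is an added example, not something from the quoted article or from the CTB-Locker write-ups it cites. It assumes a Linux host with POSIX sh, find, awk and sha256sum (or shasum on BSD/macOS); the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: baseline the hashes of a WordPress webroot, then diff later.
# A replaced index.php or a mass rewrite of files shows up as CHANGED lines
# before a visitor ever sees a ransom note. Paths below are placeholders.

# SHA-256 of one file; GNU coreutils on Linux, shasum on macOS/BSD.
_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# wp_baseline WEBROOT MANIFEST
# Writes "hash  relative/path" for every regular file, sorted. The cache and
# uploads trees are skipped because they change legitimately all the time.
# Store MANIFEST off the server (or at least outside the webroot, read-only):
# a manifest the attacker can rewrite proves nothing.
wp_baseline() {
    bl_root=$1; bl_out=$2
    ( cd "$bl_root" || exit 1
      find . -type f ! -path './wp-content/cache/*' ! -path './wp-content/uploads/*' \
          -print | sort | while IFS= read -r f; do
              printf '%s  %s\n' "$(_sha256 "$f")" "${f#./}"
          done ) > "$bl_out"
}

# wp_check WEBROOT MANIFEST
# Re-hashes the tree and prints ADDED / REMOVED / CHANGED lines, exit 1 on any
# difference; prints nothing and exits 0 when the tree still matches.
# index.php / index.html are the site's entry point, so they are called out.
wp_check() {
    ck_root=$1; ck_base=$2
    ck_now=$(mktemp) || return 1
    wp_baseline "$ck_root" "$ck_now" || { rm -f "$ck_now"; return 1; }
    ck_report=$(awk -F'  ' '
        FILENAME == ARGV[1] { base[$2] = $1; next }
        { cur[$2] = $1 }
        END {
            for (p in cur) if (!(p in base)) print "ADDED   " p
            for (p in base) {
                if (!(p in cur)) print "REMOVED " p
                else if (base[p] != cur[p])
                    print "CHANGED " p (p ~ /(^|\/)index\.(php|html)$/ ? "  <- site entry point" : "")
            }
        }' "$ck_base" "$ck_now" | sort)
    rm -f "$ck_now"
    if [ -z "$ck_report" ]; then return 0; fi
    printf '%s\n' "$ck_report"
    return 1
}

# Usage: sh wpcheck.sh baseline /var/www/html /root/wp-manifest.txt
#        sh wpcheck.sh check    /var/www/html /root/wp-manifest.txt   (from cron)
case ${1:-} in
    baseline) wp_baseline "$2" "$3" ;;
    check)    wp_check "$2" "$3" ;;
esac
```

Run `check` from cron: it exits non-zero on any difference, so it plugs into whatever alerting you already have. Re-baseline right after every WordPress core or plugin update, since those legitimately change hundreds of files, and treat an unexpected CHANGED index.php or an ADDED .php file under wp-content as an incident, not noise.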
So what do you do? How can you protect yourself? If you are like us, WordPress is your platform of choice. But there are some things you must do to keep hackers out.
First: never, and we mean NEVER, leave your login username as "admin", the default on many installs. It is the first username every brute-force script tries. We like making something up, or using parts of people's names, your favorite team, whatever. Just don't leave it as admin!
The same goes for your password. Make it a passphrase: a few words from your favorite song along with a few numbers and various punctuation marks. Length is what matters most, and don't reuse it on any other site.
We also like moving the login page so that it is no longer yoursite.com/wp-admin. There are a few plugins that make this easy to do. It won't stop a determined attacker, but it takes you out of the line of fire of the bots that hammer the default URL on every WordPress site they can find.
Now you might be saying to yourself, "how do I keep up with all of these passwords?" We like using LastPass. We have researched them and find they do an excellent job of encrypting and protecting your information. We aren't endorsing them; they are just who we like. There are others out there, just do a Google search for them.
There are a lot more things you can do to keep your site safe. Jean-Baptiste Jung covers them in a post he wrote on DZone.com; here is a snippet from it:
10 Tips for a More Secure WordPress Blog
Host Your Website on a Reliable Web Host
Especially if you’re on a shared server (this is the case for most small websites such as a personal blog), attackers can use corrupted files on the server, even if they aren’t yours, to spread to other websites hosted on the server. This can’t be fully stopped by you alone, so you need to be sure that your web host is super serious about security and offers strong customer support that will always be helpful in case something goes wrong.
Below are the three web hosts I personally work with and recommend for their performance and security:
- Vidahost: this company has been hosting CatsWhoCode since 2012. The speed and availability are amazing and the support service always responds fast, even on Sundays or in the middle of the night. The only downside is the somewhat expensive price, but just like cheap hosting isn’t good, good hosting isn’t cheap.
Good news: by using the coupon CATSWHOCODE when checking out, you’ll get 10% off any hosting plan.
- A Small Orange: A company that many of my partners and I work with, A Small Orange is offering an exclusive discount to CWC readers consisting of one year of hosting + a domain name for only $40. Definitely a great deal for serious websites owners.
- In Motion Hosting: I haven’t worked with them directly yet, but I’ve been fixing quite a lot of websites hosted on their servers and everything was smooth. Definitely worth checking out!
If a problem happens, it is essential that you have a backup of both your database and files so that you can restore them to your server. Backups can be done manually or by using a plugin such as WP Database Backup. Your web host can also make regular backups of your website and database. The three hosts I mentioned above do free, regular backups for their clients and their support service can help you to restore it to your server in case of an attack.
Use .htaccess to Protect wp-login
Password protecting your wp-login.php file can add an extra layer to your server. Because password protecting wp-admin can break any plugin that uses AJAX on the front end, it’s usually sufficient to just protect wp-login.php.
To do this, you will need to create a .htpasswd file. To do so, go to htpasswd generator and follow the instructions. Once you have your file ready, upload it to your server.
Once done, you need to tell .htaccess where it’s at. Assuming you’ve put .htpasswd in your user’s home directory and your htpasswd username is mysecretuser, then you put this in your .htaccess file: Continue With His Article Here…
Good article from him, but if editing .htaccess and uploading directly to your server is a little over your head, you should probably get a webmaster to do it for you. You can really mess things up if you do it wrong: a single typo in .htaccess takes the whole site down with a server error until it is fixed.
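To make that last step concrete, here is the piece the excerpt stops short of, written as an added example rather than Jung's own snippet. It creates the .htpasswd entry (with htpasswd(1) if it is installed, otherwise with openssl) and appends a <Files> block for wp-login.php to the site's .htaccess. The user name mysecretuser is the one from the excerpt; the paths /var/www/html and /etc/apache2/wp-login.htpasswd in the usage line are assumptions. It only has an effect on Apache with AllowOverride AuthConfig (or All) enabled for the webroot; nginx ignores .htaccess entirely and needs auth_basic in its own config instead.

```shell
#!/bin/sh
# Added example: HTTP Basic auth in front of wp-login.php only.
# Only wp-login.php is covered, so admin-ajax.php and the rest of wp-admin keep
# working for plugins that use AJAX on the front end (the excerpt's point).

# wp_htpasswd_entry USER PASSWORD  -> prints "USER:HASH"
# Prefers Apache's htpasswd with bcrypt (-B); falls back to OpenSSL's apr1
# (salted, 1000-round MD5, the htpasswd default). Never use the plain or {SHA}
# formats: they are unsalted. The password is fed on stdin, not argv, so it
# does not show up in `ps`.
wp_htpasswd_entry() {
    he_user=$1; he_pass=$2
    if command -v htpasswd >/dev/null 2>&1; then
        printf '%s\n' "$he_pass" | htpasswd -niB "$he_user"
    elif command -v openssl >/dev/null 2>&1; then
        he_hash=$(printf '%s\n' "$he_pass" | openssl passwd -apr1 -stdin) || return 1
        printf '%s:%s\n' "$he_user" "$he_hash"
    else
        echo "need htpasswd (apache2-utils / httpd-tools) or openssl" >&2
        return 1
    fi
}

# wp_htaccess_rules HTPASSWD_PATH -> prints the .htaccess fragment
# AuthUserFile must be an absolute path, and the file must live outside the
# webroot so it can never be served to a browser. "ErrorDocument 401 default"
# keeps Apache's own 401 page instead of routing the error back into WordPress.
wp_htaccess_rules() {
    cat <<EOF
# Extra password in front of the WordPress login page
ErrorDocument 401 default
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile $1
    Require valid-user
</Files>
EOF
}

# wp_protect_login WEBROOT HTPASSWD_PATH USER PASSWORD
# Writes the password file (one login per file; use htpasswd(1) to add more)
# and appends the rules to WEBROOT/.htaccess exactly once.
wp_protect_login() {
    pl_root=$1; pl_file=$2; pl_user=$3; pl_pass=$4
    case $pl_file in
        /*) ;;
        *)  echo "use an absolute path for the htpasswd file (Apache does not resolve it relative to .htaccess)" >&2; return 1 ;;
    esac
    case $pl_file in
        "$pl_root"/*) echo "keep the htpasswd file outside the webroot $pl_root" >&2; return 1 ;;
    esac
    wp_htpasswd_entry "$pl_user" "$pl_pass" > "$pl_file" || return 1
    chmod 640 "$pl_file"   # then chown it to the httpd user's group, e.g. root:www-data
    if ! grep -q '<Files "wp-login.php">' "$pl_root/.htaccess" 2>/dev/null; then
        wp_htaccess_rules "$pl_file" >> "$pl_root/.htaccess"
    fi
}

# Usage: sh wp-protect-login.sh /var/www/html /etc/apache2/wp-login.htpasswd mysecretuser 'long passphrase here'
if [ "$#" -eq 4 ]; then wp_protect_login "$1" "$2" "$3" "$4"; fi
```

After running it, load yoursite.com/wp-login.php in a private window: the browser must prompt for the Basic-auth credentials before the WordPress login form appears, and the front end of the site must still load without a prompt. If you get a server error instead, AllowOverride is off for that directory and the block needs to go into the Apache virtual-host config rather than .htaccess.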
As far as the hosts he recommends, the only one we have used from that list is A Small Orange. We have never had any problems with them, and no downtime either. For most of our main sites and client sites we use A2 Hosting. We stay away from GoDaddy and HostGator: with GoDaddy we have had issues and couldn't get customer service on the phone for over an hour, and the same with HostGator. Another factor with hosting is that GOOD HOSTING won't come cheap. Again, if you don't like our recommendations, do a Google search for "Reliable Web Hosting" or something along those lines.
So to sum it all up, having a secure website means: use a non-default username and a long password, move your wp-admin login, pay attention to where you host your site, keep WordPress and your plugins up to date with new releases, and MAKE REGULAR BACKUPS!
How often you need to back up your site depends on how often your content changes. If you are making several posts a week, make a backup at the end of the week; if you aren't very active on the site, once or twice a month. We also like using our own backup plugin rather than relying on the host. One of our favorites is UpdraftPlus: not only does it make backing up your site easy, it also makes it easier to move your site to a new host if need be. Wherever the backup is made, keep a copy somewhere other than the web server itself; the ransomware described above encrypts whatever it finds on the server, and a backup sitting next to the site is just another file to encrypt.
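As an added example (not the article's code and not UpdraftPlus), here is the minimum a host-side backup needs to do, for a Linux box with POSIX sh, tar, sha256sum and, for the database, mysqldump. It pulls the DB credentials out of wp-config.php so nothing is duplicated in the script, writes a checksum beside every archive so a corrupted (or encrypted) backup is caught before the day you need it, and prunes old archives. The paths /var/www/html and /var/backups/wp in the usage line are assumptions, and the sample wp-config.php lines in the comments are constructed.

```shell
#!/bin/sh
# Added example: WordPress backup from the host side (files + database),
# with a checksum per archive and simple rotation.

# wp_db_setting WP_CONFIG NAME -> value of define('NAME', '...') in wp-config.php
# Handles lines like:  define( 'DB_NAME', 'wp_prod' );   (constructed sample)
# Values containing a quote character are not supported.
wp_db_setting() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# wp_backup_files WEBROOT DEST -> prints the archive path
wp_backup_files() {
    bf_root=$1; bf_dest=$2
    bf_name=files-$(date -u +%Y%m%dT%H%M%SZ).tar.gz
    mkdir -p "$bf_dest" || return 1
    tar -czf "$bf_dest/$bf_name" -C "$(dirname "$bf_root")" "$(basename "$bf_root")" || return 1
    ( cd "$bf_dest" && sha256sum "$bf_name" > "$bf_name.sha256" ) || return 1
    printf '%s\n' "$bf_dest/$bf_name"
}

# wp_backup_db WP_CONFIG DEST -> prints the dump path (gzip-compressed)
# The password goes through MYSQL_PWD instead of the command line so it never
# appears in `ps` or shell history. The dump is written to a file first so a
# failed mysqldump is noticed instead of being hidden behind gzip's exit code.
wp_backup_db() {
    bd_cfg=$1; bd_dest=$2
    bd_name=db-$(date -u +%Y%m%dT%H%M%SZ).sql.gz
    bd_tmp=$bd_dest/$bd_name.tmp
    mkdir -p "$bd_dest" || return 1
    MYSQL_PWD=$(wp_db_setting "$bd_cfg" DB_PASSWORD) \
    mysqldump --single-transaction \
        -h "$(wp_db_setting "$bd_cfg" DB_HOST)" \
        -u "$(wp_db_setting "$bd_cfg" DB_USER)" \
        "$(wp_db_setting "$bd_cfg" DB_NAME)" > "$bd_tmp" || { rm -f "$bd_tmp"; return 1; }
    gzip -c "$bd_tmp" > "$bd_dest/$bd_name" || return 1
    rm -f "$bd_tmp"
    ( cd "$bd_dest" && sha256sum "$bd_name" > "$bd_name.sha256" ) || return 1
    printf '%s\n' "$bd_dest/$bd_name"
}

# wp_verify_backup ARCHIVE -> exit 0 only if the sidecar checksum still matches
wp_verify_backup() {
    ( cd "$(dirname "$1")" && sha256sum -c --status "$(basename "$1").sha256" )
}

# wp_backup WEBROOT DEST [KEEP_DAYS]
# Files + DB, then prune archives older than KEEP_DAYS (default 30). Whatever
# lands in DEST must then be copied OFF this host (rsync/scp to a box the web
# server cannot write to, or versioned object storage): a backup that sits
# next to the site gets encrypted right along with it.
wp_backup() {
    wb_root=$1; wb_dest=$2; wb_keep=${3:-30}
    wp_backup_files "$wb_root" "$wb_dest" || return 1
    wp_backup_db "$wb_root/wp-config.php" "$wb_dest" || return 1
    find "$wb_dest" -type f \( -name 'files-*' -o -name 'db-*' \) -mtime +"$wb_keep" -exec rm -f {} +
}

# Usage (from cron): sh wp-backup.sh /var/www/html /var/backups/wp 30
if [ "$#" -ge 2 ]; then wp_backup "$1" "$2" "${3:-30}"; fi
```

Test a restore at least once, on a scratch server, before you trust any of this: extract the tar into a fresh webroot, load the SQL dump into an empty database, and confirm the site comes up. A backup you have never restored from is a hope, not a backup.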
So if you haven't taken the time to put these measures in place to protect your site, do it before it's too late, especially if you rely on your site to drive traffic to your business.
As always, if all of this is too much for you or you don't have the time, visit our site and we can handle all of your web design and security issues. Until next time 🙂