My WordPress Site was Hacked?!


Yes, the familiar cry of a client who woke up to digital graffiti strewn across their online home—or worse. For many small business owners (and even for medium and large businesses) websites can be their sole source of income, or at the very least a large part of their portfolio and presence in today’s business world. Increasingly, sites are being built on the WordPress platform, partly due to cost and partly because it’s one of the most versatile, easy-to-use platforms for content management out there.


The problem with WordPress is the same issue that has been plaguing Microsoft for years: with popularity comes an increased number of people “testing” the security of the platform. Both companies have developed methods of patching and updating to fix these security holes, but you can no longer rely solely on keeping updated to keep your site safe—it’s one step in the process, but will not guarantee that your site is always invulnerable.

In this post we break down your complete WordPress security solution into 3 sections: planning, prevention, and remediation. For planning, you’ll learn how to protect yourself from the worst case scenario, such as your site being entirely ripped apart and turned into a Hello Kitty playground for hackers (they’re strange that way). Prevention will show you how to install and configure a few plugins that will stop problems dead in their tracks, and notify you when there’s a problem. Remediation—well, that one is pretty self-explanatory. That’s usually where I step in and have to rebuild the site from scratch, reinstall 40 plugins, and hope that the most recent backup isn’t two months old.

Planning

Backup, backup, backup. When I first started learning about the industry, shortly before my first job in IT, our instructor handed us the rubber chicken award if we forgot to back things up—several times. Once is not good enough; make sure you have at least two alternatives. With Dropbox, OneDrive, and Google Drive offering cheap or free storage alternatives, it only takes a few minutes to upload a copy there and not have to worry if you wash your USB thumb drive with your entire business saved on it. After your site is up and running, install one plugin (BackWPup Free) and make sure you have a complete copy of your database and files stored somewhere.

To back up using BackWPup, it’s only a few clicks. Go to the BackWPup menu, and click on “Add New Job”. Name the backup whatever you’d like, but just make sure the file, database, and plugin list checkboxes are checked. If you’re unsure about the archive format, click “zip” as you will likely be able to open it on any platform you’re using. If your site is small, you might be able to get away with backing up to email, but for most purposes you will want to either back up to a folder (which you can download afterwards), or back up to Dropbox and a folder for added measures.

Once you hit that “save changes” button, it will refresh the page, and give you a typical “WordPress-style” prompt.

If you clicked Dropbox as well as a folder backup, you’ll notice a new tab at the top, which you’ll need to click on to set up your Dropbox connection. You can choose to just give the app backup privileges, or full access, by clicking one of the two Dropbox Auth Code buttons in that tab.

Once you’re all set up, go back to the Jobs menu option (on the left, under the BackWPup menu), move your mouse over the job you just created, click “run now” and it will take care of the rest.

Prevention

So you have a site up and running, and it’s everything you want it to be—and more. People start to take notice, even the hackers. You don’t know it, but even automated scripts and programs start trying to log in using random passwords, and probing every file for signs of vulnerability. Every plugin you have installed, your theme, and all of the core WordPress files are likely to be scanned at some point. It’s important for either you or your webmaster to keep everything up to date as part of your maintenance! Security fixes are released all the time, so as long as you have a backup of your site you should feel confident in clicking that update button.

I also recommend installing these plugins for security: Wordfence and Sucuri Security. Another one to use if you see a high number of failed login attempts is Login Security Solution, which makes it hard for people to guess your password, as it limits login attempts. Wordfence will scan your core WordPress files and themes (if you use any WordPress.org based themes) and report any changes, which is important because you will know as soon as someone has injected malware into your site. Sucuri Security has similar options, some of which overlap with the other two plugins, but will also give you a file modified list including timestamps, and user login information including IP address. Be careful using the Hardening features, as they may end up blocking access to key files that you need for your site. The best method is to turn one feature on, test your site to make sure it all works, then move on to the next. All of these plugins have built-in email notifications, so make sure your contact information is correct and up to date, and test it to make sure you’re able to receive the emails.

Ask for a copy of your theme files from your web developer, just as a precaution for issues like this; it will save a lot of headache in the future. Any developer that is above board will happily give them to you. Ask for any custom plugins while you’re at it. They won’t be up to date a year down the road, but that’s better than an infected or hacked version.

Remediation

This is the tough part: your site is already compromised and you’ve received a notice (or maybe you haven’t yet) from Google, your web host, or an unhappy customer that was trying to purchase one of your amazing creations. You have two options—wipe out the entire site and restore the backup, or start from scratch and reinstall the plugins.

Option A is fairly straightforward. You would use the tools provided by the pro version of BackWPup and can get support from their forum, but it involves creating a brand new installation of WordPress, installing and activating the plugin, restoring the database, then re-logging into the site and uploading your files.

Option B—wiping out the entire site—is usually the path I have to take when I jump on board after the site is live. I need to find creative solutions for these problems, such as a blacklisted IP that won’t allow emails to go out from your site anymore. That one is a real pain for hockey pools and online stores.

A Clean Installation—Plan B

So what do you do? Well, for starters, you’re going to want to dig out your FTP login details or log into your web host and click on their file manager. Move all of the folders into a subfolder, and call it “bad” or “infected”. We need it for reference, just in case you have content in there that you don’t have anywhere else. Log into your admin dashboard if you can, and write down all of the plugins that you see listed, and which versions they are (which may be important too). You can download a copy of the plugins in zips directly from the WordPress site for use later, or you can wait until after you’ve got everything up and running and install them directly from inside WordPress.

Go to WordPress.org and download a new copy of WordPress. Unzip it, and upload it using your favourite FTP client (I use FileZilla) or by using the file manager on your web host. Every web host is different and you may have to get support involved to give you a hand. They may even be able to install a new copy of WordPress for you. If you don’t have support, or find that it is not willing to help, then you need to find a new web host. They’re a dime a dozen—don’t feel that you need to stick with one, and do your research and look at reviews beforehand.

After you have the files uploaded, you need to review one file you left from the old site—wp-config.php. Take note of the important information in it: database name, server, username, password, and prefix. Using your web host file manager, which usually has a text editor built in, open up the sample config that WordPress provides (wp-config-sample.php) and plug in all of those details. Save the file as wp-config.php, or save it under the sample’s name and rename it afterwards.
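One way to carry those five values over without reusing the old file, as an added example (not part of the original post): the script reads them as text from the quarantined wp-config.php and writes them into a fresh sample, so nothing else in the old file comes along. The file contents, database names and function names are constructed for illustration, and only single-quoted values are accepted.

```python
import re

# Constructed, trimmed inputs: OLD stands in for the quarantined wp-config.php
# (one injected line included), SAMPLE for the fresh wp-config-sample.php.
OLD = r"""<?php
@include 'wp-content/uploads/.cache.php';  // injected line (constructed)
define('DB_NAME', 'shop_db');
define('DB_USER', 'shop_user');
define('DB_PASSWORD', 'p\'ss\\word');
define('DB_HOST', 'localhost');
$table_prefix = 'wp7_';
"""
SAMPLE = """<?php
define( 'DB_NAME', 'database_name_here' );
define( 'DB_USER', 'username_here' );
define( 'DB_PASSWORD', 'password_here' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
"""
LIT = r"'((?:\\.|[^'\\])*)'"  # one single-quoted PHP string literal
PATTERNS = {k: r"(define\(\s*'%s'\s*,\s*)%s" % (k, LIT)
            for k in ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST")}
PATTERNS["table_prefix"] = r"(\$table_prefix\s*=\s*)" + LIT

def extract_settings(old_config):
    """Read the five values as text; the old file is never executed or copied."""
    found = {}
    for key, pat in PATTERNS.items():
        m = re.search(pat, old_config)
        if not m:
            raise ValueError(key + " not found as a plain single-quoted literal")
        found[key] = re.sub(r"\\(['\\])", r"\1", m.group(2))  # undo PHP escapes
    if not re.fullmatch(r"[A-Za-z0-9_]+", found["table_prefix"]):
        raise ValueError("table prefix may hold only letters, digits, underscores")
    return found

def php_quote(value):
    """Re-emit a value as a single-quoted PHP literal (no interpolation)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def fill_sample(sample, settings):
    out = sample  # start from the clean sample text, not from the old file
    for key, pat in PATTERNS.items():
        out, n = re.subn(pat, lambda m, k=key: m.group(1) + php_quote(settings[k]), out)
        if n != 1:
            raise ValueError("expected exactly one %s line in the sample" % key)
    return out

NEW_CONFIG = fill_sample(SAMPLE, extract_settings(OLD))
```

The real wp-config-sample.php also contains salt and key placeholders, which this example leaves untouched.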

Open up your site again and see if you get anything—if you see the content, but not the right template, then you’re almost there!

You will need to log into the dashboard of your site and install Wordfence, as well as any other plugins that you may have had before—the first time you log in you’ll see a list of disabled plugins that have “missing” files. Write those down! You’ll need to refer back to it.

Once you have Wordfence installed, copy your old theme back over; you will find it in the /wp-content/themes folder. Run a full Wordfence scan. It will find and give you options to fix files in your theme, but only if it has access to the original from the WordPress repositories. Otherwise, it will ask you if you want to delete the files. If you have a custom theme, it’s time to ask for a copy from your web developer, or use the copy you already asked for. You’ll need to replace the files one by one, or if it’s too many files just replace them all in one shot.
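For a custom theme, the developer’s copy can serve as the reference when deciding which files to replace. The following added example (not part of the original post, and not how Wordfence itself is implemented) hashes every file in a clean copy and in the quarantined copy and lists what was modified, added or removed; the folder layout and file contents in `demo` are constructed.

```python
import hashlib
import os
import tempfile

def tree_hashes(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    hashes = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            hashes[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return hashes

def compare_theme(clean_root, suspect_root):
    """Report how the suspect theme differs from the developer's clean copy."""
    clean, suspect = tree_hashes(clean_root), tree_hashes(suspect_root)
    return {
        "modified": sorted(p for p in clean if p in suspect and clean[p] != suspect[p]),
        "added": sorted(p for p in suspect if p not in clean),
        "missing": sorted(p for p in clean if p not in suspect),
    }

def demo():
    """Build two small constructed theme folders and compare them."""
    files = {
        "clean/style.css": b"body{}",
        "clean/functions.php": b"<?php // theme setup",
        "clean/inc/helpers.php": b"<?php // helpers",
        "suspect/style.css": b"body{}",
        "suspect/functions.php": b"<?php // theme setup\n// appended line (constructed)",
        "suspect/inc/cache.php": b"<?php // file the developer never shipped",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in files.items():
            path = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return compare_theme(os.path.join(tmp, "clean"), os.path.join(tmp, "suspect"))
```

Files under "added" deserve the closest look, since nothing in the reference copy accounts for them.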

That list of plugins that you wrote down? It’s time to go through them and install the latest versions. If your developer customized any of the plugins for you, then you will need to again get them involved. If you have copies of them in zip format, just use the menu options inside of WordPress to upload those zips, and then re-activate the plugins.

Your Web Host

In some cases your web host will shut down your entire site and require you to pass virus scans that they themselves will run on your site. In this case you’ll probably need to get on the phone with them and remove that “bad” folder you created earlier. They will be able to give you a list of files you may have missed in the initial clean up. Some web hosts won’t provide any support with the sites themselves, at least without a fee. You need to weigh that cost against your time and how much your business is worth. If they want to charge you $500, walk away and find someone else. But if it’s a nominal $50 fee for their time, it will save you the headache!

If you continue to run into issues, it may not be your site; it may actually be your host—some have poor or lax security measures in place. The sites and hosting packages are supposed to be segregated and protected from accessing each other, but in some cases it could be the hosting platform they’re using that is vulnerable. If Wordfence finds nothing wrong with your site, and Sucuri comes up clean, then it’s time to look at where your files are sitting. I highly recommend a WHM/cPanel hosting solution; it is one of the most widely used, easy to transfer between hosts, and easy to back up and restore. It has click-to-install WordPress options, without having to know too much about what you’re doing. If your host is the cause of your website problems, just take a full cPanel backup to any other hosting company and they’ll quickly and easily restore it into a new account for you, usually for free. Their techs will be able to help you switch DNS and if you host your email inside of cPanel it will automatically be transferred over.

The bottom line is: try not to get to this point. Install the plugins and take the backups ahead of time, and with any luck you will have years of great life out of your site.
