Speaking of WordPress Security… I was hacked!

Just last week I spoke at Kelly McCausey’s Hot Seminar Series about WordPress security and the need to keep your sites up to date, remove unused plugins, themes, etc…  I shared lots of great tips on how to protect your WordPress sites from being hacked.

Then, just two days after I spoke, my husband mentioned that my old web design site had some ‘issues’. There were odd-looking characters in the page titles; and thinking back, a client had contacted me at the end of last year telling me the same thing. I had just upgraded the site, so I assumed it was an incompatibility in either the theme or the plugins. Since I do not actively do business via that site (and I was really busy), I didn’t stop to go have a look.

My mistake.

When I logged into the dashboard to see where those odd characters were coming from, I deleted them and then thought to have a look at the HTML within the page. WOW! Hidden backlinks had been inserted to porn sites and all sorts of things.

Ugh! Had I only discovered this before my talk, I could have done a video on what I found and shared it. Learn from my mistakes, so you don’t have to go through the pain of dealing with it.

Ultimately, because this site is not actively used, I chose first to change my password, then to delete all the posts and pages and put up a minimal notice on the site for those older clients of mine who still contact me. Most know to email me and don’t go through the site, but still… I needed to address this issue.

So how did I get hacked?

I’m not sure I’ll ever know. My site was running WordPress version 2.8, so not the latest version, but not horribly out of date. I did update the site periodically.

But this is a perfect example of why you need to keep up with what’s going on with your sites. If you’re like me, you have many, many sites, and it can be time consuming to go to every one of them and update them; but it’s necessary.

So if you have a niche website that you’ve set up and it’s either bringing in money in ‘auto mode’, or you are letting it sit and age, or for whatever other reason you are not regularly logging into its WordPress dashboard, then take heed: go right now and make sure all your websites are up to date and nothing funky is going on.

The active sites I have are always kept up to date, as I’m in there a lot; but I do have a few that I set up and, for a variety of reasons, haven’t visited in a while… they too will be getting checked.

This was a stealth hack: there weren’t any obvious issues, other than the weird characters in the titles. My home page wasn’t hijacked to redirect visitors to another site or anything like that. They inserted their code for hidden backlinks directly within posts and pages, styled so that a visitor never sees them but a search engine still counts them.
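Because the links are hidden by CSS (or an empty anchor) rather than by anything visible in the dashboard, the practical check is to scan the stored post_content of every post and page for links a reader could never see. The script below is an added example, not code from the original post: it walks each post’s HTML and flags anchors that sit inside a hidden container, carry a hiding style of their own, or have no visible text. The sample posts and the spam.example URLs are constructed; on a real site the same function would be fed the post_content column. Note that cleaning the posts removes the symptom only; if the attacker also dropped a file into the theme or a plugin, the links can be re-inserted, which is why the update and plugin-removal steps further down matter too.

```python
"""Detect hidden backlinks injected into WordPress post/page content.

Added example; not from the original post. The sample posts below are
constructed, and the spam URLs use the reserved 'spam.example' name.
"""
import re
from html.parser import HTMLParser

# CSS that takes an element out of view; the tricks hidden-link injections use.
# Each alternative must run to ';' or end of string so 'font-size:0.9em' or
# 'opacity:0.5' are not matched.
HIDING_CSS = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0(?:px|pt|em)?\s*(?:;|$)"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}(?:px|em)"
    r"|opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)"
    r"|(?:height|width)\s*:\s*0(?:px)?\s*(?:;|$)",
    re.IGNORECASE,
)

# Elements that never get a closing tag, so they must not stay on the stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "wbr"}


class HiddenLinkFinder(HTMLParser):
    """Walk one post's HTML and record every <a> a visitor cannot see."""

    def __init__(self):
        super().__init__()
        self.stack = []        # open elements as (tag, hides_content)
        self.open_links = []   # open <a> as [href, visible_chars, already_flagged]
        self.findings = []     # (href, reason)

    def _hidden_reason(self):
        for tag, hides in reversed(self.stack):
            if hides:
                return f"inside hidden <{tag}>"
        return None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        hides = (tag == "noscript" or "hidden" in a
                 or bool(HIDING_CSS.search(a.get("style", ""))))
        if tag == "img" and self.open_links:
            self.open_links[-1][1] += 1          # an image link is visible
        if tag == "a":
            reason = "hidden <a> style" if hides else self._hidden_reason()
            href = a.get("href", "")
            if reason:
                self.findings.append((href, reason))
            self.open_links.append([href, 0, reason is not None])
        if tag not in VOID_TAGS:
            self.stack.append((tag, hides))

    def handle_data(self, data):
        if self.open_links:
            self.open_links[-1][1] += len(data.strip())

    def handle_endtag(self, tag):
        if tag == "a" and self.open_links:
            href, chars, flagged = self.open_links.pop()
            if chars == 0 and not flagged:
                self.findings.append((href, "empty anchor text"))
        # Pop to the matching open tag; tolerates the sloppy markup posts contain.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def scan_post(html):
    """Return [(href, reason), ...] for links a reader would never see."""
    finder = HiddenLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def scan_posts(posts):
    """posts: {post_id: post_content}. Returns only the posts with findings."""
    return {pid: f for pid, f in ((pid, scan_post(h)) for pid, h in posts.items()) if f}


# Constructed sample of post_content rows; 12 is clean, 13 and 14 are injected.
SAMPLE_POSTS = {
    12: '<p>Welcome to my design portfolio. <a href="http://example.com/about">About me</a></p>',
    13: '<p>Latest project notes.</p>'
        '<div style="position:absolute; left:-9999px">'
        '<a href="http://spam.example/buy">cheap pills</a></div>',
    14: '<p>Contact page.</p><span style="display:none">'
        '<a href="http://spam.example/x">x</a><a href="http://spam.example/y">y</a></span>'
        '<a style="font-size:0px" href="http://spam.example/z">z</a>'
        '<a href="http://spam.example/empty"></a>',
}

if __name__ == "__main__":
    for pid, findings in scan_posts(SAMPLE_POSTS).items():
        for href, reason in findings:
            print(f"post {pid}: {href}  ({reason})")
```

Run it against a dump of post_content (for example the output of a SELECT on the posts table piped into the script) rather than against the rendered site, because a theme or caching plugin can hide what is really stored. Any post it reports is worth opening in the HTML editor before you decide whether to clean it or delete it outright.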

So learn from my experience; go right now today, and do these things to protect your web sites from being hacked.

Hack Prevention Action Steps

  1. Change your password. This is critically important! I started using Roboform a few months ago. I absolutely love it, as I can use really long, difficult passwords and it stores them securely for me.
  2. Remove any themes and plugins that you are not actively using. If you want to log into your site via FTP and download them to your computer for future use, that’s fine; but then delete every single one that you do not have activated and are not using. An inactive plugin’s files still sit on the server where anyone can request them directly, so ‘deactivated’ is not the same as ‘gone’.
  3. Update your WordPress installation to the latest version. I highly recommend using the WP Automatic Upgrade Plugin to make this process complete. It will do all the required steps for you (i.e. backing up your files and database, downloading the latest WordPress version, deactivating plugins, putting the site in maintenance mode, installing/upgrading, reactivating plugins and taking the site out of maintenance mode). The built-in upgrade function within WordPress will upgrade your installation to the latest version, but even it fails to do all the steps that WordPress themselves recommend when upgrading your site. I have no clue why they would offer a built-in function that doesn’t do everything it should, so get the WP Automatic Upgrade plugin and problem solved.
  4. Upgrade any plugins and your WordPress theme, if an update is available. After you’ve upgraded your WordPress install to version 3+, you’ll find the Updates area under the Dashboard tab in the left column. Click that to see if you have any plugins and/or themes that need upgrading. Yep, the 3+ version of WordPress will upgrade your plugins and your themes! Sa-weet!
  5. One final bit of advice: check the Users that are registered for your site to make sure that there are no questionable users registered. I personally have the registration feature turned off on my blogs, so no one can register. I do know that on my hacked blog, at one time, I did have that feature turned on and I saw several user accounts listed, and that could have been one possible way they gained access to my site. (I deleted all user accounts except for my own.) So if you do not need folks registering on your site, turn off that function within your settings, and thoroughly check any registered user accounts for your blog, paying particular attention to their permission/user level settings.
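Step 5 is the one that is easy to do badly, because the Users screen shows a role name but not how that role is stored. WordPress keeps each user’s role in the usermeta table under the key `<prefix>capabilities` (`wp_capabilities` on a default install) as a PHP-serialized array such as `a:1:{s:13:"administrator";b:1;}`. The script below is an added example, not code from the original post: it parses that format for every account and reports any account, other than the ones you expect, that holds administrator or can publish content, plus accounts with no role at all. The rows are constructed in the shape the shown query would return; nothing here connects to a database.

```python
"""Audit WordPress user accounts for roles nobody expects them to hold.

Added example; not from the original post. WordPress keeps each user's role
in wp_usermeta under the key '<prefix>capabilities' as a PHP-serialized array,
e.g. a:1:{s:13:"administrator";b:1;}. The rows below are constructed; the
query string documents how a real run would fetch them (default 'wp_' prefix).
"""
import re

# Not executed here; shown as the SELECT that produces SAMPLE_ROWS on a live site.
ROLE_QUERY = """
SELECT u.user_login, u.user_registered, m.meta_value
FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
"""

# Roles that can publish or edit content on a default install.
PUBLISHING_ROLES = {"administrator", "editor", "author"}


def php_unserialize(text):
    """Parse the subset of PHP serialization WordPress uses for capabilities:
    arrays (a:) of string keys (s:) with bool (b:), int (i:) or string values.
    String lengths are byte counts in PHP; ASCII role names make that a no-op."""
    pos = 0

    def parse():
        nonlocal pos
        kind = text[pos]
        if kind == "a":
            m = re.match(r"a:(\d+):\{", text[pos:])
            if not m:
                raise ValueError(f"bad array at {pos}")
            pos += m.end()
            out = {}
            for _ in range(int(m.group(1))):
                key = parse()
                out[key] = parse()
            if text[pos] != "}":
                raise ValueError(f"unterminated array at {pos}")
            pos += 1
            return out
        if kind == "s":
            m = re.match(r's:(\d+):"', text[pos:])
            if not m:
                raise ValueError(f"bad string at {pos}")
            pos += m.end()
            n = int(m.group(1))
            value = text[pos:pos + n]
            if text[pos + n:pos + n + 2] != '";':
                raise ValueError(f"bad string terminator at {pos + n}")
            pos += n + 2
            return value
        if kind == "b":
            m = re.match(r"b:([01]);", text[pos:])
        elif kind == "i":
            m = re.match(r"i:(-?\d+);", text[pos:])
        else:
            raise ValueError(f"unsupported type {kind!r} at {pos}")
        if not m:
            raise ValueError(f"bad scalar at {pos}")
        pos += m.end()
        return m.group(1) == "1" if kind == "b" else int(m.group(1))

    value = parse()
    if pos != len(text):
        raise ValueError("trailing data after serialized value")
    return value


def roles_of(capabilities):
    """Role names whose flag is true in a capabilities array."""
    return sorted(role for role, on in php_unserialize(capabilities).items() if on)


def audit_users(rows, expected_admins):
    """rows: (user_login, user_registered, capabilities) tuples.
    expected_admins: logins that are allowed to hold administrator.
    Returns (login, roles, warning) for every account worth a second look."""
    findings = []
    for login, registered, caps in rows:
        roles = roles_of(caps)
        if "administrator" in roles and login not in expected_admins:
            findings.append((login, roles, f"unexpected administrator (registered {registered})"))
        elif PUBLISHING_ROLES & set(roles) and login not in expected_admins:
            findings.append((login, roles, "can publish or edit content"))
        elif not roles:
            findings.append((login, roles, "no role at all; leftover account"))
    return findings


# Constructed rows in the shape ROLE_QUERY returns.
SAMPLE_ROWS = [
    ("traci",     "2009-01-15 10:22:01", 'a:1:{s:13:"administrator";b:1;}'),
    ("guest7781", "2010-03-02 04:11:39", 'a:1:{s:10:"subscriber";b:1;}'),
    ("sysadmin",  "2010-03-02 04:12:05", 'a:1:{s:13:"administrator";b:1;}'),
    ("editor2",   "2010-03-03 23:40:17", 'a:1:{s:6:"editor";b:1;}'),
    ("old",       "2008-11-01 09:00:00", 'a:0:{}'),
]

if __name__ == "__main__":
    for login, roles, warning in audit_users(SAMPLE_ROWS, {"traci"}):
        print(f"{login:<10} {','.join(roles) or '-':<15} {warning}")
```

A plain subscriber left over from open registration is a nuisance rather than a foothold, so the audit stays quiet about those; an administrator you did not create, registered minutes after a subscriber, is the account to delete first, and then change your own password again, since whoever made it had enough access to do so.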

That’s it. Again, I’m clearly not perfect and let one of my sites slip into dormant status and the result was I left it open and vulnerable and a hacker got in. So when I talk about WordPress security, and the steps needed to protect your blog, you know that I have first-hand experience. ;)

To YOUR Success,

Traci

P.S. Have you ever had your blog hacked? What did you have to do to fix it?


Comments

  1. Thank you Traci – When I see that kind of title I jump right in because of past experiences of being hacked.

    Good advice about registered users – I must admit I have so many spammers stuck in there :(

    Something I am sure a few people fail at is reading the setup instructions carefully for plugins like WP Super Cache, where some directory may remain open to attack if the permissions aren’t changed. Always read the manual :)

    • Traci Knoppe says:

      Hey Shawn – the frustrating part for me is that I knew better. I should not use the excuse of being busy to not get to all my sites and get them updated. Lesson learned; which is why I posted this, to help someone else avoid this issue. ;)

      • Well taking time out to write that up is appreciated.

        I think what happens is you are aware of the dangers but you balance risk with current priorities and it takes the back seat. A bit like backing up your hard drive :(

  2. Sculley says:

    Thanks Traci. I’m wondering what your thoughts are about this article: http://www.makeuseof.com/tag/18-useful-plugins-and-hacks-to-protect-your-wordpress-blog/. There are some hard core suggestions.

    • Traci Knoppe says:

      Hi Sculley – that’s a pretty good list. Most of those I either use, or have used. Some I’ve not heard of.

  3. Christine says:

    Hi Tracy,

    I hate to hear what happened to you. WordPress hacking and internet security violation is getting worse for sure.
    WordPress blogs hosted with Godaddy are the latest target. I am not sure of the numbers… but MANY blogs have been compromised in the last couple of months who use Godaddy as a host.

    I have been following a website called WP Security Lock and they have been keeping me updated.
    I have been so impressed with it I became an affiliate with them because I feel their services are so critically in need and will be more so as the years go by.

    Here is my link if you want to check out the site: http://www.wpsecuritylock.com/x.php?adminid=2517&id=8798

    I have been putting together a Cyber Security info (watchdog) website to help spread the word about this growing issue and hopefully share many of the solutions I have been researching.

    Hopefully, together, we can all find the protection needed to tend to this problem soon, as the damage this crime causes is too mind-boggling to really comprehend at times.

    Thanks for your blogging and keeping us updated!

    Christine

    • Traci Knoppe says:

      Thanks Christine. I have heard of WP Security Lock.

      While I think Godaddy is great for registering domain names; as a web host – they stink. I personally prefer either my own web hosting ;) – or HostGator.

      As a service provider, I have to deal with all sorts of web hosts, and some are just a plain pain in the rear and scary as to how little the tech folks actually know about hosting. LOL

  4. Traci,

    I think my blog was hacked as well. Not the blog that I regularly blog on, but one that I just blog on occasionally. There are a bunch of blog post drafts that I know for a fact I didn’t write. Besides the fact that the English is horrendous, they are writing about belly dancers.

    I checked the users and there is only me, so I’m not sure how they hacked me. I did have plugins that needed updating, but my WordPress was up to date.

    Why would they hack my blog and just add drafts? It’s not even a blog that is making money. You better believe I will be checking it a lot more often.

    Thanks for a great post.
    Mary

    • Traci Knoppe says:

      Ugh! Sorry that happened to you Mary. As for why – that’s the million dollar question, isn’t it? Why do hackers hack and spammers spam. LOL

      To annoy folks I imagine. :P

      Coming soon – a tutorial showing how to edit your WordPress database table prefix and other overly technical security goodness. ;)

  5. Jack says:

    Thanks for the info. May I know which is more secure, WordPress or blogger.com? Sorry, I’m not trying to compare, because I’m new to this. Probably you also have experience with Blogger security. Many thanks for the advice.
