Eeek! My blog was hacked! It wasn’t a fun experience, but I learned a few ways to avoid being hacked in the process. Now I want to share the tools that will help you keep your blog or website protected. Here’s my story.
Sometimes it seems like life is one learning curve after another. Just when you get the hang of diaper changes and the right number of naps a day, your baby starts walking and you’re shoved into the world of parenting a toddler. Children are a constant roller coaster ride but they’re nothing in comparison to the endless learning required to be computer literate. I’ve worked on Adobe Photoshop for over two years and I still have only scratched the surface. The program frequently drives me to tears.
My foray into creating and running a website has been fraught with confusion and frustration. I had to buy a book to understand how to use WordPress and just the mention of HTML makes my eyes cross. Two weeks ago the launch of this website was stopped cold by my hosting company, who informed me I had gone over some electronic limit of something, and that I needed to pay $169 a month so this wouldn’t happen again. Thankfully, like most things connected to WordPress, there’s a free plugin for that. I have no idea what it does or how it works, but hopefully the insert of “Quick Cache” will solve the problem.
But my worst problem yet came this morning when I woke up to find my website had been hacked.
Someone, or more probably some roving program, managed to get into this website, and from here jump to my two other sites. Not fun. I contacted my hosting company who ejected the bug. Meanwhile, I spent the morning installing MORE plugins and updating both my passwords and user names. Unfortunately, I lost three posts, and basically everything I worked on this week is gone, as well as a large number of my followers’ comments. This part is especially upsetting, because I love your comments and I can’t bring them back.
After my hosting company Just Host cleared up the hacking thing, they sent me a very nice letter explaining all the things one can do to make one’s site safe. Since the only safety measure I knew about prior to today was to install a strong password, I thought I’d pass some of their advice on to you, just in case any of you use WordPress for your blogs.
How to Avoid Being Hacked
Here are some things you can do to secure your WordPress blog. (Please note, although I added some thoughts of my own here and there, almost everything that is written below came directly from Just Host.)
1: Encrypt your Login
Whenever you try to log in to your website, your password is sent unencrypted. If you are on a public network, a hacker can easily ‘sniff’ out your login credentials using a network sniffer. The best way to prevent this is to encrypt your login with the Chap Secure Login Plugin. This plugin adds a random hash to your password and authenticates your login with the CHAP protocol.
2: Stop Brute Force Attacks
Hackers can easily crack your login password and credentials by trying hundreds of different combinations. To prevent that from happening, you can install the Login Lockdown Plugin. This plugin records the IP address and timestamp of every failed WordPress login attempt. Once a certain number of failed attempts are detected, it will disable the login function for all requests from that IP range.
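To show how that kind of lockout works, here is a small added example in Python (it is not the Login Lockdown plugin's code and it did not come from Just Host). The thresholds, the grouping of addresses into /24 ranges and the sample login events are all assumptions made up for the illustration.

```python
import ipaddress
from collections import defaultdict, deque

# Assumed settings for illustration; not the plugin's actual defaults.
MAX_FAILURES = 3        # failed attempts allowed inside the window
WINDOW_SECONDS = 300    # how far back failures are counted
LOCKOUT_SECONDS = 3600  # how long a range stays locked out
RANGE_PREFIX = 24       # IPv4 addresses are grouped into /24 ranges

def ip_range(ip):
    # Network an address belongs to, e.g. 203.0.113.10 -> 203.0.113.0/24.
    return ipaddress.ip_network(f"{ip}/{RANGE_PREFIX}", strict=False)

class LoginLockdown:
    def __init__(self):
        self.failures = defaultdict(deque)  # range -> recent failure times
        self.locked_until = {}              # range -> time the lockout ends

    def attempt(self, ip, now, password_ok):
        # Returns "blocked", "ok" or "failed" for one login attempt.
        net = ip_range(ip)
        if self.locked_until.get(net, 0) > now:
            return "blocked"      # refused before the password is checked
        if password_ok:
            return "ok"
        recent = self.failures[net]
        recent.append(now)
        while recent and recent[0] <= now - WINDOW_SECONDS:
            recent.popleft()      # forget failures older than the window
        if len(recent) >= MAX_FAILURES:
            self.locked_until[net] = now + LOCKOUT_SECONDS
            recent.clear()
        return "failed"

# Constructed sample events: (time in seconds, source IP, password correct?)
EVENTS = [
    (0, "203.0.113.10", False),
    (20, "203.0.113.11", False),   # same /24, different address
    (40, "203.0.113.12", False),   # third failure: the range is locked
    (60, "203.0.113.10", True),    # right password, but range is locked
    (70, "198.51.100.7", True),    # unrelated range is unaffected
    (3700, "203.0.113.10", True),  # lockout has expired
]

def replay(events):
    guard = LoginLockdown()
    return [guard.attempt(ip, t, ok) for t, ip, ok in events]

print(replay(EVENTS))
```

Notice that the fourth attempt is refused even though the password is right: while a range is locked out, nobody in it can log in, which is why the lockout should expire on its own.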
3: Use a Strong Password
Make sure you use a strong password that is difficult for others to guess. (Ok. I knew I was supposed to do this but I was lazy.) Use a combination of digits, special characters and upper/lower case to form your password.
4: Change your Login Name
The default username for many sites is “admin”. You can make it more difficult for the hacker to crack your login credentials by changing the login name to something unusual.
In your WordPress dashboard, go to Users and set up a new user account. Give this new user administrator role. Log out and log in again with the new user.
Go to Users again. This time, check the box beside admin and press Delete. When it asks for deletion confirmation, select the “Attribute all posts and links to:” and select your new username from the dropdown bar. This will transfer all the posts to your new user account. Press Confirm Deletion.
5: Upgrade to the Latest Version of WordPress and Plugins
The latest version of WordPress always contains bug fixes for any security vulnerabilities; therefore, it is important to keep yourself updated at all times.
6: Backup your WordPress Database
No matter how secure your site is, you still want to prepare for the worst. After reading this post, the writer of Beautifully Invisible suggested a plugin to back up WordPress blogs. It’s called the WP-DBManager Plugin.
Update July 2013: My blog was hacked over two years ago, but I installed these plugins and used all the tips I explained above to protect my site. I have not been hacked since!