Hopefully, you’ve never had your WordPress site or network hacked. Take my word for it, though: you need to be ready, because all it takes is one hack to put you out of business. For a long time, I wasn’t a cat that was big on WordPress security, mainly because I didn’t think anyone had a reason to mess with me and I figured my hosting company and WordPress had that figured out.
Big mistake. About a year ago, I had a hacker break into one of my primary WordPress sites. They deleted 200+ pages of content, replaced it with their own spam content, linked to it from other spam sites, hijacked my admin account and left me with no option but to delete the site and start over.
If this concerns you, I’ve got a few tips which will help you to protect your WordPress site. Most important, I’d like to tell you about an anti-malware plugin that you need to get working on your WordPress site or network right away.
Norton for WordPress, Only Less Annoying (Sorry Nort)
WordPress Anti-Malware is a free WordPress plugin which works much the way Norton or AVG works on your desktop computer. You set it up to scan your WordPress site from the simple admin settings shown in the screenshot here:
Notice that you can adjust the settings so that certain directories or file types are excluded, so the scan doesn’t waste time checking your JPEG or PNG files. Keep in mind that excluding by extension is a bet that nothing malicious is stored under that extension; a PHP file dropped into your uploads folder with an image name would be skipped, so run a full scan with no exclusions now and then. I suggest you run the scan once a week, or once a day if you have a highly trafficked site.
What Should You Do When You Find a Malicious File?
If the Anti-Malware plugin flags a file as questionable, that doesn’t always mean it’s malware, so don’t go deleting anything on the spot.
The makers of the WordPress Anti-Malware plugin advise that you have the file examined by an expert. If you have a programmer you trust and a couple of bucks to pay them, this is probably a good idea.
But if you’re bootstrapping and don’t have the money to hire a programmer, you can always use Google search to help you out. This works well for investigating any kind of malware: even if it’s only a few days old, you can bet someone somewhere has already run into it and gone to an online forum to ask for help.
I’ve found several questionable programs which I’ve been able to verify as malware and even remove just by Googling the name of the file and adding the words “remove,” “virus” or “malware.” For example, if the file is named “evil-virus-outta-getcha,” type this into the Google search bar:
Remove evil-virus-outta-getcha malware virus
You’ll usually get results from a programming forum where people discuss programming issues or ask more experienced members for help. Just be sure you read the responses carefully and don’t follow advice from anyone who doesn’t appear to know what they’re talking about.
Most forums have reputation systems which tell you how many “cool points” a person has on the forum or how much of an expert the other forum users consider them to be. Use these statistics to decide whom to listen to. If you have any doubts, you can also ask your hosting provider about the file and see if it’s something they’re familiar with.
Again, just be careful who you listen to.
There are a lot of well-meaning, yet inexperienced people on the internet who are quick to cry “virus” over things which are harmless. If you delete something prematurely, you might find you’ve lost one of your WordPress cron jobs or something even more important for the performance of your site.
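Before you act on anything a forum tells you, there are two checks you can run yourself on a flagged file: compare it against a known-good copy (for core files, the hashes come from a fresh download of the same WordPress version from wordpress.org), and look for the constructs injected PHP and spam code lean on. The script below is an added example, not code from this post or from the Anti-Malware plugin. It builds a small constructed directory tree standing in for a WordPress install (none of the files or hashes are real WordPress files), scans every file regardless of extension, and reports why each one deserves a closer look rather than deleting anything:

```python
"""Triage files the scanner flagged, before deleting anything (added example).

Not code from the original post or the Anti-Malware plugin. Builds a constructed
stand-in for a WordPress tree and runs the two checks worth doing by hand:
  1. hash comparison against a known-good copy, and
  2. a search for the constructs injected PHP and spam code lean on, in every
     file, including ones named like images.
"""
import hashlib
import os
import re
import tempfile

# Indicators, checked in this order. A hit means "look closer", not "delete".
SUSPICIOUS = {
    "eval_of_decoded_input": re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "eval_of_request_input": re.compile(
        r"eval\s*\(\s*@?\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
    "request_passed_to_exec": re.compile(
        r"\b(system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
    "long_base64_blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
    "hidden_spam_links": re.compile(r"display\s*:\s*none[^>]*>\s*<a\s", re.I),
}
PHP_TAG = re.compile(r"<\?php|<\?=", re.I)
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(path, rel=None, known_good=None):
    """Reasons this file deserves a closer look; an empty list means nothing found."""
    rel = rel or os.path.basename(path)
    known_good = known_good or {}
    reasons = []
    if rel in known_good:
        if sha256_of(path) == known_good[rel]:
            return []                      # byte-identical to the pristine release: keep it
        reasons.append("differs from known-good copy")
    with open(path, "rb") as f:
        text = f.read().decode("utf-8", errors="replace")
    if os.path.splitext(rel)[1].lower() in IMAGE_EXT and PHP_TAG.search(text):
        reasons.append("php code inside an image-named file")
    reasons.extend(name for name, rx in SUSPICIOUS.items() if rx.search(text))
    return reasons


def scan_tree(root, known_good=None):
    """Walk every file under root; nothing is skipped by extension."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            reasons = triage(path, rel, known_good)
            if reasons:
                findings[rel] = reasons
    return findings


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def build_sample_site():
    """Constructed stand-in for a WordPress tree; none of these are real WP files."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    cron = b"<?php\n// stand-in for wp-cron.php: a harmless scheduled-task runner\nrequire __DIR__ . '/wp-load.php';\n"
    _write(root, "wp-cron.php", cron)
    # a file whose pristine hash is known, but whose content was changed on disk
    _write(root, "wp-load.php", b"<?php\n// stand-in, edited after install\n")
    # backdoor hiding under an image name (first bytes mimic a JPEG header)
    _write(root, "wp-content/uploads/2012/05/photo.jpg",
           b"\xff\xd8\xff\xe0<?php @eval($_POST['c']); ?>")
    # invisible link block of the kind spam injections add to a theme
    _write(root, "wp-content/themes/x/footer.php",
           b'<div style="display:none"><a href="http://example.invalid/pills">buy</a></div>')
    # obfuscated loader: eval over a decoded blob (file name is made up)
    _write(root, "wp-includes/class-wp-helper.php",
           b"<?php\neval(base64_decode('" + b"A" * 240 + b"'));\n")
    known_good = {
        "wp-cron.php": hashlib.sha256(cron).hexdigest(),
        "wp-load.php": hashlib.sha256(b"<?php\n// stand-in, pristine\n").hexdigest(),
    }
    return root, known_good


if __name__ == "__main__":
    root, known = build_sample_site()
    for rel, reasons in sorted(scan_tree(root, known).items()):
        print(f"{rel}: {', '.join(reasons)}")
```

The hash check comes first on purpose: a core file that matches the official release is innocent whatever the pattern list says, and that is exactly the kind of file an eager forum poster tells you to delete. The pattern hits are the opposite: a reason to read the file, not a verdict.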
In addition to getting hold of that plugin, let’s look at a few extra steps you can take to secure your WordPress site:
Change Your Usernames and Database Names to Something Less Generic
WordPress core does little on its own to stop brute-force login attacks (wp-login.php does not lock out or throttle repeated failed attempts), so I wouldn’t take a chance on it holding up 100% of the time. Hackers might be scumbags, but most of them are smarter than the people we have sitting in the White House.
(yes, I went there)
I suggest changing the generic defaults on your WordPress site to something more specific and harder to guess. That includes your admin username (if in fact you’re still using the default “admin”, the first name any brute-force attempt tries) and the name of your WordPress database, which is usually something like this:
I wrote a couple of posts recently on how to make these changes; it’s simpler than you think. If you want to make them, check these two posts out:
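As an added illustration of what those changes involve (this is not code from this post or from the how-to posts it links), the script below runs the two renames against an in-memory SQLite copy of the three tables that matter, so every step is visible and checkable. It assumes the stock `wp_` table prefix, a made-up new prefix `k9x_`, a made-up new login name, and constructed rows rather than a real database; where MySQL syntax differs for a real site, the equivalent statement is given in a comment.

```python
"""Retire the 'admin' login and the default wp_ table prefix (added example).

Not code from the original post or its linked how-tos. Runs the change against
an in-memory SQLite copy of the tables that matter; MySQL equivalents are in
comments. Assumptions: stock prefix wp_, new prefix k9x_, a new login name, and
constructed rows rather than a real database.
"""
import sqlite3

OLD, NEW = "wp_", "k9x_"


def seed(conn):
    """Constructed minimal schema; real WP tables have many more columns."""
    conn.executescript(f"""
    CREATE TABLE {OLD}users (ID INTEGER PRIMARY KEY, user_login TEXT,
                             user_nicename TEXT, display_name TEXT);
    CREATE TABLE {OLD}usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                meta_key TEXT, meta_value TEXT);
    CREATE TABLE {OLD}options (option_id INTEGER PRIMARY KEY, option_name TEXT,
                               option_value TEXT);
    INSERT INTO {OLD}users VALUES (1, 'admin', 'admin', 'admin');
    INSERT INTO {OLD}usermeta VALUES (1, 1, '{OLD}capabilities',
                                      'a:1:{{s:13:"administrator";b:1;}}');
    INSERT INTO {OLD}usermeta VALUES (2, 1, '{OLD}user_level', '10');
    INSERT INTO {OLD}usermeta VALUES (3, 1, 'nickname', 'admin');
    INSERT INTO {OLD}options VALUES (1, '{OLD}user_roles', 'constructed roles blob');
    INSERT INTO {OLD}options VALUES (2, 'siteurl', 'http://example.invalid');
    """)


def rename_admin(conn, prefix, new_login):
    """Rename the 'admin' account in place. user_nicename must change too: it is
    the slug in author archive URLs (/author/<nicename>/), so leaving it alone
    would hand the old name straight back to anyone enumerating authors."""
    cur = conn.execute(
        f"UPDATE {prefix}users SET user_login = ?, user_nicename = ?, display_name = ? "
        "WHERE user_login = 'admin'",
        (new_login, new_login, new_login))
    return cur.rowcount


def list_prefixed_tables(conn, prefix):
    """MySQL equivalent: SHOW TABLES LIKE 'wp\\_%'. Plugin tables carry the
    prefix too, so discover them instead of hard-coding the core list."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name LIKE ? ESCAPE '\\'",
        (prefix.replace("_", "\\_") + "%",))
    return sorted(r[0] for r in rows)


def change_prefix(conn, old, new):
    """Rename every prefixed table, then fix the two places the prefix also lives
    inside row data; skipping that second step is how people lock themselves out."""
    tables = list_prefixed_tables(conn, old)
    for t in tables:
        # MySQL: RENAME TABLE wp_users TO k9x_users;
        conn.execute(f"ALTER TABLE {t} RENAME TO {new}{t[len(old):]}")
    cut = len(old) + 1                    # substr()/SUBSTRING() are 1-based
    like = old.replace("_", "\\_") + "%"
    # wp_options: 'wp_user_roles' holds the role definitions
    # MySQL: SET option_name = CONCAT('k9x_', SUBSTRING(option_name, 4))
    conn.execute(f"UPDATE {new}options SET option_name = ? || substr(option_name, ?) "
                 "WHERE option_name LIKE ? ESCAPE '\\'", (new, cut, like))
    # wp_usermeta: 'wp_capabilities', 'wp_user_level', 'wp_user-settings', ...
    conn.execute(f"UPDATE {new}usermeta SET meta_key = ? || substr(meta_key, ?) "
                 "WHERE meta_key LIKE ? ESCAPE '\\'", (new, cut, like))
    # Last step on a real site: $table_prefix = 'k9x_'; in wp-config.php.
    return tables


def run_demo():
    conn = sqlite3.connect(":memory:")
    seed(conn)
    renamed = rename_admin(conn, OLD, "site_owner_j7")
    change_prefix(conn, OLD, NEW)
    conn.commit()
    return {
        "renamed_rows": renamed,
        "tables": list_prefixed_tables(conn, NEW),
        "old_tables_left": list_prefixed_tables(conn, OLD),
        "login": conn.execute(f"SELECT user_login, user_nicename FROM {NEW}users WHERE ID = 1").fetchone(),
        "role_option": conn.execute(f"SELECT option_name FROM {NEW}options WHERE option_id = 1").fetchone()[0],
        "meta_keys": sorted(r[0] for r in conn.execute(f"SELECT meta_key FROM {NEW}usermeta")),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Take a database backup before doing this for real, and do the table renames and the two row updates in one sitting: between them, WordPress can find the tables but not the role and capability rows, and every login looks like a user with no permissions.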
Finally, I suggest getting the WPMU DEV Anti-Splog plugin, which has several layers of protection against people who sign up for your site just to leave generic comments linking to penis enlargement pills.
Many times, a hacker will start out as a mere spammer. Next thing you know, they’ve taken over the admin account on your WordPress site, changed the primary email on your admin account and made it impossible for you to even reset your own password. Call me paranoid, but it’s happened to me. Don’t let it happen to you.
Here’s the download for the WordPress Anti-Malware plugin again.