My blog, Leaving Work Behind, was hacked in April. This is something you read about often but never really expect to happen to you, until it’s too late. To be honest, I didn’t consider myself a prime candidate: I write about WordPress security often enough to take adequate precautions. However, those measures were obviously not comprehensive enough.
Being hacked is something I don’t want to experience again. There are many reasons why website downtime is bad for your blog or business: although lost traffic and potential lost revenue are the two most obvious, I cannot understate the time I lost and the stress that restoring the website caused me.
In this article, I want to reveal what happened to my website and let you know what I have done to improve the security of the website.
Hacked: My Story
When I woke up on Thursday, April 18th, my website was down and had been down for several hours. I immediately contacted my hosting provider, Westhost, who told me that their ModSecurity firewall had detected abnormal activity on my website and immediately shut it down as a preventive measure. After running an initial recovery on the site, I could immediately see that it had been hacked. Although the changes were relatively subtle, it was clear that some unscrupulous person had been poking around.
As it turned out, a large number of WordPress sites had also been hacked, and Westhost had their work cut out. Fortunately, they back up the website every day, and by the afternoon of the next day I was back online, with a version of my website as close as possible to the current one.
This is the effect the hack had on my traffic:
As the chart above shows, traffic this week dropped by about 30% compared with the previous week. In theory, this means that income fell by 30% too.
Naturally, I wanted to make sure (as much as I could) that such a hack would not be repeated. I acted immediately.
My immediate steps
The first thing I did was to confirm that I had been following the steps outlined in my recent post on securing your WordPress site.
These are the absolute basics: update my themes and plugins, make sure I have a recent backup, make sure my default profile is not named “admin”, change my password, and check the security plugins on my website. With these items covered, it was time to move on.
I do not imagine that my website is now 100% safe; after all, there is no such thing as a 100% safe website. Having said that, I know it is much safer than before, and I will continue to study site security measures now and in the future. So far, this is what I have done.
1. I installed VaultPress
I have been using VaultPress for a few days, and I can’t believe I was so cheap that I didn’t pay for this service beforehand. Their basic package starts at $15 per month. I would pay that any day of the week for peace of mind.
In fact, I chose their premium package ($40 per month), which includes:
- Real-time backup
- Automatic one-click site restoration
- Archives, statistics and activity logs
- Priority disaster recovery
- Priority “Concierge” support
- Daily security scan
- Security notifications
- One-click security threat repair program
- Site migration assistance
Basically, they have you covered.
Although VaultPress cannot guarantee the security of your website, it *can* almost ensure that your website can be restored relatively easily. Looking at the hourly snapshots of the site stored on the VaultPress server will give you peace of mind.
Although there are many free backup solutions out there, I think nothing is more important than the relative peace of mind I get from VaultPress. They can now restore any of 90 snapshots of my website, the most recent of which is only 20 minutes old. I know that my website is safe in their hands.
2. I managed my user profiles
Hackers may access your site through any admin profile in your WordPress backend, not just the one you use. When I loaded my profiles, I could see that I had three others: a guest poster profile, and the profiles of two other (trusted) people whom I had allowed to access my website.
I first closed those two profiles and changed the role of the guest poster profile to author. This is what I recommend you do: only create administrator profiles that are absolutely necessary. In addition, you should of course ensure that each account has a suitably random and unique password, and that the password is changed regularly.
Sometimes you need to give people (such as your web designer) access to your website. In this case, I recommend that you create a profile for them with a new password, and then delete the profile as soon as it is no longer necessary.
Always consider the entry points of your website and whether they are absolutely necessary.
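One way to run the profile review described above from the command line, as an added example that is not part of the original post: the function reads the CSV printed by WP-CLI's `wp user list` and flags administrator accounts that are not on an allowlist, plus any account literally named `admin`. The logins, addresses and allowlist in the sample are constructed.

```shell
#!/bin/sh
# Added example: audit WordPress administrator accounts.
# Input is the CSV printed by WP-CLI:
#   wp user list --role=administrator \
#     --fields=user_login,user_email,user_registered --format=csv
# The allowlist and the sample rows below are constructed for illustration.

# audit_admins ALLOWLIST < csv
#   ALLOWLIST: space-separated logins that are expected to be administrators.
#   Prints one finding per line and returns 1 if anything was flagged.
audit_admins() {
    awk -F, -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 || $1 == "" { next }          # skip the header row and blank lines
        {
            login = $1
            # The default login name is the first one a password guesser tries.
            if (tolower(login) == "admin") {
                print "DEFAULT-NAME " login; bad = 1
            }
            # Every administrator that nobody can account for is an entry point.
            if (!(login in ok)) {
                print "UNEXPECTED-ADMIN " login " <" $2 "> registered " $3; bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: what the WP-CLI command above might print.
sample_admins() {
    cat <<'EOF'
user_login,user_email,user_registered
owner,owner@example.com,2011-05-01 10:00:00
admin,old@example.com,2011-05-01 10:05:00
designer,designer@example.com,2013-01-12 16:30:00
EOF
}

# Stand-alone run; on a live site, pipe the WP-CLI command in instead.
sample_admins | audit_admins "owner" || echo "Review the accounts listed above."
```
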
3. I changed my password
You might think this is an obvious move, but I’m not actually talking about my WordPress passwords. Although I *did* change them, I also made sure to change the passwords on all particularly sensitive accounts, namely:
- My hosting account
- Amazon Associates
- and many more
If you want to know why I made this move, consider the story of Mat Honan, whose entire digital life was destroyed by a hacker who initially broke into his Amazon account. If you are at all complacent about online security, his story is a must-read.
Consider this simple chain: a hacker gains access to your email account, from which you recently sent an email to your web designer with login details for your WordPress site. That is all they need to get into your website and do whatever they want. Hacking can be that basic.
4. I upgraded to SFTP
You may not know this: any data you transfer via FTP (including your username and password) is completely unencrypted. Therefore, anyone who can successfully intercept an FTP transfer will be able to obtain your login details and access your account.
This not only allows them to add and delete files as they see fit; they can also access your WordPress database through phpMyAdmin and ultimately log in to your site.
In short, if hackers can get in via FTP, how well you have secured direct access to your WordPress site does not matter. Therefore, I strongly recommend that you disable FTP access to the site and use the alternative SFTP protocol to transfer files, which *does* encrypt data. Any good hosting provider should be able to help you.
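To verify the switch described above on a server where you have shell access, the following added example (not part of the original post) reads the listening TCP sockets as printed by `ss -Htln` and reports whether plain FTP is still exposed and whether SSH, which carries SFTP, is available. It assumes the default ports 21 and 22; the socket listings are constructed.

```shell
#!/bin/sh
# Added example: confirm that plain FTP is off and SSH/SFTP is on.
# Input: listening TCP sockets as printed by `ss -Htln` (iproute2), where
# column 4 is the local address:port. Assumes default ports 21 and 22.

# listening_ports < ss-output : prints each listening TCP port once.
listening_ports() {
    # Strip everything up to the last colon so IPv4 and [IPv6] forms both work.
    awk '$1 == "LISTEN" { p = $4; sub(/.*:/, "", p); print p }' | sort -un
}

# check_transfer_services < ss-output
#   Prints one verdict per service; returns 1 if FTP is still listening
#   or nothing is listening on the SSH port.
check_transfer_services() {
    ports=$(listening_ports)
    status=0
    if printf '%s\n' "$ports" | grep -qx 21; then
        echo "FAIL ftp: port 21 is listening; logins would be sent unencrypted"
        status=1
    else
        echo "OK   ftp: nothing listening on port 21"
    fi
    if printf '%s\n' "$ports" | grep -qx 22; then
        echo "OK   sftp: SSH is listening on port 22"
    else
        echo "FAIL sftp: nothing listening on port 22"
        status=1
    fi
    return "$status"
}

# Constructed sample: a host that still runs an FTP daemon beside SSH.
sample_before() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 32 0.0.0.0:21 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
EOF
}

# Stand-alone run; on a real server use: ss -Htln | check_transfer_services
sample_before | check_transfer_services || true
```
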
Speaking of hosting providers…
5. Consider the suitability of your hosting solution
I am very happy to be with Westhost. It was their ModSecurity firewall that first detected the hack and shut down my website before serious damage was done. They also perform daily automatic backups (which were used to restore the site) and provide crack customer support to boot.
Can you say the same of your hosting provider? There are many great options out there, and you would be crazy to stay with a provider you are not satisfied with. You might consider switching to one of the managed hosting solutions (such as WPEngine), as WPExplorer has done recently.
No matter what you choose, be sure to ask them about the security measures they take. Consider the steps I have taken above and make sure they are compatible with your hosting solution.
The moral of this story is: don’t compromise on security. After all, keeping your website safe is more important than anything else. If no one sees your site because it has been torn to pieces by ruthless hackers, there is no point in having great content or a gorgeous new design.
The malicious types with nothing better to do with their lives will not disappear anytime soon. The sooner you accept this and take reasonable steps to protect your website from attacks, the better the long-term security of your online assets.
I would love to know what you think of the measures I have taken. Do you have any additional suggestions? Please leave them in the comments section!