Is Your WordPress Website Safe From Hackers?
A few months ago, just as we were about to launch a new WordPress website, I received an email early one morning from the client telling me that one of his friends had tried to look at the site only to be redirected to some other completely different domain selling some weird product.
I went to the site myself and could find no obvious problem with it. Everything was loading properly and it looked great. It took me a while to discover that the website was redirecting to the unknown site only when people clicked on results from search engines. It did not happen if you went to the site directly. I realized then that I was probably dealing with a smart piece of malware.
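The behaviour described above can be checked from the site owner's side by requesting the same page with and without a search-engine `Referer` header and comparing the answers. The script below is an added example, not part of the original post: its function names and sample referer URLs are constructed for illustration, and it assumes the redirect is sent by the server as an HTTP 3xx response (a redirect performed by script inside the page would not show up here).

```python
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Constructed sample referers imitating a click on a search result.
SEARCH_REFERERS = ["https://www.google.com/search?q=example",
                   "https://www.bing.com/search?q=example"]

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow: we want to read the Location header

def fetch(url, referer=None, timeout=10):
    """Return (status, Location or None) for one GET, redirects not followed."""
    headers = {"User-Agent": "Mozilla/5.0"}
    if referer:
        headers["Referer"] = referer
    opener = urllib.request.build_opener(NoRedirect)
    request = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(request, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx lands here once following is off
        return err.code, err.headers.get("Location")

def base_host(url):
    """Hostname of a URL without a leading 'www.'; empty for relative URLs."""
    host = urlsplit(url).hostname or ""
    return host[4:] if host.startswith("www.") else host

def is_off_site(site_url, location):
    """True when a redirect target points at a different host than the site."""
    target, site = base_host(location), base_host(site_url)
    return bool(target) and target != site and not target.endswith("." + site)

def find_referer_redirects(url, fetch=fetch, referers=SEARCH_REFERERS):
    """Compare a direct visit with visits carrying a search-engine Referer."""
    direct = fetch(url)
    findings = []
    for ref in referers:
        status, location = fetch(url, referer=ref)
        if location and (status, location) != direct and is_off_site(url, location):
            findings.append({"referer": ref, "status": status, "location": location})
    return findings

if __name__ == "__main__" and len(sys.argv) > 1:
    for hit in find_referer_redirects(sys.argv[1]):
        print("off-site redirect for referer %(referer)s -> %(location)s" % hit)
```

An empty result only means no referer-dependent HTTP redirect was seen for that page on that request; it does not replace a full scan of the site's files.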
Malware is software that hackers use to interfere with a computer’s operating system, obtain personal information, or gain access to private computer networks.
I called the hosting company and the customer support rep investigated the problem and told me that the site was indeed infected. He recommended we contact a company called We Watch Your Website.
I have subsequently seen many more sites that were infected and I have researched the subject and attended some useful seminars. I will summarize here the useful facts and advice that I have gleaned from these investigations:
1) According to Dre Armeda, from Sucuri Security, 70% of hacked sites are compromised because of outdated software. The lesson here is very simple: always keep your WordPress software up-to-date. This includes the WordPress core, plugins and themes. It does not matter if you do not use a theme or a plugin. If WordPress is installed on your site, make sure it is up-to-date.
2) If you suspect your site has been hacked, you can scan it for free on sucuri.net. If your site was infected and you need it to be cleaned, you can call your hosting company and they will probably do it for you without charge. Otherwise you can subscribe to the services of We Watch Your Website or sucuri.net.
3) Always back up your site, because not all malware is that easily disposed of. I highly recommend BackupBuddy, which allows you to create a full backup of your site, including all the files that are not part of the WordPress database, such as the WordPress core installation, themes, plugins and images.
4) Choose a good, secure user name and a robust password (never use ‘admin’ as a user name – if you already have – change it now!).
5) If you want to learn more, take a look at this post: WordPress Security Tips, which will direct you to more in-depth information about the subject.
I hope you have found this brief explanation and links to further information useful. Please do not hesitate to contact me if you have any questions.