I believe many bloggers are as ignorant as I was about what to do when their WordPress blog gets hacked. Fortunately I got everything back to normal, as the penetration was mild. Otherwise I would’ve been doomed. So I thought I’d share what happened to me and how I overcame the hack.
It was yesterday, when I was back from a 3-day vacation, that I found one of my websites had been hacked. It had never happened to me before. I literally had a heart attack. My whole body broke into a cold sweat. My lungs refused to breathe. I just fell apart and was wondering, WHAT NOW?
When I got conscious, my first thoughts were, “what the fuuuuu–ukkkkk.”
I knew that, due to the recent promotion of my website, it had a lot more traffic than usual. In fact the traffic had almost tripled. But to make matters worse, I was supposed to show the blog to a potential client who was interested in an advertisement offer and in hiring my content writing service.
It was scary. I mean a really horrible situation. When traffic was at its apex and a potential client was looking into my professionalism, I WAS LITERALLY LEFT WITH NO WEBSITE.
Now, my home page was a plain white page and in the middle there was a terrifyingly BIG HUMAN SKULL with red burning eyes.
Finding that something you have put so much emotion, effort and money into has been completely torn apart, at the worst possible time. SHHH…
So let’s begin by looking at the security vulnerabilities in WordPress and how to harden WordPress.
Hack through Local Computer
Most web owners do not keep their system clean and virus free. So, quite often, malware and other malicious scripts residing on the local system infect the server through the FTP client software: a saved FTP login on an infected PC is all the malware needs to push altered files to the server. So you need to install a good antivirus on your local system and run regular malware/virus scans.
I was sure I had never had any issue with the local system, as I always use antivirus and my Windows 7 was up to date.
Hack through your Shared Hosting Provider
When it comes to the hosting provider, a security breach of a shared hosting server affects multiple sites on that server. That means when a hacker compromises one website on a shared server, he can reach all the other sites on it through automated scripts that rewrite the wp-config.php file of every WordPress install within minutes.
For me, it was my shared host that had actually been compromised. The hacker got control over my admin access and changed my wp-config.php to show the above-described message on my home page and on all the inner pages too. But fortunately the effect was not intense and I was able to fix it. All I did was remove all the changes made to my config file. But I did a complete removal of the files and installed my backup.
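A defender's check for the scenario just described, added here as an example and not part of the original post: a small POSIX shell script that baselines wp-config.php and the core PHP files and reports any later change. The default paths, the variable names and the dependency on GNU sha256sum are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a file-integrity baseline for a
# WordPress install. It hashes wp-config.php plus every core PHP file under
# wp-admin/ and wp-includes/, and later reports any file whose hash changed,
# went missing or appeared, so an unwanted edit to wp-config.php is noticed
# before visitors see it. Assumes GNU sha256sum and paths without spaces
# (true for WordPress core). WP_ROOT and BASELINE are assumed defaults.

WP_ROOT="${WP_ROOT:-/var/www/html}"
BASELINE="${BASELINE:-$HOME/.wp-baseline.sha256}"

# wp_baseline_create ROOT OUTFILE: write "hash  path" lines for the
# monitored files, sorted by path. wp-content/ (themes, plugins, uploads)
# is deliberately left out; it changes on every theme or plugin update.
wp_baseline_create() {
    root="$1"; out="$2"
    ( cd "$root" && find wp-config.php wp-admin wp-includes \
        -type f -name '*.php' -exec sha256sum {} + ) \
        | LC_ALL=C sort -k2 > "$out"
}

# wp_baseline_check ROOT BASELINE: compare the current hashes with the
# baseline. Prints one MODIFIED / ADDED / MISSING line per difference and
# returns 1 if there is any, 0 when everything still matches.
wp_baseline_check() {
    root="$1"; base="$2"
    cur=$(mktemp)
    wp_baseline_create "$root" "$cur"
    diffs=$(awk '
        NR == FNR { want[$2] = $1; next }          # first file: the baseline
        !($2 in want) { print "ADDED    " $2; next }
        want[$2] != $1 { print "MODIFIED " $2 }
        { seen[$2] = 1 }
        END { for (f in want) if (!(f in seen)) print "MISSING  " f }
    ' "$base" "$cur")
    rm -f "$cur"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# Usage: run wp_baseline_create "$WP_ROOT" "$BASELINE" once, right after a
# clean install or update, and wp_baseline_check "$WP_ROOT" "$BASELINE"
# from cron. Keep the baseline file off the web server: an attacker who
# can rewrite wp-config.php can rewrite a baseline stored next to it.
```

WP-CLI's `wp core verify-checksums` does the same comparison for core files against the hashes WordPress.org publishes, but it does not cover wp-config.php, which is why that file is hashed here.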
Hack within WordPress
WordPress is no doubt the greatest CMS for websites and blogging. As an open source platform, it is just too OPEN for hackers to attack in various ways. I discuss the 4 loopholes here.
Weak and generic usernames/passwords are one of the most vulnerable parts of WordPress sites. However, this has been tightened now. As of WordPress 3.8 there is a “password strength detector” to force you to create an extremely strong password. Still, you need to set an unpredictable password. Mixing letters, numbers and special characters makes the password strongest.
Many novice users leave the username at the default, i.e. “admin”, which is well known to all the bad guys. You must go for one that is as hard to guess as possible.
Cheap and Shoddy Themes
The most common way of hacking a WordPress site is through its themes. Mainly, hackers distribute infected free themes for people to download. Once you install such a theme on your website, they get control of your website in no time. Even premium themes in some cases have unexpected security issues. To fix security flaws, theme authors release updated versions of their themes from time to time. So always keep your theme updated.
Always download themes from a trusted source or the official website.
Like themes, hackers also distribute free plugins with malicious code and hack websites through them. A lot of headache can be avoided by reading the online reviews of the plugins you want to install. Download plugins from the official websites only. Choosing only the 4-5 star ones would be a wise decision, as they have been tested by other users. Also avoid cheap plugins that lack strong security layers.
Outdated WordPress Core
An up-to-date WordPress core is a vital part of security, as each release comes with the latest security patches. You may find that your themes and plugins are sometimes incompatible with a new WordPress release. However, high-quality and reliable plugins have a compatible version released within days or even hours of the WordPress core release. So you must update your core within days of its release. You can find more details on hardening your WordPress site here.
Getting your website hacked is obviously a headache. But you have to recover from it anyway. So stay calm and ask for support if you are unable to fix it yourself. At the same time, choose a web host who provides automatic backups of your website and can fix your issues for free.
If you have a similar story, please feel free to share it in the comments.