“Hey, did you know one of your websites is redirecting to a Viagra website?” Receiving that phone call or email is probably not the way that you’d like to start your day.
There’s big money in hacking websites, and using them for black-hat SEO or marketing purposes or serving malware to your visitors, so you need to protect yourself by taking a few simple steps to prevent your website from getting hacked.
If you’re running WordPress, chances are you’re already indiscriminately getting targeted by untold numbers of malicious scripts trying to take over your website. No one is targeting you specifically, but they are targeting every website that runs WordPress they can find that may have some sort of vulnerability.
Here are a few steps you should take to prevent your WordPress-powered website from getting hacked:
Run Your Updates – When a new version of WordPress is released or when your plugins are updated, take the minute it takes to press the update button. Keep an eye on the “updates” menu item in the top left, which will notify you when you have new versions of plugins to update as well. The easiest way to get hacked is to run an old, insecure version of WordPress or have insecure versions of plugins running on your website. Keeping your copy of WordPress up-to-date is the single best thing you can do to prevent your website from getting hacked.
Block Known Bad IP Addresses – There are several methods to block IP addresses known for sending malicious traffic. Content delivery networks, such as CloudFlare, stop this traffic automatically before it hits your web server. There are also plugins like Bad Behavior, which will reject malicious traffic on your website.
Use a Security Scanner – There are a number of security scanner plugins which will tell you whether or not you’re doing something unsafe with your WordPress installation. I recommend a plugin called Better WP Security, which will take a number of measures to protect your website, including blocking known bad IP addresses and hiding the fact that you’re running WordPress.
Protect Your Login Page – Recently, there have been reports that bots are targeting WordPress login pages in an effort to compromise websites on a mass scale. They make use of common usernames and passwords and attempt to log in. Unfortunately, WordPress does not have a maximum number of login attempts by default. You can protect yourself from these attacks by using a username other than “admin” and an uncommon password. You can also install a plugin which will set a maximum number of login attempts for a given IP address over a set period of time, which will stop these brute force attacks in their tracks.
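To show what such a plugin does under the hood, here is an added example (not code from the original post or from any of the plugins it mentions) that caps failed logins per client IP with standard WordPress hooks and transients. The "lla_" prefix, the limit of 5 failures and the 15 minute window are assumptions you can tune; drop the file into wp-content/mu-plugins/ to activate it.

```php
<?php
/*
 * Added example: limit failed login attempts per client IP.
 * Assumptions: the "lla_" names and the two limits below are ours, and the
 * site is not behind a reverse proxy (behind one, derive the client IP from
 * a forwarding header you trust instead of REMOTE_ADDR).
 */

const LLA_MAX_ATTEMPTS   = 5;        // failures allowed before lockout
const LLA_WINDOW_SECONDS = 15 * 60;  // lockout window in seconds

// Transient key for the requesting client's IP address.
function lla_transient_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lla_fail_' . md5($ip);
}

// Count a failure. WordPress fires wp_login_failed after every bad attempt,
// so continued guessing while locked out keeps the window open.
function lla_record_failure($username) {
    $key   = lla_transient_key();
    $fails = (int) get_transient($key);
    // set_transient restarts the expiry, so the window runs from the last failure.
    set_transient($key, $fails + 1, LLA_WINDOW_SECONDS);
}
add_action('wp_login_failed', 'lla_record_failure');

// Refuse authentication once the limit is reached. Priority 30 runs after
// WordPress's own username/password checks (priority 20), so a correct
// password is rejected as well while the IP is locked out.
function lla_check_limit($user, $username, $password) {
    $fails = (int) get_transient(lla_transient_key());
    if ($fails >= LLA_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            sprintf('Too many failed logins. Try again in %d minutes.', LLA_WINDOW_SECONDS / 60)
        );
    }
    return $user;
}
add_filter('authenticate', 'lla_check_limit', 30, 3);

// Clear the counter after a successful login so a user's own typos
// do not lock them out later.
function lla_clear_on_success($user_login, $user) {
    delete_transient(lla_transient_key());
}
add_action('wp_login', 'lla_clear_on_success', 10, 2);
```

Transients are stored in the options table (or in the object cache if one is configured), so the counter survives across requests without any extra schema. Keying on the IP address means a botnet spread over many addresses still gets LLA_MAX_ATTEMPTS guesses per address, which is why the non-"admin" username and strong password advice above still matters.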
Check Your TimThumb.php file – Many of the themes available on free theme websites make use of a file called TimThumb.php which creates thumbnails of images in posts. Unfortunately, many old versions of TimThumb are extremely vulnerable to getting hacked. Install the Timthumb Vulnerability Scanner plugin to check and see if your theme is using an insecure version of TimThumb.php.
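If you would rather check from the command line than install another plugin, here is an added example (not code from the original post or from the Timthumb Vulnerability Scanner plugin) that walks a themes directory, finds every copy of TimThumb, and reports the VERSION constant each one declares. It also looks for thumb.php, the name some themes ship it under. The minimum version it compares against is an assumption: set it to the current TimThumb release before relying on the output.

```php
<?php
/*
 * Added example: report TimThumb copies and their versions under a themes
 * directory. Run as: php timthumb-check.php /path/to/wp-content/themes
 * Assumption: MIN_SAFE_VERSION is a placeholder; set it to the current
 * TimThumb release.
 */

const MIN_SAFE_VERSION = '2.8.14'; // assumption, see note above

// Return the VERSION string a TimThumb file declares, or null if none is found.
function timthumb_version($path) {
    $src = file_get_contents($path);
    if ($src === false) {
        return null;
    }
    // TimThumb declares its version as: define ('VERSION', '2.8.x');
    if (preg_match("/define\s*\(\s*'VERSION'\s*,\s*'([0-9.]+)'\s*\)/", $src, $m)) {
        return $m[1];
    }
    return null;
}

// Find candidate TimThumb files under $root and flag outdated or unrecognised ones.
function scan_themes($root) {
    $results = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        $name = strtolower($file->getFilename());
        if ($name !== 'timthumb.php' && $name !== 'thumb.php') {
            continue;
        }
        $version = timthumb_version($file->getPathname());
        $results[] = array(
            'path'     => $file->getPathname(),
            'version'  => $version,
            // A file with no readable VERSION is treated as needing attention.
            'outdated' => $version === null || version_compare($version, MIN_SAFE_VERSION, '<'),
        );
    }
    return $results;
}

if (PHP_SAPI === 'cli') {
    $root = isset($argv[1]) ? $argv[1] : 'wp-content/themes';
    foreach (scan_themes($root) as $r) {
        printf("%s  version=%s  %s\n",
            $r['path'],
            $r['version'] !== null ? $r['version'] : 'unknown',
            $r['outdated'] ? 'UPDATE' : 'ok');
    }
}
```

Any line marked UPDATE names a theme whose bundled TimThumb should be replaced with the current release, or, better, a theme that no longer needs TimThumb at all, since WordPress has generated its own thumbnails for years.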
Do you have any recommendations to add to this list? Let me know in the comments below.