This week there were several scares from hacking attacks on WordPress sites or plugins.
One of these involved a well known and much used plugin, Social Media Widget, which had code added to it by someone who was working on it (accidentally or on purpose, we don’t know). The code injected links to a spammy PayDay site that you would not have seen, but that Google could have black-listed you for.
This was remediated fairly quickly, and sites could continue to use the plugin after updating it, which removed the injected link code.
The second problem was a bigger issue: a brute force attack by bots trying to hack into WordPress sites.
Once they gained access to a site they would inject malicious code that could be activated at any time. Specifically, they were making an assault on sites that use “admin” as a user name. If you are using “admin”, please change it immediately. Then check out the tips below, as well as the instructions on how to change your WordPress user name from “admin”.
8 Tips to Keep Your Site Hacker Safe
- Back-up your WordPress website files and database. Suggestions are Backup Buddy, VaultPress, BackWPup. You might want to check that you know how to restore your site from a backup and test that your backup method is working. This way, if you are ever in need of restoring your site you will be able to do so.
- Do not use “admin” as your user name or an easy password for your WordPress site login. This is the number one reason sites get hacked.
- Keep your plugins updated. If you have plugins in your folder you aren’t using, delete them.
- Keep your theme updated, along with any other themes in your theme folder. If you have a lot of themes you are not using, delete them.
- Update your WordPress installation to the latest version.
- Use a plugin called Limit Login Attempts to set the number of failed login attempts allowed before the plugin locks out further attempts and the visitor has to wait. This stops your site from being an easy target for brute force attacks by bots.
- You can use a service called Sucuri to monitor your site for malicious activity; if your site is ever infected, they will clean it for you. It is $89 a year for a single site. You can go to their site and run a free scan of your site, and if it is infected you can sign up and they will clean it for you.
- If you have multiple test sites on your server, make sure you go in and do all of the things above on every one of your sites.
There are other things you can do depending on your level of activity and the importance of your site. But in most cases, doing the above regularly will keep you in good condition. If you haven’t already done so, check out these instructions on how to change your WordPress user name from “admin”.