I hope you had a relaxing Labor Day weekend with friends and family. I was worried that my weekend might have a lot more emphasis on the labor part than the relaxing part. Recently, a plugin called TimThumb, built into a lot of WordPress themes to help with dynamic image resizing, was found to have a security flaw, causing WordPress sites that included it to be hacked.
Last week, I spent several days tracking down my clients' sites that incorporated the TimThumb plugin and repairing the problem. I had a scare Friday late afternoon when several of these sites were running extremely slowly, which had me worried that they had been hacked. After several hours Friday evening, I discovered that none of these sites had been hacked and it was another plugin, Twitter Tools, that was slowing these sites down to a crawl. When I deleted Twitter Tools, all was well. What I had worried was going to take me all weekend to fix was resolved just like that. Poof. And I lived happily ever after. And so you don't have to worry, here are some tips to help you keep your site safe and secure.
I routinely write about the need for backing up your WordPress websites. There are the theme files and the database where your content is stored, and all of that needs to be backed up. A lot of people use WP-DB Backup, and it will help save your content if your site gets hacked, the server crashes, or someone erases your site (it has happened). But that plugin alone will not back up your theme files, which many of you have spent time or money or both modifying to create your own branded look. It would be a shame to lose them. You can learn to back up your site's theme files to your computer yourself through FTP. Or, if you are not inclined to fool with that kind of technical housecleaning, look into using a plugin called BackupBuddy or a service called VaultPress. There is a charge for each of these, but they will back up everything on a daily, weekly or monthly basis and give you peace of mind.
Another easy backup method, if you are on Bluehost, is their $12.95-per-year Pro Backup service. It makes backups that are the quickest and easiest way to restore your site or a particular file. The downside is that the backups are stored on the Bluehost server, so if something happened to Bluehost you would lose both your site and your backup.
Versions: Keep Current
Once you have your site backed up, update your plugins and upgrade the WordPress software whenever your dashboard tells you that new versions are available. WordPress and plugin developers are always working not only to add functionality but also to provide security patches when vulnerabilities are discovered.
Plugins: Prime Suspects
The first thing to check when your site is not working quite right is your plugins. Disable them one by one and see whether the problem goes away. Start with plugins you added recently, plugins that run a jQuery script, or plugins that talk to an outside application, as Twitter Tools does. If everything had been going fine until now, a plugin that was upgraded recently is a likely suspect: an update may have changed it so that what worked before now causes issues.
As an extra precaution and as good site maintenance, get rid of plugins that you are not using. Go through your plugins and deactivate those you think are not being used. Check your site, and if everything is working right, delete them. Often we get carried away with all of the things plugins can do, but in this case less is more.
Themes: Use Them or Lose Them
Delete any themes that you are not using. In the case of the TimThumb hack, even if the active theme did not use the TimThumb plugin, hackers could get into the site through an inactive theme that had been uploaded. Often we try out a bunch of themes before settling on one we like, so go ahead and clean house and get rid of those that are just sitting around. You can always upload them again if you need them.
Additional WordPress Installations on Your Hosting Account
You must also take care of any other WordPress installations you have on your hosting account. If you don't keep them updated, hackers may get into your main site through vulnerabilities in your additional business, hobby or test sites. This has happened to some people I know, who lost three business sites because one got hacked and the others soon followed.
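The two points above, inactive themes and forgotten secondary installs, are exactly where a TimThumb copy tends to hide. Here is an added audit script (my own, not from the original post) that walks a hosting root, lists every WordPress install with its theme folders, and flags any timthumb.php it finds. The sample account it builds under a temp directory is constructed for the demo, and the folder names in it are hypothetical.

```shell
#!/bin/sh
# Added audit helper: inventory WordPress installs under a hosting root and
# flag every copy of timthumb.php, including ones sitting in inactive themes
# or in a secondary install that nobody remembers to update.

# Print each directory under $1 that holds a wp-config.php (one install per line).
find_wp_installs() {
    find "$1" -type f -name wp-config.php 2>/dev/null | sed 's#/wp-config.php$##' | sort
}

# Print every timthumb.php under $1, whatever theme or install it lives in.
find_timthumb_copies() {
    find "$1" -type f -iname timthumb.php 2>/dev/null | sort
}

# List the theme folder names of one install, active or not.
list_themes() {
    for d in "$1/wp-content/themes"/*/; do
        [ -d "$d" ] && basename "$d"
    done
    return 0
}

# Report for the whole account: installs, their themes, and any TimThumb copies.
audit_account() {
    find_wp_installs "$1" | while IFS= read -r inst; do
        echo "install: $inst"
        echo "  themes: $(list_themes "$inst" | tr '\n' ' ')"
    done
    copies=$(find_timthumb_copies "$1")
    if [ -n "$copies" ]; then
        echo "TimThumb copies found (update the script or delete the theme):"
        echo "$copies" | sed 's/^/  /'
    else
        echo "no timthumb.php found"
    fi
}

# Constructed sample account (hypothetical paths) so the audit can run offline:
# a main site plus a hobby blog, and an unused trial theme that bundles TimThumb.
make_sample_account() {
    root=$(mktemp -d)
    for site in public_html public_html/hobby-blog; do
        mkdir -p "$root/$site/wp-content/themes/live-theme" "$root/$site/wp-content/themes/old-trial"
        : > "$root/$site/wp-config.php"
    done
    : > "$root/public_html/wp-content/themes/old-trial/timthumb.php"
    echo "$root"
}

# Pass your hosting root as the first argument; with no argument, audit the sample.
audit_account "${1:-$(make_sample_account)}"
```

Run it against your real account root (for example the parent of public_html) and treat every path it prints under "TimThumb copies found" as a theme to update or delete.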