Web Hosting

WordPress Security is Not Just About WordPress

One of my customer’s WordPress installations was hacked and turned into an attack site over the weekend.

I got a plea for help on New Year’s Day because she couldn’t view her site or log in – she just got an error message whenever she tried to do either.

When I reviewed the file that was referred to in the error message I found some scripts had been added.

Two other files in the wp-includes directory had also been updated at the same time, so I deleted all of them and replaced them with clean versions.

When I then accessed her site to check it was working OK, I got two malware files dumped onto my PC – so they had infected more than the 3 files I found.
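Hunting by modification time missed files here. As an added example (not the author's code), the check below compares every file on the site against a clean copy by content hash instead. It assumes `clean_root` is an unpacked copy of the same WordPress version; the function names and the sample trees are constructed for illustration.

```python
import hashlib
import os
import tempfile


def tree_hashes(root):
    """Map each file's POSIX-style relative path to its SHA-256 digest."""
    hashes = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def compare_to_clean(site_root, clean_root, expected_extra=("wp-config.php",)):
    """Return (modified, added): files that differ from, or are absent in, the clean copy."""
    site, clean = tree_hashes(site_root), tree_hashes(clean_root)
    modified = sorted(p for p in site if p in clean and site[p] != clean[p])
    added = sorted(p for p in site if p not in clean and p not in expected_extra)
    return modified, added


def write_file(root, rel, data):
    """Create root/rel (and parent directories) with the given bytes."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def build_demo():
    """Constructed sample trees: a clean copy and a tampered site."""
    base = tempfile.mkdtemp()
    clean, site = os.path.join(base, "clean"), os.path.join(base, "site")
    core = {"index.php": b"<?php // front controller\n",
            "wp-includes/load.php": b"<?php // loader\n",
            "wp-includes/version.php": b"<?php // version\n"}
    for root in (clean, site):
        for rel, data in core.items():
            write_file(root, rel, data)
    write_file(site, "wp-config.php", b"<?php // site settings\n")  # legitimate, site-specific
    # Tampering: one core file altered with its timestamp put back, one file added.
    target = write_file(site, "wp-includes/version.php", core["wp-includes/version.php"] + b"// injected\n")
    os.utime(target, (0, 0))
    write_file(site, "wp-content/uploads/cache.php", b"<?php // not part of WordPress\n")
    return site, clean


if __name__ == "__main__":
    print(compare_to_clean(*build_demo()))
```

Anything reported under `added` that is not one of your own themes, plugins or uploads needs a closer look, as does every entry under `modified`.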

My first step was to clean up my own PC. Luckily AVG, CleanUp! and Malwarebytes did a great job on that, so I was back in action again in an hour or so.

My next step was to access my customer’s site via FTP to delete the database and the entire WordPress installation.

Then I set up a new database and installed a clean version of WordPress.

In the process I took the following security steps:

  1. Created unrelated usernames and passwords for the database – long and complicated
  2. Changed the default wp_ database prefix to something else
  3. Changed the default ‘admin’ username to something else – long and complicated. I set out a process for doing that here.
  4. Created a long and complex password
  5. Installed WP-Security-Scan and checked all the file permissions
  6. Made sure the WordPress version was not visible
  7. Installed Login Lockdown to lock out anyone attempting to use an incorrect user ID or password to log in
  8. Installed a blank index.html file in the wp-content/plugins and wp-content/themes directories (to prevent anyone seeing what plugins or themes were installed)
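Steps 2, 5, 6 and 8 can be re-checked after any reinstall. The following is an added example, not the author's code or either plugin's: it reads `$table_prefix` from wp-config.php, looks for world-writable files, looks for the generator meta tag in a page's HTML, and checks for an index file in the plugins and themes directories. The function names and sample tree are constructed, and the HTML is passed in as a string so the check runs offline.

```python
import os
import re
import stat
import tempfile


def audit(root, homepage_html=""):
    """Return a list of findings for a WordPress tree at `root`."""
    findings = []
    # Step 2: the table prefix set in wp-config.php should not be the default.
    with open(os.path.join(root, "wp-config.php"), encoding="utf-8") as fh:
        m = re.search(r"""^\s*\$table_prefix\s*=\s*['"]([^'"]*)['"]""", fh.read(), re.M)
    if m is None or m.group(1) == "wp_":
        findings.append("default or missing table prefix")
    # Step 5: nothing should be writable by every account on the server.
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            full = os.path.join(dirpath, name)
            if os.stat(full).st_mode & stat.S_IWOTH:
                findings.append("world-writable: " + os.path.relpath(full, root).replace(os.sep, "/"))
    # Step 6: the generator meta tag in served HTML reveals the version.
    if re.search(r"""<meta[^>]+name=["']generator["'][^>]*WordPress\s*[\d.]+""", homepage_html, re.I):
        findings.append("version visible in generator tag")
    # Step 8: an index file stops the web server listing these directories.
    for rel in ("wp-content/plugins", "wp-content/themes"):
        d = os.path.join(root, *rel.split("/"))
        if not any(os.path.isfile(os.path.join(d, i)) for i in ("index.html", "index.php")):
            findings.append("no index file in " + rel)
    return findings


def build_demo():
    """Constructed sample: a tree and page that fail every check above."""
    root = tempfile.mkdtemp()
    for rel in ("wp-content", "wp-content/plugins", "wp-content/themes"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(path, exist_ok=True)
        os.chmod(path, 0o755)
    cfg = os.path.join(root, "wp-config.php")
    with open(cfg, "w", encoding="utf-8") as fh:
        fh.write("<?php\n$table_prefix = 'wp_';\n")
    os.chmod(cfg, 0o666)
    return root, '<meta name="generator" content="WordPress 9.9.9" />'


if __name__ == "__main__":
    print(audit(*build_demo()))
```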

And two and a half hours after I’d completed everything her site was hacked again.

They got in because they had a copy of her FTP login details, which they’d obviously stored so they could use whenever they wanted to.

Although I’d given strict instructions for her to change her FTP password, she’d not had a chance to do so after I’d finished everything.

And the lesson is…

Nothing could more clearly illustrate the point I made in this article that WordPress security involves more than just making your WordPress installation secure.

You need to consider your computer and your FTP accesses – i.e. your entire online environment.

There’s no knowing for sure how the scammers had got hold of her FTP login details, but some of the ways would include:

  1. Intercepting email which contained them
  2. Having a keylogger (malware) installed on her PC which captured them and sent them back to the scammers
  3. Intercepting them during an FTP transfer.

So the message is this:

In addition to taking all the security precautions I referred to above on your WordPress installation itself, make sure your computer is (and stays) clean and, if you’re regularly uploading stuff to your WordPress site, use SFTP rather than FTP.

It goes without saying that you should be using one of the Internet Security products from a reputable supplier. And that means the paid version, not the Anti-Virus version which is usually free.

But I also use two other products:

Malwarebytes, which is an excellent product and free to download.

A couple of years ago I got a Trojan on one of my computers which I couldn’t get rid of. McAfee couldn’t find it, Spybot S&D couldn’t find it and Adaware couldn’t find it.

But Malwarebytes did.

And since then I install and use it on every computer I own and every computer I’m setting up for someone else.

As long as you have one of the Internet Security products running you only need to run Malwarebytes manually every few days (but you should run it at least once a week). Make sure you update it before you run it, because they release new signatures every day.

And, by the way, although I’m delighted with the Internet Security product I’m using, Malwarebytes still picks up stuff that it misses.

The other product I use (also free) is CleanUp!. This focuses more on clearing out your temporary files, but I needed it the other day because I opened a copy of the infected file from my customer’s site to review it on my PC.

Although I didn’t save the file, a copy was still sitting in my temporary files folder and CleanUp! zapped that one for me.


Long story short, then:

  1. Make your WordPress installation as secure as you can – follow the steps above
  2. Make sure your computer is clean and stays clean
  3. Use SFTP rather than FTP
  4. Check the front of your site each day (as if you were a visitor) to make sure it’s functioning as it should
  5. Back up your site (database and system files) at least weekly. (I do a full site backup every time I make any changes to content or structure)
