
How to Keep Hackers Out of Your Website or Blog

I was uncomfortable and unhappy after I watched someone hack into a site in less than 5 minutes. It was so easy to do! So, I followed “the hacker’s” advice to reduce the chance of this happening to me and then cried (just a bit) when I completely messed up my site’s layout in the process. That was the bad news.

Pardon our mess

Site Under Construction

After I got over my initial panic, I put up a temporary construction sign on my site and posted an apology on my Facebook page. I called my site host for help and felt very embarrassed when the rep sent out a test email to my subscribers before I could stop him. I told myself that my layout and embarrassment headaches were far less severe than the migraine I’d get if a hacker turned my site upside down, and then I somehow managed to fix my layout issues relatively quickly. This was the good news.

Now why would someone hack into your site?  Some do it for the challenge and others do it for financial gain, even if there is no obvious revenue source on the site. For example, malware can allow hackers to invade privacy and earn revenue by monitoring web browsing and internet usage to sell products or browsing habits to others. It can force advertising onto a site and it can redirect affiliate marketing dollars. In some cases it is obvious that a site has been compromised, and in others, the breach is invisible.

In case you’re thinking this doesn’t apply to you, keep in mind that over 2 million new malware strains surface monthly (McAfee), with an increasing cost to consumers of $2.3 billion in 2010 (Consumer Reports). Google Safe Browsing issues over 3 million malware warnings a day and blacklists almost 10,000 sites per day. Users are warned to avoid compromised sites in 12-14 million Google Search queries per day, but warnings are lifted when infected sites are cleaned up.

So, what makes it easy to hack into a site or blog? The primary factors are outdated software and weak passwords. Issues on your hosting provider’s end and zero-day exploits (attacks on flaws for which no fix is available yet) can also be a cause. But don’t despair! It’s easy to protect against the most significant weaknesses. Here’s how:

1.  Back up, and back up often

  • Back up your site on a different server or computer. My site host, Hostgator.com, walked me through each step to teach me the process.

2.  Update your site platform (e.g., WordPress, Tumblr), plugins and themes regularly

  • Outdated software is the cause of most infections. Updating helps avoid vulnerabilities that have since been patched.
  • Update one item at a time and verify your site is okay before moving to the next item. This will let you know what caused an issue, should one arise, and it allows you to easily go back a step to rectify it.

3.  Use very strong passwords and keep them private from humans and platforms

  • Weak and exploited passwords compromise sites because open source software (available for free on the internet) easily determines user names and passwords by brute force. In fact, this is how the hacker got into the site in the demo I witnessed. For password tips, read How to Create Strong Passwords.
Plugin Search

Find reputable plugins within your site or blog’s platform

4.  Use only trusted sources for themes and plugins

  • I only install plugins and themes from within my WordPress site.  I do not use any from Google/browser searches.
  • If you don’t use it, remove it! Get rid of inactive plugins and themes – get an updated version when you need it.

5.  Install a plugin to limit login attempts by humans and by password cracking software

6.  Use auto-updating anti-virus software on your site

7.  Do not log into your site via open or unsecured Wi-Fi

8.  Use admin access sparingly

  • If others need access to your site, give only enough to do their job. Reduce or eliminate access when they are done.
  • Use admin for admin purposes and editor access for creating posts. The less admin usage, the less hacking opportunity.
  • Limit client access to reduce honest mistakes and breaches.
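
Step 5 in practice: the lockout logic a login-limiting plugin applies, sketched in Python as an added example (not code from this post or from any plugin named on this page). The class and function names, the thresholds and the sample addresses are assumptions made up for illustration.

```python
from collections import defaultdict, deque

class LoginLimiter:
    """Lock a client out after too many failed logins inside a time window."""
    def __init__(self, max_attempts=4, window=300, lockout=1200):  # assumed values
        self.max_attempts = max_attempts    # failures allowed per window
        self.window = window                # seconds over which failures count
        self.lockout = lockout              # seconds a lockout lasts
        self.failures = defaultdict(deque)  # client -> recent failure times
        self.locked_until = {}              # client -> time the lockout ends

    def is_locked(self, client, now):
        return self.locked_until.get(client, 0) > now

    def remaining(self, client, now):
        """Failed attempts left before lockout (0 while locked out)."""
        if self.is_locked(client, now):
            return 0
        recent = self.failures[client]
        while recent and recent[0] <= now - self.window:
            recent.popleft()                # forget failures older than the window
        return self.max_attempts - len(recent)

    def record(self, client, success, now):
        """Register one login attempt; return 'ok', 'failed' or 'locked'."""
        if self.is_locked(client, now):
            return "locked"                 # refused even if the password is right
        if success:
            self.failures.pop(client, None) # a good login clears the counter
            return "ok"
        if self.remaining(client, now) <= 1:  # this failure uses the last attempt
            self.locked_until[client] = now + self.lockout
            self.failures.pop(client, None)
            return "locked"
        self.failures[client].append(now)
        return "failed"

def replay(events, limiter=None):
    """Replay (time, client, success) tuples; return the outcome of each."""
    limiter = limiter or LoginLimiter()
    return [limiter.record(client, ok, t) for t, client, ok in events]

# Constructed sample: one address guessing repeatedly, one owner with a single typo.
SAMPLE = [(0, "203.0.113.5", False), (1, "203.0.113.5", False),
          (2, "198.51.100.7", False), (3, "203.0.113.5", False),
          (4, "203.0.113.5", False), (5, "203.0.113.5", True),
          (30, "198.51.100.7", True)]
```

Once the guessing address is locked out, even a correct password is refused until the lockout ends, while the owner who mistyped once logs in normally.
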
Your site has been hacked

This hacker had no intention of hiding!

Constant updating is annoying because of the time and inconvenience of making sure everything is okay afterwards, or the time it takes to repair issues the updates cause. That said, I cannot emphasize the importance of updating enough. I watched the hacker delete everything from the site he broke into in a matter of seconds. All that remained was a triumphant graphic announcing his success.

Ouch! I’ll take the frustration of layout issues over that anytime. How about you?

Until next time, … Stay Cyber Safe.

11 replies
  1. David Alexander says:

    I would recommend adding a privacy policy and Terms of TOS, to require consent for website usage. Though it may seem obvious, disregard of explicit policy and terms of service would put any site owner in a stronger legal standing to defend monitoring & network surveillance, and pursue remedy if needed.

  2. Karl Kasca says:

    Great post filled with helpful tips and information, Hayley!

    Any specific suggestions for points #5 and 6 (login limiting plugin and auto-updating anti-virus site software)?

    I use Norton Internet Security 2013 on my computer, which helps with web browsing security from the user side of the equation (to help protect your computer from being infected from malware sites you might end up at after clicking on a link in a Google search).

    Best, Karl

    • Hayley Kaplan says:

      Glad to hear the article was helpful, Karl.

      Re: login limits: I use “Limit Login Attempts” by Johan Eenfeldt and I like it. I was able to select the number of attempts I’ll allow and when I log in myself, it lets me know how many attempts I have left before being locked out. There were several others that had 5 star ratings from a substantial number of users and had been downloaded a significant number of times – important criteria to be aware of before making a decision on any plugin. To see the full selection of related plugins, type “Limit login” in the plugin search field from within your platform.

      Re: site virus security: Some companies that provide website virus protection are Sitelock, Sucuri and Stop the Hacker. I use Sitelock. For a plugin, I’m using Wordfence Security by Mark Maunder but that’s a new plugin for me so I don’t have much to report yet. That said, I will forward you an interesting email I got from Wordfence today which describes current plugins with issues.

      Thanks for taking the time to comment.
      Best Regards,
      Hayley

