Over the weekend news came out that ISIS / ISIL hacked several sites (at least) across the US. Since I’m a web (and WordPress) designer, security-minded and insatiably curious, I wondered if there was a common factor among such disparate sites — credit union, hotel, zoo, church, pub, racetrack, for example. None of these seem to be high-value targets, except maybe the credit union, but no data was reported compromised. So, with a handy-dandy listing of some of the hacked sites courtesy of NBC, I set out to see what I could see.
Wouldn’t you know… they are ALL, I repeat, ALL WordPress sites.
Don’t Blame WordPress!
The good news is, this doesn’t have to happen to YOUR WordPress site! If you follow WP “best practices,” your likelihood of being hacked drops dramatically.
First of all, I predict that it will be revealed that each of the hacked sites had several things in common:
- User name of “Admin” with admin privileges
- User ID of “1”
- Login page address: wp-login
- Content directory address of: wp-content
- Plugins, themes, and/or core in need of update
- A non-awareness of security issues
- Lack of monitoring
If You Have a WordPress Site
You need to read, understand, and implement the items on the WordPress.org “Hardening WordPress” page. A bit simpler version is available on the ProBlogger site written by John Phillips (of SSLs.com): 10 Vital WordPress Security Tips. Note that while items 1 & 2 in that article are good ideas, I manage several WP sites not housed on secure servers that block hackers and spammers just fine. Item #4 only works if you have a secure server, again, you can have a hardened WP site on a non-secure server (http vs https).
Another good read is the WordPress.org “My site was hacked” FAQ.
There are several great plugins to help with security. A search on “security” from the “Add New Plugin” screen will help, but some of my go-to ones (in various combinations depending on your site need) are iThemes Security, RegisterIP, BadBehavior, StopSpammers, BulletProof Security, AutomaticBan IP, Ban User By IP, to name a few.
You need to actively monitor your sites. For most low-traffic sites, that may be once or twice a month. You need to stop (and remove) spam user registrations and spam comments. Blocking traffic from certain countries is also beneficial, which can be done with by plugin.
Do it NOW!
The steps necessary for your site will vary depending on its complexity and usage. But, as made clear with the weekend attacks, if you have a WordPress site, YOU ARE A TARGET! If you do not understand what to do, please contact KP Services to help you prevent and discourage such attacks. We will check out your WP installation for vulnerabilities and develop a plan of action to ward off hackers.
Note: NO system is 100% secure. No one can promise you that your site will never be hacked. KP Services offers measures to discourage, disable, and disallow hackers from your site. These break-ins, much like auto theft, are a crime of opportunity. If a hacker gets to your site and doesn’t find the backdoor he expects, he will just move on to the next one.