In the middle of January 2014 all of my websites were hacked.
Not a pleasant experience.
If you would like to read more about the background to the hack, look at the article I posted to Thinking Torah.
(I’m sure you’ll notice that Thinking Torah is not about websites or security and you’ll probably wonder why I posted an article about the hack there. As part of the recovery I needed to change the theme I was using over there. I wanted to explain to my readers why the design of the site changed.)
However, I’m trying to learn from the experience. Here are some of the steps that I’ve taken based on those lessons.
1. I’ve installed Infinite WP to make it easy to update WordPress, themes, and plugins.
Infinite WP gives a single dashboard that allows access to all of your WordPress sites. Once a day it sends me an email and lets me know if any of my sites need anything updated.
To use Infinite WP you need to install the main dashboard and you need to install a plugin on each site.
Infinite WP is free. If you want them to install it for you, then there is a charge for that service.
2. I’m now using as few themes as possible.
The hack of my sites did inject malicious code into certain theme files.
Also, the hack started with a theme that was on a site that I was not actively developing.
I’ve decided to go with Thesis for most of my sites.
Other sites will use one of the current WordPress default themes such as Twenty Thirteen. I know that Wordfence (see below) will tell me if the WordPress default themes have been tampered with.
3. I’ve cut down on the number of plugins I’m using.
Again, the hack of my sites did affect several plugins. If I don’t REALLY need it, then I won’t install it.
All of my sites have these security plugins installed. These three plugins are free (though two have paid options).
1. Lockdown WP Admin
Here’s how the authors describe this tool: “Lockdown WP Admin conceals the administration and login screen from intruders. It can hide WordPress Admin (/wp-admin/) and login (/wp-login.php).”
In other words, you can change your default login page yourdomain.com/wp-login.php to anything you want.
For example, make it yourdomain.com/timer-login.php.
Remember, many hackers start off by trying to log in to your site using the default login page and the user name admin. If you change the URL for the login page, they can’t even try to log in!
2. Bullet Proof Security
BPS secures your .htaccess file so that hackers can’t access it. I’ll admit I don’t really understand how it works. It was recommended to me by a friend who does understand these things.
It’s a bit daunting to set up the first time. Look here and follow the instructions under BPS Setup Steps:
3. Wordfence Security
Their main website is: http://www.wordfence.com/. It’s worth looking at the main site to see the map of real-time attacks that are being blocked.
Wordfence Security verifies your website source code integrity against the official WordPress repository and shows you the changes. They also do this for plugins and themes in the WP repository.
Note that this means if you are using premium plugins and themes, they won’t be in the WP repository, hence they are not checked for changes. That’s why I’m using the default WordPress themes whenever I can.
You can use the default settings with Wordfence Security. I prefer to tighten them up a little bit. For example, I decrease the bad login attempts from 10 down to 5.
There are no conflicts with Bullet Proof Security and Wordfence. Use them both to sleep better at night.
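To make the integrity check concrete, here is an added Python example (not Wordfence’s code and not part of the original post) that compares a directory against a manifest of known-good hashes and reports modified, missing and unexpected files. The theme files and the manifest are constructed inline; in real use the expected hashes for core files would come from the official WordPress checksums API, which is why MD5 is used here.

```python
import hashlib
import tempfile
from pathlib import Path


def md5_of(path: Path) -> str:
    """Hash a file in chunks so large uploads don't need to fit in memory."""
    h = hashlib.md5()  # WordPress's official checksum manifest is MD5-based
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tree(root, expected):
    """Compare every file under root with expected {relative_path: md5}.

    Returns sorted lists of files whose hash changed ('modified'), files in
    the manifest that are gone ('missing') and files on disk that the
    manifest never listed ('unexpected'), i.e. the three things a file
    integrity monitor for a theme or core directory should flag.
    """
    root = Path(root)
    found = {p.relative_to(root).as_posix(): md5_of(p)
             for p in root.rglob("*") if p.is_file()}
    modified = sorted(f for f, h in expected.items() if f in found and found[f] != h)
    missing = sorted(f for f in expected if f not in found)
    unexpected = sorted(f for f in found if f not in expected)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo():
    """Build a constructed theme directory, tamper with it, then verify it."""
    clean = {"functions.php": b"<?php // clean theme functions\n",
             "style.css": b"/* Theme Name: Twenty Thirteen (constructed) */\n",
             "header.php": b"<?php // clean header template\n"}
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name, body in clean.items():
            (root / name).write_bytes(body)
        # The manifest is taken from the clean copy, before anything changes.
        expected = {name: hashlib.md5(body).hexdigest() for name, body in clean.items()}
        # Simulate the kinds of drift the post describes: code appended to a
        # theme file, a file that should exist removed, and a stray file added.
        (root / "functions.php").write_bytes(clean["functions.php"] + b"// appended later\n")
        (root / "header.php").unlink()
        (root / "extra.php").write_bytes(b"<?php // not in the manifest\n")
        return verify_tree(root, expected)
```

Run `demo()` to see the three categories populated; pointing `verify_tree` at a real theme directory with a trusted manifest gives the same report Wordfence presents as “changes”.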
There are a number of backup programs for WordPress.
From what I can tell, Backup Buddy is the easiest and most flexible.
You can have it set up and running in just a few minutes. It gives you numerous options about when to backup and where to send the backups.
I should mention that Infinite WP also has a backup function built in. So far I have not tried it.