So you wake up one morning to a voice mail or email that says to go look at your website and when you bring up your usual web address you see this in place of your website.
It is an all too common occurrence. But more often than not if your site is hacked, you may never even know about it.
We finished out 2012 urgently moving 4 sites for a client from their previous hosting provider to our servers. The move wasn’t typical: we had to complete it within days and we did not have access to the previous sites. We had to search for backups and our own files and piece the sites back together. You see, there was a problem with the previous sites. One of them had been hacked, the hosting company had shut down access to all 4 of the sites, and our client was missing out on new business.
In this case the sites had not been defaced by the hacking. Instead the hackers had installed a spamming program to blast out emails. Regardless of what platform your website runs on, hacking or unauthorized access is a real problem. And in the case that our client experienced, your site could be hacked and you would never even know about it unless your hosting provider informs you.
Our server administrators work around the clock monitoring our hosted sites for performance issues and suspicious behavior. And as a result, we regularly receive abuse report notifications such as the one below.
Your site admins should take similar measures when suspicious activity is noticed on your site. In the case of our client mentioned earlier, the web hosting company decided to shut down all access to the sites instead of blocking the malicious software. It is a good idea to find out what your hosting provider will do in such an instance before it happens. The goal should be to have everything back up and running with minimal disturbance to site visitors.
Like I said, every website is vulnerable to hacking. But today we are going to look at some particular vulnerabilities in the WordPress platform. Many of these same vulnerabilities are shared across all content management systems with functionality similar to WordPress. As we know, WordPress has become a very popular site platform, even for very large sites. With that popularity comes the benefit of a well-tested, actively developed, very stable and feature-rich platform. But it also means that a hacker who finds a vulnerability has access to many more sites. So here I am going to lay out for you the four most common vulnerabilities in WordPress. For any one of these you could replace WordPress with your content management system of choice and the vulnerabilities are about the same.
Using WordPress themes from an untrusted source
WordPress themes are one of the coolest features of WordPress. Clients love to see how their site can completely change in look and feel with only a couple of mouse clicks. A huge advantage of WordPress, or any well-designed CMS, is the separation of content from design, which allows for this easy switching of themes. But before you can switch your site's look and feel to a new theme, someone must create that theme. And whoever creates the theme for you has the capability to open a back door into your site.
Just as you would only hire a locksmith you trust, you should have complete trust in whoever is developing your WordPress theme.
Using WordPress plugins from an untrusted source
Plugins are one of the primary reasons for the widespread use of WordPress. Plugins allow for the easy customization of any WordPress installation. Plugins power the common social media buttons, forms and analytics you see on sites across the web. And just like themes, plugins are a prime route for gaining unauthorized access to a site. When choosing plugins for your site, you should only install from a trusted source and only install plugins that are still actively developed.
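Trusting the source is the first line of defense for both themes and plugins, but a site admin can also review what a theme or plugin actually contains before activating it. The script below is an added example (it is not code from the original post and not part of WordPress itself). It walks a theme or plugin directory and flags PHP constructs that legitimate themes rarely need but that injected back doors commonly rely on, such as eval() fed by base64_decode(), obfuscation helpers and shell-execution functions. The sample theme it builds is constructed for the demo: one clean template and one footer.php carrying the classic eval(base64_decode(...)) line with a placeholder string. A hit is a reason to read the file, not proof of compromise.

```python
"""Flag PHP constructs in a theme or plugin directory that warrant manual review."""
import os
import re
import tempfile

# Constructs that legitimate themes and plugins rarely need but that
# injected back doors commonly use. Each hit means "read this file".
SUSPICIOUS_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "obfuscation": re.compile(r"\b(gzinflate|gzuncompress|gzdecode|str_rot13)\s*\("),
    "dynamic_function": re.compile(r"\bcreate_function\s*\("),
    "shell": re.compile(r"\b(system|shell_exec|exec|passthru|popen|proc_open)\s*\("),
    # A quoted blob of 200+ base64 characters is a common way to hide a payload.
    "long_b64_blob": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}


def scan_php_source(source: str, path: str = "<memory>") -> list:
    """Return one finding per (line, rule) match in a PHP source string."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(line):
                findings.append({"file": path, "line": lineno, "rule": rule,
                                 "text": line.strip()[:80]})
    return findings


def scan_tree(root: str) -> list:
    """Scan every .php file below root and collect findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            if not fname.endswith(".php"):
                continue
            fpath = os.path.join(dirpath, fname)
            with open(fpath, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_php_source(fh.read(), os.path.relpath(fpath, root)))
    return findings


# Constructed sample theme (not a real theme): a clean template and a
# footer.php with the classic eval(base64_decode(...)) pattern. The base64
# string is a placeholder that decodes to 'ABC'.
CLEAN_TEMPLATE = """<?php
get_header();
while ( have_posts() ) : the_post();
    the_content();
endwhile;
get_footer();
"""

TAINTED_FOOTER = """<?php
wp_footer();
$x = 'QUJD';  // constructed placeholder, decodes to 'ABC'
eval(base64_decode($x));
"""


def build_sample_theme() -> str:
    """Write the constructed sample theme to a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="sample-theme-")
    with open(os.path.join(root, "index.php"), "w", encoding="utf-8") as fh:
        fh.write(CLEAN_TEMPLATE)
    with open(os.path.join(root, "footer.php"), "w", encoding="utf-8") as fh:
        fh.write(TAINTED_FOOTER)
    return root


def demo() -> list:
    """Build the sample theme, scan it and return the findings."""
    return scan_tree(build_sample_theme())


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}:{f['line']} [{f['rule']}] {f['text']}")
```

Point scan_tree() at wp-content/themes/<theme> or wp-content/plugins/<plugin> before activating it. Expect the occasional legitimate hit (some plugins do decode base64 assets); the value is in reading those few lines yourself rather than trusting a download blindly.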
Using weak WordPress passwords
OK, this one shouldn’t be news to anyone. You always want to use strong passwords on the web. If your password can be found in a dictionary, it is only a matter of time before your site is hacked. The best trick I know of for creating strong passwords that aren’t hard to remember is to use sentences with punctuation. Everybody loves to use their pet’s name or spouse’s name for a password, and that is fine. But put it into sentence form first and you will end up with a strong password. Here’s an example for my wife Angie.
“MywifeisAngie!” or I could improve it further with the year we were married, “In2001mywifeisAngie!” — there you have it, a strong password that is easy to remember.
Not updating your WordPress installation
A huge benefit of the popularity of WordPress is the frequent release of WordPress updates. Vulnerabilities can be found in any software. The key to quality software is how quickly vulnerabilities are found and fixed in a new release. On average WordPress releases about 12 updates per year. Most of these updates are minor, but generally there are 3 or 4 each year you want to take notice of. In fact, WordPress is in such wide use and keeping your installation up to date is so important that even Google sends out reminders to WordPress site owners through Webmaster Tools. Chances are, if you are running WordPress, your webmaster has received a message similar to the one below.
You can read more of what Google says about site updates here. WordPress is currently on version 3.5 and you can always access the latest version here. Much like a car wreck, it is easy for us to think it won’t happen to us. But once it happens, it is too late. Ask your webmaster if they have updated your WordPress or other CMS system recently. If they haven’t, get an update scheduled and if possible have them schedule regular updates (every 3 to 6 months) to ensure your site is always protected.
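A webmaster does not have to wait for a reminder from Google to know whether a site is behind. WordPress records its own version in wp-includes/version.php, and the project publishes the current release through its version-check API. The script below is an added example (not the post's own code and not a WordPress component) that reads the installed version from that file, compares it with the latest release, and tells you whether you are looking at a maintenance/security update (third number changed, e.g. 3.5 to 3.5.1) or one of the larger releases the post says to take notice of (second number changed, e.g. 3.5 to 3.6). The version.php snippet and the API response embedded here are constructed for the demo; the JSON shape (an offers list whose first entry carries a current field) is assumed from the real service, and fetch_latest_live() is the only part that touches the network.

```python
"""Compare an installed WordPress core version with the latest release."""
import json
import re
import urllib.request

# Real endpoint used by WordPress itself to learn about new releases.
VERSION_CHECK_URL = "https://api.wordpress.org/core/version-check/1.7/"

# Constructed stand-in for the API's JSON; only the fields used here are
# included and the shape is an assumption about the live service.
SAMPLE_API_RESPONSE = json.dumps({
    "offers": [{"response": "upgrade", "current": "3.5.1", "version": "3.5.1"}]
})

# Constructed snippet in the form of wp-includes/version.php.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '3.5';\n"


def parse_installed_version(version_php: str) -> str:
    """Pull the $wp_version string out of wp-includes/version.php."""
    match = re.search(r"\$wp_version\s*=\s*'([^']+)'", version_php)
    if not match:
        raise ValueError("no $wp_version assignment found")
    return match.group(1)


def version_tuple(version: str) -> tuple:
    """'3.5' -> (3, 5, 0); release versions only (no beta/RC suffixes)."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def latest_version(api_json: str) -> str:
    """Read the current release from a version-check API response."""
    return json.loads(api_json)["offers"][0]["current"]


def classify_update(installed: str, latest: str) -> str:
    """Say whether an update is due and whether it is a minor or major release."""
    inst, lat = version_tuple(installed), version_tuple(latest)
    if inst >= lat:
        return "up to date"
    if inst[:2] == lat[:2]:
        return "minor"   # same major.minor line: maintenance/security release
    return "major"       # new minor line: one of the releases to take notice of


def fetch_latest_live(timeout: float = 10) -> str:
    """Ask the real API for the latest release (network access required)."""
    with urllib.request.urlopen(VERSION_CHECK_URL, timeout=timeout) as resp:
        return latest_version(resp.read().decode("utf-8"))


def check(version_php: str = SAMPLE_VERSION_PHP,
          api_json: str = SAMPLE_API_RESPONSE) -> dict:
    """Combine the pieces into one report dictionary."""
    installed = parse_installed_version(version_php)
    latest = latest_version(api_json)
    return {"installed": installed, "latest": latest,
            "status": classify_update(installed, latest)}


if __name__ == "__main__":
    print(check())
```

To run it against a live site, read wp-includes/version.php from the server and pass fetch_latest_live()'s result in place of the sample JSON; a "major" result is the kind of release worth scheduling with your webmaster rather than leaving to the next 3-to-6-month window.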