Coming down from the almost 20,000-foot summit of Huayna Potosí I wasn't looking for another mountain to climb. Unfortunately, hackers had another idea: they broke into LivingIF. We had fallen victim to the massive "brute-force" WordPress attack affecting millions of sites across the internet. The physically exhausted me, the one that had just come down from the literal mountain, was forced to scale mountains of techno gobbledygook to figure out what had happened, why, and how to fix the damage.
The quick lesson: LivingIF didn't get hacked for personal reasons; it got hacked simply for being on the internet and because we failed to secure the site.
The hard lesson: getting hacked massively sucks. In fact, recovering may require completely reinstalling your entire website from a backup. (What if you don't have a backup? Ugh... you'll probably need professional help!)
The good lesson: there are simple steps you can take to make your website hackproof. OK, it won't actually be hackproof, but it will make hackers move on to easier targets.
If you have a website, here are five steps you need to take to make sure this doesn’t happen to you.
1. Set up "two-step" authentication. WordPress websites have a standard login page at myblogisgreat.com/wp-admin. Hackers set computers to search for WordPress sites, visit the login page and start pounding in passwords to gain access. What if they can't even get to this page? They'll probably just move on. Here are two ways to add a second authorization step before your login page: lock down your ".htaccess" on your server, or use Google's key generator (the authenticator-app approach).
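Here is the ".htaccess" version of that lockdown as an added example (this is not code from the original post). It is a small POSIX shell helper that appends an Apache basic-auth block in front of wp-login.php, so the bot hits a second password prompt before WordPress ever sees the request. It assumes Apache with `AllowOverride AuthConfig` enabled for the site and a password file you have already created with `htpasswd -c`; every path in it is a placeholder.

```shell
#!/bin/sh
# Added example: a second password prompt in front of the WordPress login.
# Assumes Apache with .htaccess overrides enabled (AllowOverride AuthConfig)
# and an existing password file, created once with, for example:
#   htpasswd -c /home/example/.htpasswd yourname      (placeholder path)
# Keep that .htpasswd OUTSIDE the web root so the web server can never serve it.

# Append the lockdown block to <site_root>/.htaccess, exactly once.
# WordPress rewrites .htaccess for permalinks, so we append instead of overwriting.
add_login_lockdown() {
  site_root=$1        # e.g. /var/www/html (placeholder)
  htpasswd_file=$2    # absolute path of the .htpasswd created above
  htaccess="$site_root/.htaccess"
  if grep -q 'BEGIN login-lockdown' "$htaccess" 2>/dev/null; then
    return 0          # already installed; do not duplicate the block
  fi
  cat >>"$htaccess" <<EOF
# BEGIN login-lockdown
# Send 401s to Apache's own handler so WordPress's rewrite rules cannot loop on them.
ErrorDocument 401 default
<Files wp-login.php>
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile $htpasswd_file
    Require valid-user
</Files>
# END login-lockdown
EOF
}

# Quick check that the block is really in place (returns 0 when it is).
has_login_lockdown() {
  grep -q '^<Files wp-login.php>' "$1" && grep -q '^    AuthUserFile ' "$1"
}
```

Protect only wp-login.php, not the whole wp-admin directory: admin-ajax.php lives in wp-admin and is called by many plugins on the public side of the site, and a basic-auth prompt there breaks them. This gate is a separate password, not true two-factor authentication; the authenticator-app option the post mentions is what gives you a time-based code as the second factor.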
2. Get craZIE!2bEAThackerz with your passwords. Hackers aren't sitting in front of a computer keying in passwords; they're having computers input passwords until one works. Want to beat hackers? Make crazy passwords that mix capitals, symbols and numbers so they're hard to break. A password like "ilovesmalldogs" not only highlights your own personality issues, but is also pretty simple to guess. Mix capitals, symbols and numbers to make it hard on hackers, something like "D@*nPACKerfan8mychEEz".
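To make the "mix capitals, symbols and numbers" rule concrete, here is an added example (not from the original post): a shell check that reports which character classes a password is missing, run against the two passwords above, plus a generator that pulls random characters from /dev/urandom until it produces one that passes the same check. The 16-character minimum is my assumption, not a number from the post.

```shell
#!/bin/sh
# Added example: judge a password the way a brute-force bot's odds see it.
LC_ALL=C; export LC_ALL   # make [a-z] / [A-Z] mean ASCII letters in every locale

# Return 0 if the password is at least 16 characters (assumed minimum) and has
# a lowercase letter, an uppercase letter, a digit and a symbol.
# Otherwise print "weak:" followed by what is missing and return 1.
check_password() {
  pw=$1
  missing=""
  [ "${#pw}" -ge 16 ] || missing="$missing length<16"
  case $pw in *[a-z]*) ;; *) missing="$missing lowercase" ;; esac
  case $pw in *[A-Z]*) ;; *) missing="$missing uppercase" ;; esac
  case $pw in *[0-9]*) ;; *) missing="$missing digit" ;; esac
  case $pw in *[!A-Za-z0-9]*) ;; *) missing="$missing symbol" ;; esac
  if [ -n "$missing" ]; then
    echo "weak:$missing"
    return 1
  fi
  return 0
}

# Generate a random password of the requested length (default 20) from
# letters, digits and symbols, retrying until it satisfies check_password.
generate_password() {
  len=${1:-20}
  while :; do
    pw=$(tr -dc 'A-Za-z0-9!@#$%^&*_+=' </dev/urandom | head -c "$len")
    if check_password "$pw" >/dev/null; then
      echo "$pw"
      return 0
    fi
  done
}

# Usage:
#   check_password 'ilovesmalldogs'          -> weak: length<16 uppercase digit symbol
#   check_password 'D@*nPACKerfan8mychEEz'   -> (silent, exit status 0)
#   generate_password 24                     -> a fresh 24-character password
```

The check only measures what the post talks about (length and character mix); it does not know that "PACKerfan" is a dictionary word, so treat it as a floor, not a guarantee, and use the generator (or a password manager) rather than hand-crafting variations of words you like.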
3. Kill your "admin". OK, that's not what I meant... please put down the gun! I'm just suggesting you have no WordPress, FTP or web server login named "admin". After giving admin privileges to another account, go ahead and kill any accounts named "admin".
4. Delete themes and plugins you're not using... update those you are. Once we overcame the hack I had the wonderful people at HostGator scan my files (HostGator is what keeps LivingIF online). They found that there was another backdoor located in a theme I wasn't using. If you're not using a theme or plugin you're probably not updating it... therefore it may become vulnerable to evil hackers. Delete them! Those you are using... update them!
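Points 3 and 4 can both be done from the command line with WP-CLI, so here is an added example covering them together (this is my script, not code from the post or from WordPress). It assumes WP-CLI (the `wp` command) is installed and that you run it from your WordPress directory; the account names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example: points 3 and 4 with WP-CLI. Run from the WordPress directory.

# Point 3: move administrator rights to a new account, then delete "admin".
retire_admin_account() {
  new_user=$1     # placeholder, e.g. editor-jane
  new_email=$2    # placeholder, e.g. jane@example.com
  # Nothing to do if there is no account literally named "admin".
  if ! wp user get admin --field=ID >/dev/null 2>&1; then
    echo "no 'admin' account found"
    return 0
  fi
  # WP-CLI generates and prints a random password when --user_pass is omitted.
  wp user create "$new_user" "$new_email" --role=administrator
  new_id=$(wp user get "$new_user" --field=ID)
  # Hand admin's posts to the new account so nothing is lost, then delete admin.
  wp user delete admin --reassign="$new_id" --yes
}

# Point 4: delete every inactive plugin and theme, then update what remains.
# The optional argument names one default theme to keep as WordPress's fallback.
remove_unused_extensions() {
  keep_theme=${1:-}
  for p in $(wp plugin list --status=inactive --field=name); do
    wp plugin delete "$p"
  done
  for t in $(wp theme list --status=inactive --field=name); do
    if [ "$t" = "$keep_theme" ]; then
      continue
    fi
    wp theme delete "$t"
  done
  wp plugin update --all
  wp theme update --all
}

# Usage (placeholders):
#   retire_admin_account editor-jane jane@example.com
#   remove_unused_extensions twentytwenty
```

Deleting a theme or plugin removes its files from the server, which is the whole point: the backdoor HostGator found was sitting in code that was never loaded by the site but was still on disk where an attacker could call it directly. Do this after the backup in point 5, and note that "inactive" plugins sometimes hold settings you still want; export those first.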
5. Back up your website. As often as you can, back up your database and website files. It will seem like a waste of time... until you need it. If you do get hacked you will need to restore some files from backups. If you don't have a backup you may have a hard time recovering from a hack.
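Since "as often as you can" really means "from cron", here is an added example of a backup script you can schedule (my code, not the post's): it archives the WordPress directory, dumps the database using the credentials already in wp-config.php, and keeps only the newest few copies so the disk does not fill up. It assumes a standard wp-config.php and a mysqldump client; paths and the retention count are placeholders.

```shell
#!/bin/sh
# Added example: WordPress file + database backup with retention.
# Assumes wp-config.php in the site root and mysqldump on the server.

# Read one define('KEY', 'value') setting out of wp-config.php.
# Usage: wp_config_value /path/to/wp-config.php DB_NAME
wp_config_value() {
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1"
}

# Archive the whole site directory; prints the archive path.
backup_files() {
  site_root=$1    # e.g. /var/www/html (placeholder)
  dest=$2         # backup directory outside the web root (placeholder)
  stamp=$(date +%Y%m%d-%H%M%S)
  mkdir -p "$dest"
  archive="$dest/files-$stamp.tar.gz"
  # -C so the archive holds relative paths and can be restored anywhere.
  tar -czf "$archive" -C "$(dirname "$site_root")" "$(basename "$site_root")"
  chmod 600 "$archive"   # the archive contains wp-config.php, i.e. DB credentials
  echo "$archive"
}

# Dump the database named in wp-config.php; prints the dump path.
backup_db() {
  site_root=$1
  dest=$2
  cfg="$site_root/wp-config.php"
  stamp=$(date +%Y%m%d-%H%M%S)
  mkdir -p "$dest"
  dump="$dest/db-$stamp.sql.gz"
  # Password goes through MYSQL_PWD so it never appears in the process list.
  MYSQL_PWD=$(wp_config_value "$cfg" DB_PASSWORD) mysqldump \
    --host="$(wp_config_value "$cfg" DB_HOST)" \
    --user="$(wp_config_value "$cfg" DB_USER)" \
    --single-transaction "$(wp_config_value "$cfg" DB_NAME)" \
    | gzip >"$dump"
  chmod 600 "$dump"
  echo "$dump"
}

# Keep the newest N file archives and N database dumps; delete older ones.
prune_old_backups() {
  dest=$1
  keep=$2
  for prefix in files db; do
    ls -1t "$dest"/$prefix-* 2>/dev/null | tail -n +"$((keep + 1))" | while read -r old; do
      rm -f "$old"
    done
  done
}

# Usage, e.g. nightly from cron (placeholder paths, keep 7 copies):
#   backup_files /var/www/html /home/example/backups
#   backup_db    /var/www/html /home/example/backups
#   prune_old_backups /home/example/backups 7
```

Keep the backup directory outside the web root and copy the archives somewhere off the server as well: if the attacker gets the server, backups sitting next to the site are the first thing to go. Restore is the reverse (`tar -xzf` into place, `gunzip -c db-....sql.gz | mysql ...`), and it is worth doing a test restore once so you know the backups are actually usable.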
What to do if you've been hacked? I'll outline the steps we had to take in a future post. If you're currently kicking out a hacker and need help, feel free to contact us!
(Borrowed the hacking image and great tutorial on how hackers hack here).