HELP! ALL MY CLIENTS WEBSITES HAVE BEEN HACKED

14 replies (Web Design)
I always design with WordPress and unfortunately, all my clients' sites have been hacked.
Please, what can I do to prevent this from happening again? All suggestions will be appreciated and welcome.
Thank you very much!
#clients #hacked #websites
  • johnben1444:
    Here are a few pointers:

    Step #1 – Keep platforms and scripts up-to-date
    Step #2 – Install security plugins, when possible
    Step #3 – Lock down your directory and file permissions
    • AnniePot:
      In addition to the above, I always install WP Firewall and iThemes Security.

      Over many years, the only website I've had hacked was, ironically, a non-WordPress site - touch wood.
  • ninjaboss:
    There's a WordPress plugin called "Security Ninja" that identifies all your WP site's weaknesses/backdoors. You might want to buy that for your clients.

    Also, don't get themes or plugins from warez sites or other hack forums, because they are normally filled with sketchy code. Always buy WordPress themes and plugins. You'll be happy you did in the long run.
  • georgeweb13:
    Also, you have to BACK UP your sites and your server often.
    Once per month is good, and then you can restore all your sites.
  • RobinInTexas:
    Lots of tips and suggestions here: Hardening WordPress « WordPress Codex

    If you have sites that have been hacked, there is likely one or more back doors left behind
    that will allow them to come back as fast as you repair the sites.
  • Softsell1:
    Bulletproof Security is a great free plugin. I was hacked several years ago and had a phishing expedition installed on my server, which led to my sites and account being shut down. Since I installed Bulletproof I haven't had any problems. The other thing you will want to look at is making your login something other than "admin" if you haven't already. It's relatively easy for a script to brute-force a site that uses "admin" and get the password. Hope this helps.
    Cheers,
    John
  • vaurent:
    You really want to check with your web host. Most hosts run software on the server side that looks for suspicious or malicious activity on the servers. If the intrusion detection doesn't catch anything, the brute-force protections should kick in.

    Most WordPress attacks are actually simple brute-force attacks, because there is no limit on the server on how many times you can try to log in to /wp-admin (a pretty simple brute-force signature).

    Another quick tip is to never leave the default admin account named "admin". Renaming /wp-admin will also help keep you off the radar of botnets and hackers.

    Cheers,
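The point above about unlimited login attempts is easy to confirm from the server's own access log. The script below is an added example, not code from this thread or from WordPress: it parses Apache combined-format log lines, counts failed POSTs to wp-login.php (and xmlrpc.php, which also accepts credentials) per client IP in a sliding window, and reports sources that cross a threshold. The log lines in sample_log() are constructed for illustration, and the threshold of 20 failures in 10 minutes is an assumed starting point to tune, not a WordPress default.

```python
"""Spot wp-login.php brute forcing in an Apache combined access log.

Added example, not code from the thread or from WordPress. The log lines in
sample_log() are constructed; the threshold (20 failed login POSTs from one
IP inside a sliding 10-minute window) is an assumed starting point.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" format, e.g.
# 203.0.113.7 - - [12/Sep/2014:10:15:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# xmlrpc.php accepts credentials too (system.multicall), so it counts as a login endpoint.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]   # drop ?redirect_to=... query strings
    return rec


def is_failed_login(rec):
    """WordPress re-renders the login form with HTTP 200 on a failed login and
    answers a successful one with a 302 redirect, so a 200 on a POST is a failure."""
    return rec["method"] == "POST" and rec["path"] in LOGIN_PATHS and rec["status"] == "200"


def find_bruteforce(lines, threshold=20, window=timedelta(minutes=10)):
    """Return {ip: peak_failures_in_window} for IPs whose failed login POSTs
    reach `threshold` inside any sliding `window`. Lines are assumed to be in
    the order the server wrote them (chronological per IP)."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # expire entries older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def sample_log():
    """Constructed sample: one attacker hammering wp-login.php, one editor who
    mistypes twice then succeeds, plus a GET of the form that must not count."""
    base = datetime(2014, 9, 12, 10, 15, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 4123 "-" "Mozilla/5.0"'
    lines = [fmt.format(ip="198.51.100.20", ts=base.strftime(TS_FMT),
                        method="GET", path="/wp-login.php", status=200)]
    for i in range(25):   # 25 failures in about two minutes from 203.0.113.7
        lines.append(fmt.format(ip="203.0.113.7", ts=(base + timedelta(seconds=5 * i)).strftime(TS_FMT),
                                method="POST", path="/wp-login.php", status=200))
    for i, status in enumerate((200, 200, 302)):   # two typos, then a successful login
        lines.append(fmt.format(ip="198.51.100.20", ts=(base + timedelta(minutes=i)).strftime(TS_FMT),
                                method="POST", path="/wp-login.php?redirect_to=%2Fwp-admin%2F", status=status))
    return lines


if __name__ == "__main__":
    for ip, n in find_bruteforce(sample_log()).items():
        print(f"{ip}: {n} failed logins inside 10 minutes -> block at the firewall or via fail2ban")
```

Run it against a real log with `find_bruteforce(open("/var/log/apache2/access.log"))` and feed the flagged addresses to whatever blocks at the edge (host firewall, fail2ban, the host's own brute-force protection). The 200/302 distinction is what keeps a busy editor who logs in often from being counted; a plugin that changes the response codes on wp-login.php would need the check in is_failed_login() adjusted.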
  • 07knev:
    If you are using the default WordPress login "admin", change it, use a very complex password to log in to the WordPress site, and never save that password with the password reminder in browsers.
  • Himanshu1988:
    The tip below is from a WP book I am currently reading.

    "Moving the wp-config.php out of the root WordPress directory is a good
    security measure, making it nearly impossible to potentially access this file from
    a web browser.

    WordPress looks for the wp-config file in the root directory first, and if it can't find that file it
    looks in the parent directory. This happens automatically, so no settings need to be changed for this to work."
    • twersk:
      (quoting Himanshu1988's wp-config.php tip above)

      Now that is cool. Didn't know that one...
      • Himanshu1988:
        (quoting twersk's reply above)

        Thanks. Further, using .htaccess to restrict access to the WordPress admin area is a good security measure.

        Edit .htaccess and replace xx.xxx.xxx.xxx with your IP address:

        # Apache 2.2 access-control syntax; on Apache 2.4 this form needs
        # mod_access_compat loaded, otherwise use the newer Require directives.
        # Only the listed address can reach the login form; everyone else gets 403.
        <Files wp-login.php>
        order deny,allow
        Deny from all
        Allow from xx.xxx.xxx.xxx
        </Files>
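The file-permission advice earlier in the thread and the wp-config.php placement tip above can be checked mechanically. The script below is an added example, not code from the thread or from WordPress: it walks a document root, flags world-writable files and directories, flags PHP files under wp-content/uploads (a common place for a left-behind backdoor, since uploads should only ever hold media), and locates wp-config.php in the root or its parent the way WordPress does, reporting it if it is world-readable or still inside the web root. The demo tree in build_demo_tree() is constructed for illustration; the expected modes (files 644, directories 755, wp-config.php not world-readable) follow the Hardening WordPress guidance linked above.

```python
"""Audit a WordPress document root for the permission and placement issues
raised in this thread. Added example, not code from the thread or WordPress;
the demo tree is constructed for illustration.
"""
import os
import stat
import tempfile

PHP_EXT = (".php", ".phtml", ".phar")   # anything PHP will execute if requested


def _mode(path):
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit(docroot):
    """Walk `docroot` and return a list of (relative_path, problem) pairs."""
    findings = []
    docroot = os.path.abspath(docroot)
    uploads = os.path.join(docroot, "wp-content", "uploads")
    for root, dirs, files in os.walk(docroot):
        for name in dirs:
            p = os.path.join(root, name)
            if _mode(p) & stat.S_IWOTH:
                findings.append((os.path.relpath(p, docroot), "world-writable directory"))
        for name in files:
            p = os.path.join(root, name)
            rel = os.path.relpath(p, docroot)
            if _mode(p) & stat.S_IWOTH:
                findings.append((rel, "world-writable file"))
            # uploads should hold media only; executable PHP there is a backdoor until proven otherwise
            if p.startswith(uploads + os.sep) and name.lower().endswith(PHP_EXT):
                findings.append((rel, "PHP file under wp-content/uploads"))
    # WordPress reads docroot/wp-config.php first, then falls back to the parent directory.
    inside = os.path.join(docroot, "wp-config.php")
    parent = os.path.join(os.path.dirname(docroot), "wp-config.php")
    cfg = inside if os.path.exists(inside) else parent if os.path.exists(parent) else None
    if cfg is None:
        findings.append(("wp-config.php", "not found in the document root or its parent"))
    else:
        if cfg == inside:
            findings.append(("wp-config.php", "inside the web root; consider moving it one level up"))
        if _mode(cfg) & stat.S_IROTH:   # DB credentials and salts must not be readable by every local user
            findings.append((os.path.relpath(cfg, docroot), "wp-config.php is world-readable"))
    return findings


def _write(path, mode, content="<?php\n"):
    with open(path, "w") as fh:
        fh.write(content)
    os.chmod(path, mode)


def build_demo_tree():
    """Constructed demo: a minimal layout with four deliberate problems."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "public_html")
    os.makedirs(os.path.join(docroot, "wp-content", "uploads", "2014", "09"))
    os.makedirs(os.path.join(docroot, "wp-content", "plugins", "hello"))
    os.chmod(docroot, 0o755)                      # set every directory explicitly, independent of umask
    for root, dirs, _ in os.walk(docroot):
        for d in dirs:
            os.chmod(os.path.join(root, d), 0o755)
    _write(os.path.join(docroot, "index.php"), 0o644)
    _write(os.path.join(docroot, "wp-content", "plugins", "hello", "hello.php"), 0o666)            # world-writable
    _write(os.path.join(docroot, "wp-content", "uploads", "2014", "09", "image.jpg"), 0o644, "JPEG\n")
    _write(os.path.join(docroot, "wp-content", "uploads", "2014", "09", "shell.php"), 0o644)       # PHP in uploads
    _write(os.path.join(base, "wp-config.php"), 0o644)                                             # moved up, but 644
    os.chmod(os.path.join(docroot, "wp-content", "uploads"), 0o777)                                # world-writable dir
    return docroot


def run_demo():
    """Audit the demo tree; return {(basename, problem)} for easy inspection."""
    return {(os.path.basename(p), why) for p, why in audit(build_demo_tree())}


if __name__ == "__main__":
    for name, why in sorted(run_demo()):
        print(f"{name}: {why}")
```

Point audit() at a real document root (for example `audit("/var/www/example.com/public_html")`) and treat every finding as something to fix or explain. Group-readable wp-config.php is deliberately not flagged, because a 440 file owned by the deploying user with the web server's group is the usual correct setup; world-readable is what matters on shared hosting.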
  • Emir Hayric:
    I do not know much about securing WordPress, but I am a network engineer. Assuming you are hosting all of your clients' websites, what does your network security look like? Are you in control of your servers and keeping them up to date? What is the point of entry into your network, and are you using a firewall? Any backups to roll back to?
  • Action Man:
    Hi,

    Further to the above suggestions, which are all great, many businesses now use managed solutions, as doing security completely by yourself can get pretty technical and time-consuming.

    Managed solutions can be expensive, but I found this free one:

    https://www.cloudflare.com/plans

    This will assist in reducing many potential vulnerabilities.

    I am sure other solutions like this exist if you search Google.

    Regards,

    Jim

    PS This article might give us a flavour of how involved security can become, but it has valuable practical suggestions:

    http://blog.sucuri.net/2012/08/wordp...gh-the-bs.html

    (the above site has good paid security solutions also)

    Note: it's interesting that he points out the problem is very often NOT WordPress!
  • Jeff Hope:
    The suggestions given in this thread are generally good practices, and can certainly help prevent brute-force attacks.

    However, server admins know that the vast majority of successful WordPress hacks are achieved by attacking vulnerable plugins, so that a login to WP admin isn't necessary at all.

    That's why it's important to always keep all plugins you're using up to date, and of course that applies to themes and core WP files as well. Use as few plugins as possible, and only use those from reputable sources. Remove all unused themes and plugins (not just deactivate, but delete them). Back up your sites regularly, and store your backup files offsite.