SHOCKING! Last year over 170,000 WordPress sites were hacked!

41 replies
I wanted to get feedback on what everyone else is doing as WordPress security procedures to make sure you're not leaving any doors wide open to hacker attacks. Do you'll use plug-ins? services? How do we make sure our sites are safe?
#170 #hacked #shocking #sites #wordpress #year
  • Profile picture of the author artflair
    The number is so high for last year because a huge number of wordpress users were actually using logins like 'admin' with a '12345' password... I guess changing that would be the first step to protecting your website
    Art
    {{ DiscussionBoard.errors[9243950].message }}
  • Profile picture of the author writeaway
    That's why you need to make sure your plugins are up to date. Apparently, WP is working on this through autonotifcation and other workarounds...
    {{ DiscussionBoard.errors[9243958].message }}
  • Profile picture of the author stephan2307
    I totally agree. The reason so many sites were hacked was because of weak login details and the reuse of the same login details across multiple sites.

    There are many simple things you can do to protect your site like

    1. Don't use admin as admin account user name
    2. Use a unique difficult to guess password
    3. Use a login restrict plugin that locks down the site after a certain number of failed logins
    4. Keep WordPress and plugins up to date

    Just use common sense and you will be fine.

    I also have to point out that there was an estimated 69 million WordPress sites in 2013. So 170,000 sites is less than 0.5% so actually quite small.
    {{ DiscussionBoard.errors[9243987].message }}
    • Profile picture of the author lerxtjr
      You have to be really careful about "just keeping everything up-to-date" and it makes me nervous when I hear people suggesting it. You don't want to just decide one day to click all those update links in your plugins...

      You need to do a full backup of files and database. Then run the updates/upgrades. Then TEST all the parts of your website to make sure your css and custom graphics came over and be willing and able to restore from your backup if something goes wrong that you can't fix.

      Compatibility issues between plugins will sometimes cause you to get the dreaded "white screen" where your website doesn't display properly. In that case, you would have to remove all of the plugins through FTP first and then once the site is functional again, reupload/reactivate each plugin until you find the one that's causing the white screen.

      My point is that success in keeping your WP website current is dependent on your developer knowing well enough in advance to never hard code anything into the theme files...or they're going to get overwritten by your first WP upgrade. Always add custom css files to store css items related specifically to your website.

      NEVER upgrade/update WP or plugins on a Friday night or it could ruin your weekend if you don't know what you're doing.

      Other than that, WP is the "easiest" cms to work with
      Signature

      Come practice your public speaking skills with us FREE every week! SpeakersSpeakLIVE.com >>

      {{ DiscussionBoard.errors[9244055].message }}
  • Profile picture of the author Jdunhin
    Install Wordfence and keep WordPress and plugins up to date. After Wordfence my sites never been hacked!
    Signature

    We handle all your WordPress Content,Theme and Plugins updates!
    iAdminWP

    {{ DiscussionBoard.errors[9244037].message }}
  • Profile picture of the author MyLuckyYear
    I know it might seem obvious to us but I guess a lot of people do use admin and password123 (examples) and then get hacked. But besides what every one has pointed out above, I was wondering why there are so many services that are very expensive. Wordfence is one I was just looking at and then they are different subcategories like:
    Wordpress security hardening
    Wordpress malware & hack clean up

    Precisely that was what I was wondering. Does anyone use those types of services or even wordpress security audits? Are they of any use? Or are they only for really large and popular sites?
    {{ DiscussionBoard.errors[9244242].message }}
  • Profile picture of the author Katie Rich
    I have a good password and username and use Wordfence. Why would you think it is expensive? You can install the free version to start with, which I did initially. It's still really good.
    {{ DiscussionBoard.errors[9244258].message }}
  • Profile picture of the author MrFume
    There is a really under rated, but excellent security plugin called 'WordFence' this not only protects your wordpress site, but speeds it up too, the free version has lots of features-it has saved my sites countless times-you get alerts when would-be hackers are trying to brute force their way in-it just blocks them-worth looking at
    Signature

    Journalism, the profession is undergoing a massive change since the WWW has arrived. I help people to build their personal profile and create a multi-media platform with WordPress, Podcasting, Writing and Video.
    Digital Media for a Noisy World

    {{ DiscussionBoard.errors[9244333].message }}
  • Profile picture of the author Taraka
    I use Captcha and a plugin that blocks more than five login-password input attempts.
    The plugin shows that every now and then there comes some jerk trying to get access to admin panel.
    {{ DiscussionBoard.errors[9244371].message }}
  • Profile picture of the author Katie Rich
    I have just checked my blog and emails. 47 lockouts for attempted 'admin' logins in the last 40 minutes!

    WordFence works.
    {{ DiscussionBoard.errors[9244417].message }}
  • Profile picture of the author Alexa Smith
    Banned
    [DELETED]
    {{ DiscussionBoard.errors[9244470].message }}
    • Profile picture of the author WPGuardNerds
      Some tips on not getting hacked:

      When installing Wordpress, one of the firs things you should do is to delete the "Hello World" posts and the powered by Wordpress tag line in the footer. These 'signatures' are often crawled by hackers as they are indicative of a WP site being new. New sites are often yet to implement security measures. We see a lot of defacement & pharma hacks on new WP installs.

      Install a plugin to limit login attempts to help prevent brute force attacks.

      Make sure to use strong passwords, an admin name that is not admin, and change the admin user role number to something other than "1". Also make sure usernames are different than display names.

      Disable plugin / theme editing from the WP Dashboard.

      For new installs, change the database prefix from wp_.

      Install the iTheme Security plugin (formerly Better WP Security).

      And of course, always keep off server backups in case of any incidents.
      {{ DiscussionBoard.errors[9244638].message }}
  • Profile picture of the author seobro
    Here we see a problem that is even worse. MySQL is a resource pig. Who is the biggest user of MySQL - word press. OK so what does that mean. Basically, we do not have a problem while traffic for your internet presence is near zero. However, once your web site gets max pop. Oh yes, you get a call from your web hosting company. They can no longer host your web pages. Like what is the reason. Actually, they accuse you of excessive resource use. Personally, I recommend using plain HTML for your web pages. Here is why, it allows you to scale up. Yeah, word press is easy. Folks, we are not into this game because it is easy. Do look at the big picture, which is that we want to make money. Just understand that to make money, you are going to need traffic that is massive. Expect bandwidth costs to be your number one expense.
    {{ DiscussionBoard.errors[9244852].message }}
    • Profile picture of the author Jesus Perez
      Originally Posted by seobro View Post

      Here we see a problem that is even worse. MySQL is a resource pig. Who is the biggest user of MySQL - word press. OK so what does that mean. Basically, we do not have a problem while traffic for your internet presence is near zero. However, once your web site gets max pop. Oh yes, you get a call from your web hosting company. They can no longer host your web pages. Like what is the reason. Actually, they accuse you of excessive resource use. Personally, I recommend using plain HTML for your web pages. Here is why, it allows you to scale up. Yeah, word press is easy. Folks, we are not into this game because it is easy. Do look at the big picture, which is that we want to make money. Just understand that to make money, you are going to need traffic that is massive. Expect bandwidth costs to be your number one expense.
      Or get the best of both worlds. A CMS that doesn't use MySQL.


      GetSimple CMS - The Fast, Extensible, and Easy Flat File Content Management System
      http://picocms.org/
      Signature

      {{ DiscussionBoard.errors[9244864].message }}
  • Profile picture of the author Jason Stewart
    Wordpress is a HUGE platform and therefore a big target for hackers. Choose strong passwords, make sure your plugins and wordpress is up to date, and you should be fine.
    Signature

    Beat the competition with better long tail keywords:

    http://keywordstreamer.com

    {{ DiscussionBoard.errors[9244949].message }}
  • Profile picture of the author SonnyKing
    Banned
    I think it has already been said on this post but I will say it again. The large reason why so many of WP sites get hacked because the password and username is generic. It helps by choosing a stronger, more lengthier pass/user. Also brute force plugin works pretty well...
    {{ DiscussionBoard.errors[9245031].message }}
  • Profile picture of the author wyatt2011
    Thanks to all, this is really good information. I will definitely go in change-out Admin and update my passwords on all of my sites tonight. But being a little naive- can you tell me how I would even know if I've been hacked?

    Thanks again, Angela
    {{ DiscussionBoard.errors[9245077].message }}
  • Profile picture of the author renukoot
    I would suggest that:-
    1) Should have good hosting account - avoid free hosting
    2) Update all thing regularly
    3) Keep some security plugins always or secure software
    4) Don't ever use the obvious passwords or admin as user name
    5) Try avoiding free themes from internet
    6) ALWAYS BACKUP
    7) Regularly watch login attempts and if anything suspicious found - changes passwords and try limit login for failed attempts.
    Signature
    www.caressl.com - Upto 75% Discount on SSL Certificates & Website Scanner. If you don't find what you looking for, raise a support query and we will get you that SSL Certificate.
    {{ DiscussionBoard.errors[9245142].message }}
  • Profile picture of the author yukon
    Banned
    Most people don't understand the difference between being hacked & inviting trouble.

    The biggest problem is base64 scripts built into the free plugins/themes before it's ever installed on WP sites.
    {{ DiscussionBoard.errors[9245164].message }}
  • Profile picture of the author Corey Geer
    That doesn't seem too shocking actually.

    I deal with clients all the time that have logins like "Admin" for both the user and the password. It's scary how easy it is to get into someone's database and find a password.

    I randomly generate all of my passwords to look something like:
    +1@jou$z*9W(

    They're always random. You also have people who have been keylogged, but that's an issue aside from Wordpress.
    Signature

    Skype: Coreygeer319

    {{ DiscussionBoard.errors[9245184].message }}
  • Profile picture of the author Vincent Denali
    My WP site was hacked. I did not use admin as a user name and had a strong password but there was enough holes that they easily got through. I have implemented several security plug-ins to help detour any future hacks. It's still is not 100% safe but a lot better than before the incident. It was a tough learning lesson. Even if you secure your WP site, if your on a shared server you are still vulnerable to server-side hacks if the other domains on the sever fail to implement proper security measures.
    {{ DiscussionBoard.errors[9245456].message }}
  • Profile picture of the author troy23
    Yes it's a truly awful platform.
    {{ DiscussionBoard.errors[9245474].message }}
    • Profile picture of the author Corey Geer
      Originally Posted by troy23 View Post

      Yes it's a truly awful platform.
      So, because a small sample of the massive number of Wordpress sites out there got hacked, it's an awful platform?

      It's the number one platform for websites in the world because you can literally customize it to look and do whatever you want.

      I don't think hackers getting through via vulnerabilities or people choosing stupid passwords makes a platform awful. Believe me, hackers and anti-hacker security is always an on-going battle.
      Signature

      Skype: Coreygeer319

      {{ DiscussionBoard.errors[9245828].message }}
      • Profile picture of the author Jason Stewart
        Originally Posted by Corey Geer View Post

        So, because a small sample of the massive number of Wordpress sites out there got hacked, it's an awful platform?

        It's the number one platform for websites in the world because you can literally customize it to look and do whatever you want.

        I don't think hackers getting through via vulnerabilities or people choosing stupid passwords makes a platform awful. Believe me, hackers and anti-hacker security is always an on-going battle.
        It's insecure by design. For example, allowing the writing of files on the filesystem (htaccess/robots.txt, etc)... This allows easy administration but at a steep price.

        Like you, I would not agree that WP is awful though. The ecosystem of plugins, themes, and add-ons make it a truly awesome platform to create quick content sites.
        Signature

        Beat the competition with better long tail keywords:

        http://keywordstreamer.com

        {{ DiscussionBoard.errors[9245957].message }}
  • Profile picture of the author SEOJerry
    Wordpress sites are easy to hack if they are created with Fantastico. If you dont want your site hack do a manual install.
    {{ DiscussionBoard.errors[9245939].message }}
  • Profile picture of the author MyLuckyYear
    All great feedback and thoughts. Thanks guys for replying to my thread and providing great insight.

    A member asked a good question above. For those of us noobs and non techy inclined, how do we know when we are being hacked. After implementing all the safe strategies, how would we know? Will it always be obvious like site down? Or are there sneaky things hackers do where we don't even know somethings wrong?
    {{ DiscussionBoard.errors[9245990].message }}
  • Profile picture of the author Travis Wade
    I use the free InfiniteWP program to manage and update all my wordpress sites at once. I haven't had a problem with hackers since I started doing this everyday. I also make sure to remove old plugins and themes that are inactive as well.

    I just recently started using ithemes security on my sites and have seen a lot of blocked brute force attempts and where people have tried to access certain blocked files. It seems to be doing a good job keeping my sites safe.

    You are never hacker proof but if you can frustrate their attempts enough they might just move on to something else hopefully. Update daily and use some form of security. This will keep 99% away.
    {{ DiscussionBoard.errors[9246014].message }}
    • Profile picture of the author MyLuckyYear
      Thanks but anyone know the answer to how do we find out if we're being hacked without availing of any services or plugins ?
      {{ DiscussionBoard.errors[9250474].message }}
      • Profile picture of the author Travis Wade
        Originally Posted by MyLuckyYear View Post

        Thanks but anyone know the answer to how do we find out if we're being hacked without availing of any services or plugins ?
        The only real way to know is to have some kind of security program in place that reports back to you. I use ithemes security plugin and it tells me who has tried to login and from what IP so I can block it. It also tells me if files have changed, which is a common way they hack your site by adding files like html and php files to mark your site as being hacked. These security programs will email you instantly when something is going on so you can react if needed.

        Without a plugin or service, you can go file by file to see if something has changed. You can search directories for files that shouldn't be there. If you have root access to your webhost (vps or dedicated) you can check the firewall logs but they usually don't reveal much in regards to site specific hack attempts. There has to be some system in place for monitoring, reporting and recording access attempts. Otherwise, you will never know you have been or are being hacked. They usually just deface a page or the main site with their stuff. Sometimes add another page and leave your site alone completely so you will never know. It depends on what level of access they can gain.
        {{ DiscussionBoard.errors[9250818].message }}
  • Profile picture of the author Alex The Lion
    A lot of hacks were through brute force, which basically means spamming different common passwords until the door opens.

    One method for preventing some of this is to install a plugin that locks you out after X number of attempts
    {{ DiscussionBoard.errors[10385596].message }}
  • Profile picture of the author Dave37
    One of my site got hacked before and I discovered it a few months later because I didn't visit the site for a while. I tried to do a restore from my hosting's CP but it didn't work since the hack has occurred over a month from that time.

    So my suggestion would be to first ensure that your hosting company backs up your data on a daily, weekly and monthly basis; and check your website often, even if you just load the home page, just to make sure everything is alright.
    {{ DiscussionBoard.errors[10385626].message }}
  • Profile picture of the author Saad4u
    The most important factor is to change the username for admin and keep some really tough password that cannot be guessed easily.. !! I think WP have kept some efforts on increasing their security ...
    {{ DiscussionBoard.errors[10386522].message }}
  • Profile picture of the author godinu
    I have 4 or 5 wp sites on shared hosting and they ALL got hacked. Once one is hacked, the others are just as easily.

    Here's what I've learned:

    -use a plugin to change your login page so it is no longer the default wp-admin
    install security apps such as securi or siteguard that will notify you when someone tries to log in
    -do not use a basic password such as simple words, numbers
    -add math captcha or another form of captcha so a bot can't easily crack in.
    -do not use "admin" as a name. Change the admin name to something other than the name of your site. For instance, if your site is booksrule.com, do not use "booksrule" as your username.
    - run site scans with securi/whatever you choose if you suspect anything fishy at all. I first thought my hacked site was a simple javascript injection in a header, but it is much, much worse. There's an entire Chinese store hidden on one of my sites thanks to the hackers.
    {{ DiscussionBoard.errors[10392372].message }}
    • Profile picture of the author Jill Carpenter
      Last number I heard was that WP powers about 25percent of the web - so that number you gave of sites is relatively small and most likely quick site put up with not much thought put into security.

      There is a thread in the war room which I pointed out recently which I personally found helpful:

      http://www.warriorforum.com/war-room...urity-wso.html

      There are more resources in there as well and some plugins in the room.
      Signature

      "May I have ten thousand marbles, please?"

      {{ DiscussionBoard.errors[10392519].message }}
  • Profile picture of the author vishwa
    In my opinion if you are insensitive about your WordPress site security and doesn't take any precaution than you will probably get hacked by hackers.
    Signature
    Techbizmasters.com- Blogging, Technology, and Digital Marketing
    {{ DiscussionBoard.errors[10394895].message }}
  • Profile picture of the author urmilp
    I use Wordpress as my main platform of choice for both my own websites and those I do for clients.

    However, being an open source platform (which basically means anyone can see the code), hackers love to try to manipulate the code to get access for their own benefit.

    As more and more people set up more and more websites using Wordpress, the opportunity for hackers grows, especially considering most people setting up their first sites are often not as aware of the need for security.

    Here's what I recommend to protect yourself from getting your websites/businesses hacked:

    1. CPANEL USERNAME (your web hosting could get hacked!)
    -Never use the first 7-8 letters of your domain name as the CPANEL username, when you set up your web hosting.
    -use something random, and make sure its different to your wordpress username

    2. Wordpress USERNAME
    -Never use "admin" as your wordpress username.
    -Never use your domain name or a shorter version of it as your wordpress username.
    -Choose something completely random
    -Go into your WP dashboard and into USERs and change your "Display name publicly as" option, so it doesn't display your username when you make posts.

    3. CPANEL & Wordpress PASSWORD
    -Never use simple patterns like "12345abcde". Hackers use software to systematically try all of these.
    -Never use the same password for your CPANEL & WORDPRESS accounts
    -Always ensure your CPANEL & WORDPRESS passwords are different, but also ensure they are NOT the same as password you use for things like your email (hotmail, yahoo, gmail) etc...

    TIP: running an online business means the number of usernames and passwords you'll create will increase and to keep safe, you need to try not to use the same ones for different websites.

    I use 1Password from a company called AgileBits. I've used them ever since they launched and they are amazing.
    Check them out, if you need help managing your passwords. (I have no affiliation with them, I just find their product extremely useful).

    4. KEEP WORDPRESS UPDATED
    -Ensure your Wordpress Version is the latest one and always updated.
    -You can do this simply within your WP dashboard, just click the Updates menu in the left.
    Normally if there is a newer version of wordpress, you'll see a message alert at the top of the screen in your WP dashboard.

    5. UPDATE PLUGINS and THEMES
    -Ensure the wordpress themes and plugins are up to date. This is one of the easiest ways for hackers to take control of your website. Its a simple fix. Just login into your WP dashboard and if you see any number in a RED circle, next to the word "Updates" in the left column, then click 'Updates' and see what needs updating.

    6. FAILED Login Attempt Protection
    -Most hackers don't know your password and username or at least the combination. So to hack into your website, they must make multiple attempts with different username and password combinations. The easiest way to stop this is to restrict the number of times someone can try to log into your wordpress site with the incorrect username and password.
    -use a wordpress plugin like Login Lockdown or WordFence.
    My preference is WordFence.

    7. WEBSITE MONITORING
    -Finally you could pay for subscriptions of services like Sucuri Security, to monitor and protect your websites.
    Ultimately if you run a full time online business, having your site hacked and being unable to reach your audience and sell your products and services is NOT a risk worth taking. A solution like Sucuri (at sucuri.net - again, I'm not affiliated with them), will monitor your website, protect it and if in the event it gets hacked help fix the problem fast, and probably before you even realise it's been hacked.


    Having you website hacked and losing control of it is one of the biggest problems you can face as an online business owner.

    You can however, using some or all of the steps above, really minimise your chances of being this happening to you.

    Protect your sites today, because you'll be kicking yourself if you don't!
    {{ DiscussionBoard.errors[10395208].message }}
    • Profile picture of the author oadvantage
      I used to get hacked, until I tried WordFence. It's free.
      {{ DiscussionBoard.errors[10395266].message }}

Trending Topics