As you all know, the Research Journal was hacked last week. I’ve spend several days cleaning up the mess the idiot left behind. Thank goodness my webhost figured it out because I probably never would have until it was too late.
The email my webhost sent me said that once I deleted the malicious files, I needed to update and secure WordPress. I admit that I’ve been a really lazy Webmaster and Blogger the last three years. I had no clue what “securing my blog” would entail. I was pretty sure duct tape wouldn’t do the trick.
I’ve done quite a bit of reading. I’d like to pass on what I learned this week. Maybe it will help someone else avoid the mess I’ve had to deal with.
These tips apply to wordpress.org blogs that you host on your own webspace (not wordpress.com websites)
1. Always have the newest version of WordPress. WordPress notifies you of updates at the top of the screen. Update to the newest version whenever it becomes available.
2. Remove the user name Admin. Hackers try this first. Here’s how to do it:
Create a new user account that you make up. Do not include the word admin (user or anything obvious) in that name. Give this user Admin rights.
Log out of your blog, then log back in with as the newly created user.
Delete the original Admin user.
(You can’t delete a user account that you are logged in as.)
3. Go through your Plug Ins. Update those that have an update available. Delete any you no longer use.
4. Go through your themes. Delete any old themes you are not using.
5. Check to see if your theme has been updated. If so, install the update. It if has not been updated, and it’s been over a year, get rid of it and install a new theme. The older the theme, the easier it will be to hack.
6. Use FTP and go to the webspace where your blog is located. Delete any old versions of WordPress that you have hanging around. Go through the WordPress subdirectories. If you see old themes and plugins hanging around, delete those folders.
I found that some of the old subdirectories had .htaccess files that prevented me from deleting the folder in FTP. I had to go to my webhost, login, and delete the unneeded .htaccess files from my webspace managemnt utility (it may be called something different on your webhost). From there you can see hidden files like .htaccess. Only then was I able to delete the empty subdirectories.
7. Make sure your password is not easy to figure out. There are articles on the web that help you create them. Change them on a regular basis.
8. Delete any spam comments that you have waiting for approval. I didn’t realize this, but hackers can put scripts that can be run from comments.
The important things to remember are…
Keep WordPress, Themes, and Plugins up-to-date. The older they are, the more likely someone has figured out how to exploit them.
Don’t have a user named Admin. It’s too obvious.
Clean up your webspace from time to time. Remove subdirectories and files that are no longer in use. Don’t leave these around for someone to take advantage of.
Change your passwords on a regular basis.
Be informed about what hackers are up to. Adapt as necessary.
There are probably other things we can do to keep our WordPress blogs secure. These are the things that I’ve done. If I learn anything else, I’ll be doing that, too!
Thank you for taking the time to write about this. I had already changed from admin to another user name and my password is complicated. I do have an old theme, though, and need to change that.
I keep WordPress and plug in versions current, but am afraid to work with ftp and .htaccess files. Do you happen to know of any articles that explain what to look for and eliminate old files?
Angela, thanks for your comment! I hope the tips will help others avoid the problem I had to go through. I’m not sure if this will answer your question, but WordPress has a resource for what to do if you’ve been hacked. Towards the end, it talks about how to identify and eliminate the files. http://codex.wordpress.org/FAQ_My_site_was_hacked