I was always so sure it couldn't happen to me–and equally sure that it just wouldn't. I mean, I'm not a superstar online, so it's not like I'm that much of a target for hackers, right? I've never had any trouble with malware, so I'm not likely to start now, right?
But then, one day, what I was sure wouldn't happen… did.
I got a concerned email from a friend telling me they were getting redirected to some pretty shady websites when they tried to access my site.
I tried to log in to my site, but I couldn't. I tried to log in to my FTP… I couldn't.
Cue the cold sweat and the sinking feeling in my stomach.
I actually felt dizzy when the reality began to settle in: My site was hacked, and I was locked out of it.
I tried remedying the problem myself, and long story short, I realized that though I am expert level on many things in the computersphere, dealing with the aftermath of a hack is not one of them. Many panicky hours and one skull-crushing migraine later, I emerged worn, weary, but wiser. Now, a year and half down the road & having helped several other folks navigate the waters of website damage control, I've learned a few things.
In the interest of saving you the sweat-inducing “I think there's something wrong with your site” email and those panicky hours (or days) that follow, here are the basics* of securing your website.
* This is not a complete list, by any means; this is the bare bones, must-have, “no excuse for not having every single one of these in place within the next hour” security steps.
1. Do not use the “admin” username for your WordPress site.
Also stay away from common generic usernames like administrator, webadmin or support. These sorts of usernames are common targets in brute force attacks.
Others to avoid are those in your URL. For example, my URL is marissabracke.com so I would not want to use “marissabracke” as my username.
If you have a username that you use everywhere on social media, avoid that one too. For example, if your username on the social media sphere is always SammyJ, don't make that your website username too.
2. Choose a strong password.
I know, it's super obvious, but I'm amazed how often folks are still using passwords like “blue6” or “cr@y0n5”. (Using symbols & numbers that resemble letters in place of letters will stop exactly zero hack attempts–every hackbot knows that trick by now.)
It's true: just because it is obvious does not mean it's being put to use.
I'll restate the obvious: Use strong passwords or good passphrases. I know you know this, but for real, DO IT! 😉
Concerned about remembering them all? For password management, I use & happily recommend LastPass.
3. Update your software and plugins.
Keeping out of date software and plugins on your server is sort of like laying out a nice, plush “Welcome” mat for hackers and bots. Some of the biggest widespread malware infections of the recent past came about because of vulnerabilities in out-of-date WordPress installations and out-of-date plugins.
Here's a tip: Even if a plugin or theme is not active, you STILL have to keep it updated. It is a common misconception that deactivating a plugin or theme somehow quarantines it or makes it impervious to malware. That is not at all true. Keep all of your themes, plugins and software up to date–even the ones that aren't currently activated. And if you're not using the theme or plugin anymore, delete it. (You may want to back it up first, juuuuuuuust in case… see tip #5, below.)
No excuses: Keep your software up to date, or hire someone who can do it for you.
4. Do not live without Sucuri for one more minute.
The guys at Sucuri have earned gold stars every time I've needed them. They're fast, they're thorough, they're friendly, and they know their stuff. I didn't get an account with them immediately when I first heard of them because I thought, “Well gee, I don't want to spend $100 per year on something I might not need…” but when the inevitable hack happened, I very quickly realized that the Sucuri subscription pays for itself several times over, the very first time you use it.
Even if you have a Sucuri subscription for three years before your first hack occurs–it will pay for itself several times over the very first time you use it. It is worth every penny and then some.
And Sucuri doesn't just clean up the malware for you: it keeps on the lookout for anything hinky happening behind the scenes of your site, and alerts you the second it finds something. Thanks to Sucuri, a few of the sites I've managed have had malware found, flagged, and resolved before anyone else even noticed anything was wrong.
Seriously: Sucuri. Go, get it now. I am being emphatic in this recommendation.
5. Back up your site! ALL OF IT!
I've seen an awful lot of people stung by running those free Database backup plugins, only to discover when their site gets hacked that whoops–those plugins don't actually back up everything. (It's not just hacks; I've seen a lot of DIY-ers cry a lot of tears when they realize they did something to their site they can't undo, and they can't rollback to the pre-problem site using only the database backup they have.)
You need to back up your database AND all of your important files. And you need to do it regularly. BackupBuddy is good, easy to use software that lets you schedule full backups and database backups of your site, and it can even automatically store the backups on a separate server. That's good, because if your site is in trouble, you may be S.O.L. if all of your backups also live on the same server. Not sure how to get BackupBuddy set up & running for you? Hire someone to do it. It shouldn't take them very long at all.
Do not forgo backing up and securing your site because you don't know how. Either learn how, or hire someone to do it for you. No excuses!
6. Do not rely on your host to take care of your website for you.
I'm surprised at how often I hear someone say, “But doesn't my host just do all of this for me?” In a word, NO.
There are hosts who offer some limited backups, or some level of malware monitoring. But do not make the mistake of assuming that your host is taking care of all of your security. Who has more to lose if your website is the target of a vicious bit of malware: you, or your host? (Hint: the answer is YOU.)
So if your host is providing some of these services, grand–consider them as another layer of security. But you still need to cover your own butt, and cover it thoroughly. Keep in mind: If you ain't looking out for you, ain't no one looking out for you. (Improper grammar aside, that's a good rule of thumb in most situations.)
7. Come to grips with the fact that a hack, or malware, or website apocalypse of some sort is GOING TO HAPPEN.
If you're online long enough, you WILL have the pleasure of the learning & growing opportunity of dealing with a hack, insanely hard-to-remove malware, or the icy feeling in your stomach when you realize you just made a change you reallyreallyreally shouldn't have made.
Even if you're careful. Even if you do everything right. Even if you're the perfectest perfectionist in the whole wide world when it comes to security and best practices. It's just the nature of life online: stuff goes wrong sometimes.
This is why it's downright foolish to put off taking these basic steps with the thought that, “Well, it probably won't happen to me,” or “It hasn't happened to me yet, so it probably won't.” That's a losing bet. That's like walking up to a roulette table and going all in on the hope that it won't be black OR red. It is a bet you absolutely will lose.
8. Whatever excuse you've got for not taking these steps right now will rattle around in your head when the inevitable occurs, and you will kick yourself for not taking action.
Not that I speak from experience, or anything. 😉
Don't be a cautionary tale. Don't learn this the hard way. There's just no reason to. Google “website hacked” and read through the panicky forum posts for a while if you want further proof beyond my word of the fun you're missing out on in the “I've been hacked” experience.
And then, go do these steps. If I can't convince you to do all eight, heck, do even one of them. Let my lessons learned save you a bunch of time & agony, pretty please.
Bottom line: What you're creating online is worth protecting.
If you're online and what you're doing online matters at all–to you, to your livelihood, to your family's financial wellbeing, to the dreams you hope to make come true–then set up some basic protection for it.
An hour now will save you time, money, and oodles of stress on down the road. Take it from me: I learned it the hard way. 🙂