It has been about 5 years now that I have been designing websites almost exclusively in WordPress and after awhile it was bound to happen. Malware. Hacking. Bad Code Injected. Site Down! The first time I panicked…well every time I panic but now I panic less. Now I know where to go for help! Now I know how to protect my sites and train clients on how to protect theirs.
Having a site go down is no fun, especially when you learn it was from a “bad guy” (really a bad robot) who figured out how to get into a back door of your site. Often times I am asked “Why would they do that?” Quite frankly, because they can.
In fact, recently I logged into a non-profit school website and plastered all over the home page was “I am Muslim and Islam is my Way of Life” with very loud and obnoxious music playing in the background. The interesting thing is that the hijacked home page also listed who hacked it. I visited the website and sure enough the school website was listed in a long string of growing sites that were hacked during a hacking contest! Much of the time the answer to why so many sites get hacked is for fun, for glory or for marketing the hackers’ own message or purpose. You can see it worked for me – I went to the hackers website to find out more. There is no way I am telling you the website; they get no more recognition or visits from me!
This is just one example of many that I have seen. Some others: Viagra messages were dropped all over a singer songwriter website. Logins were hijacked on an artist website and he couldn’t log in to grab his work. The home page on a seafood market’s site was completely blank with no message at all. Any of these situations could cause a severe loss in business.
So the question is not Why but How & What. How do you protect your site from being brought down? What do you do if your site is hacked?
You must be diligent with protecting your website asset because a loss could be a matter of starting all over and a major loss of income.
STEP 1: Develop a Backup System & Schedule
First of all it doesn’t hurt to know if your hosting company is making backups of your site and even email accounts. Ask them if you can access them. My hosting company makes daily backups which has saved me a couple times when I failed to create a backup schedule. But DO NOT RELY solely on this method. What if your hosting server is down and you cannot get to your backup files? It is like leaving important documents in a locked cabinet in your house. It will not make any difference if the cabinet then burns down. A copy of those important documents should also be kept away from the house as well.
There are several WordPress plugins that can be downloaded for backups – some are better than others; some are free and others you pay for. When it comes to a good backup system, you don’t want to skimp, because it is not how well your site is backed up but how easy it is to restore with that backup.
I have 2 favorites: Vaultpress and Backup Buddy. Honestly Backup Buddy is mostly what I use primarily because it backups and restores so seamlessly and quickly. I have moved sites between servers in literally minutes with Backup Buddy. Files can be backed up to off site cloud storage such as Dropbox, Amazon S3 and in Backup Buddy’s Stash which is what I like to use. Vaultpress works well too but I find it a bit slower to backup. However it is a little easier to understand for a newbie when it comes to backing up and restoring.
Scheduling your backups will take a lot of worry off your shoulders. The schedule I generally like to use for a site that gets updated 2-3 times a week is to backup the database weekly and the entire site monthly.
STEP 2: Update WordPress & Plugins Regularly
After you have your backup system in place, then you can be confident about updating all those plugins and WordPress. There are times where plugins can break code in a site and you will have to restore the backup so it is important you backup before your update.
Updating WordPress versions and plugins is crucial. Not doing so invites “bad bots” to visit your site and sneak in through an open door.
STEP 3: Add Security Measures
It used to be that Step 1 & 2 were just about all you needed to keep your WordPress website safe. Lately though it doesn’t seem to be enough. Plugins can have malware and you don’t know it. Passwords can be too weak. Install a feature rich security plugin called Wordfence that will protect your files from being changed by anyone else but you and block attackers trying to log into your site. The plugin will start by scanning your site for infections. Then it provides you with recommended steps to take to further protect your site. A bit of a warning here. At first you will be shocked at how many messages you receive from unknown users trying to log into your website. This is actually normal. There are automated bots trying to log into every WordPress site all the time. It is if they get in when its a problem. Wordfence is always working hard and will send you lots of email notifications as a default. I suggest turning off a majority of them by reading through the settings.
Where to Go When Your Site is Hacked
What if your site gets invaded and then flagged by Google for having malware? Yes, Google puts a big ol’ “This site might be infected by Malware” flag in your search description if they notice something fishy. How embarrassing. Is my site doomed?
No it is not. There are heroes to the rescue…but they are expensive heroes. Securi is a service that scans your site for free and will clean your site plus clear your domain name with Google starting at $200. They will do it fast too! Usually within a couple hours. I have gone to cheaper services but these guys are the best. They have cleaned 5 really bad hacking jobs for me. If you have come to the point in your business where you are at a loss if your site is down, hiring Securi is money well spent. The key is to protect your site first so you never have to use their service.
Why all this madness? You just want to run your website, not deal with nondescript maniacs who want to bring your site down for thrills. The reason is WordPress is a FREE platform and it is plain awesome because of its flexibility and ease of use. Wordpress has far outpaced any other Content Management System and is now running 25.5% of the worlds websites. So despite some critics of the security issues with WordPress, if you protect your site, it is more than worth it to stick with this solid platform.
WordPress Security & Maintenance Services
Now if you got this far and all of this seems like a big pain and you just don’t have the time, then let us help! Cascade Valley Designs offers you the peace of mind that your site is properly backed up, updated and secure. For a monthly fee we will take good care of your site, monitor for break ins and protect your valuable online asset.