How much thought do you devote to protecting your WordPress website?

I want to share something that happened to me this week. I came home from a nice lunch with friends to both an email and urgent voicemail message from a client saying someone had hacked their website and their URL redirected to a porn site. This is a relatively large client of mine that gets a decent number of visitors to their website each day, so there was a good reason for the panic.
When I heard the message and the panic in my client’s voice, my only thought was to get this problem fixed ASAP. But I wasn’t worried because I know I have measures in place for exactly this sort of thing. But more on that later.
WordPress is the most popular CMS in the world, and that popularity also makes it the most frequently targeted. Fortunately, the WordPress project is on the ball and releases regular updates to patch security holes as they are found. But patching is, by its nature, a reactive process: a fix can only be issued once a vulnerability is known, and it only protects your site once you have actually installed it. WordPress core itself has a strong security record; the much larger attack surface is the massive ecosystem of third-party plugins and themes, each maintained (or abandoned) by its own developer. That's why you should have measures in place for protecting your WordPress website and those of your clients, rather than relying on updates alone.
It’s not good enough to rely on what your web host provides as part of your hosting package. You need to have your own measures in place. Those measures need to include both a security plugin and a backup plugin.
Step 1: A WordPress security plugin
By installing a WordPress security plugin, you’ll get access to additional features that WordPress doesn’t have right out of the box, including things such as:
- Site, file, and malware scanning
- Protection from brute force login attacks (locking out an address after repeated failed logins)
- Scheduled security scans, monitoring, and notifications
- A site firewall that blocks known-bad requests before they reach WordPress
- Overall hardening of WordPress's default configuration
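To make "protection from brute force attacks" concrete, here is an added example (my own illustration, not code from this page or from any of the plugins named above) of the rule a login-lockout feature applies: read the web server's access log and lock out any client that fails to log in five times within five minutes. The sample log lines, IP addresses, threshold and window are all constructed for the example. The code assumes default WordPress behaviour, where a failed wp-login.php POST re-renders the form with a 200 and a successful one redirects with a 302, and it also counts POSTs to xmlrpc.php, which is a second common brute-force channel.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# One line of an Apache/nginx "combined" access log: client IP, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (documentation-range IPs, not real traffic). 192.0.2.9 spreads
# five failures over twelve minutes, 203.0.113.10 fires six in six seconds, 198.51.100.7
# is a real user who mistypes once and then succeeds, 203.0.113.55 probes xmlrpc.php.
SAMPLE_LOG = """\
192.0.2.9 - - [12/Mar/2024:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3251 "-" "curl/8.0"
192.0.2.9 - - [12/Mar/2024:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3251 "-" "curl/8.0"
192.0.2.9 - - [12/Mar/2024:10:06:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3251 "-" "curl/8.0"
192.0.2.9 - - [12/Mar/2024:10:09:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3251 "-" "curl/8.0"
192.0.2.9 - - [12/Mar/2024:10:12:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3251 "-" "curl/8.0"
203.0.113.10 - - [12/Mar/2024:10:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3251 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2024:10:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3251 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2024:10:15:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3251 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2024:10:15:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3251 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2024:10:15:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3251 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2024:10:15:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3251 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:16:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:16:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3251 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:16:35 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.55 - - [12/Mar/2024:10:20:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "python-requests/2.31"
203.0.113.55 - - [12/Mar/2024:10:20:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "python-requests/2.31"
"""


def is_failed_login(method: str, path: str, status: int) -> bool:
    """Assumed default WordPress behaviour: a failed wp-login.php POST re-renders the
    form (200) while a successful one redirects to wp-admin (302). Every POST to
    xmlrpc.php is counted too, since that endpoint answers 200 even to bad credentials
    and is a common brute-force channel (legitimate XML-RPC clients would be caught
    as well, so exempt them if you rely on it)."""
    if method != "POST":
        return False
    if path.startswith("/wp-login.php"):
        return status == 200
    return path.startswith("/xmlrpc.php")


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(minutes=5)):
    """Sliding-window lockout rule: an IP with `threshold` failed logins inside `window`
    is locked out. Returns (failures per IP, {ip: time the lockout triggered})."""
    recent = defaultdict(deque)   # per-IP timestamps of failures still inside the window
    failures = Counter()
    lockouts = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if not is_failed_login(m["method"], m["path"], int(m["status"])):
            continue
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        failures[ip] += 1
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:        # drop attempts that have aged out of the window
            q.popleft()
        if len(q) >= threshold and ip not in lockouts:
            lockouts[ip] = ts
    return failures, lockouts


if __name__ == "__main__":
    fails, locked = detect_bruteforce(SAMPLE_LOG)
    for ip, n in fails.most_common():
        state = f"LOCKED OUT at {locked[ip]:%H:%M:%S}" if ip in locked else "below threshold"
        print(f"{ip:<14} {n:>3} failed logins  {state}")
```

Running it locks out 203.0.113.10 on its fifth failure at 10:15:05 and leaves the others alone. Note the slow client, 192.0.2.9: it fails five times but never five within one window, so a per-window rule misses it. That is why plugins pair the lockout with a longer-term "too many lockouts or total failures" ban, and why the tens of thousands of attempts a busy site sees are worth graphing rather than just counting.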
Sadly, a lot of site owners don't think about security for their WordPress website until it's too late. Once a WordPress site is compromised, the options narrow to notifying visitors, trying to clean up a site you can no longer fully trust, or restoring from a known-good backup, if one exists.
If only there were something they could've done to make the site far harder to hack in the first place. Oh, there is. Installing a top-ranked WordPress security plugin is the first step in securing your WordPress website.
Top-ranked WordPress security plugins
- All In One WP Security & Firewall
- Sucuri Security
- SecuPress Free
- iThemes Security Pro (This is the plugin I use on all my sites)
Although not a security plugin on its own, the Google Authenticator plugin is a great addition for protecting your WordPress website, and something that should be installed on every site. It adds two-factor authentication (2FA) to the login: besides the password, every login requires a time-based one-time code generated by an authenticator app on the user's phone, so a password that has been phished, reused, or brute-forced is not enough on its own to get in. iThemes Security Pro, my security plugin of choice, includes this two-factor feature as part of the package. I'm unsure if the other security plugins mentioned above also include Google Authenticator.
Step 2: A WordPress backup plugin
Every WordPress installation should also have a backup solution. Not one provided by your web host, but one you implement and control yourself.
There are too many instances where a web host's backup solution either takes days to hand you a copy of your website, the backup is outdated, or in some cases it's corrupted. Don't take any chances with your WordPress backups: install a top-ranked WordPress backup plugin such as one of these, send the backups somewhere off the server (cloud storage, for example), and check periodically that they actually restore.
Top-ranked WordPress backup plugins
- VaultPress (part of Jetpack)
- BackupBuddy (This is the plugin I use on all my sites)
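A backup you have never verified is only a hope. As an added example (my own illustration, not code from this page or from either plugin above), the script below builds a gzip tar archive of a constructed site directory plus a database dump, stores a SHA-256 manifest inside the archive and the archive's own hash beside it, and then verifies a backup by re-hashing every member and checking that the dump ends with the trailer line mysqldump writes only when it finished. The site files, dump text, file names and paths are hypothetical; the trailer check assumes your dumps come from mysqldump.

```python
import hashlib
import io
import json
import tarfile
import tempfile
import zlib
from pathlib import Path

# Constructed stand-in for a WordPress install and its database dump (hypothetical).
SAMPLE_FILES = {
    "wp-config.php": "<?php define('DB_NAME', 'wp_demo');\n",
    "wp-content/themes/demo/style.css": "body { margin: 0; }\n",
    "wp-content/uploads/2024/03/logo.png": "not-really-a-png\n",
}
# mysqldump writes this comment as its last line only when it completed, so a dump
# without it was cut off part-way (assumption: your dumps are produced by mysqldump).
DUMP_TRAILER = "-- Dump completed"
GOOD_DUMP = (
    "-- MySQL dump 10.13\n"
    "CREATE TABLE `wp_users` (`ID` bigint unsigned NOT NULL);\n"
    "INSERT INTO `wp_users` VALUES (1);\n"
    f"{DUMP_TRAILER} on 2024-03-12 10:00:00\n"
)
TRUNCATED_DUMP = GOOD_DUMP.split(DUMP_TRAILER)[0]


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(site_dir: Path, db_dump: Path, archive: Path) -> dict:
    """Archive site files + dump as a gzip tar with an embedded SHA-256 manifest, and
    write the archive's own SHA-256 to a sidecar file (keep a copy of that off-site)."""
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for path in sorted(p for p in site_dir.rglob("*") if p.is_file()):
            name = "site/" + path.relative_to(site_dir).as_posix()
            manifest[name] = sha256_bytes(path.read_bytes())
            tar.add(str(path), arcname=name)
        manifest["database.sql"] = sha256_bytes(db_dump.read_bytes())
        tar.add(str(db_dump), arcname="database.sql")
        blob = json.dumps(manifest, indent=1).encode()
        info = tarfile.TarInfo("manifest.json")
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
    Path(str(archive) + ".sha256").write_text(sha256_bytes(archive.read_bytes()))
    return manifest


def verify_backup(archive: Path) -> list:
    """Return the problems found; an empty list means the backup verified clean."""
    problems = []
    sidecar = Path(str(archive) + ".sha256")
    if not sidecar.exists():
        problems.append("no recorded archive hash")
    elif sidecar.read_text().strip() != sha256_bytes(archive.read_bytes()):
        problems.append("archive hash differs from recorded hash (corrupted or tampered)")
    try:
        with tarfile.open(str(archive), "r:gz") as tar:
            members = {m.name: m for m in tar.getmembers() if m.isfile()}
            if "manifest.json" not in members:
                return problems + ["manifest.json missing"]
            manifest = json.load(tar.extractfile(members["manifest.json"]))
            for name, digest in manifest.items():
                if name not in members:
                    problems.append(f"missing: {name}")
                    continue
                data = tar.extractfile(members[name]).read()
                if sha256_bytes(data) != digest:
                    problems.append(f"hash mismatch: {name}")
                if name == "database.sql" and DUMP_TRAILER not in data.decode(errors="replace"):
                    problems.append("database.sql has no mysqldump completion trailer (truncated?)")
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        problems.append(f"archive unreadable: {exc}")
    return problems


def demo() -> dict:
    """Back up a constructed site three ways and verify each; returns the verdicts."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        site = root / "public_html"
        for rel, text in SAMPLE_FILES.items():
            (site / rel).parent.mkdir(parents=True, exist_ok=True)
            (site / rel).write_text(text)
        dump = root / "db.sql"
        dump.write_text(GOOD_DUMP)
        good = root / "good.tar.gz"
        make_backup(site, dump, good)
        results["good"] = verify_backup(good)
        # Archive damaged after it was written, e.g. an upload to cloud storage that
        # stopped half-way: the recorded hash no longer matches.
        damaged = root / "damaged.tar.gz"
        make_backup(site, dump, damaged)
        blob = damaged.read_bytes()
        damaged.write_bytes(blob[: len(blob) // 2])
        results["damaged"] = verify_backup(damaged)
        # mysqldump died part-way: every hash matches, yet the dump is unusable.
        dump.write_text(TRUNCATED_DUMP)
        truncated = root / "truncated.tar.gz"
        make_backup(site, dump, truncated)
        results["truncated"] = verify_backup(truncated)
    return results


if __name__ == "__main__":
    for case, problems in demo().items():
        print(f"{case}: {'OK' if not problems else '; '.join(problems)}")
```

The three verdicts it prints are the three failure modes worth catching: the untouched backup verifies clean, the half-uploaded archive fails its hash check, and the backup whose dump ended early is flagged even though every file hash matches. The last one is the case a host's "we keep backups for you" does not cover, and it is the reason a verify step (and, every so often, a real test restore onto a staging site) belongs in the routine after each backup lands in your cloud folder.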
So how did my story end?
First off, let me tell you that I wasn’t surprised that my client's site got hacked. I had seen increased login attempts on it lately numbering in the 10,000s. If a determined hacker wants into a website, there's only so much you can do to stop them. So I wasn’t surprised when it got hacked, but I also wasn’t worried.
The first thing I did was wipe the site. I logged into my cPanel, went to File Manager, found the directory for my client's website and deleted everything in the folder. That immediately solved the first issue of the site being redirected to the porn site since there wasn't a site anymore to do the redirection.
Then it was a simple matter of downloading the most recent backup from the cloud drive I send all my client site backups to and, using BackupBuddy, reinstalling the entire site from the backup. In all, it took me less than 10 minutes to get the site back up and running.
After reinstalling the site, I changed the password for the database as well as all user passwords and made sure WordPress, the installed theme and all plugins were updated. Only then did I call my client. When he answered and immediately started asking what we could do about the problem, it felt so good being able to tell him that everything was already taken care of and his site was back up and running.
Please, don't delay, and don't rely on your web host's security and backups to handle this for you. If you are not already protecting your WordPress website with security and backup plugins, get to it ASAP.
Don’t wait until it’s too late.
Are you protecting your WordPress website the way you should be?
Let me know by leaving a comment for this episode.
Questions of the Week
I didn't answer a question of the week in this episode, but I would love to answer one of yours. Submit your question to be featured in a future episode of the podcast by visiting the feedback page.
I would love to hear from you. You can send me questions and feedback using my feedback form.
I want to help you.
Running a graphic design or web design business all by yourself isn't easy. If there are any struggles you face running your design business, please reach out to me. I'll do my best to help you by addressing your issues in a future blog post or podcast episode here at Resourceful Designer. You can reach me at firstname.lastname@example.org