Happy New Year! I’m back after over a week of recovering from having my websites hacked. As I don’t recommend learning how to protect your websites after you’ve been hacked, I’ve decided to share 8 things you can do today to protect your site. Learning after being hacked is the hard way to learn, and I’m still learning what I have to do to avoid it again.
It started just before Christmas with a redirect hack on this site, which is WordPress based – which basically means that if you accessed any page other than my home page you were redirected out of my website to another page, in my case pharmaceutical “enhancing” websites. This is a low-level hack, or so I’ve been told, and can be fixed by going to Settings/Permalinks and re-saving your settings. That worked for a day or so and then it happened again. My advice is that if this is happening to you, I’d investigate further with your hosting company to see if there is anything else going on.
I did call my hosting company for help, but I didn’t ask what else might be going on because I didn’t know to ask, which turned out to be a big mistake.
On Dec 29th I received an email from my host saying that my web hosting account had been DEACTIVATED. All of my websites were shut down and I’d been blacklisted on Spamhaus. A quick call to my web-hosting company resulted in having to pay to have them run a “site doctor” to remove the hacked code and set up my websites with a dedicated IP address. After that was completed it still took several calls to get all of the bugs out and my site up and running. Overall my websites were hacked and down in different ways for 8 days.
Here are some simple steps you can take to avoid having your WordPress based website hacked, and many of them apply to non-WordPress sites as well.
- Do not have a user-id: Admin – if your user-id is Admin, create a new user with administration privileges, sign off from the Admin account, sign in with your new account and delete the Admin user (you will be able to reassign all of the posts from the Admin account to your new account).
- Keep up to date – Make sure everything is up to date, including WordPress, themes, and plugins.
- Clean up old themes – Delete any old themes that are loaded that you are not using or keep them up to date.
- Clean up all websites on your host account – If you have registered URLs that are in your hosting account but are not active, remember to keep them up to date as well. This can apply to websites that are under development or, as in my case, a website that is only live once or twice a year.
- Remove FTP accounts – If you are not using FTP regularly remove the FTP accounts. Re-add them when they are needed.
- Run antivirus software on your desktop – Malware can come from your desktop onto your website. Make sure you are using reliable antivirus software regularly.
- Back up your websites daily – There are a number of plugins available on WordPress or services provided by hosting companies that enable you to back up your site daily, weekly or monthly.
- Create strong passwords – Make sure passwords are strong, mix them up and change them frequently.
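
For the "keep up to date", "clean up old themes" and "clean up all websites on your host account" items above, here is a small inventory script. It is an added example, not part of the original post. It walks a hosting account directory, finds every WordPress install by its `wp-includes/version.php` file, and flags installs that are behind a version you supply or that carry extra themes. The site names and version numbers in the demo are constructed sample values.

```python
import re
import tempfile
from pathlib import Path

# WordPress core records its release in wp-includes/version.php as: $wp_version = '6.4.2';
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def as_tuple(version):
    """'6.4.2' -> (6, 4, 2); an unreadable version becomes () and sorts as oldest."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def find_installs(account_root):
    """Return one dict per WordPress install found anywhere under account_root."""
    installs = []
    for vf in sorted(Path(account_root).rglob("version.php")):
        if vf.parent.name != "wp-includes":
            continue  # some other version.php, not WordPress core
        site = vf.parent.parent
        match = VERSION_RE.search(vf.read_text(errors="replace"))
        themes_dir = site / "wp-content" / "themes"
        themes = sorted(p.name for p in themes_dir.iterdir() if p.is_dir()) if themes_dir.is_dir() else []
        installs.append({"path": str(site), "version": match.group(1) if match else "unknown", "themes": themes})
    return installs


def findings(site, current_version):
    """List what needs attention for one install; an empty list means nothing flagged."""
    notes = []
    if as_tuple(site["version"]) < as_tuple(current_version):
        notes.append("core %s is behind %s" % (site["version"], current_version))
    if len(site["themes"]) > 1:
        notes.append("%d themes installed, delete or update the unused ones" % len(site["themes"]))
    return notes


def make_site(root, name, version, themes):
    """Build a constructed, minimal WordPress-like tree for the demo."""
    (root / name / "wp-includes").mkdir(parents=True)
    (root / name / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '%s';\n" % version)
    for theme in themes:
        (root / name / "wp-content" / "themes" / theme).mkdir(parents=True)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample account, not real data
        make_site(Path(tmp), "blog", "6.4.2", ["mytheme"])
        make_site(Path(tmp), "seasonal-site", "5.9", ["mytheme", "oldtheme"])
        for site in find_installs(tmp):
            print(site["path"], findings(site, "6.4.2") or "ok")
```

To use it on a real account, call `find_installs()` with the account's web root and pass `findings()` the current WordPress release number.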
This is not a complete list, as I’m still learning what else I need to do. However, this is a list of 8 simple things you can do immediately to protect your sites from being hacked.
If you know anything else that someone should be doing to protect their website, please share it below.