The importance of securing your site


After taking a sabbatical for a few months from WA, I returned with a new focus and jumped on board the Annual Upgrade offer.

Great!

The following day, one of my WA-hosted sites was hacked and the site URL was repointed to a spammy script on blueeyeswebsite.com. Fortunately the hack was inept: the script didn't execute, and was shown in the browser as plain text instead.

The really funny thing is that if I hadn't chosen to get back to work on WA thanks to the annual offer, I wouldn't have checked my WA-hosted sites and spotted the redirection.

As it happens, the hack didn't really worry me as I was planning on tearing down the site and replacing it with something that looked a bit more professional.

Once I'd reinstalled the site, picked a new theme, and imported my old posts, I set about securing the site.

I installed a plugin called All In One WP Security and spent a good thirty minutes configuring all of its options.

Since I did this, there have been three attempts to brute force the admin user's account, all from the same IP address (which apparently is in Sweden). The persistence with which they keep trying to get in suggests they were the source of the original intrusion.

The moral of this story is:

  • Check your sites regularly to make sure they look as they should.
  • Don't keep the default admin account. Every hacker on the planet knows the username of that one. Create a new admin user called something unguessable like radish_34Y6J. Don't worry if you can't remember it - the WA control panel will show the new account and enable you to log in to it. Once you've created a new admin account, delete the old admin account. When you delete the old account, WordPress will ask which user to assign your old posts and pages to and you can transfer them to the new account.
  • Install a security plugin. The one I've got is awesome as it detects attempts to brute-force your admin login and automatically blocks the IP address of the hacker for a period of time. I've now added their IP to the permanently banned list.
  • Back up your site (including the database) regularly. Make sure you download these so they're not on the same server as your website.
  • Hackers will always be trying to get into your site so don't become complacent (as I did).
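As an added illustration of the lockout logic a brute-force-blocking plugin like the one above performs (example code written for this post, not the plugin's own), here is a small detector run over constructed web-server log lines: repeated failed logins to wp-login.php from one IP trigger a temporary lockout, and an IP on the permanent ban list is refused outright. The threshold, window and lockout period are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Apache-style access log lines (not from the original post).
# WordPress answers a failed login POST to wp-login.php with HTTP 200 (the form is
# redisplayed) and a successful one with a 302 redirect, so 200 here means "failed".
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2019:08:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
203.0.113.7 - - [10/Mar/2019:08:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
203.0.113.7 - - [10/Mar/2019:08:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
203.0.113.7 - - [10/Mar/2019:08:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
198.51.100.4 - - [10/Mar/2019:08:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Mar/2019:08:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def detect_lockouts(log_text, threshold=3, window=timedelta(minutes=5),
                    lockout=timedelta(minutes=15), permanent_ban=frozenset()):
    """Replay the log and return (ip, time, event) tuples: 'lockout', 'blocked' or 'banned'."""
    failures = defaultdict(list)   # ip -> timestamps of recent failed logins
    locked_until = {}              # ip -> when its temporary lockout expires
    events = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, when, method, path, status = rec
        if ip in permanent_ban:            # the "permanently banned list" from the post
            events.append((ip, when, "banned"))
            continue
        if method != "POST" or not path.startswith("/wp-login.php") or status != 200:
            continue                       # only failed login attempts count
        if when < locked_until.get(ip, when):
            events.append((ip, when, "blocked"))
            continue
        recent = [t for t in failures[ip] if when - t <= window] + [when]
        failures[ip] = recent
        if len(recent) >= threshold:       # too many failures inside the window
            locked_until[ip] = when + lockout
            failures[ip] = []
            events.append((ip, when, "lockout"))
    return events
```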

I'm not naive enough to believe that my measures will always keep the hackers out but at least I'll have a backup to restore if or when they do get back in.

A note about Wealthy Affiliate hosting

Some people have commented that this shouldn't have happened because WA has a number of security measures in place to guard our websites.

I'm not suggesting for a moment that there's anything wrong with WA's security!

Bear in mind, Kyle & Carson's team implement as much security as is possible to protect our sites but they can't guard against every eventuality.

It's up to us to keep our WordPress installations up to date (this means updating WordPress, the plugins and the themes to make sure that any flaws that might exist in previous versions don't remain exposed).

The important thing is not to worry, just do what you can to keep your website files up to date.

If you do get hacked, just restore your website from a backup (if you have one) or ask the WA site support to help because they take regular backups of your site for you.


Recent Comments

Really useful information, Phil. Being a non-techie person it's useful to know this :)

Best Wishes
Hazel

Interesting post, Phil. I'll have to have a wee look-see at the All In One WP Security.

Now I must go and back up my site!

I'm really appreciating it now that I've had it installed for a day.

I've been surprised how many notifications I've been getting for IPs locked out for trying to log into the admin account!

Good to know. Rather scary, but I guess we just figure out how to deal with it and keep on going. Good job!

Indeed - just another challenge along the way. :)

Thanks a lot for the post as it determines the success of any brand! Keeping a site secure is very paramount to success.

Israel Olatunji

You're welcome, Israel.

Thanks! Much impressed! Wish you much success in your online endeavors!

Israel Olatunji

Many thanks for your advice. Please tell me, how can I change my admin?
Claudio

There's a really good tutorial on this website:
https://www.enginethemes.com/change-wordpress-admin-username/

Before deleting your old admin, make sure your new admin user is visible in WA's Site Manager (when you click the blue login button) and that you can login as that new user, just to be safe.

Many thanks!!

hey hi Phil -- good to see you back in action! ...

... uhm -- interesting post -- would you say, even with the SSL toggled on, it's still 'hackable?' ... or simply less likelihood of being 'hacked?' ...

... sounds like there are too many intruders roaming about the net and i have to shake my head as to why bother with such activity -- such a no-no ...

... thanks kindly for sharing & posting as I agree -- it is important to secure one's website ...

.... all the best, cheerio ... 😊

SSL will protect your password from being 'sniffed' as it's transmitted between your computer and the server but sadly it doesn't protect against a good old brute-force hack.

Honestly though, I wonder if it was even that - I can't imagine the WA hosting platform would allow attackers to keep sending usernames and passwords to one of the sites here.

As I was saying to ToLiNoLi, I don't really know how they got in, I'm only guessing but as they've picked my site as a target, I've made it as hard as I can for them so hopefully they'll get bored of trying and go away.

I actually appreciate them in a way - I'd not backed up the site for a while and it gave me a push to update the theme earlier than I'd planned. :)

... maybe it was a robot?! ... most humans aren't that persistent, are they? ... chuckle ...

... appreciate your fulsome reply and taking the time to educate / inform us here --

..... thanks kindly ... 😊

What happened exactly, as according to Kyle, WA is secured with 17 layers of protection and a security plugin is surely not required for your website, he has stated that again and again as this discussion was often on WA.

According to WA, no one needs to worry, you won't be hacked on WA.

So it would be nice to know, how you got hacked if according to WA this is not possible?

Adding another admin account and removing the named admin account is good anyway.

Backup is not needed either as WA is doing that already.

I'd like to hear your story on this, because it will surely clear things up.

Thanks,
Stefan, ToLiNoLi

I can't really tell you much more than I have already.

My only guess, based on the reports the new plugin is emailing me about the continued attempts, since I replaced the site, is that they brute-forced the admin account (it was still the default 'admin').

At the time I downloaded all the files and the database dump to look for any other intrusions but couldn't find anything suspicious.

As for backups - I always like to manage my own backups, even if the hosting platform is doing it too. That way I can keep a local copy in a development environment to work on.

I'm not blaming WA at all - I've been a developer long enough to know that there's no such thing as a truly secure website.

