Being hacked or hijacked is about as bad as a hurricane coming ashore to many bloggers. I know it was for me! Like many things though, what doesn’t kill us makes us stronger.
And I have indeed become stronger, coming back fighting the ongoing plague of hackers and hijackers!
The first thing every blogger with their own domain, and not on a hosted platform (like Blogger or WordPress.com), needs to know is that backups are their own responsibility: after a disaster the webhost can only reinstall what you have kept. Your webhost will have provided some sort of control panel (mine is cPanel), and a weekly full backup is as easy as clicking the backup option. Download each backup to your own computer, or to storage the webhost doesn’t control, instead of leaving it only on the server: anyone who breaks into the host can alter or delete whatever is stored there, backups included, and a backup you can’t trust is no backup at all.
You can also periodically “export” your content from within WordPress itself (Tools / Export), however, be warned that a WordPress export is only an XML file of your posts, pages, comments, categories and tags. If you restore your site from it you don’t get any of your server information (like statistics), any of the modifications you’ve made to your theme, your plugins and their settings, or, as I discovered, sometimes the images weren’t included either: the export refers to media by URL rather than containing the files, and the importer can only fetch the attachments that the old site is still serving. For anything beyond the writing itself, the cPanel backup is the one that counts.
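As an added check (this is example code written for this article, not anything from WordPress or the author’s site), here is a small Python script that reads a WordPress export file and reports what it does and doesn’t carry. The sample export embedded in it is constructed for the example; the element names it looks for (wp:post_type, wp:attachment_url, content:encoded) are those of the real WXR format. It counts items by type, lists the attachments the importer can try to download, and, most usefully, lists the images referenced in post content that have no attachment record, which are exactly the ones that will be missing after an import. Theme files and plugins never appear in the file at all, so there is nothing to check for them.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces used by the WordPress eXtended RSS (WXR) export format.
NS = {
    "content": "http://purl.org/rss/1.0/modules/content/",
    "wp": "http://wordpress.org/export/1.2/",
}

# Constructed sample export (not a real site): one post that embeds two
# images, but only one of them exists as an attachment item. The other has
# no media-library record, so the importer will never fetch it.
SAMPLE_WXR = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
     xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:wp="http://wordpress.org/export/1.2/">
<channel>
  <title>Example Blog</title>
  <item>
    <title>Storm season</title>
    <wp:post_id>12</wp:post_id>
    <wp:post_type>post</wp:post_type>
    <content:encoded><![CDATA[<p>Before and after:</p>
<img src="http://example.com/wp-content/uploads/2012/08/before.jpg" alt="before" />
<img src="http://example.com/wp-content/uploads/2012/08/after.jpg" alt="after" />]]></content:encoded>
  </item>
  <item>
    <title>before</title>
    <wp:post_id>13</wp:post_id>
    <wp:post_type>attachment</wp:post_type>
    <wp:attachment_url>http://example.com/wp-content/uploads/2012/08/before.jpg</wp:attachment_url>
    <content:encoded><![CDATA[]]></content:encoded>
  </item>
</channel>
</rss>
"""

# Pulls the src attribute out of <img> tags in post bodies.
IMG_SRC = re.compile(r'<img[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)


def audit_export(wxr_text):
    """Return (counts_by_post_type, attachment_urls, unresolved_image_urls).

    unresolved_image_urls are images the posts display that have no
    attachment item in the export, so no restore from this file brings them back.
    """
    data = wxr_text.encode("utf-8") if isinstance(wxr_text, str) else wxr_text
    root = ET.fromstring(data)
    counts = {}
    attachments = set()
    referenced = set()
    for item in root.iter("item"):
        ptype = item.findtext("wp:post_type", default="", namespaces=NS)
        counts[ptype] = counts.get(ptype, 0) + 1
        if ptype == "attachment":
            url = item.findtext("wp:attachment_url", default="", namespaces=NS)
            if url:
                attachments.add(url)
        body = item.findtext("content:encoded", default="", namespaces=NS) or ""
        referenced.update(IMG_SRC.findall(body))
    unresolved = sorted(referenced - attachments)
    return counts, sorted(attachments), unresolved


if __name__ == "__main__":
    counts, attachments, unresolved = audit_export(SAMPLE_WXR)
    print("items by type:", counts)
    print("attachments the importer can try to fetch:", attachments)
    print("images that will be missing after import:", unresolved)
```

Run it against a real export with `audit_export(open("yourblog.wordpress.xml").read())`; if the last list is not empty, copy those files out of wp-content/uploads by hand (or take the cPanel backup) before you need them.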
At any rate, if you find your content has been hijacked (someone else’s banner is emblazoned on your URL) or your WordPress site has been broken into and infected, you’ll need to have your site completely wiped out and restored, not cleaned up in place: a cleanup that misses one backdoor leaves the intruder with the access they already had. Your webhost can do this easily if you have a cPanel backup, but make sure it is one taken from before the break-in, otherwise you restore the backdoor along with your posts. If not, they restore you to brand new, and you can import that exported file that at least has your posts, if nothing else. Either way, once the clean site is up, change every password (WordPress, cPanel, FTP and the database user), because the old ones should be assumed stolen.
You can, however, avoid having this nightmarish experience altogether–or at least only once–by taking some precautions.
These are some of the things I’ve done:
- Remove all users you don’t need and turn off the option for people to register as users (Settings / General / “Anyone can register”), or at least hide your dashboard from them. With RSS feeds, I had absolutely no reason to allow users as I don’t have any additional authors, and if people aren’t allowed in at all, there’s no low-privilege foothold from which to figure out how to get from being a subscriber to being an author. Hiding the dashboard is cosmetic: it keeps subscribers out of the admin screens but changes nothing about what their accounts are permitted to do, so removing the accounts and closing registration is the real control. Here’s a WordPress plugin to hide the dashboard: http://wordpress.org/extend/plugins/wp-hide-dashboard/
- Change all passwords (WordPress, cPanel, FTP, and the database user in wp-config.php) to gibberish, and I do mean gibberish such as 8h)Bx#!o92. Don’t use anything that even remotely resembles a word, not even with numbers or symbols swapped in for letters, because cracking tools try exactly those substitutions first. Include all types of keyboard characters, not just letters and numbers, make each password at least 10 characters long, and use a different one for every account. Ten random characters drawn from the whole keyboard is over 60 bits of entropy, far more guesses than anyone can make against a login form, though longer is better still, and a password manager will generate and remember these for you so that gibberish costs you nothing.
- If you end up having to start from scratch (in the event that you didn’t have a cPanel backup), don’t use Admin as your username, and don’t keep it on an existing site either. The profile screen won’t let you change a username, but you can create a second administrator with a different login, sign in as that user, and delete the original “admin”, choosing to attribute its posts to the new user when WordPress asks. If hackers can tell it’s Admin (so your posts show up as being posted by “Admin”) they only have to guess at one thing, the password; otherwise they have to guess at both a username and a password to get into your site. Of course, hackers are going to guess that what’s given as the name on a post is the username, so make sure you change that display in WordPress, under Users / Your Profile / Display Name As, to something relevant and not related to your user login name. The display name isn’t the only place the login leaks, though: the author archive address (the one /?author=1 redirects to) is built from the user’s “nicename”, which defaults to the username, so a determined visitor can still read it off the site unless that slug is changed as well (some security plugins block the /?author= redirect; otherwise it takes an edit to the user_nicename column in the database).
- Install the WordPress plugin Better WP Security. You can find it by searching in your WordPress dashboard plugins or read about it at: http://wordpress.org/extend/plugins/better-wp-security/ and go through all of your options and turn them on after you read them carefully and decide they’ll work for you. The options that matter most for the break-ins described above are limiting login attempts and locking out the addresses that keep guessing, hiding the login page, and changing the database table prefix. Take a fresh cPanel backup before enabling the options that rewrite .htaccess or rename database tables, since those are the ones that can lock you out of your own site if something goes wrong.
- Install new WordPress, theme and plugin updates as soon as they become available. Plugins and themes run with the same access as WordPress itself, and out-of-date ones with known holes are a common way in. Delete the plugins and themes you don’t use rather than leaving them installed but deactivated: their files stay on the server and can still be requested directly.
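The password rule above is the one that is easiest to get subtly wrong, so here is an added Python example (not code from this blog’s author or from any plugin mentioned here) that does three things: estimates how many guesses a password forces, detects the “word with symbols swapped in” passwords that only look like gibberish, and generates a genuinely random one with Python’s secrets module. The word list and the substitution table are small constructed stand-ins for the much larger dictionaries and rule sets that cracking tools use.

```python
import math
import secrets
import string

# The four kinds of keyboard characters the article says to mix.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

# Constructed stand-in for the dictionaries cracking tools actually use.
WORDLIST = ("password", "welcome", "summer", "admin", "letmein",
            "wordpress", "monkey", "dragon", "blog")

# Common "leet" substitutions that crackers undo before matching words.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t", "|": "l"})


def entropy_bits(password):
    """Bits of entropy *if* the password was drawn uniformly from the classes it uses.

    This is an upper bound: a dictionary word with symbols swapped in uses the
    same classes but forces nowhere near this many guesses.
    """
    pool = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0


def resembles_word(password, wordlist=WORDLIST):
    """True if the password is a dictionary word in disguise (e.g. P@ssw0rd)."""
    normalized = "".join(ch for ch in password.lower().translate(LEET) if ch.isalpha())
    return any(w in normalized for w in wordlist if len(w) >= 4)


def generate_password(length=16):
    """Random password containing every character class and no word look-alike."""
    alphabet = "".join(CLASSES)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in c for ch in pw) for c in CLASSES) and not resembles_word(pw):
            return pw


def assess(password):
    """Return (entropy_bits, verdict) for a candidate password."""
    bits = entropy_bits(password)
    if resembles_word(password):
        verdict = "dictionary word in disguise: cracked in seconds"
    elif len(password) < 10 or bits < 60:
        verdict = "too short for the character set used"
    else:
        verdict = "random and long enough: about 2^%d guesses needed" % round(bits)
    return bits, verdict


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Summer2012!", "8h)Bx#!o92", generate_password(16)):
        bits, verdict = assess(candidate)
        print("%-20s %6.1f bits  %s" % (candidate, bits, verdict))
```

The entropy figure is only honest for passwords that really were chosen at random, which is why `assess` runs the word check first: “Summer2012!” scores well on length and character mix and would still fall to a wordlist in moments.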
I know this doesn’t seem like a lot, but it has stopped hackers in their tracks–I get the evidence every day in my Better WP Security updates that tell me who has tried to hack into my site. I also paid for a subscription to SiteLock through my webhost that alerts me if there are any security issues on my site, and displays a daily guarantee to my visitors that they won’t get any viruses by visiting.
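To show what those daily “who tried to get in” reports are built from, here is an added Python example (written for this article, not taken from Better WP Security or SiteLock) that runs over a few constructed lines of an Apache-style access log of the kind cPanel hosts keep. It relies on two facts about WordPress: a failed login is a POST to wp-login.php answered with a 200 (the form is shown again with an error) while a successful one is answered with a 302 redirect into wp-admin, and xmlrpc.php answers 200 whether the guess was right or wrong, so for it the only signal is volume. The addresses, times and the five-attempts-in-five-minutes threshold are assumptions chosen for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (Apache combined format), not a real host's.
# 203.0.113.9 guesses five times then gets in; 198.51.100.4 is a normal login;
# 192.0.2.77 hammers xmlrpc.php, which answers 200 either way.
SAMPLE_LOG = """\
203.0.113.9 - - [14/Aug/2012:03:12:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3911 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Aug/2012:03:12:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3911 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Aug/2012:03:12:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3911 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Aug/2012:03:12:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3911 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Aug/2012:03:12:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3911 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Aug/2012:03:12:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Aug/2012:08:40:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.4 - - [14/Aug/2012:08:40:12 +0000] "GET /wp-admin/ HTTP/1.1" 200 21034 "-" "Mozilla/5.0"
192.0.2.77 - - [14/Aug/2012:09:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "-"
192.0.2.77 - - [14/Aug/2012:09:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "-"
192.0.2.77 - - [14/Aug/2012:09:01:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "-"
192.0.2.77 - - [14/Aug/2012:09:01:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "-"
192.0.2.77 - - [14/Aug/2012:09:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "-"
"""

LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def parse(log_text):
    """Yield (ip, timestamp, method, path, status) for each well-formed line."""
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, m["method"], m["path"], int(m["status"])


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Map each suspicious IP to its peak guesses per window and whether it then got in."""
    events = defaultdict(list)  # ip -> [(timestamp, kind)]
    for ip, ts, method, path, status in parse(log_text):
        if method != "POST":
            continue
        if path.startswith("/wp-login.php"):
            events[ip].append((ts, "fail" if status == 200 else "success"))
        elif path.startswith("/xmlrpc.php"):
            events[ip].append((ts, "xmlrpc"))

    findings = {}
    for ip, evs in sorted(events.items()):
        evs.sort()
        recent = []  # timestamps of guesses still inside the sliding window
        peak = 0
        success_after_guessing = False
        for ts, kind in evs:
            if kind == "success":
                # A 302 right after a burst of failures is the worst case: they got in.
                if len([t for t in recent if ts - t <= window]) >= threshold:
                    success_after_guessing = True
                continue
            recent = [t for t in recent if ts - t <= window] + [ts]
            peak = max(peak, len(recent))
        if peak >= threshold:
            findings[ip] = {"peak_attempts": peak,
                            "success_after_guessing": success_after_guessing}
    return findings


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        flag = "  <-- LOGGED IN AFTER GUESSING" if info["success_after_guessing"] else ""
        print("%-14s %d attempts in window%s" % (ip, info["peak_attempts"], flag))
```

The “logged in after guessing” case is the one that should trigger the wipe-and-restore routine described earlier rather than just a lockout; an address that merely trips the threshold is what a login-limit option in a security plugin blocks for you.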