Don’t let your WordPress websites get hacked
On the 26th January 2017, millions of WordPress websites were hacked and left defaced and blacklisted by Google. WordPress released a patch for a vulnerability that has left many websites either hacked or vulnerable to hacking. The security flaw was first brought to the attention of security firm Securus on 20th January. Estimates say 1.5 million websites have been hacked and many more are still at risk.
To patch the security flaw, you need to make sure your WordPress website is running (at the time of writing) version 4.7.2.
This post isn’t about the news of the hacking, but to try and instil the importance of making sure that your website is regularly updated. This means making sure that the WordPress install itself is up to date, and also all of your plugins.
What are the consequences?
We had a customer come to us with a website that had been blacklisted by Google and malware security firms.
Although we can’t say for certain, the timing and nature of what they were experiencing would suggest it was almost certainly due to this particular WordPress issue. This meant that when people visited their website using modern browsers they would see a red ‘this site is unsafe’ page and Google searches would point out that the website might have been hacked. Not a good feeling and damaging to reputation!
The resolution was long and expensive. It involved ‘cleaning’ their website and then submitting a report to Google and other security providers to inform them of the fixed website.
This took time – almost two weeks – and a good chunk of money. It was also very upsetting for the company owner who felt shocked that this could have happened.
So, what should you do to keep safe?
WordPress websites get hacked, so make sure you’re prepared. Be proactive! The first thing you should do is make sure your website is being regularly backed up to an off-site location. This should go without saying, but many individuals and companies don’t do this. (123-reg, the hosting company, had a system meltdown recently and many of its servers were unable to recover lost data, i.e. websites. Lots of companies lost their site that day.)
Then, make sure you install security tools like Wordfence and Securus to defend and monitor your website for anything malicious. As well as a ‘first line of defence’, these plugins will help alert you to any suspicious activity. They have free and premium options so it’s well worth getting up to speed with how they can help you.
Make a plan to keep everything updated. Don’t make this a monthly plan. It needs to be at least weekly, especially if you have a lot of plugins installed. We recommend the following weekly procedure:
- Make a full backup of your website files and database
- Uninstall all plugins and themes that you aren’t using
- Use Securus to run a scan of your system and review the results
- Update your core WordPress install (if there is an update available)
- Update your theme (if there is an update available)
- Check your plugins to make sure they are all compatible with your version of WordPress
- Update all plugins that have a new version available
- Test that your website is working as expected. This includes viewing pages on various devices and testing web forms and other functionality. Sometimes certain updates introduce problems.
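The weekly procedure above, scripted as an added example that is not part of the original post. It assumes WP-CLI (`wp`) and `tar` are installed; the paths are placeholders, and the checksum verification in step 3 is a basic integrity check run alongside your security plugin's scan, not a replacement for it.

```shell
#!/bin/sh
# Weekly WordPress maintenance in the order of the checklist above.
WP_PATH="${WP_PATH:-/var/www/html}"          # assumed WordPress root
BACKUP_DIR="${BACKUP_DIR:-/var/backups/wp}"  # assumed; copy the result off-site afterwards
DRY_RUN="${DRY_RUN:-1}"                      # 1 = only print the commands, 0 = execute them

# Print the command in dry-run mode; otherwise run it and stop at the first failure,
# so a failed backup or a checksum mismatch is reviewed before anything is updated.
run() {
  if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; return 0; fi
  "$@" || { echo "FAILED: $*" >&2; exit 1; }
}

weekly_maintenance() {
  stamp=$(date +%Y%m%d)
  # 1. Full backup of database and files before anything changes.
  run mkdir -p "$BACKUP_DIR"
  run wp --path="$WP_PATH" db export "$BACKUP_DIR/db-$stamp.sql"
  run tar -czf "$BACKUP_DIR/files-$stamp.tar.gz" -C "$WP_PATH" .
  # 2. List unused plugins and themes; review the list, then remove them
  #    by hand with `wp plugin uninstall <name>` / `wp theme delete <name>`.
  run wp --path="$WP_PATH" plugin list --status=inactive --field=name
  run wp --path="$WP_PATH" theme list --status=inactive --field=name
  # 3. Compare core and plugin files against the published checksums.
  run wp --path="$WP_PATH" core verify-checksums
  run wp --path="$WP_PATH" plugin verify-checksums --all
  # 4. Update WordPress core, then 5. the themes.
  run wp --path="$WP_PATH" core update
  run wp --path="$WP_PATH" theme update --all
  # 6. Show plugins with pending updates so compatibility can be checked first.
  run wp --path="$WP_PATH" plugin list --update=available
  # 7. Update the plugins.
  run wp --path="$WP_PATH" plugin update --all
  # 8. Record the resulting version; page and form testing stays a manual step.
  run wp --path="$WP_PATH" core version
}

weekly_maintenance
```

Run it once with the default `DRY_RUN=1` to read the plan, then with `DRY_RUN=0` to execute it.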
Do you need help?
If you think you need help with any of the things we’ve discussed in this article, contact us and we’ll discuss how we can help keep your website safe.