Apparently, my website has had a large red target painted on it for the last two months! About 2 months ago my site was hacked (entry point unknown) and malware was placed on my site. No one viewing the website from the public side would have noticed… I just noticed some weird things on the back-end. I worked with Bluehost to get the site cleaned and in a matter of a couple of days, all was back to normal.
This last weekend was a whole different matter. My site was attacked by the SoakSoak malware attack (as described by Sucuri here). You can only imagine how my heart dropped when I received an email from Google telling me that not only did my site have malware on it, but that I had also been blacklisted by Google!
Thankfully, I worked with the wonderful folks over at SiteLock and they cleaned my site for me. One of the things they did differently was that they manually cleaned my site… working through each file manually vs. running an automated site cleaning tool. This allowed them to look at every file and see if there was something wrong.
So what can you do to keep your website safe? There are no guarantees but here are some key elements:
- Keep your WordPress themes and plugins updated to the latest version – AT ALL TIMES – This particular malware came in through the RevSlider plugin. This plugin was packaged with the theme I use but I do not use the plugin itself. So although it was outdated, I didn’t know it since I don’t use it.
- Have your website monitored for malware at all times – Some hosting companies include malware scanning in your hosting package… but some do not. If you do not know if malware scanning is included in your package, stop reading this and contact them immediately to find out. I use SiteLock for my monitoring company. I know Sucuri also monitors websites. Regardless of who you use, make sure your site is being scanned daily.
- Add a firewall to your website – None of us would think about surfing the internet without a firewall enabled (i.e. through Norton Security) so why wouldn’t you add a firewall to your website to keep intruders out? Again – check to see if this is something that your hosting company includes. If not – add it on.
- Make sure your website is backed up daily – My hosting company provides this service to me automatically but not all do. If something does happen to your website, they can restore your website with an older version. You might lose a blog post you did yesterday, but it is better than losing your whole site!
- Make your username and password hard! – I’ve written before about using the default “Admin” as your user name. NEVER do it! The people writing the malicious code know that there are a lot of sites out there with an Admin user name. That means they are already half way in to hacking your site. And if you are one of those people that use the same password for every login… be forewarned. Once they figure out the login to your website, if they know of any other sites you visit they have access to those as well. So play it smart and use unique passwords for every login you have.
Even by following these steps, there is always a chance your website will still be hacked… but these will help lower your chances.
Questions? Put them in the comments below.
Image courtesy of Keerati at FreeDigitalPhotos.net