It was a targeted attack. By now we also know the webmasters' domains behind it. They are not websites with great content, but they do get some traffic, and it is declining sharply.
In this article we share our experience for anyone who is at risk the way we were. We also received a post-mortem from an authority, so the sequence of events is now quite clear to us. On that basis we can give tips that will greatly reduce the chance of your WordPress blog being hacked.
Understand your blog can be hacked
Sharply rising traffic, a sudden rise in SERP position, and threatening emails together are good indicators that you are at risk of being hacked.
Our WordPress installation itself was very strong. We followed all the main points in the WordPress Codex on hardening WordPress, plus tips from other well known bloggers: in particular Darren Rowse's tip to check that the database backup actually works, Matt Cutts's excellent tips on hardening security with .htaccess on his blog, and, most importantly, Perishable Press's tips for install.php. All of these were in place. We had no themes or plugins from questionable sources, so practically we were safe on almost every front except two: our FTP username and password were very weak, and the hosting company itself was not a great brand.
Eight weeks ago we started to receive spam from a domain hosted on the same server, at a rate of about two per minute. We blocked it from .htaccess. I must emphasise that this is a tell-tale sign of an attack: it was a brute-force attack to break the protective layer of Akismet. Yes, Akismet was the first plugin to be hacked; it was the gateway for entry. I suggest using an Akismet premium account for serious blogs rather than the free one; you get better support.
If you are a recognized person, like Brian Gardner, you are definitely at risk.
Ways to prevent your WordPress blog from getting hacked
We will emphasize one factor above all others: the host. Brands like Rackspace or Media Temple certainly have compromises in their history, but they have the staff and tooling to harden their platforms. Our personal choice is Rackspace; we understand it is costly for most beginners, so you can go for Media Temple or one of the hosts officially listed by WordPress. By the way, Rackspace has a cheaper option as well: an empty VPS (Cloud Server) costs $49/month. It is better to buy a cPanel licence ($200/year) and install it on that server; installation is very easy. You can ask on cPanel's forum, but ask Rackspace themselves first.
The host factor alone reduces the chance of getting hacked. Next is the weakest point on the server side: FTP. If you have cPanel access, do not leave FTP open; simply do not activate it. Plain FTP sends your username and password in clear text. Use cPanel's File Manager to transfer files instead: it goes through your cPanel login rather than a separate FTP password, it is fast, and it can unzip uploaded archives on the server for you.
If you use Rackspace Cloud Sites, Rackspace provides SFTP, which is much more secure (though slower) than FTP. Use key-based authentication rather than a password, and rotate the key at regular intervals.
For both FTP and SFTP, WinSCP is a far better choice than the more popular FileZilla, simply because on Windows FileZilla saves passwords in its XML configuration with no real protection (plain text in older versions, base64 in newer ones), so credential-stealing malware on your PC can read them and push its payload to your nicely hardened server. WinSCP can save passwords too, but it at least offers a master password to encrypt them. Even if you must use FTP, use an unusual username and a very strong password, and change both frequently.
Next is the operating system on your workstation. Windows is itself the risky choice. It is far better to use any flavor of Linux (most are free) or a Mac for FTP or SFTP: far less malware targets them, so the chance that an infected workstation hands your credentials to an attacker is much lower. Both also ship a native ssh/sftp client, which makes administering a Linux server easier. If you are a Windows user, you can follow this tutorial to remove malware.
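To make the FileZilla point concrete, here is an added example; it is not code from the original post, FileZilla or WinSCP. It contains a constructed sitemanager.xml fragment in the format FileZilla writes (host, user and password are made up; the file locations in the comments are FileZilla's real ones), a function that recovers every stored password with nothing more than `base64 -d`, and the key-based SFTP setup that avoids storing a password at all. It assumes a Linux or similar workstation with GNU coreutils and the OpenSSH client.

```shell
#!/bin/sh
# Constructed sample of FileZilla's site manager file
# (Windows: %APPDATA%\FileZilla\sitemanager.xml, Linux: ~/.config/filezilla/sitemanager.xml).
# The password is only base64-encoded; older versions wrote it in plain text.
SAMPLE_SITEMANAGER='<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.com</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>blogadmin</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
    </Server>
  </Servers>
</FileZilla3>'

# Recover every saved password from a site manager file given on stdin.
# This is all a credential-stealing trojan on the workstation has to do.
recover_filezilla_passwords() {
  sed -n 's/.*<Pass encoding="base64">\([^<]*\)<\/Pass>.*/\1/p' \
    | while read -r encoded; do
        printf '%s' "$encoded" | base64 -d
        echo
      done
}

# Generate a key pair for SFTP instead of saving a password. You are prompted
# for a passphrase (use one, and load the key into ssh-agent). The private key
# never leaves the workstation; only blog_sftp.pub goes into the server's
# ~/.ssh/authorized_keys. Generate a new file name when rotating keys.
make_sftp_key() {
  ssh-keygen -t ed25519 -f "$HOME/.ssh/blog_sftp" -C "blog-deploy-$(date +%Y%m%d)"
}

# Connect with the key only. PasswordAuthentication=no makes a wrong key path
# fail loudly instead of silently falling back to a password prompt.
sftp_with_key() {  # $1 = user@host
  sftp -i "$HOME/.ssh/blog_sftp" -o PasswordAuthentication=no "$1"
}

# Demonstration on the constructed sample: prints the recovered password.
demo_recover() {
  printf '%s\n' "$SAMPLE_SITEMANAGER" | recover_filezilla_passwords
}
```

Run `demo_recover` to see the saved password come back in clear text; `make_sftp_key` followed by `sftp_with_key user@host` is the replacement workflow.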
The next point is hardening WordPress itself and installing the important security plugins. The WordPress Codex has a dedicated page of tips on hardening WordPress (file permissions, secret keys, disabling the built-in file editor, protecting wp-config.php).
The last point concerns WordPress accounts: create at most one account for guests, name it Guest, and never let a guest log in to post through it; change its password frequently. At present we have no way to use a secure delegated login such as Google+; when the API becomes available it is a good idea to implement it, and better still if WordPress themselves add such an option in a future version. Using SSL for the login and admin pages is a good way to protect the credentials in transit.
Any abnormal behaviour of WordPress, such as pingbacks and trackbacks not working, images failing to upload, or hitting your resource limit, can indicate an ongoing hacking attempt or an existing compromise.
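The hardening points above (Codex file permissions, the secret keys, the dashboard file editor, and SSL for login) can be checked and applied mechanically. The script below is an added example, not code from the original post or from the WordPress project: it audits a document root for those points, fixes them, and audits again on a small constructed site. It assumes a Linux host with GNU find/awk/coreutils, that `wp-config.php` still contains the standard "That's all, stop editing!" marker, and, for FORCE_SSL_ADMIN, that the host actually serves the site over HTTPS.

```shell
#!/bin/sh
# Audit and apply the basic wp-config.php and file-permission points from the
# Codex "Hardening WordPress" page. The site built in demo_audit is constructed.

has_define() {  # $1 = wp-config.php, $2 = constant name ; true if defined as true
  grep -q "define( *'$2', *true" "$1"
}

# Insert define('NAME', value); above the "stop editing" marker if it is not
# already there. It must run before wp-settings.php is loaded, so appending to
# the end of the file would be too late. (No marker: nothing is inserted.)
ensure_define() {  # $1 = wp-config.php, $2 = constant name, $3 = PHP value
  if ! grep -q "define( *'$2'" "$1"; then
    awk -v def="define('$2', $3);" "/That's all, stop editing/ { print def } { print }" "$1" \
      > "$1.tmp" && mv "$1.tmp" "$1"
  fi
}

audit_wordpress() {  # $1 = document root ; prints the number of findings
  cfg="$1/wp-config.php"; findings=0
  n=$(find "$1" -perm -002 | grep -c . || true)          # writable by "other"
  if [ "$n" -gt 0 ]; then
    echo "WARN: $n world-writable path(s) under $1" >&2; findings=$((findings + n))
  fi
  if [ -n "$(find "$cfg" -perm -004)" ]; then              # readable by "other"
    echo "WARN: wp-config.php is world-readable" >&2; findings=$((findings + 1))
  fi
  for c in DISALLOW_FILE_EDIT FORCE_SSL_ADMIN; do
    if ! has_define "$cfg" "$c"; then
      echo "WARN: $c is not set" >&2; findings=$((findings + 1))
    fi
  done
  if grep -q 'put your unique phrase here' "$cfg"; then   # keys never replaced
    echo "WARN: secret keys still at the placeholder value" >&2; findings=$((findings + 1))
  fi
  echo "$findings"
}

harden_wordpress() {  # $1 = document root
  cfg="$1/wp-config.php"
  # Codex permissions: directories 755, files 644, nothing writable by "other".
  find "$1" -type d -perm -002 -exec chmod 755 {} +
  find "$1" -type f -perm -002 -exec chmod 644 {} +
  # Dashboard theme/plugin editor off: an attacker with a stolen admin session
  # would otherwise get a PHP editor for free.
  ensure_define "$cfg" DISALLOW_FILE_EDIT true
  # Login and admin over HTTPS only; needs a working certificate on the host.
  ensure_define "$cfg" FORCE_SSL_ADMIN true
  # Fresh random keys and salts instead of the placeholders. Online you would
  # paste https://api.wordpress.org/secret-key/1.1/salt/ ; offline this draws
  # 64 random characters from /dev/urandom, a different value for every line.
  awk -v cmd='tr -dc A-Za-z0-9 < /dev/urandom | head -c 64' \
    '/put your unique phrase here/ { cmd | getline s; close(cmd); sub(/put your unique phrase here/, s) } { print }' \
    "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  # wp-config.php holds the DB password: owner read/write, group read (for a
  # web-server group where PHP runs as a separate user), nothing for others.
  chmod 640 "$cfg"
}

demo_audit() {  # builds a constructed site, audits it, hardens it, audits again
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads"
  chmod 755 "$root/wp-content" "$root/wp-content/uploads"
  cat > "$root/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'blog');
define('DB_PASSWORD', 'constructed');
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
/* That's all, stop editing! Happy blogging. */
require_once ABSPATH . 'wp-settings.php';
EOF
  printf '<?php echo "constructed";\n' > "$root/wp-content/uploads/stray.php"
  chmod 644 "$root/wp-config.php"
  chmod 666 "$root/wp-content/uploads/stray.php"
  before=$(audit_wordpress "$root" 2>/dev/null)
  harden_wordpress "$root"
  after=$(audit_wordpress "$root" 2>/dev/null)
  rm -rf "$root"
  echo "$before $after"
}
```

`demo_audit` prints the number of findings before and after hardening (five, then none); on a real site run `audit_wordpress /path/to/public_html` first and read the warnings before letting `harden_wordpress` change anything, since the permission pass touches every world-writable path under the root.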
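Symptoms like the ones above are a reason to look at the files, and the surest way to know what changed is to have a baseline to compare against. The following is an added example, not from the original post: it records a SHA-256 manifest of the tree while the site is known good, later reports every added, modified and missing file, and separately lists any PHP file under wp-content/uploads (the classic place for a dropped web shell). The site and the "attacker" changes in `demo_integrity` are constructed. It assumes GNU coreutils (`sha256sum`) and paths without spaces.

```shell
#!/bin/sh
# File-integrity baseline for a WordPress tree.

make_manifest() {  # $1 = document root, $2 = manifest file to write
  (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2) > "$2"
}

# Compare a stored manifest with the tree as it is now; one line per difference.
check_integrity() {  # $1 = document root, $2 = stored manifest
  current=$(mktemp)
  make_manifest "$1" "$current"
  awk 'NR == FNR { old[$2] = $1; next }          # first file: the baseline
       !($2 in old)  { print "ADDED " $2; next }  # present now, not in baseline
       old[$2] != $1 { print "MODIFIED " $2 }     # hash differs
                     { delete old[$2] }           # seen: whatever is left is gone
       END { for (p in old) print "MISSING " p }' "$2" "$current" | LC_ALL=C sort
  rm -f "$current"
}

# Uploads should never contain executable PHP, baseline or not.
find_php_in_uploads() {  # $1 = document root
  (cd "$1" && find ./wp-content/uploads -type f -name '*.php' | LC_ALL=C sort)
}

demo_integrity() {
  root=$(mktemp -d); baseline=$(mktemp)
  mkdir -p "$root/wp-content/uploads"
  printf '<?php // constructed index\n' > "$root/index.php"
  printf 'readme\n' > "$root/readme.html"
  printf 'jpegdata' > "$root/wp-content/uploads/photo.jpg"
  make_manifest "$root" "$baseline"             # taken while the site is known good
  # Later, constructed attacker activity: backdoor in index.php, web shell in
  # uploads, a file removed.
  printf '<?php eval(base64_decode($_POST["c"])); // constructed\n' >> "$root/index.php"
  printf '<?php system($_GET["cmd"]); // constructed\n' > "$root/wp-content/uploads/shell.php"
  rm "$root/readme.html"
  check_integrity "$root" "$baseline"
  find_php_in_uploads "$root"
  rm -rf "$root" "$baseline"
}
```

Keep the manifest off the server (an attacker who can edit index.php can edit a manifest stored beside it); re-run `make_manifest` only after you have updated WordPress or plugins yourself and reviewed the diff.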
Our loss is more than $500 and counting; yours can be more than ours if you lose posts. So it is very, very important to take a database backup manually and test it on your test blog, to download the full web content through the cPanel File Manager (you can zip it and download) or SFTP, and also to take a backup through the WordPress Export/Import feature. Write the ZIP files to CD (preferred over DVD) and to online storage. You can use VaultPress too. Rackspace takes a backup every 6 hours, so it is almost impossible to lose any post. If you do lose a post, use Google's cache to get it back.
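A backup that has never been restored is not yet a backup, which is the point of "test it on your test blog". The script below is an added example, not the original post's own procedure: it dumps the database, archives the document root with a checksum, and then verifies the archive the way you would have to use it, by checking the hash and extracting into a scratch directory that is diffed against the live tree. `demo_backup` runs the file part on a constructed site and then corrupts the archive to show the check failing. It assumes a Linux host with GNU tar/coreutils and, for the database part, `mysqldump` reading its credentials from `~/.my.cnf`.

```shell
#!/bin/sh
# Backup that is actually tested before it is trusted.

# Credentials come from ~/.my.cnf so the password never appears on the command
# line (visible in ps). --single-transaction gives a consistent InnoDB snapshot
# without locking the live blog.
backup_database() {  # $1 = database name, $2 = output .sql.gz
  mysqldump --single-transaction --routines "$1" | gzip -9 > "$2"
}

backup_files() {  # $1 = document root, $2 = output .tar.gz (writes $2.sha256 too)
  tar -C "$1" -czf "$2" .
  (cd "$(dirname "$2")" && sha256sum "$(basename "$2")" > "$(basename "$2").sha256")
}

# Verify the checksum, restore into a scratch directory, compare with the
# original. Prints OK or FAIL.
verify_files_backup() {  # $1 = document root, $2 = .tar.gz
  if ! (cd "$(dirname "$2")" && sha256sum -c --status "$(basename "$2").sha256"); then
    echo FAIL; return 0
  fi
  scratch=$(mktemp -d)
  if tar -C "$scratch" -xzf "$2" 2>/dev/null && diff -r "$1" "$scratch" > /dev/null; then
    echo OK
  else
    echo FAIL
  fi
  rm -rf "$scratch"
}

demo_backup() {  # constructed site; prints the verdict for an intact and a corrupted archive
  site=$(mktemp -d); out=$(mktemp -d)
  mkdir -p "$site/wp-content/uploads"
  printf '<?php // constructed\n' > "$site/index.php"
  printf 'jpegdata' > "$site/wp-content/uploads/photo.jpg"
  backup_files "$site" "$out/site.tar.gz"
  good=$(verify_files_backup "$site" "$out/site.tar.gz")
  printf 'x' >> "$out/site.tar.gz"       # simulate a truncated or corrupted download
  bad=$(verify_files_backup "$site" "$out/site.tar.gz")
  rm -rf "$site" "$out"
  echo "$good $bad"
}
```

Run the same verification on the copy you burned to CD or pulled back from online storage, not only on the file still sitting on the server, since it is that copy you will be restoring from.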