Four quick steps to make your WordPress site more secure

I got this question in my email box last week:

Hi Wendy,

I have a question about the Atahualpa theme and spam. I just saw a Google alert for my blog, and there was a mysterious reference to, uh, I don’t want to get caught in your spam filter, but let’s just say there was spam in the header. Do you know if this is a “legitimate” part of the Atahualpa theme, or is it likely that my blog got hacked? Aside from upgrading WordPress (did that) and upgrading Atahualpa (reluctant until I understand this better), is there anything I can do to prevent further problems? Thanks!!

–Worried about hackers

Dear Worried,

Atahualpa definitely does not do this — your website content is totally determined by you, and Atahualpa never inserts content or links (the legitimate exception being the link to the theme’s author in the footer area). I hate to say it but it sounds like Intruder Alert time.

Here are a few quick tips to make your blog more secure:

  1. Back up your stuff. The WP-DB Backup plugin backs up your database and the WordPress Backup plugin backs up your images, theme, and plugins. Use them both to get a complete backup of everything. Bonus tip: Give yourself some additional peace of mind by having these plugins schedule automatic weekly (or daily) backups. Then you’ll always have the ability to restore a damaged site if necessary.
  2. Upgrade WordPress, all plugins, and your theme. Upgrading WordPress is a one-click process (assuming you are all backed up as Step 1 suggests). Upgrading plugins is even easier. Upgrading Atahualpa can feel really scary (depending on what version you have — recent versions have the ability to export and import Atahualpa settings files, which lends extra safety and security to the process) but I’d do it (or have someone do it for you).
  3. Change your username. If your login username is still “admin,” use the plugin WPVN Username Changer to make it something different (because the easiest hacks are on accounts where the username is known, and most people leave it “admin”). New WordPress installations allow you to set a custom username with no need to use this plugin.
  4. Change your passwords. At least change your WordPress login password and make sure it’s secure (at least 8 characters, with a mix of upper and lowercase and a few numbers or symbols). You may also want to change your FTP password, and even your email password (since hackers can send password-change requests to your email account).

This list is not comprehensive — there are many other safeguards, plugins, and security tricks that exist to protect your website. But these four tips will put you ahead of the pack.

If you want a professional hack-cleaning service, I have heard positive recommendations for Sucuri (not an affiliate link, since I haven’t actually used their services). Sucuri also offers a hack-monitoring service that alerts you if anything suspicious is added to your site, which is useful because these additions are sometimes invisible, unlike the header spam you noticed immediately.
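A do-it-yourself version of that kind of monitoring, added here as an example (it is not part of the original post and is not Sucuri’s tooling): once you have the clean backup from Step 1, record a SHA-256 hash of every file under your site’s folder, and re-run the check later to list anything added, modified or removed. That catches injected code even when it renders invisibly. The site path, the theme file names and the “injection” in the demo are all constructed for illustration.

```python
"""Baseline-and-compare file integrity check for a WordPress install.

Added example, not code from the original post. Usage against a real site
(paths are assumptions):
    python integrity.py baseline /var/www/html baseline.json
    python integrity.py compare  /var/www/html baseline.json
With no arguments it runs a self-contained demo on a constructed temp tree.
"""
import hashlib
import json
import sys
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root.

    Hidden files such as .htaccess are included, since those are common
    places for unwanted edits to land.
    """
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Diff two hash maps; returns sorted lists of added/removed/modified paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def write_baseline(root, baseline_file):
    """Hash the tree and store the result as JSON (keep this file off the web root)."""
    Path(baseline_file).write_text(json.dumps(hash_tree(root), indent=2, sort_keys=True))


def check_against_baseline(root, baseline_file):
    """Load a stored baseline and report what changed on disk since then."""
    baseline = json.loads(Path(baseline_file).read_text())
    return compare(baseline, hash_tree(root))


def demo():
    """Build a tiny constructed theme tree, baseline it, then alter it.

    The alteration imitates what the reader saw: extra content appended to
    header.php, plus one new file dropped into the theme folder. Both the
    file names and contents are made up for the demo.
    """
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        theme = site / "wp-content" / "themes" / "atahualpa"
        theme.mkdir(parents=True)
        (theme / "header.php").write_text("<?php wp_head(); ?>\n")
        (theme / "footer.php").write_text("<?php wp_footer(); ?>\n")
        baseline = hash_tree(site)  # taken while the site is known-clean

        # Constructed change: a line appended to the header and a new file added.
        (theme / "header.php").write_text("<?php wp_head(); ?>\n<!-- unexpected line -->\n")
        (theme / "extra.php").write_text("<?php // constructed placeholder file\n")
        return compare(baseline, hash_tree(site))


if __name__ == "__main__":
    if len(sys.argv) == 4 and sys.argv[1] == "baseline":
        write_baseline(sys.argv[2], sys.argv[3])
        print("baseline written to", sys.argv[3])
    elif len(sys.argv) == 4 and sys.argv[1] == "compare":
        print(json.dumps(check_against_baseline(sys.argv[2], sys.argv[3]), indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

Run the `baseline` step right after a clean backup or upgrade (so the baseline reflects files you trust), then `compare` on a schedule; an upgrade will legitimately show many modified core files, so take a fresh baseline after each one. Anything modified or added that you did not change yourself deserves a look.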

Hope this helps!

Help! Someone hacked my Twitter account!

Here’s a timely question from the mailbag:

People on Twitter are reporting getting DMs from me with links that I didn’t send. I don’t know what to do. Sometimes, being on Twitter in the first place feels like a stretch — and now I feel like I need to wear some kind of sign saying Beware – I spread evil phishing crap. Help!

First of all: Big hugs for the worry and the shame. I’m so sorry the evil phishing crap slimed you. You don’t deserve that at all, and it’s completely not your fault. Not! Fair!

Next, here’s a 3-step plan to give you some concrete reassurance and info.

Three things to do immediately if you even slightly suspect that your Twitter account has been hacked

  1. Change your Twitter password (on the Twitter site itself, by really truly logging into your account). This will solve the vast majority of problems.
  2. Follow Twitter’s instructions to revoke connections to third-party services that may have obtained access to your password.
  3. Follow @spam and @safety, which are official Twitter accounts for phishing updates and info.

You can change your password again if you have any doubts at all about the timing or legitimacy of where you made the password change. There’s no downside to changing your password multiple times.

If you really want to (and it’s OK if not — if this is too much like wearing a scarlet letter) you can tweet a regular public tweet that says in a friendly way “hey everyone, please ignore any DMs that appear to be from me but contain a strange link. The phish-monster got me and I’ve fixed it now.”

And you can respond individually, if you want to and it feels right, to people who say they got such a message from you.

But don’t feel like you have to do that.

How did someone get into my Twitter account?

What happened to you is fairly common. I’m trying for reassurance-mode here, not meaning to diminish the reality or the pain of realizing someone is using your account for nefarious purposes.

It happens when someone or some outside service gets ahold of your Twitter password. Not through Twitter itself, but through some third-party service that asks you for it for what seems like a legitimate reason. There are certainly legitimate reasons to give your Twitter password to another service — for instance, if you use a Twitter client like Tweetdeck, or you have linked your Facebook and Twitter accounts. The evil hackers usually pose as a legitimate service or invent some reason you need to give out your Twitter password.

So if you change your password with Twitter and then don’t enter it anywhere else, their access to your account is cut off.

I get these DMs-with-weird-links from friends sometimes (I got one this morning, actually. Not from you!). And I usually DM them back to warn them that they should change their password — trying again for supportiveness and helpfulness and reassurance, which can be hard to get across in 140 characters!

But I never blame them or think they’re evil. I blame the evil phishers for being mean to my nice friends. And I think most experienced Twitter users feel the same way. We know it’s not your fault, and we know you’re not an evil phisher.