I got this question in my email box last week:
I have a question about the Atahualpa theme and spam. I just saw a google alert for my blog, and there was a mysterious reference to, uh, I don’t want to get caught in your spam filter, but let’s just say there was spam in the header. Do you know if this is a “legitimate” part of the Atahualpa theme, or is it likely that my blog got hacked? Aside from upgrading WordPress (did that) and upgrading Atahualpa (reluctant until I understand this better), is there anything I can do to prevent further problems? Thanks!!
–Worried about hackers
Atahualpa definitely does not do this — your website content is totally determined by you, and Atahualpa never inserts content or links (the legitimate exception being the link to the theme’s author in the footer area). I hate to say it but it sounds like Intruder Alert time.
Here are a few quick tips to make your blog more secure:
- Back up your stuff. The WP-DB Backup plugin backs up your database and the WordPress Backup plugin backs up your images, theme, and plugins. Use them both to get a complete backup of everything. Bonus tip: Give yourself some additional peace of mind by having these plugins schedule automatic weekly (or daily) backups. Then you’ll always have the ability to restore a damaged site if necessary.
- Upgrade WordPress, all plugins, and your theme. Upgrading WordPress is a one-click process (assuming you are all backed up as Step 1 suggests). Upgrading plugins is even easier. Upgrading Atahualpa can feel really scary (depending on what version you have — recent versions have the ability to export and import Atahualpa settings files, which lends extra safety and security to the process) but I’d do it (or have someone do it for you).
- Change your username. If your login username is still “admin,” use the plugin WPVN Username Changer to make it something different (because the easiest hacks are on accounts where the username is known, and most people leave it “admin”). New WordPress installations allow you to set a custom username with no need to use this plugin.
- Change your passwords. At least change your WordPress login password and make sure it’s secure (at least 8 characters, with a mix of upper- and lowercase letters and a few numbers or symbols). You may also want to change your FTP password, and even your email password (since hackers can send password-change requests to your email account).
This list is not comprehensive — there are many other safeguards, plugins, and security tricks that exist to protect your website. But these four tips will put you ahead of the pack.
If you want a professional hack-cleaning service, I have heard positive recommendations for Sucuri (not an affiliate link, since I haven’t actually used their services). Sucuri also offers a hack-monitoring service to alert you if anything suspicious is added to your site, which is useful because these suspicious additions are sometimes invisible, unlike the header spam you immediately noticed.
Hope this helps!