WordPress is a wonderful example of what people can achieve when they work together. There are so many plugins available these days that are invaluable … that take many hours to develop … and yet are completely free.

WordPress is a wonderful example of what people can achieve when they work together. There are so many plugins available these days that are invaluable … that take many hours to develop … and yet are completely free.

Without them WordPress would not be the success that it is today but at the same time every plugin is a ticking time bomb. Plugins can be extremely valuable at yet they can also be extremely vulnerable to hackers who want to break into your website and create havoc.

And so we see that just about every plugin that you’re using has to be updated frequently. Sometimes the plugin needs to be updated because there is a problem within the plugin and at other times the plugin needs to be updated so that it will continue to work with other plugins that have been updated.

A never ending cycle that can cause problems

It’s a never-ending cycle and it must be quite a pain in the ass for every plugin developer. It takes hours and hours to produce the plugin in the first place and then they have to go on spending time to keep the plugin up to date.

It’s no wonder that sometimes an update to a plugin is released and problems begin to appear … often because the update was rushed and not thoroughly tested before release. Unfortunately those problems that begin to appear can be quite catastrophic and websites can disappear from the web for days before a solution is found.

So what can you do if you update a plugin only to find that the update has created problems that need to be fixed as soon as possible?

Just last week a major security plugin was updated and somewhere in that update was some code that caused a conflict with other plugins. It didn’t affect every website that we manage but it certainly did block our access to the admin section of a number of sites and began spitting out strange email alerts.

The plugins authors must have noticed the problem quite quickly because another update was released the next day but that wasn’t much help to those of us who couldn’t access the admin sections of impacted websites to install the second update.

Improvise, adapt and overcome

To overcome the problem we:

1. We needed to disable the plugin so we accessed the site via FTP … but you can also do this through your CPanel access.

2. We drilled down to the plugin folder and renamed the plugin simply by adding 4 or 5 numbers to the front of the name.

3. We then logged into the admin section of the website via wp-admin and deactivated the plugin.

4. Once the plugin was deactivated we then updated it.

5. On the servers, that the affected sites were on, the act of updating the plugin automatically renames the plugin back to its original name but you may have to do  that manually on your server.

6. We then activated the plugin, logged out and then logged back in to make sure that it was working.

If that had not fixed the problem we would have gone back in via FTP or CPanel, renamed the plugin, deactivated it in the WordPress admin area and gone looking for a solution.

Fortunately it did work and everything is running smoothly again.

It’s a simple and quick solution but if you feel confident enough to do the work yourself we can always help.

Fast recovery is vital

Over the last three posts I’ve been talking about how to avoid ransomware and when I started this series ransomware was something that everyone was talking about because the Wannacry ransomware attack had just happened.

But now, ransomware is off the agenda for almost everyone. It’s not off the agenda because, by some miracle, we don’t have to worry about it anymore … it’s off the agenda because it’s old news and the public’s attention has moved on to something else.

So, don’t be fooled into thinking that ransomware was a one-week-wonder and we don’t have to worry about it anymore because that is far from the truth. Now, when most people aren’t thinking about ransomware is the very time that we should be redoubling our efforts to avoid being hit by it.

Ransomware hasn’t gone away – it’s still here destroying websites and businesses

Right now, we should be looking at what we can do to protect ourselves from ransomware … we should be paying for solid protection and we should not be trusting anyone who sends us unexpected attachments or links that they want us to click on.

And there is one more thing that we should be doing to protect ourselves and our businesses from ransomware. We should be backing up all our important files on a regular and frequent basis … and those backups should be stored somewhere other than the computer that has the original files.

Sometime before WannaCry hit the world a businessman contacted a friend of ours who is a computer tech. He had been hit by one of the many other ransomware variants that are out there and he had lost his files … but he had backups and he wanted our friend to reload the infected computer with the backups.

Where were those backups? On the same computer that was locked solid by the ransomware and they were just as solidly locked up as the rest of the files on the computer.

Some backups are just pointless

Backing up your files onto the same computer that contain the original files is pointless. Those backup files are just as vulnerable as the original files but I guess some people just don’t think beyond the end of their nose.

So, to get the best protection against any form of ransomware you need to do the things I mentioned in the first three posts and also have a regular schedule for backing up everything and keep those backups on an external hard drive that you should only plug into your computer when you’re actually doing the backups.

When you’re not doing backups keep that external hard drive in a safe and secure place … and don’t get lazy. Keep on doing those backups because you never know when ransomware … or some other disaster … will take out your important files.

Be responsible, be vigilant, pay for protection and backup regularly and you will be doing all you can to avoid ransomware.

Tune into reality – don’t trust anyone

I first started working online back in 1996 … yep I’ve been around longer than Google has and in that time, I have learned one major lesson that has kept my computers free of ransomware, malware and trojans.

What is that one major lesson? Don’t trust anyone.

Don’t trust your wife.

Don’t trust your husband.

Don’t trust your parents or your siblings.

Don’t trust your boss.

Don’t trust the people you work with.

Don’t trust anyone who sends you attachments that you weren’t expecting. Don’t trust people who send you lots of attachments either … you know, those people who send you jokes and other time wasting rubbish.

Trust no one

Why shouldn’t you trust them? Because any one of them … even members of your family … could unwittingly be sending you some nasty little monster that is going to destroy your files and ruin your business before you’ve blinked.

You never know when someone you trust is going to end up with an infected computer and, as soon as they do, their computer will start spewing out emails and messages in an effort to infect as many other computers as it can.

If you’re not expecting an attachment from someone … and one arrives … scan it before you open it or contact the sender and ask them if they really have sent you an email with an attachment. And don’t open it till you have an answer.

Attachments can destroy your business in the blink of an eye

If you get lots of emails and attachments from family members just don’t bother opening them at all because it’s like playing Russian Roulette. Sooner or later one of those attachments that’s usually full of jokes or political garbage will be full of nasty things that will ruin more than just your day.

I know that can be hard … not opening those rubbish emails that come from family members is so rude … but what would you rather be, rude and safe or nice and trying to salvage something from a hard drive that has been turned into a brick?

Your business is too important to risk it by opening every attachment that arrives in your inbox.

Links can be very dangerous too

Your business is also too important to risk it by clicking on every link that someone sends you.

Yes, I know that we have been conditioned to click on links. We want to know what is on the other end of those links and we just have to do it … we just have to click on them … we’ve almost been brainwashed into clicking on link … but be strong.

Don’t do it! Don’t be tempted by offers that are too good to be true.

Don’t be tempted by lurid headlines about the latest star’s naked anatomy.

Don’t be tempted because you’re being told to “Click Here and you could win a gazillion dollars!”

Don’t be tempted because any one of those links could lead to a website that will instantly download a pile of malware and trojans and you won’t have time to stop it from happening.

These days I only click on links that are important to my business, my hobbies, my family and my interest in current affairs. I work hard at ignoring all the other links that I come across. That may sound strange but …

The net is not a fun place anymore

The Internet used to be a fun place to go surfing and discover new things but these days the risk of dropping into a website that is loaded up with piles of nasty trojans is just too great. Even the websites of reputable banks have been infected so it’s time to treat the Internet as a very dangerous place.

It’s time to treat the Internet like a minefield and make sure you do all you can to avoid stepping on something that is going to explode in your face.

So, there is the next thing that you can do to avoid ransomware. Stop thinking that the Internet is a wonderful place to be and start thinking that every link that someone sends to you is a potential threat.

And start thinking that every attachment that you receive could be the one that will unleash a torrent of nasty stuff that will lock up your files, ruin your computer and destroy your business.

Your survival is in your hands

Teach yourself to have the right mindset and you will survive.

Fool yourself into thinking that nothing could possibly go wrong and your tears will join the torrents that are being generated every day by people who have been hit with viruses, trojans and ransomware and have lost everything.

You have to spend some money to save money.

None of us like to spend money … in fact marketers will tell you that it is psychologically painful for people when they have to hand over their hard-earned cash.

Add to that the fact that we’re all on the Net where we believe everything should be free and it’s no wonder that none of us like to spend money on anything … not even the safety of the things that are most important to us.

The cost of protection is far less than the cost of recovery

So accepting the premise that we need to spend money if we want to avoid the impacts of ransomware is hard to do until you have to spend a lot more money to get your files back.

You may think that investing real money on some anti-ransomware is terrible and you just don’t see any value in it … but what are a few dollars when you suddenly discover that every business file that is vital to your business has been locked up and you can’t get them back.

If you find yourself facing a situation like that you will suddenly realise that you’ve valued your business at even less than a few dollars … and how foolish is that?

So if you want to avoid ransomware then be prepared to spend some money on software that is specifically aimed at blocking ransomware.

Keep your anti-ransomware software updated

Don’t think you’re safe because you happen to have an anti-virus program on your computer because most of those won’t do anything to stop ransomware. You need software that clearly states that it blocks ransomware and, at the time of writing this, there are a few to choose from and a quick search on Google will reveal them.

And don’t forget to keep that anti-ransomware updated!

Of course, installing an anti-ransomware programme is just the start and there are other things that you need to be doing to avoid ransomware and we’ll look at the next step you need to take in the next post.

Remember, it’s your responsibility to avoid ransomware

There were some very positive aspects, from a security point of view, that came out of last week’s WannaCry ransomware attack that hit thousands of computers and hundreds of large and small businesses across the planet.

Positive aspects? Yes … suddenly people are beginning to take ransomware seriously. In the past ransomware attacks have hardly been talked about outside of the IT security industry and when news did manage to get out most people weren’t interested because it wasn’t their problem.

But now ransomware is front page news across the planet … it’s all over the TV and cable news … lots of people are talking about it.

Sadly though, most of the talk is wrong. To try and get the message across experts have had to dumb down the explanations and, in doing so, the message has become corrupted.

Headlines on the day after the WannaCry ransomware first hit talked of governments across the planet racing to block the ransomware to protect businesses and consumers and, right there was a major error.

Ransomware can’t be blocked by any Government

Ransomware is not something that can be blocked, or stopped, or prevented by governments. The precursor to any form of ransomware is delivered by email or by downloads from the Internet when someone clicks on a link to an infected website.

It’s delivered personally. It’s hidden inside innocent looking emails and websites and there is no way to stop for governments to stop it … unless you want your government to completely unplug your country from the Net.

If you really want to avoid ransomware and all the hassles that it brings then it is up to you … and every other individual on the Net … to take four or five simple steps to reduce the risk of getting hit with ransomware and to make sure that you can recover quickly if your computer does become a victim.

Sadly, most people will never take those steps. Most people will go on thinking that ransomware is something that happens to other people and never to them. They will go on thinking that ransomware is something that government can block so they don’t have to worry about it.

Staying save is your responsibility

Most people will be far too lazy to do anything to protect themselves and they will eventually pay the price. Even if they don’t pay the ransom the price of getting their computer repaired and losing all their important files will be a lot more in dollar terms than they expected.

But you don’t have to be like other people. You can avoid ransomware at almost no cost to yourself. Anyone … even the most computer illiterate … can take the simple steps that I’ll outline in the coming posts and when you take these steps you will avoid ransomware at home and in your business.

See you in the next post.

We’re around the 48 hour mark … 48 hours after ransomware suddenly become big news as the WannaCry variant began shutting down everything from radio stations to entire health systems across the world … so what do we know at this point … apart from the fact that the damage done has been considerable?

The drama is not over … WannaCry ransomware is back
A few hours ago newspapers and television stations were happily telling everyone that an English geek had found the kill switch that everyone was missing and the drama was over.
Now we know that removing the kill switch worked on version one of WannaCry but now there’s a new version out there that has no kill switch so the threat to your business and the associated drama is far from over.

Who was targeted?
This ransomware was designed to target any computer that accessed the Internet via a proxy server. If the ransomware found itself in a computer that accessed the Internet directly it took no further action and became dormant.

Accessing the Internet via a proxy server is very common in large and small enterprises; it is not so common for home users or home-based businesses that do not use a proxy server. That would suggest that it large scale users who were the target for this ransomware.

However that doesn’t mean that you can be complacent and think that you don’t need to worry … because you do and you definitely need to start taking precautions.

How does WannaCry work?
As soon as the ransomware was downloaded it checked to see if Internet access was via a proxy server and if there was an unpatched version of part of the Windows operating system on that computer.

Windows patched this vulnerability back in March of this year but there are tens of thousands (if not more) Windows computers out there that have not had their operating systems updated and they are vulnerable.

If conditions were favourable for the ransomware then it attempted to contact a specific domain name … one that had not been registered.

If the ransomware got the expected response to its attempted contact it began locking all the files on the infected computer and spreading to every other computer on the network that had a vulnerable version of the Windows operating system.

At the same time, every computer that was locked began displaying a message that told the user that their computer files were encrypted and they would remain that way unless a ransom of $300 (paid in Bitcoin) was not made to an untraceable user.

Did anyone pay the ransom?
I’m yet to see reports of anyone attempting to pay the ransom so it’s impossible to say if paying the ransom would have led to the files being unlocked but it’s worth considering the amount of the ransom that was being asked.

If this ransomware really was targeting large entities then why only ask for $300 per infected computer? So was this a one-time grab for cash where there would be no attempt to provide a key to unlock the files or was it at attempt to establish some credibility so that more people would feel comfortable about paying the ransom in future?

How did WannaCry take control?
We may never know exactly how this version of ransomware found its way into so many computers but the usual way that ransomware is spread is via bad links in email and trojan downloads from infected websites and, in this case, my bet is on email.

Sending out emails have dodgy links is a business in itself … and a very profitable one … and it’s a foolproof way of distributing something like this ransomware across the planet in the shortest possible time.

All it takes is one employee of a company, government department or public utility to click on a link in one of those dodgy emails and, if the conditions in the computer and computer network are favourable for the ransomware, the end result is inevitable.

How was the spread of WannaCry stopped?
A self-trained IT specialist in the UK discovered that the domain name the ransomware was trying to contact was unregistered. Once he registered the domain name the response that the ransomware got when it tried to contact the domain name changed and the ransomware was programmed to shut down.

The domain name was the kill switch and now that it has been exposed the purveyors of this nasty piece of software appear to have re-written it to remove the need for the ransomware to get a specific response before it infects the computer that it’s on.

What can you do to avoid ransomware
It is so simple to reduce your chance of getting hit with ransomware. There are 4 very simple steps that anyone can take and you will find them by following this link.

What comes next?
Expect more attacks from the people who brought us WannaCry … and expect more from others as well.

Gone are the days when we were facing low-level attacks from kids working from their bedrooms. These days hacking and ransomware is BIG business … and it’s run like a business by organised crime and they are not going to go away any time soon

If you own a business … large or small … you probably have a website for that business because, if for no other reason, these days a website adds credibility to your business.

Unfortunately having a website also leaves you vulnerable to attacks by hackers but how bad is that risk of attack?

Well back in 2013 it was estimated that 30,000 websites are hacked every day … and you can be sure that number has continued to increase.

So why are the numbers so high? Obviously many hackers find their way into websites because of lack of security. Easily cracked username and password combinations would have to rank right up there as one of the major ways hackers find their way in and there are plenty of other ways that hackers use to get into a website.

Any website that’s built on a content management system … and a huge number of websites are built on content management systems … have potentially thousands of vulnerabilities built right into the code that goes to make up the software that runs each website.

Thousands of coding errors that hackers can exploit

How can there possibly be so many vulnerabilities in that software?

To answer that let’s take a look at the most popular content management system of all … WordPress. However, I should say right now that I’m not about to bash WordPress; what I say here can be applied to every content management system … they are all vulnerable.

Every website built on WordPress requires the WordPress core to be installed on a server and that is just the beginning. A plain WordPress website is an ugly thing to see and most people would not bother to look around if they landed on a website that was built on nothing but the WordPress core so we need to add a theme to give the website some personality … to make it look pretty.

But even that is not enough because, no matter how pretty a website that has the WordPress core and theme installed might look, it still lacks functionality. It might look pretty but it can’t do much so every website built on WordPress needs a number of plugins to be added to the mix to give it the functionality that people expect.

So now we have a website that’s built on WordPress, a theme to make the site look attractive and any number of plugins that make the website function and all those components are built using code … lines and lines of code.

Thousands of coding errors in your WordPress website

The WordPress core has over 484,000 lines of code. The average WordPress theme has over 36,000 lines of code and the average number of lines of code that go to make up the plugins that we use is anybody’s guess

So for every website that’s out there that’s built on WordPress … and that includes your business website … there are well over 500,000 lines of code and that is an important number to think about.

In fact it is such an important number that it probably keeps some security specialists awake at night because of what it means and because they know that people make mistakes and people who write code make just as many mistakes as everyone else.

Experts know that when it comes to writing code most coders will make, at the minimum, five mistakes for every 1,000 lines of code that they write … and that number can go much higher.

And every mistake in the code that goes to make up the core, every mistake in the code that goes to create a theme and every mistake in the code in the plugins that are used is one more potential vulnerability that hackers can exploit.

So you can be sure that right now there are at least 2,500 errors in the code in your website and every error is a potential access point that hackers can use.

It’s not that coders are careless or that they intentionally make mistakes so hackers can gain access … it’s just that they are human and humans make mistakes. Even checking the code for mistakes does not result in perfectly clean code.

There are mistakes in every piece of code and you will never know

Every piece of code that is released for every piece of software … whether it be the WordPress core or a system to guide a rocket carrying a nuclear warhead … will have mistakes in it. Some will be harmless, some offer hackers potential exploits and some offer those hackers an open door that they can stroll through and take control of whatever is using that software.

And that’s why you need to worry about the security of your website.

You will never know how many mistakes are in the code that is running your website.

You will never have advanced warning that a hacker is about to find an exploit in the code that is running part of your website.

If you’re not paying attention then you will never know when some part of your website needs to be updated to close off an exploit that hackers are using.

If you’re not monitoring your website every day you may never know that a hacker has gained control of your website and is now using it for his own dishonest purposes.

That’s why you need to take the time to worry about the security of your website … you need to focus on the security of your website or … if you don’t have that time … you need to pay a trusted security service to take care of your website’s security for you.

Sure it’s going to cost you money but that cost is nothing compared to what it might cost you and your business if a hacker does find one of those 2,500 vulnerabilities that exist in your website right now.

My team at WP Security Workshop can do it for you for as little as $1.00 so shoot me an email or give me a call and let’s add some real security to your website.

Discover why having good security is vital for your bottom line.

Sometimes when I stop and think about security for WordPress websites I wonder why anyone would bother taking the time and effort to focus on security for their websites.

Sure, you can build one barrier after another at the “front door” of your website. You can have wonderfully layered defences with strong usernames and passwords, captchas, IP blockers and blacklists, limited login attempts, two-stage authentication, brute force protection and more and hackers can still get in.

You can let hackers in
You can do everything in your power to keep hackers out and they can still walk right in because all you are doing is protecting the admin section of your website.

You can lock that down so tight that a flea couldn’t find its way in and yet your WordPress website can still be open to any hacker with modest skills.

You can also open the door wide and usher hackers in if you don’t keep all the plugins in your website updated.

Your hosting provider can let hackers in
You can choose a host that has a strong focus on security (and there are some who don’t … even some of the best-known hosts are less security conscious than others) and still the hackers can waltz right into your website.

WordPress programmers can let hackers in
How can they do that? By the very nature of the beast that is WordPress. The foundations of your WordPress website is a collaborative between the WordPress team who build the core and those many individuals who build the plugins that you, or your web designer, have used to add functionality to the WordPress core.

Every one of them has to bring his or her A game every time they sit down to write the code that goes into the core and the plugins. One tiny mistake, one distraction, one little bit of inexperience and the code that you rely on stops being bulletproof and starts being a potential vulnerability that hackers can exploit.

Is resistance a waste of money?
And there’s no way you will know if the core or the plugins that you are using are bulletproof or vulnerable … and there is no way you can build a wall, or any form of layered defence around them. If there is one small vulnerability hackers will find it and exploit it … and there’s nothing you can do.

So what’s the point of trying to keep hackers out if you can’t have total control over every access point to your website?

What’s the point of spending time and money to try and protect your website?

Why you MUST focus on security

There are two very good reasons why you do need to focus on maintaining good security for your website even though there are so many ways that hackers can break into your website and no one can guarantee that you will keep hackers out.

A little resistance is a good thing
Hackers are no different to you or me. We like the easy life. Sure, we enjoy a challenge but if there is a hard way to achieve a goal and an easy way to achieve the same goal we’ll opt for the easy solution every time.

Hackers want to get into as many websites as they can. It doesn’t matter too much to them who owns it or what the websites are about; they just want to get in.

They’ll try to break into every website they can find but most of them will look for the quick wins that they know are out there. Most hackers don’t want to spend too much time trying to break into because they know that there are many websites out there with little, or no, defences.

So, they’ll try to get into your website, they might even make it past the first lines of defence but, if you’ve got a layered defence in place, it all starts to get too hard for them and they’ll go looking for an easier target.

That means that you, if you ever knew that the hackers were there and trying to break into your website, can breathe a big sigh of relief … until the next hacker comes along in a few minutes.

Ignorance is not bliss
What if your defences don’t hold or the hacker has found a vulnerability in one of the plugins that is part of your website? How would you know that a hacker left his malicious files buried in your website?

If you have the right security plugins installed in your website, you will be warned that someone has been tampering with your website so you will know. You will know where they have been and what they have done and that information tells a specialist what needs to be done to clean up your website.

But will you even bother to read those alerts that come from your website?

Sadly few website owners ever have time, or the inclination, to pay any attention to those alerts and if you never read them and you’ll never know that you have been hacked.

… and the point is …

It’s all about money … money that stays in your pocket.

When a hacker breaks into your website you and your business lose credibility with Google and with your customers. A defaced website will drive your customers or clients away and they may never come back.

A warning from Google that appears in front of people when they visit your website after a hack also drives people away and many of them will never return.

And people will continue to be driven away from your business until the mess is cleaned up and, of course, that will cost you lots of money … once you realise that something is wrong.

Spend some time and money on monitoring your website and keeping all the plugins updated and you will have a much better chance of keeping hackers out.

Yes, it takes time and time is money but that is a small cost when you compare it to the cost of cleaning up the mess that hackers leave behind them.

If you don’t have the time to devote to maintaining the security of your website then you will have to spend money to employ professionals to monitor your website but that cost is nothing compared to the cost of cleaning up the mess that hackers leave behind them.

And ultimately the point is that spending money on security for your website, even though it remains vulnerable, is something you must do if want to avoid much bigger costs when a hacker does find a way in.

Need to talk to someone about website security? Pick up the phone, email or connect with Skype and talk to us here at WP Security Workshop.

For as little as a dollar a day you can have professionals keeping watch over your website.

4 Steps to Securing Your Website is the core of the presentation on website security that I gave at the 2016 WordCamp Sunshine Coast held here in Queensland last weekend.

I wrote this post and put together that presentation because Google tells us that they find over 100,000 hacked websites every month and I want to help at least some people avoid the all the hassles that can destroy your business and your spirit when you find that someone has hacked your website.

So what are those 4 steps to securing your website?

Understand that there is a very real threat and you are not too small to be hacked.

Understand how hackers get into your website

Discover and install the security plugins that will help keep the hackers out of your website.

And then start monitoring your website every single day.

Understand the threat
There are five basic types of hacker that want to get into your website. They range from bored kids who want to create havoc to organised crime syndicates that want to use your website to infect the computers of those who visit your site and turn those computers into yet another part of their network of bots.

You don’t need to collect payments to be a target of hackers. You don’t need to have a religious or political position to be a target. You can run a charity site or a site that talks about blue widgets … the subject matter is of no concern to a hacker.

The only thing you need to attract hackers is a website because it’s not what is in your site but what they can do with your site that matters to hackers.

Some of those hackers simply want to deface your website. Some want to fill your website with links to their own websites … and not all of them are porn sites.

Others want to add short snippets of code to the backend of your site so that they can sent out hundreds of thousands of spam emails.

And then there are those that I already mentioned who want to turn your website into an attack mechanism that will turn visitors’ computers into parts of the hacker’s botnet.

“… it’s not what is in your site but what they can do with your site that matters …”

Those guys are probing your website right now and unless you have some security measures installed they will get in and you won’t know.

I know because my website security business monitors hack attempts for my clients and the figures I see are frightening.

• A health and beauty site – 40,000 attempts in 3 weeks
• A very small land subdivision website – 3,000 attempts in a weekend.
• The website for a brand new B&B – 3000 attempts in the first 2 weeks after the site went live
• A website about plastic pipe welding – 2000 attempts in the first week
• A signwriter’s site – over 5,000 attempts in five or six months

So how many attempts are being made on your website?

Understand how hackers get into your website
There are 2 basic access points to your website that hackers want to exploit.

The easiest access point of all is your front door … your WordPress login page where you have to enter your user name and password. If you have a simple username and a simple password you have the welcome mat laid out for any hacker who wants to drop by.

Even if you have a difficult username any hacker can still find it because Google indexes it … but that doesn’t mean that you should be lazy and settle for the tired old ‘admin’ username.

The password is the really important factor here. More recent versions of WordPress require you to have very difficult passwords but you can change them … if you want to make it easier for a hacker to get in.

Even harder passwords can be hacked because even the most unsophisticated hacker has access to scripts that can run hundreds of username/password combinations in just a minute or two. So using a hard username and password combination is just the start.

The other access point that hackers us is old versions of plugins, themes and even the WordPress core. Updates are frequently issued for the plugins you use because vulnerabilities have been found that hackers can exploit.

Once they gain access through outdated plugins, themes or the WordPress core they have access to everything they need to take control of your website. They can even shut you out and ensure that there is almost no way for you to regain control of your site.

“…no level of security … no matter how strong … will keep a determined hacker out …”

Security plugins – building walls to keep them out
I know that it probably all sounds like a game of Russian roulette and all the chambers are loaded when it is your turn to hold the gun to your head but things are stacked far more in your favour than you may realise.

There are a number of security plugins available that you should install but it is important to remember that no level of security … no matter how strong … will keep a determined hacker out of your website.

The best you can hope for is that you’ve built enough walls that a hacker has to climb over to gain access to your site the he gives up and goes in search of sites with weaker, or no, security.

So what plugins do I recommend?

Wordfence Security – it not only has a firewall and automatic blocking after a set number of failed login attempts but it will also alert you whenever there is a plugin, theme or WordPress core update available.

Jetpack – it’s the Swiss Army knife of plugins it will do just about anything you want it to do. For security all you have to do is install Jetpack and activate the ‘Protect’ and ‘Monitor’ options.

The ‘Protect’ option blocks incoming traffic from IPs that are known to be used by hackers. It won’t give you much information about where these attacks are coming from but it will let you know how many times it has blocked access attempts and that number can grow alarmingly.

The ‘Monitor’ option will let you know when your site is off-line for any reason.

Sucuri Security – Auditing, Malware Scanner and Hardening – it’s a big title for an important plugin. Sometimes hackers can get passed all the security plugins and when they do you need to know that they are in. When you install this plugin and set up the Alerts system that is included you will receive notifications if things are changed on parts of your website.

Recovering from a hack is also important and the faster you recover the better. To do that, you need to be responsible for your own backups so it’s important that you keep a copy of every image and every PDF that you have posted to your site.

You also need to back up your website’s database and have those backups delivered to your computer. Of course, there are plugins that will help you do just that.

My recommendation is WordPress Database Backup by Matzko. It’s simple to install and set up and it will email you a copy of your database every week, day or hour. All you have to do is keep that back up in a safe place, where you can find it if you should happen to need it.

You will find links to all those plugins here.

“When it comes to security nothing … absolutely nothing … beats eyeballs on the subject.”

Start monitoring your website
When it comes to security nothing … absolutely nothing … beats eyeballs on the subject. You need to do a quick visual scan of your website every couple of days to make sure that no unauthorised changes have been made to the web pages that face the public.

You also need to take responsibility for your own updates. A number of plugins, and the WordPress core, offer automatic updates but what happens if one of those updates fails … or there is a conflict between the WordPress core and a plugin that was updated automatically?

Conflicts do occur? Every time there is a WordPress core update there are complaints from website owners that their sites are having problems or even failing to appear.

Do all the updates manually and visually check the website each time you update something and you will be on top of any problems. There is nothing worse than finding that your website has been down for a week … or longer … because you’re too lazy to check it regularly.

Conclusion
The security of your website depends entirely on you and what you choose to do. You can do nothing or you can start building barriers to make it harder for the hackers to get in.

Website security is boring and repetitive work. There is nothing sexy or exciting about it but if you don’t do it hackers could destroy your site, your business and your dreams.

What I have outlined is fairly basic stuff but, if you feel that handling the security of your website is beyond your capabilities or your time, you can always use the services that I offer here on the website.

Click the link and you will be on your way to having a far more secure website in a matter of hours.

Over the last 2 years or so we here at WP Security Workshop have been watching something of a slow-motion train wreck as ignorance, and a desire to save money, have opened up a breach in website security and given hackers a chance to break into two WordPress websites.

Background
Let me set the scene by giving you some of the background to this story.

A local business that is located here in the same town as we are has a very successful franchise for here and for a neighbouring town. The owner of that business had our sister- business, Total Website Management (owned by my partner), build two fairly simple WordPress websites for their client.

As is their practice, Total Website Management optimised the websites for the major search engines and included a number of security plugins to ensure that hackers would not find an easy path into the back end of the site.

After a few months the client was dissatisfied with the way his websites were performing in the search engines and decided to hire a marketing specialist to promote the websites.

To save money he instructed Total Website Management to stop monitoring the websites and updating the plugins because the marketing specialist would look after everything and keep the plugins updated.

That was not a problem and my partner handed everything over to the marketing guy.

The problem
Unfortunately it soon became apparent that the marketing guy had no idea about website security. He made no attempt to change the email address that update alerts were going to and so he was often late doing any updates.

To be fair to him, he certainly did lift the sites’ rankings and has brought a lot of business to the owner of the website. However, his lack of knowledge about security, combined with a plugin that never got updated because he never saw the alerts, and was a well-known target for hackers, was a ticking time bomb that blew up in his face this week.

The disaster
The first I knew of the problem was when my partner rang me and asked me to run some scans over the two websites. The marketing guy had rung her in a panic because he was locked out of one of the websites.

Fortunately, our old access codes had never been deleted or changed and they worked. Once I was in the back end I didn’t have to run any scans to know where the problem lay.

Revolution Slider was sitting right there in the list of plugins and it was so old.

It was soon obvious that plugin was the access point for the hackers on both sites but they almost certainly hadn’t stopped there.

Old versions of Revolution Slider can be exploited to allow hackers to give themselves shell access to the server and once they have that access they can drop their malicious files just about anywhere.

We had to report to the marketing guy that it probably took the hackers all of five minutes to breach the site but it would take many hours to ensure that all traces of their activities had been removed.

I also had to tell him that until the sites were completely clean there was a very real danger that Google would find that the sites had been hacked and once that happened the sites would be out of the paid and organic listings till Google was satisfied they had been cleaned … and satisfying Google can take weeks and sometimes months.

No search engine listings mean no traffic and no traffic means no business … and the business that owns those two websites employs around 20 people.

The takeaway
Ignorance of the need for website security is no excuse … hackers won’t stop and politely ask you if they can come in and destroy your website and your business. Saying that you didn’t know is no excuse either.

It’s your business and your responsibility to ensure that people can’t break into your website and destroy your business. If you don’t know what to do, then employ the services of experts who do … and then check to make sure that they have done what they said they would do.

If you are going to allow third-party service providers to access the backend of your website, make sure that they know how important good security is and make sure they know how important it is to you.

If they don’t understand then employ the services of some security experts who can look over the shoulders of the marketing people and prevent them from making security blunders.

Sure, keeping your website secure may cost you money but then think of how much money you will lose if your website goes down for weeks … or even months.

Spend a little on security now can save you a whole lot more in the future.