We were asked to step in and take on a couple of ecommerce sites recently by a new client who had spent the last few months tearing their hair out whilst their sites were hacked on a daily basis.
Their incumbent agency had obviously hit a wall with trying to resolve it and had resorted to rolling each site back to the previous day’s backup every morning.
“Eat. Sleep. Rave. Repeat.”
Yeah I know, right?! I feel for them but sticking a plaster on these things isn’t the optimum solution. You need to understand what’s happening and why, and then block those attack vectors as quickly and as securely as you can.
We investigated and found a number of unpatched vulnerabilities that had been introduced by someone leaving a virtual back-door open at some point in each site’s past. We secured the back-door by bolting it shut, bricking it up, and putting a guard dog in place (thanks WordFence), and then cleaned the sites manually.
Moving them across to WP Engine helped too as their additional security layers kicked in on top of the protections we had already put in place.
“WordPress is Vulnerable”
We’ve all heard it. The thing is, it’s not true. Well, not in the basic sense. WordPress, like your house, is vulnerable if you don’t lock your doors and shut your windows. We’d all love to live in those glorious days of our grandparents, when they could go out and leave all their doors and windows open and nobody would touch anything, but sadly we don’t. (If that was ever true, and not just nostalgic thinking.) The world is full of people looking for an angle, anything that can get them ahead, and if your site is ripe and inviting it won’t be long before someone comes along to have a poke about.
So what can you do?
The Golden Rules of Securing WordPress
- Make sure you’re hosted somewhere safe. If it’s cheap, it’s not likely to be as secure as you need it to be. Do your research.
- Make sure your host is running your site on the latest secure versions of PHP and MySQL.
- Keep WordPress updated. That means the core files: run the latest version.
- Update those plugins.
- Update your theme.
- Don’t install plugins willy-nilly. Less is more.
- Don’t install unlicensed premium plugins.
- Don’t use common passwords and don’t re-use passwords on multiple sites. Better yet, use a password manager like LastPass or DashLane to manage unique passwords for all your logins.
- Don’t add a bunch of editors and admins – restrict access like you would to your house. Not everyone gets a key, right?
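Three of those rules (supported PHP, up-to-date plugins, and a short list of administrators) can be checked rather than just remembered. The script below is an added example, not code from the post or from the agency: it is a small POSIX shell audit that reads the CSV output of real WP-CLI commands (`wp plugin list`, `wp user list`) and the PHP version string, and prints a finding for each rule the site breaks. The minimum PHP version and the administrator limit are assumed policy values, and the three sample inputs are constructed so the script runs without a WordPress install.

```shell
#!/bin/sh
# Added example, not code from the post or the agency: a small offline audit
# for three of the rules above (PHP version, plugin updates, administrator count).
# The WP-CLI commands named in the comments are real, but their output is replaced
# here by CONSTRUCTED sample data so the script runs without a WordPress install.

MIN_PHP="8.1"   # assumed policy floor: set it to the oldest PHP branch still receiving security fixes
MAX_ADMINS=2    # assumed policy value: how many administrator accounts you are willing to tolerate

# version_ge A B: exit 0 when dotted version A is >= B, else 1.
# Distribution suffixes such as "8.1.27-ubuntu" are ignored.
version_ge() {
  a="${1%%-*}"; b="${2%%-*}"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"          # leading component of each version
    if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
    if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
    ai="${ai:-0}"; bi="${bi:-0}"          # missing components count as 0
    [ "$ai" -gt "$bi" ] && return 0
    [ "$ai" -lt "$bi" ] && return 1
  done
  return 0
}

# plugins_needing_update: reads the CSV produced by
#   wp plugin list --fields=name,status,update,version --format=csv
# on stdin and prints the name of every plugin with an update available.
plugins_needing_update() {
  awk -F, 'NR > 1 && $3 == "available" { print $1 }'
}

# admin_count: reads the CSV produced by
#   wp user list --fields=ID,user_login,roles --format=csv
# on stdin and prints how many accounts hold the administrator role.
admin_count() {
  awk -F, 'NR > 1 && $3 ~ /administrator/ { n++ } END { print n + 0 }'
}

# audit PHP_VERSION PLUGIN_CSV USER_CSV: prints one line per finding and
# returns the number of findings (0 means the site passes these three checks).
audit() {
  php="$1"; plugins="$2"; users="$3"; n=0
  if ! version_ge "$php" "$MIN_PHP"; then
    echo "FAIL php: running $php, policy requires >= $MIN_PHP"; n=$((n + 1))
  fi
  for p in $(printf '%s\n' "$plugins" | plugins_needing_update); do
    echo "FAIL plugin: $p has an update available"; n=$((n + 1))
  done
  admins=$(printf '%s\n' "$users" | admin_count)
  if [ "$admins" -gt "$MAX_ADMINS" ]; then
    echo "WARN users: $admins administrator accounts, policy allows $MAX_ADMINS"; n=$((n + 1))
  fi
  return "$n"
}

# --- CONSTRUCTED sample inputs standing in for the real command output ---
SAMPLE_PHP="7.4.33"
SAMPLE_PLUGINS='name,status,update,version
akismet,active,none,5.3
contact-form-7,active,available,5.8.1
old-slider,inactive,available,1.2
wordfence,active,none,7.11'
SAMPLE_USERS='ID,user_login,roles
1,owner,administrator
2,dev,administrator
3,writer,editor
4,old-agency,administrator'

# On a live site, replace the three samples with the output of
#   php -r 'echo PHP_VERSION;'   and the two wp commands named above.
audit "$SAMPLE_PHP" "$SAMPLE_PLUGINS" "$SAMPLE_USERS" || echo "$? finding(s) to fix"
```

Run it from a cron job or your maintenance checklist and treat any non-zero exit as work to do that day; the sample data produces four findings (an old PHP, two stale plugins, and one administrator too many), which is exactly the kind of site the rules above are meant to prevent.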
Keep your site up to date, and if you don’t have time, find someone who offers WordPress maintenance support plans. Naturally we like to think that we’re the best at this, but there are others out there – just don’t grab the first and cheapest person you find on Fiverr.
If you’ve been hacked or you need some help maintaining your site – reach out to us and we’ll leap into action. We can even train you how to do it yourself if you’d prefer things that way.
We’re a digital marketing agency based in Amersham, Buckinghamshire covering London and the South-East.
We’ve been around since 2009, providing consultancy and strategic services to clients across a number of sectors such as Healthcare, Technology, Telecoms, Publishing, Retail, Finance, and Travel.
We build digital experiences for companies and organisations that are finding their feet, pivoting, or who require a refreshing change.