Yesterday my website was hacked. I noticed this when my domain rank suddenly dropped from a healthy 52 to a rather depressing 34. All my hard work had gone down the toilet. My pages (cached by Google) were peppered with sentences like ‘Buy amoxicillin online’ and ‘Cheap Prozac without prescription’, destroying my carefully orchestrated keyword saturation.
The bug was one that only appears to Google bots (spiders) so the site looked ‘normal’ to my customers but, as far as my Google natural search was concerned, my site was no longer about ‘SEO copywriting’, or even ‘Sydney copywriter’. Worse still, my 2nd and 3rd place rankings suddenly dropped out completely and I lost a whole day trying to sort it all out.
So, to save you suffering the same fate, here are some recommendations to make your site safe (or as safe as it can be) using WordPress.
- Choose a strong password: Mix characters, capitals and digits. Make it memorable and unique.
- Uncheck the ‘Anyone can register’ box under Settings > General.
- Limit the number of users on your website to the bare minimum.
- Keep your WordPress installation up to date: At the time of writing, the current version is 3.01.
- Choose only 4-star plugins: The more well-known a plugin is, the more likely it is to be safe (you hope).
- Keep all plugins up to date: Old software can be troublesome.
- Delete any plugins you are no longer using. (See above).
- Consider downloading some security plugins. I now use:
  - Paranoid, which notifies me every time something happens to one of my files (so I know if someone, other than me, is fiddling with it).
  - AskApache Password Protect 126.96.36.199, which does lots of clever security stuff.
- Do all the things recommended in this Security article.
If the worst happens:
Keep calm and follow this 7-step guide:
- Run a virus check on your desktop/laptop. (I used ClamXav.com for Macs.)
- Change your WordPress password.
- Change your FTP password.*
- Change your database password.*
- Read this support article from WordPress.
- Read this article from Sucuri.
- If all else fails, contact these guys, Sucuri.net, who will fix your site for approx. A$100. (You might have to wait a few hours as they’re based in the US.)
When you’re nice and clean again:
- Change your WordPress user password again.
- Change the FTP password again*.
- Change your database password and update your wp-config.php file with the new password*.
- Run another virus check on your desktop/laptop, just in case.
- If you’re not running the latest version of WordPress, install it now.
- Update all your plugins.
*If you’re not sure how to do this, speak to your hosting company.
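To confirm the clean-up as the spiders see it, which is where the injected pharmacy spam described at the top of this post showed up, the added example below (not part of the original post) compares a page fetched with a browser User-Agent against the same page fetched with a Googlebot User-Agent and reports spam terms and links that only the spider copy contains. The User-Agent strings, term list, function names and sample pages are assumptions constructed for illustration.

```python
import urllib.request
from html.parser import HTMLParser

# Assumed values (not from the post): User-Agent strings and the spam term list.
BOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
SPAM_TERMS = ("amoxicillin", "prozac", "without prescription", "viagra", "cialis")
# Constructed sample pages, not captured from any real site.
SAMPLE_BROWSER = '<html><body><h1>SEO copywriting</h1><a href="https://example.com/about">About</a></body></html>'
SAMPLE_BOT = SAMPLE_BROWSER.replace("</body>", '<div>Buy amoxicillin online <a href="http://pills.example/">Cheap Prozac without prescription</a></div></body>')

class _Page(HTMLParser):
    """Collects lower-cased text and absolute link targets from an HTML document."""
    def __init__(self):
        super().__init__()
        self.text, self.links = [], set()

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href and href.startswith(("http://", "https://")):
            self.links.add(href)

    def handle_data(self, data):
        self.text.append(data.lower())

def parse(html):
    page = _Page()
    page.feed(html)
    return " ".join(page.text), page.links

def cloaking_report(browser_html, bot_html, terms=SPAM_TERMS):
    """Return spam terms and links present in the spider's copy but not the browser's."""
    b_text, b_links = parse(browser_html)
    s_text, s_links = parse(bot_html)
    return {
        "spam_terms": sorted(t for t in terms if t in s_text and t not in b_text),
        "extra_links": sorted(s_links - b_links),
    }

def fetch(url, user_agent):
    """Download url while presenting the given User-Agent header."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")

def check_site(url):
    return cloaking_report(fetch(url, BROWSER_UA), fetch(url, BOT_UA))

if __name__ == "__main__":
    print(cloaking_report(SAMPLE_BROWSER, SAMPLE_BOT))
```

Run `check_site()` against your own site's URL; some injections key on the visitor's IP address rather than the User-Agent, so an empty report should still be compared against Google's cached copy of the page.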
My site seems to be all better now, and I’ve learnt a lot about how security works and what to look out for. So thanks, Mr HackerVirus-makingGIT, this was a great learning experience.
If anyone has any other security tips I’d love to hear them.