Don't Do It Yourself

Holy crap, you got hacked! Now what? Options for WordPress security

You just found out your blog is infected with malware. Your blood pressure is racing and you're trying not to throw up on your keyboard. Do you know who to call for help? Do you have a backup? Is anyone going to visit your blog ever again?

If you’re making any money at all from your blog, being hacked is one of the scariest things you can experience.  You’ll want to puke, I guarantee it.  Not only do you lose revenue while you’re down, but even worse, your site might be flagged by the search engines as a security threat.  If that happens, they’ll stop sending you traffic and it could take weeks or more to appeal.

I know how you feel, I went through the same thing a couple weeks ago.  And I plan to do everything I can to prevent a repeat WordPress security breach.

If you’re trying to recover from a hack right now, take a deep breath and skip to the bottom for my suggestions on blog monitoring and malware removal.

My blog hack actually increased my traffic!

When I got hacked I didn’t even know it for a few days.  Turns out I had an old WordPress theme and the theme files got infected with malware (one of many reasons I’m switching that blog over to Thesis).  At any rate, the hackers were pretty freakin’ smart.  They created a post type that did not appear on my front page so I wouldn’t notice it.  Then they published a series of fake blog posts with links to their own sites (I assume to pass link juice and build authority).  I have to hand it to the hackers, it’s a brilliant ploy.

The funny thing is that these posts got indexed by Google and actually received some new search traffic.  In fact, that’s how I realized I had a security breach.  I noticed in my stats that I started ranking very well for “whitney houston weightloss” right around the time she passed away.

If I had been really smart, after I had the malware removed I could have put up a new page about Whitney Houston and tried to earn some AdSense revenue. But I was so fired up about the situation I just wanted to be done with it. Wouldn't it be nice if everyone could get a little extra traffic from being hacked? But I doubt most people would be so lucky.
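
The hidden post type trick described above is worth checking for on your own site, since nothing on the front page will give it away. The script below is an added example (my code, not the blog author's and not part of WordPress); it runs over constructed rows standing in for a `wp_posts` export and reports published posts whose `post_type` is neither a WordPress core type nor one you know your theme or plugins register, or that carry an unusual number of outbound links. The `wp_` table prefix, the `myblog.example` hostname, the link threshold and the sample rows are all assumptions.

```python
"""Look for injected SEO-spam posts in a WordPress database export.

Added example, not the blog author's or WordPress's own code.  The rows are
CONSTRUCTED sample data standing in for the result of (table prefix wp_ is an
assumption; check $table_prefix in wp-config.php):

    SELECT ID, post_type, post_status, post_title, post_content
    FROM wp_posts WHERE post_status = 'publish';
"""
import re
from urllib.parse import urlparse

# Post types WordPress core registers on its own.  Anything outside this set
# must come from a theme or plugin you can name.
CORE_POST_TYPES = {
    "post", "page", "attachment", "revision", "nav_menu_item", "custom_css",
    "customize_changeset", "oembed_cache", "user_request", "wp_block",
    "wp_template", "wp_template_part", "wp_global_styles", "wp_navigation",
}

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

SITE_HOST = "myblog.example"  # assumption: the blog's own hostname

# Constructed sample rows.  57 uses a post type nobody registered (the trick
# described in the post: it never shows on the front page); 58 is an ordinary
# post stuffed with outbound links.
SAMPLE_ROWS = [
    {"ID": 10, "post_type": "post", "post_title": "Spring garden tips",
     "post_content": '<p>See <a href="/about/">about</a> and '
                     '<a href="https://en.wikipedia.org/wiki/Compost">compost</a>.</p>'},
    {"ID": 11, "post_type": "page", "post_title": "About",
     "post_content": "<p>Hello.</p>"},
    {"ID": 12, "post_type": "product", "post_title": "T-shirt",
     "post_content": '<a href="https://myblog.example/shop/">shop</a>'},
    {"ID": 57, "post_type": "wp_hidden", "post_title": "weight loss secrets",
     "post_content": '<a href="http://example.com/">a</a> <a href="http://example.net/">b</a>'},
    {"ID": 58, "post_type": "post", "post_title": "Best deals",
     "post_content": " ".join(f'<a href="http://spam{i}.example/">x</a>' for i in range(6))},
]


def external_link_hosts(html, site_host):
    """Return the host of every href that points off-site (one entry per link)."""
    site_host = site_host.lower()
    hosts = []
    for url in HREF_RE.findall(html):
        host = (urlparse(url).hostname or "").lower()
        if not host:                       # relative link: stays on-site
            continue
        if host == site_host or host.endswith("." + site_host):
            continue
        hosts.append(host)
    return hosts


def find_suspicious_posts(rows, site_host, registered_types=(), max_external=3):
    """Return [(ID, [reasons])] for rows that look injected.

    registered_types: post types your own theme/plugins register (e.g. a
    shop plugin's "product"), so they are not reported as unknown.
    """
    allowed = CORE_POST_TYPES | set(registered_types)
    findings = []
    for row in rows:
        reasons = []
        if row["post_type"] not in allowed:
            reasons.append(f"unregistered post_type {row['post_type']!r}")
        hosts = external_link_hosts(row["post_content"], site_host)
        if len(hosts) >= max_external:
            reasons.append(f"{len(hosts)} outbound links to {sorted(set(hosts))}")
        if reasons:
            findings.append((row["ID"], reasons))
    return findings


if __name__ == "__main__":
    for post_id, reasons in find_suspicious_posts(SAMPLE_ROWS, SITE_HOST, {"product"}):
        print(post_id, "; ".join(reasons))
```

Run it against a real export and expect some noise: any post type you forget to list in `registered_types` will be reported, which is the point, because a type you cannot explain is exactly what the attacker here relied on. A hit on `post_type` is far stronger evidence than a link count alone, so treat the outbound-link reason as a prompt to read the post, not as proof.
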

So what are your options for WordPress security and protecting your blog?

I don’t plan to get caught with my pants down again.  I’ve taken steps to make sure all my blogs are secure and thought I would share what I’ve learned so you can tighten your own blog security.  Here are your three main options:

  1. Do it Yourself Blog Security: If you've got some technical chops and want to give it a shot yourself, here are a couple of good resources to secure your blog and keep it safe from hackers. Even if you decide to hire outside help, the three most important points everyone should still address are:
    1. Keep your WordPress version, theme files, and plugins up to date, and delete any theme or plugin you aren't actually using. An installed but inactive theme is still reachable on the server, and an outdated one is how my own blog got infected.
    2. Change your login from "admin" to something else. WordPress won't let you rename an existing login, so create a new administrator account, sign in as it, then delete "admin" and reassign its posts to the new account. This only removes the default guess (usernames still show up in author archives and the REST API), so the password is what really matters.
    3. Use a strong, unique password for each of your WordPress login, your hosting account, and your FTP client (use SFTP if your host offers it; plain FTP sends the password in the clear), and change them every few months or so.
  2. Hire freelance tech support: Look for tech support on any of the better freelance websites.  Search for “malware removal,” “Internet security,” or “website security.”
  3. Use a blog monitoring service like Sucuri. You can do free malware scans of your site anytime, or sign up for a service where they scan your site every few hours and do malware removal if the shit hits the fan (at a pretty reasonable price, I might add). And if you're trying to clean up an infected blog right now, you can pay for their cleanup services even if you're not already on a monitoring plan.
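
If you have shell access to your host, the three do-it-yourself points above can be scripted with WP-CLI rather than clicked through the dashboard. The script below is an added example (mine, not the blog author's and not shipped with WordPress or WP-CLI); it assumes WP-CLI is installed on the server, that `WP_PATH` points at the directory holding `wp-config.php`, and that you set `NEW_ADMIN` and `NEW_ADMIN_EMAIL` for the account that replaces "admin". Those variable names and the default path are assumptions.

```shell
#!/bin/sh
# Added example: harden a WordPress install with WP-CLI (https://wp-cli.org).
# Assumes WP-CLI is installed and WP_PATH is the site root with wp-config.php.
# Not the blog author's script.
set -eu

WP_PATH="${WP_PATH:-/var/www/html}"   # assumption: adjust to your install
NEW_ADMIN="${NEW_ADMIN:-siteowner}"    # assumption: any non-obvious login

# Random 32-character password (base64 of 24 random bytes).
gen_password() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 24
    else
        head -c 24 /dev/urandom | base64 | tr -d '\n'
    fi
}

wp_() { wp --path="$WP_PATH" "$@"; }

# 1. Core, plugins and themes up to date; core files checked against
#    the checksums WordPress publishes for that version.
update_everything() {
    wp_ core update
    wp_ core update-db
    wp_ plugin update --all
    wp_ theme update --all
    wp_ core verify-checksums
}

# 2. Retire the "admin" login: create a new administrator, move admin's
#    posts to it, then delete admin.  Attackers try "admin" first.
replace_admin_user() {
    if ! wp_ user get admin --field=ID >/dev/null 2>&1; then
        echo "no user named admin; nothing to do"
        return 0
    fi
    pw=$(gen_password)
    new_id=$(wp_ user create "$NEW_ADMIN" "${NEW_ADMIN_EMAIL:?set NEW_ADMIN_EMAIL}" \
        --role=administrator --user_pass="$pw" --porcelain)
    wp_ user delete admin --reassign="$new_id" --yes
    echo "created $NEW_ADMIN (id $new_id); put this in a password manager: $pw"
}

# 3. Rotate the password on every remaining administrator account.
rotate_admin_passwords() {
    for login in $(wp_ user list --role=administrator --field=user_login); do
        pw=$(gen_password)
        wp_ user update "$login" --user_pass="$pw"
        echo "$login: $pw"
    done
}

case "${1:-}" in
    --apply) update_everything; replace_admin_user; rotate_admin_passwords ;;
    *) echo "usage: WP_PATH=/path/to/site NEW_ADMIN_EMAIL=you@example.com $0 --apply" ;;
esac
```

The new passwords are printed to the terminal once, so run this over an SSH session you trust and move them straight into a password manager. WP-CLI only touches WordPress accounts; the hosting control panel and FTP/SFTP passwords still have to be changed where your host manages them.
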

UPDATE: I just had a WordPress blog hacked again this weekend (unfortunate how easily that can happen more than once). I signed up for Sucuri malware removal and was extremely pleased at how quickly they fixed my blog with no fuss. Within about two hours of sign-up (and sending them my FTP credentials), they had removed all traces of malware and sent me an audit log of everything they had removed and changed. Consider me a big fan!