How to Prevent and React to a WordPress Hack Attack

While no email account or blog can ever be 100% secure, it makes sense to prevent what you can by preparing for the worst. How secure is your WordPress blog? Staff have measures in place to protect against password guessing, or “brute force”, attacks, but what are your habits? It’s critical to recognize that most hack attacks succeed only because the blogger in question did not prioritize security.

UPDATE: To add another layer of account security, WordPress.com has implemented two-step authentication: a second step in the log-in process, a one-time code that no one but you can access, so a stolen password alone is no longer enough to get in.

Breaking into computer systems with malicious intent is nothing new. Hack attacks have increased since post by email and post by voice were implemented. Those who have experienced an email account hack or a blog hack know how aggravating the aftermath is to deal with. One hack attack can destroy all the work you have done, and the time it takes to repair the blog, the damage, and your blog’s reputation will be costly too.

Sometimes a hack is immediately obvious and sometimes it’s not. A theme change, a post you did not publish, or a scrambled or empty blog is easily spotted. But if you don’t maintain and track your links, then links to illegal sites embedded in your images, links changed to send visitors to malware sites instead of the sites you linked to, or even comments that appear to have been made by you but weren’t may not be spotted immediately.

Prepare for hack attacks

1. Computer security software

Make sure your computer security software, including security patches and firewalls, is up to date. Configure software for automatic updates and be sure it’s always running. For laptops, use disk encryption software, so a lost or stolen machine does not hand over your files and saved log-ins. Protect your home or work network by setting a strong password on it, and create a unique user account for each person so everyone has to provide his or her own username and password before accessing the network. Secure your wireless home network: set a network security key (use WPA2, not the older WEP), restrict access in the router’s advanced settings, and turn on firewall protection. Use a router to connect your network to the internet, and change the default SSID and the router’s default administrator password as soon as you configure it.

2. Admin access limitations

Be the only Administrator on your blog. If you keep a second Administrator account for yourself as a fallback, make sure the username and password of each of your accounts are unique. Restrict everyone else to the minimal level of access their work requires by assigning the appropriate role (Editor, Author or Contributor); only an Administrator can change themes, settings and other users, so every extra Administrator is another account whose compromise hands over the whole blog.

3. Backup your content
There are several means available that you can use to back up your WordPress.com blog content.

The Safe Bet – Use an Offline Blog Editor
Raincoatster’s copy-and-paste workaround

  • Highlight all of the post (Control A on Windows) and copy it to the clipboard (Control C) and, while everything is still highlighted, click “Publish”.
  • Even if you lose the post, you’ll still have it on the clipboard and it’s the work of a moment to do another. (The clipboard only holds the most recent copy, and only until you copy something else, so this protects the post you are writing now, not your archive.)

Subscribe to Your Blog’s RSS Feeds
Periodically Export Backup Copies (Tools -> Export produces an XML file holding your posts, pages, comments and settings; images are referenced by URL but not included, so keep copies of your media separately)
Subscribe to your RSS Feed and back up using Feedburner and Gmail
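
Two of the points above, checking an export and spotting changed links, can be done with the same short script. The following is an added example, not code from this post or from WordPress.com: it reads a WordPress export (WXR) file offline, counts what it holds, lists the media URLs the file references but does not contain, and flags outbound links to domains you did not expect, which is how the silently replaced links described earlier show up in a backup. The WXR sample and the allowed-domain list are constructed for this example; the namespace URIs are those the WordPress 1.2 export format declares.

```python
"""Added example (not from the original post): audit a WordPress export (WXR)
file offline. The sample document below is constructed for this example and
the allowed-domain list is an assumption; adjust it to your own blog."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces declared by the WordPress 1.2 export format.
NS = {
    "wp": "http://wordpress.org/export/1.2/",
    "content": "http://purl.org/rss/1.0/modules/content/",
}
HREF_RE = re.compile(r"""<a\s[^>]*href=["']([^"']+)["']""", re.IGNORECASE)
IMG_RE = re.compile(r"""<img\s[^>]*src=["']([^"']+)["']""", re.IGNORECASE)

# Constructed sample: one post, one page with a link to an unexpected domain, one attachment.
SAMPLE_WXR = """<rss version="2.0" xmlns:wp="http://wordpress.org/export/1.2/"
     xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
<title>Example Blog</title>
<item>
  <title>Backing up your blog</title>
  <wp:post_type>post</wp:post_type>
  <wp:status>publish</wp:status>
  <content:encoded><![CDATA[<p>See <a href="https://en.support.wordpress.com/export/">the export guide</a>.</p>
<img src="https://example.files.wordpress.com/2013/01/backup.png" alt="">]]></content:encoded>
</item>
<item>
  <title>About</title>
  <wp:post_type>page</wp:post_type>
  <wp:status>publish</wp:status>
  <content:encoded><![CDATA[<p>Contact me <a href="http://unexpected-site.example.net/?ref=blog">here</a>.</p>]]></content:encoded>
</item>
<item>
  <title>backup.png</title>
  <wp:post_type>attachment</wp:post_type>
  <wp:status>inherit</wp:status>
  <wp:attachment_url>https://example.files.wordpress.com/2013/01/backup.png</wp:attachment_url>
</item>
</channel>
</rss>
"""


def audit_export(wxr_xml: str, allowed_domains):
    """Return item counts, media URLs that must be fetched separately, and
    (title, href) pairs for links whose host is outside the allowed domains."""
    root = ET.fromstring(wxr_xml)
    allowed = {d.lower() for d in allowed_domains}
    report = {"posts": 0, "pages": 0, "attachments": 0,
              "media_urls": set(), "suspicious_links": []}
    for item in root.iter("item"):
        kind = item.findtext("wp:post_type", default="", namespaces=NS)
        title = item.findtext("title", default="")
        if kind == "attachment":
            # The export records where the file lives; it does not embed the bytes.
            report["attachments"] += 1
            url = item.findtext("wp:attachment_url", default="", namespaces=NS)
            if url:
                report["media_urls"].add(url)
            continue
        if kind == "post":
            report["posts"] += 1
        elif kind == "page":
            report["pages"] += 1
        body = item.findtext("content:encoded", default="", namespaces=NS)
        report["media_urls"].update(IMG_RE.findall(body))
        for href in HREF_RE.findall(body):
            host = (urlparse(href).hostname or "").lower()
            # Allow a domain and its subdomains (en.support.wordpress.com under wordpress.com).
            if host and not any(host == d or host.endswith("." + d) for d in allowed):
                report["suspicious_links"].append((title, href))
    return report


if __name__ == "__main__":
    result = audit_export(SAMPLE_WXR, allowed_domains=["wordpress.com", "example.com"])
    print(f"{result['posts']} posts, {result['pages']} pages, {result['attachments']} attachments")
    print("media to download separately:", sorted(result["media_urls"]))
    print("links to unexpected domains:", result["suspicious_links"])
```

Run it against each new export and compare the list of unexpected domains with the previous run; a domain you have never linked to appearing in an old post is exactly the quiet kind of tampering that a glance at the blog does not reveal.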

4. Strong passwords
A strong password is one of the first lines of defense against hacker attacks. Length counts as much as character variety: use a long password or passphrase that mixes letters, numbers and symbols, and make sure it cannot be associated with you in any way, e.g. it doesn’t contain your name, address, or date of birth. Use a password manager, review your e-mail and blog accounts, and set a unique strong password for every one of them. Do not share your passwords or PINs with others. Never reuse a password across accounts: if the same password is used in several places, one breached site exposes all of them.

“Add a phony email address to your list of contacts [in your email account]: aaaa@aaaa.com. This email address will likely be the first contact alphabetically in your address book, so will be the first recipient of a spam email from a hacker. You will receive a mail failure notice immediately that the email wasn’t delivered. This is also a quick way of checking to see whether changing your password on your email account was effective.”  –What To Do If Your Email Has Been Hacked

5. Secure connections
Avoid logging into important accounts or providing personal details over an unsecured Wi-Fi network. Security on most home Wi-Fi networks was nearly non-existent only a few years ago. Today, wireless “hotspots” in public places like internet cafes, restaurants, airports and hotels reduce their security settings so it is easier for people to connect, which also lets anyone on the same network read traffic that is not encrypted. Hackers increasingly target those open Wi-Fi connections to steal data, including the log-in cookies of sites you visit without SSL.

6. Secure Log-in and Log-out
Use an SSL (https://) connection for the log-in and administration pages, so your password and session cookie are encrypted in transit.
Always “log out” to terminate your session when you are done, so the cookie left on that computer can no longer be used.

“If you are not logging out of every account each time you use it, you are putting yourself at risk, gambling your online reputation, money, and more. This is because leaving yourself logged in to a social network, bank account, or anything that requires a username/password leaves your account vulnerable to infiltration by hackers. Basically, not logging out is the equivalent of leaving your car unlocked or your wallet unattended in public.” — Why You Should Always Log Out of Your Accounts

If you do use another computer, never tick “Remember me” at log-in, and delete your “Temporary Internet Files” or “Cache” and clear your “History” after you log out of your account.

Do you know how to react to a hack attack?

Blog notifications for the admin (like comment moderation, Likes, new subscriptions, etc) are sent to the email address at Settings -> General in the Dashboard.
Personal notifications (like comments on your post, subscription emails, and upgrade renewals) are sent to the email address at Users -> Personal Settings in the Dashboard.

In your account settings, enter a mobile number for recovery purposes, and keep the notification email addresses above current: if a hacker changes them, you lose both the warnings and the recovery path.

Keep your blog and email accounts safe and back up your content, so you don’t log in one day to find your blog publishing content laden with viruses, malware or obscene material, or that your original content has been turned into word salad or deleted.

69 thoughts on “How to Prevent and React to a WordPress Hack Attack”

  1. Thanks for your tips; I already follow most of them myself. I don’t give people permission to enter my admin area, and I don’t have a Pinterest account!

  2. Hi TT, I am fairly new to blogging. I perused your site, but I couldn’t find how to add a plug-in feature to my dashboard. Could you explain this. Thank you

    • Hi Geri,
      Thanks for the appropriate recognition when promoting my post. I’m so happy you found enough value in it to share with others.

      I answer a lot of support forum questions and there’s definitely a need for WordPress users to wake up and protect their blogs from hackers. Bad habits create security holes. It’s only a matter of time before bloggers who aren’t security conscious will end up with a hacked blog.

  3. I have to admit, my head is swirling (too much input all at once) but I know how important this is to act on it. Thank you for sharing all of this…may I reblog this article? Lately, several bloggers have mentioned trying to back up their site so thought a reblog may help many others.

  4. Pingback: Online Security Threat Predictions for 2013 | one cool site

  5. Pingback: Moving Your Blog from WordPress.Com to WordPress.Org: Resources and Tips | one cool site

  6. I thought I could backup simply by copying the text of my posts to some text editor app but I guess that can be unwieldy if the blog gets big or if I make random edits in random posts and try to remember which ones to back up or resign to copy-and-paste everything all over again and again so using the export or mirror function would seem much more prudent.

    Dunno why I keep on thinking if you do things earnestly that hackers will just see that and let me be (imagining they’re these noble creatures who just wanna make things difficult for the rich and mighty)…

    • At one point I did use Windows Live Writer and it was good to use as it created a backup of every post and page on my own computer. Now I choose to create backup XML export files instead.

  7. Hello TT! I’m working on my new post about hacking. Can I quote a few sentences from this post giving you backlink? Umm less than 100 words?

    • Hello Hamza,
      Yes you can quote me. Here’s what my copyright policy states:
      “A brief excerpt of content that does not exceed 128 words or 512 characters may be quoted as long as a link is provided back to the source page on this blog and authorship is properly attributed.” http://onecoolsitebloggingtips.com/copyright/

      I just read an interesting related article.

      “Most of those who have seen an increase, 71%, say that mobile devices are a contributing factor to the increase in the number of security incidents faced by their organizations. … Participants were asked which of the most common mobile platforms they viewed as being the greatest security risk. Among the IT professionals in this study, Android was named as the greatest risk (43%). And, BlackBerry was the operating system that was perceived as having a lower potential for problems than other mobile platforms with only 22% ranking it as the platform with the greatest security risk.”

      THE IMPACT OF MOBILE DEVICES ON INFORMATION SECURITY: A SURVEY OF IT PROFESSIONALS http://www.checkpoint.com/downloads/products/check-point-mobile-security-survey-report.pdf

  8. A few days ago, I had a same password for more than 20 places (Facebook, google wordpress, twitter etc) ( Headache really to remember 20 different ones). But I have changed and chosen a unique one for everything after going through this post. But I fear I will forget those passwords very soon because I don’t open all those within a short period. Have you any idea about it too?
    I have very tough passwords for everything though.
    And I also have done this trick,

    “Add a phony email address to your list of contacts [in your email account]: aaaa@aaaa.com. This email address will likely be the first contact alphabetically in your address book, so will be the first recipient of a spam email from a hacker. You will receive a mail failure notice immediately that the email wasn’t delivered. This is also a quick way of checking to see whether changing your password on your email account was effective.”

    And also added more security and seal to my email address.
    Thank you so much Timethief for sharing this.

    • I’m a paranoid b—–d, so password managers seem to me like a big “HACK HERE” sign. Plus, as you say, you are having to trust the password manager vendor . . . and all their programmers (can anyone say “back door”?).

      My own approach is based on something different . . . passwords are strong not by complexity, but length. With that in mind, my passwords have common components with a unique identifier for each site.

      For example (and no, I am not using these):
      WordPress ==>> MElikesecurityPRESS&5711
      Google ===>> MElikesecurityGOOGLE&5711
      FaceBook ===>> MElikesecurityBOOK&5711

      All of those are both easy to remember and hard to crack. You can easily make them longer by adding space between the words. I use these password checkers to confirm strength:
      http://www.passwordmeter.com/
      http://howsecureismypassword.net/

      Another system: http://xkcd.com/936/

      One of the advantages of this method is the ability to login from multiple computers/phones/etc without having password managers, and when changing passwords you can change the phrase. By the way, I mix languages in my phrase

      One note . . . don’t let applications remember your passwords; even encrypted passwords stored on a PC can be hacked by generating random encrypted strings and comparing them to what is stored.

      Obviously it’s important to not let others know your password scheme.

      I have a suggestion for your e-mail: get GMail. It has a two-step login option. That means when you log on it will ask you for a six digit number code. The number code is sent to your phone when you try to log in, and is only valid for a short time and a couple of attempts.

      If you have a smart phone, there is a google app that generates a code every minute, so when you log-on to your g-mail you check your phone for the code.

      Frankly, I don’t see how this can be cracked as one would have to have both the password and access to your phone. I wish all places went to this method.

      • Wow! You really take this seriously and I’m not saying that in a critical way, quite the opposite. Thank you so much for taking the time to share this important information. Your suggestions on passwords, not letting applications remember your passwords and the g-mail ones are great contributions.

    • What I have is a list of all the names of the programs with the passwords in excel, saved on my desktop, with a password. The headers will read: Yahoo, User Name, Password, Questions asked, etc. My online banking has a list of random questions so I include them in this spreadsheet. It’s a pain to open it up and retrieve the passwords, but I’ve done it this way for many years. Just don’t lose the password to the excel file and close it each time you’re not using it. I don’t share a computer with anyone at home either. This may or may not work for you, just wanted to share my idea.

      • I have a passwords file on 3 different computers, just in case. I also have 3″ x 5″ index cards for each of my accounts too. lol :)

  9. Pingback: Illuminating Blogger Award | Writer's Block Busters

  10. Hi Timethief,

    This is a really comprehensive post. The tips you mentioned are really useful.

    I follow all the security practices but there were some newer tips here for me like adding a phony email address.

    Great post, retweeted i

    • Hi Ishan,
      It’s been such a long time since we connected. Thank you for retweeting my post and letting me know there were tips in it that were new to you. I hope you are well and happy too.

  11. I have bookmarked this post into my “Blog folders.” You’re absolutely right, the amount of time we spend on our blogs (for me, more time than I should … need to get a life outside of WordPress …lol). would be a huge catastrophe if we were to lose everything.

    Thanks again for a very important and informative post :)

  12. There is so much helpful information in this post….I’m wondering if you might be willing to create a very very basic “guide” to backing up our blogs…(and security too)….for people who might not have much tech expertise, or who practically “freeze up/panic/brain freeze” with the thought of losing our blog content… the very most basic and simple ideas…. well, I printed out my entire blogs a few months ago from…do you suppose that’s the most basic? : ) …. but I haven’t done that in a few months….any suggestions or perhaps older posts? Is it possible to save the whole thing on a portable drive? thanks ps…I love your new look…beautiful and soothing…perfect images for “panic-y” types of people…me… reading about hacking and blog loss : )

  13. Thank you for an informative post. Now my hair is standing on end :) Going to back up my blog today. Love your new look. If it’s not that new, sorry, sometimes I don’t notice things right away.

  14. Thank you, as always, TimeThief, actions taken. Question: If we log out every time we are through with the admin function… what happens to my visits to the blog on our stats? I know that “normally” the admin themselves is NOT counted in stats – I assumed that was because I remained logged in. So if I am not logged in… will my visits get counted? Or is that count / not count based on something else like IP address? Thanks!

    • All sites are hackable. Those that are vulnerable to hacking have bloggers who are not cautious. After all the hard work we do on our blogs it makes sense to protect them from being hacked and I hope my post reaches those who need to change their habits.

    • Hi there,
      I hope you are doing well with your blog and will be cautious so you never experience a hack attack. You’re welcome.

  15. Hmm . . . I exported, and it exports to an .XML file. I’m no expert, but it’s about 11MB.

    I would guess my content would be more than that just based on the embedded photos, and in looking at the file, it has words and tags, and settings, but without the pictures I would be hard-pressed to “recreate the blog”.

    I already have most, if not all, the writing. The work would be arranging it all into my usual narratives.

    I’m not sure how to back up using Gmail or Feedburner, but I’ll check it out.

    One place that seems to have all my stuff (viewable, hence I presume it can be saved) is the Wayback Machine.

    That could, and appears to be, a backup of all my work. I only took a cursory look, but it seems all there (except for the very latest stuff).

    • Some bloggers have the idea that a backup XML file is like a Microsoft WORD file. An XML file is for blog software only. If you do not open the XML file in a plain text editor then you will corrupt it and it will be useless to you. You don’t see the images because they are not fetched until you import the XML file into a blog when you can specify that you do want to include the “attachments”.

    • Hi there,
      Please act on what I have published. I don’t want to sound like an alarmist but I spend hours answering questions on the WordPress.com support forums. There are people whose blogs have been recently hacked and it was because they failed to prioritize security.

  16. Hi timethief, very interesting post. I thought that automattic backed up all blogs so in case of problems they should restore the blog at some point. But now I’ll think to back up the entire blog with the export method, I’ll give it a try during the week if it’s not too much time consuming. Thanks

    • Almost everything I published does apply to all blogs and bloggers but this post is specifically aimed at WordPress.com bloggers. There have been hack attacks this weekend. I’m pretty sure you know about the WordPress.org exploit scanner plugins you can use and the other WordPress.org security tips.

      • Well, I don’t use wordpress.org and a reason why I use wordpress.com is because they try to do the best for protecting from these problems. One thing is if the problem comes from me, another is if automattic system fails. I don’t know about the problems of this weekend and I don’t know the main reasons, I hope it’s not an automattic failure.

        • I used the word “you” I should have said “most” – sorry. What happened this weekend may have been caused by bloggers using the same passwords across multiple sites like Yahoo, LinkedIn, e-Harmony, LastFM, etc.

    • After a while I thought about finding another good solution to back up my content, and I’ve maybe found another nice one. I now back up everything to Evernote. I can save the whole article or even the full page, and so I can save the text, the images and their positions and even the links I used in that article (it doesn’t save the embedded video links). It’s easy and fast to do. My main concern was the images because I use a lot of them and I think this is an interesting solution to take into consideration.

      • Hi David,
        Using Evernote as a backup is a great idea. The fact that images can be backed-up using it was something that escaped my attention as I thought of it only as a note-taking system. But now you have opened my eyes to another use for it. Thanks for sharing that here.

Comments are closed.