I recently had one of my servers hacked. These hackers were actually even more sinister than most as they installed several “Phishing Sites” on MY SERVER!
If you’re not familiar with phishing, it is a way scammers attempt to get people’s information such as usernames, passwords, and credit card details by putting up fake login pages that impersonate a bank or other trusted institution. A hacked server is a convenient place to host those pages, because the pages sit on a legitimate site’s hosting rather than on infrastructure that can be traced back to the scammer.
I’m not sure how long these phishing sites were hosted on my server, but it was for at least a few days before I received a notice from Google telling me that my sites had been removed from the Google search engine for hosting phishing pages.
It turns out that the hackers gained access to my server through WordPress.
This blog post is about how to secure your WordPress sites from hackers so hopefully you don’t have to go through what I’ve gone through over the last couple of days cleaning and securing my sites.
I’ve known (and practiced) the basics of WordPress Security for a long time.
Stuff such as:
- Always keep your WordPress install updated to the latest version (updates routinely include fixes for security flaws found in earlier versions).
- Don’t use unofficial/untrusted themes and plugins.
- Don’t share your login info (if you need to give someone access to your site, create a separate login for them and remove it when they no longer need access to your site).
I thought I was being pretty good about keeping my WordPress sites secure from hackers…
It turns out I missed a couple of things that allowed the hackers in to exploit my site.
Even though I always keep my ACTIVE WordPress sites up to date, the hackers gained access to my server through an outdated version of WordPress for a domain that wasn’t even active any more (I had even let the domain name expire).
It turns out that since the old/inactive domain was an add-on domain on my server and the files and database were still live on the server (even though the domain wasn’t active), the hackers were still able to exploit that outdated version of WordPress and gain access to my server. Letting the domain name expire changed nothing: the vulnerable code was still on disk and still reachable, and once inside that one install the attackers had a foothold on the same server as all my other sites.
It was a lesson learned the hard way and a mistake that you’ll hopefully avoid!
Here are the things I did (in addition to the basics above) to better secure my WordPress sites and to minimize the chance of something like this happening again:
- Completely remove old WordPress sites from your server if they’re no longer active. Don’t just let the domain name expire: remove the add-on domain from your hosting control panel and completely delete all of the WordPress files PLUS the database from your server.
- If the login info for any of your WordPress sites is still “admin”, change it to something else that the hackers can’t guess. For WordPress installs done in the past via automatic methods in cPanel like “Fantastico”, the default login username used to be “admin”. It is no longer the default, but if you installed your site in the past your login name may still be “admin”. Of my 50+ WordPress installs, about 10 had “admin” as the username. If your login name is “admin” you should change it to something more secure. The problem is, the WordPress admin screens don’t let you change a username once it’s set, so what you have to do is a) add a new user and set their role to “Administrator”, then b) log in as that new user, delete the user “admin”, and when prompted assign all of its posts and comments to your new user. You will then log in to your WordPress admin area using the NEW USER’S login info.
- Just to be extra cautious I also changed my password for cPanel and ALL of my WordPress sites. It’s a good idea to change your passwords on a regular basis.
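The first tip above is only as good as your inventory: the install that got me was one I had forgotten existed. The script below is an added example (not part of the original post) that walks a web root, finds every directory containing `wp-includes/version.php`, reads the core version from that file and the database name from `wp-config.php` next to it, and reports any install that is either behind the release you tell it is current or not on your list of sites you still run. It assumes a cPanel-style layout where each site (including add-on domains) lives in its own directory under one home directory; the sample tree it builds in a temp directory is constructed for the demonstration, and the “latest version” string is whatever you look up yourself at wordpress.org when you run it.

```python
import os
import re
import tempfile
from pathlib import Path

# Version string as written in wp-includes/version.php:  $wp_version = '6.5.2';
VERSION_RE = re.compile(r"^\$wp_version\s*=\s*'([^']+)'", re.MULTILINE)
# Database name as written in wp-config.php:  define('DB_NAME', 'acct_wp123');
DB_NAME_RE = re.compile(r"""define\(\s*['"]DB_NAME['"]\s*,\s*['"]([^'"]+)['"]\s*\)""")


def version_tuple(version):
    """'6.5.2' -> (6, 5, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def find_wordpress_installs(root):
    """Yield (relative_path, wp_version, db_name) for every install under root.

    A directory counts as a WordPress install when it holds wp-includes/version.php.
    The database name is read from wp-config.php beside it ('unknown' if absent),
    because that is the database you must drop when you delete the site.
    """
    root = Path(root)
    for dirpath, dirnames, _ in os.walk(root):
        site = Path(dirpath)
        # Don't descend into WordPress's own core directories; nothing lives there.
        dirnames[:] = [d for d in dirnames if d not in ("wp-includes", "wp-admin")]
        version_file = site / "wp-includes" / "version.php"
        if not version_file.is_file():
            continue
        match = VERSION_RE.search(version_file.read_text(errors="replace"))
        version = match.group(1) if match else "unknown"
        db_name = "unknown"
        config = site / "wp-config.php"
        if config.is_file():
            m = DB_NAME_RE.search(config.read_text(errors="replace"))
            if m:
                db_name = m.group(1)
        yield site.relative_to(root).as_posix(), version, db_name


def audit(root, latest_version, active_sites):
    """Return findings as (relative_path, version, db_name, reasons).

    latest_version: the current WordPress release, checked by you beforehand.
    active_sites:   relative paths of the installs you still use; anything
                    else is a forgotten install whose files AND database should go.
    """
    findings = []
    for rel, version, db_name in find_wordpress_installs(root):
        reasons = []
        if version == "unknown" or version_tuple(version) < version_tuple(latest_version):
            reasons.append(f"outdated core {version}, latest is {latest_version}")
        if rel not in active_sites:
            reasons.append(f"not an active site: delete files and drop database '{db_name}'")
        if reasons:
            findings.append((rel, version, db_name, reasons))
    return findings


def build_sample_tree():
    """Constructed sample home directory (not real data): a current main site,
    a current blog, and a forgotten add-on domain still running an old core."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    sample = {
        "public_html": ("6.5.2", "acct_main"),
        "public_html/blog": ("6.5.2", "acct_blog"),
        "public_html/old-expired-domain.example": ("3.0.1", "acct_old"),
    }
    for rel, (version, db_name) in sample.items():
        site = root / rel
        (site / "wp-includes").mkdir(parents=True)
        (site / "wp-includes" / "version.php").write_text(f"<?php\n$wp_version = '{version}';\n")
        (site / "wp-config.php").write_text(f"<?php\ndefine('DB_NAME', '{db_name}');\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    active = {"public_html", "public_html/blog"}  # the sites you actually still run
    for rel, version, db_name, reasons in audit(root, "6.5.2", active):
        print(f"{rel} (WordPress {version}, database {db_name})")
        for reason in reasons:
            print("  -", reason)
```

On a real server, point `audit()` at your cPanel home directory instead of the sample tree and list every site you recognise in `active_sites`; anything it reports that you don’t recognise is exactly the kind of leftover install that let the attackers in, and the database name in the report tells you which database to drop along with the files.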
Hopefully these tips on how to secure your WordPress sites from hackers will help prevent you from having your sites taken over by hackers like mine were!
Please leave a comment and let me know what you think!