Spread the love


I’ve had a few major break-ins on my WordPress blogs. Since none of them are particularly profitable it was more of a hassle than a life altering event. But I’ve learned a lot about the issues. In this post I’m going to give you my two top security plugins and help you set up a few traps that will keep you spammers and hackers at bay for a long time.

WordPress patches the application all the time. Always keep your WordPress install up-to-date. BUT, some plugins behave erratically when they are upgraded. I’ve had an issue with my Post Index plugin. When I upgraded on one of my sites, I no longer had the pretty post index I had come to expect. And it was easier to upgrade than to roll back. You can do it, but it’s a pain. So pay attention before updating all your plugins. I’ve yet to have an issue with updating WordPress, but I’m sure it has caused problems for some folks.

But the biggest break I had occurred about three years ago. Someone got root access at my server and posted a single repetitive graphic (the electronic equivalent of graffiti) that replaced all the graphics on my site. This was a disaster from a user experience. All of my charts and graphs were now a smiling devil’s face. There was no benefit to the hacker, except for knowing he brought my insecure WordPress site to its knees. The clean up took a lot longer. But it was doable.

Here’s what you have to do if your WordPress instance has been hacked.

  1. Change your password immediately to something stronger.
  2. Install some security plugins. I use BPS – Bullet Proof Security.

There’s another step you must take, but let’s get to that a bit later.

Immediately changing your password will let you know if your hacker has installed at the root level or if they simply hacked an account or a password. In my case they had gotten to my wp-admin page and installed some malicious code into my setup.php script. I didn’t discover this until later. But when the same hack occurred a few months later on a different blog, I was able to troubleshoot the problem down to the setup.php file.

BPS – Bulletproof Security did a great job of shutting out the perps, for a bit. But the problem was the code was already injected into my php files. So while the ugly faces were replaces on my site, and everything looked normal it was not fixed. Simply opening the php config files from within WordPress was not enough either. The hacker had written the code in such a way that it was invisible to the WordPress Edit tool.

I found the malicious code in two steps. 1. Even though I had secured my site Google reported a phishing attack was happening on my blog. They were going to list me as UNSAFE. This spells disaster for any blog, so I got serious about my hunt for the bad code. 2. I downloaded the config file from the web and opened it in one of my better txt/code editors and there it was. What looked like spaghetti mash code was actually an encrypted redirect link. Once I cleaned the code out of my config files, I was able to reset with Google, and my site was never listed as UNSAFE. Whew.

Things went along for years without a hitch. Then about six months ago someone set a log-in hacker script to run every hour and try to guess my login password. With BPS I was able to see the attempt and set the shutdown on the site. The problem was, every time the hacker script ran it triggered a three-attempt lock out from BPS. And then I couldn’t login even with my valid admin address. I had to wait an hour and hope my login attempt beat the script’s preset timer.

Again, this wasn’t too bad. The BPS plugin was doing a fine job of denying the hackers access to my site, but I was unable to edit or post during a lockout. The biggest pain in the ass, was when the script expanded out and began attacking 4 of my blogs every hour. And I would get an email from BPS that a login attempt had been blocked. My inbox was flooded with 4 emails ever hour about the intrusion attempt.

While it was very unlikely that a 3-and-out password guessing program was going to gain access, but the lockouts were preventing me from writing and managing my blogs. So I went in search of the next solution. I found one.

Today, all of my blogs are protected by BPS and a newer plugin called iThemes Security. And what iThemes allowed me to do was shutdown the default WordPress login page. So now when these hacker scripts try to login the page they were using no longer exists. And the new page has a creative URL they will never guess. My inbox is quiet again, and I can actually do some work, rather than waiting for the lockout to expire.

If you need further help with your WordPress install let me know. I’ve been through a lot. I have several other plugins running, but for the purposes of this post, and for most of you, these two plugins will keep things humming until the hackers design a new script.

For now, practice safe hex and keep your WordPress instance up-to-date. Good luck.

The Plugins I use for WordPress Security:

John McElhenney

@jmacofearth (also seen on Google+: jmacofearth)

Other posts of interest:

Sharing is nice for everyone.