Here, from the voice of experience, is some advice for protecting your WordPress blog from hacking, or recovering quickly in case it happens to you:
- Take upgrades seriously — Check this list, and if your WordPress version is one of these with known vulnerabilities, or if you are using anything lower than the latest version, upgrade immediately. Not sure which version of WordPress you are using? Log in to your WordPress admin panel dashboard. Scroll down to the bottom of the page. You will see the version listed there. Remember, you can always find the latest version of WordPress software here. If you do your own tech work, download it yourself. Or contact your webmaster.
- Carefully research any plugins before you download them – See if there are any reported vulnerabilities. Plugins are sometimes the entry point hackers exploit. Go here to see known plugin vulnerabilities.
- Do not allow self-registration for new users – Self-registration gives hackers a way in. Once in, they can exploit certain versions of WordPress and gain control of parts of your site. Go into your WordPress admin dashboard; click the “Options” tab and then on the “General” sub-tab. Make sure the box stating “anyone can register” is unchecked.
- Change all your passwords — This is just a good thing to do periodically. And it’s a must if you’ve been hacked (you never know — your hacker may now have your passwords).
- Check your site to see if it’s already compromised — I discovered that a friend’s blog had been compromised without her being aware of it! You want to check for hidden links. In your browser, click on the “View” menu, and then choose “Source.” This will open up a little window where you can easily see your page’s code. Look for links to sites you do not recognize. They may appear near the style rule “display:none” or the word “hidden.” Both mean what they suggest: the links are being hidden from casual view. Maybe there’s a legitimate use for such markup in your site — but then again, it may be the work of hackers. Even better, use this tool to view your site as the Googlebot sees it, including hidden links.
- Check your site’s outbound links – Another tool to check your site is the Outbound Links Report from Vertical Leap. This free report will show you links emanating from your site that may have been hidden by hackers in directories you normally do not see. This report will help you identify if part of your site has been hijacked without your knowledge.
- Do not download templates from unofficial sites — Some vulnerabilities have been linked to free design themes downloaded from disreputable sites. Once your site is infected, the malicious code will keep re-creating spammy links even after you delete them. Unless you know how to scour a theme file to spot added “surprises,” stick to downloading design templates only from the official WordPress theme site.
- Get qualified help immediately — I’d like to think that intelligent business people could recover on their own from a hacking. However, I could not have cleaned up all the hackers’ gunk and recovered without the help of my webmaster and hosting company. These hackers are crafty. It took more technical expertise than I have to fix the sneaky damage. In fact, my webmaster Tim has set up a service called Fix WordPress just to help those whose WordPress installations have been hacked. (In every dark cloud, there’s an entrepreneurial opportunity.)
- Forewarned is forearmed. Educate yourself — Read up about hacking activity. Better yet, think like a hacker. Even if you have a technical staff to handle the details, you can save time, money and worry by being a proactive site owner or user. The more knowledge you have, the better able you will be to (1) spot suspicious activity or (2) avoid behaviors that leave you wide open.
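The hidden-link check from the “Check your site” item above can be automated rather than done by eye. The script below is an added example (not code from the original post): it walks a page’s HTML and reports every link that sits inside an element hidden with `display:none`, `visibility:hidden`, or the HTML `hidden` attribute. The sample page and the spam domains in it are constructed for the example.

```python
"""Find links hidden from casual view in a page's HTML (added example)."""
from html.parser import HTMLParser

HIDING_CSS = ("display:none", "visibility:hidden")


def _is_hidden(attrs):
    """True if this tag's own attributes hide it (inline style or hidden attr)."""
    for name, value in attrs:
        if name == "hidden":
            return True
        if name == "style" and value:
            style = value.replace(" ", "").lower()
            if any(rule in style for rule in HIDING_CSS):
                return True
    return False


class HiddenLinkFinder(HTMLParser):
    """Tracks open elements; reports <a href> nested under any hidden ancestor."""
    VOID = {"br", "img", "input", "meta", "link", "hr"}

    def __init__(self):
        super().__init__()
        self.stack = []          # (tag, hidden?) for each open element
        self.hidden_links = []

    def handle_starttag(self, tag, attrs):
        hidden = any(h for _, h in self.stack) or _is_hidden(attrs)
        if tag == "a" and hidden:
            href = dict(attrs).get("href")
            if href:
                self.hidden_links.append(href)
        if tag not in self.VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates sloppy markup.
        if any(t == tag for t, _ in self.stack):
            while self.stack.pop()[0] != tag:
                pass


def find_hidden_links(html):
    """Return the href of every link concealed by a hidden ancestor or itself."""
    parser = HiddenLinkFinder()
    parser.feed(html)
    return parser.hidden_links


# Constructed sample: one visible link, two links hidden in different ways.
SAMPLE = """
<html><body>
<p>Welcome to my blog. <a href="https://example.org/about">About</a></p>
<div style="display: none"><a href="http://spam.example/pills">cheap</a></div>
<span hidden><a href="http://spam.example/loans">loans</a></span>
</body></html>
"""

if __name__ == "__main__":
    for link in find_hidden_links(SAMPLE):
        print("hidden link:", link)
```

Run it against a saved copy of your own page source; any reported link you did not put there deserves a closer look.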
For more educational sources that are especially helpful, see:
Lorelle also has good advice for protecting your WordPress blog
White paper: Trends in Badware 2007
White paper: How to Create a Secure WordPress Install (PDF)
If you’d like to read my experience with a WordPress exploit, read:
Hacked: It Could Never Happen to My Site (Famous Last Words).