Why Its Crucial To Update WordPress Scripts and Secure Your Site

WordPress Security UpdatesThe most common cause of hacked websites and malware injections for WordPress users is outdated scripts like plugins, themes and WordPress itself.

If you don’t update all your scripts and secure WordPress, you may find your site gets hacked and injected with malware or malicious code of some sort.

If a hacker can gain access through one outdated script on one site they can access all your sites and databases on that server.

This is how you will normally find out:

WordPress security malware warning

What happens is a hacker can access vunerable scripts which have known security issues before you update the plugin or theme.

They can then inject malware and you could accidently download a trojan or other malicious file  to your local computer if you or a site visitor clicks a link on the infected site.

Another way they hack in to your site is via an outdated script and gain access to your server and add malicious redirects in your .htaccess file so your site redirects to a site distributing malware. This will cause the Google bot to report back that your site is associated with malware.

I’ve recently found an old blog which i don’t use very often has been infected and i noticed the warning in Google Webmaster Tools. The most common entry point would have been an outdated script as i haven’t updated any plugins or themes on that site for several months.

Note: The warning only displayed when using a Google or Firefox browsers or when viewing Google’s search results pages. It didn’t display using Internet Explorer or in the Bing SERPS.

Contact Your Host

I contacted my host to find out what to do and this is their response:

Malware on your account that you did not put there is indicative that an attacker has found and exploited a vulnerability in a script on your account. The server has not been compromised, just your account on the server.

This happens due to non secure code or outdated installs of Php/MySQL based scripts such as WordPress.

How do i update my scripts without logging into my dashboard from the front end?

You’d just do that through the files and cPanel directly. If you don’t have the knowledge as to how to fix the code yourself, you could always contact a website security company

The best website security company I can recommend is http://wewatchyourwebsite.com

The programs that operate database-driven sites are vulnerable to hackers, who can (and do) exploit bugs in those programs to gain unauthorized access to your site. While our servers are exceptionally secure, your scripts may not be.

The best course of action is to always keep your scripts updated, your code clean, and your passwords secure. Here are some steps that can help you secure your site.

 There are only two ways that an account can get infected:

  •  You are running an insecure script on your account that is used to break in.
  •  Your computer is infected and they have hacked into your account through your own computer, or by grabbing your password.

Securing your scripts and securing your PC are both your responsibility.

What Actually Hapened

The hacker gained access to my server from an out of date plugin and this is the reply from my host:

It looks like your hosting account has been hacked. /home2/austrar2/public_html/da/.htaccess has malicious redirect code. You’ll want to review your files for additional malicious content. I’d also recommend this to you: .

Cannot Login To Hacked Site

You may find that you cannot login to your WordPress dashboard which was the case in my situation when using Google chrome.

You database will probably be infected with malware so the only way to fix your site is to restore backup which was taken before the hacking and malware was injected.

Fixing Hacked Site

Rather than spend time trying to fix all the .htaccess files, i simply deleted the entire public_folder and all databases from my server and restored the full backups.

I did actually find that all my .htaccess files on that server had redirects in them to a Russian site

The restoration was very easy because i always take full backup after adding new posts and store copies of them in multiple locations.

Some of the best locations to store full backup are:

  • Local computer
  • External hard drive or memory stick
  • Dropbox
  • Amazon s3

If you take full backup after every new blog post and copy it to multiple external storage locations, you have nothing to worry about.

Local Computer Security

Make sure you are using an anti virus if you store your full backup on your local computer. If you don’t have anti virus installed, here’s a link to a free download of Microsoft Security Essentials for Windows users.

Don’t Rely On Your Host For Backup or To Secure Your Server!

What happens if you don’t store full backup offsite?

Here’s a real life example of what happened to 4800 hacked websites lost with no chance of recovery!

Restoring WordPress Backup

I use the best backup & restore plugin for WordPress, backupbuddy, which has come in very handy for restoring backups and moving to a new server, host or domain as well.

Most hosts only provide nightly backups which could also be affected so they would be useless. Taking your own nightly backups and storing them away from your server in a secure location, is the best way to ensure you have full backups which don’t contain malware.

Preventing Hacking

Here is a security checklist that you can review which can greatly help secure your account sites:

1. Change the Admin Email on your account.
2. Change the Password on your account.
3. Change the Credit Card on file on your account.
4. Update and apply any patches, upgrades, or updates that the 3rd party vendor or web developer of your scripts may have available.
5. Fix any loose file permissions (this may be the most common exploit vulnerability)
6. Delete all non-system Ftp Accounts that were created, or at the very least, change the passwords to the FTP Accounts.
7. Remove any Access Hosts by clicking the “Remote Mysql” icon and clicking the Remove Red X by each entry if there are any entries.
8. Check your scripts for any Header Injection attacks, Sql Injection attacks, Cross-Site Scripting attacks, etc., as well as your php.ini file settings.
9. Check your home/work computers for any viruses, trojans, or keyloggers.

WordPress Security Plugins

There’s a few WordPress plugins which have been created to secure WordPress and prevent hackers gaining access to your files and databases.

Conclusion

I have already reported on Bitly and how they blacklist legitimate links before they even test them so be careful using a link shortener for tracking.

If you have links in your comments or anywhere on your site and the linked site distributes malware or has been reported, you can get blacklisted by Google & Firefox as well.

I never thought this would happen to me but it can happen to anybody and finding the malware could be a nightmare which you would have to do if you don’t have full backup stored locally which is unaffected.

Never Miss a Tip from WP Sites

Get my latest web design tutorials, elegant coding solutions & useful tips.

5 Reasons Mad Mimi Works Better

mad-mimi
  1. Sends From Your Email Address - More personal & higher open rate
  2. Cheapest - $42 for list of 10,000 emails, unlimited sends
  3. Ease of Use - The easiest system to create & setup campaigns
  4. RSS to E-Mail - Auto send list of latest posts
  5. Auto Send Any Number of Days - enables you to offer multiple newsletters at different frequencies.

Click here to create a free account.

Comments

  1. Sunday@skincare says

    Sir I read ur post and I need help.
    I install Better wp security plugin.
    My visitor have been complaining that they can not read my post,
    There are lways error maessage.

    I want to change it bc I too experience such.
    I installed better wp security plugin, wp fire wall plugin and some others.

    Pls advise me .

    • Brad Dalton says

      Your site looks fine to me but if its still a problem, simply login to cPanel or FTP and delete the plugins causing errors.

      You may have installed too many plugins which conflict with each other.

    • Brad Dalton says

      Your site looks fine to me but if its still a problem, simply login to cPanel or FTP and delete the plugins causing errors.

      You may have installed too many plugins which conflict with each other.

  2. Philos says

    Thanks for the list of plugins Dalton. I use some of them but I got to check the others. I really know how ‘frustrating’ to have ones site’s taken over by a hacker. Had one of my sites hacked a while a go and I learnt a lot.

    • says

      Hi Philos

      I’m writing a tutorial on how to setup BulletProof Security which protects your.htaccess files from malware like redirects. The Secure WordPress plugin basically monitors your site for malware and displays a list of alerts starting at critical which you can delete from your server to make it more secure.

  3. Paul B. Taubman, II says

    Anytime you have any work performed on your WP site, you should ALWAYS check the users that are on your site. Make sure that a temporary account was not added and just ‘left’ there. While the developer may have had good intentions, if the password was not strong, you could be open for hacking as well!

    It is my personal opinion that many people give out their user ID and password as if it meant nothing.

    Thanks, Brad, for a great post!

    Paul.

  4. Okto says

    Wow … what a great technical post about wordpress. You have precious experiences and excellent skills.

    Glad I am one of your subscribers

Leave a Reply

Your feedback is always appreciated.

Your feedback is always welcome & appreciated however WP Sites does not reply to anonymous comment authors or approve loaded questions. Members get answers to unlimited questions.