How To Take Care Of WordPress

October 12, 2009

A number of our WordPress sites got hacked recently. The same thing happened to Robert Scoble and Allen Stern – A-List bloggers. This has become a widespread problem and will inevitably get worse. Don’t worry, the latest version of WordPress fixes this problem – but the threat exists. As with other popular software and services – Windows and Twitter come to mind – that have enormous critical mass, WordPress has succumbed to being a target of hackers.

If you had visited this site recently (or our company website, tech blog, and internet business podcast site), you may have seen something like this…

[Image: WordPressGotHacked, the browser warning visitors saw on the hacked sites]

Some of you may see similar warnings now. This sucks.

Our sites are being “reconsidered” by the powers that be – which is a process we’ll cover in a separate blog post. We’ve taken many steps to ensure that this disturbance in our business is not felt again. We want to share this with you – so you too can avoid having your WordPress site compromised. This is business after all – and we need disaster plans.

Here is our plan for keeping our WordPress sites humming like a well-oiled Honda.

Keep WordPress Up To Date

This is huge – and also the reason we got hacked. You see, we were too busy to update our WordPress sites when WordPress 2.8.4 came out – which happened to include major security fixes. Lesson learned.

  1. Subscribe to this RSS feed to stay in the loop on new WordPress releases
  2. Subscribe to the email newsletter on this page
  3. When you are notified of a new release, upgrade immediately – it is easy

Had we been doing this previously we would have avoided this outcome. You see – we should have known and taken action when the founder of WordPress alerted both of the aforementioned lists that…

“A stitch in time saves nine. I couldn’t sew my way out of a bag, but it’s true advice for bloggers as well — a little bit of work on an upgrade now saves a lot of work fixing something later.”

Again, lesson learned.

UPDATE: WordPress 2.8.5 Released

Always Have A Backup

We had been backing up WordPress when it got hacked – but only the database, using WP-DB-Backup (an excellent plugin, but it only backs up the database). The problem is that this security vulnerability involved the filesystem: the files were targeted, not the database. Specifically, theme files were targeted, and malicious code was placed inside the footer.php file in every case we saw.

So we developed a WordPress Backup Plugin that met our needs. This plugin backs up both the WordPress database and files – including themes and uploads – to Amazon S3. This literally costs us pennies per month across a network of WordPress blogs. Our backups run daily and it’s a great relief knowing that if this happens again we can fix it immediately and don’t have to worry about storage.

While we charge for the plugin, there are many free alternatives. You can very easily back up WordPress manually to your hard drive, Dropbox, or Amazon S3. You could also use plugins like WP-DB-Backup in combination with another plugin like WordPress Backup to run automated WordPress backups.

It doesn’t matter how you back up your WordPress site – it just matters that you do it. So go do it. Now.

We’ll be here when you are done =)
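The two halves of a backup described above (database plus files) and the footer.php tampering mentioned at the start of this section are both easy to script. The following is an added example written for this post, not the WordPress Backup plugin or WordPress’s own code. It assumes a standard WordPress layout (wp-config.php at the site root, themes and uploads under wp-content), that mysqldump is on PATH if you run the database step for real, and a constructed sample site in a temp directory for the demo; the database credentials and the “tampered” footer.php content are constructed placeholders.

```python
"""Added example: WordPress file backup with an integrity manifest (not the post's plugin).

Assumes: wp-config.php at the site root, content under wp-content/, and
mysqldump on PATH when the database command is actually executed.
"""
import hashlib
import os
import re
import tarfile
import tempfile
from pathlib import Path

# Regenerated or transient directories under wp-content that are not worth keeping.
SKIP_DIRS = {"cache", "upgrade"}


def parse_wp_config(text: str) -> dict:
    """Pull DB_NAME/DB_USER/DB_PASSWORD/DB_HOST out of wp-config.php define() calls.

    Values containing quote characters are not handled by this simple regex.
    """
    pattern = re.compile(r"""define\(\s*['"](DB_\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
    return {key: value for key, value in pattern.findall(text)}


def mysqldump_command(cfg: dict, out_file: str) -> list:
    """Build the mysqldump argv for the database half of the backup.

    Returned as a list so the password never passes through a shell; run it with
    subprocess.run(cmd, check=True) when doing a real backup.
    """
    host = cfg.get("DB_HOST", "localhost")
    return ["mysqldump", "--single-transaction", f"--host={host}",
            f"--user={cfg['DB_USER']}", f"--password={cfg['DB_PASSWORD']}",
            f"--result-file={out_file}", cfg["DB_NAME"]]


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(site_root: Path) -> dict:
    """Map every file under wp-content (posix relative path -> sha256)."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(site_root / "wp-content"):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            p = Path(dirpath) / name
            manifest[p.relative_to(site_root).as_posix()] = sha256_of(p)
    return manifest


def backup_files(site_root: Path, archive: Path) -> dict:
    """Tar wp-content and wp-config.php into archive and return the manifest."""
    manifest = build_manifest(site_root)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(site_root / rel, arcname=rel)
        tar.add(site_root / "wp-config.php", arcname="wp-config.php")
    return manifest


def diff_manifest(site_root: Path, baseline: dict) -> dict:
    """Compare the live tree with a saved manifest.

    A modified themes/*/footer.php with no theme upgrade in between is exactly the
    symptom described in the post and should be restored from the archive.
    """
    current = build_manifest(site_root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def restore_file(archive: Path, site_root: Path, rel: str) -> None:
    """Put one file back from the archive (e.g. a tampered footer.php)."""
    # Use the safe extraction filter where this Python version provides it.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extract(tar.getmember(rel), path=site_root, **kwargs)


def demo() -> dict:
    """Constructed sample site: back up, simulate a changed footer.php, detect, restore."""
    tmp = Path(tempfile.mkdtemp(prefix="wpbackup-"))
    site = tmp / "site"
    theme = site / "wp-content" / "themes" / "default"
    theme.mkdir(parents=True)
    (site / "wp-content" / "uploads").mkdir()
    (site / "wp-config.php").write_text(
        "<?php\ndefine('DB_NAME', 'wp_demo');\ndefine('DB_USER', 'wp_user');\n"
        "define('DB_PASSWORD', 'constructed-password');\ndefine('DB_HOST', 'localhost');\n")
    (theme / "footer.php").write_text("<?php wp_footer(); ?>\n</body></html>\n")
    (theme / "style.css").write_text("/* Theme Name: Default */\n")
    (site / "wp-content" / "uploads" / "logo.png").write_bytes(b"\x89PNG constructed")
    archive = tmp / "wp-backup.tar.gz"
    baseline = backup_files(site, archive)
    # Simulate an unexpected edit to the theme footer (constructed placeholder text).
    with open(theme / "footer.php", "a") as f:
        f.write("<!-- constructed stand-in for an unexpected modification -->\n")
    report = diff_manifest(site, baseline)
    restore_file(archive, site, "wp-content/themes/default/footer.php")
    restored = diff_manifest(site, baseline)["modified"] == []
    return {"report": report, "restored": restored, "files_backed_up": len(baseline)}


if __name__ == "__main__":
    print(demo())
```

Run the manifest diff from cron alongside the nightly archive; an unexplained entry under wp-content/themes is the signal to restore from the last clean archive rather than to hunt through files by hand. Keep the archive and manifest off the web server (S3, Dropbox, a local disk), since a backup that lives next to the site shares its fate.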

Keep It Clean

How many of those plugins are you using? Do you really need that one? How about all those themes that you never used? That’s right – get them out of there. Delete them or, if you want to keep them for some reason, put them in Dropbox or on Amazon S3. The less clutter you have, especially in unused or inactive plugins, the better your site will run.

Keep the spam problem under control. Delete spam comments on a regular basis or use a comment system like Intense Debate or Disqus. Always use Akismet to help out – it’s by WordPress for WordPress to control spam comments. It has blocked hundreds of thousands of spam comments for us. An out-of-control spam problem will affect performance and create tons of busy work for you when you want to clean it up.

Use The Right Tools

We found out our sites got hacked via a notification from the extremely useful Google Webmaster Tools. If you don’t have an account, get one immediately. There are several reasons you should – among them, you get malware notifications telling you about your problem.

Use the WP Super Cache plugin. This plugin makes your site run much more efficiently and helps it to load faster. Another plugin we recommend – aside from a WordPress backup plugin – is WP Security Scan. This excellent plugin scans your WordPress site for security vulnerabilities and tells you how to correct them. Do this once a month.

UPDATE: Check out the WordPress Exploit Scanner to see if this has happened to you!

Summary

  1. Stay Up To Date
  2. Always Have A Backup
  3. Keep It Clean
  4. Use The Right Tools

Do you have a question or comment? Let us know below or jump into the forums!

Also – we want to thank those of you who dropped us a note to tell us about the issues on some of our sites. It is great to know there’s a community out there looking out for you! Thank You!