I just found out that five of my websites had malware! Two were already blacklisted by Google.
I was listening to Terry Anglin’s WordPress webinar on GVO Academy this week, when he was explaining why you need website security and how to secure your website if you’re using WordPress. Since I joined GVO, I have found their free training webinars invaluable. This time was no exception.
Between my wife, Billie, and me we have ten “active” websites. We have both been busy with other things lately, so the websites have been neglected. Most of them use WordPress, which is excellent for building any type of website: WordPress is free, and it’s no longer just for blogs.
Unfortunately, websites attract hackers, and a free security scan from Sucuri showed malware on my five most active sites, two of which had been blacklisted. After I found the first, I spent about a day trying to fix it, and was left with two files that I couldn’t see how to get to. It was then that I decided to check my other sites, and found that four more websites were infected with malware – so much for my website security!
At this stage, I had a choice. Either create a clean website myself, or call in reinforcements. I decided the time had come to get a professional to do the work, so I bought a year’s subscription to the paid version of Sucuri.
Sucuri claims it takes them about 4 hours to clean a website. Given my limited experience, I doubt I could do it in four days, but these guys are doing it all the time so they know what they’re doing! For me it was worth the money to have the sites cleaned and all my sites monitored for a year.
Prevention is always better than cure, so if you have a site, WordPress or otherwise, I suggest you might like to secure your website now before it gets hacked. If you do get hacked there is a danger that innocent people going to your site will also be attacked. In any case, the least that is likely to happen is that you will be blacklisted by Google, meaning that you’ll lose most of your traffic.
How to Secure Your Website
Sucuri has the following recommendations:
- Change your FTP (or SSH) domain password to a good strong one, preferably using a password generator. Mine was pretty strong on some of the sites, but not the really strong kind that a generator, such as that included with GVO, gives you. I use RoboForm to remember my passwords, but they suggest that Peguta and LastPass are also good.
- Change your administrator password if you are using WordPress or any CMS. Clean out any admin users that you don’t need, and change the passwords of the others.
- Change your database password. You may need to change the wp-config.php or configuration.php file to recognize the new password, depending on how you change it. If you’re using GVO’s Web Host Manager, this is all automatic when you change the domain password.
- Run a virus scan on your PC – it may also be infected. Microsoft Security Essentials (MSE) is good for this if you’re using Windows.
- Update your site to make sure you have the latest versions of your applications running.
- Back up your site regularly.
These are all excellent recommendations. If you’re using WordPress, I would also suggest that you install the free BulletProof Security plugin. It may not catch everything, but along with the other items you will be pretty safe, and you can run a free Sucuri scan right from BPS. (That’s how I found my problems originally.)
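For the password steps in Sucuri's list above, here is an added example (not from Sucuri, GVO or the webinar) that generates a strong password and writes it into the DB_PASSWORD line of a wp-config.php file. The function names and the sample config text are made up for illustration, and the script assumes you have already set the same new password for the database user on the server.

```python
import re
import secrets
import string

# Characters for generated passwords: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_password(length=24):
    """Return a random password containing every character class."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw

def php_single_quoted(value):
    """Quote a value as a PHP single-quoted string literal."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

# Matches define('DB_PASSWORD', '...') or the double-quoted form, escapes included.
DB_PASSWORD_RE = re.compile(
    r"""(define\(\s*['"]DB_PASSWORD['"]\s*,\s*)"""
    r"""(?:'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")"""
    r"""(\s*\))"""
)

def set_db_password(config_text, new_password):
    """Return wp-config.php text with exactly one DB_PASSWORD value replaced."""
    literal = php_single_quoted(new_password)
    # A function replacement keeps backslashes in the password literal intact.
    updated, count = DB_PASSWORD_RE.subn(
        lambda m: m.group(1) + literal + m.group(2), config_text)
    if count != 1:
        raise ValueError("expected one DB_PASSWORD define, found %d" % count)
    return updated

# Constructed sample of the relevant wp-config.php lines.
SAMPLE_CONFIG = """<?php
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'old\\'pass' );
define( 'DB_HOST', 'localhost' );
"""
```

Generated passwords often contain quotes and backslashes, which is why the value is escaped before it goes into the PHP file; pasting one in by hand without escaping can break the site.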
Terry Anglin has several other recommendations for WordPress users – catch his webinar on GVO Academy if you need to know more. GVO Academy alone is worth the price of GVO for me. You can get it with HostThenProfit, at a bargain-basement price (under $10/month).
GVO, HostThenProfit and Sucuri all have affiliate programs – they don’t cost anything to join, so I joined them all. So check out your site now – if it’s a WordPress site, install the BulletProof Security plugin and run the free scan. Then start securing your site if it’s not already done.