Since moving home five weeks ago I’ve been living on painfully limited mobile data (thanks to a certain ISP who decided to cancel my fibre installation twice!). As a result, most of my digital life has been neglected and almost everything needs an update. This is the reason my anti-virus was out of date for weeks and why I failed to update WordPress when a huge security flaw was discovered in February.
My first run-in with said security flaw was when I logged in to my WordPress dashboard a few weeks ago. I checked through my recent comments and noticed that my latest post had been renamed to “HACKED BY ****** TEAM”. I went cold, and after a few minutes of freaking out I clicked on the post.
The entire blog entry had been deleted and replaced with a rather sweary political message accompanied by a tacky looking flag gif; the kind you’d find on MySpace in 2004.
“Why would anyone hack my blog for political reasons?!” I questioned my other half, taking it all very personally. But as it turned out, Cosmic Kick was just one of an estimated 1.5 million websites that had been targeted in the attacks according to a report from the BBC.
The second time it happened was less shocking – getting hacked was becoming old news at this point: “Hmm, that’s interesting,” I thought to myself, “Why is that post suddenly gaining attention?” It was my first ever blog post from 2009 (which I’ve since deleted because it was utter pants anyway) that had been getting clicks for the first time in years. I clicked it to find out why the sudden love, but instead of love all I found was loads of changed links and randomly placed keywords like “Cheap Shirts”! This time I’d fallen prey to an ad keyword injection.
You can read the technical details of the vulnerabilities over on the Sucuri Blog.
Keeping Your Data Safe
These hacks really brought home the need for WordPress security. Rather naively, I’d never taken it seriously as I’d never expected to be a target and often left updates for weeks before installing them, but this is proof that if you’re unprotected online then you’re vulnerable.
Thankfully there’s plenty of security advice out there on how to keep your websites, accounts and data safe. Tech blog Digital Connect Mag recently featured a great piece from label manufacturer Data Label, in which they affirm the old adage ‘prevention is better than cure’.
The biggest take-away from this story is to keep your WordPress up to date, and that includes deleting old abandoned plugins that you may have forgotten about. I now check for updates daily. Even if that does mean visiting my local library until my home internet is installed.
An easy way to stay informed is to join blogger groups on social media. The first thing I did was to ask for advice on Facebook and was given loads of great tips. Other, more experienced bloggers are indispensable when you’re still learning the ropes. Especially if you’re on a strict budget and hiring someone to fix the problem is out of the question.
The best pieces of advice I received last week were:
- Install a security plugin such as Wordfence. Now, I used to have Wordfence running but somewhere along the way it vanished: Spooky! Since re-installing, the amount of attempted logins from hackers on my site has dropped drastically.
- Hide your login page. If they can’t find it, how are they going to log in? Use a plugin like WPS Hide Login.
- Enable two-step authentication. I was doing this anyway but it’s definitely worth a mention. There are several options. Learn more about these over at Theme Isle.
Ultimately though, web security is a never-ending game of cat and mouse. The way to play along is to keep on learning new ways of protecting your website. Stay on top of security news by reading the WordPress, Wordfence and Sucuri blogs (to name just a few). That way you’ll be armed and ready for the next attack.
Have you ever been hacked? How did you fix it? Let me know down below!