The global brute force attack is real. And it’s compromising sites left and right. I’ve been contacted by eight non-training clients to repair their site in the past 48 hours. All hosting companies have been hit. There is no such thing as a bulletproof site. There are several good precautions you can take, but only one real way to protect your site. Do you have to lose your site or your online authority and reputation before you get serious about site security? You’re an online business owner. Wake up and smell the attack bots. If you owned a brick-and-mortar store, would you leave the front door wide open? Here are real-world examples of what’s happening right now and what you can do to protect all of your hard work.
Losing it All
In this week’s Tips Tuesday I mentioned that Dreamhost was getting slammed by the brute force attack. I have been contacted by someone whose site was hit and now she may lose years of hard work. She had taken no precautions, had no backup, and no idea what to do to fix the problem. Worse, she had no idea how to keep it from happening again.
Spam Injection Reputation Ruiner
I was contacted by someone on another host who just discovered Viagra is being promoted in search results under his site name. You better believe a Google penalty is on the way if he doesn’t get this fixed fast. Ask the folks who got hit in the last Penguin update just how hard it is to get your online reputation back after Google pops you for being spammy.
This is what the botnet does once it gets in. It injects spam links and pages into your site so that search engines index them under your domain, using your good name as a spam portal.
He had no idea that his site had been doing this for weeks until he happened to search for one of his own posts in Google. He had no idea what the problem was either, or how to fix it, or how to keep it from happening again.
I worked with a new client to help her change themes recently. I went into her hosting account to grab a backup of her site. There was zero protection on the site. Zero. I told her that I found nine ways to hack her site in less than a minute. She is on BlueHost, and I found these issues at the height of the brute force attack on that host. To my knowledge she still has done nothing to protect her online business. You know, the one she just spent a lot of money and time on to change over to a premium theme.
I just migrated another site to BlueHost for a training client. He asked that I have a look at another site he has hosted there; one that he paid someone a lot more money for than what he got with me.
Again, zero protection on the core files, the database, or the site files. No backup in place. But there was one plugin that had overwritten the .htaccess file with so much bogus code I’m surprised that the site even displayed. I shored it up because any site on your hosting is a potential security hole. You can’t protect just one; you have to protect them all.
About to Break
A few months ago I did this same inspection for a well-established visibility coach. We found that she was pushing the limits on her hosting capacity and that her site was not being backed up properly. Nor did it have any security on the core files. And there was no lock on the front door. She had paid someone to professionally set up her site and maintain it. She was shocked and amazed at all that was going on behind the scenes in her hosting and on her site and couldn’t believe that no one had known this or brought it to her attention.
It hurts my heart to see good folks lose their entire site. And there’s nothing I can do to help them at that point. When it’s gone, it’s gone and has to be rebuilt from scratch. Some hacks are recoverable. Far too many aren’t. (Read How to Avoid the Heartache of Losing Your Site)
What You Can Do
1. Take the appropriate responsibility of being a site owner and protect your most valuable investment.
2. Put locks on the front door in the form of a brute force attack prevention plugin. My favorite is Login Lockdown. I’m also testing BruteProtect. (Read Put a Lock on the Front Door of Your Site)
3. Secure the core files on your host like the .htaccess file. Different hosts allow different things. You may find generic tutorials, but they may or may not work with your host. (Read Install WordPress to see the five levels of security on core files.)
4. Delete any plugins and themes you are not using. Each one is a potential security hole.
5. Keep WordPress, plugins, and themes up to date. Many updates exist specifically to patch security holes.
6. Be vigilant. Read Tips Tuesday and other posts from folks you trust to stay current on what’s happening with site security. (You can subscribe to Tips Tuesday too, or to all blog posts.)
7. Set up a solid backup and recovery strategy. This is not the place to cut corners. A backup that allows you to easily restore everything, including core files on your host, content, images, plugins, and theme is the only real protection you have. I prefer BackupBuddy. Be sure to configure it to match your posting frequency. (Read How to Backup Your WordPress Site)
8. Store your backups off site. If your hosting is attacked, you could lose both your site and your backups.
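Steps 3, 7 and 8 above are the ones most people get wrong in practice: the backup leaves out the hidden core files (.htaccess), leaves out the database, or is never tested. The script below is an added example written for this post, not code from the original post or from BackupBuddy. It bundles a WordPress document root (hidden files included) and, optionally, a mysqldump of the database into one timestamped archive with a SHA-256 checksum, then verifies that the archive is intact and actually contains wp-config.php and .htaccess before you copy it off the host. It assumes a Linux host with GNU tar, sha256sum and (for the database step) mysqldump on the PATH; the paths, the `files-only` mode and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): back up a WordPress site
# (files incl. dotfiles + database dump) into one archive with a checksum,
# then verify the archive before shipping it off site.
# Assumptions: GNU tar, sha256sum and mysqldump are on PATH; DB credentials
# are read from wp-config.php. Pass "files-only" as the 3rd arg to skip the DB.
set -eu

# Read a define('NAME', 'value') constant out of wp-config.php.
# $1 = path to wp-config.php, $2 = constant name (e.g. DB_NAME)
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Create the backup. $1 = WordPress docroot, $2 = destination dir,
# $3 = "files-only" to skip the database dump. Prints the archive path.
wp_backup() {
    docroot=$1; dest=$2; mode=${3:-db}
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    work=$(mktemp -d)
    archive="$dest/wp-backup-$stamp.tar.gz"
    mkdir -p "$dest"

    # Database dump next to the files, so one archive restores content,
    # settings, plugins and theme together. A failed dump aborts the backup
    # (set -e) rather than silently producing a files-only archive.
    set -- -C "$docroot" .
    if [ "$mode" != "files-only" ] && command -v mysqldump >/dev/null 2>&1; then
        cfg="$docroot/wp-config.php"
        dbhost=$(wp_config_value "$cfg" DB_HOST)
        MYSQL_PWD=$(wp_config_value "$cfg" DB_PASSWORD) \
            mysqldump --single-transaction -h "${dbhost:-localhost}" \
            -u "$(wp_config_value "$cfg" DB_USER)" \
            "$(wp_config_value "$cfg" DB_NAME)" > "$work/database.sql"
        set -- -C "$work" database.sql "$@"
    fi

    # Archiving "." from inside the docroot picks up hidden files such as
    # .htaccess, which a "*" glob would miss. Page caches are skipped.
    tar --exclude='./wp-content/cache' -czf "$archive" "$@"

    # Checksum written relative to the archive so "sha256sum -c" works
    # wherever the pair is copied.
    (cd "$dest" && sha256sum "${archive##*/}" > "${archive##*/}.sha256")
    rm -rf "$work"
    printf '%s\n' "$archive"
}

# Verify an archive before trusting it: checksum intact, and the two files
# people most often discover are missing at restore time are present.
# $1 = archive path. Returns 0 on success, 1 on any failure.
wp_verify_backup() {
    archive=$1
    (cd "$(dirname "$archive")" && sha256sum --status -c "$(basename "$archive").sha256") \
        || { echo "checksum mismatch: $archive" >&2; return 1; }
    listing=$(tar -tzf "$archive")
    for must in ./wp-config.php ./.htaccess; do
        printf '%s\n' "$listing" | grep -qx "$must" \
            || { echo "backup is missing $must" >&2; return 1; }
    done
    return 0
}

# Usage: sh wp-backup.sh /var/www/html /backups/wp [files-only]
# Then copy the .tar.gz and its .sha256 off the host (another server,
# object storage, a local disk); a backup that lives only on the attacked
# host goes down with it.
if [ $# -ge 2 ]; then
    a=$(wp_backup "$1" "$2" "${3:-db}") && wp_verify_backup "$a" && echo "backup ok: $a"
fi
```

Run it from cron at least as often as you publish, and restore from the archive into a scratch directory once in a while; a backup you have never restored is a hope, not a strategy.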
You can pay a company $30/mo to take over your site maintenance. But they can’t protect you from yourself. I’m going to be straight up with you. Stop playing house online. Learn what you need to know to operate your site safely.
I offer a full 20-point Site Evaluation and Review. You see what I see live via screen sharing. We go over your core files, WordPress installation, plugins, and more. You’ll get an evaluation checklist immediately afterward. You don’t give me any passwords or access to anything. It’s the cheapest peace of mind you can get for your site.