Washington City Paper

Indie Wire post

Check out the Funk TV website

The reaction was purely visceral. My stomach dropped. My heart skipped a beat.

I couldn’t have been more stunned if someone had walked up and punched me in the gut.

I had logged on to Genlack.com to begin work on a new post but instead of my familiar cube, up popped a skull and cross bones and the words FACK YOU, STEVE!

Fack me? But I’m such a nice guy. I had been hacked. Fack me!

But the whole experience was worth its weight in education. The hacker helped me to pinpoint holes in both my website security and backup procedures.

Many of my clients are migrating their former static websites to WordPress, Drupal or some form of content management system (CMS). These new technologies allow them to take advantage of the easy updating and customer outreach capabilities of these systems, as well as the improved search engine optimization that these type of sites allow. With this migration to the latest technology also comes the necessity for a more vigilant backup and website security system.

Most hackers gain access to your site through vulnerabilities in the way your CMS interacts with the necessary back-end database. Once they have compromised your database, they have control of what displays when someone visits your site, or even worse, they may have access to any data contained at your website, such as customer email addresses. It can take hours to clean your database and get your site back online and secure. For a small business, this downtime can be devastating. If you have already been hacked and you haven’t implemented the procedures recommended in this article you can either follow the the steps outlined at http://ocaoimh.ie/did-your-wordpress-site-get-hacked/, or get the folks at SecureLive to de-hack your site for a fee of $697. As I’ve recently confirmed, “An once of prevention…”

Backup, backup, backup

As any of my web development clients will tell you, my mantra is “backup, backup, backup.” The attack on Genlack caused me a bit of inconvenience but no loss of data or work-time. Actually the hacker helped me to improve my backup system. Before this attack I had software in place to back up my site files once a week and my database once a day. After losing a full day of updates to genlack.com, I increased the database backup frequency to every 12 hours. The best way to make sure your site is backed up is to use automated backup software. For WordPress there are a several plug-ins that automatically backup your database and email you a backup file. You can then store the backups in a safe off-site location to be restored if disaster strikes. For general backup, if you have shell access to your server, I recommend BackupPC, for PC, Mac and Linux. For WordPress installations, I haven’t found one single solution to back up my entire site. For quick, one-at-a-time backups after I make any big changes to the site, I use EZ Backup WordPress. For a more automated approach to backing up theme, plug-in and image directories, I use WordPress Backup. It is also essential to back up the database associated with your WordPress site, and for that I recommend the excellent plug-in, WP-DBmanager, which automates many aspects of maintaining your database, including backup.

How to secure your site

I thought that I had my site secured but it turns out there were vulnerabilities in my WordPress installation. I run several sites using both Drupal and WordPress, as well as traditional static HTML websites. In this article I will focus on WordPress installations; however, many of the same techniques apply to other systems.

The first lesson I learned was to immediately apply any updates to the core system and any plug-ins you are using on your site. Hackers are always one step ahead of us good guys when it comes to finding vulnerabilities to exploit and patches are always released as soon as a hole is found. Always update your systems as soon as updates become available.

The first thing you should do after installing a WordPress site is to change the name of the administrator account. WordPress installs a default administrator user name of “admin.” The hackers are well aware of this and begin their exploits by searching for the admin account to begin their attack. The best way to avoid this is to change the username on your administrator account. WordPress doesn’t give you an easy way to do this. You’ll have to go into your database, using phpMyadmin, or a similar program provided by your webhost.

Here’s how:

After changing your admin account name, the next step is to make sure that your directories are secure. The only files that the public should be able to see are files named index.php or index.html; these files point to everything else that is viewable in your WordPress installation. To do this, add the following one line to your .htaccess file, using any text editor:
Options All -Indexes

If you’re interested in learning more about all the things you can do to control your site using the .htaccess file, you can find everything you need to know at: http://www.askapache.com/htaccess/htaccess.html

The last step to take is to remove the WordPress version information from your header. To do this you’ll need to add the following line to your functions.php file using any text editor:

<?php remove_action('wp_head', 'wp_generator'); ?>

If your theme doesn’t have a functions.php file, you can easily create one in your text editor and upload it to your theme’s directory.

Once you’ve taken these steps, your site will be more secure. However, there is still more you can and should do and it’s as easy as installing a plug-in or two to your site.

Security plug-ins

While there are many issues and items that need to be addressed when securing your site, most of us, even those in the website business, don’t have the time or background to become network security experts. Fortunately, there are many free plug-ins and commercial packages available to help secure your site.

A search for “WordPress Security Plug-Ins” provides a long list of free programs to help block the hackers. However, none of them is without drawbacks. The one free plug-in I do recommend is WP Security Scan, which will look through your site and give you a checklist of items you need to address to secure your WordPress installation. Most of the rest of the security plug-ins for WordPress somehow interfere with normal daily operation of your site. That’s why I decided to invest in a commercial product to secure my sites.

The best solution I’ve found for securing my WordPress installations, and the one that I recommend to my clients, is SecurePress from SecureLive. They also have a version for Joomla and a stand-alone product that secures other non-CMS websites. Although a bit pricey by the standards of “free-plug-ins,” their services are well worth the price and have in fact saved me many hours of work.

If security is not the way you’d like to spend your time, we at Genlack would be happy to look over your site, recommend products or solutions and implement them for you. For a free site evaluation contact us and we’ll help you sort it all out.

Do you have any favorite WordPress security plug-ins? Leave a comment and let us know about them.