A few days ago I woke up and found one of my websites down. Not being very technical I tried everything I knew; does the site responds to ping? Yes. Do other websites in the same server work? No. Reset the server, did it work? No…
So I contacted my hosting company to see if they could help me figure out what was going on and they sure did, they told me by website was sending around 10K e-mails per hour, which was considered spam (no kidding) and therefore my website had been added to several black lists that prevented it to load on most browsers.
Shit! 10K e-mails per hour? What happened here?
So I contacted my tech guy (girl actually) and asked her to take a look at it. She got back to me almost immediately and said our server was indeed sending out tons of e-mail but it wasn’t our website (weird when you are talking about a dedicated server that is supposed to host only one website), it was a WordPress installation that I did a couple of week earlier as a side project, I told her that and she asked; did you make a secure WordPress Installation?
What? I just installed it, isn’t that supposed to be secure? Well apparently not as much as it should be since that installation was hacked and was being used to send tons of spam.
So my obvious question once the issue was solved (it took a few weeks to go 100% back to normal) was; nest time, how do I set up a secure WordPress Installation?
According to my tech team it’s not that hard at all, you just have to follow a few more step after the installation, some obvious (but worth being reminded of), others not so much. So here is a list of the 5 steps you should follow to set up a secure WordPress installation:
- This is obvious, but choose strong passwords and never set up a user called admin since most robots will try that when trying to hack your site.
- Use a random database prefix instead of the standard i39fw1_
- Insert this line of code at the end of your wp-config.php file: define(‘DISALLOW_FILE_EDIT’, true);
This will disable file editing from your admin panel, which means that even if someone does hack your admin password and access your dashboard they won’t be able to insert malicious code into your files. - Install a theme called Login Lockdown and take a minute to set it up properly. This will block anyone attempting to log in to your website a suspicious number of times in a relatively short time (what robots usually do to hack you password) and will block them for a certain period of time.
- Last but not least, keep your WordPress and plugin versions updated. Even if it’s tempting not to once everything is working you should always update. I’ll take the rist to contradict myself though and say you should not update the first day a new WP release comes out, give it a week or two to make sure all the plugins you are using also come out with an update that’s compatible with the new WP version.
And that’s it! I hope this helps many websites prevent the numerous hacker attacks that happen every day.