
WordPress security issues

Hello,

I have been learning WordPress; however, within the first 3 days of setting up 3 sites ... all 3 got hacked into ... very upsetting! Have never been hacked in 16 years using straight HTML/CSS, so a huge let down to realise that WP does not come out of the box with better security by default given that 20% of all sites are WP-based. I wrongly assumed WP would have come a lot farther with basic security included as opposed to having to go out and get a degree in Web security to secure a simple WP site.

Anyways I have been on a mission for past week to try to ascertain what to do.

I have deleted all content completely, to start afresh.

Before I start again, I am wondering what steps I should take immediately after I re-install WP.

For example, immediately after installing WP should I:

  1. Install WordFence (https://wordpress.org/plugins/wordfence/)
  2. Install Sitelock (http://help.secureserver.net/article/12273?locale=en&prog_id=uworlds)
  3. Install iThemes Security (https://wordpress.org/plugins/better-wp-security/)
  4. Do everything on this page: http://codex.wordpress.org/Hardening_WordPress
  5. Do everything on the list on these pages: http://premium.wpmudev.org/blog/keeping-wordpress-secure-the-ultimate-guide/ and http://premium.wpmudev.org/blog/security-101/
  6. Do I need special hosting, dedicated IP, standalone sites or any other special technical requirements to run WP?

Is this a bunch of overkill? I don't have the expertise right now to dissect which elements of which of these links above would be the most relevant for me but I am trying to roll out 40 sites so to have to do all of the above for all of the sites seems positively overwhelming!

There surely must be some plug-in ... ONE plug-in (iThemes Security?) ... that handles all of the above. Surely? Yes? Would anyone be able to help me simplify this log jam in my WP career? :-)

Kind regards, Mike

Helping us understand how your sites were hacked will help in providing you with the proper recommendation(s). I do recommend iThemes Security. Enabling the majority of its features will help prevent many common attacks.

2 Answers

Dustin Leer
21,063 Points

Hi Mike,

I've been designing and developing WordPress sites for over 3 years. Most likely it's not WordPress itself; they work very hard on security, though they did have a rough bout over the past month with some holes. Anyway, there could be a lot of issues causing the hacks.

Just some possibilities, not saying you did any of these.

  1. Could be bad passwords and usernames (it happens, not blaming anyone here)

  2. WordPress suggests that you create an Admin account but only use it strictly for Admin purposes, so don't write your posts from an Admin account. Make an Author account to do all the writing and adding of content.

  3. Could be bad theme development if you are child theming. You could have purchased a bad theme, or if you got any free themes from a 3rd-party site and not WordPress.org, it could have malicious code in it.

I would suggest the Sucuri plugin; they are on top of their stuff over there. Also check out maintainn.com, they help a lot. Also you should use Jetpack, which allows you to set up something called "Protect" which does the following...

Protect

Jetpack Protect is a cloud-powered brute force attack prevention tool. We leverage the millions of WordPress sites to identify and block malicious IPs. Jetpack Protect tracks failed login attempts across all installed users of the plugin. If any single IP has too many failed attempts in a short period of time, they are blocked from logging in to any site with this plugin installed. Jetpack Protect is derived from BruteProtect, and will disable BruteProtect on your site if it is currently enabled.

Hope this helps!

Cheers,

-Dustin
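The threshold-within-a-window logic Dustin quotes for Jetpack Protect, as an added example that is not Jetpack's, Treehouse's or any poster's code: a small Python detector over constructed login records that blocks an IP once it reaches a number of failed logins inside a short window, then refuses that IP for a ban period. The record format, addresses, threshold, window and ban length are all assumptions.

```python
"""Sliding-window brute-force detector over failed-login records.
Added example modelled on the behaviour Jetpack Protect describes
(too many failures from one IP in a short period => block); this is
not Jetpack's code. Log format and addresses are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: "<ISO timestamp> <client IP> <FAIL|OK> <username>"
SAMPLE_LOG = """\
2015-04-01T10:00:00 203.0.113.5 FAIL admin
2015-04-01T10:00:03 203.0.113.5 FAIL admin
2015-04-01T10:00:05 198.51.100.7 OK editor
2015-04-01T10:00:07 203.0.113.5 FAIL administrator
2015-04-01T10:00:09 203.0.113.5 FAIL root
2015-04-01T10:00:11 203.0.113.5 FAIL admin
2015-04-01T10:12:00 198.51.100.7 FAIL editor
2015-04-01T10:12:30 198.51.100.7 OK editor
"""

def parse_line(line):
    ts, ip, result, user = line.split()
    return datetime.fromisoformat(ts), ip, result, user

def find_blocked_ips(log_text, threshold=5, window=timedelta(minutes=5)):
    """Map each IP that reaches `threshold` failures inside any `window`
    to the time the block was triggered. Only FAIL records count."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked = {}
    for line in log_text.splitlines():
        ts, ip, result, _user = parse_line(line)
        if result != "FAIL" or ip in blocked:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ts
    return blocked

def login_allowed(log_text, ip, at_iso, ban=timedelta(hours=1), **kw):
    """True unless `ip` was blocked less than `ban` before the time `at_iso`."""
    blocked = find_blocked_ips(log_text, **kw)
    if ip not in blocked:
        return True
    return datetime.fromisoformat(at_iso) - blocked[ip] >= ban

if __name__ == "__main__":
    for ip, when in find_blocked_ips(SAMPLE_LOG).items():
        print(f"block {ip} from {when.isoformat()}")
```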

Hi Dustin,

Thank you very much for this. Some of my reply to Chris below could be used for your answer too :-)

Would you use Sucuri plus iThemes Security plus Wordfence plus Jetpack? I don't really understand the separation between the functions of these, it's very complicated and I don't want to double up function and slow down my site.

Would you buy an SSL for every single site that you owned on shared hosting (if that can even be done)?

Many thanks!

Regards, Mike

Dustin Leer
21,063 Points

Hey Mike,

I would use the three things I suggested in conjunction. Sucuri will help protect the site overall, Jetpack Protect will guard against malicious login entries/brute force attacks (Chris Coyier was hacked last year and he did a 1hr podcast with the guy) and then maintainn will help you sort your sites if they are ever hacked. I honestly know people at these companies and all three work really hard to keep up to date on internet security. I would also suggest that you have a backup system like VaultPress; there are others, but you seem to be looking for a single solution. Honestly I don't think you need more than what I suggested, but that is opinion. The options I listed are solid solutions, but there are always other options to choose.

I know very little about iThemes Security other than that the company that makes it is a good WordPress community member that supports the project and keeps their code bases up to date with WordPress standards, and I have never heard of Wordfence.

I don't think you need an SSL for every site, you could do that but I don't think it is necessary.

I hope that helps a little more.

Cheers,

-Dustin

Hello Chris,

Thanks very much. I ended up deleting all content in the site before I realised that it could have been any number of issues which I learned later, and could have checked, for example a redirect placed in a .htaccess ... and I now know there is code you can put in there to prevent hacking.

I did use a free plug-in but I thought it was from WordPress.org. I got a paid membership to WPMU so will be using a new theme from there.

What ended up happening was the home page of the site was replaced by a hacker page who said he was from Bangladesh, and even put a link to his facebook page on my home page https://www.facebook.com/H3X.BD to brag about it! I complained to Facebook about this person (which was not easy to report), plus Godaddy (where my hosting is) and to the Australian Cybercrime Authority and the Australian Federal Police. The Facebook page still exists.

Cheers, Mike