I was working on this website that night when I was logged out. I tried logging back in and WordPress told me my IP address had been locked out due to several login attempts. I was confused at first and then realized Jetpack has the feature enabled. Several login attempts? When? By whom? My own IP? What’s going on? I kept asking those questions and launched my VPN software to use a different IP address to log in.
I logged in successfully but realized my display name had changed and my author bio had been replaced with Russian and included a link to a website dealing with medical supplies. I reverted everything, changed my password and went to bed. I thought I had won, but the battle had just begun.
I woke up the next morning to an even worse situation. The last post I wrote had been wiped clean and replaced with spammy links, and I couldn’t log in because my password had been changed. I tried recovering the password through email, but WordPress said my email didn’t exist. The email had been changed too, and that was when I knew I had to take this more seriously.
Recovering Access
Praying to still have access to my cPanel, I keyed in my login details and went straight to phpMyAdmin. I accessed the users table, located my username and saw my display name, email and URL had changed. I reverted everything, tried logging in to the site and still I couldn’t access it.
I went back to phpMyAdmin and saw it had changed again. It was reverted almost the moment I changed it. That was when I suspected a certain script on the server was doing this.
I disabled every plugin from the cPanel file manager by renaming the plugins folder. I then went to the database to edit my details again. I tried logging in, and at this point I was logged in. I reverted to the default WordPress theme too and started troubleshooting.
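The "certain script on the server" that keeps re-writing the users table is usually a PHP file dropped somewhere under wp-content. Renaming the plugins folder stops it, but does not find it. Below is an added example (not code from the post or from any plugin it mentions) of the file-level triage a responder would run next: it lists recently modified PHP files, flags any PHP inside wp-content/uploads (which should never contain executable code), and matches a deliberately short, constructed signature list for obfuscated loaders. The sample tree it builds is invented, including the file names and the placeholder base64 blobs.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Constructed, deliberately short signature list for illustration only
# (assumption: a real scanner uses a curated, regularly updated signature set).
SUSPICIOUS_PATTERNS = {
    "eval_of_decoded_blob": re.compile(
        rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    ),
    "command_exec_of_request_input": re.compile(
        rb"(?:system|shell_exec|passthru|exec)\s*\(\s*\$_(?:GET|POST|REQUEST)\b"
    ),
}

PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7"}


def triage_wordpress_tree(root, now=None, recent_hours=48):
    """Walk a WordPress install and return three sorted lists of findings.

    recently_modified: PHP files changed within `recent_hours` (legitimate
        updates land here too, so this is a review list, not a verdict).
    php_in_uploads: any PHP under wp-content/uploads, which should never exist.
    suspicious_code: (path, signature) pairs for files matching a pattern.
    """
    root = Path(root)
    now = time.time() if now is None else now
    cutoff = now - recent_hours * 3600
    findings = {"recently_modified": [], "php_in_uploads": [], "suspicious_code": []}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in PHP_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        if path.stat().st_mtime >= cutoff:
            findings["recently_modified"].append(rel)
        if rel.startswith("wp-content/uploads/"):
            findings["php_in_uploads"].append(rel)
        data = path.read_bytes()
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(data):
                findings["suspicious_code"].append((rel, name))
    for key in findings:
        findings[key].sort()
    return findings


def build_sample_tree(now=None):
    """Create a constructed, throwaway WordPress-like tree for the demo.

    Every file name and content here is invented; none refers to a real
    plugin, theme or incident.
    """
    now = time.time() if now is None else now
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    month_ago = now - 30 * 24 * 3600
    hour_ago = now - 3600
    samples = [
        # (relative path, contents, mtime)
        ("wp-content/plugins/good-plugin/good-plugin.php",
         b"<?php\n/* Plugin Name: Good Plugin */\nadd_action('init', 'gp_init');\n",
         month_ago),
        # injected loader dropped next to a legitimate plugin file
        ("wp-content/plugins/good-plugin/wp-cache-helper.php",
         b"<?php eval(base64_decode('...constructed placeholder...')); ?>\n",
         hour_ago),
        # same kind of loader disguised as an image inside the uploads directory
        ("wp-content/uploads/2019/03/image.jpg.php",
         b"<?php eval(gzinflate(base64_decode('...constructed placeholder...'))); ?>\n",
         hour_ago),
        # a clean theme file touched by a recent legitimate update
        ("wp-content/themes/twentyseventeen/functions.php",
         b"<?php\nfunction twentyseventeen_setup() {}\n",
         hour_ago),
    ]
    for rel, content, mtime in samples:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for category, items in triage_wordpress_tree(sample_root).items():
        print(category)
        for item in items:
            print("   ", item)
```

The theme file shows up in `recently_modified` without matching any signature, which is the point of keeping the three lists separate: a modification time is a lead to check against your update history, not proof of compromise, whereas PHP under uploads or an `eval` over a decoded blob warrants quarantining the file before anything else.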
First Things Come First: Security Plugins
The first thing I knew I had to do was a malware scan. I installed Anti-Malware & Brute-Force Security by ELI and did a complete scan.
I was sure my .htaccess files were secure since I had the iThemes Security plugin before disabling it a couple of weeks earlier while troubleshooting a different issue. Anyway, I went ahead and installed Wordfence.
This plugin also did a scan and found some issues, which I fixed immediately. The issues found were mostly with sites I linked to being flagged as dangerous and harboring malware. Some comments too were flagged as containing URLs to malicious websites. Some users also had very weak passwords, which I fixed.
Blocking Suspicious Activities
I knew those things I did were not the real issue. I studied the Wordfence live traffic feed and found out several IP addresses were trying to gain access to the site’s dashboard. I suspected these were bots used in hacking WP websites and immediately took action. I started blocking these IP addresses.
I also reviewed the Wordfence settings to block unusual login attempts, as this helps against brute force attacks.
However, I doubt the hack was actually through a brute force attack; I suspected it was due to a vulnerability in one of my plugins, my theme or something else.
Unused Sites on Your Account Might Put You at Risk
I have about three demo sites on my account installed on subdomains, and I hadn’t checked some of these sites in two years or more. These sites ran outdated versions of WordPress and had outdated plugins. This is a big risk, not just to the sites in question, but to every site on the hosting account.
I deleted these sites completely without leaving a trace from cPanel file manager.
I have a few other active sites as addon domains, which I updated immediately. I logged in to the active sites and updated outdated plugins as well. I was trying not to leave any stone unturned. I also deleted unused and unnecessary plugins from these sites.
Enabling Disabled Plugins
Remember I mentioned disabling all plugins from the cPanel file manager at the beginning of the article, right? I renamed the folder back to what it should be and went to the WP dashboard to start enabling the plugins one after the other. I started with those I fully trust. After each plugin was activated, I would wait about 30 minutes to see if everything was still normal and then go on to the next one.
There were plugins I could do away with, which I uninstalled and deleted. There were also plugins from questionable sources, which I removed. I’ve activated almost all the plugins now save one, and everything seems to be back to normal.
Taking Precautions
It would’ve been disastrous if I hadn’t taken proper precautions. I can’t imagine losing the site and the content I’ve worked for years to build up. If you’re on the WP platform, I think you shouldn’t take security lightly. Here are a few things to do:
- Harden your security by securing your .htaccess files and all directories. For this, I recommend the iThemes Security plugin.
- Monitor users and block suspicious IP addresses. I’m using Wordfence for that.
- Always perform a scan for malware, and that’s where the Anti-Malware Scan plugin comes in.
- Delete unused WordPress installations on your hosting account.
- Always be sure you’re running the latest version of WordPress on the other sites on your account, even if those sites are not getting any visits.
- Plugins can cause serious damage. Be sure you’re using plugins from trusted authors and sources.
- Always keep your plugins updated.
- Be sure to always back up. You may want to try out this plugin that automates your backup and sends it straight to Dropbox.
Even when you think you’ve done all these, you’re still not 100% secure. You can never be. On the Internet, no system is completely secure; there will always be a loophole. You can only do your best to block the ones that are obvious.