If you are reading this post, either your WordPress blog has been hacked, or you are researching how to prevent your WordPress blog from being hacked. Either way, you will find the solution here.
I want to share my experience of how my blog got hacked and what I did after that.
Let me start the story!
Waking up from a nap, I decided to check on my blog to see if there were any comments I needed to reply to.
On logging into my WordPress dashboard, I saw 23 trackbacks, all on a single post. That was massive; I had never seen such a thing.
The post in question looked strange to me, so I decided to take a look at it. It had been published 2 hours earlier.
I was shocked because I knew nothing about it. Nor had I approved any guest post with that title.
I immediately opened my WordPress security plugin, Wordfence, clicked on Live Traffic and scrolled 2 to 3 hours back to see past traffic activity.
To my great surprise, there was an administrator login which was not mine.
The admin login was an account I had created weeks back when I was testing the functionality of a WordPress “role plugin”.
Oh my God! I didn’t delete it when I was done testing.
So someone logged into my blog as an admin! What did he do? I asked myself.
How could I be so careless as not to delete a second administrator account which I had created with a weak password?
I discovered that only one post, titled “For what reason the new technologies and-the electronic data rooms can be beneficial for everyday life and our business”, had been added to my blog. I quickly deleted it and deleted the admin account too.
I wasn’t too scared because I have an automatic backup plugin called UpdraftPlus, so I could restore my blog from any of the 5 most recent weekly backups kept on my Google Drive, which I did.
But come to think of it, how did the unauthorised admin get my password?
Was it a brute force attack?
Whichever way he got the password does not matter; the fact is that I could have prevented it, up to 95%, by using a stronger password or by using some of the tricks I will explain in this post.
Now I have won my blog back. I also changed my password to a stronger one.
What surprised me the most was how the unauthorised post got 23 trackbacks (backlinks).
Imagine: some of the articles that were linking back had existed for 2 to 3 years. Can anyone explain this?
Two months later, I stumbled upon a backlink checker called ZigStat, which listed those backlinks. There were 11 dofollow backlinks.
I may have been lucky in my case, but this does not mean that preventive measures should not be taken.
The hacker could have deleted my blog posts; and how am I even sure he didn’t download an XML export of my content?
How to Prevent WordPress Blog from Hackers
1. Have a solid password
Most hackers get into WordPress through weak passwords, very often on forgotten accounts like the test administrator in my story. Every account with administrator rights is a door into the site, so delete the ones you no longer use.
Automated tools can guess 1,000 or more passwords a minute against the login page (wp-login.php) and the XML-RPC endpoint (xmlrpc.php); you can imagine what an hour of guessing looks like. A dictionary word with a digit on the end falls in seconds.
A long, random mixture of letters, numbers and special characters is the strongest password you can have; length matters more than any single trick, so aim for 16 characters or more and let a password manager generate and store it.
Use both capital and small letters as well, never reuse a password from another site, and change it immediately if you suspect it has leaked.
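Brute force attempts against wp-login.php leave a very recognisable trail in the web server access log: many POST requests from one address in a short time, each answered with HTTP 200 because WordPress re-renders the login form on failure (a successful login answers with a 302 redirect to wp-admin). The script below is an added example, not code from this post or from Wordfence, of the counting logic a security plugin or fail2ban rule applies. The log lines are constructed for the demo in the default Apache/nginx combined format, the addresses are from documentation ranges, and the threshold (10 failures in 5 minutes) is an assumed policy you would tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Default Apache/nginx "combined" log layout (assumed; adjust if your LogFormat differs).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Both endpoints accept WordPress credentials, so both must be watched.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # ignore query strings like ?action=lostpassword
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def is_failed_login(method, path, status):
    """A failed wp-login.php POST returns 200 (form re-rendered); success returns 302.
    xmlrpc.php answers 200 to bad credentials too, so every POST to it counts."""
    return method == "POST" and path in LOGIN_PATHS and status == 200


def find_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Sliding-window count of failed logins per IP over chronologically ordered lines.
    Returns {ip: (time_flagged, failures_in_window)} for every IP that crossed the threshold."""
    attempts = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if not is_failed_login(method, path, status):
            continue
        q = attempts[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = (ts, len(q))
    return flagged


def _line(ip, ts, method, path, status):
    # Build one constructed combined-format log line for the demo.
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 1234 "-" "Mozilla/5.0"'


# Constructed sample traffic: one legitimate login, three xmlrpc.php probes (below the
# threshold) and a burst of twelve wp-login.php failures in one minute.
SAMPLE_LINES = [
    _line("198.51.100.5", "10/Oct/2023:13:55:01 +0000", "GET", "/wp-login.php", 200),
    _line("198.51.100.5", "10/Oct/2023:13:55:09 +0000", "POST", "/wp-login.php", 302),
    _line("203.0.113.9", "10/Oct/2023:13:55:20 +0000", "POST", "/xmlrpc.php", 200),
    _line("203.0.113.9", "10/Oct/2023:13:56:20 +0000", "POST", "/xmlrpc.php", 200),
    _line("203.0.113.9", "10/Oct/2023:13:57:20 +0000", "POST", "/xmlrpc.php", 200),
] + [
    _line("203.0.113.7", f"10/Oct/2023:13:58:{s:02d} +0000", "POST", "/wp-login.php", 200)
    for s in range(0, 60, 5)
]

if __name__ == "__main__":
    for ip, (ts, n) in find_bruteforce(SAMPLE_LINES).items():
        print(f"{ip}: {n} failed logins by {ts:%H:%M:%S}, block this address")
```

Run it against your real log with `find_bruteforce(open("/var/log/nginx/access.log"))` and feed the flagged addresses to your firewall or fail2ban. The 200-versus-302 heuristic only holds for wp-login.php; for xmlrpc.php you cannot tell success from failure in the access log, which is one reason many sites disable XML-RPC entirely if they do not use it.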
2. Backup your WordPress site regularly
Regularly backing up your WordPress site will help a long way.
No matter what techniques you use to secure your WordPress site, it is still vital that you back it up, especially your database, and keep the copies somewhere other than the web server itself (in my case, Google Drive).
The backup is your last resort if a hack gets through. Keep several generations rather than a single copy: a backup taken after the break-in already contains the attacker's post and account, so you need one old enough to predate the compromise, and you should test a restore before you need it for real.
3. Keep WordPress on the Latest Version
Always make sure your WordPress installation is on the latest version. When a new version is available, you get a notice on your admin dashboard, and WordPress installs minor security releases automatically unless that has been switched off.
Every new release patches security holes, and this applies just as much to your themes and plugins as to WordPress core; once a fix is public, attackers scan for sites that have not applied it yet.
4. Install a Good WordPress Security Plugin
WordPress has lots of free and premium security plugins. Most of them scan your site for modified files and known malware, and protect it against brute force attacks by limiting failed login attempts and blocking the offending IP addresses.
I recommend Wordfence, but you can still research whether an even stronger security plugin exists.
5. Enable 2-factor authentication
Using two-factor authentication (2FA) on your login page will go a long way to protect your WordPress site from unauthorised logins: even a guessed or leaked password is not enough on its own.
In this case, the user must present two separate factors to log in; the site admin decides what those two will be.
Usually it is the regular password followed by a one-time code from an authenticator app on your phone. Be aware that a secret question or a second memorised phrase is just another "something you know" and does little against a stolen or guessed password; a time-based code generated on a separate device is a real second factor.
By default, WordPress does not have two-factor authentication built in. You can install a plugin such as the Google Authenticator plugin to add it.
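The codes an authenticator app shows are time-based one-time passwords (TOTP, RFC 6238): an HMAC-SHA1 over the current 30-second time step, keyed with a shared secret that the plugin hands out as a base32 string or QR code. The block below is an added example, not code from this post or from any WordPress plugin, showing how the server side generates and verifies such codes. The secret is the RFC 6238 test key (ASCII "12345678901234567890", base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ) so the outputs can be checked against the published vectors; the otpauth URI layout is the one Google Authenticator and compatible apps accept; the one-step clock skew and the replay check are assumed policy.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the big-endian counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, for_time // step, digits)


def verify_totp(key: bytes, code: str, for_time=None, last_counter: int = -1,
                step: int = 30, digits: int = 6, skew: int = 1):
    """Return the time-step counter that `code` matched, or None.

    Accepts +/- `skew` steps of clock drift between phone and server, and refuses any
    counter <= `last_counter` so a code observed once cannot be replayed in the same
    step. The caller stores the returned counter as the user's new `last_counter`.
    """
    if for_time is None:
        for_time = int(time.time())
    counter = for_time // step
    match = None
    for c in range(counter - skew, counter + skew + 1):
        # Compare every candidate with a constant-time check instead of returning early.
        if hmac.compare_digest(hotp(key, c, digits), code) and c > last_counter:
            match = c
    return match


def new_base32_secret(nbytes: int = 20) -> str:
    """Fresh random secret for enrolment (20 bytes = 160 bits, RFC 4226's recommendation)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def key_from_base32(secret: str) -> bytes:
    """Decode the base32 secret as apps display it: case- and space-insensitive, padding optional."""
    s = secret.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def otpauth_uri(issuer: str, account: str, secret: str) -> str:
    """Key URI encoded into the enrolment QR code (Google Authenticator format)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


# RFC 6238 test secret, as the base32 string a plugin would show the user.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    key = key_from_base32(DEMO_SECRET)
    print(otpauth_uri("MyBlog", "admin", DEMO_SECRET))
    now = int(time.time())
    code = totp(key, now)
    print("current code:", code, "-> verified step:", verify_totp(key, code, now))
```

Two details matter in practice: the server's clock must be accurate (NTP), otherwise every code is rejected, and the shared secret must be stored as carefully as a password, since anyone who reads it out of the database can mint codes forever.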