Shout out to my host company InMotion Hosting for being so kind to inform me that my site was hacked and that they quarantined the infected files.
I rushed to check for backups in my files and immediately a rock sunk in my stomach so hard I felt it in my feet. I installed the plugin, did a couple of backups during setup, but forgot to turn on the automatic backups on my site and lost over 4 months of work (including some major design and setup).
Needless to say I felt pretty stupid…
Some people, myself included, have thought why would anyone hack my site or any small nonprofit’s website? I don’t have anything valuable there, and it’s not particularly popular in the grand scheme of things.
People Might Hack Your Nonprofit Website Because
- Some sites capture user/emails and passwords and they want this info
- Some sites capture credit cards (yours, and most shouldn’t store the info though)
- They may want to hold the site ransom until a price is paid to get it back.
- They may be doing it to plaster the site with other images/branding to promote their own shady website.
- Or maybe they were doing it just because they could and it was something fun to do.
Whatever the reason, it’s frustrating beyond belief.
The evening of my site’s hack I was completely busy and I didn’t have a chance to look at it until the following day, which was when I got another email notification. More files were infected and they also took down my other personal site which was on the same server. You can imagine the anger boiling up. If my computer was any older I may have split it in two. However, after a quick visit to my host’s website I saw they keep automatic backups every 24 hours for their customers.
Perfect! I called them up and said, “please restore my site with your latest uninfected version please”.
They replied with a simple statement. “We only keep one version of the backup. After 24 hours, a new one is created and the previous is deleted”.
So yes. That means they copied over the good backup with a backup of the corrupt files because I waited a day to take care of it. I was even more livid than before. But after explaining the situation to my wife I realized that I shouldn’t be mad at them because I didn’t even think they were backing it up at all anyways. But still aggravating.
After I had exhausted that resource I had a choice, to restore from my latest version and redo a bunch of work, or start over and make an even better website than before. So I did the latter and couldn’t be happier with the result. But I learned a lot in the process that followed about website security that I want to help you with so you don’t have to deal with the same thing I did.
Here is everything I learned from that experience.
7 Steps to Keep Your Nonprofit Website Safe from Hackers
1. Keep Backups
Sometimes, despite all efforts of security, your site may be hacked anyways. Prepare your emergency plan by having backups. There are many different backup plugins, some free and others paid. The best free one I can recommend is UpdraftPlus. They offer automatic backups to a Google Drive account so that it’s not saved on your server or on your computer, however restoring from these files can be a little bit trickier than the paid version or other paid plugins.
If you have a little bit of money, and think you will be setting up a development site, moving domains, or moving hosts in the next while, the Duplicator Pro Plugin is cheaper than the paid UpdraftPlus. It costs $39 for the first year and less for recurring years, but you can setup many different backup locations and scheduled backup options. Most importantly though, it includes its own installer files so transferring/restoring your site only takes minutes and very little technical knowledge. The more active you or your users are on your website the more frequently you’ll want to keep backups. The free version allows everything but automatic backups and saving to Google Drive.
2. Update Your Plugins and Themes Regularly
WordPress and plugin developers don’t want hackers to find ways through their programs because if they do then people won’t buy them. They try to stay on top of the latest tactics and vulnerabilities and issue updates when they discover weaknesses. It’s crucial to update these plugins and themes as soon as possible (be sure to back up your information before updating as occasionally an update can have compatibility errors). This is key though. Old plugins and WordPress versions are one of the easiest ways for hackers to get in to hack your nonprofit website.
3. Create a Unique Admin Name
By looking at plugins that check for failed logins it’s easy to see that hackers try to log in to WordPress websites with admin as a username and use programs to try random words and character passwords. Unfortunately, if you’re not watching and you don’t have a limit on failed attempts this can work. To avoid it make sure when you set up your WordPress site you choose a username that is NOT admin, your domain, your nonprofit’s name, or your name. This will limit the chances of a successful brute force attack on your nonprofit’s WordPress site.
However, if you’re already using an “Admin” or similar username, you can’t simply change your username. Here are the simple steps to fix this.
- Create a New User with Your New Username and Administrative Privileges
- Logout and Login as the New Administrator Account
- Click Delete on the old admin account, making sure to attribute all its content to the new admin rather than deleting it.
4. Install a Security Plugin
This seems basic, but it is important, and if you don’t end up doing anything else at least do this. There are several WordPress Security Plugins out there but Wordfence does a fantastic job with even just their free version. These plugins allow you to block bad IPs from your site based on typical known attackers. They allow you to set a firewall, disable active scripts from executing in file directories and other technical stuff that I don’t understand or care to explain. They also allow you to limit failed login attempts and block IPs that try to log in to an “admin” user (that you hopefully don’t have as a username anymore).
5. Disable the File Editor
There is a default program inside of WordPress that allows admins to modify theme and plugin files without having access to the server’s backend. If a hacker got access to your admin account they could use that to create holes in your site that would then allow them to do whatever they want. Turning this feature off (as you probably won’t need it anyways) will keep this from happening. It will also keep you from accidentally editing files and crashing your site. Simply open your wp-config.php file and add the following line of code recommended by WPBeginner.com
6. Disable Directory Browsing
If you have access to the files on your server, likely through cPanel, you can edit your .htaccess file and add the following line of code to keep people and programs from being able to see the structure of your website. If this browsing is openly available then hackers could potentially scan for holes or vulnerabilities in your site. Open up your .htaccess file and add the following line
7. Update WordPress Security Keys
This one was new to me, but there is a way to add “security keys” to encrypt your passwords in WordPress. This will dramatically increase the difficulty in hacking your password. The good news is that it’s as simple as going to this site to generate a new set of random keys, copying them, and then opening your wp-config.php file and editing the following 8 lines to include your new keys:
// wp-config.php: replace every placeholder with a freshly generated value (AUTH_KEY is the first of the eight)
define('AUTH_KEY',         'Insert Your New Key');
define('SECURE_AUTH_KEY',  'Insert Your New Key');
define('LOGGED_IN_KEY',    'Insert Your New Key');
define('NONCE_KEY',        'Insert Your New Key');
define('AUTH_SALT',        'Insert Your New Key');
define('SECURE_AUTH_SALT', 'Insert Your New Key');
define('LOGGED_IN_SALT',   'Insert Your New Key');
define('NONCE_SALT',       'Insert Your New Key');
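As an added example that covers steps 5, 6 and 7 together (this is not code from the original post), the POSIX shell script below audits a WordPress install for the file-editor switch, the directory-listing setting, and security keys that are missing, still the shipped placeholder, or too short. It assumes WordPress' real constant names (DISALLOW_FILE_EDIT and the eight AUTH/SALT keys), WordPress' placeholder text "put your unique phrase here", and Apache's "Options -Indexes" directive; the sample site it writes is constructed for the demo.

```shell
# Added audit script (example code, not from the original post). It checks the
# three hardening items from steps 5-7. Assumptions: WordPress' real constant
# names (DISALLOW_FILE_EDIT and the eight AUTH/SALT keys), WordPress' shipped
# placeholder "put your unique phrase here", and Apache's "Options -Indexes".
# The files written by write_sample_site are constructed for this demo.

# Step 5: exit 0 only if wp-config.php disables the theme/plugin file editor.
file_editor_disabled() {
  grep -Eq "define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Step 6: exit 0 only if .htaccess switches directory listings off.
directory_browsing_disabled() {
  grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1"
}

# Step 7: print every key that is missing, still the placeholder, or shorter
# than 32 characters (keys from WordPress' generator are 64 characters long).
weak_security_keys() {
  for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
             AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
    value=$(sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$key['\"][[:space:]]*,[[:space:]]*'\(.*\)'[[:space:]]*);.*/\1/p" "$1" | head -n 1)
    if [ -z "$value" ] || [ "$value" = "put your unique phrase here" ] || [ "${#value}" -lt 32 ]; then
      echo "$key"
    fi
  done
}

# Constructed sample site: editor disabled, listings off, one strong key,
# one placeholder key, one short key, five keys missing entirely.
write_sample_site() {
  cat > "$1/wp-config.php" <<'EOF'
<?php
define('DISALLOW_FILE_EDIT', true);
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'zQ4vB8nL2kP6wR0tY3uI7oA1sD5fG9hJ2mN4cV6bX8eZ0rTqW1eR5tY9uI3oP7a');
define('LOGGED_IN_KEY',   'changeme');
EOF
  printf 'Options -Indexes\n' > "$1/.htaccess"
}

# Print a one-line verdict per item for the site directory given as $1.
audit_site() {
  file_editor_disabled "$1/wp-config.php" && echo "file editor: disabled" || echo "file editor: ENABLED"
  directory_browsing_disabled "$1/.htaccess" && echo "directory browsing: off" || echo "directory browsing: ON"
  echo "weak security keys: $(weak_security_keys "$1/wp-config.php" | tr '\n' ' ')"
}

site=$(mktemp -d) && write_sample_site "$site" && audit_site "$site" && rm -r "$site"
```

Point the three check functions at a real install's wp-config.php and .htaccess to audit it; the sample run should report seven weak keys, with only SECURE_AUTH_KEY passing.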
It was an ugly journey, but after my site was hacked I rebuilt from scratch and made it better than ever. So sometimes there’s a blessing in the storm, but it was still frustrating and used up a lot of my time. My wife was not exactly thrilled about the new work load. 😛
That’s exactly why I wrote this article, so that maybe I can help a couple of you to save yourself from this kind of headache.
Have any of you experienced a website being hacked? Share in the comments below to help inspire others to take preventative action immediately.