My WordPress site has been hacked by the Pharma Hack.
It’s sad, yes, I know, I should have properly secured my site years ago. I assume one of the reasons my site was hacked was due to a large portion of my print design portfolio containing Pharmaceutical Ad Campaigns. The hack was spotted by a good friend, @mozami, who noticed my Google listing had loads of Pharma keywords which had nothing to do with my site.
This hack has cost me dearly with regard to my site’s SEO health which dropped dramatically as soon as it hit. I haven’t been taking care of this site much for some time though so I only noticed it way later which is even worse for the SEO ranking points I’ve lost over an extended period of time.
I reported the incident to Google via their webmaster tools, but it took quite some time after they acknowledged my report until the Pharma keyword listings were finally removed. The Pharma hack is one of the particularly nasty ones: in many cases hidden files, often undetectable at a glance, are added, which means your entire WordPress installation needs to be cleaned out and restored with a fresh copy. This includes your theme’s files, plugins, the works.
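An added example, not part of the original post: one way to see what a cleanup has to deal with is to hash every file in the live install and compare it against a fresh copy of the same WordPress version, themes and plugins. The function names and the sample trees (file names and contents) are constructed for illustration.

```python
import hashlib
import os
import tempfile


def file_hashes(root):
    """Map each file's path (relative to root) to its SHA-256 digest.
    os.walk does not skip dotfiles, so hidden files are included."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def compare_trees(site_root, clean_root):
    """Compare a live install against a fresh copy of the same version."""
    site, clean = file_hashes(site_root), file_hashes(clean_root)
    return {
        "added": sorted(set(site) - set(clean)),      # not in the fresh copy
        "modified": sorted(p for p in site.keys() & clean.keys()
                           if site[p] != clean[p]),   # content differs
        "missing": sorted(set(clean) - set(site)),    # deleted from the site
    }


def write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Constructed sample trees; file names and contents are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = os.path.join(tmp, "clean"), os.path.join(tmp, "site")
        for root in (clean, site):
            write(root, "index.php", "<?php // loader\n")
            write(root, "wp-includes/version.php", "<?php // version\n")
            write(root, "wp-content/themes/demo/header.php", "<?php // header\n")
        # Simulate what a cleanup has to find: one extra hidden file, one edit.
        write(site, "wp-content/plugins/.cache.php", "<?php // unexpected\n")
        write(site, "wp-content/themes/demo/header.php", "<?php // changed\n")
        return compare_trees(site, clean)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

On a real site, wp-config.php and everything under wp-content/uploads will show up as "added" because a fresh download does not contain them, so those entries need a manual look rather than automatic deletion.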
Security Plugins are a Dime a Dozen
I’ve since tested and implemented quite a range of plugins, some extremely simple but hardly effective at all and others extremely complicated and sensitive, to the extent that I even managed to block myself from accessing my dashboard.
Secure WordPress with Website Defender
One of the plugins which seems to work really well currently is Secure WordPress, which applies a few initial fixes and then, when linked to a Website Defender account, tracks additional vulnerabilities and hack attempts and reports them via a highly intuitive dashboard. The system even tracks when your site goes down and reports it to you as soon as it detects downtime.
In the dashboard you’ll see possible vulnerabilities listed according to their urgency level, and clicking on each one gives much more detail on what the problem could be, how it may affect your site and how to resolve the issue. Of course, not all the files and problems detected are “real” threats, so you have the option of marking an issue as resolved or ignoring it. This allows you to keep a realistic view of what remains to be fixed and what the threat level of your site currently is.
The plugin also provides the solution, with additional links to external sites which discuss the particular security threat posed by the issue being viewed.
After applying some of the fixes and marking them as completed, the Website Defender dashboard reflects the current updated threat level, so I always have a good idea of the security health of my site. When new issues are detected I get emails notifying me of these new possible threats and my security level changes accordingly.
These fixes are by no means exhaustive and there are many ways of hardening the security level of your WordPress site.
A few simple security tips include:
- Use a non-standard database table prefix when setting up your site in the beginning. wp_ is the standard one.
- Don’t use “admin” as your default admin username; choose something unique.
- Keep your WordPress updated to the latest version. This should include plugins as well. Hackers can exploit vulnerabilities in older versions of WordPress to get into your site.
John Hoff at securemyblog.com has some excellent advice, video tutorials as well as an E-Book covering the topic of website security.
naeem says
Be sure to have your site signed up with Google Webmaster Tools. So if you get that malware warning, they send you a notification email and once you clean up, they remove it within a few hours.
nomadone says
Yep, good advice. I was signed up with Webmaster Tools, never received a warning, and after reporting the hack it was not removed within a few hours. Google’s response time varies drastically from case to case. In my case it took at least 2 weeks before the spammy search results were removed.
Mahmoud Taji says
Thanks for the tip man, am securing my WordPress sites as I write this.
Would SiteLock help with stuff like this as well or not really?
Jazak Allah Khier,
taji
nomadone says
Hey Mahmoud, I would highly advise WordPress Firewall 2 as a security measure. It tracks and blocks malicious attempts to inject code and generally protects against some of the nastier hacks. I’ll try to put together a list of tools and tricks to properly secure your WordPress install, but even if you do everything, someone who really wants to get in and is skilled enough will probably be able to.
Best protection is to always have regular clean backups, keep things updated and keep watch.
There’s a great service called Website Defender, which has a plugin called Secure WordPress which notifies you of any suspicious activity on your site and even tells you when your site is down.