Another hacked site

I spoke with someone today whose WordPress site had been hacked.

Nobody likes to talk about it. But I'm talking to you about it.

I see it, now and then. Almost every time, it could have been prevented by a few simple measures.

  • Turn off unused accounts.

  • Configure restricted roles for most of your users, so only one or two people have full administrative rights.

  • Set up two-factor authentication for your CMS.

  • Educate your staff users so they select strong passwords.

  • Guard your email passwords as closely as your CMS passwords (because CMSs allow resetting the password through email).

  • Never delay in applying security updates for your CMS, your CRM, and all plugins and extensions.
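For the WordPress sites I'm usually looking at, most of the measures in that first list can be checked in a minute with WP-CLI (https://wp-cli.org/). The script below is an added example, not something from the site in today's story: it assumes WP-CLI is installed as `wp`, that you run it from the WordPress root, and that `MAX_ADMINS` reflects your own policy for how many full administrators the site should have. It only reads; it changes nothing.

```shell
#!/bin/sh
# Added example: a read-only WordPress audit built on WP-CLI.
# Assumptions: `wp` is on PATH, we are in the WordPress root, and MAX_ADMINS is
# the site's own policy (the post suggests one or two full administrators).
MAX_ADMINS="${MAX_ADMINS:-2}"

# Count data rows in a CSV stream (header excluded). Used on WP-CLI's
# --format=csv output, so the checks can also be exercised on constructed input.
csv_rows() {
    awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }'
}

# Reads the CSV from `wp user list --role=administrator` on stdin.
# Returns 0 when the administrator count is within policy, 1 otherwise.
check_admin_count() {
    n=$(csv_rows)
    if [ "$n" -gt "$MAX_ADMINS" ]; then
        echo "FINDING: $n administrators (policy allows $MAX_ADMINS); demote the rest to Editor or lower"
        return 1
    fi
    echo "ok: $n administrators"
}

# Reads the CSV from `wp plugin list --update=available` (or the theme/core
# equivalent) on stdin; $1 names the component for the report line.
# Returns 0 when nothing is pending, 1 when updates are waiting to be applied.
check_no_pending_updates() {
    n=$(csv_rows)
    if [ "$n" -gt 0 ]; then
        echo "FINDING: $n $1 update(s) pending; apply them now"
        return 1
    fi
    echo "ok: no $1 updates pending"
}

# Live audit against the site. Every command here is read-only.
audit_site() {
    rc=0
    wp user list --role=administrator --format=csv --fields=ID,user_login,user_email \
        | check_admin_count || rc=1
    wp plugin list --update=available --format=csv --fields=name,version,update_version \
        | check_no_pending_updates plugin || rc=1
    wp theme list --update=available --format=csv --fields=name,version,update_version \
        | check_no_pending_updates theme || rc=1
    wp core check-update --format=csv \
        | check_no_pending_updates core || rc=1
    # WordPress does not record last-login on its own, so "unused" accounts
    # cannot be spotted automatically: list every account and compare it by
    # hand against the people who actually still work on the site.
    echo "--- all accounts (review for leavers and forgotten logins) ---"
    wp user list --format=csv --fields=ID,user_login,user_email,user_registered,roles
    return $rc
}

# Only run the live audit when WP-CLI and a WordPress install are actually present.
if command -v wp >/dev/null 2>&1 && [ -f wp-config.php ]; then
    audit_site
fi
```

Run it from a cron job or before each maintenance window and treat any `FINDING` line as work to do today, not next quarter. The two-factor and strong-password items from the list are not covered here because they depend on which plugin you use for them; check those by hand.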

While you're at it, think now about what you will do if and when your site security is breached:

  • Make a plan for notifying your constituents about possible data disclosure. What will you tell them? What are the criteria that will determine whether you tell them or not?

  • Ensure you have a solid backup plan, because recovering from a breach often means reverting to a backup.

  • Decide who you will call, whether it's to help you recover from a breach or to answer questions when you think there may have been a breach.

In today's case, we were able to act quickly. We immediately locked down the site and took it offline, determined the date and time of the breach, and reverted to the most recent backup before that happened.

They're back online, and they're taking steps both to prevent it from happening again, using some of the measures above, and to have a plan ready in case it ever does.

It's not pretty.

You hope it will never happen to you.

But hope is not a strategy.

Take steps now so you can reduce the likelihood of it happening to you, and so you can be prepared to act quickly and decisively in case it does.

If you have questions about any of this, hit reply and let me know. I'll be happy to share more information about ways you can make progress in this area.

Whatever you do, don't gamble with inaction.

It's better to think about it now — when you don't have to — than to be forced to think about it later because you were unprepared.

All the best,
A.
