It has been a while since I have posted. I have been extremely busy doing other job related tasks, one of which is protecting our church websites that have been compromised. Some hackers have a political/social agenda, some just hack for the self satisfaction of knowing they can. Unfortunately the collateral damage done by these people can take up ridiculous amounts of time cleaning up after their tantrums. I have learned a lot in the last few months about SQL injection attacks, Trojan Horses, Denial of Service Attacks, etc., much more than I had originally intended. Finally, after playing Whack-A-Mole with these guys for months, I went back to square one. Along with my good friend Chase, we rebuilt from the ground up some 25 church websites that had suffered some type of infiltration. It was amazing what we learned and found. In one instance, there had been a Trojan Horse embedded in a file on the site for over a year. In another, we found that by simply incorrectly typing the cpanel directory name (the place where all of the development and administrative tools are kept) incorrectly, we kicked off a program that hijacked the website and captured keystrokes, unbeknownst to the user or the web host. It was these kinds of issues that forced us to re-do everything. It was a mess.
We did find a terrific tool that I highly recommend to anyone who has a WordPress.org website. It is called WordPress Security Checklist from Ayoro SAS. It is a step-by-step guide to securing and hardening your WordPress site. It was very straightforward and easy to understand. The document and plugins are free, although after you use this I would certainly encourage a “thank you” (you decide what that means 😉 to Anders Vinther and his team at Ayoro. Since I have implemented this on our WordPress sites, I have received daily notices of different types of attacks on our sites that have been repelled by the series of tools and plugins. Previous to this I would not of known until after the attack had occurred and I would be forced to repair/restore the site once again.
It was a lot of work (I won’t kid you!) but to date it has been well worth it. If you have a WordPress.org site (I am not sure if this works with a wordpress.com site), I strongly urge you to harden and secure your site even if you have not experienced a problem before.