Basic website security is one of the most important things you can do to stop or slow down hackers and spammers in their tracks. Here are some quick steps to deter malicious site visitors.
Have a strong password. I understand it’s tough remembering your password. If you have a basic password like 123456 or johnsmith1 or baseball if you haven’t been hacked yet you’ve been lucky. Hackers use programs that can try thousands of combinations per second until it gets the right one. Have an easy one that is just numbers or just letters can be cracked fairly easily. Try to have numbers, letters, upper and lower case letters and symbols.
Use different passwords on every site. If you have the same password on every site and email addresses, all a hacker has to do is crack your password once and they have access to everything you do online. If you have trouble remembering your passwords get a password manager like RoboForm for example. A password manager will let you manage passwords on all of your devices and they are secured by you guessed it, another password. At least with a password manager you just have to remember one password and you can have different passwords everywhere.
Scan your computer for Viruses and Malware. A simple virus and malware check could stop hackers from stealing your personal information. I use a combination of several free products to keep my computers clean. I use Avast AntiVirus, MalwareBytes Anti-Malware, SuperAntiSpyware, SpyBot Search and Destroy, Advance SystemCare and CCleaner. You don’t need all of them but it’s good to have them installed in case you need them. You should scan your computers every once in a while.
Use a Firewall. On your computer and on your website server. For years I was using third party software firewalls on my computers. Recently I switched to using the Windows built in firewall and haven’t had any issues. For your websites your server should have some type of firewall whether it be ConfigServer or another program that will block IP addresses of multiple failed login attempts and something to scan your server for malicious files.
For your Website. This section itself is the reason I wrote this article. I was having a spammer issue, like I’ve never had before. Every couple of days one of my servers would get shut down. I talk to the server administrator and see if he can fix it. He scans it finds some funny files and deletes them. A couple of days pass, the same thing happens again. This goes on and on for a few weeks. I change passwords several times, scan my computers, delete unneeded files from the site, etc… A lot of times just changing the passwords will fix the issue. It didn’t work.
I kept complaining to the server admin and he kept saying, it’s clean. Then of course the spamming starts again. These are 10’s of thousands of spam emails being attempted per day. I decided I’ll try to run a couple of WordPress security plugins since the affected site is based on WordPress.
I install WordFence. Run a scan. It finds theme files that were changed and a couple of malicious files. I reverted back the theme files and got rid of the malicious files. Remember I made a backup before doing this. Don’t forget to keep backups when you start messing with your files. The spamming stopped.
Two days pass. More spam. Ok the server admin can’t figure it out, so I’ll try something else. I install Sucuri scanning program. You can run a scan yourself without WordPress directly at their site. It turns out I have hidden Javascript on one of my pages and I guess that was giving them access. I fixed the page by deleting the javascript manually. Then I took it another step further and installed iThemes Security. It found a couple of shady files that the other programs didn’t find. It also recommended some configuration changes which I made.
I hate recommending so many plugins for a site since they conflict with some plugins and make it a little harder to login and stay logged in until you get the hang of them. I actually started this post a couple of days ago but stopped writing it because I kept getting login errors. I ended up fixing it by whitelisting my IP for 24 hours with iThemes Security.
Knock on wood. It’s been a couple of weeks and no more spammers. Hopefully this will save you time on troubleshooting your site when your server admin can’t figure out what’s going on.
