I was very confident about my website's security until it got hacked by an awesome hacker asking for profit via Bitcoin.
Many of you may have noticed that for the past few days our website's contents were not available, because Techbiriyani.com was hacked. Yes, it is one of the more painful admissions that can be made on the internet. We want you to know that when we say we "give a SHIT", we mean it. We had a backup!
See how we secured our WordPress website after it was hacked by anonymous attackers.
Our team alerted us that unauthorised individuals had accessed our database, altered all our database tables, deleted content and added a warning message to our database.
The hacker even put a price on our content to get it back (around 1 Bitcoin), which he mentioned in a new database table 😛
An ounce of prevention is worth a pound of cure.
Having your site hacked is a BIG mess to fix. It can take a full day or more to recover and repair it. Fortunately, we had been taking backups of our content on a daily basis. If you don't fix your website quickly, it will hurt your site's SEO, and your traffic can take a big hit if Google decides to blacklist your site.
We are taking this incredibly seriously and are doing everything possible to continue to improve the security of our website. We appreciate the support across the web for our contents. Stay safe.
Be Serious With Your Website Security
This can happen to any of us. The immense popularity of WordPress gives hackers an easy way to find sites that are less secure, so they can exploit them more easily. Hackers have different intentions, such as distributing malware, using a site to attack other websites, or spamming the internet. So let's look at some important steps we took to protect our website from serious attackers.
#1 Disable PhpMyAdmin
When it comes to PHP and WordPress, phpMyAdmin is an unavoidable tool for managing the database and its tables. But we must stop unauthorized access to our database, as it is the heart of any WordPress site.
Enable / Disable PhpMyAdmin
I recommend that you disable phpMyAdmin when you are not using it and enable it only when you need to manage your database.
On Apache (Debian/Ubuntu), you can disable phpMyAdmin by disabling its configuration snippet; reload Apache afterwards for the change to take effect:
sudo a2disconf phpmyadmin.conf
Enable it again with:
sudo a2enconf phpmyadmin.conf
#2 Enable two-factor Authentication
Secure your WordPress login with this Two Factor Authentication plugin.
This plugin secures your WordPress website with two-factor authentication (TFA / 2FA) and requires a one-time code in order to log in to the admin dashboard. It supports the standard TOTP and HOTP protocols (and so works with Google Authenticator, Authy, and many others).
I used Google Authenticator to generate the codes.
Google Authenticator > Scan QR code
You will be asked whether you would like to enter the site manually or scan a barcode. Select the scan barcode option and point your phone's camera at the QR code shown on the plugin's Settings page.
That's all; your authenticator app will now store the secret. The next time you log in to your website, you will be asked for the two-factor auth code after you enter your password. You can get it by opening the app whenever you need it.
#3 Limit Login Attempts
By default, WordPress allows users to attempt to log in as many times as they want. This leaves your WordPress site vulnerable to brute-force attacks, in which attackers try to crack passwords by attempting to log in with many different combinations.
This can easily be fixed by limiting the number of failed login attempts a user can make. If you are using a web application firewall in front of your site, this is usually taken care of automatically.
If you don't have a firewall set up, proceed with the steps below.
First, install and activate the Limit Login Attempts Reloaded plugin by WpChef.
Upon activation, visit the Settings » Limit Login Attempts page to set up the plugin.
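To see what such a plugin is reacting to, here is an added example (not the plugin's code) that runs over constructed web-server access-log lines and flags clients with a burst of failed wp-login.php POSTs; the threshold of four attempts in five minutes is an assumption, not the plugin's setting.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format; only IP, timestamp, request line and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line: str):
    """Return (ip, timestamp, method, path, status), or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def is_failed_login(method: str, path: str, status: int) -> bool:
    """A default WordPress install re-renders wp-login.php with HTTP 200 on a failed login
    and answers 302 (redirect to wp-admin) on success, so only POSTs with 200 count."""
    return method == "POST" and path.split("?")[0] == "/wp-login.php" and status == 200

def find_login_bursts(lines, max_attempts: int = 4, window: timedelta = timedelta(minutes=5)):
    """Return {ip: peak_count} for clients exceeding max_attempts failed logins within
    any sliding window of the given length."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_failed_login(rec[2], rec[3], rec[4]):
            failures[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > max_attempts:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

# Constructed sample log (addresses from the RFC 5737 documentation ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2018:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412',
    '203.0.113.7 - - [10/Mar/2018:09:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412',
    '203.0.113.7 - - [10/Mar/2018:09:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412',
    '203.0.113.7 - - [10/Mar/2018:09:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412',
    '203.0.113.7 - - [10/Mar/2018:09:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3412',
    '198.51.100.4 - - [10/Mar/2018:09:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3100',
    '198.51.100.4 - - [10/Mar/2018:09:01:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]
```

Running `find_login_bursts(SAMPLE_LOG)` flags only 203.0.113.7; the legitimate user at 198.51.100.4 (one page load, one successful login) is not reported.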
#4 Change WordPress Database Prefix
You might have noticed that WordPress uses wp_ as the prefix for all tables in its database. If you set up your WordPress website with its default configuration, it will use this default prefix, which makes it easier for attackers to guess your table names. This is why we recommend changing it.
To change your database prefix, follow our step-by-step guide on how to change the WordPress database prefix for improved security.
#5 Move Your WordPress Site to SSL/HTTPS
Secure your website with an SSL certificate to encrypt data transferred between your website and a user's browser. SSL (Secure Sockets Layer) is a protocol that acts as a security layer between your website and your visitors.
Once SSL is activated, your website will be served over HTTPS instead of HTTP, and a padlock icon will appear next to your website address in the browser.
Top SSL providers are:
- Network Solutions
- Entrust Datacard
Because of the high cost of SSL certificates, most website owners opted to keep using the insecure protocol.
To fix this, a non-profit organization called Let's Encrypt decided to offer free SSL certificates to website owners. The project is supported by Google Chrome, Facebook, Mozilla, and many other companies.
Fixing a Hacked WordPress Website
Many WordPress users, including me (seriously), didn't realize the importance of backups and website security until their website was hacked.
Cleaning up a hacked WordPress website can be very difficult and time-consuming. Our first advice would be to let a professional take care of it.
Hackers install backdoors on affected sites, and if these backdoors are not removed properly, your website will likely get hacked again.
Allowing a professional security company like Sucuri to fix your website will ensure that your site is safe to use again. It will also protect you against any future attacks.
For the adventurous and DIY users, we have compiled a step-by-step guide on fixing a hacked WordPress site.