Last weekend, Bluehost closed down my site. After spending significant time on the phone with support, I came to the conclusion that I needed to nuke the entire site down to the ground. The WordPress install was simply too corrupt to continue or repair.
Since my secure shell access was revoked at the time, I used their control panel to entirely remove my public_html folder. They ran a scan on my account, found no further malware, and allowed me back in.
To recover, I re-installed a fresh copy of WordPress using Bluehost’s control panel tools. I then used Cyberduck (for SFTP) and secure shell to upload my WordPress database and image uploads. That’s the site you’re reading today.
I reverted my theme back a few years to a version I knew was safe. I use a customized version of the open source Frank theme. Rather than pull down a new copy, I wanted to keep my tweaks that supported the ads on the right side of the screen. They don’t produce much money, but they help offset the hosting costs involved in running this blog.
I also installed the following plug-ins, some old, some new:
- ActivityLog: “Get aware of any activities that are taking place on your dashboard! Imagine it like a black-box for your WordPress site. e.g. post was deleted, plugin was activated, user logged in or logged out – it’s all these for you to see.”
- Really Simple SSL: “Lightweight plugin without any setup to make your site SSL proof”
- WP fail2ban: “Write all login attempts to syslog”
And on a less security-related note:
- oEmbed Gist: “Embed source from gist.github.”
- WP to Twitter: “Posts a Tweet when you update your WordPress blog or post a link, using your URL shortener.”
Most importantly, I use Updraft Plus: “Backup and restore: take backups locally, or backup to Amazon S3, Dropbox, Google Drive, Rackspace, (S)FTP, WebDAV & email, on automatic schedules.”
My daily database backups and my weekly upload backups (only for the current year; I already have backups for previous years) ensured I could get my site back up and running within hours of the most recent hack.
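The WP fail2ban plugin listed above only writes login attempts to syslog; the actual banning is done by fail2ban on the host, which counts matching lines per source address inside a sliding time window. As an added example (not part of this post, and not the plugin’s or fail2ban’s own code), here is that threshold check run over constructed syslog lines; the message wording and the `wordpress(host)` syslog tag are assumed from the plugin’s bundled filter rules, and the IPs and timestamps are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: three WordPress sources plus one unrelated sshd line
# that the WordPress-specific parser must ignore.
SAMPLE_LOG = """\
Mar  3 10:00:01 host wordpress(example.com)[1234]: Authentication failure for admin from 203.0.113.5
Mar  3 10:00:04 host wordpress(example.com)[1234]: Authentication failure for admin from 203.0.113.5
Mar  3 10:00:15 host wordpress(example.com)[1234]: Authentication failure for admin from 203.0.113.5
Mar  3 10:01:00 host wordpress(example.com)[1234]: Authentication attempt for unknown user root from 192.0.2.9
Mar  3 10:02:00 host sshd[99]: Failed password for root from 203.0.113.5 port 22 ssh2
Mar  3 10:03:00 host wordpress(example.com)[1234]: Authentication failure for editor from 198.51.100.7
Mar  3 10:30:00 host wordpress(example.com)[1234]: Authentication failure for editor from 198.51.100.7
Mar  3 10:31:00 host wordpress(example.com)[1234]: Accepted password for editor from 198.51.100.7
"""

# Syslog prefix with the plugin's assumed "wordpress(<site>)" tag.
LINE_RE = re.compile(r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ wordpress\([^)]*\)\[\d+\]: (?P<msg>.*)$')
# "hard" = unknown username (ban immediately); "soft" = wrong password for a real user.
HARD_RE = re.compile(r'^Authentication attempt for unknown user .* from (?P<ip>\S+)$')
SOFT_RE = re.compile(r'^Authentication failure for .* from (?P<ip>\S+)$')

def parse(line):
    """Return (timestamp, ip, 'hard'|'soft') for a WP fail2ban failure line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(re.sub(r'\s+', ' ', m['ts']), '%b %d %H:%M:%S')
    for kind, rx in (('hard', HARD_RE), ('soft', SOFT_RE)):
        h = rx.match(m['msg'])
        if h:
            return ts, h['ip'], kind
    return None  # successful logins and other messages are not counted

def offenders(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Map each IP that should be banned to the time the decision was made.

    Mirrors fail2ban's maxretry/findtime sliding window for soft failures;
    a hard failure (unknown user) bans on first sight.
    """
    recent, banned = defaultdict(list), {}
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or ev[1] in banned:
            continue
        ts, ip, kind = ev
        recent[ip] = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        if kind == 'hard' or len(recent[ip]) >= maxretry:
            banned[ip] = ts.strftime('%b %d %H:%M:%S')
    return banned
```

With the sample above, 203.0.113.5 trips the three-strike window, 192.0.2.9 is banned on its single unknown-user attempt, and 198.51.100.7 is left alone because its two failures are 27 minutes apart and it then logs in successfully.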
I still hate WordPress. I still wish I could run a static site and get comments and other great stuff in one convenient package. However, WordPress does the job I need it to do. It’s simple to write posts and interact with you.
My website is all about this connection. I don’t do any e-commerce. It’s basically a passion project rather than anything I do for business-related reasons. I like having somewhere I can get thoughts out of my head and share them with other people. Beyond that, I don’t really have any important agendas, and I don’t have the time in my life to perfect my security or delivery tools.
I want to thank everyone who sent me messages of encouragement and support during my latest hack. I appreciate the comments and the suggestions. I now have a great list of static solutions (including github.io and DNS redirect) to fall back to if I must. Yes, I’m sticking with the crappiest solution right now. I’m doing so because it’s the path of least resistance, not because I don’t prefer your suggestions.
For those with more time and more investment, the popular consensus seems to be using Jekyll/github.io with disqus comments. Other suggestions included Hugo (gohugo.io), GetGrav (getgrav.org, “No Ruby, supports comments, fun to play with”), Ghost (ghost.org), and AWS Lightsail.
I don’t know why anyone would want to hack my nothingburger of a site but I’m glad I have friends out there who helped when they did.
4 Comments
Glad to see you back 🙂
I think WP Fail2ban is not useful if you don’t have fail2ban installed on your hosting. If you can have fail2ban installed, it’s a great tool.
And have a look at the Wordfence plugin: the free version can block a lot of attacks and scan your website for trojan, etc…
Also: change the admin username: change it to whatever you want, and tell Wordfence to ban anyone trying to use ‘admin’.
Source: I manage 60 WP sites for a living (I also do iOS dev, that’s why I read you)
Feel free to ask if you need advice, I’ll be glad to help you.
You’re in luck about the oEmbed Gist plugin: WordPress has built-in support for embedding gists, so you can remove it. Try it out: paste the full URL to your Gist in a WordPress post or page, and even before you press return it turns into code. Magic!
I have been exploring Vapor and although it would be a little more work, you might be able to build something more secure with it.