A Spider Web of Security for Spring Break

So in case you thought I went on vacation…

Well, my site sure did.

18+ years of not being hacked and finally it was my turn to get hit. Even though I supposedly was on a secure server and had lots of protection going on, I got hit with a hack attack.

Wasn’t even my fault. It wasn’t anything I did. Turned out it was some other site I had no control over that was flawed, and as a result, every single WordPress PHP file got infected with a batch of bad malware code on line 1. Yes, hackers think I’m number one. With a definite bullet.
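An added example, not from the original post: a Python sketch that checks a site tree for the symptom described above, code prepended to line 1 of PHP files. The thresholds, the marker list and the sample tree are assumptions constructed for illustration; the post does not describe the payload.

```python
import os
import re
import tempfile

# Heuristics are assumptions for this sketch; the post does not describe the payload.
MARKERS = re.compile(rb"(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
MAX_FIRST_LINE = 300  # bytes; a normal first line is "<?php" or a short comment

def check_first_line(line: bytes) -> list[str]:
    """Return the reasons a PHP file's first line looks injected (empty if clean)."""
    reasons = []
    if len(line) > MAX_FIRST_LINE:
        reasons.append("long-first-line")
    if MARKERS.search(line):
        reasons.append("obfuscation-call")
    if line.lower().count(b"<?php") > 1:
        reasons.append("second-open-tag")
    return reasons

def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk root and map each flagged .php path (relative to root) to its reasons."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    first = fh.readline(65536)  # cap the read; injected lines can be huge
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            reasons = check_first_line(first)
            if reasons:
                flagged[os.path.relpath(path, root)] = reasons
    return flagged

def build_sample_tree() -> str:
    """Constructed sample: one clean file, one with a harmless stand-in on line 1."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    os.makedirs(os.path.join(root, "wp-includes"))
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"<?php\nrequire __DIR__ . '/wp-blog-header.php';\n")
    with open(os.path.join(root, "wp-includes", "load.php"), "wb") as fh:
        fh.write(b"<?php eval(base64_decode('" + b"QUFB" * 100 + b"')); ?><?php\n// original\n")
    return root

if __name__ == "__main__":
    for path, reasons in sorted(scan_tree(build_sample_tree()).items()):
        print(path, ", ".join(reasons))
```

A hit is a reason to compare the file against a clean copy of the same WordPress or plugin release, not proof of infection on its own.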

It was part of a two-week period where FIVE client sites went down. Mostly due to malware and in a couple of cases, an entire server went down due to network issues. Great. Nice way to have a Spring Break.

I wrote about this in a lengthier article for Vegas2LA a couple of months back and a lot of great information is up there. But let me hit on a few points for you webheads out there. Because doing this is no longer optional, it’s pretty much a requirement.

Get Security Protection

Your web host just isn’t enough. Especially if you’re on a shared hosting account, you’re going to get hacked and it may be as the result of another site on your server. That’s what happened to me. Some hosts provide their own security packages, usually for about ten bucks a month. Most rely on you to select a qualified security protection company, and many people are happy simply using plugins like BruteProtect, WordFence or Drupal’s Security Kit. Others go even farther with the Sucuri service, a service that has become so popular and so invaluable that Sucuri is taking advantage by increasing their base rate first from $89 to $99, and now to $199. Ouch. Still, these services, while not perfect by any stretch, are the key to preventing sleepless nights for you.

Update everything

This is one thing a lot of web developers tell you not to do. Don’t update when a new version of your CMS comes out. Same with plugins…especially on major updates, since it could screw up various portions of your current install. However, in many cases, one of the reasons you need to update is because there may be malicious code on the current version you’re running and it needs that update to keep working! So I update my plugins whenever I can. It’s especially easy in WordPress where I can just update on my phone while on the road. Great time saver.

Make that password really hard to remember

This is one I know draws a lot of frowns from people. It’s hard enough to remember adam123, but something with capital letters and exclamation points? Yes, I’m saying you’re going to have to start coming up with “stronger” passwords that are difficult to remember…but I’m not going to go as far as to say to use completely different passwords for each of your accounts. Even with services like LastPass, you should come up with a strong password and make some variations of it. That way, if you do have an issue typing in a password and it’s wrong, it might be as simple as just changing one letter.

And make it something that relates to you! For example, here’s a play on my own name. And before you get any ideas, I do not use this as any of my passwords:


See what I did here? Played off my own name, inserting a couple of numbers, used an exclamation point as kind of a pipe separator and then used “67” which is my year of birth. Great. I can remember that.

Except now I’ll never use it.

And these are just a couple of ideas to make your site more secure and less susceptible to a hack attack. And while some cost money, it’s probably better to go with something like that than paying me my hourly rate to fix these messes. It’s like the old Fram Auto Parts commercials from the 70s and 80s. Applied to cars then and applies to computers now.