There are multitudes of bots out there, and they're not all as friendly as this guy.
Evil Robots Want In On Your Web Party
"Wait. What's a bot?" you might ask. A bot is a piece of automated software with a set of predetermined functions. On the web, robots are also referred to as crawlers, spiders, harvesters, and scrapers. These terms describe what most of them do, which generally involves gathering information that's then used in everything from building indices and directories, to analytics and marketing, to spamming and identity theft.
While many bots are benign, others are more malignant -- also called hackbots -- and can inject malware into a site's file system or database. These pieces of malevolent code can start a download when the site is visited (usually some sort of trojan), insert spammy content into the site itself, send visitors elsewhere, and even infect other sites.
So how does malware get on a website in the first place? Some malware on the internet is spread directly by executables (compiled software) running on a server operated by a live person (often referred to as "bot farm"), but much of it is spread by sites that are already infected. The latter is the fastest delivery method. More often than not, it's a bot or some pre-made script that's on the front lines of the attack. Fortunately, these are relatively easy to avoid since they're all automated and -- for the most part -- predictable.
So what can we do to protect our websites from these nasty robots?
Your Best Bouncer Is Your Host
Your website needs a good home. So, the hosting environment should be formidable. Otherwise, some mean automaton punks might break in, eat all your nuts and bolts, wreck the place, and leave a big mess for you to clean.
It's best to subscribe to a Virtual Private Server. At the very least, avoid shared hosting services, where hundreds (oftimes thousands) of websites are hosted in the same server, increasing each one's risk of exposure to malware and enabling its spread thereafter. We won't get into the inner workings of server security or how to pick the best hosting here, but in the meantime, you can check out PC Mag's "The Best Small Business Web Hosting Services for 2014".
Mr. and Mrs. Hackbot Want To Speak With the Manager
Ah, Content Management Systems. The debate regarding the "best" CMS rages on, and it will probably go on for many years. However, at the end of the day, a CMS only manages content (for the most part). None are invulnerable, and every one has its own list of security holes. If a hacker really wants to poke in and cause trouble, it's probably going to happen anyway.
Nonetheless, it's nice to have a solid platform on which to build and manage your website, and there are many ways to toughen them up against intruders. Since WordPress is one of the most popular and user-friendly, runs on many host providers' servers, and has an astounding amount of community contributions, let's take a look at how to secure a site running on it.
For the tech geeks out there, there's also an official article on "Hardening WordPress".
Welcome To The Party! What's The Password?
Batman and Robin can't protect you -- well, at least when it comes to passwords. All nouns and any other dictionary words are always a bad idea. Common usernames and weak passwords are easy pickings for malware robots, which always try dictionary hacking first. Even strings like "qwertyuiop" or "zxcvbnm123" are most likely on some hackbot's list somewhere. There are tens of thousands of websites and servers with intrusive scripts poking at administrative logins at this very moment. Most won't get through, but some will, especially if the username and password involve superheroes or celebrities.
Strong passwords are good passwords. Use them for your FTP, client portal, hosting control panel, CMS admin area... everywhere! What makes a password "strong"? As much randomization and as many special characters as possible. Here's an awesome and very handy "Strong Password Generator".
While we're on the subject, it's also a good idea to NOT use "admin", "administrator", or "user" as your administrative username.
Sorry, That Ticket's For Last Week's Show
Keep your core installation, themes, and plugins up to date -- I can't stress that enough. So here, let me say it once more. Keep your core installation, themes, and plugins up to date! Getting the latest developer releases ensures a more reliable and stable working environment for your website's CMS by patching bugs and vulnerabilities. This applies especially to plugins, which are designed to tack on functionality not inherently available in the CMS. Sometimes, those extras also create new security holes that can be exploited.
Your installation's on the bleeding edge of updates, and you've chosen tougher passwords that would take an entire army of bad robots to crack. Now what?
There are two core files prone to the most attacks on any website running on Apache and PHP, regardless of the CMS: the database connection and htaccess files. Limiting access to these two files is a top priority in malware prevention.
.htaccess - The
wp-config.php - Every CMS needs some connection to the database. That involves keeping a username and password in some sort of configuration file. The wp-config.php not only sets some parameters for your WordPress installation. It is also the handshake between the CMS core and all your content. That means a bot could potentially get access to anything and everything stored in that database, which might sometimes contain sensitive or personal information normally accessible from the admin area only.
Well, what to do, what to do...?
Security Guards At the Front (and Back) Door
Thankfully, there are two fantastic plugins that can serve some extra guard duty, and their easy-to-use interfaces do much of the heavy lifting for us.
iThemes Security (formerly known as Better WP Security) has several tools to make an evil robot's digital life miserable while making things easier for site administrators. Here are just a few things you can do with this plugin:
- Restrict access to .htaccess and wp-config.php
- Enforce strong passwords for admins, authors, and subscribers
- Block common malicious bots and user agents
- Ban users by IP
- Protect your admin area from brute-force logins
- Back up your database on a schedule
Grab iThemes Security here
WordFence acts as a flagging system, displaying warnings on your WordPress dashboard or sending alerts by email. WordFence can check for new versions of WordPress and your installed plugins, detect changes in your files by checking them against a repository, and warn you when something suspicious has been found amongst the files themselves. It also has a top-notch caching option to reduce load times and increase page performance.
Download WordFence from here
Much Security. Very Plugins. So WordPress. Wow.
TLDR? Find a good web host. Update your installation. Use strong passwords. Install security plugins. Protect your htaccess and config files.
No website is impregnable, but a few security measures is all it takes to keep most of those evil robots out.
"Everything You Need To Know About The iThemes Security Plugin"
"Secure Your WordPress Website with Wordfence"
"Protect WordPress sites with .htaccess"
3 thoughts on “How To Protect Your Website From Malware”
Excellent read John! May you never have to clean another hacked site again!!
I recently had one of my clients websites hacked.
Every time a visitor logged on to the website it would redirect to an online watch website from russia (.ru)
I tried everything to fix it and eventually i ended up having to delete everything from the server and rebuild the website.
3 days later, it go hacked again. The site was built in WordPress. So i deleted everything……AGAIN. Then i built the website in a bit of software i still had on my laptop called Net Objects fusion.
The site has not been hacked in a few months since so i think most issues are probably wordpress related when it comes to hacking so there for a Plugin is going to be the answer. The question tho is which one?
Thanks for sharing John!
A lot of web developer tend to overlook on the importance of website security but it’s a major issue especially if you’re running a generic wordpress theme.
Plugins are one of the easiest target for hackers as well.
So I would strongly advice to stay away from plugins that you don’t need.
Comments are closed.