Having a WordPress site is loads of fun. Being able to create content, make your own edits and upload images and documents without having to contact your web designer is an absolute delight. However, dealing with hackers and spammers is not that great. Granted, hackers and spammers do attack non-WordPress sites too, but they seem to target WordPress more often. There are of course ways to protect yourself.
How do you know if your site has been hacked? If you notice weird spammy words in your website content or in your Google search results, or if your site redirects to a strange URL, then you’ve been hacked. If you’re not 100% sure, try Sucuri SiteCheck. It will scan your site for malware, blacklisting and out-of-date software for free.
How did this happen? Hackers either managed to figure out your FTP password or they exploited a vulnerability in the WordPress core files or in a plugin.
Here are a few things you can do to prevent this from happening:
- When creating FTP passwords, use a generated password that cannot be pronounced and mixes a few symbols with upper and lowercase letters. Of course these passwords will be more difficult to remember, but using a tool like 1Password or LastPass can help.
- Make sure to upgrade your WordPress site every time a new version comes out. These updates usually include fixes to vulnerabilities and are very important.
- Make sure you upgrade your plugins as well, for the same reason. If you have lots of plugins and aren’t using them all, don’t just deactivate them: delete them.
If your site has been hacked, then you’ll need to clean up the files. I normally delete the WordPress core files (everything but wp-config.php and the wp-content folder) and re-install everything. I also do a manual scan of the theme files to make sure that hackers haven’t messed anything up. If this feels a bit intimidating, you might want to contact Sucuri Security. For a small fee they can clean up infected sites, and you can also hire them to scan your site and keep an eye on it annually.
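A scripted version of that cleanup, added here as an example and not part of the original post: it assumes PRISTINE is the wordpress/ directory unpacked from the official download of the same version the site runs, and LIVE is the site’s document root. Running the diff before the reinstall tells you which core files were changed or added, which is worth knowing before they are overwritten.

```shell
# Added example (not from the original post). PRISTINE is assumed to be the
# wordpress/ directory unpacked from the official zip of the same version the
# site runs; LIVE is the site's document root. wp-config.php and wp-content/
# are left alone throughout, as in the cleanup described above.
# wp_core_diff LIVE PRISTINE
# Prints "MODIFIED path" for a core file that no longer matches the pristine
# copy, "MISSING path" for one that is gone, and "EXTRA path" for a file
# outside wp-content/ that the pristine copy does not have (the usual place
# for dropped files). Empty output means the core tree is clean.
wp_core_diff() {
    live=${1%/}; pristine=${2%/}
    # 1. every pristine core file (wp-content/ excluded) must match byte for byte
    find "$pristine" -path "$pristine/wp-content" -prune -o -type f -print |
    while read -r f; do
        rel=${f#"$pristine"/}
        if [ ! -f "$live/$rel" ]; then
            echo "MISSING $rel"
        elif ! cmp -s "$f" "$live/$rel"; then
            echo "MODIFIED $rel"
        fi
    done
    # 2. anything in the live core tree with no pristine counterpart; a
    #    customised .htaccess shows up here too and needs a manual look
    find "$live" -path "$live/wp-content" -prune -o -type f -print |
    while read -r f; do
        rel=${f#"$live"/}
        [ "$rel" = "wp-config.php" ] && continue
        [ -f "$pristine/$rel" ] || echo "EXTRA $rel"
    done
}

# wp_reinstall_core LIVE PRISTINE
# Deletes every top-level entry in LIVE except wp-config.php and wp-content/,
# then copies the pristine core files in. Dotfiles such as .htaccess are left
# in place for manual review rather than silently discarded.
wp_reinstall_core() {
    live=${1%/}; pristine=${2%/}
    for entry in "$live"/*; do
        [ -e "$entry" ] || continue
        case "${entry##*/}" in wp-config.php|wp-content) continue ;; esac
        rm -rf "$entry"
    done
    (cd "$pristine" && find . -path ./wp-content -prune -o -type f -print) |
    while read -r rel; do
        rel=${rel#./}
        mkdir -p "$live/$(dirname "$rel")"
        cp "$pristine/$rel" "$live/$rel"
    done
}
```

Themes and plugins under wp-content/ are not covered by either function; they still need the manual look described above.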
If you’ve been blacklisted by Google or spammy words appear in Google search results, you’ll need to log into Google Webmaster Tools and submit your site for reconsideration once it’s clean.
Although spammers are less harmful, they are equally annoying. If your site is new and you haven’t publicized your email address, you might want to install the Email Address Encoder plugin. This plugin simply scrambles your email address, making it harder for harvesters to grab it. If on the other hand your email is already out there, then I’m afraid that once it’s on a spam list, there’s not much you can do.
Spam comments can also be detrimental, with more and more evidence pointing to the fact that these are not simply generated by robots but by actual people. The first thing to do is to install Akismet, which will do its best to trap spam comments. But Akismet alone is insufficient.
Be warned against comments that seem harmless. They might praise your work or congratulate you on your blog and let you know that they are bookmarking it right now. These types of comments are simply tests to see if you will accept them or not. Once you’ve approved them, then they’ll attack your blog much more fiercely.
Finally, one of the most effective ways to reduce spam is simply to close comments after a few weeks. Most readers leave comments on newer posts. Closing comments automatically after a few weeks is very simple. Log into your WordPress admin, go to Settings > Discussion, check the box that says “Automatically close comments on articles older than __ days” and enter the number of days you want to use.
I just did this myself recently and the influx of spam comments has been reduced dramatically.