One of the most frequently asked questions we get is how to protect a WordPress website from ransomware. It is a two-part answer. First, keep your site software updated to reduce the possibility of known bugs that hackers will exploit. Second, and this is very important, keep a backup copy of your website.
What Is WordPress Ransomware?
Let’s start with the definition of ransom:
Ransom: a sum of money or other payment demanded or paid for the release of a prisoner.
In the case of ransomware, the prisoner is your website. Ransomware is a type of malware that scrambles the content of your website. The only way to recover your site is to pay the hackers a fee for them to undo the damage. We are talking real money, perhaps thousands of dollars.
How is Ransomware Installed?
The most common way ransomware is installed on a WordPress site is through a bug in WordPress or a WordPress plugin. Which one, you may ask? The real answer is that it’s a moving target.
WordPress updates are released to fix bugs. If you aren’t applying these updates, then you could be leaving a known security hole in your website. It’s very important that you stay current on the security fixes released for WordPress, your plugins, and your theme.
If the number of updates to your website is overwhelming, we recommend subscribing to WordPress Support Services so that specialists can do the WordPress updates for you on a regular basis.
Should I Pay the Ransom?
Experts disagree whether paying the ransom is a good idea. When you send money to these unscrupulous criminals, there is no guarantee they will follow through and decrypt your website. The most obvious reason is that they are bad dudes. They have your money so why would they care to do extra work?
The second reason is that when hackers use free email addresses like Gmail, Yahoo, or Hotmail, known as throwaway accounts, the abuse teams at the email providers disable malicious accounts to stop the criminals from collecting income. You are caught in the middle, having paid into an anonymous overseas bank account but with no contact with the criminals to get the unlocking code.
Can My Website Be Fixed Without Paying Ransom?
YES, there is a solution! Your website can be restored from a backup. The major caveat is that you must have been performing regular backups before your website gets hacked. There are free backup plugins to help with this. We recommend UpdraftPlus.
Here is the second important point. Your backups should be offsite. This means your backups should not be stored on the same server as your website. If the hackers can mess up your website, they can mess up any file in your account, including your backups. By sending your backups to Dropbox, Google Drive, or Amazon S3 storage, you put your backup copy out of reach of the ransomware program.
The folks at Wordfence agree on the need for off-site backups in this post:
Ransomware Targeting WordPress – An Emerging Threat
It is important that you don’t store your backups on your web server. If, for example, they’re stored in a ZIP archive on your server, then if your site is taken over by this ransomware, the backups will also be encrypted and will be useless.
Who Can Help Me?
As you have read, there are a lot of considerations that need to be made to keep your website secure. We understand not everyone is a WordPress security expert. OnSiteWP has developed our WordPress maintenance service to provide businesses with the essential security, updates, and backups needed for responsible website ownership. A lot of time and money has gone into building your website. Protect that investment with one of our WordPress maintenance service plans. We take care of the technical IT issues so that you can focus on your business.
Get more info on our WordPress Support Services here:
Buy Now – Stay Secure
My name is Kim and I have a blog. I love blogging! EXCEPT, all of the techie stuff that goes along with being a website owner.
As my blogging friends started talking about a certificate for SSL…what?!? I started to panic because I didn’t have a clue about the topic!
I began asking myself the questions: what is it and do I need an SSL certificate for my website?
Being clueless, I didn’t have the answer.
So I asked my techie-that-speak-plain-English-friends, Mark and Brian at OnSiteWP, to help me figure the whole thing out!
An SSL Certificate And Why My Website Needs One
My superhero techie friends explained that Google is working to make the internet a more secure place by encouraging website owners to add an SSL certificate to their websites.
I learned that a Secure Sockets Layer (SSL) certificate is actually a small data file that creates a secure connection between a website (server) and a user’s computer (browser).
It’s sort of like jumbling up information (also known as encryption) so as the data travels, hackers can’t read it and do totally rotten things to innocent people who are visiting cool websites all over the internet!
Years ago, websites that performed ecommerce/banking transactions were the only ones that had SSL certificates … but now it is becoming the norm that every website has one.
Because Google’s algorithm is a big secret, not many people really know how much an SSL certificate plays as far as Google’s SEO ranking factors are concerned but they were talking about it as early as 2014!
I Care About What Google Thinks About My Website
Because it is a ginormous search engine, I REALLY care about how Google sees my website.
I realized that before I had my site secured, a user landing on my website would see a warning indicating my website was not secure. THAT’S FREAKY!!!
I don’t want anyone to get the impression my website is shady and a bad place to hang out!
For the love of all mankind, I have a fun family-friendly website about camping and eating awesome food while out in the wilderness!!!
There is nothing dubious happening and I don’t want my visitors or Google to think otherwise!
Now my URL looks like this:
See that “s” after the http? See the cute little lock in the address bar on the site?
See the word “secure”? Those are signals to the world and Google that my site is secure and safe!
I Heard Rumors Of Websites Disappearing From Google After Adding An SSL Certificate
I have to admit that even though the answer to my question: Do I Need An SSL Certificate For My Website? was a resounding YES … I was still nervous about making the change.
The reason was, I have a bunch of blogger friends who were ranking on page 1 of Google and then suddenly were not even found after they converted their sites to SSL.
I get a fair amount of visitors to my website because of organic searches performed by people who want to learn about camping, are looking for awesome Dutch oven recipes, and searching for the perfect gift for someone who loves camping.
I didn’t want them to disappear.
YOU ARE NEVER GOING TO GUESS WHAT HAPPENED TO ME!!!!!
As I sat next to Brian while he did his techie-magic to make my website secure, I just about chewed my fingernails off worried my website would be invisible to Google when it was all over.
Instead of my fears coming true, this is what I found…
My website REMAINED ON PAGE ONE!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
That is a really good thing because some really fun family who has no idea how many charcoal briquettes are needed to cook their Dutch oven camping dinner was able to get the answer from my website and they didn’t have to eat gross hot dogs on their first RV camping trip!
My Advice To Your Question:
“Do I Need An SSL Certificate For My Website?”
In the end, I am sooooooooooo glad my website is secure and my Page 1 Google rankings didn’t miss a beat … all because I trusted my superhero techie-that-speak-plain-English-friends, Mark and Brian to secure my website!
If you have not secured your site, call my superheroes Mark and Brian at OnSiteWP to do it for you.
I have no doubt, you’ll be glad you did!
I’m signing off for now because the mountains are calling and I must go!
Happy camping my friends!
Having a good, restorable backup copy of your website is something that OnSiteWP cannot stress enough. It’s why we include WordPress site backups with all of our maintenance packages. One of the frequently asked questions we receive is why we perform backups when your hosting company is also doing backups. The answer is very simple: redundancy. Even the top names in web hosting make mistakes. It’s best to have the insurance of your own backup copy.
At some point in the lifespan of your website, you’re likely to experience a failure. We regularly see people reaching out for help on the internet when their website goes down. The story I’m about to annotate is typical and yet lucky, because the original poster was keeping a backup.
Our poster contacted the technical support at his web hosting company. First-line support tried to help but didn’t give a very satisfactory answer. I don’t blame tech support for this. They are great at performing tasks within their purview, such as resetting your cPanel password, but they are generally not WordPress experts.
The first commenter (in blue) did a good job at confirming the problem. All of his core WordPress files are gone!
Luckily, the original poster has found a calm and rational person to work through the issue with him. On the Internet you’re likely to get a full smorgasbord of opinions on how to solve your problem.
We see the original poster go through the phases of grief by asking “how can files suddenly disappear?” Unfortunately there are many ways. It could have been user error, an accidental bug in the software, or a malicious script taking advantage of vulnerable plugins. While not likely the culprit in this case, corrupt filesystems and hardware errors are also ways to lose files in a catastrophic way.
VaultPress is a backup plugin and subscription service for WordPress. Our original poster saved his tail and thousands of dollars of web developer time by restoring his website instead of needing to start from scratch.
This is the time to ask yourself: Do you keep good, up-to-date copies of your website?
At OnSiteWP we use a different backup plugin than VaultPress but the concept is the same. We make regular backup copies of your website and save them to a safe storage area outside of your web hosting account. This way, even if your entire WordPress site were to be deleted, we have a copy of it that can be restored.
We understand that business owners don’t want to be IT people. Contact OnSiteWP today to inquire how we can manage your website while you run your business.
WordPress Security Alert:
One of the new features of the recent WordPress 4.7 update is the REST API which is being hailed as the NEXT BIG THING for the WordPress platform.
Of course that remains to be seen.
So what exactly is this REST (JSON) API and what does it do?
In short, it is a connector between WordPress and other software applications which is characterized by universality and high compatibility.
Universality and high compatibility. That is the takeaway.
The WordPress REST API is revolutionary because it enables WP to communicate with other web properties no matter what programming language they’re written in. This is a Big Deal.
That’s the Good News.
Here’s the bad news.
Parts of this new API on your site are potentially available to anyone on the internet.
This means that the new WordPress REST API allows anonymous access to some features of your WordPress website.
One of the functions that it provides is that anyone can list the users on a WordPress website without registering or having an account.
This is not a good thing.
It allows anyone to list all users that have published a post and view the Userid, Username, Gravatar Hash and Website URL.
Really Not Good!
The awesome folks from the Wordfence Security plugin were the first to bring this to our attention.
You can read the post here:
So why is this a security alert and why is having your username publicly visible not a good thing?
Your username is 50% of your login info.
If a hacker or bot has your username, they only need to run password cracking scripts to try to guess the password.
Knowing your username gets them 50% of the way to breaking into your website.
That is the reason for this security alert.
Security Tip: Never display your username publicly.
Another way your username can be viewed publicly is simply due to lack of user knowledge.
Every WordPress user has a username and a nickname.
Users must have a username, but don’t necessarily need a nickname. Your nickname is what is displayed on every blog post and author bio.
If no nickname is chosen, WordPress defaults to the username and inserts that into the nickname field.
If you haven’t changed your nickname, your username is automatically inserted and therefore displayed.
Again, not good.
We always recommend using a different name for your nickname (the publicly displayed name) than your username.
If you want to see if your usernames are publicly available using the REST API, just enter your site URL in the field below.
If your usernames are not displayed, then congratulate yourself or your web developer.
You have good security practices/features in place.
If you can see your usernames, then as quickly as you can, install the Wordfence Security plugin.
Then go to your admin user area and add a different nickname to your user.
Another option is a recent update to iThemes Security which now has the ability to turn off the REST API functionality in WordPress.
You can read about it here: Restrict WordPress REST API with iThemes Security.
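The self-check described above can also be run from a script against a site you own. This is an added example, not code from OnSiteWP, Wordfence or WordPress; it assumes the default core route /wp-json/wp/v2/users, and the sample replies and the function names are constructed for illustration.

```python
import json
import urllib.error
import urllib.request

USERS_ROUTE = "/wp-json/wp/v2/users"  # core REST route; assumes default REST prefix

def audit_users_response(status, body):
    """Classify the reply from the users route of a site you own."""
    try:
        data = json.loads(body)
    except ValueError:
        data = None
    # A restricted site returns an error status or a JSON error object,
    # not a 200 carrying a list of user records.
    if status != 200 or not isinstance(data, list):
        return {"exposed": False, "users": []}
    users = []
    for u in (d for d in data if isinstance(d, dict)):
        slug, name = u.get("slug", ""), u.get("name", "")
        users.append({
            "id": u.get("id"),
            "slug": slug,  # user_nicename, derived from the login name by default
            "display_name": name,
            # True when the public name still equals the username
            "name_matches_username": name.strip().lower() == slug.lower(),
            "gravatar_exposed": bool(u.get("avatar_urls")),
            "website": u.get("url", ""),
        })
    return {"exposed": bool(users), "users": users}

def check_site(base_url, timeout=10):
    """Fetch the users route from your own site and audit the reply."""
    url = base_url.rstrip("/") + USERS_ROUTE
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return audit_users_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return audit_users_response(err.code, err.read().decode("utf-8", "replace"))

# Constructed sample replies, not captured from any real site.
SAMPLE_OPEN = json.dumps([
    {"id": 1, "name": "alice", "slug": "alice", "url": "https://example.com",
     "avatar_urls": {"96": "https://secure.gravatar.com/avatar/HASH?s=96"}},
    {"id": 2, "name": "Camp Cook", "slug": "bob", "url": "", "avatar_urls": {}},
])
SAMPLE_BLOCKED = json.dumps({"code": "constructed_error", "data": {"status": 401}})

if __name__ == "__main__":
    print(audit_users_response(200, SAMPLE_OPEN))
    print(audit_users_response(401, SAMPLE_BLOCKED))
```

Any user reported with `name_matches_username` set to true is one whose nickname still needs changing in the admin user area, as recommended above.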
We always recommend updating WordPress, Themes, and Plugins.
Many updates are plugs for security holes.
In the case of WordPress 4.7, we still recommend updating, but make a few changes and you will be covered.
Staying on top of security news and potential threats is what we do.
That is our job.
We also keep your website up to date so you don’t need to be concerned with this stuff.
You can focus on growing your business instead.
For plans and pricing go here:
Website Maintenance Pricing
What is HTTPS and do you even need it?
Many people are looking to convert their site from plain HTTP to the secure version (HTTPS). Sometimes this is called adding an SSL certificate to your website. An SSL certificate is what makes the secure HTTPS transport possible. The “S” in HTTPS stands for secure. The SSL certificate provides the encryption key that makes the encrypted HTTPS protocol possible.