WordPress is a great medium for running your site, as it makes everything from creating and publishing content to making simple and major changes to your site incredibly easy. You can see why I love WordPress in more detail, but WordPress (like many other platforms) has its security holes here and there, which can leave your site vulnerable. In this case I’m referring specifically to phishing attacks: someone gains access to your site and uploads their own phishing content and files, which turns your site into a host for their phishing trap. Here is how to protect your site from phishing attacks.
How to Protect Your Site From Phishing
If you’re lucky, you hear about it from your hosting provider so that you can address the situation by going into your FTP client and removing those files manually. In this post I’m going to identify how you can best protect your site from becoming a victim of a phishing scam. Note again that if you find files on your site which you didn’t put there, or are informed of their presence by someone else, you should go into your FTP client and delete them one by one, then follow these tips to keep yourself from falling victim again.
Passwords – First things first: change the password for your FTP, WordPress login, and your database for your site. Never use the same password for multiple sites; if one becomes compromised, you could see them all get attacked. I did a full post the other week on password creation tips, so refer to that on how to come up with a crack-safe password.
Update Them – Get into the habit of updating your passwords once a month or so for all of your sites to keep ahead of the hackers out there.
Scan Your Own PC – Next, scan the computer you use to interact with your sites using virus and malware scanning and removal tools. If your computer is infected, that can spill over into your sites and create problems you don’t want.
Plugins – I like to use Anti-Malware, which is free and routinely scans your site for suspicious files you didn’t upload and changes you didn’t enact. You can set a few security settings in terms of how tight you want your site to be locked down, and this plugin will remove threats as soon as they are detected. Better WP Security is another plugin which helps to protect your site against known exploits. You can also use http://sitecheck.sucuri.net/scanner/ to externally scan your site for malware.
When you’re finally sure that your site is safe and fully in your control once more, you can go ahead and change your logins/passwords one more time for good measure, and continue to keep an eye on both your sites and your computer for potential malware or phishing files. Many FTP clients order files and folders by date, so you can find the last change you made and make sure that there aren’t any files or folders with a later creation date, or any files or folders whose names you don’t recognize.
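The date and name checks described above can also be run over a local copy of the site; the following is an added example, not code from the original post. It assumes the copy was downloaded with file timestamps preserved and compares modification times; the function names, sample paths and dates are constructed for illustration.

```python
import os
import tempfile
from datetime import datetime, timezone


def find_suspect_files(site_root, last_known_change, known_files=None):
    """List files changed after last_known_change or missing from known_files."""
    cutoff = last_known_change.timestamp()
    suspects = []
    for dirpath, _dirs, filenames in os.walk(site_root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, site_root).replace(os.sep, "/")
            mtime = os.lstat(full).st_mtime
            reasons = []
            if mtime > cutoff:
                reasons.append("modified after last known change")
            if known_files is not None and rel not in known_files:
                reasons.append("not in known-good list")
            if reasons:
                suspects.append((rel, mtime, reasons))
    # Newest first, like sorting by date in an FTP client.
    return sorted(suspects, key=lambda s: s[1], reverse=True)


def build_sample_site(root):
    """Create a constructed sample tree (all names and dates are made up)."""
    old = datetime(2013, 1, 10, tzinfo=timezone.utc).timestamp()
    new = datetime(2013, 3, 2, tzinfo=timezone.utc).timestamp()
    sample = {
        "index.php": old,
        "wp-content/themes/mytheme/style.css": old,
        "wp-content/uploads/secure-login/index.html": new,  # newer than cutoff
        "wp-includes/update.php": old,  # old date, but not a file we uploaded
    }
    for rel, ts in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.utime(path, (ts, ts))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        cutoff = datetime(2013, 2, 1, tzinfo=timezone.utc)  # your last real change
        known = {"index.php", "wp-content/themes/mytheme/style.css"}
        for rel, mtime, reasons in find_suspect_files(root, cutoff, known):
            stamp = datetime.fromtimestamp(mtime, timezone.utc).date()
            print(f"{stamp}  {rel}  ({'; '.join(reasons)})")
```

Modification times can be changed by whoever uploaded a file, which is why the check against your own list of file names is kept alongside the date check.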