There may be a lot of content management systems around, but none of them can hold a candle to WordPress. With 51.6+ million sites as of March 2020 (and increasing every day) it gives you an idea just how vastly superior and beloved this system is. WordPress security and actionable tips to prevent WordPress hacking though - the CMS still has a way to go when it comes to security.
However, we want to help you secure your website from the get-go - prevention is better than cure, so make sure you action these tips, in this, one of our many WordPress tutorials - TODAY.
These millions of sites, however, also face serious attacks from script kiddies who have nothing better to do with their time but spread misery far and wide, and others with more nefarious and malicious reasons, the dark actors of the web: Hackers.
It’s quite common to wake up one morning to find your once-beautiful website waxing poetic full of links and text about herbal enlargement pills, or other dodgy pharma or some cause in middle-east.
Screaming incoherently is probably the first course of action you will take when your site is hosting full-page ads, links, and redirects to shadier aspects of ‘pharma’ companies.
If this scenario terrifies you, it's justified to feel that way.
90,000 website are hacked every day
Everybody wants to prevent WordPress hacking. Because restoring and recovering a website can take some serious time and effort.
So harden your website with these WordPress security best practices, the prevent that horrible fate from happening to you! And yes, it will take some time and continuous effort to avoid hacking attacks.
Don't like to get your hands dirty with code? Try iThemes security and let it do the dirty work. Click this link to get 25% OFF until December 2023.
If you don't want to go through a lot of messing of files, enabling of different plugins, and lots of other things you don't really understand - we also have the easy way out for you. iThemes Security is the best WP security plugin to secure and protect your website.
Not interested in WP plugins just yet? Read on!
We’ll work up to some code work, but first, let’s take care of the basics of website security issues. Starting with:
17 WordPress Security Steps
1. Preventing WordPress hacking starts with your workstation
This is the first and most easily overlooked: your computer.
You should always keep your system free of malware and viruses, especially if you’re accessing the internet with it (which you are, of course). Workstation protection is even more essential when you are conducting transactions and have a website because all it takes is a keylogger to knock out the most hardened of websites.
A keylogger will read all your usernames and passwords and send them to hackers - which of course is going to create a whole host of issues and problems for your website.
Stay safe and regularly update your OS, software, and browsers on your computer. Use a good anti-virus service. Keep your eyes out for any vulnerability on your system and remove it before it becomes a massive pain. If your computer starts acting strangely, popping up ads and other dodgy stuff, you might want to check it out before accessing your website
2. Install all WordPress Updates
Every time a new version of WordPress is released, it does so to great fanfare and in the midst of a wave of excitement.
Most of us are excited, because, hey, new features! Hackers are excited because they will instantly go to check the Security and Maintenance Release notes. Unfortunately, each WordPress update brings along with the uncovering of a number of WordPress security vulnerabilities in older versions.
With every new WordPress update, we get additional features and upgrades, along with a page listing the security flaws in the previous version and their fixes.
That page is practically a cheat-sheet for hackers everywhere. Should you fail to update in time, those flaws will be exploited to takeover sites on older versions (and your site could be among these if you don't update).
And if your site gets hacked, unfortunately, it will be too late to find excuses for not updating to the latest version.
So don’t give hackers a chance to wriggle in. Install the latest version of WordPress as soon as it’s released.
If you’re afraid it will mess up your website, ensure that you have a working backup before you update. The updated version will resolve any security issues which existed in the previous version - and goes a very very long way to prevent WordPress hacks.
Want your website to get updated automatically? Check out InMotion VPS for your hosting - they have excellent WordPress specific features so you can update your site automatically as soon as they are out. We're on an InMotion VPS, and we love it!
3. Make sure that your hosting server is secure
Did you know that by 2019, approximately 54% of websites are still using PHP 5.x - a version of PHP that is end of life and thus not receiving any security updates. This means that any sites running on PHP 5.4 are vulnerable to hacks through server software vulnerabilities. (Source Sucuri Hacked Website Report 2019)
Even PHP version 7.1 is end of life as of December 1, 2019. Old versions of software such as these are no longer supported and have vulnerabilities that have not been patched!
These old versions of software are prone to hacks.
If you are aware that your website is hosting on PHP 5 or possibly PHP up to 7.1, ask your host to check whether your site can be moved to a more recent version of PHP.
Not only that, but the majority of websites/blogs are hosted on shared servers. Basically, if one site on a shared server gets infected, every other site is at risk, regardless of how secure the site/blog is otherwise.
You’ll get hacked through no fault of your own.
Thought exercise: Have you ever been inside a soup kitchen? Can you picture one and imagine what happens in there? If you’re one of those lucky enough to have escaped that travesty, I’ll give you a taster (pun intended). Think of everything that has ever happened since the kitchen came into existence, spills and breaks, leaks and splashes. In a soup kitchen server, those things are never gone. They become a part of the kitchen.
Now imagine the same happening to your site. A hosting server from a company that skips maintenance and does not update to the latest software versions has devolved into a soup kitchen already.
Moreover, if you or your webmaster hosts several websites together, unused files, data, sites, and more pile up until they become a threat to current sites.
So choose a reliable and secure host.
VPS and managed hosting minimizes chances of breaches and is excellent for e-commerce sites. If shared hosting is enough for you, check out their security before subscribing for space on them.
Make sure to check that they keep their servers maintained regularly and also update to the latest versions of software. This is another step which should be on your priority list if you want to prevent WordPress hacking.
4. Use Secure Transmissions to prevent password and data interception
Over an unsecured connection, data can be intercepted and you can be hacked before being able to say “unencrypted”.
This is why you should focus on secure network connections and encryptions: server-side, client-side, and all the sides. Find a host that allows SFTP/SSH encryption to protect your data and information from malicious intercepts.
Your site should also have a secure certificate installed and set up so that when you are logging in, your credentials are transmitted securely.
5. Prevent hacking through complex passwords
Essential tip: create a strong password and NEVER reuse passwords
Our next step on how to protect WordPress from hackers talks about a much-cliched topic: passwords.
A startling number of people think long, complicated passwords are overrated and will prefer something shorter and easier to remember; a fact hackers know and take advantage of.
There is no other way to put this: a good strong password comprised of letters, numbers, and any other valid characters will actually go a long way to protect your blog.
A brute force hack attack can work on a short password using a simple word (for example a dictionary keyword or an easy common password), yes. But the more characters there are in your password, the longer it takes to crack it.
It takes exponentially longer to crack long complex passwords.
What you’re trying to do is break the known patterns to make hacking difficult, if not impossible.
Any personal details, or passwords based on them (such as birthdays or names of people), will be easy to crack. Don’t use single words (regardless of length), letters-only, or numbers-only passwords either.
Create a password which is easy to remember but hard to guess to prevent WordPress hacking - if your blog is about security, make it something like pressmyWORDSand5ecurit!$
6. Keep your Databases Secure and isolated
Your database knows everything that has ever happened on your site. It’s a veritable source of information and that makes it irresistible to hackers.
Automated codes for SQL injections can be run to hack into your website database with relative ease. If you are running multiple sites/blogs from a single server (and database), all your sites are at risk.
As the code resource puts it, it’s best to use individual databases for each blog/site and give them to be managed by separate users. In simple terms, every website you host should have its own database and own database user.
Only that database user should have access to the database.
You can also revoke all database privileges except data read and data write from users who will only work with posting/ uploading data and installing plugins.
It is not recommended, though, due to schema change privileges required in major updates.
You should also rename your database (by changing its prefix) to misdirect the hackers aiming their attacks on it. Although this does not prevent WordPress hacking per se, it makes sure that if any databases are compromised, the hackers can't hop to the next WordPress installation.
7. Hide your website's login and admin name
Next on how to secure WordPress from hackers concerns the WordPress Admin.
Leaving WordPress defaults untouched is practically asking for trouble.
It is laughably simple to find your site’s admin name if you don’t actively hide it.
All a hacker needs, is to add ?author=1 after your URL and the person/member who shows up is most likely the admin. Imagine how easy it would be for the hackers to use brute force once they find the admin’s username.
How can you prevent hacking if you are leaving so much information available, make exploitation easier?
Solution to deter WordPress hacks: Hide all usernames with this code in functions.php file:
Your login page is also easy to access, and not just for you. If you simply add wp-admin or wp-login.php after your homepage URL, fill the username we learned from ?author=1, all that is left is a bit of brute-forcing or guessing until a password is cracked.
Use the technique of ‘security by obscurity’ and change your login page URL to make the hackers’ job a bit more difficult.
Security plugins like iThemes Security have a Hide Login setting that will remove easy access to the WordPress login.
Once again, doing this simple step will go a very long way in preventing WordPress hacking.
Not sure whether you can deal with all this?
Need some help? Have a look at iThemes Security Pro - one plugin and your website is safe. Guaranteed. Click the links below to visit the site.
8. Prevent hacking through WordPress security plugins and tricks to protect wp-admin
Your wp-admin is the most important part of your WordPress installation - the one with the most "power".
Unfortunately, the login page and admin directory are available to all: including those with malicious intent. To protect it and stop hacking attacks, you’ll need to work just a bit harder.
A strong password, a different administrator account (with a username that’s anything but ‘admin’), and using the iThemes Security plugin to rename your login links will make definitely help to prevent hacking.
You can also strengthen the guard around admin with website security plugins like Malcare.
This 5-star rated service is one we have discovered fairly recently.
Malcare is developed by the team behind Blogvault, which we've already used and found to be amazing.
Their latest offering offers a full-blown security and website management service. It offers such staff as file scanning for core changes (to detect hacks), emergency cleaning, a built-in firewall to stop malicious traffic, update of themes and plugins directly from their dashboard and one-click backups.
The best about this is you can manage ALL your sites from one single dashboard, without having to log in to each and every one of them individually.
Limit Login Attempts Reloaded
With a bit of code coupled with unlimited login attempts, any hacker will eventually break-in.
You can restrict the amount of login attempts any single user is allowed to perform in the admin login page using Limit Login Attempts Reloaded plugin. It will limit the number of login attempts for each IP address, including your own (with auth cookies).
Really Simple SSL
Use the power of Private SSL to secure admin login, area, posts, and more. Using the Really Simple SSL plugin enables encryption on your login sessions, meaning the password is difficult to intercept.
You'll need to get an SSL Certificate and get it installed on your hosting server. InMotion offer SSL certificates for free on their hosting plans - so if you still haven't maybe it's time to switch to InMotion to get your SSL too.
Once you have confirmed with your hosting provider that you have Shared SSL you can activate the plugin.
If you'd rather not use a plugin but want to force SSL on the login only, then add this code to the wp-config.php file:
Acunetix Secure WordPress
This plugin is a superb security solution in general, but some key features make it even better.
First of all, it runs a website security scan. It also pays close attention to preventive measures so you actually stop WordPress hacking from happening in the first place. To protect the admin area, it will remove error information from the login page.
That may not sound like much, but the error message actually helps hackers find out if they had gotten anything right. Removing the message (hint) takes away that advantage.
If you want to avoid hacking, get at least some of these plugins set up.
Top Tip: The rest of the article features Advanced Website Security tips
The rest of the tips requiring tinkering with your WordPress installation, which brings along some risk. If you'd rather not tinker around with your installation, you might want to hire a WordPress developer to help you out.
9. How to secure WP through wp-includes
Let’s get this straight: the wp-includes folder is a core part of WordPress. It should be left alone, even by you. And by no means should it be left accessible to potential hackers.
To prevent any malicious persons/bots from sending unwanted scripts straight to the heart of your website to prevent hacking attacks.
Add this before #BEGIN WordPress in your .htaccess file:
Note that you’ll have to omit the third RewriteRule if you want the code to work on Multisite.
10. Protect your wp-config for improved website security
This is one of the issues that is a bit controversial. Not everybody agrees with doing this.
Whether or not you actually move wp-config.php outside the root folder, there’s no denying that a bit of tweaking the code in this file can help harden your website and make it harder to perform WordPress hacks.
Not sure whether you can handle all of this techy stuff? There's one security plugin to rule them all.
- Start with disabling editing PHP files from dashboard, which is where the attacker will concentrate after hacking through an access point. Add this to wp-config.php
- $table_prefix is placed before all your database tables. You can prevent SQL injection based attacks by changing its value from the default wp_. Be careful if you do this, you will need to rename any existing table to the new prefix you set.
- Move wp-content directory from its default position with this
Now if you’re not a developer, you don’t have much use of error logs. You can keep them from being accessible with this:
11. Backup your website (just in case)
This is the safety net. A backup is one of the first things you’ll need to restore your site if you do get hacked.
Backup your site at least as frequently as you run maintenance or update it. There’s no excuse to be lax in this department, not when there are some excellent backup services and plugins that will run automated backups for you. Some suggestions for plugins include:
Recommended Reading: Native vs plugin - WordPress backup using different methods
Create a schedule and let the plugin do the rest.
Some of these plugins come with easy restore options. Check to ensure that the plugin is backing up the entire site, including all databases and directories. Although this does not prevent WordPress hacks, it gives you peace of mind of restoring your site if the unthinkable happens.
12. Use trusted sources only for downloads
If you are running on a tight budget (and even if you aren’t), you might be tempted by the option of getting all the features and functionalities of premium plugins/themes for free: pirated or cracked plugins.
You can't outsmart a hacker if you are downloading premium stuff from ill-reputed or unauthorized sources - they will come back to bite you. They are ill-reputed because they will fill those legit ‘premium’ plugins/themes with malware and let you do the rest.
Cracked plugins or themes will contain hidden backdoors, that allow them to take control of your site at will. Using such a download will be all they need to convert your brand’s online appearance into a giant poster for enlargement pills - or even worse, malware.
Your site will quickly get blacklisted, even from search engines and browsers if it contains malware.
This is a known and very popular tactic of hackers.
Pirated themes and plugins are riddled with backdoors and malware. This is one of the easiest WordPress security issues to resolve really. It's best to go for a trusted theme from a trusted source, such as the one we have reviewed here: Avada theme
Pirated, nulled or cracked stuff? Don’t bother.
You’re good with official Themes and Plugin directories, so try sticking to those. You can also trust sources like ElegantThemes, Theme Forest, Code Canyon, etc.
13. Secure your website by looking like a Pro
A rookie is easier to hack.
At least, that’s what most hackers think (not incorrectly).
Change all defaults: posts, comments, usernames, directory names, etc.
It’s easier when you’re setting up.
If you already have your WordPress up and running, go to Settings > Miscellaneous (in your Admin controls) to change directory names. This will be another step in your drive to stop WordPress security issues and make hacking your site much more difficult.
To hide which version of WordPress you’re on, remember to delete /wp-admin/install.php and wp-admin/upgrade.php. Take it a step further and remove meta generator tag (“”) from wp-content/your_theme_name/header.php. You should also remove version detail from RSS feed.
To do this, open wp-includes/general-template.php. Around line 1860 you’ll find this:
Add a hash before ‘echo’ command and you’re sorted.
14. Good WordPress Security requires Good File permissions
The rule of thumb is 755 for directories and 644 for files.
Although this might vary depending on the server and the type of file in question - in most cases, you should work very well with these permissions.
It would be best to ask your host to check, or if you've got direct access, you can do this yourself.
15. Website Security: Never set file permissions to 777
If you are serious about wanting to stop WordPress hackers - NEVER set file/directory permission to 777 unless you want to give complete control over it to everyone, including hackers.
There is a very dangerous tendency amongst beginners to set file permissions to 777, "because it's easy", or "because we'll fix it later", or "because I'll change it later".
This is extremely dangerous - 777 means anybody on the internet can change the contents of that file.
With those permissions set, your website is an open house. Once they have access to one file, rest assured it is very easy to jump to other files or install backdoors and other nasty stuff to your site.
The WordPress codex has a complete guide to file permissions: how to change them and the recommended permissions for some files.
You need to balance securing your website with functionality, so start low and gradually increase permissions till you get it right. The right file permissions will surely help avoid website hacking. Again, this is one of the easier WordPress security issues to prevent, you just need to be aware of it.
16. Allow access to WP admin and login to your IP only through IP filtering
A very simple, elegant way to restrict access to the login page and admin area is through IP filtering.
All you need to do is add this code to .htaccess. This suggestion comes with thanks to Sucuri, who provide an excellent WordPress security service
Now that works only for static IPs, but you can do the same for dynamic IPs with this:
To restrict access to wp-admin directory, add this to .htaccess:
By domain name:
17. Security Plugins to Block WordPress hacks
Although we don't tend to advocate the use of many plugins, when it comes to WordPress security plugins, there are some which you really might want to install to increase the resilience of your site.
- iThemes Security Pro - Listen, many of the above actions are a bit technical no doubt about that. We get that. If you are not technically inclined, we have the solution for you. iThemes Security is the best WordPress security plugin to secure and protect your website.
Install WP Security Audit Log plugin - this is the most comprehensive WordPress activity log plugin. The plugin keeps a record of everything that happens on your WordPress website in an audit log (aka WordPress activity log) so you keep hackers at bay. This is because you can identify their attack attempts before they actually hack into your WordPress website, thus having the time to thwart their malicious actions.
Google Authenticator and Duo Two-Factor Authentication are great choices for adding an extra layer of protection on your login page. An authorization code will be sent to your email/ mobile, without which the user/hacker will not be able to log in.
Is there anything better than a nice BBQ? This plugin will block URI strings containing eval( base 64 and other suspiciously long request strings.
Check your theme for malware and hidden backdoors with this plugin before someone exploits those weaknesses in an otherwise secure site/blog.
- Antivirus Plugins
This one is a no-brainer. Conduct frequent site scans and eradicate them before they take hold. Plugins/ services like Sucuri, Wordfence, etc. Previously mentioned Acunetix Secure WordPress is another good one. Exploit Scanner will check your site inside out for malicious code too.
If you're interested, we've written a great comparison about Sucuri vs Wordfence which compares these two big boys head-to-head.
The Essential Checklist to full Website Security - YouTube version
Thanks to Webucator, a provider of WordPress training, we've got this checklist created as a video.
Our next part of this article deals with fixing a WordPress security hack, once it's happened.
Website hacked? 7 Steps to fully restore your website
Sucuri releases a website hacked trend report for each quarter. In their latest report, they have revealed that various WordPress releases powered 94% of the sites hacked in 2019
Hacked WordPress sites remain a real problem. Being the most popular platform for creating websites, the possibility of getting hacked is significantly higher for WordPress sites.
That is not surprising since WordPress is by far the largest platform to create new websites. As long as WordPress stays popular, Hackers will keep finding it profitable to look for vulnerabilities in WordPress sites. It's a game of numbers really.
And it doesn’t matter what preventive measures you take; it is impossible to guarantee the perfect security for any website. What you can do is make it harder to hack so that the ones looking for low-hanging fruit will not bother, or will not manage to hack it.
In this tutorial, we are going to introduce you to 7 steps you should take to fix a WordPress hacked site.
Before we begin the procedure, let’s find out what causes the problem in the first place. In general, there are two types of vulnerabilities:
- Common Vulnerabilities and
- Security Vulnerabilities.
Let’s take a closer look at each type. Both types can be exploited by hackers.
Before you begin - restoring a hacked website is not something that can be undertaken by people without sufficient knowledge. It is highly advisable to ask for help from WordPress developers who are highly skilled before attempting to do this if you're not comfortable tinkering around.
Common Vulnerabilities which result in hacked WordPress sites
The common vulnerabilities can come from either your local machine or from the hosting provider. Most of us are probably familiar with these types of problems.
These problems can happen if your PC or local network is compromised. When hackers gain access to your PC or the network, they can easily target a website you own - with the result being a compromised or hacked WordPress site.
You can avoid these situations by using reliable anti-virus and anti-malware scanning tools. You need to apply common sense when using the internet. Comodo and Malwarebytes have some handy tips to keep your PC safe from hackers. Most of these are quite common sense if you think about them, such stuff as keeping software updated for both your working desktop and peripherals such as your internet router.
The second kind of vulnerability can arise from your hosting provider, especially if you are using a shared hosting package. As you might know, a shared hosting package shares the server among numerous users.
If any of these users don't follow the best practices, the whole server is under serious threat. Of course, in a shared hosting scenario, it is highly unlikely that all users will be using good security practices, so shared hosting packages, are by definition, risky.
In some cases, one site in a shared hosting package gets compromised, and it allows the hacker to move laterally or hop to other sites on the same server. In this case, you need to consult with your hosting provider, and they will take the necessary steps.
This means, even if your site is fully updated and protected, you may still end up with a WordPress hacked site.
Incidentally, if you’re looking for a very secure hosting provider, you should seriously consider reading our InMotion hosting review - we feel very well protected on this service.
Now that we have identified the common vulnerabilities, let’s take a look at the security aspects.
Hacked through Vulnerabilities
There are several types of security vulnerabilities for WordPress. We will talk about the ones which are the most common:
Weak username/password combinations
We shouldn't have to tell you about the importance of using a secure password. Since version 3.0, WordPress itself has put more focus on forcing users to use a strong password, for example, there is a built-in password strength detection feature in the admin dashboard.
The rule of thumb is that you should never use any predictable username (such as admin), and always use strong passwords. These will make it more difficult for hackers to access your site.
Theme/plugin bugs and vulnerabilities
While it is a best practice to use familiar themes and plugins, sometimes popular products can have a hidden security flaw too. If that happens, you will probably hear about this on popular IT news blogs and other sources of WordPress security information.
However, you will probably be safer if you make sure that you are using only trusted themes or plugins - because you'll be able to quickly update to a patched version. Check out the reviews, rating, number of downloads, etc. to analyze the reliability.
And never ever use pirated or nulled themes or plugins. It is a known fact that most of these contain harmful code, which create a backdoor in your site. This is literally a way to have full remote command of your site.
In reality, if you are using a cracked, pirated or nulled theme or plugin, your website is ALREADY hacked. You’ll be using a site that will suddenly start doing strange things such as displaying dodgy links, distributing malware or even be part of DDoS attacks.
What you think is free will cost you much more than you expect.
Not updating WP core, themes, or plugins
Using an outdated version of the WordPress core, themes, or plugins is another major reason for breaches that will result in hacked websites. Most updates include code that fixes the security and performance of your website. Therefore, it is necessary that you update your website, themes, and plugins as soon as they are available. Make sure to perform a full site backup before updating.
What to Do When Your WordPress is Hacked?
Even if you might have taken steps to mitigate the risks, you still might have fallen victim to WordPress hacking.
Don’t panic and follow the steps described below.
1. Identify the Type of Hack
The solution to getting your site back depends on the type of WordPress hack. That means the first step is to define the type.
Here are the questions you should ask to do that :
- Can you access the admin section?
- Is your site being redirected to another site?
- Are there any unknown link(s) on your site?
- Is Google warning the visitors about your site?
- Has your hosting provider informed you that your site is looking suspicious?
- Is your site showing unknown adverts in the header, footer, or other sections?
- Are there any unwanted popups displayed?
- Is there an unexpected spike in bandwidth usage?
Go through the questions one by one and try to find out the answers for each of them. This will help you find the best course of options to regain control of your hacked WordPress site.
2. Try Restoring from Backup
If you follow the best practices, you should have daily, weekly, or monthly backups of your site. The backup frequency depends on how frequently you post or make changes to your website.
When you are taking regular backups, regaining your hacked WordPress site is as easy as restoring the latest backup. If you have set up an automatic backup schedule, find out the last backup before your site was hacked and restore that version.
You then need to make sure that you update any plugins, themes or anything which had not been updated.
What if you didn’t take backups of your site? Does that mean you have lost your site forever?
There are other options too. Most reputed hosting services keep regular backups of their client sites. Ask your hosting provider if they keep a backup. If they have, you can ask them to restore your site from the last stable backup.
If there is no backup, you’ll have to go through a procedure of cleaning your hacked WordPress site which we show below.
3. Seek Help from Your Hosting Provider
More than 40% of hacked websites had some security vulnerability on the hosting platform. Therefore, when you get your WordPress hacked, asking your hosting provider to help you get back your site could be a good idea.
Any reliable web hosting company should be willing to help you in these cases. They employ professionals who deal with these situations every day. They are very familiar with the hosting environment and have access to advanced website scanning tools.
Therefore, they will be able to help you recover the most common website hacking attacks. If the hack originated from the server, your hosting company would be able to help you get back the site.
4. Scan for Malware
In many cases, hackers gain access to your website by using backdoors. Backdoors create unauthorized entry points to your website. When using backdoors, hackers can access your website without requiring any login information and remain virtually undetected.
Here are some common locations of the backdoors which you need to check if your website was hacked –
- Themes: Most hackers prefer to put the backdoor in one of your inactive themes. By doing this, they will still have access to your website even if you keep it regularly updated. This is why it is crucial to delete all of your inactive themes.
- Plugins: The plugins folder is another potential place for hiding the malicious code. There are several reasons for that. First of all, most people never think about checking the plugin files. They also prefer not to update the plugins as long as they are working. What’s more, there are some poorly coded plugins that could be exploited to gain unauthorized access to any WP site.
- Uploads Folder: In most scenarios, you never need to bother about checking the uploads folder since that folder only contains the files you uploaded. However, some hackers prefer this folder because they can easily hide the malicious file among hundreds or thousands of files spread in different folders. As the folder is writeable, it also serves their purpose.
- Includes Folder: This is another folder often ignored by most users. As a result, hackers put the backdoor in this folder and get complete access to your site.
- wp-config.php File: It is very common to find malicious code hiding in this file. However, as the file is very well-known, sophisticated hackers avoid using this file.
Don't like to get your hands dirty with malicious scripts? Try iThemes security and let it do the dirty work.
The only way to get rid of the backdoor is to remove the malicious code from the website. There are several plugins which allow you to scan your website for malicious code.
The following are also good options, but be aware that both of them have not been updated for more than 3 years as of the updating of this article. This means that they might not be as reliable as they used to be: Exploit Scanner, and Theme Authenticity Checker.
You can use these free plugins to detect any unwanted change in the themes, plugins, and core files of your website. However, if you are serious about fixing your site, we would highly recommend opting for one of the premium products.
They will be more up to date and more reliable in general than any of the free products.
If the plugins find any suspicious file, take a full backup and delete the file or see what course of action the plugin suggests. Also, if you take a backup, make sure that you note that you are taking a backup of a hacked site.
And if a theme or plugin is compromised, remove that from your site. Download the latest copy and upload it to your website.
In case the change is detected in any of the core files, you should download a fresh install of WordPress and perform a manual update (i.e. overwrite all the files with the new ones).
Alternatively, download a fresh copy of the WordPress version you are currently and replace only the compromised files.
5. Check WordPress Users
It is likely that you have several users on your website. As you already know, they have different capabilities based on their user role.
Sometimes, WordPress hackers create a new user with the necessary permissions so that they can log into your site even if they lose the backdoor.
Or they may actually use a username that has a weak password to hack your website.
To prevent this from happening, go to Settings > Users from the dashboard. Review all the users and their roles. Also, reset ALL the passwords of ALL the users.
Most importantly, make sure that no unauthorized account has the admin role assigned. In the case of doubtful accounts, delete them instantly. If they are valid users, you can always recreate the accounts later.
Here are some more best practices to follow:
- Never use the ‘admin’ username on your site. If you already have that username, change this as soon as possible. Also, avoid using any common username that hackers can guess.
- Use two-factor authentication to prevent unauthorized access to your website.
- Integrate CAPTCHA or reCaptcha on your login formsIntegrate CAPTCHA or reCaptcha on your login forms. This is an effective way to prevent bots or automated scripts from accessing your website.
6. Change the Secret Keys
Secret Keys are a handy security feature of WordPress.
These keys contain randomly generated text which help in encrypting the information saved in cookies. You should use the procedure below to check whether you have them on your site. If you don't have them, you can create them.
Even if you have them already, if your site has been hacked, it is now a good time to change them.
First of all, generate a set of secret keys using this link. The random code generator will create a new set of unique codes every time you refresh the page.
Now, go to your website and open the wp-config.php file. Head towards line 49 and you will see something like the following. The line number may vary on your file, but you need to find out the following section:
Copy and paste the value from the ones you have just generated in the link above. Save the file. This will reset any cookies and any logged-in users, so if you were logged in to the admin, you will be asked to log in again.
7. Change ALL Your Passwords
This is a common but critical step in restoring a hacked WordPress website – reset all of your passwords. The common passwords include WP admin, cPanel, MySQL, FTP, etc.
Reset all these passwords along with the passwords of any 3rd-party service you use on the website.
Here’s how to change the passwords:
- For changing the password, go to Users > Your Profile from the dashboard. You will find the new password field in the ‘Account Management’ section.
- For changing the cPanel, MySQL, FTP passwords, log into the control panel of your hosting account and follow the available options. If you are confused, contact the hosting support to get help.
When resetting or changing the passwords, make sure that you are now using a strong password. You should also force your existing users to perform a password reset for their accounts as well.
You can use the plugin Emergency Password Reset to force a password reset for all users.
Future Steps to Avoid Getting Hacked
While the steps mentioned above will help you restore your website, you should consider this as a warning sign. Here are some important steps you should take to make sure your site remains protected in the future from any other WordPress hack attempts:
Create A Backup Schedule
As you realize now, having regular backups of your website is crucial. Backups can save you if your site was hacked. Multiple backups are even better, because they would allow you to go back in time to a snapshot of the site before the hack happened.
Fortunately, you don’t have to do this manually. There are lots of free and premium plugins to help you keep regular backups of your site. UpdraftPlus is a popular backup plugin, while BackupBuddy and Jetpack are some highly recommended premium backup solutions.
We guess we don’t have to stress the importance of keeping your site updated. You should update the WordPress core, active themes, plugins and anything else there is the possibility to update. At the same time, make sure you delete the unused themes and plugins too.
Set up a Security Plugin
If you want to enhance the security of your website, you should use a hardening plugin like iThemes Security, Wordfence Security or Defender. These plugins help you to create a firewall so that you can prevent malicious traffic, block attackers and deal with other threats. You might also consider installing a full Web Application firewall such as Sucuri firewall.
Consider a Managed Hosting
When you choose a managed hosting, they will handle the security, maintenance, performance, and other issues for your website. That means you won’t have to worry about all these steps. Some reliable managed hosting providers include InMotion, WPEngine, and Kinsta.
Limit Login Attempts
By default, WordPress allows anyone to try unlimited passwords for any account. This leads to brute force attacks and possible site vulnerabilities. Fortunately, there are some free plugins like Login LockDown and Loginizer Security to help you limit the login attempts.
Disable PHP Execution
In most cases, hackers create backdoors by creating PHP files which look like core files. You can prevent these threats by disabling PHP execution in the relevant directories, like the uploads and includes folder. Here’s a step-by-step tutorial to do that.
Add Extra Password for Admin
Another handy trick to keep your site safe is to use an additional password for accessing the admin section. This is very easy to do in cPanel. Follow this tutorial to add the password in your WP admin.
Prefer video? Watch this video from Sucuri
If you have some time to go through the following video which can help to identify WordPress hacked sites and how to fix them. We’ve mentioned Sucuri a few times in this article, this video from Sucuri is quite a complete view of hacked sites.
Final Words: how to fix your hacked website
Being a victim of WordPress hacked site is a horrible experience, especially if this is the first time. However, now that you have read this article, you should have a clear idea about the necessary steps to get your hacked website back.
Feel free to bookmark and share this article so that others can know about the steps too.
If you’re confused, just go for a managed hosting solution and let someone else handle it for you.
This is just the beginning. As the web continues to evolve, so will the hackers and their attempts to infiltrate your site and chuck you out. Stay one step ahead by learning more about your friendly CMS and keeping up with updates and your stay on top of WordPress security - this will for sure ensure you prevent website hacking.
Need help getting your website cleaned? Try these top-rated affordable gigs on Fiverr!
Click here to find experts on WordPress security.
Please leave a useful comment with your thoughts, then share this on your Facebook group(s) who would find this useful and let's reap the benefits together. Thank you for sharing and being nice!
Disclosure: This page may contain links to external sites for products which we love and wholeheartedly recommend. If you buy products we suggest, we may earn a referral fee. Such fees do not influence our recommendations and we do not accept payments for positive reviews.