17 Quick Ways to Prevent WordPress Hacking: the essential WordPress Security Issues checklist

or How to resolve common WordPress Security issues

There may be a lot of content management systems around, but none of them can hold a candle to WordPress. Hey, 16.2 million sites as of November 5, 2015 should give you an idea just how vastly superior and beloved this system is. WordPress security, and actionable tips to prevent WordPress hacking, still have a way to go, though. We want to help you secure your WordPress website from the get go - prevention is better than cure, so make sure you action these tips to prevent WordPress hacking.

How to Prevent WordPress Hacking - Wordpress Security

Those millions of sites, however, also face serious attacks from annoying little sods who apparently, have nothing better to do with their time but spread misery far and wide: Hackers. It’s not uncommon to wake up one morning to find your beautifully assembled website waxing poetic about herbal enlargement pills or some cause in middle-east. Empathy is short lived when it’s your personal space they’re defacing with stupid quotes. Screaming incoherently is the first course of action you will take when your site is hosting full-page ads and redirects to shadier aspects of ‘pharma’ companies.

If you’re terrified, you’re justified. Everybody wants to prevent WordPress hacking. Recovering can take some intense time and effort. So harden your WordPress with these WordPress security best practices, lest that horrible fate befalls you. And yes, it’ll take some time and continuous effort to avoid WordPress hacking.

Don't like to get your hands dirty with code? Try iThemes security and let it do the dirty work.

If you don't want to go through a lot of messing with files, enabling of different plugins, and lots of other things you don't really get - we also have the easy way out for you. iThemes Security is the best WordPress security plugin to secure and protect your WordPress site.


Not interested in WP plugins just yet? Read on!


We’ll work up to some code work, but first, let’s take care of the basics of WordPress security issues. Starting with:

1. Preventing WordPress hacking starts with your workstation

This is the first and most easily overlooked: your computer. You should always keep your system free of malware and viruses, especially if you’re accessing the internet with it (which you are, of course). Workstation security is even more essential when you are conducting transactions and have a website, because all it takes is a keylogger to knock out the most hardened of WordPress websites. A keylogger will read all your usernames and passwords and send them to hackers - which of course is going to create a whole host of issues and problems for your website.

Stay safe and regularly update your OS, software, and browsers on your computer. Use a good anti-virus service. Keep your eyes peeled for any vulnerability on your system and remove it before it becomes a massive pain.

2. Stay protected from the latest security threats with WordPress Updates


Every time a software package gets updated, it does so in the midst of a wave of excitement. You are excited because, hey, new features! Hackers are excited because of the Security and Maintenance Release notes. This is because, unfortunately, each WordPress update also publishes the list of security vulnerabilities it fixes in the previous version.

WordPress is no different. With every new update we get additional features and upgrades, along with a page listing the security flaws in the previous version and their fixes. That page is practically a cheat-sheet for hackers everywhere. Should you fail to update in time, those security flaws will be the bane of your existence. And if your site gets hacked, it will be no-one’s fault but your own. 

So don’t give lazier hackers a chance to wriggle in. Install the latest version of WordPress as soon as it’s released. If you’re afraid it will mess up your carefully crafted website (it’s been known to happen), create a backup before you update. This will resolve any WordPress security issues which existed in the previous version - and goes a very very long way to prevent WordPress hacks.

Want your WordPress to get updated automatically? Check out InMotion for your hosting - they have excellent WordPress specific features so you can update WordPress automatically as soon as they are out. We're on InMotion, and we love it!

3. Prevent WordPress hacking: Make sure that your Hosting Server is secure

Did you know that by 2013, approximately 41% of WordPress websites were hacked through server vulnerabilities?

This rather alarming fact is true because a majority of WordPress sites/blogs are hosted on shared servers. Basically, if one site on a shared server gets infected, every other site is at risk, regardless of how secure the site/blog is otherwise. You’ll get hacked through no fault of your own.

Thought exercise: Have you ever been inside a soup kitchen? Can you picture one and imagine what happens in there? If you’re one of those lucky enough to have escaped that travesty, I’ll give you a taster (pun intended). Think of everything that has ever happened since the kitchen came into existence, spills and breaks, leaks and splashes. In a soup kitchen server, those things are never gone. They become a part of the kitchen.

Now imagine the same happening to your site. A server which scoffs at maintenance has devolved into a soup kitchen already. Unused files, data, sites, and more pile up until they become a security threat to current sites.

So choose a reliable and secure host. VPS and managed hosting minimizes chances of breaches and are excellent for e-commerce sites. If shared hosting is enough for you, check out their security before subscribing for space on them. Make sure to check their maintenance schedule. This is another step which should be on your priority list if you want to prevent WordPress hacking.

4. Use Network Security to prevent password and data interception

Over an unsecured connection, data can be intercepted and you can be hacked before being able to say “unencrypted”.

This is why you should focus on secure network connections and encryptions: server side, client side, and all the sides. Find a host that allows SFTP/SSH encryption to protect your data and information from malicious intercepts.

5. Prevent WordPress hacking through complex passwords


Essential WordPress security tip: create a secure password and don't reuse passwords

Our next step on how to protect WordPress from hackers talks about a much-cliched topic - passwords.

A startling number of people think long, complicated passwords are overrated and will prefer something shorter and easier to remember; a fact hackers know and take advantage of.

There is no other way to put this: a good strong password comprised of letters, numbers, and any other valid characters will actually go a long way to protect your WordPress blog. Brute-force attacks run endlessly, yes. But the more characters there are in your password, the longer it takes to crack it. And I mean exponentially longer.

Recommended Reading: 10 WordPress security tips for your website

Any personal details, or a password based on them, will be easy to crack. Don’t use single words (regardless of length), letters-only, or numbers-only passwords either. What you’re trying to do is break the known patterns to make hacking difficult, if not impossible.

Create a password which is easy to remember but hard to guess to prevent WordPress hacking - if your blog is about WordPress security, make it something like pressmyWORDSand5ecurit!$


6. WordPress Security through isolation: Keep your WordPress Databases Secure and isolated

Your database knows everything that has ever happened on your site. It’s a veritable well of information and that makes it damn near irresistible to hackers.

Automated SQL injection tools can be run to hack into WordPress databases with relative ease. If you are running multiple sites/blogs from a single server (and database), all your sites are at risk.

As the WordPress documentation puts it, it's best to use individual databases for each blog/site and have them managed by separate users. You can also revoke all database privileges except data read and data write from users who will only work with posting/uploading data and installing plugins. It is not recommended, though, due to the schema change privileges required in major updates.

You should also rename your database tables (by changing their prefix) to misdirect the hackers aiming their attacks at them. Although this does not prevent WordPress hacking per se, it makes sure that if one database is compromised, the hackers can't simply hop to the next WordPress installation.

7. Hide WordPress login and admin name

Next on how to secure WordPress from hackers concerns the WP Administration.

Leaving WordPress defaults untouched is practically asking for trouble.

It is laughably simple to find your site's admin name if you don't actively hide it. All a hacker needs is to add ?author=1 after your URL, and the person/member who shows up is most likely the admin. Imagine how easy it would be for the hackers to use brute force once they find the admin's username. How can you prevent WordPress hacking if you are leaving so much information available, making exploitation easier?

Solution to prevent WordPress hacking: Hide all usernames with this code in functions.php file:

add_action( 'template_redirect', 'bwp_template_redirect' );

// Send every request for an author archive (which is where /?author=N ends up)
// back to the home page, so usernames cannot be read off author URLs.
function bwp_template_redirect() {
    if ( is_author() ) {
        wp_redirect( home_url() );
        exit;
    }
}

Your WordPress login page is also easy to access, and not just for you. I can simply add wp-admin or wp-login.php after your homepage URL, fill the username I learned from ?author=1 and sip mint juleps while the algorithm cracks your password.

Use the age old technique of ‘smoke-and-mirrors’ and change your login page URL to make the hackers’ job that much difficult. WordPress security plugins like Stealth Login will even do it for you - and once again, doing this simple step will go a very long way in preventing WordPress hacking.

Not sure whether you can deal with all this?

Need some help? Have a look at iThemes Security Pro - one plugin and your WordPress is safe. Guaranteed.

8. Prevent WordPress hacking through security plugins and tricks to protect wp-admin

Your wp-admin is a seat of authority. The login page and admin directory are available to all: including those with malicious intent. To protect it and prevent WordPress hacking, you’ll need to work just a bit harder.

A strong password, a different administrator account (with a username that's anything but 'admin'), and using the Stealth Login plugin to rename your WordPress login links will definitely help to prevent hacking.

You can also strengthen the guard around admin with WordPress security plugins like:

  • Limit Login Attempts - with a bit of scripting coupled with unlimited login attempts, any hacker will eventually break in. You can restrict the amount of liberty anyone is allowed to take with the admin login page using Limit Login Attempts. It limits the number of login attempts for each IP address, including your own (with auth cookies).

  • SSL - this encrypts your communications

Use the power of Private SSL to secure admin login, area, posts, and more. This enables encryption on your login sessions, meaning the password is difficult to intercept. You'll need to get an SSL Certificate and get it installed on your hosting server. InMotion offer SSL certificates for free on their hosting plans - so if you still haven't, maybe it's time to switch to InMotion to get your SSL too.

Once you have confirmed with your hosting provider that you have Shared SSL, paste this code in wp-config.php:

define('FORCE_SSL_ADMIN', true);

  • Acunetix Secure WordPress - this plugin is a superb security solution in general, but some key features make it even better. First of all, it runs a WordPress security scan. It also pays close attention to preventive measures so you actually stop WordPress hacking from happening in the first place. To protect the admin area, it removes error information from the login page.

That may not sound like much, but the error message actually helps hackers find out if they had gotten anything right. Removing the message (hint) takes away that advantage. If you want to avoid WordPress hacking, get at least some of these plugins set up.
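Tips 7 and 8 describe what the attacker's traffic looks like from the server side: a walk through ?author=1, ?author=2, ... to harvest usernames, followed by a burst of password guesses against wp-login.php. The script below is an added example written for this article (it is not part of the original post and not the logic of Limit Login Attempts or any other plugin) that flags both patterns in Apache combined-format access logs. The log lines are constructed, and the thresholds (3 distinct author ids, 5 failed logins) are assumptions you would tune. It relies on one WordPress detail: a failed login re-renders the form with HTTP 200, while a successful one answers with a 302 redirect.

```python
"""Flag author-enumeration probes and login brute-force bursts in an Apache access log.
Added example for this article; sample log lines are constructed, thresholds are assumptions."""
import re
from collections import defaultdict

# Apache combined/common log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: 203.0.113.9 walks ?author=1..4, then fails five logins and succeeds
# on the sixth; 198.51.100.7 is a legitimate administrator logging in once.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Oct/2016:13:55:36 +0000] "GET /?author=1 HTTP/1.1" 301 0
203.0.113.9 - - [10/Oct/2016:13:55:37 +0000] "GET /?author=2 HTTP/1.1" 301 0
203.0.113.9 - - [10/Oct/2016:13:55:38 +0000] "GET /?author=3 HTTP/1.1" 404 0
203.0.113.9 - - [10/Oct/2016:13:55:39 +0000] "GET /?author=4 HTTP/1.1" 404 0
203.0.113.9 - - [10/Oct/2016:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.9 - - [10/Oct/2016:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.9 - - [10/Oct/2016:13:56:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.9 - - [10/Oct/2016:13:56:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.9 - - [10/Oct/2016:13:56:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.9 - - [10/Oct/2016:13:56:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [10/Oct/2016:14:02:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [10/Oct/2016:14:02:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 8812
"""


def parse_log(text):
    """Parse log text into a list of dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def author_enumeration(events, min_ids=3):
    """IPs that requested ?author=<n> for at least min_ids distinct n -> {ip: sorted ids}."""
    seen = defaultdict(set)
    for event in events:
        match = re.search(r"[?&]author=(\d+)", event["path"])
        if match:
            seen[event["ip"]].add(int(match.group(1)))
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= min_ids}


def login_bruteforce(events, max_failures=5):
    """IPs with at least max_failures failed logins (POST /wp-login.php answered 200)."""
    failures = defaultdict(int)
    for event in events:
        if (event["method"] == "POST" and event["path"].startswith("/wp-login.php")
                and event["status"] == "200"):
            failures[event["ip"]] += 1
    return {ip: n for ip, n in failures.items() if n >= max_failures}


def report(text):
    events = parse_log(text)
    return {
        "author_enumeration": author_enumeration(events),
        "login_bruteforce": login_bruteforce(events),
    }


if __name__ == "__main__":
    for kind, offenders in report(SAMPLE_LOG).items():
        print(f"{kind}: {offenders or 'none'}")
```

Feed it a real log with `report(open("/var/log/apache2/access.log").read())` (path assumed). Any IP that appears in both results is a good candidate for the Deny rules in tip 16, and the same two signals are what a login-limiting plugin reacts to in real time.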

Top Tip: Advanced WordPress Security

The rest of the tips require tinkering with your WordPress installation, which brings along some risk. If you'd rather not tinker around with your installation, you might want to hire a WordPress developer to help you out.

9. Prevent WordPress hacking through wp-includes security

Let’s get this straight: wp-includes is the core. It should be left alone, even by you. And by no means should it be left accessible to potential hackers.

So prevent any malicious persons/ bots from sending unwanted scripts straight to the heart of your WordPress to prevent hacking attacks. Add this before #BEGIN WordPress in your .htaccess file:

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# BEGIN WordPress

Note that you’ll have to omit the third RewriteRule if you want the code to work on Multisite.

10. Protect your wp-config for improved WordPress security

This is one of the WordPress security issues that is a bit controversial. Not everybody agrees with doing this.

Whether or not you actually move wp-config.php outside the root folder, there’s no denying that a bit of tweaking the code in this file can help harden security and prevent WordPress hacking.

Not sure whether you can handle all of this security stuff? There's one WordPress security plugin to rule them all

  • Start with disabling the editing of PHP files from the dashboard, which is where an attacker will concentrate after getting in through an access point. Add this to wp-config.php:

define('DISALLOW_FILE_EDIT', true);

  • $table_prefix is placed before all your database table names. Changing it from the default wp_ blunts automated SQL injection attacks that assume the default table names.

$table_prefix = 'r235_';

  • Move the wp-content directory from its default position with this:

define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content' );
define( 'WP_CONTENT_URL', 'http://example/blog/wp-content' );
define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content/plugins' );
define( 'WP_PLUGIN_URL', 'http://example/blog/wp-content/plugins' );

Now if you're not a developer, you don't have much use for error logs. You can stop PHP errors from being displayed to visitors and have them written to a log file instead with these php.ini settings:

error_reporting = 4339
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /home/example.com/logs/php_error.log
log_errors_max_len = 1024
ignore_repeated_errors = On
ignore_repeated_source = Off
html_errors = Off

You can find more details on configuring error logging (and how to hide logs from public), but you don’t really need to delve that deep.


11. Backup your WordPress site (just in case)


This is the safety net. A backup is one of the first things you’ll need to restore your site if you do get hacked.

Backup your site at least as frequently as you run maintenance or update it. There’s no excuse to be lax in this department, not when there are some quite thorough services and plugins that will run automated backups for you. There is VaultPress, UpdraftPlus, WP-DB-Backup, BackupBuddy, etc.

Recommended Reading: Native vs plugin - WordPress backup using different methods

Create a schedule and let the plugin do the rest. Some of these plugins come with easy restore options. Check to ensure that the plugin is backing up the entire site, including all databases and directories. Although this does not prevent WordPress hacking, it gives you the peace of mind of restoring your site if the unthinkable happens.


12. Use trusted sources only for downloads

If you are running on a tight budget (and even if you aren’t), you might be tempted by the option of getting all the features and functionalities of premium plugins/themes for free. In short: pirated goods.

You can't prevent WordPress hacking if you are downloading premium stuff from ill-reputed or unauthorized sources - they will come back to punch you in the heart. They are ill-reputed because they will fill those legit ‘premium’ plugins/themes with malware and let the stupid folks do the rest. A hidden backdoor will be all they need to convert your brand’s online appearance into a giant poster for enlargement pills - or even worse, malware. Your site will quickly get blacklisted, even from search engines and browsers if it contains malware. You'll need much more than WordPress security to fix these problems.

This is a known and very popular tactic of hackers. Pirated themes and plugins are riddled with backdoors and malware. This is one of the easiest WordPress security issues to steer clear of.

Remember: Pirated stuff? Don’t bother.

You’re good with WordPress Themes and Plugins directories, so try sticking to those. You can also trust sources like Envato Market (Theme Forest, Code Canyon), Elegant Themes, etc.

13. Secure your WordPress by looking like a Pro

A rookie is easier to hack. At least, that’s what most hackers think (not incorrectly). Even the Bible says: Abstain from all appearances of being an amateur; even, and especially if you are one.

Change all defaults: posts, comments, usernames, directory names, etc. It’s easier when you’re setting up. If you already have WordPress up and running, go to Settings > Miscellaneous (in your Admin controls) to change directory names. This will be another step in your drive to prevent WordPress hacking and make hacking your site much more difficult.

To hide which version of WordPress you're on, remember to delete /wp-admin/install.php and wp-admin/upgrade.php. Take it a step further and remove the meta generator tag from wp-content/your_theme_name/header.php. You should also remove the version detail from the RSS feed.

To do this, open wp-includes/general-template.php. Around line 1860 you'll find this:

function the_generator( $type ) {
    echo apply_filters( 'the_generator', get_the_generator( $type ), $type ) . "\n";
}

Add a hash before the echo command and you're golden. Bear in mind that a WordPress update replaces this file, so the edit has to be repeated after every update.

function the_generator( $type ) {
    #echo apply_filters( 'the_generator', get_the_generator( $type ), $type ) . "\n";
}

14. Strong WordPress Security requires correct File permissions

The rule of thumb is 755 for directories and 644 for files. Although, this varies depending upon server and the type of file in question - in most cases, you should work very well with these permissions. It would be best to ask your host to check, or if you've got direct access, you can do this yourself.

For directories:

find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;

For files:

find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;

15. WordPress Security sins: Never ever set file permissions to 777 (not even temporarily)

If you are serious about wanting to prevent WordPress hacking - NEVER set file/directory permission to 777 unless you want to give complete control over it to everyone, including hackers. There is a very dangerous tendency amongst beginners to set file permissions to 777, "because it's easy", or "because we'll fix it later", or "because I'll change it later". This is extremely dangerous - 777 means anybody who wants can change the contents of that file. With those permissions set, your website is an open house. Once they have access to one file, rest assured it is very easy to jump to other files or install backdoors and other nasty stuff to your site.

WordPress codex gives you a complete guide to file permissions: how to change them and the recommended permissions for some files. You need to balance security with functionality, so start low and gradually increase permissions till you get it right. The right file permissions will surely help avoid WordPress hacking. Again, this is one of easier WordPress security issues to prevent, you just need to be aware of it.
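As an added example (not from the article or the Codex), the script below audits a WordPress tree the way tips 14 and 15 describe: it reports every entry whose mode grants more than 755 for directories or 644 for files, and flags world-writable entries (the 777 case) separately. Stricter modes, such as a 600 wp-config.php, are left alone, which matches the "start low and increase" advice. It builds a small constructed sample tree in a temporary directory so it runs anywhere; point audit_permissions() at a real install path to use it for real.

```python
"""Audit a WordPress tree for permissions looser than 755 (directories) / 644 (files)
and flag anything world-writable. Added example for this article; it assumes a POSIX
filesystem. The sample tree below is constructed in a temporary directory."""
import os
import stat
import tempfile

DIR_BASELINE = 0o755
FILE_BASELINE = 0o644


def audit_permissions(root):
    """Return {relative path: {"mode", "baseline", "world_writable"}} for every entry
    whose mode sets bits beyond the baseline. Stricter modes are not reported."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, DIR_BASELINE) for d in dirnames] + [(f, FILE_BASELINE) for f in filenames]
        for name, baseline in entries:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & ~baseline:  # any bit set that the baseline does not grant
                findings[os.path.relpath(path, root)] = {
                    "mode": oct(mode),
                    "baseline": oct(baseline),
                    "world_writable": bool(mode & stat.S_IWOTH),
                }
    return findings


def build_sample_tree():
    """Constructed sample install: correct entries, one stricter-than-baseline file,
    and three mistakes (a group-writable core file, a 777 file, a 777 uploads dir)."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    for rel in ("wp-content/uploads", "wp-includes"):
        os.makedirs(os.path.join(root, rel))
    for rel, mode in [
        ("index.php", 0o644),                     # correct
        ("wp-config.php", 0o600),                 # stricter than 644: fine
        ("wp-includes/functions.php", 0o664),     # group-writable: reported
        ("wp-content/uploads/cache.php", 0o777),  # the 777 sin: reported, world-writable
    ]:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample file\n")
        os.chmod(path, mode)
    for rel, mode in [("wp-content", 0o755), ("wp-includes", 0o755), ("wp-content/uploads", 0o777)]:
        os.chmod(os.path.join(root, rel), mode)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for path, info in sorted(audit_permissions(sample).items()):
        flag = "  WORLD-WRITABLE" if info["world_writable"] else ""
        print(f"{path}: {info['mode']} (baseline {info['baseline']}){flag}")
```

The world-writable flag is the one to act on first: a 777 entry under wp-content/uploads is exactly the writable spot the second half of this page lists as a favourite backdoor location.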

16. Allow access to WP admin and login to your IP only through IP filtering

A very simple, elegant way to restrict access to the login page and admin area is through IP filtering. All you need to do is add this code to .htaccess. This suggestion comes with thanks to Sucuri, who provide an excellent WordPress security service.

<Files wp-login.php>
Order Deny,Allow
Deny from All
Allow from [Add your IP address(es) here]
</Files>

Now that works only for static IPs, but you can do the same for dynamic IPs with this:

<Files wp-login.php>
Order Deny,Allow
Deny from All
Allow from [Add your domain name here]
</Files>

To restrict access to the wp-admin directory, add this to a .htaccess file inside the wp-admin directory itself (in the site root it would lock out every visitor; if your theme or plugins call wp-admin/admin-ajax.php for visitors, allow that file separately):

<FilesMatch ".*">
Order Deny,Allow
Deny from All
Allow from [Add your IP address(es) here]
</FilesMatch>

By domain name:

<FilesMatch ".*">
Order Deny,Allow
Deny from All
Allow from [Add your domain name here]
</FilesMatch>

Source: blog.Sucuri.net

17. WordPress Security Plugins to Prevent WordPress hacking

Although we don't tend to advocate the use of many plugins, when it comes to WordPress security plugins, there are some which you really might want to install to increase the security of your site.


  • iThemes Security Pro - Listen, many of the above actions are a bit technical no doubt about that. We get that. If you are not technically inclined, we have the solution for you. iThemes Security is the best WordPress security plugin to secure and protect your WordPress site.

  • Two-factor authentication - Google Authenticator and Duo Two-Factor Authentication are great choices for adding an extra layer of protection on your login page. An authorization code will be sent to your email/mobile, without which the user/hacker will not be able to log in.

  • BBQ - is there anything better than a nice BBQ? This plugin will block URI strings containing eval(base64 and other suspiciously long request strings.

  • Theme checker - check your theme for malware and hidden backdoors with this plugin before someone exploits those weaknesses in an otherwise secure site/blog.

  • Antivirus Plugins

This one is a no-brainer. Conduct frequent site scans and eradicate infections before they take hold. Plugins/services like Sucuri, Wordfence, etc. The previously mentioned Acunetix Secure WordPress is another good one. Exploit Scanner will check your site inside out for malicious code too.
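BBQ watches for eval(base64 in requests; the theme checker and exploit scanners look for the same kind of obfuscated code sitting inside files. The scanner below is an added example built for this article (it is not the detection logic of BBQ, Exploit Scanner or any plugin named above): it runs a handful of constructed heuristics over PHP sources and additionally flags any .php file under wp-content/uploads, where executable code never belongs. The sample files are constructed; every pattern has rare benign uses, so a hit means "read this file", not "delete it".

```python
"""Scan PHP sources for obfuscation and remote-control patterns that injected malware
and backdoors commonly use. Added example for this article; the patterns and the
sample files are constructed and are not any plugin's detection logic."""
import re

# (finding name, pattern). Constructed heuristics, each with possible benign uses.
SUSPICIOUS = [
    ("eval_base64",                 # eval() of a decoded/inflated blob
     re.compile(r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13)?\s*\(?\s*base64_decode\s*\(", re.I)),
    ("preg_replace_e",              # the /e modifier executes the replacement as PHP
     re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]")),
    ("call_from_request",           # $_POST['x'](...) style dynamic function call
     re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I)),
    ("exec_on_request",             # shell execution fed straight from request data
     re.compile(r"\b(?:system|shell_exec|passthru|exec|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)", re.I)),
    ("long_base64_blob",            # 200+ characters of base64 in a single literal
     re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]")),
]

UPLOAD_DIRS = ("wp-content/uploads/",)


def scan_source(path, source):
    """Return the list of finding names for one file (empty when it looks clean)."""
    hits = [name for name, rx in SUSPICIOUS if rx.search(source)]
    # Executable PHP has no business in the uploads tree at all.
    if path.endswith(".php") and path.startswith(UPLOAD_DIRS):
        hits.append("php_in_uploads")
    return hits


def scan_tree(files):
    """files: {relative path: source text}. Returns {path: findings} for files with findings.
    On a real site, build the dict by walking the install and reading each *.php file."""
    report = {}
    for path, source in files.items():
        hits = scan_source(path, source)
        if hits:
            report[path] = hits
    return report


# Constructed sample files: a clean theme, an injected theme footer, a dropper in uploads,
# a benign plugin that decodes base64 legitimately, and a plugin using the /e modifier.
SAMPLE_FILES = {
    "wp-content/themes/clean/functions.php":
        "<?php\nfunction clean_setup() { add_theme_support('title-tag'); }\n",
    "wp-content/themes/oldtheme/footer.php":
        "<?php eval(gzinflate(base64_decode('" + "A" * 240 + "'))); ?>",
    "wp-content/uploads/2016/10/image.php":
        "<?php if (isset($_POST['c'])) { system($_POST['c']); } ?>",
    "wp-content/plugins/legit/legit.php":
        "<?php $icon = base64_decode($settings['icon']); // decoding an icon is not evil\n",
    "wp-content/plugins/oldplugin/filter.php":
        "<?php echo preg_replace('/(.*)/e', $_REQUEST['q'], ''); ?>",
}


if __name__ == "__main__":
    for path, findings in sorted(scan_tree(SAMPLE_FILES).items()):
        print(f"{path}: {', '.join(findings)}")
```

Note how the benign plugin that merely calls base64_decode() is not reported: the heuristics key on the combination (decode feeding eval, request data feeding a shell call), which is what keeps the false-positive rate bearable on a real install with hundreds of plugin files.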


The Essential Checklist to full WordPress Security - YouTube version

Thanks to Webucator, a provider of WordPress training, we've got this checklist created as a video.


WordPress hacked? - 7 essential steps to fully restore your website


Sucuri releases a website hacked trend report for each quarter. In their latest report, they have revealed that WordPress powered 78% of the sites hacked in the second quarter of 2016. WordPress hacked sites remain a real problem. (Read More: the Sucuri Website hacked report here)

That is not surprising since WordPress is by far the largest platform to create new websites. This leads to the fact that hackers always find it more profitable to look for vulnerabilities in WordPress sites. It doesn’t matter what security measures you take; it is impossible to guarantee the perfect security for any website. Being the most popular platform for creating websites, the risk is significantly higher for WordPress sites.

Because of the increased risk and fewer guidelines about WordPress security, we have decided to take things into our own hands. The result is this in-depth tutorial. In this tutorial, we are going to introduce you to 7 essential steps you should take to fix your hacked WordPress site.


WordPress hacked?

Before we begin the procedure, let’s find out what causes the problem in the first place. In general, there are two types of vulnerabilities –

  1. Common Vulnerabilities and
  2. Security Vulnerabilities.

Let’s take a closer look at each type. Both types can be exploited by security hackers.

Before you begin - restoring a WordPress hacked website is not something which can be undertaken by people without sufficient knowledge. It is highly advisable to ask for help from WordPress developers who are highly skilled before attempting to do this if you're not comfortable tinkering around.

Common Vulnerabilities which result in hacked WordPress sites

The common vulnerabilities can come from either your local machine or from the hosting provider. Most of us are probably familiar with this type of problem. These problems can happen if your PC or local network is compromised. When hackers gain access to your PC or the network, they can easily target a website you own - with the result being a compromised or hacked WordPress site.

You can avoid these situations by using reliable anti-virus and anti-malware scanning tools. You need to apply common sense when using the internet. Comodo and Malwarebytes have provided some handy tips to keep your PC safe from hackers. If you are using a router, it is also important to keep the device updated with the latest firmware.


Secondly, the problem can arise from your hosting provider, especially if you are using a shared hosting package. As you probably know, a shared hosting package shares the server among numerous users. If any of these users doesn’t follow the best practices, the whole server is under serious threat.

In some cases, one site in a shared hosting package gets compromised, and it allows the hacker to infiltrate other sites on the same server. In that case, you need to consult with your hosting provider, and they will take the necessary steps. This means that even if your site is fully updated and protected, you may still end up with a hacked WordPress site.

Incidentally, if you’re looking for a very secure hosting provider, you should seriously consider InMotion hosting - we feel very well protected on this service.

Now that we have identified the common vulnerabilities, let’s take a look at the security aspects.

WordPress hacked through Security Vulnerabilities

There are several types of security vulnerabilities for WordPress. We will talk about the ones which are most common –

  • Weak username/password combinations: We don’t think we have to tell you the importance of using a secure password. Since the 3.8 version, WordPress itself has started to put more focus on forcing the users to use a strong password. There is a built-in password strength detection feature in the admin dashboard. The rule of thumb is never to use any predictable username (such as admin), and always use strong passwords. These will make it more difficult for the hackers to access your WordPress site.
  • Theme/plugin bugs: While it is a best practice to use familiar themes and plugins, sometimes the most popular ones can have a hidden security flaw too. If that happens, you will find the news in the WordPress blogs. However, you will probably be safe if you make sure that you are using only trusted themes or plugins. Check out the reviews, rating, number of downloads, etc. to analyze the reliability. And never ever use pirated themes or plugins. It is a known fact that most of these contain harmful code, which can lead to a backdoor in your site. You'll surely end up with a hacked WordPress site in no time if you use pirated versions of themes and plugins. What you think is free will cost you much more than you expect in fixing your hacked website.
  • Not updating WordPress, themes, or plugins: Using an outdated version of WordPress, themes, or plugins is another major reason for security breaches resulting in a hacked WordPress site. Most updates include something to improve the security and performance of your website. Therefore, it is necessary that you update WordPress, themes, and plugins as soon as they are available. Make sure to perform a full site backup before updating.

What to Do When Your WordPress is Hacked?

It doesn’t matter whatever security measures you take; some evil jerk will always find newer ways to access your site. If you have fallen victim to WordPress hacking, don’t panic and follow the steps described below.

1. Identify the Type of WordPress Hack

The solution to getting your site back depends on the type of WordPress hack. That means the first step is to define the type.


Here are the questions you should ask to do that :

  • Can you access the admin section?
  • Is your site being redirected to another site?
  • Are there any unknown link(s) on your site?
  • Is Google warning the visitors about your site?
  • Has your hosting provider informed you that your site is looking suspicious?
  • Is your site showing unknown adverts in the header, footer, or other sections?
  • Are there any unwanted popups displayed?
  • Is there an unexpected spike in the bandwidth usage?

Go through the questions one by one and try to find out the answers for each of them. This will help you find the best course of action to regain control of your hacked WordPress site.

2. Try Restoring from Backup

If you follow the best practices, you should have daily, weekly, or monthly backups of your WordPress site. The backup frequency depends on how frequently you post or make changes to your website.

When you are taking regular backups, regaining your hacked WordPress site is as easy as restoring the latest backup. If you have set up an automatic backup schedule, find out the last backup before your site was hacked and restore that version.


You then need to make sure that you update any plugins, themes or anything which had not been updated.

What if you didn’t take backups of your site? Does that mean you have lost your site forever?

No actually.

There are other options too. Most reputed hosting services keep regular backups of their client sites. Ask your hosting provider if they keep a backup. If they have, you can ask them to restore your site from the last stable backup.

If there is no backup, you’ll have to go through a procedure of cleaning your hacked WordPress site which we show below.

3. Seek Help from Your Hosting Provider

More than 40% of the hacked websites had some security vulnerability in the hosting platform. Therefore, when you get your WordPress hacked, asking your hosting provider to help you get back your site could be a good idea.


Any reliable web hosting company should be willing to help you in these cases. They employ professionals who deal with these situations every day. They are very familiar with the hosting environment and have access to advanced website scanning tools.

Therefore, they will be able to help you fight back most of the common WordPress hacking attacks. If the hack originated from the server, your hosting company would be able to help you get back the site.

4. Scan for Malware

In many cases, hackers gain access to your website by using backdoors. Backdoors create unauthorized entry points to your website. When using backdoors, hackers can access your website without requiring any login information and remain virtually undetected.


Here are the common locations of backdoors which you need to check if your WordPress site was hacked –

  • Themes: inactive themes are a favourite hiding place, because nobody looks at them and updating WordPress does not touch them. Delete every theme you are not using (keep one default theme as a fallback for troubleshooting).
  • Plugins: the plugins folder is another likely place for malicious code. Most people never look at plugin files, many leave plugins un-updated as long as they work, and poorly coded plugins are themselves a common way in.
  • The Uploads Folder: you would normally never look here, since it only holds the files you uploaded. That is exactly why attackers like it: the folder must be writable by the web server, and one PHP file among thousands of images in dated subfolders is easy to miss. There is no legitimate reason for a .php file to exist under wp-content/uploads.
  • The wp-includes Folder: part of WordPress core and ignored by most users. A backdoor here is usually given a core-looking file name so that it blends in.
  • The wp-config.php File: it is loaded on every request and holds the database credentials, so injected code here runs on every page load. Because the file is so well known, sophisticated attackers tend to avoid it, but it is still a good place to start.

Don't like to get your hands dirty with malicious scripts? Try iThemes security and let it do the dirty work.

The only way to get rid of a backdoor is to find and remove the malicious code. Several plugins can scan your site for it: iThemes Security, WPMU DEV Defender, Sucuri Security, Exploit Scanner and Theme Authenticity Checker are the best known. They detect unexpected changes to core files, themes and plugins. Bear in mind that a scanner running inside a compromised site can itself be tampered with, so treat a clean result from it as a hint, not proof.


If a scanner flags a suspicious file, take a full backup first (keep a copy of the malicious file for later analysis) and then delete it. If a theme or plugin is compromised, remove it entirely and reinstall a fresh copy downloaded from WordPress.org or the vendor, never a copy taken from the compromised site.

If changes are detected in core WordPress files, replace the affected files with originals from a fresh download of the same version from WordPress.org. WordPress.org publishes MD5 checksums for every release, and WP-CLI's `wp core verify-checksums` compares an installation against them. Copying files from another installation is only safe if you are certain that one is clean.
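To make the scan-and-verify steps above concrete, here is an added shell example; it is not from the original post and not part of any of the plugins named above. It runs against a constructed sample site with two planted backdoors and one tampered core file, so the paths, the sample files and the checksum manifest are all assumptions. Note that the tampered load.php contains nothing the pattern grep flags, which is why the checksum comparison against a clean download is the step that catches it.

```shell
#!/bin/sh
# Added example, not code from the original post or from any plugin it names:
# a first-pass backdoor triage for a WordPress tree, run from a shell on the
# host. It (1) lists PHP files under wp-content/uploads, where no PHP belongs,
# (2) greps every PHP file for constructs typical of web shells, and (3) checks
# core files against a known-good checksum manifest. The sample site, planted
# backdoors and manifest are constructed for the demo; on a real host point the
# functions at the site root and build the manifest from a clean download of
# the same WordPress version.
set -eu

# 1. Executable files in the uploads tree. Any hit is suspect.
find_php_in_uploads() {   # $1 = site root
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' -o -iname '*.phar' \) \
        2>/dev/null | sort
}

# 2. Constructs that legitimate themes rarely need but web shells almost always
# use. Expect some false positives (assert/eval in a bundled library); every
# hit needs a human look, but a clean theme should produce none.
SHELL_PATTERNS='eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(|preg_replace[[:space:]]*\(.*/e|assert[[:space:]]*\(|(system|shell_exec|passthru|proc_open)[[:space:]]*\(|\$_(GET|POST|REQUEST|COOKIE)\[[^]]*\][[:space:]]*\('
grep_suspicious() {       # $1 = site root
    find "$1" -type f -name '*.php' -exec grep -lE "$SHELL_PATTERNS" {} + 2>/dev/null | sort || true
}

# 3. Compare core files with a manifest in md5sum format ("hash  relative/path"),
# e.g. built from a clean WordPress.org download of the same version. Prints one
# line per file that differs or is missing; prints nothing when all match.
verify_core() {           # $1 = site root, $2 = absolute path to manifest
    (cd "$1" && md5sum -c "$2" 2>/dev/null || true) | grep -v ': OK$' || true
}

# Constructed sample site: two clean core files, a clean theme, an image, and
# two planted backdoors (one in an inactive theme, one hidden among uploads).
# The manifest is taken before load.php is tampered with, as a clean download
# would be.
make_sample_site() {      # $1 = directory to populate
    root=$1
    mkdir -p "$root/wp-includes" "$root/wp-content/themes/twentyfifteen" \
             "$root/wp-content/uploads/2015/11"
    printf '<?php\n$wp_version = "4.3.1";\n' > "$root/wp-includes/version.php"
    printf '<?php\nfunction wp_load_translations_early() {}\n' > "$root/wp-includes/load.php"
    printf '<?php\nadd_action("after_setup_theme", "twentyfifteen_setup");\n' \
        > "$root/wp-content/themes/twentyfifteen/functions.php"
    printf 'photo bytes\n' > "$root/wp-content/uploads/2015/11/holiday.jpg"
    (cd "$root" && md5sum wp-includes/version.php wp-includes/load.php) > "$root/core.md5"
    # Planted backdoors (inert strings, constructed for the demo):
    printf '<?php eval(base64_decode("ZWNobyAxOw==")); ?>\n' \
        > "$root/wp-content/themes/twentyfifteen/404.php"
    printf '<?php @$_POST["c"]($_POST["a"]); ?>\n' \
        > "$root/wp-content/uploads/2015/11/cache.php"
    # Simulated core tampering that the pattern grep will NOT catch:
    printf 'include "/tmp/.x";\n' >> "$root/wp-includes/load.php"
}

SITE=$(mktemp -d)
make_sample_site "$SITE"
echo "== PHP under uploads";      find_php_in_uploads "$SITE"
echo "== suspicious constructs"; grep_suspicious "$SITE"
echo "== core files differing";  verify_core "$SITE" "$SITE/core.md5"
```

On a real host, run it as the site's own user, and keep the output: the list of flagged files and their modification times is the start of your timeline for working out how the attacker got in.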

5. Check User Permissions

It is likely that you have several users on your WordPress site, each with different capabilities depending on their role. Attackers sometimes create a new user with the administrator role so that they keep a way in even if the backdoor is removed. Or they may have got in through an existing account with a weak password.

To check, go to Users > All Users in the dashboard. Review every user and their role, paying particular attention to the registration date and e-mail address of each administrator. Most importantly, make sure no unauthorised account has the administrator role. Delete doubtful accounts straight away (WordPress asks what to do with their content; attribute it to a trusted user). If one turns out to belong to a real user, you can recreate it later.

Here are some more best practices to follow –
  • Never use the ‘admin’ username on your site. WordPress does not let you rename a user from the dashboard, so create a new administrator account, log in with it, then delete the old ‘admin’ account and attribute its posts to the new one. Avoid other guessable usernames too, but treat this as minor hardening: WordPress exposes usernames through author archives and the REST API, so a strong password and 2FA are what actually protect the account.
  • Use two-factor authentication to prevent unauthorised access, for example with a TOTP plugin such as Google Authenticator.
  • Add a CAPTCHA to your login form. It raises the cost of bots and automated scripts hammering your login page.

6. Change the Secret Keys

The secret keys and salts are eight random strings defined in wp-config.php. WordPress uses them to sign (hash) the authentication cookies and nonces, so anyone who knows them can forge a login cookie for any user. If they are still the placeholder text from wp-config-sample.php, add them now. If you have been hacked, rotate them: every existing session, including any the attacker holds, becomes invalid the moment the file is saved.

First, generate a new set from the WordPress.org secret-key generator at https://api.wordpress.org/secret-key/1.1/salt/. It returns a fresh set of random values on every request.

Now open wp-config.php on the server and find the block that defines AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT and NONCE_SALT. In a default file it sits around line 49, but the exact position varies, so search for AUTH_KEY.

Replace the eight values with the ones you just generated and save the file. Everyone, including you, will have to log in again, which is exactly the point.
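The same rotation done from the shell, as an added example that is not from the original post. It generates the values locally from /dev/urandom, which is an equally valid source of randomness and avoids pasting anything through a browser, rewrites the eight define() lines in place, and runs against a constructed sample wp-config.php; the file path and the sample content are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: rotate the eight keys and salts in
# wp-config.php from the command line. New values come from /dev/urandom on the
# server. The sample wp-config.php at the bottom is constructed for the demo.
set -eu

WP_KEYS='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

# 32 random bytes as 64 hex characters: 256 bits of entropy, and hex is safe
# both inside a PHP quoted string and inside the sed replacement below.
new_secret() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# Value currently assigned to one key (empty if the define is missing).
# Assumes the current value contains no quote character, as generated values do.
key_value() {             # $1 = wp-config.php, $2 = key name
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1"
}

# Rewrite every key in one sed pass. The copy made with cp -p keeps the file's
# owner and mode (wp-config.php holds the database password and must not become
# world-readable by accident); the rewritten copy then replaces the original.
rotate_wp_keys() {        # $1 = wp-config.php
    cfg=$1
    tmp="$cfg.rotating"
    script=''
    for k in $WP_KEYS; do
        script="$script${script:+;}s/^\([[:space:]]*define([[:space:]]*['\"]$k['\"][[:space:]]*,[[:space:]]*['\"]\)[^'\"]*\(['\"].*\)\$/\1$(new_secret)\2/"
    done
    cp -p "$cfg" "$tmp"
    sed "$script" "$cfg" > "$tmp"
    mv "$tmp" "$cfg"
}

# All eight keys present and none left at the sample-file placeholder? 0 = yes.
keys_look_sane() {        # $1 = wp-config.php
    for k in $WP_KEYS; do
        v=$(key_value "$1" "$k")
        case "$v" in
            ''|'put your unique phrase here') return 1 ;;
        esac
    done
    return 0
}

# Constructed sample: the defines as shipped in wp-config-sample.php, plus two
# unrelated defines that must survive the rewrite untouched.
make_sample_config() {    # $1 = path to write
    cat > "$1" <<'EOF'
<?php
define('DB_NAME', 'wp_demo');
define('DB_PASSWORD', 'keep-me-unchanged');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
EOF
}

CFG=$(mktemp)
make_sample_config "$CFG"
keys_look_sane "$CFG" && echo "unexpected: keys already set" || echo "before: placeholder keys"
rotate_wp_keys "$CFG"
keys_look_sane "$CFG" && echo "after: all eight keys rotated"
```

Run it against the real wp-config.php only after taking a copy, then load the site in a browser: you should be logged out, and `keys_look_sane` should report success. If a key is defined twice or with double quotes the sed still handles it, but a key that is missing altogether is not added; the function only rewrites lines that exist.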

7. Change ALL Your Passwords to prevent WordPress getting hacked again

This is a common but critical step in restoring a hacked WordPress website: reset all of your passwords. That means the WordPress accounts, the hosting control panel (cPanel), the MySQL database user, FTP/SFTP and SSH, and any other service connected to the site. Remember that after changing the database password you must also update DB_PASSWORD in wp-config.php, or the site will stop working.

When doing that, make sure you are using a strong password. If possible, you should force your existing users to perform a password reset for their accounts as well.


Here’s how to change the passwords –

  • To change a WordPress password, go to Users > Your Profile in the dashboard. The new-password field is in the ‘Account Management’ section; let WordPress generate one rather than inventing your own.
  • To change the cPanel, MySQL and FTP passwords, log in to your hosting control panel and use its password options. If you are unsure, contact the hosting support for help.

Future Steps to Avoid Getting WordPress Hacked

While the steps mentioned above will help you get your WordPress site back, you should consider this as a warning sign. Here are some important steps you should take to make sure your site remains protected in the future from any other WordPress hack attempts –

  • Create A Backup Schedule: as you now realise, regular backups of your WordPress site are critical. Fortunately you do not have to do this manually; there are many free and premium plugins for the job. UpdraftPlus is a popular free backup plugin, while VaultPress and BackupBuddy are well-regarded premium options. Keep at least one copy off the server: an attacker with file access can delete on-server backups too.
  • Update Everything: we hardly need to stress the importance of keeping your site updated. Update WordPress core, active themes and plugins, and delete unused themes and plugins rather than leaving them installed.
  • Set up a Security Plugin: a security plugin such as Wordfence Security or Defender adds a web application firewall that blocks malicious requests and known attackers, plus login hardening and file-change alerts. A hosting-level or CDN-based web application firewall in front of the site is a stronger option, since it filters traffic before it ever reaches PHP.
  • Consider a Managed Hosting: with managed WordPress hosting, the provider handles security, maintenance, performance and related issues for you, so most of the steps above become their problem rather than yours. Reliable managed hosting providers include InMotion, WPEngine, Kinsta and Pagely.
  • Limit Login Attempts: by default WordPress lets anyone try an unlimited number of passwords against any account, which makes brute-force attacks cheap. Free plugins such as Login LockDown and Loginizer Security lock an IP or account out after a number of failures. Pair this with two-factor authentication, since limiters alone do not stop slow, distributed guessing.
  • Disable PHP Execution: backdoors are usually PHP files dropped where the web server will execute them, often named to look like core files. Prevent this by disabling PHP execution in directories that should only hold data, such as wp-content/uploads, and by blocking direct web requests to PHP files in wp-includes, which are only ever included by core and never requested directly.
  • Add Extra Password for Admin: put HTTP basic authentication in front of /wp-admin; cPanel’s directory password protection does this in a few clicks. Exclude wp-admin/admin-ajax.php, which front-end features and some plugins call for anonymous visitors, or those features will break.
  • Install a local antivirus: it is surprisingly common for websites to be compromised through malware on your own PC that steals saved FTP and WordPress credentials. Make sure an antivirus is installed and up to date on every machine from which you access your website.
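For the ‘Disable PHP Execution’ item, an added shell example that is not from the original post or from any tutorial it links to: it writes the .htaccess for wp-content/uploads, prints the nginx equivalent (nginx ignores .htaccess entirely), and checks which file names the rule catches. The directory path is an assumption. Two caveats: an .htaccess file only works if the server’s AllowOverride setting permits it, and an attacker who can write to uploads can delete or overwrite the file, so the same rule in the main server configuration is the stronger choice.

```shell
#!/bin/sh
# Added example, not from the original post: drop an .htaccess into
# wp-content/uploads that stops Apache executing PHP there, plus the matching
# nginx rule. The extension regex also catches double extensions such as
# shell.php.jpg, which Apache may still hand to the PHP handler when multiple
# extensions are enabled. Paths are assumptions; adjust for your layout.
set -eu

# Extensions commonly mapped to the PHP handler, followed by end-of-name or
# another dot (the double-extension case).
PHP_EXT_RE='\.(php|phtml|php[0-9]|phar)(\.|$)'

# Write the deny rule. Apache 2.4 uses Require; the 2.2 form is kept for older
# hosts, each guarded so a server only sees directives it understands.
harden_uploads() {        # $1 = absolute path of wp-content/uploads
    cat > "$1/.htaccess" <<EOF
# Block execution of PHP anywhere in the uploads tree
<FilesMatch "$PHP_EXT_RE">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
EOF
}

# nginx has no .htaccess; this goes in the server block, before the generic
# "location ~ \.php$" that passes requests to PHP-FPM.
nginx_uploads_rule() {
    cat <<'EOF'
location ~* ^/wp-content/uploads/.*\.(php|phtml|php[0-9]|phar)(\.|$) {
    deny all;
}
EOF
}

# Would the rule refuse this file name? 0 = blocked, 1 = served as normal.
is_blocked_name() {       # $1 = file name
    printf '%s\n' "$1" | grep -qE "$PHP_EXT_RE"
}

UPLOADS=$(mktemp -d)
harden_uploads "$UPLOADS"
echo "== $UPLOADS/.htaccess";   cat "$UPLOADS/.htaccess"
echo "== nginx equivalent";     nginx_uploads_rule
echo "== names the rule catches"
for n in shell.php cache.php5 index.phtml shell.php.jpg holiday.jpg; do
    is_blocked_name "$n" && echo "$n: blocked" || echo "$n: allowed"
done
```

After deploying, confirm the rule is actually honoured: upload a harmless file named test.php to the uploads folder and request it in a browser. You should get a 403, not a blank page or PHP output. If PHP still runs, the .htaccess is being ignored and the rule has to go in the server configuration instead.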

Like video? Watch this WordPress hacked video from Sucuri

If you have some time, the following video from Sucuri (a company we have mentioned several times in this article) gives a fairly complete picture of how WordPress sites get hacked and how to fix them.

Final Words: how to fix your WordPress hacked website

Having your WordPress site hacked is a horrible experience, especially the first time. However, now that you have read this article, you should have a clear idea of the steps needed to get your hacked WordPress site back.

Feel free to bookmark and share this article so that others can know about the steps too.

Have you ever had any of your WordPress sites hacked? If yes, please share your experience and let us know how you got the site back in the comments below.

Bottom Line

If you’re confused, just go for a managed hosting solution and let someone else handle it for you.

This is just the beginning. As WordPress continues to evolve, so will the hackers and their attempts to break into your site and lock you out. Stay one step ahead by learning more about your CMS, keeping everything updated and staying on top of WordPress security; that is how you prevent WordPress hacking.

Stay secure.

 

Author Bio: Tracey Jones is a front-end WordPress developer with a taste for technical writing. She currently works for HireWPGeeks Ltd., a custom WordPress development company where you can hire WordPress developers to customise your WordPress site.

One more thing...

Do you have friends or a Facebook group who you think would find this useful? Share this with them and then let me know what they think.
