WordPress websites had always remained an easy target for hackers. If you don’t cover all the loopholes of your blog, then the chances of being hacked by a professional hacker is always there. I’ve seen this situation happen to very professional bloggers, so don’t think that it can’t happen to you.
Usually, a hacker is looking for vulnerable installations of WordPress using different tools. When it finds a vulnerable blog, they exploit the vulnerability to access the blog and insert links to various sites of ill-repute. This technique is an effort to use your blog to increase those sites’ Google PageRank scores (Nowadays it’s called Domain Authority and Page Authority).
This in-depth WordPress security guide is divided into five main portions.
- Understanding The Types of Security Risks
- Precautionary Measures To Prevent Hacking
- Two Factor Plugins
- WordPress Plugins For Blog Security
- What Steps should be taken, if being hacked?
Table of Contents
- From what types of attacks to defend themselves
- Precautionary Measures To Prevent Hacking
- 1. Limit Login Attempts
- 2. Make Sure to Update As Soon As Possible
- 3. Password Strength
- 4. Use SSL Certificate
- 5. Use Trusted WordPress Themes
- 6. Never keep a Default Username
- 7. Secure wp-config.php file
- 8. WordPress Security Keys and Salts
- 9. Protect the wp-includes directory
- 10. Check files and Folder access Settings/Permission
- 11. Limited Access
- 12. Password on Certain Folders
- 13. Change the prefix of table
- 14. Database Name
- 15. WordPress Backup
- Two Factor Plugins
- Plugins for Protecting WordPress Blog
- What to do if hacked?
From what types of attacks to defend themselves
The attacks from which to defend in a different and WordPress are all of the different nature, but not of the same severity. Let’s see the most common:
- Bruteforce login attempts: BruteForce is a common technique that aims to login on the WordPress platform to take possession of data and administration capabilities. It is not easy to create an attack, but now the possibility to use low-cost resources has increased the possibility that the brute force is the one chosen in order to gain access to our blog.
- SPAM in the comments: One of the most common attacks for blogs that do not use any protection technique, the bots enter thousands of comments in the post at a time without leaving the admin time to remove them and thus creating confusion and failures in the WordPress platform.
- Vulnerability old versions and plugins: to have installed an older version of WordPress can be the best way to be attacked, many of the bugs are now known and have many exploits available for use. Same for the recently updated plugins representing a possible security flaw with the passage of time.
- SQL injection: although reduced compared to the past, this attack method is the most dangerous. The entry form can provide access to sensitive information and may allow the modification of database information.
For these types of attacks, there are specific solutions to be implemented through plugins or settings that allow you to decrease the likelihood that our WordPress is hit. Most often the attacks point to dozens of machines hosted by the same hosting provider and can lead to very automated binding systems.
Also useful to consider the protection techniques applied by their hosting providers, many providers now provide hosting solutions for CMS, thus making the safety easier for the simple fact that the servers are already set for this specific CMS.
Precautionary Measures To Prevent Hacking
Let’s take a look at how can we protect our WordPress site by taking these steps.
1. Limit Login Attempts
Blog security is the most important thing that we bloggers have to always keep in mind. There are always online threats out there, hackers and most of all idiots who are jealous of the success of our blog and try to sabotage it in some sort of way. This is why we must take security very seriously and make sure we have a killer set up. One thing to always do is limit login attempts to help combat these spammers who use automated software to try to register on multiple blogs to submit spam comments or spammy blog posts.
If you have money to invest in security now, I would strongly suggest using the iThemes Security Pro plugin. If not, follow this blog post and blog for many security tips.
For this reason, this is why the default membership role you should select should always be set to Contributor
By making this selection, a contributor can only submit a blog post for review and cannot publish them. This stops unwanted blog posts from going live if you the admin or hired staff must-read blog post before they go live. This is one setting I commonly notice on brand new blog installs with novices bloggers.
Let’s turn back to secure the login form from bad actors. The one plugin I found to be effective and is free is the Limit Login Attempts plugin.
What this plugin basically does is that it limits the login attempts. Let’s say someone is trying to login to your admin account using the “admin” username in which you should never use for your login username and is trying to get into your account. After x amount of bad login attempts, they basically blocked for x amount of months or forever from trying to login again. You set the rules.
You can block IP’s altogether if you come across a list of spammers someone posted on a blog elsewhere. Don’t forget to whitelist your own IP and your staff so they don’t get blocked by accident.
The reporting feature is to look at reports. You should constantly check these to see what’s going on and figure out if you have to block an IP or not.
Give Limit Login Attempts a try to let me know if this has resolved any issues for you.
2. Make Sure to Update As Soon As Possible
With the development of WordPress the security issues also increasing, so, first of all, make sure that you’re running the most up-to-date and secure version, upgrade to the latest release as soon as you can. The outdated version can support malicious attacks and can increase the vulnerability to hacker attempts. Most WordPress security failures occur when a user is running an outdated version of WordPress on his website.
The latest updates come out often with the efforts of the core developers. All you have to do is grab the opportunity. You can only avail of these facilities if you keep your site updated to its latest version. This way your site will be automatically protected from the external viruses.
Security updates apply automatically but some major releases need to be updated manually by going to their respective pages. So if you don’t take out time for these updates, you might leave your site prone to attack from hackers.
3. Password Strength
This is of utmost importance that you keep a secure password for your website, this way you are giving the hacker a tough time in intruding your site.
If you keep simple passwords like “your name” or “12345” then it will be easy for the hackers to guess it and log in to your site. Hackers are very good at understanding the human psyche so even if you think some simple words like “password” could not be guessed, DON’T take the risk. Once hacked, you might lose your account. As the hacker may immediately change the password and start adding malware to your site.
So this is a rule of thumb; always choose some complicated yet related password which you are sure that no one other than you can easily break down. It’s recommended your password contains uppercase letters, lower case letters as well as random numbers so that your hacker is given some tough time.
You don’t necessarily need a long password, just a unique one that only YOU can easily relate to.
Secure Socket Layer certificate is used by many websites like Google, Facebook, and Twitter. Instead of HTTP in the link, you may see https which is indicating the SSL certification. This ensures that the connection is encrypted and safe to use.
So if your site involves entering usernames or passwords, then it’s necessary that you use an SSL certificate for securing everyone’s personal information.
Easy HTTPS Redirection and Verve SSL are two good SSL plugins currently available.
5. Use Trusted WordPress Themes
There are many directories that are full of various themes and plugins which you can use for your WordPress site, however, not all of them can be trusted. The entire themes list is created independently. There are some top-notch banks that contain themes, all well approved by volunteers but you never know if one of them contains any malicious code which might cause major WordPress malfunction.
So much so these faulty plugins might contain some security loopholes. Hence hackers can easily intrude on your site through these plugins.
The best you can do is always check reviews from people before downloading a theme for your site. Make sure the site which is offering you that theme directory is known for its excellence like WPMU DEV. Search for reviews from volunteers and then choose the best.
- ThemeForest – Themeforest is probably currently the most popular premium WordPress theme marketplace. Created by the great team over at Envato, they have over 6,000 WordPress themes that cover a wide variety of styles and features.
- Mojo Themes – Mojo Themes puts a little more emphasis on quality than Theme Forest – the average theme at Mojo Themes tends to be better than the average theme at Theme Forest. While Mojo Themes only has about 600 marketplace items.
- WPZOOM – WPZoom offers a nicely priced club membership as well as individual pricing for their 57 WordPress themes. They even offer thorough documentation and support for all of their themes
- Elegant Themes – Join 282,273 Happy Customers And Get Access To Elegant Themes’ Entire Collection Of 87 Beautiful Themes For The Price Of One.
Choosing a Free WordPress theme can be a tough job. Especially if you’re a beginner. When searching the Web for free themes outside the WordPress directory, be aware that the popularity, open code, and ease of use in making WordPress themes are attractive to others who can make your web server could become part of a zombie army of machines participating in a Distributed Denial of Service (DDoS) attack on some other website, but some may contain malicious code in there. Especially if you download from random websites and not from WordPress.org, or It can be used in a phishing scheme to mine passwords and other personal information from your visitors—unbeknown to them.
So always select themes that are available through the WordPress Free Themes Directory. at least they follow the community’s rules. Although themes are collections of programming code and, thus, can have bugs.
Don’t be afraid to ask the developer questions before installing a theme that comes from outside the traditional channels.
Visit the developer’s site, and check the WordPress.org forums to know the developer’s reputation.
Once you’ve got your theme installed, use the WordPress Exploit Scanner plug-in that
searches through your website’s files and database tables and notifies you of any suspicious code.
This plugin searches the files on your website and the posts and comments tables of your database for anything suspicious. It also examines your list of active plugins for unusual filenames.
TAC stands for Theme Authenticity Checker. Currently, TAC searches the source files of every installed theme for signs of malicious code. If such code is found, TAC displays the path to the theme file, the line number, and a small snippet of the suspect code. As of v1.3 TAC also searches for and displays static links.
This plugin is another very useful plug-in and it scans your theme directory. It specifically detects WordPress permalink back door which is a very malicious malware for WordPress and used in to access the database. This plug-in shows green color if your file is out of danger and red if your file may be in danger.
6. Never keep a Default Username
Once your site is created, the username is already set to “admin”. In this case, it’s easier for hackers to attack your site as you have already provided the username. Now they only have to guess the password. So give them some tough luck and set a related username. Hacker is now one extra step behind you once you have manually changed the username.
Change the username “admin” in Mysql, run this query in your MySQL admin
update wp-users set user_login=’newuser’ where user_login=’admin’;
or create a new /unique account with administrator privileges.
- Create a new account with a unique username
- Assign as an administrator role
- Log out and log back in with New account
- Delete admin account
Be careful while confirming the Deleting of admin account because it will ask you to delete all posts and links related to that account as follow:
7. Secure wp-config.php file
Like other Content management systems on the web, WordPress is keeping updating files to make it more secure. The WP-Config.php file is one of the most important files in the WordPress file system that contains very sensitive information about your WordPress installation, including your database details, table prefix, and Secret Keys. It is essential that it be protected from vulnerabilities. WordPress team is trying hard to improve the system security at their own end but you should try to keep up to date with the latest version of WordPress and keep hiding your WordPress version from crackers and you should take additional security steps to make it more secure.
So wp-config.php file should be secure from hackers because they can find the valuable information stored in the wp-config.php file. If someone gets to access this file, he can get website database username and password, he could log in and undo everything that you’ve built! Therefore, take whatever steps you can to secure that file so that no one can access it.To do so, follow these steps:
The wp-config.php file contains Database credentials, so make them secure as more as you can, keep in mind following tips for a secure and strong password:
- Must be at least 15 characters.
- Must be a combination of upper and lower case letters, must include number and symbols if your hosting company does allow to do that for MySQL database.
- Must be unique and not included names or dictionary passwords.
- You can use the Strong Password Generator: Use this strong password generator to generate secure, random passwords. It’s free. But I recommend creating your own password.
- Must be the same as your FTP, cPanel, wp-admin, database, email or similar to any other social media account like Facebook and Twitter.
- Try to change your password frequently.
- For security purposes never save or write your password on a piece of paper, make it secure as much as you can.
If you move the wp-config file to an unpredictable location and change the code, it would create a problem every time you upgrade WordPress. So there is a better solution, create a separate PHP file in a non-WWW location and add the location of the WP-Config file in it.
So you can change the location of your wp-config.php file from
Protect it the .htaccess Way
Here’s the code to protect the wp-config.php file:
# protect wpconfig.php <files wp-config.php> order allow,deny deny from all </files>
After updating your wp-config.php, Change file permission (chmod) on wp-config.php to 640.
8. WordPress Security Keys and Salts
It is very important to add the unique keys and salts for security reasons. There is an online secret-key service for automatic key-generation. Visit this link and refresh the page and copy the keys and paste them into your wp-config.php file.
9. Protect the wp-includes directory
To prevent someone from viewing the indexes, you have to protect the wp-includes directory, for this, you need to edit the .htaccess file.
Note: make sure the code below is not overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file. WordPress can overwrite anything between these tags. If you don’t know how to edit the .htaccess file, contact us, we can do it for you free of charge.
# Block the include-only files. <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^wp-admin/includes/ - [F,L] RewriteRule !^wp-includes/ - [S=3] RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L] RewriteRule ^wp-includes/theme-compat/ - [F,L] </IfModule> # BEGIN WordPress
Important Note: this won’t work well on Multisite, as RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] if you updating your multisite, It would prevent the ms-files.php file (multi-site) from generating images. You can remove this line but its security risk.
10. Check files and Folder access Settings/Permission
If your site is on Linux you have the access to your file and folder permissions through which you can choose as to who your audience will be for that particular data. You can share data with the selected audience, just make sure all your settings are not too permissive that almost anyone can access your important folders.
11. Limited Access
It is necessary that the important pages of your site are not accessed by everyone. Limiting access means that these few pages which link you up to your entire site are only accessed by you and your potential users. This way your overall site will be safe.
Secure FTP (SFTP) is a safe way of adding files to your site. The passwords in this are encrypted so attackers cannot easily hack it.
Simple FTP is a way to add up more data to your existing site quickly, but it’s not secure. Your FTP connection can easily be interjected by hackers.
So it’s better to use secure SFTP or SSH. Secure Shell access (SSH) can also be sued to transfer or add files to your site safely.
If you are not using any FTP connection for sharing more files, then it’s better you delete your FTP account. Don’t leave any room empty for the hackers to try and intrude on your privacy.
12. Password on Certain Folders
You know which folders contain valuable data that might attract hacker’s attention, so it’s better that you put all such
folders on strict privacy. Keep a password on important folders so they are not accessed by everyone.
In the control panel go to Security, then Password protect directories to see the list of all the folders. Now choose the
folders you want to keep safe and hidden from external users.
Once you have set the username and password, go to security settings title and check the box that says “Password
Protect this directory”. Finally, click save and you are ready to go.
You can also find software designed for this purpose on the internet. Download them and secure your important folders.
13. Change the prefix of table
In WordPress’s database, by default name of every table begins with wp_ just like some other default features. If you don’t change it, this means you are giving the hacker a chance to penetrate your database tables easily and hence make changes to your site.
So if you modify the tables’ name to some customized words related to yourself, it will be less accessible to the hacker.
14. Database Name
Similarly, the name of your database is also by default ending with a particularly common name. Assigning it some new name or adding a unique sequence of alphabets to it will make it stand out. This way hacker will find difficult to decode it. You can take help from certain software to automatically change the name of the database to some unique username.
15. WordPress Backup
Always keep in mind to have your website backed up.
If ever your site gets hacked or you do some changes in the software that are irreversible, the best thing you’d want is an entire copy of your original website.
Yes, that will be a sigh of relief as you know you have all the databases and files necessary to regenerate your site. This way in case someone breaks or hacks your site; you can start fresh, recover all the data and report/delete the previous site.
But for all this, you need to have a backup and make sure the copy is regularly updated with all the productive changes you make on your WordPress site.
You should save the copy of your entire site at two different places other than your email (which might get hacked too).
The best option is to keep a backup in the cloud or your OS. This will ensure that even if anything goes wrong, you have an extra copy in hand. Here is a list of best WordPress Backup plugins.
Two Factor Plugins
With WordPress plugins, you can add a second level of protection to your blog and can give additional protection to your WordPress sites with the latest version. You can use these plugins while login from your mobile devices and via email or SMS.
I found these plugins for securing your WordPress site, check out the following plugins:
This plugin prevents logged-in users from doing anything on your wordpress.org blog until they have verified their second factor of authentication. The process goes like this:
- A user logs into your blog.
- Behind the scenes, a bunch of cryptographic stuff happens and a key is generated and attached to that user. The key is overwritten with a new one every single time they log in. This key is emailed to that user (via the email address the user is registered under.)
- The user gets the email with the code.
- The user then enters the code at the page which is now presented to them when they are trying to access your blog
- Behind the scenes, the token is checked for validity, and a cookie is added to the user’s session. They are now allowed access to your blog. If the key changes (the user logs out, or is required to log in again) the cookie that they may have been using will no longer be valid and they will be asked to enter the new one that they get via email.
SimpleAuth is a simple and secure multi-user PHP login system. No database required. No PHP knowledge needed to implement this login system. You can secure all kinds of pages: customer area, administration interface, member page or any private page.
The Google Authenticator plugin for WordPress gives you two-factor authentication using the Google Authenticator app for Android/iPhone/Blackberry.
This plugin enables Duo Security’s two-factor authentication for WordPress logins.
Duo provides simple two-factor authentication as a service via:
- Phone callback
- SMS-delivered one-time passcodes
- Duo Mobile app to generate one-time passcodes
- Duo mobile app for smartphone push authentication
- Duo hardware token to generate one-time passcodes
This plugin allows a WordPress administrator to quickly add strong two-factor authentication to any WordPress instance without setting up user accounts, directory synchronization, servers, or hardware.
I expect plugins like this to rise in popularity soon or even become a part of the core. We are soon adding similar support to our ManageWP.com users as well.
Sabre (Simple Anti Bot Registration Engine)
SABRE is an acronym for Simple Anti Bot Registration Engine. It’s a set of countermeasures against spam registration on your blog. Your visitors are granted permission to register freely on your blog and now you are plagued by fake users automatically created by spammers? Sabre is the solution to stop definitely these robotized visitors!
Do not show password, during login, on an insecure channel (without SSL).
6. Bad Behavior
Deny automated spambots access to your PHP-based Web site. Before downloading Bad Behavior, check the installation instructions for your platform, as some platforms require a separate download or have special installation procedures.
Login LockDown records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Currently, the plugin defaults to a 1-hour lockout of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked out IP ranges manually from the panel.
WP Security Scan checks your WordPress website/blog for security vulnerabilities and suggests corrective actions such as:
- File permissions
- Database security
- Version hiding
- WordPress admin protection/security
- Removes WP Generator META tag from core code
Plugins for Protecting WordPress Blog
- iThemes Security – Scans your WordPress installation for security vulnerabilities and suggests corrective actions.
- Semisecure Login Reimagined – Semisecure Login Reimagined increases the security of the login process by using a combination of public and secret key encryption to encrypt the password on the client-side when a user logs in.
- Login LockDown – Login LockDown records the IP address and timestamp of every failed login attempt.
- WordPress File Monitor – Monitors your WordPress installation for added/deleted/changed files. When a change is detected an email alert can be sent to a specified address.
- Stealth Login – This plugin allows you to create custom URLs for logging in, logging out, administration and registering for your WordPress blog.
- Limit Login Attempts: a useful plugin that allows you to limit the number of tests that you can log in to the system WordPress. This is a plugin that allows you to ban the use of IP through cookies or user and prevents it attempts to brute force by a single subject.
- Askimet: perhaps one of the most popular WordPress plugin, allows to better manage the comments that have spam, classifying them and preventing them Rinser of new bots.
- YES Antispam Captcha: always to protect the login page, this plugin puts a captcha on the page, to be sure that access is groped always a human and not a botnet.
- Antivirus: Another plugin that is responsible to check the files in our installer looking for any malicious code.
What to do if hacked?
In case, your website being compromised, stay calm. First of all, try to reset your admin password, and then scan your website for malicious content, try to contact your host for help on putting everything back to normal. We also provide the Professional WordPress Security Services to remove malware and fix the hacked site.
In conclusion, we can say that we now have an added layer of security to protect important to WordPress, but much of what is done must be on hosting providers, especially in the configuration of your server, so make sure that the provider’s servers are tested to host WordPress and there are the necessary measures for security at the system level.
So these are some of the very basic yet a little extra effort requiring methods you can use to secure your website. However more methods that require more efforts also exist and they can go pretty far up as well when it comes to securing your websites, but it is of importance that most of the measures mentioned above can be performed.