“WordPress is the best thing ever! I love it!” – said no person ever who’s site got hacked.
People tend to blame their hosting providers, plugin, theme and WordPress developers, hackers for not having a better thing to do than hack their site… The reality is simple. This can happen to anyone and it’s your responsibility to prevent it. Or at least make it extremely difficult.
If you are reading this, you probably had a bad experience with malware or you’ve heard stories and don’t want that from happening to you.
It is not completely wrong to start with the question: “Why did my site get hacked?”. It’s a reasonable thing to ask. Hackers may do it for fun or with a purpose, but that shouldn’t concern you.
The more important questions is: “HOW did my site get hacked?” because when you answer that question, you learn what was the weakness that was exploited by the hacker and you can do something to eliminate it.
Luckily, this question has been answered many times before, so we already have a
good idea about what are some of the most exploited weaknesses of WordPress
and what we should do about that.
Here’s a list of 5 things you need to do to protect your WordPress site
- Protect the login page
- Secure your files and database
- Update your themes, plugins and WordPress core files
- Apply restrictions for bots, certain IPs and countries
- Monitor your site
1. Protecting the WordPress login page
By default, the WordPress dashboard login page can be accessed by adding ‘/wp-admin’ (or ‘/wp-login.php’) to the domain name – i.e. domain.com/wp-admin (or domain.com/wp-login.php).
This means that anyone with internet connection and a browser can access your login page with ease. All they have to do is guess your username and password, which is of course, not easy. That’s where Brute Force Attack comes into play.
Brute Force Attack means that hacker will be making an infinite number of attempts to log in by guessing the username and password. This is done by using a computer program, so the hacker might actually try thousands of combinations, depending on the speed of their hardware, until one of them works. After they are logged in as an admin user, there are no limitations.
You may opt for one or more (or all) of the following suggestions:
Limit login attempts
The Limit Login Attempts Reloaded is a good choice if you want a light-weight plugin. It does exactly as the title suggests. The iThemes Security (formerly BetterWP Security) is more versatile and quite popular.
If you limit the number of login attempts to 3, you are making it difficult for the person trying to force their way into the admin dashboard because they will not have an unlimited number of attempts. And what are the chances of a hacker guessing the credentials in 3 attempts? You’d have to be the unluckiest person in the world (or use predictable credentials). Which leads us to…
Adjust your passwords
Adjusting your passwords (and usernames) is also a very important part of the login security. Some people just don’t want to get creative at all and use very predictable usernames (first names: Tom, Jerry, Spike etc.) and passwords ([email protected] and similar).
Important note – don’t use ‘admin’ as a username because this is a predictable username and you are basically eliminating a lot from the equation for someone trying to force their way in. You can use password generators or even password managers (this will save you the trouble of remembering a password).
Change your login URL path
As mentioned before, WordPress admin login can be accessed by adding ‘/wp-admin’ or ‘wp-login.php’ to the domain name. This is how the WordPress is set up by default. There are some plugins that can change this, so instead of domain.com/wp-admin, you would have to type domain.com/login (of course ‘login’ is a bad idea. Predictable.). This adds one more variable for the hackers to figure out, since now they have to guess the login URL besides already having to guess username and password.
The WPS Hide Login provides this functionality.
Log out idle users
This means that after some time of inactivity, the user will be logged out and the plugin Inactive Logout adds this feature to your WordPress site. Imagine someone logging in and leaving the WordPress dashboard open. Anyone passing by can edit your site content. Or maybe you logged in using your friend’s device, and that person is a prankster.
It might sound like an overkill but think of it this way – banks are using it. Means it’s a pretty good method and only you (or person holding your phone) can log in. Basically, the plugin will send a secret code to your phone every time you attempt to login and you will be prompted for that security code on the login page.
2. Secure your files and database
All hosting companies say that their servers are secure because they have to, but that’s an idle boast. It can happen that files with malicious content are uploaded or some existing files on the server can be changed. There are a few things that can be done, however, to make it difficult for someone to access the files on your server.
All of these things can be done by editing configuration files on your server or by using a security plugin like All-in-One WP Security or similar. There are pros and cons to using a plugin.
- Easy to use
- Options are enabled/disabled with a few clicks
- Slower performance
- Possible conflicts with other plugins/themes
Set directory permissions carefully
General rule of thumb is to set the directory permissions to ‘755’ and files to ‘644’ to protect the whole file system – directories, subdirectories, and individual files.
Wrong directory permissions can be fatal, especially on shared hosting environment. For example, setting a 777 permission to a file means that everyone can read, write and execute the file. This set of permissions is unwise and should never be used.The iThemes Security plugin can show if there are any permissions that need to be changed.
Also, it is wise to consult the Hosting Support of your hosting provider as these permissions might be different depending on your hosting plan.
If you are not sure what these digits represent, I advise taking a look at this article.
Disallow file editing
There are ways to edit theme and plugin files from wp-admin dashboard (Theme Editor for example). Any user with admin access can do this.
To remove this feature, add the following line to your wp-config.php file:
This can prove to be a nuisance if you don’t want to connect over SFTP every time you want to make a small tweak to your theme files for example, but if you are more or less done with hardcoding, it is a good measure of security.
Disable directory listing (preferably through .htaccess)
Let’s say you create a directory called ‘Private’ and put files inside that should not be viewed by anyone but you. If there’s no index.html or index.php file in that directory, anyone can see the content of the directory simply by typing domain.com/private/.
To prevent this you would either have to:
1. Put an empty index.html file inside this directory (or index.php which only contains the opening php tags ‘ 2. Disable directory listing through .htaccess by adding this line:
Options All -Indexes
Choose hosting that comes with SFTP/SSH
Although SFTP and FTP might seem the same to the end user (especially when connecting using a tool like FileZilla) there’s a lot of difference between the two.
While FTP protocol only transfers the FTP commands in their original format, SFTP protocol provides encryption between your computer and the server, making it difficult for someone to breach the connection or spoof your info.
Block all hotlinking
‘Hotlinking’ means sharing files on a site that are not hosted on the same server as the site. For example, someone shares a photo from your site on their site – this increases the server load and if done frequently can cause you website to slow down.
A simple way to prevent hotlinking is by using All In One WP Security And Firewall which has this option built-in. Still, it is preferred to do this through the .htaccess file or by using a CDN.
Use SSL to encrypt data
Just like it’s safer to use SFTP rather then FTP, it’s better to use SSL certificate as it encrypts the data you and your visitors transfer via the site.
Imagine sending confidential information in a letter. If someone intercepts the letter, they can simply read the information. But if the information was converted into a cypher or code, it would take someone like Alan Turing to figure it out.
That’s what SSL encryption does in a nutshell.
Let’s Encrypt offers free SSL certificates. Some hosting providers have automatic installer, while a workaround is required for others.
Securing your WordPress database
All the site’s data and information (your pages, posts, users and their credentials, comments, plugin data and a lot more) is stored in the WordPress database.
Changing the database prefix
When WordPress is installed, the database comes with the default prefix ‘wp_’. Using the default prefix makes your database vulnerable to SQL injection attacks. It is advised to change it to something else like ‘mywp_’. Some hosts that offer managed hosting will automatically do this for you and make the prefix look something like this ‘wp_hjl12lka_’.
Set strong passwords for your database
It’s the same logic as with WordPress usernames and passwords – don’t be predictable. If you are using a hosting package with cPanel it is quite easy to generate a strong password as cPanel provides that option.
Backups, backups, backups!
In case all goes south, you still want to be able to restore your site.
There is a number of backup plugins that have a great reputation: UpdraftPlus, BackUpWordPress, WP Duplicator to name a few.
These plugins can also make backups automatically on schedule so you don’t have to do it manually each time. I personally prefer BackUpWordPress as it lets you specify the exact time when the backup will be created.
Why is this important? Depending on the size of your site and the traffic, running a backup might strain the server resources. It’s not uncommon for sites hosted on shared servers to slow down drastically or even crash in the process. Specifying a time when you know the number of visitors will be low is a good strategy to avoid this issue.
Another method is to purchase automated backups from your hosting provider or another company. This is especially useful for big sites as plugins might take a really long time to create a backup and possibly even fail to complete it.
3. Update your themes, plugins and WordPress core
This might seem trivial but the truth is – outdated software just makes it easy for the hackers to gain access to your site.
Whenever a new version of a plugin, theme or WordPress core is released, a changelog is released with it. This changelog may contain notes on security vulnerabilities that have been fixed. This reveals the weaknesses of previous versions that hackers might exploit.
Checking for available updates
You can check for outdated software in your wp-admin dashboard by going to the ‘Dashboard -> Updates’:
This page will show if there are any available updates for WordPress/themes/plugins.
Watch out for abandoned plugins
Imagine installing this plugin to prevent brute force attacks only to find out that your site got hacked because the same plugin had security bugs. A great example of irony, don’t you think?
I’ve seen examples where site owners refused to replace the plugin because it basically meant that they would have to rebuild the site to a certain extent. Some don’t have the time, some don’t have the knowledge and don’t want to spend money but trust me, if your site gets hacked, you will have to spend both your time and money eventually.
Build your site using themes that are regularly updated
Popular themes, especially premium ones, are a safe bet. Themes like Avada, Divi, Storefront, X Theme, etc. will be updated regularly for the foreseeable future. That means that whenever a security issue is revealed, a simple update will fix it. It also means that the theme will be compatible with the always evolving WordPress core.
Custom themes, plugins and developers who don’t write back
It is not a rare practice to have a custom theme built for a site. Some site owners desire a specific layout or functionality and use a custom built theme. It is also not a rare practice (unfortunately) that a developer who built it for you is not available or simply not responding to your emails anymore.
As WordPress core changes, that custom built theme or plugin might stop being compatible and surely becomes a vulnerability for your site’s security.
Whether or not this is the case with your site, we will explore additional layers of security that might help keep your site protected.
4. Apply restrictions for bots, certain IPs and countries
Apply restrictions for bots
Bots in general can be quite u nuisance. Even legit ones. If you have a lot of posts and pages on your site and a search engine bot starts indexing them every day, you will see a notable decrease in your site performance.
There’s a bunch of reasons to block out certain bots. Remember that question “Why did my site get hacked”? It’s not because someone simply stumbled upon your site, poked around, found some weak spots and decided to give it a go. Hackers don’t do this manually by browsing the web. They use bots that can actually collect info about outdated software, WordPress version and more to compile a list of sites that can be hacked.
There are also spambots that create accounts, post comments on pages and can even publish posts if you have a forum plugin.
Some believe that blocking a bot in the robot.txt file works on all bots. While you can block out a legit bot that’s been visiting your site more often than you want to, bad bots will simply ignore robots.txt. It is like hoping that a thief won’t break into your house simply because you wrote “Thieves, don’t come in!” on your door.
This requires a different approach and luckily there are some solutions.
While some security plugins provide an option to block bad bots, I prefer a dedicated plugin in this case. It has a database of known bad bots and suspicious IPs that is regularly updated and has an option to notify you of any bot activity on your site.
The plugin All In One WP Security has an option to block fake Googlebots, but StopBadBots covers a lot more ground.
Block IPs from a certain country
If you are a small catering service operating in one city in U.S. you don’t have much use of having site visitors from Russia or Brazil. So unless you are planning an aggressive expansion, you can block out all countries except the one where you conduct your business.
5. Monitor your site
Monitoring changes and activity on your site can be crucial in preventing security breaches. Any file changes, failed login attempts and changes to the site should be tracked to avoid something happening behind your back.
Monitor audit logs
Nothing gets by unnoticed when you use the WP Security Audit Logs. Whether someone changed the widget, edited a page or simply changed the date of the published post, there will be a trace and you will know it. You will get a list of activities, along with the email notifications and reports.
Maybe one of your contributors is having trouble remembering his password or maybe it’s the brute force attack attempted with his username.
Monitor your files
There are 1700+ files in the WordPress installation. If your site has been compromised by changing or adding file to the WordPress core, it might be hard to notice that, don’t you think? Same goes for modern themes and plugins.
That’s why it is good to have a tool that can spot file changes on the server, compare them with original files in WordPress repository and even overwrite the changed files with a pristine, original version.
It is also a good strategy to have a premium plan with a security company, especially if you already had an issue with malware. Sometimes, backdoors can be left behind by plugins and that leads to reinfection.
Scan your site
The fact that you implemented these changes does not mean that you should forget all about security for the time being. You should still scan your site regularly. If it turns out that the site got infected with malware after all, you will be able to resolve it quickly with Security & Malware scan by CleanTalk.
If the malware keeps coming back, you might need assistance from a professional service. Please review our monthly plans that include:
- Spam Removal
- Page Speed Optimization and more.
Tip: In the case that you’re looking for a clean-coded and feature-packed WordPress theme so you can get your website up and running fast, then, you may look to the Visualmodo WordPress themes portfolio that has themes for every need, with current updates and best development pratices to keep all secure like your site should be.
The main conclusion that should be drawn out of this is to be proactive. Obviously, there’s a lot to go over and it might seem overwhelming, but it’s absolutely worth it. You have invested a lot of time and money into your WordPress site and you should protect your investment. What’s an extra few hours or days of work compared to the hell of having to clean up the mess and possible put everything together again? You got it. Nothing.