The Best Tips to Securing WordPress Websites and Keeping Hackers Out

Website hacking has been out of control in the past year, with WordPress being the biggest target for brute force attacks, malicious code injections, and numerous other compromises. Your site may have already been hacked without your knowledge. If it hasn’t been, what will you do to prevent a hacker from invading?

The first thing to understand is the why of WordPress hacking.

Why Hack You?

Why would anyone want to break into your innocent little brochure site that contains no sensitive data worth stealing?

The reasons hackers are attracted to your little WordPress site are mostly:

  • WordPress is so popular, it presents a wide field of sites to exploit.
  • With WordPress being so accessible, hackers know that most users are not savvy to security.
  • Once broken in, hackers install spam bots, redirects and malicious code in your site.

Don’t let a hack happen to you!

Secure WordPress sites you operate by following these suggestions according to your knowledge and skill level. You don’t have to get every point, but you can use this as a checklist.

Basic WordPress Security Tips

__ Update WordPress
Every time WordPress releases a new version, update your site. Every time. They’re not releasing new versions just for the fun of it.

__ Update Plugins
Only use plugins with good reputations, and every time a plugin developer releases a new version, update that plugin on your site. Plugin security vulnerabilities are a common way to get hacked.

Read More: Update Your Site or Die Trying

__ Delete Old/Unused Plugins
If you’re not using a plugin, delete it. An old and moldy plugin is as insecure as a non-updated plugin.

__ Use Spam Killer Plugins
Comment spam is a perennial security issue. Use a plugin like Akismet to kill spam dead. (Also, update your Akismet to version 3.1.5, as a security vulnerability was found last week.)

__ Use a Secure Hosting Company
Make sure your web host offers SSL certificates and runs the latest versions of cPanel, MySQL, etc.

__ Use a Security Service on Your Host Server
Web hosts offer security services like SiteLock to protect your site at the server end. Employ one.

__ Use Secure Themes
Install themes created by reputable developers and be wary of free themes not distributed through WordPress. Premium themes tend to be slightly more secure, but apply the same scrutiny to them.

Read More: 8 Things to Look for in a New WordPress Theme

__ Use Obscure Usernames
Never use “admin” or any word vaguely associated with your site’s content.

__ Use Strong Passwords and Change Frequently
Create long, complicated password sentences or use the password generator offered in WordPress v4.3.1. Frequently change passwords in WordPress, your hosting panel and for FTP.

Read More: Use Mantras as Passwords for Web Nirvana

__ Use Security Plugins
Install one or more of: Wordfence, WP Security Firewall, iThemes Security (formerly Better WP Security), Sucuri Security, Bulletproof Security, Acunetix WP SecurityScan, All-In-One WP Security & Firewall (my fave), 6Scan Security, BruteProtect.

Read More: 7 WordPress Security Tips to Lock Down your Site

__ Backup Database

  1. Use backup plugins to save data on your server
  2. Email or download files of your database to your computer’s hard drive
  3. Download database files to Dropbox or cloud server
  4. All of the above

__ Use Anti-Virus Software on Your Computer
Prevent hackers from getting to your site through your own computer by using anti-virus software.

__ Beware Email Links and Attachments
Use common sense by not clicking on suspicious links or attachments sent to you via email. They could infect your computer and by extension, your WordPress site.

Read More: New Year’s Internet Resolutions You Can Make Too

Advanced WordPress Security Tips

__ Use 2-Step Password Authentication
Plugins such as Google Authenticator and miniOrange 2-Factor require a second code in addition to your password at login.

__ Use a Firewall
A firewall acts as a barrier to keep hackers out of your site or server. Firewall security can be purchased as a service or bundled in premium plugins (free with All In One WP Security & Firewall).

__ Block Evil IPs
After monitoring brute force attacks through security plugins, paste the offending IP addresses into the relevant plugin modules or into your .htaccess file.

__ Change /wp-admin URL
Some security plugins like All In One allow you to change your login URL from “/wp-admin” to something like “/keepouthackers.”

__ Change User Nicename in the phpMyAdmin Database
Prevent your username from leaking out by changing the user_nicename in your database. When “/author/” shows up in a URL, viewers will see a name different from your actual username.

__ Change Admin User ID
Make it harder for hackers to find your username by guessing you are “author=1”: change your User ID to something like “5643.”

__ Change SALTs in wp-config
It’s a good idea to change the security keys and SALTs in wp-config.php, which WordPress uses to sign your login cookies (changing them logs every session out), either manually or by using the iThemes Security plugin.

__ Rename Database Prefix
In phpMyAdmin on your server, change the wp_ prefix of the table names so hackers can’t guess where your data lives.

__ Protect wp-uploads files
Prevent PHP files from being executed in your wp-content/uploads folder.

__ Check File Permissions
All directories should be 755 or 750. 
All files should be 644 or 640, except wp-config.php, which should be 440 or 400.
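An added example, not code from the original post: a POSIX shell script that applies the permission scheme in this item and the uploads protection from the item above, then audits the tree. It assumes an Apache 2.4 host with .htaccess overrides enabled and the standard wp-content/uploads path.

```shell
#!/bin/sh
# Added example (not from the original post): apply the permission scheme
# above to a WordPress tree and drop a deny-PHP rule into wp-content/uploads.
# Paths containing whitespace are not handled.

# Directories 755, files 644, wp-config.php 440 (it holds DB creds and SALTs).
harden_wp_perms() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    [ -f "$root/wp-config.php" ] && chmod 440 "$root/wp-config.php"
    return 0
}

# Stop the web server from executing PHP that lands in the uploads folder.
# Assumes Apache 2.4 with .htaccess overrides enabled (nginx needs a
# location block in the server config instead).
protect_uploads() {
    up="$1/wp-content/uploads"
    mkdir -p "$up"
    cat > "$up/.htaccess" <<'EOF'
# Uploads are static files; never hand them to the PHP interpreter
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
    chmod 644 "$up/.htaccess"
}

# Audit a tree against the scheme: prints each offender with the wanted
# mode, returns 0 when clean and 1 when anything deviates.
check_wp_perms() {
    root="$1"
    dirs=$(find "$root" -type d ! -perm 755 ! -perm 750)
    files=$(find "$root" -type f ! -name wp-config.php ! -perm 644 ! -perm 640)
    cfg=""
    [ -f "$root/wp-config.php" ] && cfg=$(find "$root/wp-config.php" ! -perm 440 ! -perm 400)
    [ -z "$dirs$files$cfg" ] && return 0
    [ -n "$dirs" ]  && printf 'DIR  (want 755/750): %s\n' $dirs
    [ -n "$files" ] && printf 'FILE (want 644/640): %s\n' $files
    [ -n "$cfg" ]   && printf 'FILE (want 440/400): %s\n' $cfg
    return 1
}

# Usage: harden_wp_perms /var/www/html && protect_uploads /var/www/html && check_wp_perms /var/www/html
```

Run check_wp_perms on its own after every plugin or theme install, since installers sometimes leave world-writable directories behind.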

Post-Hack Recovery Tips

__ Refer to the WordPress Codex
The WordPress Codex offers a step-by-step method of recovering from a hack.

__ Change Passwords and SALTS
Immediately change passwords for WordPress, your host’s cPanel and hosting FTP, as well as your SALTs.

__ Request Help from Your Host
But don’t expect much, especially if you are on a shared server. However, you might be able to coax them into using their resources to do or tell you something useful.

__ Reinstall WordPress Core
Replacing the current WordPress version should wipe out hacked files not placed in your wp-content folder.

__ Restore the Backup Database
Use the clean backup of wp-content saved to your hard drive or cloud storage and restore it to a clean new installation of WordPress. Check thoroughly before repointing the domain.

__ Track Server Logs
To figure out how a vulnerability was exploited, comb the server logs provided by security plugins for clues about what happened.

__ Use 3rd Party Auditing Tool
Use a service like Trustwave to scan for SQL injections and viruses.

__ Hire a Professional
If you feel overwhelmed, hire a professional developer to clean up your site.

__ Get off the Google Blacklist
Google will have alerted you to malicious code injections and will put you on a blacklist. Once your site is clean, notify Google immediately.

Blog Long and Prosper

Hopefully, you’ll never need to utilize the third part of this list, but if you do, remember that it’s not the end of the world. Your site will recover. The key is being ever vigilant against email come-ons and brute force attacks that could eventually harm your site.

What do you do to protect your website? Is there anything I missed on this list of tips? Please add your tips to the comments below.
