I read about these horror stories every day. People’s WordPress sites getting hacked. Their content? GONE FOREVER. Why? They didn’t take the time to try and secure their website. They didn’t have a backup or a disaster recovery plan. They didn’t keep it updated. Or take the time to use a proper login and password. Now they have to try and put the pieces back together. So don’t be that person. Read the tips below to help prevent your WordPress site from getting hacked.
Odds are one day your site will be subject to attack from hackers. From either attempting to deface it, gain access to your back end to inject malicious code, or take it down through a bot net attack (DDoS). Instead of thinking “This won’t happen to me!” You better start thinking: “IT IS GOING TO HAPPEN“. So what can you do to help at the very least slow them down? Well there are quite a few things to help keep the average hacker from hurting your website.
[box] Click to Tweet:#WordPress – Your Site is GOING to be Hacked? – Learn Ways to Prevent it: http://ctt.ec/CoB9G+ via @avgjoegeek [/box]
Why Are Websites Hacked?
The simple answer? Because they can. It isn’t even personal usually. They found a vulnerability on your site and took advantage of it. The other reason? Money. I’ve seen sites that were hacked that had adult advertising plastered on them. The best way to deal with a potential hacker? Do your best to try and make it so they cannot easily get into your website.
Manage Your Passwords Better
I know nobody likes to hear this – Change Your Password. After working in Technical Support for 15 years? It’s the very last thing people want to do. Let me explain why you want to do this though. If you are using the same password for everything online? You are opening the “Keys to Your Kingdom” and saying “Come inside and take EVERYTHING!” All a potential hacker would need is access to one of your accounts and *poof* they now have access to all of them!
Hosting and Domain Passwords
These are typically separate accounts. Are you using different account names and passwords for them? Or are you using the same password for everything. Stop making it so easy for a potential hacker to get in. I know that GoDaddy offers two-part authentication if you wish to activate it. For your Hosting, they provided you with that strange long password you’ll never remember when it first gets activated. Did you change it to one of your common ones? Go back and change it to something more secure.
Host Webmail
Do you have a simple login/password for your email on the server? Maybe it’s time to move off and start using a 3rd party service instead. You can use services provided from Google, Amazon, or even Microsoft for your email needs. Then after that has been completed? Send in a ticket to your host to see if they can turn the web mail service off.
Get a Password Manager
Get a Password Manager
The trick is now that you have 5 million different passwords set everywhere. How do you manage all of them? Put them in an Excel Spreadsheet, then zip them up with yet another password on your computer? Or worse a sticky note under your keyboard? A better solution that I’ve started using is a Password Manager service like LastPass. It’s not perfect but I can tell you that I do feel a bit better knowing that all of my password information is no longer sitting in the browser and is stored within the LastPass program now.
WordPress Login/Admin User Management
Remove ‘Admin’ as Your Login to WordPress
If you’re using the word ‘ADMIN’ as your login for WordPress? You’ve already lost the battle. This is probably the #1 login used by both users and hackers. I highly suggest changing your login to something very obscure. And no… not QWERTY – that seems to be #2. When I mean obscure change it to something more appropriate like: my_5!t3_1S-c00L!*.
Read More: Are Your Passwords Secure Enough?
Need to change your admin user name in an existing WordPress install? To do this you will need to run this query on your database from the PHPMyAdmin screen:
1 | UPDATE wp_users SET user_login = 'newuser' WHERE user_login = 'admin'; |
(Replace ‘newuser’ with the new admin user name. And if you used a different database prefix other than ‘wp_’? You will need to change that to match your database as well.)
Warning: Before making ANY changes to your Database make sure to BACK UP YOUR DATABASE!!
Don’t Use Your Administrator Account as the Main Author
This is where I break out the tinfoil hats and pass them around. What if I suggested that you only use that Admin account for keeping your site updated and doing the basic maintenance. Then use a separate WordPress account for writing and posting articles? WordPress does have different roles setup for people after all. So doesn’t it make sense that you should be posting under a different account that has less rights than Admin does?
Turn Off User Registration
If your a single author blog? Do you really need or want people to register on your website? If you are offering a paid program there are other solutions out there that can manage that. Otherwise you might as well turn it off. To turn it off. Go to your WP Admin screen. then it’s Settings -> General -> Membership. Uncheck the box “Anyone Can Register” and click Save Changes.
Disable the Ability to Modify Files from WP Admin
You can disable the admin from being able to use your WordPress editor to change/edit your theme or plugin’s files. You will need to add this line to your wp-config.php file:
1 | define('DISALLOW_FILE_EDIT', true); |
Warning: This will disable your ability to use the editor from within WordPress!
Disable the Ability to Edit/Upload Themes or Plugins
This is another entry you can add to your wp-config.php file as well. This one will disable the ability for anyone logged into your WordPress site from the ability to upload/install themes or plugins.
1 | define( 'DISALLOW_FILE_MODS', true ); |
Don’t Use the Default Table Prefix for WordPress
Warning: Make sure to do a backup of your database before doing this. (Which you should be doing anyways) This is not something I suggest those unfamiliar playing around with the database or not knowing how to restore their website to attempt this step.
Another thing that I do is change the default table prefix from ‘wp_’ to something more like ‘abc21343322_’. If you already have a website that is using the default table name? Then there are a few ways to go about changing it.
You can use a plugin like iThemes Security to do the work for you. (Look below on my thoughts about the plugin.) In it has the option for you to change the table name and do all of the work below with a single click.
Database Queries
The other way is to use the database queries below to update your database. To do this you’ll have 3 steps to follow:
- Rename the database tables to reflect the new prefix you created.
- Update the usermeta table
- Update the options table
You will need to run this for EVERY table you have in your database. Make sure when you run the command – double check your spelling and that you have the old name (‘wp_options’) and the new name (‘newprefixhere_options’) match. Otherwise.. well bad things could happen.
1 | RENAME table `wp_options` TO `newprefixhere_options`; |
After you completed the above step. You will need to update the user meta table to reflect the new prefix as well:
1 | UPDATE `newprefixhere_usermeta` SET `meta_key` = REPLACE( `meta_key`, 'wp_', 'newprefixhere_' ) |
And finally you will need to update the Options table as well with the change.
1 | UPDATE `newprefixhere_options` SET `option_name` = 'newprefixhere_user_roles' WHERE `option_name` = 'wp_user_roles' |
Disable xmlrpc.php
Update: WordPress has recently released a security patch that will hopefully help if you’ve been getting hit with this type of DDoS attack. If you haven’t please go and update it now.
(Thanks +MaAnna Stephenson for the heads up!) This function allows you to perform pingbacks and quite a few other things though. This is a popular attack for DDoS Bot nets. So first I would find out if you were getting attacked or being used for an attack. Then go ahead and use a plugin or code to disable it. Just make sure that you didn’t break anything after you implement it! To do this read the two articles below:
- Blog-Aid: Disable xmlrpc in WordPress to Stop DDoS Attacks
- Sucuri: More Than 162,000 WordPress Sites Used for Distributed Denial of Service Attack
Keep Your Themes, Plugins, and WordPress Up to Date
This is probably the easiest thing you can do to help ensure your website stays secure. The issue here is that WordPress itself is pretty rock solid. As soon as you add a custom Theme and Plugin? That’s where the potential for vulnerabilities popup. The good news is that themes and plugins push out new updates all the time with bug fixes, security updates, and feature updates. So make sure to keep your website updated!
Tip: I highly suggest subscribing to WordFence’s email list. They seem to be pretty on top of when a plugin has been compromised.
Use Trusted Sources for Themes and Plugins
Another thing to watch out for while we’re on the topic. Make sure to use trusted sources to ensure what your using has been coded correctly. Unless you know how and what to look for? You never can be sure if that nifty new plugin or theme has something malicious hiding inside of it. So be careful!
I use a premium theme Genesis (affiliate link) as I know they take security seriously.
Clean up the “Soup Kitchen”
I never knew what the terminology was until I started researching this article. If you setup a demo website and its been sitting there forgotten? Or if you have plugins or themes that aren’t being utilized? I highly suggest removing them. Keep an attitude of: If you’re not using it – lose it! It will remove potential vulnerabilities found on your web site.
Keep WordPress Up to Date!
They aren’t just introducing new features when a WordPress update rolls out. They are fixing vulnerabilities discovered with the older version. So don’t wait too long to perform the update when you see it available. Or you could turn on the auto update feature and it will install updates as they become available:
Add this line to the wp-config.php file in your WordPress install:
1 | define( 'WP_AUTO_UPDATE_CORE', true ); |
Get a Quality Host!
I know I’ve mentioned this a few times in other articles. It still worth repeating. If your hosting in your friends basement? Probably not the greatest plan in terms of security. Most of the popular hosts out have at least some type of hardware security in place and ‘sandbox’ your site so even if a neighbor’s site on the server was hacked you should be relatively safe.
I’m currently using BigScoots and I can tell you they seem to be on the ball in terms of security and service!
Lock it Down Using .htaccess
Think of the .htaccess file as the ‘gatekeeper’ for your site. It can be a very powerful tool to stopping potential hackers if utilized correctly. I could probably write a book on this section alone! These settings are the basic tweaks that I have setup on my own WordPress install.
To add/make changes to your .htaccess file. You can either edit this file directly over on your hosts cPanel. Or you can FTP and make the necessary edits that way. Either way though? Make sure you backup the existing version. If you don’t? You could prevent everyone from being able to access your website! If you see an Error 500 Access Denied screen after making a change? You’ll need to go back and remove the last changes you performed or restore the backup.
Just take it slow – double check your syntax and spelling. And you should be OK 🙂
No Index Command
This is a must have for just about any website. This will remove the ability for people to see a list of your websites directories in a browser.
1 2 | # Turns Off Ability to See Your Sites Directories Options -Indexes |
Protect the .htaccess File
1 2 3 4 5 | # Protect .htaccess <Files .htaccess> order allow,deny deny from all </Files> |
Protect the WP-Config.php
This entry will deny from everyone trying to view your wp-config.php file.
1 2 3 4 5 | # Block Everything from wp-config.php <Files wp-config.php> order allow,deny deny from all </Files> |
Blocking Include-Only Files
This blocks your wp-includes folder so people are unable to browse it directly.
1 2 3 4 5 6 7 8 | # Block the include-only files. RewriteEngine On RewriteBase / RewriteRule ^wp-admin/includes/ - [F,L] RewriteRule !^wp-includes/ - [S=3] RewriteRule ^wp-includes/[^/]+.php$ - [F,L] RewriteRule ^wp-includes/js/tinymce/langs/.+.php - [F,L] RewriteRule ^wp-includes/theme-compat/ - [F,L] |
Protect Your /wp-content/ Folder
This will help lock down your /wp-content/ folder. There is a caveat though. Depending on what type of theme and plugins you are running? This could potentially break your site. Especially if your using the theme that still uses timthumb.php (i.e. old Thesis 1.8x websites) So as always make sure you test after implementing it.
You will need to create a new .htaccess file inside of the /wp-contents/ folder then enter in the following information:
1 2 3 4 5 6 | # Only allow XML/CSS/Images or JavaScript to execute from this Directory # Will break your site if running a theme with timthumb.php! order deny,allow deny from all <files ~ ".(xml|css|jpe?g|png|gif|js)$"> allow from all |
Only Allow wp-admin or wp-login for Your IP Address
I like this solution though it has some issues.
- Most people at home have their IP change on them whenever their ISP decides to change it.
- This doesn’t work if you are using a CDN Service such as CloudFlare.
- And this could potentially cause issues if you are running a Membership site that requires the ability for people to login.
So to use this effectively? You’ll have to check your IP, adjust the .htaccess just about every time you need to login directly to WordPress. Which is a huge pain in the ass.
To find our what your current IP is before setting this up? You can go to www.whatismyip.com
1 2 3 4 5 6 | # Only Allow Your IP to Connect RewriteEngine on RewriteCond %{REQUEST_URI} ^(.*)?wp-login.php(.*)$ [OR] RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$ RewriteCond %{REMOTE_ADDR} !^123.123.123.123$ #replace with your IP Address! RewriteRule ^(.*)$ - [R=403,L] |
Check Your File Permissions
You should always make sure your site’s folder and permissions are set correctly. A file set to 777 might be nice for slot machines. Not for file permissions. This is yet another potential open door for hackers to walk through. If you don’t know how to do this or think something is going on? Then I suggest contacting your host and have them take a look.
The basic rules are:
- 755 or 750 for Directories
- 644 or 640 for Files
- 600 for your wp-config.php
There is a guide on the WordPress Codex for Changing File Permissions that goes into a ton of detail on this.
Connect To WordPress Securely
Another way to ensure that you are protected from hackers? Connect to your website securely using sFTP or SSH. By using these methods you will have a secure encrypted connection that hackers will have a difficult time sniffing out. The two free tools for Windows to use to do this? WinSCP and Putty. For instructions on how to setup the connections? You will need to refer to your webhost as they usually have pretty detailed instructions on how to do this.
BACKUP YOUR WEBSITE!
Yes, I did all caps on purpose. You should always, always, ALWAYS back up your website! Whether you use a plugin, service, or do it manually. I don’t care how you do it. As long as you are doing it. I personally backup avgjoegeek.net 3 different ways:
- Host: BigScoots provide a free backup service – unlike some other shared hosts who do the backup and never show you it. This one is a fully featured snapshot backup of the entire website.
- Service: I have been touting my joy of using CodeGuard (affiliate link) to anyone that will listen. It’s a service I setup that uses sFTP and SSH to connect to the website remotely and makes a weekly backup. It is stored in their cloud servers (Amazon S3) and they even provide a Malware scan on what’s been uploaded. I get a daily email notifying me of what files have been changed.
- Manually: I go through and perform a manual backup as well. Overkill? Maybe. I think of it this way though. IF the host lost all of the backups, and IF CodeGuard suddenly went out of business and I lost my data there as well? I have a local backup I can restore.
I’ve talked with a lot of WordPress developers and if you manage more than one website? Then they all suggest purchasing Backup Buddy. It is a pretty big investment, but I’ve heard nothing but good things about how it works. (And no I’m not sponsored or offering an affiliate link)
Install WordPress Security Plugins?
I’m one of those who do not like WordPress security plugins. For me it’s like those medicine ads that promise to cure something then spend the rest of the two minute commercial listing the possible side effects. I’ve looked into two popular ones iThemes Security and WordFence and I ended up not liking either one for different reasons.
Note: These are my personal opinions about the security plugins below. Like I always say: Do your own testing and research.
iThemes Security – Formally Better WP Security is a plugin that will potentially fubar your website if you aren’t careful. They even state to run a full backup before trying to implement it. They do things like try and obfuscate folders, folder paths, and then write to the .htaccess file to implement its security measures. I ran this plugin on a test site and it wasn’t pretty. I would only suggest attempting to install the plugin on a new WordPress install or hire them to install it for you. Then keep a close eye on things to make sure nothing breaks.
WordFence – Now WordFence is a bit less extreme than iThemes Security. But when I loaded it up and turned on everything. I then looked at the server logs to see what it was doing. All I noticed were pages of WordFence requests in the logs. That and it slowed down the website enough for me to quickly decide to remove it. I love the idea of it. But having an active plugin that attempts to scan WordPress live just seems counter intuitive.
The security suite plugins just seem to get over complicated and bloated. They have grown so much that they themselves have become a problem and not a solution.
Oh, so what do I use? Since I use a mix of .htaccess and 3rd Party services? I currently use the following plugin:
Limit Login Attempts – This simple plugin will lock out login attempts by IP Address. I have it setup to where after 4 attempts the IP gets logged and blocked for 48 hours. The bad news is if you accidentally get locked out? You’ll have to manually disable the plugin then go back in and reactivate it.
Update: I removed the IQ Block Country plugin. Way too aggressive and blocking ‘good’ traffic. Went back to CloudFlare again 🙂
Use a 3rd Party Service
There are a few services out there that will add another layer of security for your website. They involve changing your DNS settings to run through their service though. So if they have an issue? You have an issue. Just remember that when shopping around for one.
CloudFlare – this is my personal favorite. Why? Well… it is free for the most part. If you want to get their advanced security features? You’ll have to pay for it. You can read my full review here to learn more about what CF does and how it can protect you.
Incapsula – My friend Justin over at dragonblogger runs this service for his blog. I haven’t checked it out yet. It’s a hybrid CDN/Web Firewall service (depending on the level of service) to help speed up your website and protect it online. Starting at $20.00/mo. this can get expensive for the blogger on a budget. And they don’t offer their DDoS protection until you get up to their Business + plan!
Sucuri – These guys will scan your site online for free to see if your site is not only free of malware. They will also let you know if anything else is out of date. You can sign up for their Webproxy Service for as low as $9.99 a month. With it you will get an online Web Firewall, DDoS protection, Malware protection, and protection from bots as well. I will have to check these guys out to see how it all works.
They also have a plugin you can install that will scan your website as well!
Have a Disaster Recovery Plan
Now if something were to go wrong today? How would you handle it? Don’t have an answer? Well I suggest coming up with a game plan to deal with it today. Have your contact numbers handy for your host, your admin, and your mommy if need be 🙂 Also know where your backups are located and available (not on your web host!) so you can restore your site quickly.
If you don’t know HOW your website was hacked? You will need to hire someone who knows what they are doing. You can contact me – and I will suggest someone who knows what they are doing. Or you can go online to Sucuri and hire them as well.
Keep Your Computer Safe
Another way for hackers to inadvertently access your website? Through your own computer. So make sure that you have a good antivirus and malware protection software on them. Make sure to stay on top of updates your computer asks you to perform. And follow safe practices when surfing on the web or checking your email.
Read More: How to Clean Your Computer from Spyware, Viruses and More!
Finally – Use Common Sense
This is the basic stuff you should already be aware of if have been on the internet for any sort of time.
- Never login on any type of public wifi or hotspot. – EVER
- Do not give your login credentials to anyone. This includes your website, host, and FTP accounts. If you hire someone to perform work on your website? Create a temporary account and make sure they can be trusted. Then after the work is completed? Remove it.
- If you allow people to register? Use the correct user roles and enforce strong passwords. Use a plugin like this one from WP White Security to help enforce it!
- If people wish to guest post? Have them submit the article and images to you directly and you post it for them. I use a “Guest” login and have them put their BIO down on the bottom of the article.
Conclusion
I know this seems like a lot of overkill just to protect your website. Unfortunately all it takes is one “crack in the armor” and you’re done. Although I mentioned quite a few things you can do. I’ve only just given you the basics. If you want to learn more on how to keep your WordPress secure? Check out the resources below to learn what you are up against and how to stop it.
Resources:
What do you do to make sure your website is secure? Leave a comment below with your own security tips.
