Table of Contents
Securing any website has become a task of daily routine. Nowadays, a website directory contains important data that needs a high level of security to be saved from the hands of malware attackers. This WordPress security guide will help you ensure safety of your website.
This blog will let you know the common causes behind your hacked website and provide some WordPress Security tips that will prevent your WordPress Website from hacking and eventually improve WordPress Website Performance.
Why is Improving WordPress Website Security necessary?
A website is home to many important data and content. We firmly suggest you to always follow WordPress Development Coding standards to secure your website as well as improvise its performance.
With the advancing technology, there comes a need for a WordPress Development Service Provider to cope up with the challenging world. This becomes difficult when a hacker tries to disturb your IT infrastructure while breaking security barriers.
Any website holds visitors’ personal information like IP address or Google account credentials. This raises a necessity to save them from being hacked and leaked publicly. Hacking directly affects WordPress website performance.
Changes you will see if your site is hacked
- Your files can auspiciously be submitted to PHP backdoors.
- You will get a warning from your web host stating that your website contains malware.
- You will get to see unknown pop-ups not created by your developers.
- Your live files can be changed or modified.
- Malware codes can be added to your coding database.
- Your website can lead to many other defective websites.
- Other restricted users can access your admin directory.
- Your website can become a box of spamming pictures or posts.
- Google may restrict your visitors from using your site with a warning of an unprotected website.
Securing your data is not a secondary task. Move on to the various causes and fix them before any threat to prevent your WordPress website from hacking.
18 Causes and Fixes behind your hacked WordPress Website
1. Unsecure Web Hosting
It highly matters on your web hosting. Hackers have an easy way to attack through your unsecured web hosting platforms. Sometimes, the hosting provider assigns a single host to multiple websites, which increases the risk of ransomware attacks. So, Considering right hosting for WordPress site can help you stay safe from malicious attacks.
A secured web hosting will provide security protection to make sure your website holds a protected content.
To secure your web hosting and increase your WordPress website performance, apply measures such as install firewall protection or use FTP to protect your server and handle any security breach.
Your webhost can even provide you with the cloudflare CDN which is more recommended than the hosts who do not have CDN facilities. This can cause you a minimal charge in exchange for their services.
However, fact-check that the best hosting provider will always be a little costly. For us, WPEngine has been best hosting provider. The assumption that your site doesn’t need security as it is not fully developed or is for a small-scale business, you are significantly missing an important part. Thus, other than WPengine and WordPress VIP can act as your powerful web host.
2. Weak Password Strength
Passwords are the roots behind a great cause. Weak passwords work just as a simple task for a dedicated hacker. Any hacker can easily break passwords that are monotonous, using familiar characters, or are not case sensitive.
The example of common weak passwords can be WordPress, admin, house, etc. Your admin directory will need a password and a username. Every time you try to login into your directory, a ‘guessed login’ appears, using which a hacker can easily crack the code.
The most strong password contains 12 characters: a mixture of various letters, symbols, and special characters forming a non-dictionary word. For example, Weak passwords can be modified as W@rdpress123 or @dm!n2343 such that it contains capital fonts, numerical, and at least one special character.
In fact, passwords are also necessary to secure your emails, cPanel, FTP accounts, MYSQL accounts, and others connected to your admin dashboard to secure your WordPress website.
Check your password strength using various tools present online. You should have the practice of changing your admin password regularly at least every week.
3. Unsecured WP Directory
WordPress admin is the most vulnerable section. In a hacking attempt attacker generally try to access paths to the WP admin directory. If they succeed, they can modify your files or even add malicious code to your database.
If your admin dashboard has multiple users, you can assign a strong password and add a layer of authentication to access. This can also be done by applying end-to-end encryption.
By adding two layers, you are enabling your backend user to pass through two steps:
- Adding username and password
- Adding passcode to verify the user
To enable two factor authentication, use Google Authenticator. Two factor authentication can help you prevent unauthorised access.
You can create a security layer with the help of .htaccess. Follow the steps for successful creation:
1. First create a .htpasswds file. You can do so easily by using the Htpasswd generator. Upload this file outside your /public_html/ directory. A good path would be: home/user/.htpasswds/public_html/wp-admin/passwd/
2. Then, create a .htaccess file and upload it in /wp-admin/ directory. Then add the following codes in there:
- AuthName “Admins Only”
- AuthUserFile /home/yourdirectory/.htpasswds/public_html/wp-admin/passwd
- AuthGroupFile /dev/null
- AuthType basic
- require user putyourusernamehere
You must update your username there. Also don’t forget to update the AuthUserFile location path.
3. This is also dependent on the server configuration like after adding this security if you are getting 404 too many redirects error, to fix this issue, open your main WordPress .htaccess file and add the following code there before the WordPress rules start.
ErrorDocument 401 default
4. If you have any feature on the frontend with Ajax load feature and it breaks after adding this security, Open the .htaccess file located in your /wp-admin/ folder (This is NOT the main .htaccess file that we edited above).
In the wp-admin .htaccess file, paste the following code:
- <Files admin-ajax.php>
- Order allow,deny
- Allow from all
- Satisfy any
4. Invalid File Permissions
There will be multiple files and folders seeking some set of file permissions. WordPress File permissions will let any user read, write or execute the file. Incorrect file permissions will lead to the loss or leakage of significant data.
There are specifically recommended file permissions to set up to secure your WordPress Website.
There’s a number for all possible levels of file permissions, as follows:
- 0 – No access at all
- 1 – Execute
- 2 – Write
- 3 – Write, and execute
- 4 – Read
- 5 – Read, and execute
- 6 – Read, and write
- 7 – Read, write and execute
The ideal value for your WordPress files should be 644, and for WordPress, folders should be 755. Check out this article to know more about changing file permissions.
5. Un-Updated WordPress
By not updating your WordPress website will invite many hackers as they can access your website’s bugs and flaws. Static WordPress files often lead to threats.
It may happen that due to un-updated features, your WordPress website performance lowers. Its functionality limits by syncing no new data on your site.
Anything in WordPress will function perfectly if you timely update your sites, files, and folders. By updating, the bugs will get fixed, and the site will tend to be more secure.
If you live in fear that you will eventually break your site performance by updating, you can back up your data and then move into updating.
Standard and easy solution is to prepare one staging environment of the production website that will be an exact clone of the production website. You will always have one chance to try the updates on staging first and if all working fine then update on the production server.
Update your site not once or twice instead keep checking on updates and Update WordPress regularly.
6. Inactive Plugins and Themes
Just one defective plugin or theme can make your entire site vulnerable. Plugins are extended features and are applied to your website externally to improve your website’s functionality. However, if any plugin fails to cooperate with the rest of the features of your WordPress website, you will eventually fall into compromising the website’s performance. Hence they are the most susceptible when it comes to WordPress Website Security.
When choosing plugins, it becomes vital to check if they are accurately updated and compatible with other features of WordPress and ensure it doesn’t create any path for hackers to enter.
Themes and plugins are generally easier to fix bugs. However, updating them regularly will null out many unwanted issues regarding plugins and themes.
Also you can use the staging website – clone of production website to presume the working of your website.
7. Plain FTP Protection
To upload files to your website, you will need an FTP client to transfer files. Using a plain FTP will allow unauthorized users to read and decode the information as the password is sent unencrypted.
It is advisable to use SFTP or SSH as your FTP client. While connecting, change your protocol to SFTP or SSH instead of plain FTP.
FileZilla is the most popular FTP client. You can change all these settings directly from the WordPress Admin panel.
8. Weak Default WP Username and Admin URL
Admin is the most common username for any WP administrator. If you are using your admin username with this name, it is highly recommended to change it immediately.
To prevent your WordPress Website from hacking through admin paths, change your admin username.
We believe our WP admin username can’t be changed. This is a myth around many WordPress admin users. You can go with simple tricky way to change admin user name like create new admin user and delete the older one.
Also hiding your crucial login URL is important. The first and major security is to change the WordPress admin login URL, because every user knows the default login URL to your dashboard. So with the WPS Hide Login you can easily change your WordPress login URL with a unique URL which you only know.
The default admin URL generally ends as /wp-admin or /wp-login.php. It is advisable to change it and make your admin login URL customized.
Securing other default WordPress folders also becomes necessary, when fixing the overall WordPress website’s security. To change wp-content folder, follow the points below:
1. Open the “wp-config.php” file in the root folder. Add the below code snippet above the line
require_once (ABSPATH . 'wp-settings.php');
Don’t forget to replace “Folder_Name” /codewith the actual folder name.
- //Rename wp-content folder
- define (‘WP_CONTENT_FOLDERNAME’, ‘Folder_Name’);
2. After that we need to define the new directory path and URL. To do that, add the below code above the line
require_once (ABSPATH . 'wp-settings.php');
- //Define new directory path
- define (‘WP_CONTENT_DIR’, ABSPATH . WP_CONTENT_FOLDERNAME);
- //Define new directory URL
- define(‘WP_SITEURL’, ‘http://’ . $_SERVER[‘HTTP_HOST’] . ‘/’);
- define(‘WP_CONTENT_URL’, WP_SITEURL . WP_CONTENT_FOLDERNAME);
9. Nulled Themes and Plugins
WordPress directory contains more than 60000 plugins. Yet, many unlikely sources assure free customized plugins and themes for your websites. Beware of these nulled themes and plugins. Choose secured WordPress Plugin Development services providers who are trusted sellers on online platforms like CodeCanyon, Zapier, Celigo, etc.
Do not download the free plugins and themes from an unknown source. Always hop onto the official website of WordPress to install your plugins.
While downloading from a malicious server, you may invite many hackers to create fuzz in your website, steal your personal information, and misuse it.
If you do not find it right to go for paid sources, then you can certainly shift to it’s free versions available in WordPress. This might not be as powerful as a paid one, but will manage to make your WordPress website secure.
10. Unsecured WordPress Configuration File
Your website’s login identities are stored in WordPress configuration files wp-config.php. If this file is not maintained correctly, you may involve a significant threat to your website.
Protect your configuration file while adding a layer of protection through .htaccess. Just add codes to your directory.
This will allow limited access to your wp_files and thus will prevent its access to the intended hackers.
- <files wp-config.php>
- Order allow,deny
- deny from all
11. Unchanged WordPress Table Prefix
When installing WordPress, you get your WordPress table prefix as wp_ by default. As this common prefix is easy to hack, this needs to be changed. You have an option to change the prefix and make it more unique.
WordPress table prefix can be done at the time of installation only. Read for this tutorial to change the prefix.
In total, there are 11 default WordPress table prefixes. You need to change all of them in order to lower the chance of WordPress websites from hacking.
12. Too Many Inactive Users
During operating the back-end, there are several users for the website. If they actively use the admin panel, it does not create any issue. But if the admin is full of inactive users, they should immediately be removed, to prevent a chance for any hacker to enter through it.
Inactive user’s passwords may be weak enough as they will not be updated frequently. Hence this becomes vulnerable.
You can change your inactive users and assign them the role as a ‘Subscriber.’ These inactive users even can load up your site and poor your website’s performance. Hence removing will not only remove threat, but will also clear the paths to increase your website functioning.
13. Enabled File Editing
There are multiple users involved while developing a website. All the users must not be granted permission for every file editing unless needed. If any hacker manages to enter the admin directory through them, this will create a problem.
Disable file editing from the admin panel. If you allow file editing, you are welcoming the malware attackers to change your codes or details. Manually restricting permission may be troublesome. Disabling file editing can be done through writing a code:
- define(‘DISALLOW_FILE_EDIT’, true);
14. Losing Un-backed Up Data
If you do not create a regular backup for your website, you might end up losing a panel of essential data.
If the hacker changes any information from your content and is not ready with your original piece of data, you may fall into severe threats.
Backing up data will not save us from hacking, but a backed-up site will help us recover from the damage.
Keep your site and data up-to-date for which backup your sites regularly. This will help to restore your data after the attack. Your hosting provider offers the service of website backup.
Besides, there are multiple plugins available that will backup and restore your data. You can even backup the data of your site directly from WordPress.
Besides, check with your WordPress host, they have the extended service to provide automatic back-ups for your WordPress website.
15. Unsecured Website URL
Unsecured websites are a large source of malware resources. Hackers are prone to hit your site if you don’t have an HTTPS URL.
In fact, searching numerous unprotected sites can lead to malware viruses entering into your device and attacking your data.
Any website you see has HTTPS in their URLs, which means their site is secured, and all the information between the website and its user is secured with the layer of encryption.
You can easily convert your website to HTTPS or download an SSL certificate that secures all the levels of information.
By SSL certificate, you secure everything of your user browser to a safe level. Hackers are less likely to break the encrypted security layer.
You can get your free SSL certificate for your WordPress Website from Letsencrypt.
16. No Security Plugin
Plugins are the prominent features to prevent your WordPress Website from hacking. If you do not run any plugin on your website, you may manually manage the performance of the website.
Though WordPress has its own security features, they are not enough to protect the entire site by every means. Plugins play a part here. They are customizable and can save your targeted WordPress website.
There are numerous WordPress plugins available free on the WordPress directory. They can boost the productivity of your WordPress website. Among them, some of the best WordPress Security Plugins are listed below:
Security Plugins help your website to remain protected and secure from its confidential data. Sometimes repairing a hacked website can be more time and cost-consuming.
WordPress security plugins can detect any threat or notify for any update in advance, preventing your WordPress website from hacking.
We use WordFence as our WordPress security plugin. It feels useful as it works as an endpoint firewall server which provides a better prevention from malware attacks.
17. Unsecured Debug Logs
When any plugin or theme is downloaded, a debug log is created in the PHP file to analyze any error in the files. This is represented by a debug constant.
These log files are kept enabled during the live site to log errors. However, this can sometimes disclose the information to the hackers through which they get a chance to edit and enter malware functionalities.
A debug log contains error information and database operations. Hence it is trivial to secure your website debug log. It is advisable to secure your debug files by withdrawing the constant or setting it to false by default.
- define( ‘WP_DEBUG’, false );
I strongly recommend to do not enable debug logs on production server and keep enabled for staging server only.
18. Unsecure Server
Public servers are always an eye for intended hackers. Never login to any file using any public server. This can be a trap, and hackers can steal a piece of information.
Public servers are always an open-source network. If you try to login to your site using any open networks, you are eventually registering your IP address and other credentials into it. This leaked info is much easier for technocrats to use illegally.
You can use VPN ( Virtual Private Network). This server can be called as a DNS proxy server which adds a request to public DNS and sets up a network.
Any secured WordPress directories or admin sections must be logged in through trusted networks. Your WordPress host sometimes uses a shared network for your site which creates an issue.
Trusted VPN do not tunnel into cryptographic channels instead they use a private network to scroll into details.
Clean your Hacked Website
After taking care of so many things, still, your website gets attacked, don’t panic and follow the steps to recover from the damage:
1. Identify Hack
The first and foremost step is to identify the hack. For this, you will need to check few things to know the actual damage to the website:
- Check the login access to your admin panel
- Check the redirecting sites which direct from your website
- Check any malware links on the website
- Check Google status of security
It is advisable to change your password before and after the recovery.
2. Check With Your Hosting Company
Host providers can help you in this situation. Share your problem with the company, and they may analyze the problem thoroughly.
Many times, there may be a possibility that the damage has spread beyond the site because of the shared network. In that case, the host can help you solve the problem as they have a team of experts to solve this daily.
3. Restore From Backup
Regularly backing up your site is not enough. If you need to prevent hacking, restore your data regularly besides backup. This will lower the after-effect of hacking.
This proves to be a golden opportunity to beat the hacker. Hence it is an excellent practice to backup your site and restore it to a safer place timely.
4. Malware Scan and Removal
Most of the hackers upload their malware codes in the backdoor. Hence even after malware removal, these files remain hidden in the backdoor.
WordPress Security plugins scan the site thoroughly and detect the location of the harm. This way, it will clean your area thoroughly.
There are few things that you can do: Installing the plugins like WordFence or there are few commands that you can run on your server.
How to scan for malware with ClamAV on Server
1. The first step is to install and get the latest signature updates. To do this on various linux distributions, you can open a terminal and insert below command based on Operating System and press enter:
- a. Debian / Ubuntu
- apt-get update
- apt-get install clamav
- b. RHEL/CentOS
- yum install -y epel-release
- yum install -y clamav
- yum install -y clamd
- c. Fedora
- yum install -y clamav clamav-update
- d. macOS
- brew install clamav
2. You may also build ClamAV from sources for better scanning performance. To update the signatures, you type “sudo freshclam” on a terminal session and press enter:
- sudo freshclam
3. Now we are ready to scan our system. To do this, you can use the “clamscan” command. This is a rich command that can work with many different parameters so you’d better insert “clamscan –-help” on the terminal first and see the various things that what you can do with it:
- clamscan –-help
4. Scan Files for Viruses with ClamAV
The general usage of clamscan is:
- clamscan [options] [file/directory/-]
5. To scan the “Downloads” folder located under the home directory, and choose to output only infected files and ring a bell when (and if) they are found. This translates to the following command on the terminal:
- clamscan -r –bell -i /home/username/Downloads
6. To scan the whole system (it may take a while) and remove all infected files in the process, you can use the command in the following form:
- clamscan -r –remove /
Note: Sometimes, simply removing infected files can cause even more problems or breakages. I suggest that you should always check the output first and then take manual action. Alternatively, you may also use the “move” command integrated as a parameter in the form of “–move=/home/bill/my_virus_collection” (example directory).”
5. Check User Permission
Assign your admin permission to trusted users only. Delete any inactive users that may be a source for any hacker.
Disable or restrict permission to your file directory. This can be done in the settings panel of your admin dashboard.
6. Change Passwords
Change every password and make it a unique one. Weak passwords are a welcoming point for hackers.
Check your password strength before confirming your password.
7. Strengthening Of WordPress Website
Besides maintaining the above 18 remedies, strengthen your website well ahead. For that, keep in mind the following things:
- Install firewall protection
- Install a security plugin
- Disable plugin and themes editing
- Restrict admin permissions
- Limit your login attempts
Running a business online is itself a complex procedure involving a massive amount of resources. Keeping them safe becomes essential not to let your data leak into malicious hands. You can improve your WordPress website performance with this list of 18 fixes and prevent it from hacking.
If you’re not that confident with the technicalities of it all or lack the time, hiring a good agency for WordPress maintenance or to remove malware from the website is the good option. Regular website maintenance and updates are the most effective way to keep your website running smoothly and free from security threats. Let us know other security hacks besides mentioned in this blog in the comment section. I hope, by reading the above WordPress Security Tips, you will have more security of your WordPress Website.
Also, keep in touch with us to avail WordPress security benefits and guidance from our WordPress experts.