{"id":1776,"date":"2016-02-01T12:12:20","date_gmt":"2016-02-01T12:12:20","guid":{"rendered":"https:\/\/www.milesweb.co.uk\/blog\/?p=1776"},"modified":"2026-01-29T06:47:15","modified_gmt":"2026-01-29T06:47:15","slug":"my-wordpress-has-been-hacked-how-to-get-it-back","status":"publish","type":"post","link":"https:\/\/www.milesweb.co.uk\/blog\/wordpress\/my-wordpress-has-been-hacked-how-to-get-it-back\/","title":{"rendered":"WordPress Hacked! No More a Headache"},"content":{"rendered":"\n<p>Nothing is more frustrating than finding out that your WordPress website is hacked. After all, your WordPress website is your hard work over many months or years, and the last thing that you expect is to learn that your website is hacked. In order to prevent hackers from attacking your WordPress website, the first step is to know the ways and reasons a WordPress website can get hacked. With a better understanding of these reasons, it will be easy for you to implement solutions for preventing the hacking attempts on your WordPress website.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Why Do Hackers Target WordPress?<\/h3>\n\n\n\n<p>Not just WordPress but all types of websites on the internet are vulnerable to hacking attempts. One of the main reasons why WordPress websites are a common target for hackers is that WordPress is the most popular website building platform. As WordPress is extremely popular and commonly used, hackers constantly look for websites that are less secure so they can break into them. Hackers have different motives for hacking websites. 
Some hackers are beginners who are learning to analyze and get into less secure websites, while others have malicious intentions like injecting malware into a website, using a website to attack other websites, or sending spam.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How A WordPress Site Gets Hacked?<\/h2>\n\n\n\n<p>It is important to understand how a WordPress site gets hacked.<\/p>\n\n\n\n<p><strong>Below are the types of WordPress security vulnerabilities that lead to hacking of your website:<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"1WPHack\">Backdoors<figure><a href=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/choose-bright-dark-door_24381-640-min.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-7744\" src=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/choose-bright-dark-door_24381-640-min.jpg\" alt=\"\" width=\"300\" height=\"300\" srcset=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/choose-bright-dark-door_24381-640-min.jpg 300w, https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/choose-bright-dark-door_24381-640-min-150x150.jpg 150w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/figure><\/h3>\n\n\n\n<p>A backdoor gives hackers a hidden way in that bypasses the normal login and security controls, letting them reach a WordPress website through channels such as wp-admin, FTP and SFTP. Once they have access, hackers can use backdoors to cause disaster on hosting servers through cross-site contamination attacks, which affect multiple sites hosted on the same server. 
According to Sucuri\u2019s Q3 2017 report, backdoors continue to be one of the many post-hack actions taken by attackers, with 71% of infected sites having some form of backdoor injection.<\/p>\n\n\n\n<p>Often, backdoors are encoded in such a way that they look like legitimate WordPress system files, and they gain access to WordPress databases by taking advantage of weaknesses and bugs in outdated versions of the platform.<\/p>\n\n\n\n<p>A prime example of a backdoor vulnerability is the TimThumb fiasco, in which old scripts and outdated software were exploited, impacting millions of websites.<\/p>\n\n\n\n<p>You can guard against backdoors by scanning your WordPress site with tools such as SiteCheck, which easily detects common backdoors. Additionally, you can block IPs, enable two-factor authentication, restrict admin access and prevent unauthorized execution of PHP files to protect against this vulnerability.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"2WPHack\">Pharma Hacks<figure><a href=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/pharma-hack-min.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignright size-full wp-image-7745\" src=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/pharma-hack-min.jpg\" alt=\"\" width=\"300\" height=\"300\" srcset=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/pharma-hack-min.jpg 300w, https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/pharma-hack-min-150x150.jpg 150w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/figure><\/h3>\n\n\n\n<p>With a Pharma Hack, the hacker inserts rogue code into outdated versions of WordPress websites and plugins, so that search engines return ads for pharmaceutical products when an affected website is searched for. The attack looks more like spam than traditional malware. 
But it gives the search engines enough reason to block the site for distributing spam.<\/p>\n\n\n\n<p>A Pharma Hack includes backdoors in plugins and databases. The exploits are often encoded malicious injections stored in the database, and removing them requires a detailed clean-up process.<\/p>\n\n\n\n<p>Pharma Hacks can be easily prevented by asking your WordPress hosting provider to keep the servers updated and by regularly updating your WordPress installations, themes, and plugins. MilesWeb offers an automatic WordPress updates feature that keeps your WordPress always updated.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"3WPHack\"><figure><a href=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/brute-force-min.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-7746 alignleft\" src=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/brute-force-min.jpg\" alt=\"\" width=\"300\" height=\"300\" srcset=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/brute-force-min.jpg 300w, https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/brute-force-min-150x150.jpg 150w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/figure>Brute-force Login Attempts<\/h3>\n\n\n\n<p>In brute-force login attempts, automated scripts exploit weak passwords to gain access to your site. Limiting login attempts, two-step authentication, blocking IPs, monitoring unauthorized logins and using strong passwords are some of the easiest and most effective ways to avoid brute-force attacks. 
Though these security practices are easy to implement, many WordPress website owners fail to follow them.<\/p>\n\n\n\n<p>Due to this, hackers are easily able to destroy as many as 30,000 websites in a single day via brute-force attacks.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"4WPHack\">Malicious Redirects<figure><a href=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/malicious-redirect-min.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignright size-full wp-image-7747\" src=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/malicious-redirect-min.jpg\" alt=\"\" width=\"300\" height=\"300\" srcset=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/malicious-redirect-min.jpg 300w, https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/malicious-redirect-min-150x150.jpg 150w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/figure><\/h3>\n\n\n\n<p>With malicious redirects, backdoors are created in WordPress installations through SFTP, FTP, wp-admin and other access channels, and redirection code is injected into the website. 
Usually, the redirects are placed in your .htaccess file and other WordPress core files in encoded forms that direct the web traffic to malicious sites.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"5WPHack\"><figure><a href=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/scripting-min.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-7748\" src=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/scripting-min.jpg\" alt=\"\" width=\"300\" height=\"300\" srcset=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/scripting-min.jpg 300w, https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/scripting-min-150x150.jpg 150w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/figure>Cross-Site Scripting (XSS)<\/h3>\n\n\n\n<p>Cross-Site Scripting (XSS) involves injecting a malicious script into a trusted website or application. This is used by the attacker to send malicious code, typically browser-side scripts, to the end user without letting them know about it. 
Usually, the intent is to grab cookie or session data or perhaps even rewrite HTML on a page.<br>WordFence states that Cross-Site Scripting vulnerabilities are the most commonly found vulnerability in WordPress plugins by a significant margin.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"6WPHack\">Denial of Service<figure><a href=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/dos-attack-min.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignright size-full wp-image-7749\" src=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/dos-attack-min.jpg\" alt=\"\" width=\"300\" height=\"300\" srcset=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/dos-attack-min.jpg 300w, https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/dos-attack-min-150x150.jpg 150w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/figure><\/h3>\n\n\n\n<p>And now the most dangerous of all: the Denial of Service (DoS) vulnerability. It exploits errors and bugs in the code to overwhelm the memory of the operating system running the website. Hackers have threatened millions of websites and earned millions of dollars by abusing outdated and buggy versions of WordPress software with DoS attacks. 
Though small companies won\u2019t be a target of financially motivated cybercriminals, attackers try to take over outdated, vulnerable websites to build botnets for attacking large businesses.<\/p>\n\n\n\n<p>Unfortunately, even the latest WordPress software versions can\u2019t fully withstand high-profile DoS attacks, but they will surely help you avoid getting caught in the fight between financial institutions and sophisticated cybercriminals.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How to identify if your website has actually been hacked?<\/h2>\n\n\n\n<p>The worst has happened: you went to open your blog and were met with a warning message saying that your site has been hacked. OMG\u2026 What to do now?<\/p>\n\n\n\n<p>Of course, now you wonder how to recover the hacked WordPress site.<\/p>\n\n\n\n<p>But the first thing to do is not to panic: take a deep breath, relax and try to identify the problem.<\/p>\n\n\n\n<p>The first thing you have to do is figure out whether your site has actually been hacked.<\/p>\n\n\n\n<p>Yes, obviously it is the first thing you need to know.<\/p>\n\n\n\n<p>There are plugins that detect whether your website is infected. For me, one of the best tools to identify WordPress infections is \u201cSucuri\u201d. In addition, with the Sucuri WordPress plugin you will get an alert every time someone tries to attack your website.<\/p>\n\n\n\n<p><strong>Your site has really been hacked if you face the situations below:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You aren\u2019t able to log in.<\/li>\n\n\n\n<li>Your website home page is blank or displays a \u201cYou have been hacked\u201d message.<\/li>\n\n\n\n<li>All content and pages have been removed from your site.<\/li>\n\n\n\n<li>You see unknown things like new content, advertisements or pornographic material in your website header and footer. 
For instance, you might see that the homepage has been replaced by a static page or that new content has been added to it.<\/li>\n\n\n\n<li>Your website redirects to other sources (spam websites).<\/li>\n\n\n\n<li>Your web host sends you emails about spam and other malicious activities.<\/li>\n\n\n\n<li>You search Google for \u201csite:example.com\u201d and get indexed pages and content that look malicious.<\/li>\n\n\n\n<li>While searching for your site, you or your users get a warning in your browser.<\/li>\n\n\n\n<li>When you search for your site in Google, it gives a warning that your site may have been hacked.<\/li>\n\n\n\n<li>You get a notification from your security plugin about a breach or an unexpected change.<\/li>\n<\/ul>\n\n\n\n<p>Now you are sure that you have actually been hacked. So what is the next thing you can do to get your WordPress website back?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Top 10 Reasons Why Your WordPress Website Can Get Hacked And How To Prevent Them?<\/h2>\n\n\n\n<p>Below are the top 10 reasons why your WordPress website can get hacked:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"1WPReasons\">#1 Insecure Web Hosting Platform<figure><a href=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/server-min.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-medium wp-image-7755\" src=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/server-min-300x281.jpg\" alt=\"\" width=\"300\" height=\"281\" srcset=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/server-min-300x281.jpg 300w, https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/server-min.jpg 625w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/figure><\/h3>\n\n\n\n<p>It is extremely important to research the WordPress hosting platform before signing up for one. 
Some hosting companies do not secure their web hosting platforms completely. As a result of this, all the websites hosted on their server are vulnerable to the hacking attempts and malicious activities. This can be avoided by choosing a secure WordPress hosting platform. At MilesWeb, WordPress hosting is fast, easy and highly secure.<\/p>\n\n\n\n<p>This WordPress hosting platform is crafted for high-performance and faster page load speed. 
All the WordPress hosting packages at MilesWeb are backed by the latest Intel Xeon processors that help in making your website fast, efficient and completely secured.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"2WPReasons\">#2 Use Of Weak Passwords<figure><a href=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/password-new-min.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignright size-medium wp-image-7756\" src=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/password-new-min-300x286.jpg\" alt=\"\" width=\"300\" height=\"286\" srcset=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/password-new-min-300x286.jpg 300w, https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/password-new-min.jpg 625w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/figure><\/h3>\n\n\n\n<p>Your admin password is the key to your WordPress website. It is highly important to use a strong and unique password for every account mentioned below as a hacker can breach into your website if he gets access to these accounts:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Web hosting control panel account<\/li>\n\n\n\n<li>WordPress admin account<\/li>\n\n\n\n<li>MySQL databases used for your WordPress website<\/li>\n\n\n\n<li>FTP accounts<\/li>\n\n\n\n<li>Email accounts used for the WordPress account<\/li>\n<\/ul>\n\n\n\n<p>All the accounts mentioned above are protected through passwords. If you use weak passwords, it becomes very easy for the hackers to get to your password with some hacking tools. 
You can avoid this with the use of strong and complicated passwords that are not easy to guess.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"3WPReasons\">#3 Using \u2018Admin\u2019 As The WordPress Username<figure><a href=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/wordpress-login-min.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-7757\" src=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/wordpress-login-min.jpg\" alt=\"\" width=\"300\" height=\"300\" srcset=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/wordpress-login-min.jpg 300w, https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/wordpress-login-min-150x150.jpg 150w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/figure><\/h3>\n\n\n\n<p>You must refrain from using \u2018Admin\u2019 as your WordPress username. If the username of your WordPress admin account is \u2018Admin\u2019, then change it to a different username right away because hackers look for the admin username to breach into your account. If you change your admin username to something else, the hackers would not easily know that this is your admin account. 
You can share the login credentials of the admin username to the clients and users on the website if you wish to.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"4WPReasons\">#4 Unprotected Access To The WordPress Admin Area<figure><a href=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/wordpress-users-min.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignright size-medium wp-image-7758\" src=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/wordpress-users-min-300x300.jpg\" alt=\"\" width=\"300\" height=\"300\" srcset=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/wordpress-users-min-300x300.jpg 300w, https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/wordpress-users-min-150x150.jpg 150w, https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/wordpress-users-min.jpg 626w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/figure><\/h3>\n\n\n\n<p>You can perform various functions on your website through the WordPress admin area. This is the most commonly attacked part of the WordPress website. If your WordPress admin area is unprotected, hackers can crack your website by trying various methods. You can restrict the hackers by adding various layers of authentication to get to your WordPress admin directory.<\/p>\n\n\n\n<p>Your first step is to password protect the WordPress admin area. This adds an additional layer of security and anyone who tries to access your WordPress admin account will have to provide the password. 
If your WordPress website consists of various authors and users, then it is preferable to use strong passwords for all the user accounts.<\/p>\n\n\n\n<p>You can also make use of two factor authentication so that it is not easily possible for the hackers to get into your admin area.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"5WPReasons\"><figure><a href=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/folder-min.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-7759 alignleft\" src=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/folder-min-300x278.jpg\" alt=\"\" width=\"300\" height=\"278\" srcset=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/folder-min-300x278.jpg 300w, https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/folder-min.jpg 625w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/figure>#5 Incorrect File Permissions<\/h3>\n\n\n\n<p>File permissions are basically a set of rules used by the web server. These permissions support the web server in terms of managing access to files on your website. If the file permissions are incorrect, a hacker can get access to write and change the files. 
It is important to ensure that all your WordPress files must have 644 value as the file permission and all the folders on your WordPress website must have 755 as the file permission.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"6WPReasons\">#6 WordPress Version Not Updated<figure><a href=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/wordpress-version-min.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignright size-full wp-image-7760\" src=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/wordpress-version-min.jpg\" alt=\"\" width=\"300\" height=\"300\" srcset=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/wordpress-version-min.jpg 300w, https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/wordpress-version-min-150x150.jpg 150w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/figure><\/h3>\n\n\n\n<p>Some WordPress users do not update the WordPress version in time; at times they feel that by doing so their WordPress website might become slow or might be affected adversely. But that\u2019s not right, when you see a new update for WordPress you must implement it immediately because every new version of WordPress fixes the bugs and security vulnerabilities that were present in the earlier version. Updating the WordPress version is simple yet a very effective way of protecting your website.<\/p>\n\n\n\n<p>In case you are afraid that you might lose some data while updating the WordPress website, then you can create the complete website backup first and then update the website. 
Thereby, if something goes wrong or if something doesn\u2019t work, then you will not lose any data and you can easily get back to the previous WordPress version.<\/p>\n\n\n\n<p><strong>Related : <a href=\"https:\/\/www.milesweb.co.uk\/blog\/wordpress\/7-excellent-wordpress-backup-plugins-for-easy-website-backup\/\" target=\"_blank\" rel=\"noopener\">7 Excellent WordPress Backup Plugins For Easy Website Backup<\/a><\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"7WPReasons\">#7 WordPress Plugins And Themes Not Updated<figure><a href=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/plugin-min.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-medium wp-image-7761\" src=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/plugin-min-300x274.jpg\" alt=\"\" width=\"300\" height=\"274\" srcset=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/plugin-min-300x274.jpg 300w, https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/plugin-min.jpg 625w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/figure><\/h3>\n\n\n\n<p>Just like it is important to update the WordPress version, it is also important to update the plugins and the theme that you are using. If any of your plugin or theme is outdated, then your website becomes vulnerable to hacking attacks. Security defects and bugs are often found in WordPress plugins and themes. Usually, the owners of the plugins and themes fix them immediately, but if the user does not update the theme or plugin, then the website becomes vulnerable. 
Therefore, it is important to ensure that all your plugins and themes are updated.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"8WPReasons\">#8 Use Of FTP In Place Of SFTP \/ SSH<figure><a href=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/ftp-new-min.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignright size-full wp-image-7762\" src=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/ftp-new-min.jpg\" alt=\"\" width=\"300\" height=\"300\" srcset=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/ftp-new-min.jpg 300w, https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/ftp-new-min-150x150.jpg 150w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/figure><\/h3>\n\n\n\n<p>The FTP accounts are used for uploading files to the web server through an FTP client. Most of the hosting providers support the FTP connections with various protocols, you can connect with plain FTP, SFTP or SSH.<\/p>\n\n\n\n<p>When you connect to your WordPress website through plain FTP, the password that you enter is sent to the web server unprotected and unencrypted. Hackers might spy on your FTP connection and your password might be easily detected and stolen. Therefore, in place of using FTP, you can make use of the SFTP or SSH connections.<\/p>\n\n\n\n<p>For using the SFTP or SSH connection, there is no need for you to change the FTP client. Most of the FTP clients can connect to your website through SFTP and through SSH as well. 
For this, all you have to do is change the protocol to \u2018SFTP \u2013 SSH\u2019 while connecting to your website.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"9WPReasons\">#9 Nulled Themes &amp; Plugins<figure><a href=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/nulled-theme-min.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-7763\" src=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/nulled-theme-min.jpg\" alt=\"\" width=\"300\" height=\"300\" srcset=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/nulled-theme-min.jpg 300w, https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/nulled-theme-min-150x150.jpg 150w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/figure><\/h3>\n\n\n\n<p>You will come across many websites on the net that offer paid WordPress plugins and themes for free. You might easily get allured for downloading and using these plugins and themes. If you download WordPress plugins and themes from unreliable sources, this can have dangerous negative effects on your website. These null plugins and themes can compromise the security of your website and they can also steal sensitive and important information from your website.<\/p>\n\n\n\n<p>There is no harm in having many plugins and themes but you must ensure that you are downloading them through reliable sources. 
If any plugin or theme you like is a premium one, you can find many other free alternatives to it as WordPress has a wide range of plugins and themes available.<\/p>\n\n\n\n<p><strong>Related : <a href=\"https:\/\/www.milesweb.co.uk\/blog\/wordpress\/essential-wordpress-plugins-blogs-websites\/\">Most Essential WordPress Plugins For Blogs And Websites<\/a><\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"10WPReasons\"><figure><a href=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/configuration-min.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignright size-full wp-image-7764\" src=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/configuration-min.jpg\" alt=\"\" width=\"300\" height=\"300\" srcset=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/configuration-min.jpg 300w, https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/configuration-min-150x150.jpg 150w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/figure>#10 WordPress Configuration wp-config.php File Not Secured<\/h3>\n\n\n\n<p>The WordPress configuration file : wp-config.php consists of all your WordPress database login credentials. In case this file is compromised, then it will give out information that will make it easier for a hacker to get complete access and control over your website. You can add an additional level of protection to deny access to the wp-config.php file with the use of .htaccess. All you have to do is add the code mentioned below to your .htaccess file.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;files wp-config.php&gt;\n\norder allow,deny\n\ndeny from all\n\n&lt;\/files&gt;<\/pre>\n\n\n\n<p>The above mentioned reasons are the most common for your WordPress site to get hacked. 
So, make sure you remember them.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Steps to Recover a Hacked WordPress Website<\/h2>\n\n\n\n<p>Obviously, these measures are not simple: they require some technical knowledge and a level of access to your WordPress installation beyond the ordinary.<\/p>\n\n\n\n<p><strong>You have to use the following tools:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>FTP access to your server, or a file manager such as cPanel.<\/li>\n\n\n\n<li>An advanced text editor such as Notepad++ or similar. An ordinary text editor will also work, but one of these makes the code easier to read.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Put Your Site in Maintenance Mode<\/h3>\n\n\n\n<p>As soon as you find that your WordPress is infected, you have to take it offline to prevent hackers from abusing it further. There is no way to clean up a website while it is online. So, put your website in maintenance mode and work on the files and database quietly.<\/p>\n\n\n\n<p><strong>Follow these steps to get your site in maintenance mode without losing SEO positioning.<\/strong><\/p>\n\n\n\n<p>In this step, we will create a file in the root of your public folder on the server. 
Usually this is the same folder where the wp-includes, wp-admin and wp-content folders reside.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><a href=\"https:\/\/www.milesweb.in\/blog\/wp-content\/uploads\/2016\/02\/code.jpg\"><img loading=\"lazy\" decoding=\"async\" width=\"601\" height=\"351\" src=\"https:\/\/www.milesweb.in\/blog\/wp-content\/uploads\/2016\/02\/code.jpg\" alt=\"\" class=\"wp-image-1782\" srcset=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/code.jpg 601w, https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/code-300x175.jpg 300w\" sizes=\"auto, (max-width: 601px) 100vw, 601px\" \/><\/a><\/figure>\n<\/div>\n\n\n<p>Create a \u201cmaintenance mode\u201d web page, which 503.php is going to call, with the following code:<br><\/p>\n\n\n\n<p>Here you are telling the search engines that you are temporarily out of service, so you will be safe from penalties.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Backup of Your WordPress<\/h3>\n\n\n\n<p>Even though your site may be infected, it is very important to have a backup in case things go from bad to worse. Obtain a complete backup of your website, including all databases. Download the files and perform a full SQL export via phpMyAdmin.<\/p>\n\n\n\n<p>If your site is hosted with cPanel, simply open phpMyAdmin, export the database and generate a zip with all the files in your WordPress folder. It is also a good idea to <a href=\"https:\/\/www.milesweb.co.uk\/hosting-faqs\/backups-cpanel\/\" target=\"_blank\" rel=\"noopener\">create a full backup of all that you have in your hosting<\/a>.<\/p>\n\n\n\n<p>As an alternative that works very well and streamlines this step, you can use the WordPress plugin \u201cBackupBuddy\u201d. IMPORTANT: Do not omit this step.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3. 
Change All Passwords and Access<\/h3>\n\n\n\n<p>Before you start cleaning your site, go to the WordPress control panel and change the access credentials (for all users). Do the same with the database passwords, and reset the WordPress secret keys found in the file \u201cwp-config.php\u201d. <a href=\"https:\/\/api.wordpress.org\/secret-key\/1.1\/salt\/\" target=\"_blank\" rel=\"nofollow noopener\">Click here to get secret Keys<\/a>.<\/p>\n\n\n\n<p>You can also change passwords through FTP.<\/p>\n\n\n\n<p>Open the wp-config.php file through FTP or the file manager, and locate the section where the database is configured.<\/p>\n\n\n\n<p>Replace the MySQL user\u2019s password in this file. You can change the MySQL user\u2019s password by logging into your <strong>cPanel &gt;&gt; MySQL<\/strong>.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><a href=\"https:\/\/www.milesweb.in\/blog\/wp-content\/uploads\/2016\/02\/db.jpg\"><img loading=\"lazy\" decoding=\"async\" width=\"461\" height=\"283\" src=\"https:\/\/www.milesweb.in\/blog\/wp-content\/uploads\/2016\/02\/db.jpg\" alt=\"\" class=\"wp-image-1784\" srcset=\"https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/db.jpg 461w, https:\/\/www.milesweb.co.uk\/blog\/wp-content\/uploads\/2016\/02\/db-300x184.jpg 300w\" sizes=\"auto, (max-width: 461px) 100vw, 461px\" \/><\/a><\/figure>\n<\/div>\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Change the Authentication Keys<\/h3>\n\n\n\n<p>WordPress uses different authentication keys to encrypt the stored information in session cookies; this makes your site more difficult to hack.<\/p>\n\n\n\n<p>In addition to changing the cookies, we will invalidate any session that is already open. You can create new keys by using the official <a href=\"https:\/\/api.wordpress.org\/secret-key\/1.1\/salt\/\" target=\"_blank\" rel=\"nofollow noopener\">WordPress key generator<\/a>. 
You have to open your wp-config.php file to locate where these keys are, and replace them with the newly generated keys.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Scan Files and Folders<\/h3>\n\n\n\n<p>Once you have changed the MySQL and WordPress passwords, it is recommended to scan the files and folders. You may ask your <a href=\"https:\/\/www.milesweb.co.uk\/hosting\/wordpress-hosting\/\" target=\"_blank\" rel=\"noopener\">WordPress hosting provider<\/a> to scan the files and folders using the Maldet and Clamscan utilities.<\/p>\n\n\n\n<p>If you find any plugins and themes with malicious files, it is recommended to remove such plugins and vulnerable files and use an alternative. Even if you reinstall the plugins and themes, the site might get compromised again, as many plugins and themes have known backdoors.<\/p>\n\n\n\n<p>If there are any plugins and themes which you do not require, make sure you remove them directly.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Use Google Webmaster Tools<\/h3>\n\n\n\n<p>In recent years, Google has taken the initiative to identify and point out sites that have experienced a security compromise. If you have not checked your site status, then sign in to Google Webmaster Tools and check if there are any warnings. You can scan your site by using Google Webmaster Tools.<\/p>\n\n\n\n<p>In Google Webmaster Tools, go to the domain you want to check, and click on \u201cProblems of Security\u201d. 
You will get a breakdown of what Google has indexed, with all the details and warning messages (if there are any).<\/p>\n\n\n\n<p>Go to this link and scan your website to see which malicious files are detected: https:\/\/www.google.com\/transparencyreport\/safebrowsing\/diagnostic\/index.html#url<\/p>\n\n\n\n<p>You can see where the malware is hosted, find all the infected files and delete them.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Finally<\/h3>\n\n\n\n<p>Through Google Webmaster Tools, send a request to Google stating that you have made changes to your website and removed all malicious code and infected files.<\/p>\n\n\n\n<p><strong>Wait\u2026 it\u2019s not over yet.<\/strong><\/p>\n\n\n\n<p>Now it is time to be prepared for future attacks. Do you want to be?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Protect Your WordPress Website From Hackers With These 25 Tips<\/h2>\n\n\n\n<p>Below are some tried, tested and efficient ways to protect your WordPress site:<\/p>\n\n\n\n<div class=\"skrlto-container\">\n<div class=\"skrlto-header-title\">Secure Your Login Page and Avoid Brute Force Attacks<\/div>\n<div class=\"skrlto-links-wrapper\">\n<div class=\"skroll-button\" data-skrolllto=\"1loginpage\">1. Changing your login and password<\/div>\n<div class=\"skroll-button\" data-skrolllto=\"2loginpage\">2. Set up website lockdown and ban users<\/div>\n<div class=\"skroll-button\" data-skrolllto=\"3loginpage\">3. Use 2-factor authentication<\/div>\n<div class=\"skroll-button\" data-skrolllto=\"4loginpage\">4. Rename your login URL<\/div>\n<div class=\"skroll-button\" data-skrolllto=\"5loginpage\">5. Use email as login<\/div>\n<\/div>\n<\/div>\n\n\n\n<div class=\"skrlto-container\">\n<div class=\"skrlto-header-title\">Secure your admin dashboard<\/div>\n<div class=\"skrlto-links-wrapper\">\n<div class=\"skroll-button\" data-skrolllto=\"6dashboard\">1. Protect the wp-admin directory<\/div>\n<div class=\"skroll-button\" data-skrolllto=\"7dashboard\">2. 
Use SSL to encrypt data<\/div>\n<div class=\"skroll-button\" data-skrolllto=\"8dashboard\">3. Add user accounts with care<\/div>\n<div class=\"skroll-button\" data-skrolllto=\"9dashboard\">4. Change the admin username<\/div>\n<div class=\"skroll-button\" data-skrolllto=\"10dashboard\">5.Monitor your files<\/div>\n<\/div>\n<\/div>\n\n\n\n<div class=\"skrlto-container\">\n<div class=\"skrlto-header-title\">Secure the database<\/div>\n<div class=\"skrlto-links-wrapper\">\n<div class=\"skroll-button\" data-skrolllto=\"11database\">1. Change the WordPress database table prefix<\/div>\n<div class=\"skroll-button\" data-skrolllto=\"12database\">2. Back up your site regularly<\/div>\n<div class=\"skroll-button\" data-skrolllto=\"13database\">3. Set strong passwords for your database<\/div>\n<div class=\"skroll-button\" data-skrolllto=\"14database\">4. Check your \u2018comments\u2019 and forms settings<\/div>\n<\/div>\n<\/div>\n\n\n\n<div class=\"skrlto-container\">\n<div class=\"skrlto-header-title\">Secure your hosting setup<\/div>\n<div class=\"skrlto-links-wrapper\">\n<div class=\"skroll-button\" data-skrolllto=\"15hostingsetup\">1. Protect the wp-config.php file<\/div>\n<div class=\"skroll-button\" data-skrolllto=\"16hostingsetup\">2. Protect xmlrpc.php (optional but recommended)<\/div>\n<div class=\"skroll-button\" data-skrolllto=\"17hostingsetup\">3. Secure your .htaccess<\/div>\n<div class=\"skroll-button\" data-skrolllto=\"18hostingsetup\">4. Protect wp-admin files<\/div>\n<div class=\"skroll-button\" data-skrolllto=\"19hostingsetup\">5. Disallow file editing<\/div>\n<div class=\"skroll-button\" data-skrolllto=\"20hostingsetup\">6. Connect the server correctly<\/div>\n<div class=\"skroll-button\" data-skrolllto=\"21hostingsetup\">7. Set directory permissions carefully<\/div>\n<div class=\"skroll-button\" data-skrolllto=\"22hostingsetup\">8. 
Disable directory listing with .htaccess<\/div>\n<\/div>\n<\/div>\n\n\n\n<div class=\"skrlto-container\">\n<div class=\"skrlto-header-title\">Secure your WordPress themes and plugins<\/div>\n<div class=\"skrlto-links-wrapper\">\n<div class=\"skroll-button\" data-skrolllto=\"23WPThemes\">1. Update regularly<\/div>\n<div class=\"skroll-button\" data-skrolllto=\"24WPThemes\">2. Update your WordPress version<\/div>\n<div class=\"skroll-button\" data-skrolllto=\"25WPThemes\">3. Remove your WordPress version number<\/div>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Secure Your Login Page and Avoid Brute Force Attacks<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><a href=\"https:\/\/www.milesweb.in\/blog\/wp-content\/uploads\/2018\/08\/Secure-WordPress-Login-min.png\"><img decoding=\"async\" src=\"https:\/\/www.milesweb.in\/blog\/wp-content\/uploads\/2018\/08\/Secure-WordPress-Login-min.png\" alt=\"\" class=\"wp-image-7176\"\/><\/a><\/figure>\n<\/div>\n\n\n<p><\/p>\n\n\n\n<p>Being a WordPress user, you know that the platform has a standard login page URL. The backend of the website is accessible from there and so, hackers try to brute force their way in. Simply adding <strong>\/wp-login.php or \/wp-admin\/<\/strong> at the end of your domain name will make it for you.<\/p>\n\n\n\n<p>Below are the important things to be considered to secure your login:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"1loginpage\">1. Changing your login and password<\/h3>\n\n\n\n<p>Many WordPress users select \u201cadmin\u201d as their default WordPress login username and this is very well known by hackers. Your login should be changed to something else that would confuse a hacker when trying to guess it. The username must comprise of some irrelevant name or something out of the blue but yes ensure that you remember it.<\/p>\n\n\n\n<p>Next is the password which should contain lower case as well as upper case letters, numbers and symbols too. 
For example, your password should look like <strong>\u201ciwbgfMT23$$\u201d<\/strong>. You can build similar combinations and change them regularly.<\/p>\n\n\n\n<p>To create a strong password, you can follow this technique. Take a sentence that you will be able to recall. Pick the initials of the words in that sentence and add some digits and symbols to it. This type of password is very hard to guess because it is meaningless.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"2loginpage\">2. Set up website lock-down and ban users<\/h3>\n\n\n\n<p>Have you heard about the website lockdown feature? It helps solve a big problem by limiting failed login attempts from outsiders. When a hacker tries to access the site with repeated wrong passwords, the site gets locked and you are notified of this unauthorized activity.<\/p>\n\n\n\n<p>The iThemes Security plugin offers this failed-login-attempts feature and blocks the attacker\u2019s IP address when the hacker attempts to enter your website.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"3loginpage\">3. Use 2-factor authentication<\/h3>\n\n\n\n<p>Adding 2-factor authentication (2FA) to the login is another security measure that many websites apply today. This means the user provides login details for two different components. It depends on the website owner what those two factors would be. Those can be a regular password followed by a secret question, a secret code, a set of characters, etc.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"4loginpage\">4. Rename your login URL<\/h3>\n\n\n\n<p>Changing the login URL is an easy thing to do. 
The WordPress login page, by default, is easily accessible via wp-login.php or wp-admin added to the site\u2019s main URL.<\/p>\n\n\n\n<p>If the direct URL of your login page is known to the hackers, it is very easy for them to enter your website with a <a href=\"https:\/\/www.milesweb.co.uk\/blog\/website-security\/what-is-a-brute-force-attack\/\" target=\"_blank\" rel=\"noopener\">brute force attack<\/a>. They try to log in with their Guess Work Database (also called as GWDb which is a database of guessed usernames and passwords; e.g. username: admin and password: p@ssword \u2026 with millions of such combinations).<\/p>\n\n\n\n<p>This is a small trick that restricts an unauthorized user to access the login page. Only someone who knows the exact URL can do it. You can change the URLs as shown in below examples:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Change wp-login.php to something unique; e.g. my_new_login<\/li>\n\n\n\n<li>Change \/wp-admin\/ to something unique; e.g. my_new_admin<\/li>\n\n\n\n<li>Change \/wp-login.php?action=register to something unique; e.g. my_new_registration<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"5loginpage\">5. Use email as login<\/h3>\n\n\n\n<p>You need to input your username to log in by default. Instead of using a username, you can use an email ID for a more secure approach. This is because usernames can be easily predicted while email IDs can\u2019t be. 
Additionally, any WordPress user account is always created with a unique email address which makes it a valid indicator for getting logged in.<\/p>\n\n\n\n<p>You can use the WP Email Login plugin for this as it starts working immediately after activation and there isn\u2019t any configuration required at all.<\/p>\n\n\n\n<p>For taking a test, you need to simply log out of your website and then log in again but this time you need to use the email address that you used for creating the account.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Secure your admin dashboard<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><a href=\"https:\/\/www.milesweb.in\/blog\/wp-content\/uploads\/2018\/08\/new-wp-dashboard-min.png\"><img decoding=\"async\" src=\"https:\/\/www.milesweb.in\/blog\/wp-content\/uploads\/2018\/08\/new-wp-dashboard-min-1024x606.png\" alt=\"\" class=\"wp-image-7177\"\/><\/a><\/figure>\n<\/div>\n\n\n<p><\/p>\n\n\n\n<p>The admin dashboard is the most interesting part for a hacker and the most secured section of all. It is quite challenging part for attacking the admin section but if the hackers succeed, it gives them a moral victory and access to exploit several things.<\/p>\n\n\n\n<p>Here\u2019s what you can do:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"6dashboard\">6. Protect the wp-admin directory<\/h3>\n\n\n\n<p>The wp-admin directory serves as the heart of any WordPress website. In case, this part of your site gets violated then the complete site might get damaged.<\/p>\n\n\n\n<p>You can prevent this by password protecting the wp-admin directory. This type of security measure will allow the website owner to access the dashboard only after submitting two passwords. One is for securing the login page while the other secures the WordPress admin area. 
If the website users need to get access to only particular parts of the wp-admin, you may unlock those parts when you lock the rest.<\/p>\n\n\n\n<p>The AskApache Password Protect plugin can be used for securing the admin area. An .htpasswd file is automatically generated; the password is encrypted as well as the correct security-enhanced file permissions are configured.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"7dashboard\">7. Use SSL to encrypt data<\/h3>\n\n\n\n<p>Another smart trick to protect the admin panel is to implement an SSL (Secure Socket Layer) certificate. With SSL you can ensure that your data is transferred in a secure way between the user browsers and the server which makes it difficult for hackers to breach the connection or spoof your info.<\/p>\n\n\n\n<p>You can get an SSL certificate for your WordPress website easily, just by purchasing from some dedicated companies or asking for your web host to provide you with one (you will often find an option for SSL with the hosting packages).<\/p>\n\n\n\n<p>Don\u2019t forget that the SSL certificate also has a great impact on your website\u2019s rankings in Google. The websites that are SSL certified rank higher in Google, as compared to those that aren\u2019t. This ultimately means that there\u2019s no more traffic. Do you want this to happen? Therefore, understand the importance of SSL to encrypt data.<\/p>\n\n\n\n<p><strong>Related: <a href=\"https:\/\/www.milesweb.co.uk\/blog\/technology-hub\/ssl-certificate-can-act-like-superman-protect-website\/\" target=\"_blank\" rel=\"noopener\">SSL Certificate Can Act Like A Superman To Protect Your Website<\/a><\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"8dashboard\">8. Add user accounts with care<\/h3>\n\n\n\n<p>In case, you are running a WordPress blog or a multi-author blog then you might be dealing with multiple people that access your admin panel. 
Due to this, your website can be highly vulnerable to security threats.<\/p>\n\n\n\n<p>For this, installing a plugin like Force Strong Passwords might help ensure that the passwords your users choose are secure.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"9dashboard\">9. Change the admin username<\/h3>\n\n\n\n<p>While installing WordPress, don\u2019t choose \u201cadmin\u201d as the username for your main administrator account. This is very easily guessed by the hackers and they just need to know the password after this, leading to destruction of your website.<\/p>\n\n\n\n<p>These types of attempts can be stopped with the use of the iThemes Security plugin, which bans any IP address immediately when it attempts to log in with the \u201cadmin\u201d username.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"10dashboard\">10. Monitor your files<\/h3>\n\n\n\n<p>For additional security, use plugins such as Wordfence or, again, iThemes Security, which monitor changes to the files of the website.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Secure the database<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><a href=\"https:\/\/www.milesweb.in\/blog\/wp-content\/uploads\/2018\/08\/WordPress-Database-min.jpg\"><img decoding=\"async\" src=\"https:\/\/www.milesweb.in\/blog\/wp-content\/uploads\/2018\/08\/WordPress-Database-min.jpg\" alt=\"\" class=\"wp-image-7178\"\/><\/a><\/figure>\n<\/div>\n\n\n<p><\/p>\n\n\n\n<p>The site\u2019s data and information are stored in the database, so it is important to protect it. Below are the ways in which you can secure it:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"11database\">11. 
Change the WordPress database table prefix<\/h3>\n\n\n\n<p>In case you have installed WordPress, you might be aware of the wp- table prefix used by the WordPress database.<\/p>\n\n\n\n<p>You need to change it to something unique.<\/p>\n\n\n\n<p>Your database becomes highly vulnerable to SQL injection attacks with this default prefix. You can prevent such attack simply by changing wp- to some other term, for example, you can make it mywp-, wpnew-, etc. You can take the help of plugins such as WP-DBManager or iThemes Security for this.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"12database\">12. Back up your site regularly<\/h3>\n\n\n\n<p>Though you think your website is secure with all the essentials but it\u2019s always better to improve. So, it\u2019s always better to keep an off-site backup of your website saved somewhere.<\/p>\n\n\n\n<p>When you have a backup, it can help you restore your WordPress website to a working state at any time you require.<\/p>\n\n\n\n<p>There are some plugins such as VaultPress, BackupBuddy, BlogVault, CodeGuard, UpdraftPlus, etc. that can help you in taking backup of your WordPress website and restore it when required.<\/p>\n\n\n\n<p><strong>Related:<a href=\"https:\/\/www.milesweb.co.uk\/blog\/wordpress\/7-excellent-wordpress-backup-plugins-for-easy-website-backup\/\" target=\"_blank\" rel=\"noopener\"> 7 Excellent WordPress Backup Plugins For Easy Website Backup<\/a><\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"13database\">13. Set strong passwords for your database<\/h3>\n\n\n\n<p>Even your main database user needs to have a strong password. It is the one that WordPress uses for accessing the database.<\/p>\n\n\n\n<p>As recommended above, use combination of uppercase, lowercase, numbers, and special characters for the password.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"14database\">14. 
Check your \u2018comments\u2019 and forms settings<\/h3>\n\n\n\n<p>When you enable comments on your posts, it is important to check your <strong>\u2018Discussion\u2019<\/strong> settings. Ensure that all the comments are approved manually. It would add more administration work from your side but it\u2019s always the best way for ensuring that no spam comments are entered.<\/p>\n\n\n\n<p>Also, don\u2019t miss to check that akismet is activated and that a <strong>Captcha<\/strong> is enabled on all your contact forms.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Secure your hosting setup<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><a href=\"https:\/\/www.milesweb.in\/blog\/wp-content\/uploads\/2018\/08\/wordpress-security-min.png\"><img decoding=\"async\" src=\"https:\/\/www.milesweb.in\/blog\/wp-content\/uploads\/2018\/08\/wordpress-security-min.png\" alt=\"\" class=\"wp-image-7179\"\/><\/a><\/figure>\n<\/div>\n\n\n<p><\/p>\n\n\n\n<p>Almost all the hosting companies commit to offer an optimized environment for WordPress, but we can take a step further:<\/p>\n\n\n\n<p><strong>Related: <a href=\"https:\/\/www.milesweb.co.uk\/blog\/wordpress\/understanding-managed-wordpress-hosting\/\" target=\"_blank\" rel=\"noopener\">Understanding Managed WordPress Hosting and When do you need one?<\/a><\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"15hostingsetup\">15. Protect the wp-config.php file<\/h3>\n\n\n\n<p>Crucial information about your WordPress installation is stored in the wp-config.php file which is the most important file in the root directory of your site. Securing it means securing the heart of your WordPress website.<\/p>\n\n\n\n<p>If the wp-config.php file isn\u2019t accessible to the hackers then they can\u2019t breach the security of your site.<\/p>\n\n\n\n<p>The good point here is that this can be done very easily. 
You simply need to take your wp-config.php file and place it at a higher level than your root directory.<\/p>\n\n\n\n<p>If you store it somewhere else, how can the server access it? The configuration file settings in the current WordPress architecture are set to the highest priority. So, though the file is stored one folder above the root directory, it is still visible to WordPress.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"16hostingsetup\">16. Protect xmlrpc.php (optional but recommended)<\/h3>\n\n\n\n<p>Only protecting the wp-config file isn\u2019t enough. You also need to protect the xmlrpc.php file as hackers commonly use it to hack a WordPress website. This file helps in remote communication with WordPress.<\/p>\n\n\n\n<p>xmlrpc (enabled by default from WordPress version 3.8) can also be used to execute <a href=\"https:\/\/www.milesweb.co.uk\/blog\/website-security\/guide-to-ddos-attack\/\" target=\"_blank\" rel=\"noopener\">DDoS (Distributed Denial of Service Attacks)<\/a> which can have a big impact on your website.<\/p>\n\n\n\n<p>XMLRPC needs to be enabled only if you use services such as JetPack, the official WordPress mobile app, or pingbacks &amp; trackbacks.<\/p>\n\n\n\n<p>To secure your xmlrpc.php file, add the code below to your .htaccess:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><a href=\"https:\/\/www.milesweb.in\/blog\/wp-content\/uploads\/2018\/08\/block-xmlrpc-300x90.png\"><img decoding=\"async\" src=\"https:\/\/www.milesweb.in\/blog\/wp-content\/uploads\/2018\/08\/block-xmlrpc-300x90-300x90.png\" alt=\"\" class=\"wp-image-7184\"\/><\/a><\/figure>\n<\/div>\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"17hostingsetup\">17. Secure your .htaccess<\/h3>\n\n\n\n<p>Only tweaking your wp-config.php for security isn\u2019t enough; you also need to secure your .htaccess file. 
Hackers can easily delete the code securing the wp-config.php file, making your WordPress site vulnerable to attacks.<\/p>\n\n\n\n<p>You should consider protecting your .htaccess file as one of the top priorities. You can do this by adding the following code to the root .htaccess file of your domain:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;Files ~ \"^.*\\.([Hh][Tt][Aa])\"&gt;\n\nOrder allow,deny\n\ndeny from all\n\nsatisfy all\n\n&lt;\/Files&gt;<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"18hostingsetup\">18. Protect wp-admin files<\/h3>\n\n\n\n<p>The wp-admin folder contains sensitive data and should be accessed only by the owners. You can prevent other users from accessing this folder by using .htaccess.<\/p>\n\n\n\n<p>You can add the following code by opening the .htaccess file present in the wp-admin folder:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">#deny access to wp admin\n\norder deny,allow\n\n# xx.xx.xx.xx is your static IP\n\nAllow from xx.xx.xx.xx\n\ndeny from all<\/pre>\n\n\n\n<p>This code restricts all the users other than those using the \u201cxx.xx.xx.xx\u201d IP (your static IP) from accessing the files in wp-admin.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"19hostingsetup\">19. Disallow file editing<\/h3>\n\n\n\n<p>Users who have admin access to your WordPress dashboard can easily edit any files that are a part of the WordPress installation. These files include all the themes and plugins.<\/p>\n\n\n\n<p>But, if you restrict file editing, a hacker too won\u2019t be able to modify any file even if he gets admin access to your WordPress dashboard.<\/p>\n\n\n\n<p>Add the following line to the wp-config.php file (at the very end):<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">define('DISALLOW_FILE_EDIT', true);<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"20hostingsetup\">20. Connect the server correctly<\/h3>\n\n\n\n<p>It is recommended to connect the server only via SFTP or SSH while setting up your site. 
SFTP offers security features that traditional FTP does not include.<\/p>\n\n\n\n<p>Connecting to the server in this manner ensures that the files are transferred securely. This service is offered by many hosting providers as a part of their package. In case it\u2019s not, it can be done manually.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"21hostingsetup\">21. Set directory permissions carefully<\/h3>\n\n\n\n<p>Setting wrong directory permissions can prove fatal, especially in a shared hosting environment.<\/p>\n\n\n\n<p>In this case, it is better to change the file and directory permissions to secure the website at the hosting level. Set the directory permissions to \u201c755\u201d and files to \u201c644\u201d for protecting the complete file system \u2013 directories, sub-directories, and other files.<\/p>\n\n\n\n<p>This is done manually through the File Manager inside your hosting control panel or via the terminal (connected with SSH) by using the \u201cchmod\u201d command.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"22hostingsetup\">22. Disable directory listing with .htaccess<\/h3>\n\n\n\n<p>If you create a new directory as a part of your website and don\u2019t include an index.html file in it, your visitors can get the complete directory listing of everything that is in that directory.<\/p>\n\n\n\n<p>For example, if a directory called \u201cdata\u201d is created, you can see everything in that directory simply by typing http:\/\/www.example.com\/data\/ in your browser. 
No password or anything else is needed.<\/p>\n\n\n\n<p>This can be prevented simply by adding the below line of code in your .htaccess file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Options -Indexes<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Secure your WordPress themes and plugins<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><a href=\"https:\/\/www.milesweb.in\/blog\/wp-content\/uploads\/2018\/08\/wordpress_developement-min.jpg\"><img decoding=\"async\" src=\"https:\/\/www.milesweb.in\/blog\/wp-content\/uploads\/2018\/08\/wordpress_developement-min.jpg\" alt=\"\" class=\"wp-image-7180\"\/><\/a><\/figure>\n<\/div>\n\n\n<p><\/p>\n\n\n\n<p>Themes and plugins are essential ingredients of any WordPress site. But it\u2019s quite unfortunate that they can pose serious security threats. Let\u2019s check the ways in which WordPress themes and plugins can be secured:<\/p>\n\n\n\n<p><strong>Related: <a href=\"https:\/\/www.milesweb.co.uk\/blog\/wordpress\/top-20-wordpress-plugins-e-commerce-website\/\" target=\"_blank\" rel=\"noopener\">Top 20 WordPress Plugins for E-commerce Website<\/a><\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"23WPThemes\">23. Update regularly<\/h3>\n\n\n\n<p>Every good software product is supported by its developers and gets updated regularly, and WordPress is updated very frequently. These updates are done for fixing the bugs and sometimes contain vital security patches.<\/p>\n\n\n\n<p>If you don\u2019t update your themes and plugins, you can be in serious trouble. Don\u2019t forget that many hackers rely on the fact that people rarely bother to update their themes and plugins. Often, these hackers exploit bugs that are already fixed.<\/p>\n\n\n\n<p>So, it\u2019s always recommended to update the WordPress products regularly.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"24WPThemes\">24. 
Update your WordPress version<\/h3>\n\n\n\n<p>Make it a point to update your WordPress site to the latest version. Each time when you see there\u2019s an update available, it means that the WordPress team has already added the security patches.<\/p>\n\n\n\n<p>Similar to all the reputed software products even WordPress is supported by its developers and gets updated quite frequently. These updates are actually the fixes for bugs and also contain vital security patches sometimes.<\/p>\n\n\n\n<p>If you don\u2019t update your themes and plugins, you can face serious trouble. This is because several hackers know that people don\u2019t care much about updating their plugins and themes. Therefore, hackers exploit the bugs that already have been fixed.<\/p>\n\n\n\n<p>This means it is very important to update your WordPress products regularly \u2013 plugins, themes and everything.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"25WPThemes\">25. Remove your WordPress version number<\/h3>\n\n\n\n<p>It\u2019s very easy to find the current WordPress version. It is basically placed in the site\u2019s source view.<br>This indicates that if the hackers know which version of WordPress is being used by you, it is very easy for them to plan the perfect attack.<\/p>\n\n\n\n<p>It is possible to hide your version number with any security plugin mentioned earlier.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>For a beginner, there\u2019s a lot to be taken from this article. It is because it includes everything right from the reasons for website to get hacked, points to identify if your site is really hacked as well as the steps to follow after the site gets hacked and also the tips to secure your website from hackers in future. The more you care about your WordPress website security, the harder it will be for a hacker to break in. It is important to take some protective measure to secure your WordPress website from hackers. 
You simply need to follow the above mentioned guidelines for your website security. Hackers can cause big losses to your website or business. So, always remember prevention is better than cure.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Nothing is more frustrating than finding out that your WordPress website is hacked. After all, your WordPress website is your hard work over many months or years and the last thing that you expect isn\u2019t learning that your website is hacked. In order to prevent hackers from attacking your WordPress website, the first step is&#8230; <a class=\"read-more\" href=\"https:\/\/www.milesweb.co.uk\/blog\/wordpress\/my-wordpress-has-been-hacked-how-to-get-it-back\/\">Read More<\/a><\/p>\n","protected":false},"author":77,"featured_media":1786,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[281],"tags":[855,856,857,61,788,104,598,858],"class_list":["post-1776","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-wordpress","tag-how-wordpress-gets-hacked","tag-reasons-for-wordpress-hack","tag-recover-hacked-wordpress-website","tag-wordpress","tag-wordpress-security-tips","tag-wordpress-website","tag-wordpress-website-hacked","tag-wordpress-website-security"],"_links":{"self":[{"href":"https:\/\/www.milesweb.co.uk\/blog\/wp-json\/wp\/v2\/posts\/1776","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.milesweb.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.milesweb.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.milesweb.co.uk\/blog\/wp-json\/wp\/v2\/users\/77"}],"replies":[{"embeddable":true,"href":"https:\/\/www.milesweb.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=1776"}],"version-history":[{"count":22,"href":"https:\/\/www.milesweb.co.uk\/blog\/wp-json\/wp\/v2\/posts\/1776\/revisions"}],"predecessor-version":[{"id":
33800,"href":"https:\/\/www.milesweb.co.uk\/blog\/wp-json\/wp\/v2\/posts\/1776\/revisions\/33800"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.milesweb.co.uk\/blog\/wp-json\/wp\/v2\/media\/1786"}],"wp:attachment":[{"href":"https:\/\/www.milesweb.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=1776"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.milesweb.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=1776"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.milesweb.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=1776"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}