Search the site:

Copyright 2010 - 2024 @ DevriX - All rights reserved.

Interactive Guide: the Definitive Guide to Securing Your WordPress Website

Interactive Guide_ the Definitive Guide to Securing Your WordPress Website

WordPress is one of the most popular Content Management Systems, used in 42.6% of the websites. The ease of use and the versatility of the platform makes it a popular choice for many users, but that very popularity makes WordPress an attractive target for hackers.

According to several security blogs, in 2012, more than 170,000 WordPress websites were hacked. Recently, a vulnerability in Revolution Slider plugin was the reason for the largest security breach in WordPress. This misuse of an outdated version of the plugin, also known as the Panama Papers Leak, resulted in more than 4.8 million emails being affected.

Content Management Systems

If your website runs on WordPress, you need to think about your site’s security and take the necessary measures needed to harden your WordPress security.

In this guide, we’ll talk about the security risks associated with WordPress and walk you through the basic, and then more advanced security tips. We’ll also provide an overview of some of the best security plugins that can help further in securing your site and cover the first steps you’ll need to take in the event that the worst happens.

What Are the Security Risks Involved with WordPress?

Before diving into the security tips, it’s worth mentioning that the WordPress core software is secure and the WordPress security team is comprised of roughly 50 experts including lead developers and security researchers.

Most security risks associated with WordPress happen because of the human factor and the mere fact that a security vulnerability is present. It is very rare that a hacker is targeting your site unless you are a large corporation like Sony. That said, even large and well-known sites, like Reuters, can become a target for hackers because their WordPress version is outdated.

Outdated WordPress core versions, themes, and plugin files — as well as weak passwords or using the default “admin” username — are just some of the factors that contribute to WordPress’s popularity amongst hackers.

Outdated WordPress Files

According to a research done by Sucuri, in the second quarter of 2016, 56% of the websites running on WordPress were running an outdated version.

Why you shoud use images more often while posting on social networks

Keeping WordPress itself up to date and installing the update when it becomes available is crucial as new releases bring more than just new features. Each WordPress update, whether minor or major, contains bug fixes as well as addresses security issues of older versions.

However, WordPress core is not the only thing that needs to be regularly updated. You also need to keep in mind your theme and the plugins that you have installed. According to research by WPWhiteSecurity, WordPress plugins account for 17% of global WordPress vulnerabilities while themes account for 3% of vulnerabilities.

Not updating WordPress core files, themes and plugins leave your site vulnerable to backdoor exploits.

In the case of a backdoor exploit, the hackers are gaining access to your site through your WordPress admin area, SFTP, FTP, and more. Using one of these methods allows them to infect not only your site but other sites that are hosted on the same server as you.

At first glance, backdoor injections appear to be legitimate WordPress files. What really happens, is that these files exploit weaknesses and bugs in the outdated files and make their way to your database. One of the best examples is the TimThumb exploit which left millions of websites compromised.

Top 3 Out-of-Date WordPress Plugins Contributing to Site Hacks Q2-2016

However, you can easily prevent backdoor exploits by using two-factor authentication, blocking suspicious IP addresses, restricting access to your admin area, and more. We’ll cover those tips below.

Another exploit associated with outdated files is the so-called Pharma Hack. Using this exploit, hackers insert code into WordPress files, which causes search engines to display ads for pharmaceutical products when someone searches for your site. While this is more of an annoyance than having your site infected with malicious files, it is enough for search engines to block your site and list it as spam.

Weak Passwords

WPTemplates has an interesting infographic that indicates weak passwords make up 8% of the hack attempts. Weak passwords make it easy for your site to become a victim of a brute force attack. When this happens, a hacker will attempt various username and password combinations until they find one that works. Usually, these attacks are performed using automated scripts, which will run continuously in the background.

Malicious Redirects

Your .htaccess file also poses a security risk as it can be used to place malicious redirects which direct all your traffic to a malicious website that may infect your visitors with a virus or make them fall victim to a phishing attack.

The hackers can use FTP, SFTP, or wp-admin to inject the code not only in your .htaccess file but also all other WordPress core files.

Vulnerabilities in the Hosting Platform

Another WordPress site security risk comes from using an insecure hosting platform. While a cheap hosting plan is very appealing at first, the saying “You get what you pay for” certainly rings true.

If the hosting provider doesn’t have security features such as a firewall or 24/7 monitoring, the chances of your site becoming a target are much greater. It’s also worth mentioning that shared hosting plans are at a greater risk for cross-site contamination because you share resources with many other sites. It’s easy for a hacker to use a neighboring website to attack yours.

DOS Attacks or Denial of Service Attacks

Lastly, the largest and most dangerous threat is the Denial of Service attack, which exploits bugs and errors in the code to overwhelm the memory of the site’s operating system. This type of attack can bring down a large number of sites using a specific platform, and large companies and business are especially attractive for DOS attackers.

Here is a guide on how to improve your WordPress security and prevent DOS attacks.

Now that we’ve covered the most common security risks associated with WordPress are; let’s go over the tips on how to improve WordPress security to make your site more secure and less vulnerable to attacks.

Basic WordPress Security Tips

The following section will cover the most basic tips for securing your website that will serve as the first line of defense to strengthen your site.

Invest in a Secure Hosting Plan

One of the best things you can do for the security of your website is to choose a reputable hosting provider that places a high emphasis on security.

The host should also perform backups on a daily basis as well as perform regular malware scans. Other security features include secure networking and file transfer encryption protocols, firewall protection, and some hosts even employ DDOS protection measures.

It’s worth mentioning that ideally, your chosen hosting provider is thoroughly familiar with the WordPress platform and uses an optimized hosting environment built with WordPress in mind. There are several hosting providers who specialize in managed WordPress hosting that have all those features in place and take care of the technical side of maintaining and keeping your site protected.

Use a Strong Password and Username

During the WordPress installation phase, you should never leave the username as “admin.” Instead, opt for a username that’s harder to guess as “admin” is the first username hackers will attempt in a brute-force attack.

Your password should also be strong and consist of mixed case letters, numbers, and ideally a special character. While remembering that password may be a lot harder than a family member’s birthday or your pet’s name, it’s a lot more difficult to guess for the attackers as well. Consider using a password manager like LastPass to store or even generate those secure passwords for you.

The above tip is great if this is your first time installing a password. However, if you’ve already installed WordPress and didn’t follow the tip above, all is not lost. All you need to do is create a new admin user for your site. To do so, log into your dashboard and go to Users > Add New.

WP Admin panel

Choose a username and a password keeping the above tips in mind and use a different email address from the one used for your current user. Make sure the user role is set to Administrator and then click the Add New User button.

Once the user was created, log in with your new credentials and go back to Users > All Users. Hover over your previous admin user and click on Delete. You will be asked whether you want to delete all of their posts or assign them to your new user. Select the option to assign them to the new admin user and then click Confirm deletion.

Create a New User to Post Content With

Another tip that can increase the security of your site is to create a user with the role set to author or editor and use it to post content on your site. This makes it harder for hackers to try and abuse the visible username for brute-force attacks. Even if they manage to gain access to your site, they won’t have administrator privileges, which will make it harder to do actual damage to your site.

Install a Backup Plugin

Backups are the best weapon against hackers. While you can do a lot to strengthen your website, unfortunately, you cannot eliminate all of the threats. Having a backup system in place will allow you to recover your website in the event of a hack and ensure that you can get your site back up and running as quickly as possible. There are plenty backup plugins such as Updraft Plus, which is a free plugin, or VaultPress which is a paid backup plugin. Some of them even allow you to restore your site with one click.

Keep in mind that your backed up files should be kept in a remote location and not on your hosting server. A good option is to use a cloud service like Dropbox or Amazon.

Install a Security Plugin

WordPress has a number of security plugins that can help you implement various security measures. Some like iThemes Security allows you to change the admin username and enforce strong passwords for all users, limit the number of login attempts before a user is locked out, change the ID of the administrator user, hide your WordPress version, and more.

Some like Sucuri allow you to implement a firewall on top of security features similar to those mentioned above.

A security plugin will help you keep track of everything that happens on your site and alert you whenever it notices any suspicious activity.

However, it’s worth mentioning that security plugins do have a significant impact on WordPress performance and add to the overhead on top of WordPress which slows down your site. For that reason, and because you cannot prevent attacks from accessing the server and the database in the first place, many hosting vendors implement security measures on a server level.

Lock Down the Admin Area

Locking down your admin area is another effective way to protect your site. It makes it harder for hackers to find a backdoor into your site. You can lock down your admin area by changing the default wp-admin login URL and limiting the number of login attempts before a user is locked out.

The default login URL for a WordPress site is domainname.com/wp-admin. The biggest problem with this URL is that it’s known by all the hackers and bots and used in all the scripts they use to gain access to your site.

Changing that URL makes it harder to get into your site and can be done with a plugin like WPS Hide Login. When you activate the plugin, all you have to do is pick a unique URL for the login area.

Limiting the login attempts can be done with the Login Lockdown plugin, which allows you to set the maximum number of attempts, the duration of the lockdown, and more.

Login Lockdown

Alternatively, if you’re already using iThemes Security, you can enable both of these options in the plugin settings.

Do keep in mind that too many plugins can cause a lot of problems and negatively affect the performance of your site, especially if the plugins you’re using are complex in nature. According to a case study done by PagePipe, several security plugins can lead to a significant consumption of available server memory and add extra load time to your site.

Keep Everything Up to Date

We’ve already mentioned that keeping WordPress as well as your theme and plugins up to date is vital. This will ensure you’re protected from security vulnerabilities. On top of that, you should delete any unused themes and plugins to minimize the chances of backdoor exploits, as deactivating them is not enough.

Luckily, security updates are shipped in all minor versions of WordPress which are automatically updated. In any case, don’t put off updating WordPress files and keep an eye out for update notifications in the admin area.

Keep Your Computer Safe

Lastly, don’t forget to keep your computer safe. Accessing your site from an infected computer or uploading files from it can result in your site being infected as well, so installing an antivirus program is a great idea to keep in mind.

Avoid using open Wi-Fi networks or public computers to access your site as doing so can leave your site vulnerable to hacking attempts. Rather look for a secure VPN to ensure the security of your network.

Intermediate Security Tips

Once you have the basic security measures in place, you can take things further by implementing more advanced measures to harden your WordPress site security.

Change Your Database Prefix

By default, WordPress uses a wp prefix for your database, a fact which is well-known among hackers and bots. This makes it easier for the hackers to guess your table prefix and gain access to your site using automated SQL injections. Setting a different prefix for your database is easy during the WordPress installation phase; however, you can do it even if your site is already established.

Before doing anything, keep in mind that you should backup your site in case something goes wrong during the process. Manually changing the prefix requires modifying your wp-config.php and changing the table names using phpMyAdmin. Here’s how it’s done.

Log in to your cPanel and go to File Manager. Locate the wp-config.php file in the WordPress root directory and change to table prefix line. Remember to replace the example with your own desired prefix which can consist of letters, numbers, and underscores.

$table_prefix = 'ydnwp_123456_';

Next, go to phpMyAdmin and change all the table names. Since there are 11 tables that need name changing, you can use the following SQL query.

SQL

In your phpMyAdmin area, click to SQL, enter the provided query, and then click Go.

RENAME table `wp_commentmeta` TO `ydnwp_123456_commentmeta`;
RENAME table `wp_comments` TO `ydnwp_123456_comments`;
RENAME table `wp_links` TO `ydnwp_123456_links`;
RENAME table `wp_options` TO `ydnwp_123456_options`;
RENAME table `wp_postmeta` TO `ydnwp_123456_postmeta`;
RENAME table `wp_posts` TO `ydnwp_123456_posts`;
RENAME table `wp_terms` TO `ydnwp_123456_terms`;
RENAME table `wp_termmeta` TO `wp_a123456_termmeta`;
RENAME table `wp_term_relationships` TO `ydnwp_123456_term_relationships`;
RENAME table `wp_term_taxonomy` TO `ydnwp_123456_term_taxonomy`;
RENAME table `wp_usermeta` TO `ydnwp_123456_usermeta`;
RENAME table `wp_users` TO `ydnwp_123456_users`;

Depending on the plugins you’re using, you may need to add additional lines following the above format to update their tables.

Once you’ve updated the tables, run the following query to find any other fields which are still using wp_ as the prefix and replace them one by one:

SELECT * FROM `ydnwp_123456_options` WHERE `option_name` LIKE '%wp_%'

Finally, search theuser_meta with all the fields using the old prefix and replace them:

SELECT * FROM `ydnwp_123456_usermeta` WHERE `meta_key` LIKE '%wp_%'

Once you’ve done all that, test your website and make another backup to make sure you have the new structure in place.

Secure Your .htaccess and wp-config.php Files

The wp-config.php files are the most important file on your website. If you’re using an Apache server, another important file is the .htaccess. With the .htaccess file, you can redirect certain URLs, configure pretty permalinks, and strengthen your site’s security.

The wp-config.php file contains your database connection settings, table prefix, security or SALT keys, and other information which can be used to hack your site.

The following lines of code will help make your site more secure. Remember to add all of the lines outside the # BEGIN WordPress and # END WordPress tags, otherwise, WordPress will override those changes with the next update.

The first bit of code will protect the wp-config.php file. Add this to your .htaccess file:

<files wp-config.php>
order allow,deny
deny from all
</files>

You can also protect .htaccess itself by adding the following to it:

<Files .htaccess>
order allow,deny
deny from all
</Files>

Use the following to limit the access to wp-login.php:

<Files wp-login.php>
order deny,allow
Deny from all
# allow access from my IP address
allow from 192.168.1.1
</Files>

Make sure that your vendor provides a static IP address in order to prevent a lock-in due to a sudden IP change.

Use the following snippet to prevent PHP file execution:

<Files *.php>
deny from all
</Files>

In case you don’t want to do this manually, then consider contacting your hosting provider to help you implement these tips in your IDS/IPS systems.

Change the File Permissions

While you’re on the backend of your hosting server, you should double-check the file permissions for your WordPress site. There are various levels that you can use which dictate who and what can read, write, modify, and access the files and folders on your hosting server. If any of the files have permissions set to something like 777, hackers could upload malicious files or modify existing ones to include malicious code. In your cPanel, go to File Manager and set the permissions as follows:

  • All directories should be 755 or 750
  • All files should be 644 or 640
  • wp-config.php should be 600

According to WordPress Codex, these are the recommended settings, and they have a detailed guide to setting the correct file permissions.

Enable Two-Factor Authentication

If you’ve followed the guide so far, you’ve probably gone back and changed your password. However, no matter how secure your password is, there is always a risk of someone discovering what it is. That’s why enabling two-factor authentication is another protective measure that requires your password and a second method (usually a code sent via a text message or a one-time password) to login to your site.

Since it’s highly unlikely that the hacker will have both your password and your phone number, this method is an excellent way to stop brute force attacks in their tracks.

To enable it for your site, you can take advantage of the plugin offered by  Two Factor Authentication. Another good option is the Google Authenticator plugin which is completely free and allows for an unlimited number of uses.

You’ll also need to install a phone app that will generate the security codes for you automatically so you can use them to login to your website.

Disable XML-RPC

Since WordPress 3.5, XML-RPC was enabled by default with every WordPress installation. It helps your site to connect with WordPress mobile apps as well as some apps that allow you to publish your blog posts straight to your site remotely. Some plugins like Jetpack rely on XML-RPC as well.

However, it’s also a target for brute force attacks since hackers can exploit it to execute multiple commands inside a single HTTP request with the system.multicall method. This feature is not really needed on your site so you can disable it using a plugin like the
Disable XML-RPC plugin.

Some security plugins, like the ones mentioned earlier, will also allow you to disable this feature.

If you prefer to do it manually and are using the Apache configuration, you can add the following code to your .htaccess file:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 192.168.1.1
</Files>

Remember to replace the IP address with your own.

Switch to HTTPS and SSL

By now, you probably know that you should be using an SSL certificate and HTTPS protocol, especially if you collect sensitive user information on your site. But commercial sites aren’t the only ones that could benefit from SSL and HTTPS. The HTTPS protocol allows a user’s browser to connect to the server your site is hosted on securely.

It increases your WordPress site’s security, and it can impact your search engine ranking. It also helps establish trust in your visitors. According to research from GlobalSign, 28.9% of visitors look for the green address bar when they visit a site.

SSL certificates can be obtained through a provider like GlobalSign or through your hosting provider. Once you obtain the certificate, you’ll need to install it on your server and then update your site’s address to use the HTTPS.

Disable Theme and Plugin Editing on the Backend

By default, WordPress allows you to edit theme and plugin files directly from your dashboard. While this is handy for quick tweaks to your theme’s files, it also allows anyone who logs into your site to modify those files. You can disable that by editing your wp-config.php file. Add this line to prevent theme and plugin editing:

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

Advanced Tips

The following section will walk you through some advanced security tipsto improve WordPress security.

Harden Your wp-config.php File

As mentioned before, the wp-config.php file contains all the confidential details about your site. Protecting it via the .htaccess file is a step in the right direction but here are some additional tips to make it more secure.

Move The File

The wp-config.php file resides in the root directory of your site. By moving to a non-www accessible directory you can make it harder for hackers to gain access to it.

First, copy everything from wp-config.php into a new file. Then, add a line of code to your old wp-config.php file that will include the new file you created:

<?php
include('/home/yourname/wp-config.php');

Finally, save the new file in a different location. You will need to ensure that proper file permissions are in place to avoid an unauthorized access error resulting in WordPress execution. You’ll also need to allow WordPress to access the file and because of that, PHP may require the open_basedir() inclusion of the new path.

Change the Default Secret Keys to Something Else

WordPress Security Keys are used to handle the encryption of information stored in user’s cookies. You’ll recognize them when you come across the following code in your wp-config.php:

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');

They need to be randomly generated for each install and you can manually generate them through WordPress Salts Key Generator.

Disable error reporting

Error reporting will often display your server path when a plugin or a theme causes an error. Disable it by adding the following code to your wp-config.php file:

error_reporting(0);
@ini_set(‘display_errors’, 0);

Remove the WordPress version number

If you take a look at the source code of your website, you’ll be able to see which version of WordPress your site uses. Hackers use this information to determine which security holes they can exploit.

Add the following line of code to your theme’s functions.php file to remove the version number:

remove_action('wp_head', 'wp_generator');

Use Security Headers

Security headers

HTTP security headers are usually configured at the server level, and they help mitigate attacks and security vulnerabilities. You can implement six of the most important ones by modifying the functions.php file.

Content Security Policy

This header helps mitigate XSS or cross-site scripting attacks which are responsible for nearly 80% of all security incidents. A CSP header whitelists the allowed sources of scripts, styles, images, and other content.

Enable it by adding the following line:

header('Content-Security-Policy: default-src https:');

X-Frame-Options

The X-Frame Options header will help you prevent clickjacking via iframes. It tells the browser that it shouldn’t render a page in a frame or an object.
Include it in your functions.php like so:

header('X-Frame-Options: SAMEORIGIN');

X-XSS-Protection and X-Content-Type-Options

These two headers protect against XSS attacks and instruct IE not to sniff mime types.

Use the following snippet to include them in your functions.php file:

header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');

HTTP Strict Transport Security (HSTS)

Use this header to tell the browser it should communicate with the server only over HTTPS:

header('Strict-Transport-Security:max-age=31536000; includeSubdomains; preload');

Lastly, implement Cookie with HTTPOnly and Secure flag in WordPress to instruct the browser to trust the cookie only by the server and that cookie is accessible over secure SSL channels.

@ini_set('session.cookie_httponly', true);
@ini_set('session.cookie_secure', true);
@ini_set('session.use_only_cookies', true);

Once you’ve implemented these headers, you can test them by going to https://securityheaders.io.

If you prefer to use a plugin, you can use the Security Headers plugin which will implement them for you.

Prevent Hotlinking

Hotlinking refers to another website using the URL which points directly to your website and the location of the image. While it’s not a security breach, it is considered theft, and it can incur a lot of additional costs, especially if the site that stole your image is extremely popular.

To prevent this from happening, add the following line to your .htaccess file if your site is using Apache server:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?domain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

Remember to replace the domain name with your actual domain name.

If you’re using NGINX, add the following rule to your config file:

location ~ .(gif|png|jpe?g)$ {
valid_referers none blocked ~.google. ~.bing. ~.yahoo yourdomain.com *.yourdomain.com;
if ($invalid_referer) {
return 403;
}
}

If you’re using a CDN, follow this guide to prevent hotlinking from CDN or ask your CDN provider to help you protect your site from falling prey to hotlinking.

Add Security Questions to Your Login Screen

We mentioned before that you could use two-factor authentication to secure your login area. However, if you’re not a fan of installing an extra app on your phone, you can add security questions to your login screen.

WP Security Questions plugin

Simply, install and activate the plugin and then configure the questions by going to Settings > Security Questions.

Log Out Idle Users

If you have multiple users on your WordPress website, consider using a plugin like Inactivate Logout to log them out after a period of inactivity automatically. Sometimes, users may log in to write a post, but they may get distracted and step away from the screen. During their away time, their session can be hijacked, and hackers can gain access to your site.

With the plugin installed, you can configure the logout duration and the idle behavior in the plugin settings.

WordPress Security Plugins Overview

Now that you know how to secure your website, let’s go over the most popular security plugins. Some of them will help you implement most of the steps discussed in this guide. Others will provide you with firewall protection or allow you to perform very specific security tweaks.

Sucuri Security

Sucuri plugin

Sucuri Security is a free plugin that will allow you to harden your website with one click. It includes features such as:

  • Security Activity Auditing
  • File Integrity Monitoring
  • Remote Malware Scanning
  • Blacklist Monitoring
  • Effective Security Hardening
  • Post-Hack Security Actions Walkthrough
  • Security Notifications

You can also purchase their firewall add-on designed to protect your website from a variety of website attacks such as:

  • Denial of Service (DOS / DDOS) Attacks
  • Exploitation of Software Vulnerabilities
  • Zero Day Disclosure Patches
  • Brute Force Attacks against your Access Control Mechanisms

Wordfence Security

Wordfence Security plugin

Wordfence Security is a Web Application Firewall that provides you with real-time visibility into traffic and hack attempts on your WordPress website. The plugin also includes additional features such as:

  • Blocking features against known attackers, malicious networks, and bots.
  • Login Security with two-factor authentication, enforcing strong passwords and limiting login attempts.
  • Security scanning of core files, themes, and plugins for known vulnerabilities, file changes, and back door and malware scans.
  • Monitoring features of real-time traffic, DNS changes, and disk space to prevent DDoS attacks which attempt to consume all disk space to create a denial of service.
  • And more…

iThemes Security

iThemes security plugin

The iThemes Security is a comprehensive plugin with more than 30 ways to secure and protect your website. Most of the tips discussed in the basic and intermediate section of this guide can be done on your site with one click. As a reminder, this plugin allows you to:

  • Change the admin username and the ID of the admin user
  • Limit login attempts
  • Disable XML-RPC
  • Hide WordPress version
  • Rename your database
  • Protect your .htaccess file
  • Change the wp-admin URL
  • And more…

WP Security Audit Log

WP Security Audit Log plugin

The last plugin on the list, WP Security Audit Log, helps you keep a log of everything that happens on your WordPress site. It supports WordPress multisite, and you can use it to keep an audit log of the WooCommerce store and product changes as well. Some of its features include:

  • Security alerts for when a new user is created, a user logs in for the first time, a user role is changed, a user installs or deactivates a plugin or modifies a post.
  • Alerts when users delete or permanently delete a post on a page or a custom post type, category, or tag.
  • Alerts for users who modify WordPress widgets or upload any type of files.
  • And much more…

How Many Security Plugins Should You Install

Most security plugins can be divided into three categories:

Plugins that harden the security of WordPress.
Plugins that protect WordPress from external attacks.
Plugins that monitor and keep an audit log of everything that is happening on WordPress.

Hardening plugins are used to perform actions such as renaming the WordPress database table prefixes, change the ID of the WordPress administrator, rename the default WordPress administrator account, change the WordPress login page URL and do other similar tasks. They help you protect your site from hackers exploiting security risks associated with the human factor.

The next category includes WordPress firewall plugins that monitor HTTPS requests reaching your site and block malicious ones.

Finally, the monitoring and auditing plugins will help you ensure that everything happening on your site is legitimate. They monitor what the users are doing and help you trace back the activity in case of a malicious attack.

Before you install all of these plugins, keep in mind that too many plugins can actually do more harm than good, especially if they all do the same thing. When it comes to security plugins, remember that there is no one-size-fits-all solution.

You will need to install several plugins to cover multiple aspects of security but refrain from installing two firewall plugins simply because one of them has extra features that the other one doesn’t. Likewise, there is no need to install a plugin like iThemes Security and Login Lockdown since iThemes security can effectively limit login attempts and change the URL to your admin area.

If you decide to use a security plugin, consider Sucuri Security and opt for their paid firewall add-on paired with WP Security Audit Log.

What to Do if Your Site Gets Hacked

In the event your website gets hacked, there are a few steps that you should take immediately after noticing the breach.

Change Your Passwords and Identify the Hack

The first thing you need to do is to change your password and check your site to identify the hack. Can you log into your dashboard? Is your site redirecting to another site? Do you see a lot of strange links or ads that weren’t there before? Did Google blacklist your site? Once you have the answers to those questions, get in touch with your hosting company.

Contact Your Hosting Company

Let your hosting company know that you suspect your site has been hacked and follow their instructions. Most of the hosting providers will be able to help you determine where the attack originated from and some will even help you clean up your site and remove the compromised files.

Restore from Backup

Go through saved copies of your backed up files and use a backup from before the attack to restore your site. If you aren’t using your site on a daily basis, avoid using the latest backup as it may contain the infected files as well.

Scan for Malware and Remove it

Delete any inactive themes and plugins. You can also use Sucuri’s free scanner to scan your site for malware and show you where the hack is hiding.

Check User Permissions

In your dashboard area, go to Users > All Users and make sure there are no suspicious users who shouldn’t have access to your site. If you see a user that doesn’t belong, delete them.

Change Your Secret Keys

Follow this guide to generate new security keys and add them to your wp-config.php file. Those keys encrypt your password, and if someone guessed your password, they would remain logged in because their cookies are valid. Generating a new set of security keys will invalidate those cookies and force the hacker back to the login screen. This is why changing your password should be the first step as mentioned earlier.

Change Your Passwords AGAIN

Once all of these steps are complete, change your password one more time and this time, make sure also to update your FTP, cPanel, and MySQL password. If you have additional users on your site, reset their passwords through the admin area.

Hire a Professional

If you’re not comfortable doing the cleanup yourself or simply don’t have time for it, consider hiring a professional to do it for you.

Since hackers tend to hide scripts in multiple places, you could miss one file and allow hackers to gain access to your site again. Having a professional do it for you will make sure that no file is missed and all the compromised code was properly removed.

What to Do if Your WordPress Site Gets Hacked

Wrapping Up

WordPress security shouldn’t be taken lightly. While it’s true that the core of WordPress is rather secure, there are plenty of ways hackers can gain access to your site. The steps outlined in this guide will help you keep your site safe by implementing tips such as using strong passwords and clever usernames, changing your database prefix, keeping everything up to date, and more.

Aside from using these tips, you can also make sure your site is less vulnerable to using themes and plugins from reputable sources or having custom solution coded for you by a reputable development company.

Finally, keep in mind that you should backup your site before making any changes to your site. This will allow you to easily restore your site in case you make a mistake while editing files.