Protect WordPress from Hacking [All-in-one Guide]
Table of Contents [TOC]
- Protect WordPress from Hacking [All-in-one Guide]
- Hacked WordPress Consequences
- Why WordPress Sites Get Hacked – Top Reasons
- WordPress Vulnerabilities Which Lead To Hacking
- How to check if your WordPress site is secure or not?
- How to Secure Your WordPress Site from Hackers in 2020?
- Keep your WordPress up-to-date
- Avoid free WP themes
- Install security plugins
- Use HTTPS
- Choose the right web host
- Use parameterized queries
- Use CSP – The powerful XSS attacks
- Make sure your passwords are secure
- Lock down your directory and file permissions
- Keep your error messages simple and helpful
- Invest in automatic backups
- Use an SSL protocol
- Hide and protect your admin pages
- Enhance .Htaccess Security
- Watch out for malicious file uploads
- Get Help Securing Your WP site
- Like this:
Was your WordPress hacked in the past? If yes, then you might already know the importance of wordpress security, but if not, then this article is a must read for you.
WordPress hacking is on a rise and it has become a topic of grave concern. Protecting WordPress from attackers and malware is not complicated, we just have to take into account a number of things: various precautions, constant updates and various protections to secure your WordPress from getting hacked in 2021.
Normally, the more popular a website is, the more attacks it receives of all kinds, so we must be prepared to avoid problems in these cases.
Having a secure website is as vital to someone’s online presence as having a website host. If a website is hacked and blacklisted, for example, it loses up to 98% of its traffic. Not having a secure website can be as bad as not having a website, or worse. For example, breach of customer data can lead to lawsuits, hefty fines and a ruined reputation.
As a website owner, there is nothing more terrifying than seeing all your work altered or completely destroyed by an infamous hacker?
We heard about data breaches and hacks in 2020. Lets make it hard for hackers in 2021. In this article we will talk about various security measures we can take to protect wordpress site from getting hacked in 2021.
In 2017, 39.3% of hacked WordPress sites recorded outdated installations. In 2018, this had dropped slightly. But in 2019-20, the numbers rose again. In 2020, its bound to increase many fold, due to advent of new technologies and vulnerabilities. Recently, a spike in WordPress ransomware attacks was also noticed in 2019-20.
Now, You may think, why would someone come after my small business website? But hacks don’t just happen to the big brands. One report found that small businesses were the victims of 43% of all data breaches. You can read more about this in our post on Website security for small business.
We’ve talked about it recently: if you own a website, not taking certain steps can expose you to the risk of hacking. The proper functioning of your site, as well as your reputation, could suffer. This is especially true for e-commerce sites (📒WordPress Woocommerce Hack), specializing in sales, where banking transactions are commonplace.
Nowadays, the threat of hackers is growing. Attempts to hack are becoming more and more automated and, therefore, will be increasing in 2020.
Most often, hacking is not directly visible. This is happening silently. Your site becomes a hacker’s haunt, exploits its resources and uses it to perpetuate its crimes, including contaminating other websites.
Hacked WordPress Consequences
Humanly speaking, your visitors will ultimately complain of malfunctions on your site, or too slow speed, and will turn away from your company. In terms of SEO, Google will blacklist you, and show warning messages for your website such as “This Site May Be Hacked” message in google. Follow our in depth guide to remove google blacklist warning messages.
Why WordPress Sites Get Hacked – Top Reasons
- Insecure Web Hosting
- Using weak or duplicate passwords
- Unprotected Access to WordPress Admin (wp-admin Directory)
- Incorrect WP File Permissions
- Outdated WordPress Installation
- Outdated WordPress Plugins or Themes
- Using Plain FTP instead of SFTP/SSH
- Using Admin as WordPress Username – 📒 How To Change Your WordPress Username
- Using Nulled Themes and Plugins (📒 Also Read:Detect Malware in WordPress Themes , WordPress Theme Security)
- Not Securing WordPress Configuration wp-config.php File
- Not Changing WordPress Table Prefix
- Corrupt WP tables (📒 Repair WordPress Database – Fix Corrupted Tables)
There are several ways to prevent this disaster scenario.
WordPress Vulnerabilities Which Lead To Hacking
Here are the most common wordpress security vulnerabilities and threats:
SQL injection attacks are carried out by injecting malicious code into a vulnerable SQL request. They rely on an attacker adding a specially crafted request in the message sent by the website to the database.
A successful attack will modify the query of the database so that it will return the information desired by the attacker, instead of the information expected by the website. SQL injections can even modify or add malicious information to the database. An example of malicious code injection is discussed here.
Cross-site Scripting (XSS)
Cross-site scripting or XSS scripts are a type of website vulnerability that allows attackers to place malicious scripts on trusted websites and applications that, in turn, They install the malware in users’ web browsers. By using cross-site scripts, hackers do not directly attack users or misleadingly direct them to other sites, but freely distribute their malware to thousands of people.
XSS allows intruders who intend to attack a site, inject client-side scripts into Web pages viewed by other users. A cross-site scripting vulnerability can be used by attackers to bypass access controls as the policy of the same origin.
📒 Also Read – WordPress XSS Attack – Exploit & Protection
Credential Brute Force Attacks
Brute Force Attack is a hacking method that uses trial and error techniques to enter a website, a network or a computer system. Hackers use automated software to send a large number of requests to the destination system. With each request, this software attempts to guess the information needed to gain access, such as passwords or PIN codes. These tools can also be disguised using different IP addresses and locations, making it difficult for the target system to identify and block these suspicious activities.
A successful brute force attack can give hackers access to your admin area website. They can install backdoor, malware, steal user information and delete everything on your site. Even unsuccessful brute force attacks can wreak havoc by sending too many requests that slow down your WordPress hosting servers and even block them.
📒 Also Read – WordPress Brute Force Attack
WordPress Malware Attacks
Using some of the previous security issues as a means to gain unauthorized access to a website, attackers can then:
- Inject SEO spam on the page – 📒 Read: How To Fix Japanese Keywords Hack In Your WordPress Site?
- Run exploits on the server to escalate access level.
- Use visitors’ computers to mine cryptocurrencies –📒 WordPress ransomware
- Launch attacks against other sites
- Store botnets command & control scripts
- Show unwanted ads, redirect visitors to scam sites –📒 WordPress malware redirect
- Host malicious downloads
- Drop a backdoor to maintain access –📒 WordPress Backdoor
- Collect visitor information or credit card data (eg 📒 Branco de oro hack)
A Distributed Denial of Service (DDoS) attack on wordpress sites, also called a WordPress DDoS attack, is an attack on a computer or network system that causes a service or resource to be inaccessible to legitimate users. Normally it causes the loss of network connectivity due to the consumption of the transfer of information (bandwidth) of the victim’s network.
It is generated by saturating the ports with information flow, causing the server (s) to be overloaded and unable to continue providing services, so it is called “denial” because it makes the server not supply the number of requests. This technique is used by so-called hackers to knock out target servers.
But before we proceed further, an important question arises:
How to check if your WordPress site is secure or not?
A secure website must have all the web application firewalls activated to prevent any kind of WordPress hack. It must also follow wordpress security best practices for known or most common wordpress vulnerabilities. You can use our WordPress security scanner below to see if a website has a firewall, any security anomalies, malware, or if it is blacklisted.
How to Secure Your WordPress Site from Hackers in 2020?
Tips to secure your WordPress site and keeping hackers at bay.
Many other actions can strengthen your web protection. But these elements in themselves are already ignored by many site administrators. Relatively simple to implement, you can try these methods can only be beneficial for you and your users.
Keep your WordPress up-to-date
This may seem pretty obvious, but it’s one of the most basic and important steps. It is important to make updates as soon as possible at the release of a new version of WordPress, especially scripts or plugins. Many of them are open-source, which means that everyone can analyze their source code and discover the flaws. These security holes are one of the most common ways for hackers to access your website.
To secure your website from these attacks, it is strongly recommended to update your plugin, scripts and WordPress versions.
Avoid free WP themes
On many CMS themes are legion, whether paid or free. They make it possible to add functionalities to a site, to automate actions, to simplify the administration and to make the whole thing more attractive for Internet users.
It is therefore tempting to use them, especially when they are free.
But you should know that free themes are not without risk. If they are fully finalized and approved by the community at a given time (often testing and commenting on novelties, to allow them to improve if needed), this does not guarantee that they will still be relevant.
Because of their free, these themes are not necessarily followed by their developer in the long term. So, they are not updated . What refers to the previous point: a lack of update involves surviving flaws and, ultimately , a possible incompatibility between the free themes and the rest of the site which has been updated.
Install security plugins
WordPress (WP) is the most used website platform. In addition to updating all software, it is crucial for a WordPress site to use security plugins and guarantee maximum security. There are many free and paid wordpress security plugins to keep your site secure.
These plugins offer additional features to make your WordPress site secure and reduce the risk of hacking.
These options address the security vulnerabilities that are inherent in each platform, foiling additional types of hacking attempts that could threaten your website.
In addition to using security plugins, you should also consider upgrading to HTTPS “secure hypertext transfer protocol” to further enhance the security of your site. Web sites using the standard protocol for data transfer between the server and the client’s browser, HTTP or hypertext transfer protocol are likely to intercept the data and use it maliciously. HTTPS makes the exchange of information via your website more secure and impenetrable.
The use of HTTPS is strongly recommended for an e-commerce site, or a site dealing with confidential and private information about customers.
Choose the right web host
You can, of course, choose your accommodation based on very cheap offers. However, you may be exposed to cyberattacks. For this reason, it is reasonable to find a reputable web hosting providers that offer features such as a secure SSL server (required for HTTPS), SSH Secure Shell Access, secure email support, a database secure, regular backups, etc. If you have any doubts about data hosting security, try to get a recommendation from a vendor. Host and protect did some research and compared different web hosting providers and then selected the best ones in their wordpress hosting guide.
Use parameterized queries
The SQL injections are not only sneaky, but can also be very dangerous if a hacker manages to inject into your site. Usually, these injections take place through the web forms that you use to gather information from visitors to your site.
If you do not submit the necessary constraints to all fields on a web form, hackers will be able to insert code that, in turn, allows them to hack your database and steal any confidential information available.
In order to protect your website against these injections, all you have to do is permanently use parameterized queries. Your website will have specific parameters to prevent hackers from accessing your data and entering their malicious code.
Use CSP – The powerful XSS attacks
The Content Security Policy (CSP) is a Web application mechanism that is implemented upstream of the HTTP request, which limits the interpretation of the script and nested framework (iframe) directly. in the client browser. A defense in depth which consists of a simple declarative policy of the server, via the HTTP header, to indicate to the browser the sources from which the application plans to load the resources.
But beware that the CSP is very effective, by improving your security, it is at the mercy of the browser. Since only the “Edge” version of Internet Explorer browsers is compatible, the question does not even arise.
Make sure your passwords are secure
It is better to use passwords always more complex, mixing lowercase letters, capital letters, numbers, and special characters for all your accounts and especially for the administrator account of your site. Never use simple passwords. Do not use passwords such as your child’s name or birthday, as hackers can usually easily access this information.
In addition, make sure everyone who has access to your website uses a secure password that is impossible to guess. the use of a weak password by a user could endanger your entire website and all visitor accounts.
Lock down your directory and file permissions
WordPress directory browsing allows any visitor to your site to see and browse the contents of the folders in your WordPress site. Everyone can visit a directory of your site, see the files and open them at will. By default, the majority of hosts have chosen to block access to directories, for obvious reasons of security, however, there are still many hosts that do not disable access to the directory of hosted sites.
To be clear, if directory browsing is enabled and you do not have a blank index.html or index.php file in a given directory, a visitor will be able to view the contents of the directory in his browser, getting the same access to the parent directory, and the ability to trace all directories present, revealing the workings of your WordPress site.
This display may encourage hackers to try to destroy your site, or at least facilitate their work of breaking. Hackers can easily search Google to find sites for which directory access is allowed, then choose their next victims based on the results. In addition to containing all the scripts and data necessary for the proper functioning of your website, each of these files and folders is assigned a set of permissions to control who can read, write and execute a file or folder, depending on the user the group to which they belong.
On the Linux operating system, permissions are visible as a three-digit code, with each digit representing an integer between 0 to 7. The first digit represents the permissions for the file owner, the second is for anyone assigned to the owner group and the third for everyone. Assignations work as follows:
- 4 equals Read
- 2 equals Write
- 1 equals Execute
- 0 equals no permissions for that user
As an example, use the permission code “644.” In this case, a “6” (or “4+2”) in the first position gives the file’s owner the ability to read and write the file.
The “4” in the second and third positions means that group users and Internet users, in general, can only read the file, which protects it from unexpected manipulations.
So, a file with “777” (or 4+2+1 / 4+2+1 / 4+2+1) permissions is readable, write-able, and executable by the user, the group, and everyone else in the world.
As expected, a file that has been assigned a permission code, which gives any user on the Web an ability to write and execute it, is much less secure than a locked file in order to reserve all rights to the owner. Of course, there are valid reasons to open access to other user groups (anonymous FTP download, for example), but these instances need to be carefully considered to avoid creating a security risk for the website.
For this reason, the golden rule is to set wordpress file and folder permissions as follows:
- Folders and directories = 755
- Individual files = 644
To set your file permissions, log in to your cPanel’s File Manager or connect to your server via FTP. Once there, you’ll see all existing file permissions (as in the following example generated using the Filezilla FTP program):
The final column in this example displays the file and folder permissions in wordpress currently assigned to the website’s content.
To change these permissions in Filezilla, simply right click the folder or file in question and
select the “File permissions” option. This will launch a screen that allows you to assign different permissions using a series of checkboxes:
Although each web host’s or FTP program’s backend might show slightly different options, the basic process for changing permissions remains the same. In our next article, we will be talking more about how to modify wordpress file permissions in detail.
Keep your error messages simple and helpful
Detailed error messages can be useful internally to help you identify what’s wrong and know how to fix it. But when these error messages are displayed to outside visitors, improper error handling may reveal sensitive information to a potential hacker about your website vulnerabilities.
Be careful about the information you provide in an error message, to make sure that you do not provide information that would help a hacker. Keep your error messages simple and never reveal too much. But also avoid ambiguities, so your visitors can always learn enough information through the error message to know what to do next.
Read more on some of the most common WordPress errors/messages:
- “The link you followed has expired” WordPress
- Fix Pluggable.php File Errors in WordPress
- Upload Failed To Write File To Disk Error WordPress
- HTTP Image Upload Error WordPress
- 503 Service Unavailable Error WordPress
- Parse Error: Syntax Error Unexpected ‘ ‘ WordPress
- WP Mail SMTP Not Working
- Sorry, This File Type Is Not Permitted For Security Reasons WordPress
- Error Establishing a Database Connection WordPress
Invest in automatic backups
Even if you do everything else on this list, there are still some chances for you to face some hackers. The worst-case scenario of a website hack is to lose everything, all the data because you forgot to back your website up. The best way to protect yourself from such loss of data is to always have a recent backup.
Use an SSL protocol
We’ve talked about it lately: an SSL protocol is a tool that encrypts your data. It can be compared to a lock on a door: when your data is transferred from your server to one of your users, the process is secured with an SSL certificate and nobody can interfere.
In addition, Chrome and Firefox web browsers are beginning to make it clear which sites are using SSL and which are not. This may encourage users to prefer a protected site to its competitor without SSL protocol.
Last but not least, an SSL certificate will help your SEO and enhance your security and the trust of your users.
In the case of a data breach, there is no need to be panicked, when you have a current backup. You can make a habit out of manually backing your website up daily or weekly. But if there’s even the slightest chance you’ll forget, invest in automatic backups. It’s a cheap way to buy peace of mind and recovering is much easy.
Hide and protect your admin pages
Administration pages are a prime target for hackers; they allow them to access your data and those of your customers. And these pages are particularly easy to find to have a similar name by default, including WordPress, Drupal, Prestashop and other CMS equivalent. Changing the name of the administration directory will complicate the task of hackers and may discourage them. In the same idea, use a personal, complex and searched password.
Enhance .Htaccess Security
If your website does get hacked, most attackers modify the .htaccess file to reroute traffic off your site or to power pages with their own files. The .htaccess file is a hidden text file used by the Apache web server to configure your website without the need to create or modify global settings. Use .htaccess files to restrict access to specific files or directories that may contain sensitive information. Learn how to use the .htaccess file effectively to improve your site security and performance. Make your WordPress website secure with a few htaccess tweaks.
For improved security, Modify your .htaccess file to:
- Block Bad Bots
- Disable Directory Browsing –
- Allow Only Selected Files from wp-content
- Restrict All Access to wp-includes
- Allow only Selected IP Addresses to Access wp-admin
- Protect wp-config.php and .htaccess from everyone
- Deny Image Hotlinking
- Enable Browser Caching
- Redirect to a Maintenance page – Read: How to Fix WordPress Stuck in Maintenance Mode? [Tutorial]
- Custom Error Pages
📒 Detailed Guide – WordPress .htaccess hacked – Cleanup & Prevent .htaccess Attack
Watch out for malicious file uploads
When anyone has the option to upload something to your website, they could abuse the privilege by loading a malicious file, overwriting one of the existing files important to your website, or uploading a file so large it brings your whole website down.
If possible, simply don’t accept any file uploads through your website. Many small business websites can get by without offering the option of file uploads at all. If that describes you, you can skip everything else in this step.
But eliminating file uploads isn’t an option for all websites. Some types of businesses, like accountants or healthcare providers, need to give customers a way to securely provide documents.
When someone has the option of uploading any type of file to your WordPress, they can abuse the privilege by uploading a malicious file, overwriting one of the important files existing on the website or uploading such a large file that it tears down their entire website.
If possible, simply do not accept file uploads from anyone through your website. Many small business websites can survive without offering the option to upload files at all. If that describes you, you can skip everything else in this step.
If you need to allow file uploads to your website, follow these steps to make sure the safety of WordPress:
- Automatically rename files upon upload.
- Create a whitelist of allowed file extensions.
- Use file type verification.
- Implement WordPress Two-Factor Authentication (2FA)
- Keep the upload folder outside of the webroot.
- Set maximum file size. Avoid distributed denial of service (DDoS) attacks by rejecting any files over a certain size.
- Scan all uploaded files for malware.
Get Help Securing Your WP site
Don’t procrastinate taking the above mentioned steps. Securing your wordpress site by following wordpress security tips and learning how to protect against hackers and how to remove malware from wordpress plays an important role in keeping your site healthy and safe in 2020 and beyond!
Also Read our in-depth guides & checklists:
- WordPress Website Maintenance Checklist
- WordPress Theme Security
- WordPress Malware Removal Checklist
- HIPAA Compliance Security Checklist
Looking for a new hosting provider? Contact us for a great holiday deals.
Don’t worry about getting tripped up in the process. Wp hacked help has world-class support available around the clock! We can help you get secure!