WordPress Hacked – How to Secure Your Site in 2020 [Guide]

Updated on

 WordPress Hacking - How to Secure Your Site in 2020 [Guide]

Protect WordPress from Hacking [All-in-one Guide]

Was your WordPress hacked in the past? If yes, then you might already know the importance of wordpress security, but if not, then this article is a must read for you.

WordPress hacking is on a rise and it has become a topic of grave concern. Protecting WordPress from attackers and malware is not complicated, we just have to take into account a number of things: various precautions, constant updates and various protections to secure your WordPress from getting hacked in 2020.

Normally, the more popular a website is, the more attacks it receives of all kinds, so we must be prepared to avoid problems in these cases.

Having a secure website is as vital to someone’s online presence as having a website host. If a website is hacked and blacklisted, for example, it loses up to 98% of its traffic. Not having a secure website can be as bad as not having a website, or worse. For example, breach of customer data can lead to lawsuits, hefty fines and a ruined reputation.

As a website owner, there is nothing more terrifying than seeing all your work altered or completely destroyed by an infamous hacker?

We heard about data breaches and hacks in 2019. Lets make it hard for hackers in 2020. In this article we will talk about various security measures we can take to protect wordpress site from getting hacked in 2020.

How many websites get hacked a day?
WordPress Hacked by the Numbers:
 There are about 380 million websites in the U.S. About 30,000 websites are infected with some type of malware daily.

In 2017, 39.3% of hacked WordPress sites recorded outdated installations. In 2018, this had dropped slightly. But in 2019, the numbers rose again. In 2020, its bound to increase many fold, due to advent of new technologies and vulnerabilities. Recently, a spike in WordPress ransomware attacks was also noticed in 2019.

Now, You may think, why would someone come after my small business website? But hacks don’t just happen to the big brands. One report found that small businesses were the victims of 43% of all data breaches. You can read more about this in our post on Website security for small business.

We’ve talked about it recently: if you own a website, not taking certain steps can expose you to the risk of hacking. The proper functioning of your site, as well as your reputation, could suffer. This is especially true for e-commerce sites (📒WordPress Woocommerce Hack), specializing in sales, where banking transactions are commonplace.

Nowadays, the threat of hackers is growing. Attempts to hack are becoming more and more automated and, therefore, will be increasing in 2020.

Most often, hacking is not directly visible. This is happening silently. Your site becomes a hacker’s haunt, exploits its resources and uses it to perpetuate its crimes, including contaminating other websites.

signs of hacked wordpress site

Hacked WordPress Consequences

Humanly speaking, your visitors will ultimately complain of malfunctions on your site, or too slow speed, and will turn away from your company. In terms of SEO, Google will blacklist you, and show warning messages for your website such as “This Site May Be Hacked” message in google. Follow our in depth guide to remove google blacklist warning messages.

Why WordPress Sites Get Hacked – Top Reasons

There are several ways to prevent this disaster scenario.

WordPress Vulnerabilities Which Lead To Hacking

Here are the most common wordpress security vulnerabilities and threats:

SQL Injections

SQL injection attacks are carried out by injecting malicious code into a vulnerable SQL request. They rely on an attacker adding a specially crafted request in the message sent by the website to the database.

A successful attack will modify the query of the database so that it will return the information desired by the attacker, instead of the information expected by the website. SQL injections can even modify or add malicious information to the database. An example of malicious code injection is discussed here.

Cross-site Scripting (XSS)

Cross-site scripting or XSS scripts are a type of website vulnerability that allows attackers to place malicious scripts on trusted websites and applications that, in turn, They install the malware in users’ web browsers. By using cross-site scripts, hackers do not directly attack users or misleadingly direct them to other sites, but freely distribute their malware to thousands of people.

XSS allows intruders who intend to attack a site, inject client-side scripts into Web pages viewed by other users. A cross-site scripting vulnerability can be used by attackers to bypass access controls as the policy of the same origin.

📒 Also ReadWordPress XSS Attack – Exploit & Protection

Credential Brute Force Attacks

Brute Force Attack is a hacking method that uses trial and error techniques to enter a website, a network or a computer system. Hackers use automated software to send a large number of requests to the destination system. With each request, this software attempts to guess the information needed to gain access, such as passwords or PIN codes. These tools can also be disguised using different IP addresses and locations, making it difficult for the target system to identify and block these suspicious activities.

A successful brute force attack can give hackers access to your admin area website. They can install backdoor, malware, steal user information and delete everything on your site. Even unsuccessful brute force attacks can wreak havoc by sending too many requests that slow down your WordPress hosting servers and even block them.

📒 Also ReadWordPress Brute Force Attack

WordPress Malware Attacks

Using some of the previous security issues as a means to gain unauthorized access to a website, attackers can then:

  1. Inject SEO spam on the page – 📒 Read: How To Fix Japanese Keywords Hack In Your WordPress Site?
  2. Run exploits on the server to escalate access level.
  3. Use visitors’ computers to mine cryptocurrencies –📒 WordPress ransomware
  4. Launch attacks against other sites
  5. Store botnets command & control scripts
  6. Show unwanted ads, redirect visitors to scam sites –📒 WordPress malware redirect
  7. Host malicious downloads
  8. Drop a backdoor to maintain access –📒 WordPress Backdoor
  9. Collect visitor information or credit card data (eg 📒 Branco de oro hack)

DDoS Attacks

A Distributed Denial of Service (DDoS) attack on wordpress sites, also called a WordPress DDoS attack, is an attack on a computer or network system that causes a service or resource to be inaccessible to legitimate users. Normally it causes the loss of network connectivity due to the consumption of the transfer of information (bandwidth) of the victim’s network.

It is generated by saturating the ports with information flow, causing the server (s) to be overloaded and unable to continue providing services, so it is called “denial” because it makes the server not supply the number of requests. This technique is used by so-called hackers to knock out target servers.

But before we proceed further, an important question arises:

How to check if your WordPress site is secure or not?

A secure website must have all the web application firewalls activated to prevent any kind of WordPress hack. It must also follow wordpress security best practices for known or most common wordpress vulnerabilities. You can use our WordPress security scanner below to see if a website has a firewall, any security anomalies, malware, or if it is blacklisted.

 wordpress security scanner

 

How to Secure Your WordPress Site from Hackers in 2020?

Tips to secure your WordPress site and keeping hackers at bay.

Many other actions can strengthen your web protection. But these elements in themselves are already ignored by many site administrators. Relatively simple to implement, you can try these methods can only be beneficial for you and your users.

Keep your WordPress up-to-date

This may seem pretty obvious, but it’s one of the most basic and important steps. It is important to make updates as soon as possible at the release of a new version of WordPress, especially scripts or plugins. Many of them are open-source, which means that everyone can analyze their source code and discover the flaws. These security holes are one of the most common ways for hackers to access your website.

To secure your website from these attacks, it is strongly recommended to update your plugin, scripts and WordPress versions.

Avoid free WP themes

On many CMS themes are legion, whether paid or free. They make it possible to add functionalities to a site, to automate actions, to simplify the administration and to make the whole thing more attractive for Internet users.

It is therefore tempting to use them, especially when they are free.

But you should know that free themes are not without risk. If they are fully finalized and approved by the community at a given time (often testing and commenting on novelties, to allow them to improve if needed), this does not guarantee that they will still be relevant.

Because of their free, these themes are not necessarily followed by their developer in the long term. So, they are not updated . What refers to the previous point: a lack of update involves surviving flaws and, ultimately , a possible incompatibility between the free themes and the rest of the site which has been updated.

Install security plugins

WordPress (WP) is the most used website platform. In addition to updating all software, it is crucial for a WordPress site to use security plugins and guarantee maximum security. There are many free and paid wordpress security plugins to keep your site secure.

These plugins offer additional features to make your WordPress site secure and reduce the risk of hacking.

These options address the security vulnerabilities that are inherent in each platform, foiling additional types of hacking attempts that could threaten your website.

Use HTTPS

In addition to using security plugins, you should also consider upgrading to HTTPS “secure hypertext transfer protocol” to further enhance the security of your site. Web sites using the standard protocol for data transfer between the server and the client’s browser, HTTP or hypertext transfer protocol are likely to intercept the data and use it maliciously. HTTPS makes the exchange of information via your website more secure and impenetrable.

The use of HTTPS is strongly recommended for an e-commerce site, or a site dealing with confidential and private information about customers.

Choose the right web host

You can, of course, choose your accommodation based on very cheap offers. However, you may be exposed to cyberattacks. For this reason, it is reasonable to find a reputable web hosting providers that offer features such as a secure SSL server (required for HTTPS), SSH Secure Shell Access, secure email support, a database secure, regular backups, etc. If you have any doubts about data hosting security, try to get a recommendation from a vendor. Host and protect did some research and compared different web hosting providers and then selected the best ones in their wordpress hosting guide.

Use parameterized queries

The SQL injections are not only sneaky, but can also be very dangerous if a hacker manages to inject into your site. Usually, these injections take place through the web forms that you use to gather information from visitors to your site.

If you do not submit the necessary constraints to all fields on a web form, hackers will be able to insert code that, in turn, allows them to hack your database and steal any confidential information available.

In order to protect your website against these injections, all you have to do is permanently use parameterized queries. Your website will have specific parameters to prevent hackers from accessing your data and entering their malicious code.

Use CSP  – The powerful XSS attacks

These attacks are similar to SQL injections because hackers use web form fields of HTML codes to access them. However, they are much more dangerous than SQL injections. Cross-site scripting ( XSS) attacks refer to the insertion of malicious script tags and JavaScript into your website, which can spread to the accounts of all visitors who display the page on which they were served. inserted.

To prevent XSS attacks, make sure that visitors do not have the privileges (or opportunity) to insert JavaScript or script tags anywhere on your site.

The Content Security Policy (CSP) is a Web application mechanism that is implemented upstream of the HTTP request, which limits the interpretation of the script and nested framework (iframe) directly. in the client browser. A defense in depth which consists of a simple declarative policy of the server, via the HTTP header, to indicate to the browser the sources from which the application plans to load the resources.

But beware that the CSP is very effective, by improving your security, it is at the mercy of the browser. Since only the “Edge” version of Internet Explorer browsers is compatible, the question does not even arise.

Make sure your passwords are secure

It is better to use passwords always more complex, mixing lowercase letters, capital letters, numbers, and special characters for all your accounts and especially for the administrator account of your site. Never use simple passwords. Do not use passwords such as your child’s name or birthday, as hackers can usually easily access this information.

In addition, make sure everyone who has access to your website uses a secure password that is impossible to guess. the use of a weak password by a user could endanger your entire website and all visitor accounts.

Lock down your directory and file permissions

WordPress directory browsing allows any visitor to your site to see and browse the contents of the folders in your WordPress site. Everyone can visit a directory of your site, see the files and open them at will. By default, the majority of hosts have chosen to block access to directories, for obvious reasons of security, however, there are still many hosts that do not disable access to the directory of hosted sites.

To be clear, if directory browsing is enabled and you do not have a  blank index.html or index.php file in a given directory, a visitor will be able to view the contents of the directory in his browser, getting the same access to the parent directory, and the ability to trace all directories present, revealing the workings of your WordPress site.

This display may encourage hackers to try to destroy your site, or at least facilitate their work of breaking. Hackers can easily search Google to find sites for which directory access is allowed, then choose their next victims based on the results. In addition to containing all the scripts and data necessary for the proper functioning of your website, each of these files and folders is assigned a set of permissions to control who can read, write and execute a file or folder, depending on the user the group to which they belong.

On the Linux operating system, permissions are visible as a three-digit code, with each digit representing an integer between 0 to 7. The first digit represents the permissions for the file owner, the second is for anyone assigned to the owner group and the third for everyone. Assignations work as follows:

  • 4 equals Read
  • 2 equals Write
  • 1 equals Execute
  • 0 equals no permissions for that user

As an example, use the permission code “644.”  In this case, a “6” (or “4+2”) in the first position gives the file’s owner the ability to read and write the file.

The “4” in the second and third positions means that group users and Internet users, in general, can only read the file, which protects it from unexpected manipulations.

So, a file with “777” (or 4+2+1 / 4+2+1 / 4+2+1) permissions is readable, write-able, and executable by the user, the group, and everyone else in the world.

As expected, a file that has been assigned a permission code, which gives any user on the Web an ability to write and execute it, is much less secure than a locked file in order to reserve all rights to the owner. Of course, there are valid reasons to open access to other user groups (anonymous FTP download, for example), but these instances need to be carefully considered to avoid creating a security risk for the website.

For this reason, the golden rule is to set wordpress file and folder permissions as follows:

  • Folders and directories = 755
  • Individual files = 644

To set your file permissions, log in to your cPanel’s File Manager or connect to your server via FTP.  Once there, you’ll see all existing file permissions (as in the following example generated using the Filezilla FTP program):

The final column in this example displays the file and folder permissions in wordpress currently assigned to the website’s content.

To change these permissions in Filezilla, simply right click the folder or file in question and

select the “File permissions” option.  This will launch a screen that allows you to assign different permissions using a series of checkboxes:

Although each web host’s or FTP program’s backend might show slightly different options, the basic process for changing permissions remains the same. In our next article, we will be talking more about how to modify wordpress file permissions in detail.

Keep your error messages simple and helpful

Detailed error messages can be useful internally to help you identify what’s wrong and know how to fix it. But when these error messages are displayed to outside visitors, improper error handling may reveal sensitive information to a potential hacker about your website vulnerabilities.

Be careful about the information you provide in an error message, to make sure that you do not provide information that would help a hacker. Keep your error messages simple and never reveal too much. But also avoid ambiguities, so your visitors can always learn enough information through the error message to know what to do next.

Read more on some of the most common WordPress errors/messages:

Invest in automatic backups

Even if you do everything else on this list, there are still some chances for you to face some hackers. The worst-case scenario of a website hack is to lose everything, all the data because you forgot to back your website up. The best way to protect yourself from such loss of data is to always have a recent backup.

📒 Also ReadHow to Backup WordPress Database Manually?  |  Export WordPress Database PhpMyadmin

Use an SSL protocol

We’ve talked about it lately: an SSL protocol is a tool that encrypts your data. It can be compared to a lock on a door: when your data is transferred from your server to one of your users, the process is secured with an SSL certificate and nobody can interfere.

In addition, Chrome and Firefox web browsers are beginning to make it clear which sites are using SSL and which are not. This may encourage users to prefer a protected site to its competitor without SSL protocol.

Last but not least, an SSL certificate will help your SEO and enhance your security and the trust of your users.

In the case of a data breach, there is no need to be panicked, when you have a current backup. You can make a habit out of manually backing your website up daily or weekly. But if there’s even the slightest chance you’ll forget, invest in automatic backups. It’s a cheap way to buy peace of mind and recovering is much easy.

Hide and protect your admin pages

Administration pages are a prime target for hackers; they allow them to access your data and those of your customers. And these pages are particularly easy to find to have a similar name by default, including WordPress, Drupal, Prestashop and other CMS equivalent. Changing the name of the administration directory will complicate the task of hackers and may discourage them. In the same idea, use a personal, complex and searched password.

📒Also Read  How To Delete Invisible/Hidden Admin User In WordPress?

Enhance .Htaccess Security

If your website does get hacked, most attackers modify the .htaccess file to reroute traffic off your site or to power pages with their own files. The .htaccess file is a hidden text file used by the Apache web server to configure your website without the need to create or modify global settings. Use .htaccess files to restrict access to specific files or directories that may contain sensitive information. Learn how to use the .htaccess file effectively to improve your site security and performance. Make your WordPress website secure with a few htaccess tweaks.

For improved security, Modify your .htaccess file to:

📒 Detailed Guide – WordPress .htaccess hacked – Cleanup & Prevent .htaccess Attack

Make WordPress website secure with .htaccess snippets

Watch out for malicious file uploads

When anyone has the option to upload something to your website, they could abuse the privilege by loading a malicious file, overwriting one of the existing files important to your website, or uploading a file so large it brings your whole website down.

If possible, simply don’t accept any file uploads through your website. Many small business websites can get by without offering the option of file uploads at all. If that describes you, you can skip everything else in this step.

But eliminating file uploads isn’t an option for all websites. Some types of businesses, like accountants or healthcare providers, need to give customers a way to securely provide documents.

When someone has the option of uploading any type of file to your WordPress, they can abuse the privilege by uploading a malicious file, overwriting one of the important files existing on the website or uploading such a large file that it tears down their entire website.

If possible, simply do not accept file uploads from anyone through your website. Many small business websites can survive without offering the option to upload files at all. If that describes you, you can skip everything else in this step.

If you need to allow file uploads to your website, follow these steps to make sure the safety of WordPress:

  • Automatically rename files upon upload.
  • Create a whitelist of allowed file extensions.
  • Use file type verification.
  • Implement WordPress Two-Factor Authentication (2FA)
  • Keep the upload folder outside of the webroot.
  • Set maximum file size. Avoid distributed denial of service (DDoS) attacks by rejecting any files over a certain size.
  • Scan all uploaded files for malware.

Get Help Securing Your WP site

Don’t procrastinate taking the above mentioned steps. Securing your wordpress site by following wordpress security tips and learning how to protect against hackers and how to remove malware from wordpress plays an important role in keeping your site healthy and safe in 2020 and beyond!

Also Read our in-depth guides & checklists: 

Looking for a new hosting provider?  Contact us for a great holiday deals.

Don’t worry about getting tripped up in the process. Wp hacked help has world-class support available around the clock!  We can help you get secure!

Leave a Reply

Your email address will not be published. Required fields are marked *