Posted in:

WordPress Security Guide

Hackers and spammers are everywhere and your website is not spared too. Being one of the largest CMS platforms, WordPress also happens to be frequented by hackers. WordPress websites which attract a lot of traffic are ones which are targeted most. The hackers use your server to spam the emails of your customers. A proper security system in your WordPress website will ensure that your site is safe and invulnerable to such attacks. Here are some WordPress security tips which would help you create a security wall along your website and keep it safe from spammers and hackers.

Have Your Website Hosted with a Good Hosting Company

WordPress security tips

Hosting companies play an important role in safeguarding your website. About 40% hackers attempt to compromise your website from vulnerabilities in hosting platforms. Remember to look for the below points while you select a WordPress hosting company for you.

  • Has trained staff who knows how to take care of WordPress security problems if the situation calls for one.
  • The latest version of MySQL and PHP is supported by them.
  • They have WordPress optimized firewall.
  • Intrusive file detection and malware scanning is present.
  • The hosting company is optimized to run WordPress.

Account isolation should be opted for if you are looking forward to using shared hosting plan. Account isolation makes sure that a single account doesn’t overload the server and cause difficulties for your site. Usually all good hosting companies provide daily backups however, you should take your backups too.

Scanning Your Website

WordPress security tips

The next advice in WordPress security tips is to scan your website. As discussed earlier, hackers use websites to use server to send across spam emails. If you know that your website has been compromised then along with your hosting company you would be able to remove the malicious files uploaded by the hacker. But in case you are unaware about the compromise the hackers will continue to use your server and send spam emails without you discovering it.

The only way you could check whether or not your website is safe is to scan your theme files at regular intervals. There are some useful plugins which could be of your service. WordPress Plugins such as WP Antivirus Site Protection helps in locating Trojan horses, adware, backdoor rookits, PHP mailers, spyware, fraudulent tools, worms and much more. Some of the other plugins with same such abilities are SucuriSitecheck, Ultimate Security Checker and CodeGuard, AntiVirus. You could select one for your site.

A plugin by the name of WP Changes Tracker should also be installed and kept in your website. Even though this is not an anti-virus scanner it displays any changes done on your website. The change log enables you to see any changes that have been made in your website.

Regular scans keep your website safe and free from any malicious activities that might be happening on your site.

Limit Login Attempts

WordPress security tips

An obvious way the hackers try to break through your admin area is by logging in several times by using random username and passwords.

Limiting your login attempts is the best way to avoid this type of attack. Login Security Solution plugin helps in limiting the number of logins from a certain IP range. There are many other plugins meant for WordPress website which offer the same functions such as the mentioned plugin, they can be looked up on the internet and the one you like the best can be used.

When a user fails to log in for a certain number of times that you have opted for they will instantly be logged out of the WordPress site for a certain time. The time of lockout can be fluctuated to more or less according to your choice.

There are times when users who you know have been mistakenly locked out, there is an option to unban them which can be done manually.

The IP addresses of people who are making failed attempts of login are recorded by the plugins. Using this information and you could have these people blocked from your website for an indefinite period.

Strong Login’s

In a report generated by a security company, some time back among the millions of accounts which were breached in the Yahoo security breach, about 17% had passwords ‘1234567’. Keeping a password according to your convenience is inviting hackers to compromise your website. Keeping strong passwords is one of the WordPress security tips to keep your site safe. Brute force automated scripts are used by hackers to get through your website in case your passwords are not strong.

Earlier for the primary administrator account, WordPress had set the default username as ‘admin’ , this has been changed now and you can choose to keep a username of your choice yet hundreds of people continue to use admin as their username. The hackers are not unaware about this situation and in many cases, they just have to make their way through the password with the help of brute force scripts and they can access your administrator account.

Remember to change the default username, this is for the security of your website.  Run the below command in PHPMyAdmin. WP-DBManager is plugin which you can use to run the below command in the admin area. Once done make sure that the plugin is uninstalled else there could be other who could use the plugin to change your username.

UPDATE wp_users SET user_login = ‘newusername’ WHERE user_login = ‘admin’;

Always Backup

WordPress security tips

Another important information in the list of WordPress security tips is to backup always. Since the time storage and computers have been in use it has always been recommended that we backup the data. Irrespective of the tight security which you have used or build up for the safety of your website you should always backup your website.

Good companies who offer hosting services always backup your website but you never know when misfortune could hit. Maybe the data center of the hosting company is damaged because of flooding or power surge, your internal backups and the main website would both be lost in the process, but you would be safe if you take external website backups.

WordPress backup services such as CodeGuard or Blog Vault which could be of assistance here. These are automated backup services and the procedure of backup and restoring is made hassle free by them.

You could also use a plugin for this – Backup Creator or WordPress Backup to Dropbox are good choices although there are hundreds more which offer to provide you with backup service.

Relying completely on internal backups is not the solution if your website is compromised then the entire content can be deleted or altered which means an external backup is the safest.

Security Plugins

WordPress security tips

WordPress is frequently used by newbies who are not quite technical and would like to consider defending their site with a strong security solution which would take care of all the security measures. Besides scanning your WordPress site and patching the loopholes they also provide your site with firewall and keep a check on malicious files.

Here are some of the security plugins which could be of assistance to you.

One of the well-known plugins which is Wordfence Security which offers a firewall that blocks security threats, has mobile phone two-factor authentication login, scans for phishing attempts, malware, doesn’t take weak passwords, detects DDoS attacks, sends email notifications if there are failed login attempts and features several more features to keep your site secure.

The Acunetic WP Security plugin features some powerful functions which fortifies the defence system of your website. Besides checking admin area, theme files and strength of passwords you also get to monitor live traffic with this plugin. Features such as removing update notifications, PHP error report disabling and getting rid of WordPress version are some of the useful options which comes along with it.

Once of the most downloaded and popular security plugins is the iThemes Security. The plugin observes file changes and detects bots and sends notification to the user. It also checks for security threats, scans your entire site, repairs all damaged files and displays random version numbers users who are not administrators.

Having such security plugins will give you peace of mind as you know your website is safe from attackers.

Change WordPress Default Admin User

Normally, the default Admin user is “admin” during installation. Change the Admin user name will increase the security of website.

This is simple and instant. You need to select Create New User on the login page and enter your details – the username and the password of your choice. WordPress can give you the option of deleting the other user or assigning it to a different user. For those who have many posts that have been written by the old user, you can choose the latter and assign it to a different user with a different username and password.

If you have already installed WordPress and have been using it for some time, you can change WordPress default admin user simply in your site. This is for those who do not want to wander into the databases or find the database process complex. Login to Users and select Add New from your user account preferences. You now need to fill the information you need for a new account. Click Save Changes and you are good to go. You now need to log out and then log in with the new username to verify that it has already been created. Just like creating a new account during installation, you should delete the old account. Go to your WordPress admin and select User list. You can see the admin account that you should select and delete it.

Be Careful About Uploading

upload filesIt is unnecessary that you may need to upload something into your site, such as the images, music files, and movie files. Before uploading, you’d better figure out whether these files have carried the virus that will affect your site negatively. Even after downloading, you have to scan the whole site to check for the malicious data.

Use SSH instead of FTP

Both SSH and FTP are network protocol used for the data communication. However, FTP fails to achieve the same security level as SSH, for the FTP credentials are not encrypted. SSH, however, is totally different. It makes use of the latest advanced technologies and algorithm to ensure a safe data transforming environment.

Use SSL Certificate

SSL represents for Secure Socket Layer that sets up a safe channel between browsers and servers. It is used to certify the user and the server. Besides, it can ensure the security of transferring data by encrypting and hiding them. Considering search engine, such as Google, prefer website with SSL certificate, this is one of the basic feature you should apply to your WordPress nowadays.

Many web hosts (for example Bisend) offer free SSL certificate in its hosting package, however you could choose a paid SSL certificate which will give your visitors more confidence in the security of your site.

Some Common Preventive Actions

The security of the site depends on how you handle it on a daily basis. Your daily actions determine its safety and security. This can be further boosted if you follow some precautions such as WordPress security tips given below:

  • If you are uploading files to your website then a Secure FTP client should be used.
  • Avoid logging in to your website on networks that are not secured
  • Also avoid using your website from the computer of a cyber café to avoid people tracking your login details. Also if you are in public place ensure no one sees you entering your login details.
  • Don’t share your login details with people who are not trustworthy neither make anyone the editor for your website who you think are unreliable.
  • Installing a firewall on your system will give you an added protection.
  • Don’t let others upload files to your website as someone could upload malicious scripts.
  • If you suspect authors or editors doing something to harm your website then you can track their activities with plugins like Audit Trail.
  • Use anti-virus software’s like Avira, Norton or anyone which you find suitable for your system.
  • Don’t give access to website hosting area to just anyone.

Following these small precautions will help you keep your website safe.

Always Keep Your WordPress Updated

WordPress security tips

Updates are there for a reason and forgetting to update or purposely not updating is the biggest mistake that you can make. Every updated version comes with fixes and helps you fix all glitches and issues in the earlier version. Using an old version of WordPress will only make your site more vulnerable, giving an open invitation to the hackers. WordPress usually releases two versions in a year and can be easily distinguished as the updates come in increased numbers such as 4.0,4.1,4.2,4.4,4.5,4.6…. and so on. Every big update will give you added features and functions with which you can improve your website. With every big update follow smaller updates which are usually released to fix small issues or bugs which come up in these big updates. These smaller updates will be seen in numbers like 4.9.1, 4.9.2 … and so on. This is why neither the big nor the small updates should be ignored or left out.

Using the code below will let you be carefree while all the updates both major and minor are applied automatically. You need to add the code to your wp-config.php file:

1# Enable all core updates, including minor and major:

2 define( ‘WP_AUTO_UPDATE_CORE’, true );

While there are safety measures which are already in place to ensure that the website doesn’t break while an auto update is happening, there always remains a risk. There is only one reason to why a website would break after a major update is when you have plugins which are not consistently updated. Ensure that all the plugins that have been installed on your system are updated else a major update might break your WordPress site. This is also why some people prefer to handle the updates themselves. If you think auto updates could pose a problem you can disable all the auto-updates using the below code in your wp-config.php file:

1 # Disable all core updates:

2 define( ‘WP_AUTO_UPDATE_CORE’, false );

WordPress security tips

Besides these above WordPress security tips, you should also ensure that you take care of the installation settings. Small things kept in mind will help you to keep your website safe from the hackers and spammers. Whether your site is a small one or one which attracts huge traffic leave no loopholes in the security system.

Key Signs That Your WordPress Site Has Been Hacked

Across the globe, more than 130,000 WordPress sites are being attacked per minute. In below, we will show you the key signs that your WordPress site has been hacked.

1. Sudden Drop in Website Traffic

Google Analytics is a useful tool to check your traffic stats. When taking a close look at the reports, you may notice a sudden drop in traffic. In this case, an attention should be paid to your WordPress security.

Hacked WordPress - Sudden Traffic Drop

Malware and trojans prefer hijacking website traffic and redirecting it to spammy websites. However, there are some instances where logged in users won’t be redirected, which takes you a longer time to notice the malicious deeds.

Also, Google’s safe browsing tool can be the reason for the sudden drop in traffic. Users might be warned not to visit your website with a lack of security. It is recorded that almost 20,000 new websites are on the Google blacklists per week.

2. Inability to Login

The inability to log into dashboard is one of the key signs among hacked websites. This may be because you don’t know the changed passwords. Sometimes, hackers should be the sinners for the changed passwords.

Hacked WordPress - Inability to Login

Another reason may lie in the admin account which has been deleted from WordPress. Thus from the login page is no way to reset your password due to the non-existence account. In fact, adding an admin account can be possible with the use of phpMyAdmin or FTP client. However, you should also have a clear idea how your website has been hacked to avoid the reoccurrence of this situation.

3. Unwarranted Content

With the creation of a backdoor on your WordPress site, hackers will have access to your files and database. Then they have the ability to add following things to your WordPress site: such as, numerous invisible codes which can be detected by Google, bad links in the footer file or anywhere, and new bad content. But unwarranted content would be invisible so that you might know nothing about this for a while.

To solve the data infection, there is the need to find and fix the backdoor. After all, deleting the unwarranted content cannot protect your website from the repeated situation.

4. Defaced Homepage

Some intruders try to keep secret the fact that your WordPress site has been attacked. However, others love to announce that your website experienced an attack. Even, they will extort money from you to restore the normal function. One of the most obvious ways, hackers often think, is to deface your WordPress homepage.

Hacked WordPress - Defaced Homepage

5. Suspicious User Accounts

Hackers attacked your website are likely to create spam user accounts. With the support of user registration and without the use of any spam registration protection, you can easily delete suspicious user accounts like common spams. However, suspicious user accounts can be the signs to identify hacked WordPress sites if you don’t allow user registration.

During the process to fix this, you will have trouble deleting suspicious user accounts with the administrator user role.

6. Email Issues

Once attacked, your mail server will probably be the source of spam emails. Free email accounts are often a common feature with a WordPress web host. Therefore, most of you send WordPress emails via the mail server.

Hacked WordPress - Email Issues

When encountering the failure to send or receive WordPress emails, you can doubt whether your mail server has been attacked.

7. Incorrect Meta in Search Results

From your WordPress dashboard, everything seems to work as usual. Through the manual search to your website content, however, strange title and incorrect meta description will show on the search results. This could be because hackers have invited themselves into your website and injected malicious code into the backend. But the damage is only visible to search engines.

8. Slow and Unresponsive WordPress Site

On the internet, each website can be a victim of service attacks. With the use of fake ips, attackers either send too many requests or try to break into your WordPress site.

These activities will slow down your WordPress site and even make it unresponsive. Your server logs should be checked to find the suspicious ips and block them. Ips sending too many requests should draw your special attention.

Hacked WordPress - Slow Speed

There is also a great possibility that your WordPress site is just slow without being hacked. If so, you are advised to read our guidance on how to reduce server response time.

Wrap Up

Restoring a hacked website can be quite troublesome. With the goal to clean up your database, many detailed methods and tips are available from our guide on how to fix a hacked WordPress site in above.

How to Fix a Hacked WordPress Site

In this case your WordPress site has been hacked, here, we’d like to list some necessary steps when you find that you WordPress sites are hacked, along with some precaution tips against the online hackers.

Basic Things You Need to Do When WordPress Hacked

Once you make sure that your WordPress site is hacked, you’d better not to be panic but stay calm, carrying out the following steps in the very beginning.

Step 1: Inform the World of Your Hacking Issue

Hacking MessagePersonally, when your website is under hacking, you’d better tell your readers about the situation, so that they will not be misled by the wrong information or be negatively affected by some infected contents. Here, you can write out a warning message along with your contact method, and place it at the most obvious location of your webpage, such as the sidebar.

Besides the online readers, you also should pay attention to the search engines. Generally, when searching spiders find that your website is hacked, they will tag your site as a harmful one and down your ranking to some extent. Therefore, to avoid them finding the situation, you’d better turn off your site temporarily so that they will not browse your webpage until it is back to normal.

To make your site unavailable during some days, you can adopt the WP Maintenance Mode plugin, with which you can let both search engines and your visitors know that your website is down and is coming soon. Note that this kind of maintenance mood does not harm your SEO and previous traffic.

Step 2: Contact Your Web Hosting Provider

In fact, the vulnerabilities of hosting environment are more likely to cause the hacking issue, so you need to tell them that your website is hacked so that they can check and fix if the trouble is caused by their hosting solutions.

Also, many web hosts close your website automatically when some suspicious factors are observed. Therefore, you need to contact them to get your site up and running.

Step 3: Restore Your Backup Files

It is great if you have backed up your WordPress site just a few days ago, for you can get everything back to normal simply using the latest backup files. To do this, you can either use some WordPress plugins like BackupBuddy or the tool of phpMyAdmin.

Step 4: Figure Out the Latest Changes

This can happen if you use SSH access. Here, you can run some special commends to figure out which files are changed during the recent days. This practice is more likely to help you grab the virus placed by hackers.

For instance, you want to scan the changes during the last two days, you can use the following line.

Find/home/directoryname/domainname/ -mtime -2 -1s

Clean Up WordPress Manually

After finishing the first two steps as we have mentioned, you have to clean up your WordPress site manually if you have no backup files. This way can erase all the hacking components and make your site be running properly again. We have listed the critical steps in the following.

Backup Everything

No one can ensure that there will be nothing wrong during the cleanup process of WordPress, so you firstly need to have a backup copy of your hacked website; especially your textual files and images that are coming from you originally, for these components are hard to track after your site is fixed.

As for some zip files for themes, plugins and scripts, you are not forced to backup them. After all, you can download them again from the original source. However, you have to make sure that you haven’t made any changes on them.

Download and Install Fresh WordPress with the Latest Version

Now, you need to download and install WordPress with the latest version from This can make sure that all the files and folders are safe without bugging things. Here, do not choose to upgrade WordPress. This practice only replaces some core files, so you cannot make sure that the rest are risk-free, possibly leaving a backdoor to hackers.

Remove Everything in WP Directory

Now, you have all the files and data copied and stored in a safe place, so it’s time to delete everything in your WordPress root directory. This process can completely remove all the dangerous and infected components.

Personally, we recommend you to use File Manager in your control panel. We are not meaning that the utilization of FTP is wrong. This is just because FTP may cause you much time and you may encounter the disconnection issue with your server.

Delete Using File Manger

Upload Your Saved Copies

Next, you can upload everything you have previously downloaded and saved using either File Manger or FTP. Here, you cannot forget to rename your WordPress configuration file as it is named as wp-config-sample.php when you install a new version of WordPress from scratch. Also, do not forget to reset your password and username to close any backdoor for hackers to intrude your site again.

As everything is done, you can run your website to figure out whether there is anything still wrong.

General Hacking Reasons and Corresponding Solutions

Some of you may feel the process of cleanup is complicated and time-consuming, and only just want to repair your site from some hacking components. To be frank, no one knows which part of your site is hacked as a WordPress site is composed by dozens of files, folders and data. But generally, there are three reasons that are more likely to cause your site to be hacked. Therefore, once your site is under hacking, you can try to fix the following things in the very beginning.

Plugin Bugs

At present, even the official WordPress Plugin Directory offers more than 37,000 options of plugins, let alone the offerings from some third parties. This large demand allures many hackers to insert bugs into plugins, especially those free, open-source and non-official ones. As investigated by WPTemplate, 22% of WordPress sites are hacked by bad plugins.

In this case, once your site is hacked, you can firstly clear all your plugins installed on the website. You can do this using your backend admin, but to ensure that you will not leave one infected data left, we highly suggest you to locate to the directory named as “wp-content/plugins” and delete the entire directory in one time, but not some of its files and folders.

Theme Bugs

The same reason as plugins, the WordPress template is another common reason that leads to WordPress hacking issues. Therefore, you can carry out the same procedure as we have mentioned above and resort to the default WordPress themes that can be guaranteed completely bug-free.

Old Version of WordPress Core, Themes and Plugins

The developers of WordPress, your installed themes and plugins will constantly update the items. This is because everything has multiple loopholes. Once hackers find the vulnerabilities, the developers have to fix them and release the new version that is more secure.

However, some of you may forget to update them constantly, so hackers can easily enter your website from the public vulnerabilities. In this case, you can delete the themes and plugins if they are bug containers. Or, you can install a fresh new WordPress and import all your files and folders into it.

Future Hacking Preventions

To be frank, hackers can intrude your website via various channels, so it is impossible to list all the situations. When this happens, the best way is to cleanup your website unless you can find out the real “trouble-maker”. Thus, to avoid such an annoying situation, you’d better carry out a list of precautions to eliminate the possibility of hacking issues.

  • Keep everything up-to-date including WordPress version, plugins, themes and PHP scripts.
  • Regularly scan your local machines to avoid virus and malware.
  • Backup your website at least once a week and keep the backup files secretly.
  • Install special security plugins for WordPress website from the official directory.
  • Hide your WordPress version.
  • Use random and hard-to-remember username and password for admin.
  • Safeguard your WordPress configuration files and configure a login attempts.
  • Keep an eye on everything that is changed on your site using a file monitor plugin.

Leave a Reply

Your email address will not be published. Required fields are marked *