Malicious hackers are always looking for ways into your WordPress site by exploiting vulnerabilities. Having your website hacked is a concern for all WordPress users and online business owners. Keep reading to see what you can do to help hackproof your WordPress website and the steps you can take if you get hacked.
A few years ago, we moved to this big old farmhouse on many acres. We knew there would take some work to get the house and the property in tip-top top shape. Security wasn’t our biggest concern at first since I had a big (rather friendly) chocolate lab that always had my back. But Rocco was the kind of dog who would bark at a stranger until they were close enough to lick them to death. I found that out the first time a stranger walked up to our door.
See, even though I grew up in the suburbs of Pittsburgh, I knew my neighbors, went to school with many of my community, and was actively involved in the neighborhood. But being in a strange place, I quickly realized that while most people meant well, some did not, and I did not know who was who. I set out to meet as many people as I could in my new normal.
Being proactive is the key to keeping things safe and secure while giving you peace of mind that you are protected enough from bad things.
With this three-step safety practice: Identity, Protect, and Recover, you can have peace of mind too.
1 – Identify Your Needs
The first thing you need to do to keep your WordPress website safe is to identify your asset needs. Your website has many pieces, including domains, hosting, themes, and plugins. Whether you are having your site developed by a WordPress designer or doing it yourself, these are items you’ll need before you can create your website.
Domain names are the way to our online space. Once you pick the perfect business name, you need a domain name to go with it that allows people to find you on the web easily.
To purchase a domain name, you are going to need to do that through a domain name registrar. They are companies that manage the domain names, and they have to be accredited by ICANN (Internet Corporation for Assigned Names and Numbers), a non-profit delegated the responsibility to manage the Domain Name System.
You want to watch out for a few things when registering your domain name, including pricing add-ons, transfer fees (because you may not want to stay with your original registrar forever), customer support, or auto-renew.
But we’re not talking about registering a domain name. We’re talking about security. So let’s discuss some best domain registration practices.
Register your domain name. I’ve seen some designers and developers who will register your domain name. The problem is that you won’t own complete access to the account. Not that every person who does this is shady, but think about what would happen if you part ways with this person. Will they give you access?
Protect your privacy. Your risk level rises when your personal information is available in the WHOIS database. By using private registration, you alleviate that risk because anyone searching WHOIS will see the name of your proxy service. Privacy protection also helps to prevent unwanted solicitation or spamming.
Going with a quality host for the obvious performance is always a good idea. But it’s an even better decision for the simple reason of security.
Your web hosting provider should be as invested as you in the security of your web space. Many of the top hosting accounts, such as Cloudways and WPEngine, offer applications and tools to keep your site running securely.
For the safest bet, here are some things you want to look for:
- Regular backups and restore points
- Performs regular network monitoring
- 24/7/365 phone or chat support
- Latest SSD hardware, including support for PHP7 and HTTP/s
- SSL, Firewall, and DDoS prevention
- Employs at least 128 but AES encryption
- Written policies in case of a breach
Once you choose your host, you want to be sure you can access the file system and database through SFTP, SSH, PHPMyAdmin, or cPanel.
You’ll also want to keep this information on hand as part of your web records. When working with a developer or maintenance provider, they’ll need access to keep your site in tip-top shape.
Every WordPress install comes with the default theme designed to work well with the framework version, but many people choose to replace it with one that is more tailored to their business needs. Making that choice is more than the theme being pretty; you need to be functional, well-coded, and kept up-to-date.
When picking a new theme or having a developer create a new theme for you, you’ll want to follow these best practices.
Find a reputable source. WordPress has an official Theme Directory, and a few good choices exist, including Kadence and Astra themes. But often, the developer will choose a premium theme, so you must read the reviews, support options, and terms thoroughly.
Run a security check. Themecheck.info is a service that lets you verify themes for security and code quality. Not only can you check the theme you are interested in using, but you can see others that users have uploaded. If your theme shows up green, you’re good to go.
Plugins are what add functionality to your WordPress site, and there are tons out there. If you add a shop or member area, you’re likely to add a plugin to achieve this. And you’ll likely need a plugin for SEO, social sharing, and even security.
The WordPress plugin directory is the starting point for most people. It has thousands of plugins available, which is great, but it can decide on the perfect plugin a little overwhelming. You also have choices from premium plugins (like Gravity Forms) that are not found in the repository.
When choosing a plugin, you need to ask yourself:
- Does the plugin have a large install base, usually found in the number of downloads?
- Are there user reviews and what is the average rating?
- Has the developer actively been supporting and updating the plugin?
- Does the vendor list terms of service or use?
- Which version of WordPress is it compatible with?
- What type of feedback or support questions is being asked?
- Will it enhance the user experience?
You want to stay away from older versions of a plugin or those that may not be compatible with the latest WordPress release. Performance is also a big consideration because a secure plugin doesn’t necessarily mean a fast plugin.
2 – Protect
Hackers usually exploit the vulnerabilities of your site, like weak passwords, easy-to-guess admin usernames, and outdated security in your theme or plugins. You can save yourself many worries with a few simple things you can do to maintain your site.
First, you should install a security plugin to help monitor activity and privacy controls on your WordPress website. Two of our favorites are iThemes Security (available in our maintenance package and Shield, a low-cost ($24/year) plugin. These plugins help you enable two-step authentication, provide brute force protection, monitor core file changes, and provide some user management options.
The security plugin is not designed to 100% guarantee full-proof security, but it does give you peace of mind and eyes on site.
Strong Login Credentials
Securing your WordPress site begins with making sure your credentials are not easy to guess. Never use admin, your site address, or other easy-to-guess names as your username. But even more important is using a strong password for your WordPress user accounts.
There are a lot of password tools available to you, including WordPress’s option, Secure Password Generator or LastPass also has a generate password feature, and you don’t need an account to do that. Try it out now. Try to make your password at least 12 characters long; the longer, the better.
You also want to consider using the multi-factor authentication that we mentioned above in the security plugin area. Multi-factor adds another layer like ticking a box, sending a text message, or adding in a word or code. The idea is that bots cannot do the second step since they auto-generate random usernames and passwords.
You need to keep your website updated with the WordPress framework, theme(s), and plugins. Running updates allows your files to include the most recent version, which usually provides security patches and fixes.
By default, every WordPress site has automatic updates enabled for minor core releases and translation files. It is possible to disable these automatic updates. Still, automatic updates for minor core releases are one of the best ways to guarantee your site stays up-to-date and secure moving forward. For that reason, disabling automatic updates is strongly discouraged.
Auto-updates don’t cover your theme or plugin, though, and that is why it’s crucial to regularly run the updates or have a maintenance plan in place so that you don’t have old files on the server.
Many people overlook the importance of SSL and HTTPS. Even Google changed their rules by marking sites without them unsafe in their search results. HTTPS is not reserved for e-commerce and online shops. The idea behind SSL is to protect your user’s information, including the details they provide on your contact forms.
SSL certificates can be obtained (and added) for free on most web hosts, and there are three types of certificates.
- Extended Validation (EV SSL) requires extended validation of the business. It validates domain ownership and organization information, plus the organization’s legal existence.
- Organization Validated (OV SSL) validates the domain ownership, plus organization information included in the certificate, such as name, city, state, and country.
- Domain Validated (DV SSL) validates the domain is registered, and someone with admin rights is aware of and approves the certificate request.
Appropriately installed SSL certificate will
- Safer, more secure data transfer between servers, with less chance of interception
- Gives you freedom from security warning messages
- Instantly secures your website and visitors
- Increased trust with customers
3 – Detection and Response
Brute-Force Login Attempts
Brute-force login attempts are automated scripts designed to exploit weak user credentials to gain access to your site. Monitoring for these attempts is critical, and you should have policies in place to help guard against them. You can do the following:
- Implement a lock-out policy that will lock someone out for a specified amount of time after some failed login attempts.
- Use a challenge-response test to prevent automated submissions of the login page, such as free reCAPTCHA.
- Enforce the use of strong passwords
- Monitoring and notification by your security plugin.
Malicious redirects create a backdoor into your WordPress installation using FTP, wp-admin, or other protocols to inject redirection codes into the website. Usually, this happens so that the hacker can use your site to generate advertising impressions.
Generally, the malicious WordPress redirect is detected through the site when a visitor is redirected to any other page instead of the page or website he requested. If hackers add any malicious script, it’s often named to look like a legitimate file, like that’s part of WordPress files on the website. A commonplace to hide these files is your uploads folder, but I’ve found them in the plugins folder, theme folders, and even the wp-includes core folder.
You’ll need to remove the malicious scripts that cause website redirection to abusive sites. If you’ve found you’ve been hit with the redirects, hiring a developer or WP clean-up service is best since these files can be well hidden.
You’ve done everything you can to prevent your WordPress site from being hacked. But things happen, and so do hacked sites. What to do when you think a hacker has hit your site?
Hiring a professional is my best piece of advice, but that might not be your first thought. Panic is usually it. It will save you time and heartache to let a professional tackle it from here because there are some things you need to do.
Run A Security Scan
A first step, and most times, it will come back positive, but not always. If you notice things are wonky, the first thing to do is stay calm. With proper backups, all is not lost, and it’s not the end of the world. There now, let’s move on.
Restore Your Backup
You have a backup of your site for additional protection when things go wrong. Nothing is more wrong than having your site hacked. The problem with backups is that you could be restoring a corrupt version if you don’t know when this happened. It’s a good idea to contact your host to see the last backup of your site. Often it’s a day or a week, but sometimes you get lucky, and they have an older version.
When running your site backups or having your maintenance provider run backups be sure that the following applies:
- Have both a database and full site backup of the files.
- The backup copies are reviewed to make sure there is no corruption of data
- Look at your site to make sure nothing is amiss.
- Keep the files off your server so that if something happens on the server end, you have your back files intact.
Remove Malicious Code
If a backup is unavailable or you aren’t sure that it is not corrupted, you’ll need to locate the hack to fix it. Part of the fix entails that you’ll need to find and remove all of the corrupt files. Start by asking yourself these four questions.
- Are you able to log in to your WordPress dashboard using wp-admin or wp-login?
- Is your website sending you to other websites?
- Does your website contain illegal links?
- Has Google pinged you and marked your website as insecure?
If you’ve answered yes to any of those, contact your host to help you find the files that are corrupt or ask them to restore your site to a point you know is good to go.
After removing the malicious files, you also need to reset your SALT keys, review your database, and update all passwords. I also recommend that you reinstall your WordPress core file for an extra layer of the fix.
Finding the files and folders and looking to see what also had been affected is not for the faint of heart, and it is my opinion that you need to stop and hire someone versed in hack removal.
Google is the most popular and top-ranking search engine, so getting blacklisted by them is a big deal. A blacklist means that you’ve been removed from the index or marked with a warning. If Google blacklists your website, it loses about 95% of its organic traffic. Whenever a user visits any blacklisted site, a warning message with a big red splash screen displays, warning you that trouble may be ahead.
If you find your website blacklisted by Google, you should follow these steps to remove your site from Google’s Blacklist or remove Google blacklist Warning.
To request a security issue review from Google:
- Navigate to the Security Issues tab in Search Console.
- Review the issues to confirm all the problems are addressed or cleaned.
- Check the box to confirm I have fixed these issues.
- Click Request a Review.
- Fill in the information with as much detail as possible about what steps were taken to clean the site.
Having a safety plan is the first step to good website help, but having a recovery plan will ensure you are back up and running in no time. Keeping hackers at bay may seem like a lot of work, but an experienced WordPress maintenance provider can take it off your plate and put it onto theirs.
What are you doing to keep hackers at bay on your WordPress website?