How to improve security on your own WordPress website.

Hi there,

Recently my website was hacked (a malicious code was inserted). I panicked and I hired a freelancer to fix it. Hi cleaned up files and a few days later the problem repeated again. Wordfence plugin scan found the same malicious files.

So, I started to dig into it to find a solution. Below you can find my suggestions on how to improve security. Please share yours to help others.

1. I added these lines of code in .htaccess to hide wp-config.php and .htaccess:

<Files wp-config.php>
order allow,deny
deny from all
</Files>
<Files .htaccess>
order allow,deny
deny from all
</Files>

Code (markup):

Disable file editing in wp-config.php by adding this line of code:

define('DISALLOW_FILE_EDIT', true);

Code (markup):

Just applying this three codes I prevented my website to be hacked.

 

PHP files by default aren't readable, although disabling file editing is a good idea. That way even if they have wp-admin they can't edit files though plugin/theme editor although if they were to download a plugin that can browse filetree, that would be pretty moot as well.

 

I also see this type of problem, I am professional web developer and designer.

you need to take WordPress security seriously. Here are 7 security step

1. customize the login page URL and even the page’s interaction
2. A lock-down feature for failed login attempts can solve a huge problem.
3. Implementing an SSL (Secure Socket Layer) certificate is one smart move to secure the admin panel.
   SSL ensures secure data transfer between user browsers and the server, making it difficult for hackers to breach the connection or spoof your info.
4. Change the WordPress database table prefix
5. Back up your site regularly
6. Set strong passwords for your database
7. Add the following to the wp-config.php file (at the very end):
   define('DISALLOW_FILE_EDIT', true);

M.K Gupta

 

These 2 plugins should bring great benefits for site reliability:

• WordFence - configure firewall, scans, failed login block, secure passwords
• WP Super Cache - configure cache for visitors to prevent bots/crawlers from hogging resources

Also see http://www.videochat-scripts.com/top-plugins-to-optimize-and-secure-wordpress/ .

 

Thanks for all your suggestions guys! My site was breached again. I restored my backup and I added a new security plugin Anti-Malware from GOTMLS.NET
After scanning public_html the plugin did a good job and found few malicious scripts that Wordfence Plugin did not.
These scripts might be leftover from the days before I implemented other security stuff.

Will share the results shortly.

 

Well... here's one thing: IF your site gets hacked, don't "fix" it. You disable it, you scrub it clean (and by that I mean you start over, get the hosting service to wipe your account, and set it up again), and then you upload a fresh version of the latest WordPress, and you add the minimum of plugins and theme you need, and remove every other theme that might linger. Then you check your DB-backup, for all the posts on the blog, and you go through that backup and check for exploits stored in the database. You also re-upload every single file you've used on the site - images, videos etc. THEN, you can start thinking about "upping the security" - when you're actually sure there is no malicious code left.

 

Well my blog too got attacks seeral times and at the end switched to default theme. The problem shows most time these hackers are just entering through themes and then database.
Please update us so we can too avoid from these serious attacks.

 

It’s lame to download pirated plugins anyway, but if you needed more of a deterrent than that, totally legitimate plugins are often corrupted with malware by the time they hit these illegal download sites.

 

Almost 2 months now and ALL good - site is clean to date.

 

The All In One WordPress Security plugin will take your website security:

• User Accounts Security
• User Login Security
• User Registration Security
• Database Security
• File System Security
• htaccess and wp-config.php File Backup and Restore
• Blacklist Functionality
• Firewall Functionality
• Security Scanner
• Comment SPAM Security

 

Use wordpress plugins and SSL Security
SSL is best option

 

Although the above suggestions work to stop KNOWN exploits of Turdpress, what about the UNKNOWN security holes that will eventually be found? Or eventually will be introduced in updated versions of Turdpress?

Just one more reason to write your own code instead of using Turdpress, Bootcrap, or any other Clusterf**k that has security holes so big that you could dump a mountain into.

 

Note: writing your own code is no guarantee against security exploits. Especially if you're a noob and clueless. There are plenty of security faults responsible for every major break-in / hack the last 10 years, and most of that is in-house developed code.

 

Even with writing your own code or secure coding and what not, you likely won't be able to spot all possible vulnerabilities. Also, the reason why you clean out your site first and start again is so your perimeter security can be deployed more effectively. After cleaning up, you raise the security of your site with some sort of intrusion detection and just focus on scrubbing incoming queries/traffic for malicious behavior. WAF can stop most web attacks and with how frequently my site gets brute forced and scanned for vulnerabilities (definitely by hackers), it's an essential part of any website set-up.

 

Also, don't forget to change the security strings in your wp-config.php after a compromise to invalidate any existing session cookies. A lot of people forget that bit and after paying for the cleanup find their site still harboring unwanted guests. You can find the secret key generator here and then paste the entire block in place of the existing values in your config.

 

Just a quick update, my site is STILL clean ;-)