1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

How to improve security on your own WordPress website.

Discussion in 'Programming' started by JayLee1, Nov 21, 2016.

  1. #1
    Hi there,

    Recently my website was hacked (a malicious code was inserted). I panicked and I hired a freelancer to fix it. Hi cleaned up files and a few days later the problem repeated again. Wordfence plugin scan found the same malicious files.

    So, I started to dig into it to find a solution. Below you can find my suggestions on how to improve security. Please share yours to help others.

    1. I added these lines of code in .htaccess to hide wp-config.php and .htaccess:

    <Files wp-config.php>
    order allow,deny
    deny from all
    </Files>
    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>
    
    Code (markup):
    Disable file editing in wp-config.php by adding this line of code:

    define('DISALLOW_FILE_EDIT', true);
    
    Code (markup):
    Just applying this three codes I prevented my website to be hacked.
    SEMrush
     
    JayLee1, Nov 21, 2016 IP
    SEMrush
  2. Einheijar

    Einheijar Well-Known Member

    Messages:
    537
    Likes Received:
    13
    Best Answers:
    3
    Trophy Points:
    115
    #2
    PHP files by default aren't readable, although disabling file editing is a good idea. That way even if they have wp-admin they can't edit files though plugin/theme editor although if they were to download a plugin that can browse filetree, that would be pretty moot as well.
     
    Einheijar, Nov 21, 2016 IP
  3. expertlook

    expertlook Greenhorn

    Messages:
    5
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    21
    #3
    I also see this type of problem, I am professional web developer and designer.

    you need to take WordPress security seriously. Here are 7 security step

    1. customize the login page URL and even the page’s interaction
    2. A lock-down feature for failed login attempts can solve a huge problem.
    3. Implementing an SSL (Secure Socket Layer) certificate is one smart move to secure the admin panel.
      SSL ensures secure data transfer between user browsers and the server, making it difficult for hackers to breach the connection or spoof your info.
    4. Change the WordPress database table prefix
    5. Back up your site regularly
    6. Set strong passwords for your database
    7. Add the following to the wp-config.php file (at the very end):
      define('DISALLOW_FILE_EDIT', true);

    M.K Gupta
     
    Last edited by a moderator: Nov 30, 2016
    expertlook, Nov 22, 2016 IP
  4. VideoWhisper.com

    VideoWhisper.com Well-Known Member Premium Member

    Messages:
    331
    Likes Received:
    6
    Best Answers:
    2
    Trophy Points:
    113
    Digital Goods:
    2
    #4
    VideoWhisper.com, Nov 22, 2016 IP
  5. JayLee1

    JayLee1 Greenhorn

    Messages:
    15
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    21
    #5
    Thanks for all your suggestions guys! My site was breached again. I restored my backup and I added a new security plugin Anti-Malware from GOTMLS.NET
    After scanning public_html the plugin did a good job and found few malicious scripts that Wordfence Plugin did not.
    These scripts might be leftover from the days before I implemented other security stuff.

    Will share the results shortly.
     
    JayLee1, Nov 23, 2016 IP
  6. PoPSiCLe

    PoPSiCLe Illustrious Member

    Messages:
    4,623
    Likes Received:
    725
    Best Answers:
    152
    Trophy Points:
    470
    #6
    Well... here's one thing: IF your site gets hacked, don't "fix" it. You disable it, you scrub it clean (and by that I mean you start over, get the hosting service to wipe your account, and set it up again), and then you upload a fresh version of the latest WordPress, and you add the minimum of plugins and theme you need, and remove every other theme that might linger. Then you check your DB-backup, for all the posts on the blog, and you go through that backup and check for exploits stored in the database. You also re-upload every single file you've used on the site - images, videos etc. THEN, you can start thinking about "upping the security" - when you're actually sure there is no malicious code left.
     
    PoPSiCLe, Nov 23, 2016 IP
    WebGeek182 and sarahk like this.
  7. bbharath

    bbharath Well-Known Member

    Messages:
    260
    Likes Received:
    8
    Best Answers:
    0
    Trophy Points:
    108
    #7
    Well my blog too got attacks seeral times and at the end switched to default theme. The problem shows most time these hackers are just entering through themes and then database.
    Please update us so we can too avoid from these serious attacks.
     
    bbharath, Dec 7, 2016 IP
  8. karen9999

    karen9999 Active Member

    Messages:
    278
    Likes Received:
    10
    Best Answers:
    0
    Trophy Points:
    78
    #8
    It’s lame to download pirated plugins anyway, but if you needed more of a deterrent than that, totally legitimate plugins are often corrupted with malware by the time they hit these illegal download sites.
     
    karen9999, Dec 7, 2016 IP
  9. JayLee1

    JayLee1 Greenhorn

    Messages:
    15
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    21
    #9
    Almost 2 months now and ALL good - site is clean to date.
     
    JayLee1, Dec 11, 2016 IP
  10. anhnt1289

    anhnt1289 Peon

    Messages:
    1
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    1
    #10
    The All In One WordPress Security plugin will take your website security:
    • User Accounts Security
    • User Login Security
    • User Registration Security
    • Database Security
    • File System Security
    • htaccess and wp-config.php File Backup and Restore
    • Blacklist Functionality
    • Firewall Functionality
    • Security Scanner
    • Comment SPAM Security
     
    anhnt1289, Dec 12, 2016 IP
  11. avvntech

    avvntech Greenhorn

    Messages:
    1
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    21
    #11
    Use wordpress plugins and SSL Security
    SSL is best option
     
    avvntech, Dec 12, 2016 IP
  12. mmerlinn

    mmerlinn Prominent Member

    Messages:
    2,627
    Likes Received:
    537
    Best Answers:
    6
    Trophy Points:
    320
    #12
    Although the above suggestions work to stop KNOWN exploits of Turdpress, what about the UNKNOWN security holes that will eventually be found? Or eventually will be introduced in updated versions of Turdpress?

    Just one more reason to write your own code instead of using Turdpress, Bootcrap, or any other Clusterf**k that has security holes so big that you could dump a mountain into.
     
    mmerlinn, Dec 16, 2016 IP
  13. PoPSiCLe

    PoPSiCLe Illustrious Member

    Messages:
    4,623
    Likes Received:
    725
    Best Answers:
    152
    Trophy Points:
    470
    #13
    Note: writing your own code is no guarantee against security exploits. Especially if you're a noob and clueless. There are plenty of security faults responsible for every major break-in / hack the last 10 years, and most of that is in-house developed code.
     
    PoPSiCLe, Dec 18, 2016 IP
    WebGeek182 likes this.
  14. Karly_C

    Karly_C Peon

    Messages:
    18
    Likes Received:
    2
    Best Answers:
    0
    Trophy Points:
    3
    #14
    Even with writing your own code or secure coding and what not, you likely won't be able to spot all possible vulnerabilities. Also, the reason why you clean out your site first and start again is so your perimeter security can be deployed more effectively. After cleaning up, you raise the security of your site with some sort of intrusion detection and just focus on scrubbing incoming queries/traffic for malicious behavior. WAF can stop most web attacks and with how frequently my site gets brute forced and scanned for vulnerabilities (definitely by hackers), it's an essential part of any website set-up.
     
    Karly_C, Dec 19, 2016 IP
  15. freelancewebaz

    freelancewebaz Well-Known Member

    Messages:
    976
    Likes Received:
    23
    Best Answers:
    1
    Trophy Points:
    145
    #15
    Also, don't forget to change the security strings in your wp-config.php after a compromise to invalidate any existing session cookies. A lot of people forget that bit and after paying for the cleanup find their site still harboring unwanted guests. You can find the secret key generator here and then paste the entire block in place of the existing values in your config.
     
    freelancewebaz, Dec 27, 2016 IP
  16. JayLee1

    JayLee1 Greenhorn

    Messages:
    15
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    21
    #16
    Just a quick update, my site is STILL clean ;-)
     
    JayLee1, Jan 2, 2017 IP