How to protect Wordpress from hacking?

Discussion in 'Content Management' started by Mr.Dog, Dec 1, 2018.

  1. #1
    Hi,
    I'm pretty much a beginner with Wordpress, but I've been coding sites for years.
    Once I made a small Wordpress site and it was hacked in a matter of days, content completely eliminated. Now I want to prevent this from happening.

    What can I do?

    What I first did when installing Wordpress was to change the "wp" folder to some strange name. As I know, hackers often go for the "wp" name.

    What other tips could you give me?
     
    Mr.Dog, Dec 1, 2018 IP
  2. CenTex Hosting

    CenTex Hosting Member

    #2
    Here are a few tips.

    1. Don't use a nulled theme.
    2. Use plugins from companies that have been around for some time.
    3. Keep Wordpress updated, as well as the plugins.
    4. Change the username to something other than "admin" and use a more secure password.
    5. Use a program like Wordfence to help block attempts at logging into your site.

    Hope this helps.
     
    CenTex Hosting, Dec 1, 2018 IP
  3. mmerlinn

    mmerlinn Notable Member

    #3
    No matter what you do, Turdpress CANNOT be made hack-proof. Too damn much UNTESTED bloated code involved for anyone to plug every hole.

    Since you have been coding sites for years, why are you migrating to something like Turdpress? Why not keep coding yourself where YOU have COMPLETE control over security?
     
    mmerlinn, Dec 1, 2018 IP
  4. Mr.Dog

    Mr.Dog Active Member

    #4
    I am moving to Wordpress to make things easier: post content faster, easier.

    I know about some limitations and disadvantages, but I just have to keep up with the trends. I also want to learn to master Wordpress.
     
    Mr.Dog, Dec 2, 2018 IP
  5. mmerlinn

    mmerlinn Notable Member

    #5
    Good luck. You will need it.

    I tried several different site "designers" years ago and finally got so frustrated with them that I went the opposite direction you are going, and have never regretted it. I wrote my own program to build and maintain my website. When I don't like something, or need to add a feature, I simply modify my program. My program will not do what Turdpress does and Turdpress cannot do what I need done.

    I typically add/modify 200 pages PER DAY for my website, something that NO off the shelf CMS can nor will ever do. Before I wrote my own program, I seldom could maintain even 5 pages per day. Now I can do 40 times as much in the same time.

    Basically I have TOTAL control with my program, so if an issue raises its ugly head, I can swat it, then go back to work taking care of my customers.

    If an issue arises in Turdpress, it often means spending HOURS trying to fix the problem, then once that problem is fixed, discovering that the fix created another problem needing to be fixed.

    You are a coder. As such I don't understand why you simply do not write your own website manager and leave the Turdpress bugs for others to swat.
     
    mmerlinn, Dec 2, 2018 IP
  6. service.komputer

    service.komputer Active Member

    #6
    - Disable user registration if you don't need it.
    - Put a login lockdown in place to prevent login brute force.
    - Use a well-known and secure hosting provider or server.
     
    service.komputer, Dec 2, 2018 IP
  7. dcristo

    dcristo Illustrious Member

    #7
    Wordfence is a great security plugin for WordPress.
     
    dcristo, Dec 2, 2018 IP
  8. webhost.uk.net

    webhost.uk.net Well-Known Member

    #8
    Most points are covered; just make sure to use CloudLinux to help improve server-side security.
     
    webhost.uk.net, Dec 3, 2018 IP
  9. Mr.Dog

    Mr.Dog Active Member

    #9
    I thought similarly, but I was coding every article manually and it was frustrating to write even a single article per day, let alone upload it via FTP.

    Then, responsive designs became popular and then more and more requirements and features appeared on the market.

    I saw amateurs (who had no idea of online marketing or SEO) pass me by with their "install 'n' publish" Wordpress sites. They cosmetized them along the way and they do a heck-of-a-lot more than I did in a lot less time. It took them 3 weeks to do what I needed 3 months for.

    Then it became obvious I needed some automation (yes, I disliked Wordpress a lot and specifically avoided it; that is why I coded by hand).

    I need to swap for Wordpress CMS, because:
    - I just post 'n' it's up! (no long coding for 6+ hours to publish 3-5 articles per day), an article can be done in 15-45 minutes (mine are rather complex with a bunch of images)
    - I can program posts for weeks in advance (the system keeps posting even while I'm away or busy)
    - a few modifications can propagate to the entire site...
    - creating responsive sites is easier
    - etc.

    But yes, I know a plethora of limitations apply, it's easier to hack etc. etc. :( Well, I guess I have to adapt and work something out for that.

    The negative aspect of this all is that besides trying Wordpress about 9 years ago, I haven't been on the platform ever since and moving a 500+ page complex site with its own arborescent structure without ruining the original pages/extensions is... well,... not easy.
     
    Mr.Dog, Dec 3, 2018 IP
  10. OpenScribes

    OpenScribes Active Member

    #10
    Don't make your config.php world readable
     
    OpenScribes, Dec 21, 2018 IP
  11. Mr.Dog

    Mr.Dog Active Member

    #11
    Where is that file? What does it do and how do I block it from being readable?
     
    Mr.Dog, Jan 2, 2019 IP
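The file post #10 is talking about is wp-config.php. WordPress looks for it in the install root, or one directory above the root, and it holds the database credentials and the authentication salts, so anybody who can read it (another customer on a shared host whose PHP runs as a shared web-server user, for instance) can take over the database and forge login cookies. The script below is an added example, not code from the thread: a POSIX shell function that locates the file, reports whether the "other" read bit is set, tightens the mode, and appends an Apache 2.4 rule so the file is never served raw if the PHP handler is ever misconfigured. The demo install it creates is constructed. The target mode of 640 is an assumption: use 600 when PHP runs as the file's owner (suPHP or a per-user PHP-FPM pool), and keep group read only when the web server is in the file's group.

```shell
#!/bin/sh
# Added example (not from the thread): find wp-config.php, check and fix
# its permissions, and deny direct requests for it in .htaccess.

# Portable octal mode: GNU stat first, BSD/macOS stat as the fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage: find_wp_config INSTALL_DIR -> prints the path, or fails.
# WordPress accepts the file in the root or one level above it.
find_wp_config() {
    for f in "$1/wp-config.php" "$1/../wp-config.php"; do
        [ -f "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}

# Usage: world_readable FILE -> exit 0 if "other" has read permission.
world_readable() {
    m=$(mode_of "$1")
    o=${m#"${m%?}"}          # last octal digit = "other" triplet
    [ $(( o & 4 )) -ne 0 ]   # 4 is the read bit
}

# Usage: harden_wp_config INSTALL_DIR [MODE]
# Sets MODE (default 640, an assumption; see the lead-in), appends the
# deny rule once, and prints the resulting mode.
harden_wp_config() {
    cfg=$(find_wp_config "$1") || { echo "no wp-config.php under $1" >&2; return 1; }
    chmod "${2:-640}" "$cfg"
    ht="$1/.htaccess"
    if ! grep -q 'wp-config.php' "$ht" 2>/dev/null; then
        cat >> "$ht" <<'EOF'
# deny direct requests for the config file even if the PHP handler breaks
<Files "wp-config.php">
  Require all denied
</Files>
EOF
    fi
    mode_of "$cfg"
}

# Constructed demo install with the common insecure default mode (644).
make_demo_install() {
    d="${TMPDIR:-/tmp}/wp-demo.$$"
    mkdir -p "$d"
    printf '%s\n' "<?php define('DB_PASSWORD', 'demo-secret');" > "$d/wp-config.php"
    chmod 644 "$d/wp-config.php"
    printf '%s\n' "$d"
}

D=$(make_demo_install)
world_readable "$D/wp-config.php" && echo "before: world readable ($(mode_of "$D/wp-config.php"))"
harden_wp_config "$D"
world_readable "$D/wp-config.php" || echo "after: not world readable ($(mode_of "$D/wp-config.php"))"
rm -rf "$D"
```

Run it against a real install as `harden_wp_config /path/to/wordpress`. The `<Files>` rule is belt-and-braces: a working PHP handler executes the file and returns nothing, but the rule still matters on a host that serves .php as text after an upgrade or misconfiguration.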
  12. Suckerpunch

    Suckerpunch Well-Known Member

    #12
    Suckerpunch, Jan 2, 2019 IP
  13. MilesWeb

    MilesWeb Well-Known Member

    #13
    Below are some tips to prevent your WordPress website from being hacked:
    Change your username and password: Avoid using "admin" as your username; instead use an unrelated username or something that you will remember. For the password, pick a short sentence, take the initials of its words, and mix and match those with numbers and symbols.
    Create a website lockdown and ban users: You can create a lock for your website which will keep outsiders away after failed login attempts. In simple terms, if a hacker tries to log in to the website with wrong passwords, your site will get locked and you will receive a notification about it.
    Use email for log-in: You should use an email address for log-in, as those can't be identified as easily as usernames.
    Protect your wp-admin directory: The wp-admin directory is the main part of your WordPress website, so make sure you password-protect it.
    Take website backups regularly: It is important that you take backups of your website regularly so that even if there is an issue you will have a backup to fall back on.
     
    MilesWeb, Jan 10, 2019 IP
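Posts #6 and #13 both describe a login lockdown: count failed logins per client and block the client once it passes a threshold. The script below is an added example, not code from the thread or from any plugin named in it. It does the counting offline over a combined-format access log (the format Apache and nginx write by default) and prints the Apache 2.4 .htaccess block that would deny the offenders wp-login.php. It counts POSTs to both wp-login.php and xmlrpc.php, because the XML-RPC endpoint accepts the same credentials and is where brute-force tools go once wp-login.php is rate-limited. The log lines are constructed for the demo, and the default threshold of five is an arbitrary assumption; a real lockdown would also window the count by time and expire the bans.

```shell
#!/bin/sh
# Added example (not from the thread): find login brute-force sources in a
# combined-format access log and emit the .htaccess block that bans them.

# Constructed log: five bad-password POSTs from 203.0.113.7, three from
# 198.51.100.9 (two via wp-login.php, one via xmlrpc.php), and one real
# user from 192.0.2.10 whose POST is answered 302. WordPress redirects on
# success and re-renders the form with 200 on failure, so a POST that is
# not a 302 is a failed attempt.
SAMPLE_LOG='203.0.113.7 - - [01/Dec/2018:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Dec/2018:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Dec/2018:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Dec/2018:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Dec/2018:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Dec/2018:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.20"
198.51.100.9 - - [01/Dec/2018:10:01:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.20"
198.51.100.9 - - [01/Dec/2018:10:01:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.20"
192.0.2.10 - - [01/Dec/2018:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3200 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Dec/2018:10:02:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.10 - - [01/Dec/2018:10:02:06 +0000] "GET /wp-admin/ HTTP/1.1" 200 15000 "-" "Mozilla/5.0"'

# Write the constructed log to a temp file and print its path.
make_sample_log() {
    f="${TMPDIR:-/tmp}/wp-login-sample.$$.log"
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    printf '%s\n' "$f"
}

# Usage: wp_login_offenders LOGFILE [THRESHOLD]
# Prints "count ip", highest first, for each client that POSTed to
# wp-login.php or xmlrpc.php at least THRESHOLD times without ever
# receiving the 302 that marks accepted credentials.
wp_login_offenders() {
    awk -v thr="${2:-5}" '
        $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) && $9 != "302" { n[$1]++ }
        END { for (ip in n) if (n[ip] >= thr) print n[ip], ip }
    ' "$1" | sort -rn
}

# Usage: deny_rules LOGFILE [THRESHOLD]
# Emits an Apache 2.4 <Files> block that keeps the offenders off the login form.
deny_rules() {
    printf '<Files "wp-login.php">\n  <RequireAll>\n    Require all granted\n'
    wp_login_offenders "$1" "$2" | awk '{ print "    Require not ip " $2 }'
    printf '  </RequireAll>\n</Files>\n'
}

LOG=$(make_sample_log)
wp_login_offenders "$LOG" 3
deny_rules "$LOG" 3
rm -f "$LOG"
```

Point it at the real log with `wp_login_offenders /var/log/apache2/access.log 10` and review the list before pasting the block into .htaccess; a shared NAT or a corporate proxy can look like one noisy client.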
  14. sathikdm

    sathikdm Member

    #14
    1. Never Use Nulled Themes & Plugins
    2. Keep Your WordPress Updated
    3. Remove the Plugins not updated for a longtime
    4. Use Plugins & Themes after checking the Ratings, Reviews & Installation Count
    5. Use Different Usernames like A-dmin
    6. Use CloudFlare
    7. Use Strong Passwords like NAME#web$156% or Generated Passwords
    8. Don't use the same username & password on the websites you are going to register as a user
     
    sathikdm, Jan 10, 2019 IP
  15. thatJRyan

    thatJRyan Peon

    #15
    Hi mate, the most secure action you should take, prior to seeking any other security methods, is taking regular backups of your site (preferably offsite backups). It's also the easiest and most cost-efficient way to make sure your site is on the safe side.
    Shamelessly, I would recommend that you give my backup plugin, WPvivid Backup/Restore, a try. It's fully featured and super easy to use. And most importantly, it's completely free (free updates and support). You can find it in the WordPress plugin repository: https://wordpress.org/plugins/wpvivid-backuprestore/
    I hope you'll find it helpful.
     
    thatJRyan, Jan 17, 2019 IP
  16. AttaboyRoi

    AttaboyRoi Member

    #16
    Everyone covered just about everything. I'll add that vulnerability scanning is another method. If you keep the core and plugins updated with security plugins blocking attackers then scanning will be insurance. For the people that built their own sites, XSS is pretty easy to overlook without constant scanning.
     
    AttaboyRoi, Mar 1, 2019 IP
  17. RomanEpo

    RomanEpo Active Member

    #17
    Lots of security tips have been mentioned; I'm just adding the ones that are still not mentioned.
    Disable wp-login
    Disable directory browsing
    Use plugin file change restrictions
    Use security code in .htaccess
    Run a security scan and correct files with errors.
     
    RomanEpo, Mar 4, 2019 IP
  18. Salman Saleem

    Salman Saleem Greenhorn

    #18
    I will go into detail about this.
    To protect your site there are two levels:
    Application Level & Server Level
    If a person somehow gains access to the WordPress application by content injection or SQL injection, then he can mess with the application at the application level, not at the server level. This means he can't delete the server data (that is, the WordPress application), but he can delete media, posts and pages. To counter this level, I have used iThemes Security because of its brute-force protection, IP blacklist, 2FA, session hijacking protection and many more good features. It can also change the login URL, which can be good for security.
    If you implement security at the server level, that can be by:
    implementing SSL, which can secure websites from attacks (Cloudflare is doing great work in this)
    implementing mod_security rules that can protect from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts
     
    Salman Saleem, Mar 7, 2019 IP
  19. PASnow

    PASnow Greenhorn

    #19
    Anyone have experience with either the Wordfence or Sucuri Security plugins? I'm not too savvy on the cPanel/server-side aspect of hosting, though I have my own shared hosting account. I'd prefer to have plug-and-play security software handle it, without 'Malicious Malware Detected' emails coming through and me resorting to a backup (because how will I know the malware isn't in the backup too?)

    Anyway, are they worth it & accurate, even if a paid version, for the peace of mind?

    Alternatively, are there any methods via most larger hosting companies (GD, Hostgator etc) or in CPanel that could address this internally, or would a 3rd party plugin be needed?
     
    Last edited: Mar 18, 2019
    PASnow, Mar 18, 2019 IP
  20. AttaboyRoi

    AttaboyRoi Member

    #20
    @PASnow I use the free versions of both Wordfence and Sucuri. The reason I use multiple free versions is that Sucuri doesn't offer a firewall unless you pay. Sucuri also doesn't have a central management feature, which is not a deal breaker unless you manage multiple sites. Wordfence does offer a free central management dashboard, which is nice. In my case Wordfence covers the firewall while Sucuri covers changes to the file system. They both overlap in many areas, but I just disable the redundancy. I trust both plugins for what I have them set up for, such as notifications when a post changes, admin log-ins, or when a core file is changed.

    I also started testing WP Cerber, which I found very clean and useful; however, it's not ready to replace Sucuri. I'm also working with WPScan, which shows plugin vulnerabilities, a very nice feature, but you have to register for an API key.

    The bottom line is I feel safe with Wordfence, Sucuri, and WPScan. I'm sure there is a speed hit, but I'd rather have full coverage.
     
    AttaboyRoi, Mar 18, 2019 IP
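Posts #14, #16 and #20 all come down to knowing exactly what is installed: stale plugins to remove, and versions to check against a vulnerability database such as the one WPScan queries. The script below is an added example, not code from the thread or from WPScan. It reads the version WordPress records in wp-includes/version.php and the "Plugin Name" and "Version" header fields WordPress itself parses from each plugin's main file, and it flags any directory or .php file under wp-content/plugins that carries no plugin header at all, which is either debris from a half-deleted plugin or a file somebody dropped there. The demo install it builds is constructed and every version in it is made up.

```shell
#!/bin/sh
# Added example (not from the thread): offline inventory of WordPress core
# and plugin versions, plus unexplained files in the plugins directory.

# Usage: wp_core_version INSTALL_DIR -> the $wp_version string, or nothing.
wp_core_version() {
    grep '^\$wp_version' "$1/wp-includes/version.php" 2>/dev/null \
        | sed "s/^[^']*'\([^']*\)'.*/\1/"
}

# Usage: header_field FILE FIELD -> value of "FIELD: value" from the plugin
# header comment (leading " * " or "#" allowed, trailing spaces trimmed).
header_field() {
    sed -n 's/^[[:space:]*#]*'"$2"':[[:space:]]*\(.*\)$/\1/p' "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Usage: plugin_inventory INSTALL_DIR
# One line per entry in wp-content/plugins: "slug<TAB>name<TAB>version".
# Entries without a "Plugin Name:" header are reported, not skipped.
plugin_inventory() {
    for entry in "$1"/wp-content/plugins/*; do
        [ -e "$entry" ] || continue
        main=""
        if [ -d "$entry" ]; then
            slug=$(basename "$entry")
            for php in "$entry"/*.php; do
                [ -f "$php" ] || continue
                if grep -q '^[[:space:]*#]*Plugin Name:' "$php"; then main="$php"; break; fi
            done
        else
            case "$entry" in
                *.php) slug=$(basename "$entry" .php)
                       if grep -q '^[[:space:]*#]*Plugin Name:' "$entry"; then main="$entry"; fi ;;
                *) continue ;;
            esac
        fi
        if [ -z "$main" ]; then
            printf '%s\t%s\t%s\n' "$slug" "(no plugin header)" "unknown"
            continue
        fi
        name=$(header_field "$main" "Plugin Name")
        ver=$(header_field "$main" "Version")
        [ -n "$name" ] || name="(unnamed)"
        printf '%s\t%s\t%s\n' "$slug" "$name" "${ver:-unknown}"
    done | sort
}

# Usage: wp_inventory INSTALL_DIR -> core line followed by the plugin lines.
wp_inventory() {
    v=$(wp_core_version "$1")
    printf 'core\tWordPress\t%s\n' "${v:-unknown}"
    plugin_inventory "$1"
}

# Constructed demo install: one plugin with a version, one without, one
# single-file plugin, the stock index.php placeholder, and a directory
# left behind after its main file was deleted.
make_demo_install() {
    d="${TMPDIR:-/tmp}/wp-inv-demo.$$"
    mkdir -p "$d/wp-includes" "$d/wp-content/plugins/demo-seo" \
             "$d/wp-content/plugins/old-gallery" "$d/wp-content/plugins/leftover-dir"
    printf '%s\n' '<?php' "\$wp_version = '5.0.1';" > "$d/wp-includes/version.php"
    printf '%s\n' '<?php' '/**' ' * Plugin Name: Demo SEO' ' * Version:     2.3.0' ' */' \
        > "$d/wp-content/plugins/demo-seo/demo-seo.php"
    printf '%s\n' '<?php' '/*' 'Plugin Name: Old Gallery' 'Description: no version header at all' '*/' \
        > "$d/wp-content/plugins/old-gallery/old-gallery.php"
    printf '%s\n' '<?php' '/*' 'Plugin Name: Hello' 'Version: 1.0' '*/' > "$d/wp-content/plugins/hello.php"
    printf '%s\n' '<?php // Silence is golden.' > "$d/wp-content/plugins/index.php"
    printf '%s\n' 'stale readme, main file deleted' > "$d/wp-content/plugins/leftover-dir/readme.txt"
    printf '%s\n' "$d"
}

D=$(make_demo_install)
wp_inventory "$D"
rm -rf "$D"
```

Run `wp_inventory /path/to/wordpress` on the live site and feed the slug/version pairs to whatever vulnerability lookup you use; the "(no plugin header)" lines deserve a look by hand, since the stock index.php placeholder is expected but any other header-less .php file in that directory is not.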