WordPress Security
All you need to know about WordPress security and how to keep hackers out of your site :)
There is no doubt that WordPress is one of the best platforms out there to build a website.
It’s very flexible, has an insane number of themes and plugins for pretty much EVERYTHING, is budget-friendly for the most part, and is backed by great page builders and state-of-the-art SEO frameworks.
Security-wise, it requires a bit of work to make it a stronghold.
We explore here all essential security practices to help you secure WordPress the right way.
Super Important
There is no miracle :) if you want your website to be as secure as possible, there are a couple of things you need to be open to doing. Mainly:
- Put some effort into the recommended methods.
- Build your knowledge to be able to do advanced security.
- Invest in tools to help you get the job done.
- Hire professional help if getting to the next level of WordPress security proves to be challenging.
Part of improving security might include:
- Adapting or changing some code to fix specific security issues.
- Possibly changing themes/plugins if the ones in use are known to have security flaws.
- Adding DNS-level security.
- Possibly changing hosting or DNS services if there is concrete evidence that they might compromise the site’s security.
Without further ado, I will leave you to it :)
Your WordPress security journey starts here!
Get to know hacking #
Hosting #
Why is hosting targeted? #
Probably the least cared-about entry point, and the easiest to exploit.
WordPress hosting services put security front and center in their sales pitch. Unfortunately, there is an enormous gap between the sweet talk and what is done in the real world.
When a website gets hacked, hosting services usually blame the site owner for not securing it enough. They even try to sell their “hack cleaning and fixing” services on top.
What if you did your fair share to secure your WP and still get hacked?
Well, they will still blame you for that too.
Shared hosting #
Shared hosting is the most vulnerable.
A shared hosting service provider will always favor the number of hosted sites on the same box over security.
You will most likely find oldish setups, archaic server architecture, and poorly protected and isolated individual plans.
The nasty thing about shared hosting is that hackers can discover other hosted websites within the same server.
If one of them is compromised, chances are that most of the other websites hosted on the same server might fall too, leading to a large-scale hack through cross-site contamination.
90% of the websites I fix are hosted on shared hosting plans. And more often than not, all websites within the same plan get contaminated too.
Unmanaged VPS #
New users to unmanaged VPS plans (like Digital Ocean or Vultr) tend to forget that their node or instances need to be manually secured.
They probably assume it’s done out of the box, which is not the case.
Unmanaged VPS services are a good deal from the price/performance standpoint, but it’s still a bare server that needs to be set up and fully secured.
Following tutorials without knowing Linux security fundamentals might put your VPS in jeopardy, and the worst part is, you may not realize it until it’s too late.
Fortunately, there are tools like RunCloud that help you manage a VPS without worrying about security. They sit on top of your VPS operating system and issue all the technical commands and security fixes for you.
Managed hosting service #
By far the least risky of the lot.
They are still vulnerable to getting hacked depending on their architecture (shared or isolated).
But this time around, you won’t be blamed for it!
When using managed WordPress hosting, security is usually the service provider’s problem.
So, it is the service provider’s duty to keep your website safe and to fix it if the worst happens.
How to stay safe? #
Protect your WordPress files from unauthorized access by setting the right permissions on your WP files (644) and folders (755).
Make sure that access to phpMyAdmin is only possible from within your hosting dashboard.
Avoid at all costs any hosting service that points define('DB_HOST', ''); in your wp-config.php file to an IP address or domain name.
The value 'localhost' usually means the database is only accessible from inside the web server.
Rely on your cPanel (or equivalent) file manager.
If you need FTP access, activate it, use it, and make sure to deactivate it and delete your FTP credentials once done.
Ideally, use Dropbox to handle your file access (only possible if you use an unmanaged VPS).
If you use a VPS and did the setup on your own, either dig deeper and learn how to secure Linux servers or hire someone to do it in your stead. It’s usually a one-time gig.
Always check reviews about the security of your hosting service. Spending a few hours searching for information will save you from disappointment, and might spare you from getting hacked.
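The permission and DB_HOST rules above are easy to check mechanically. The script below is an added example, not from the original article: it reports files that are not 644, folders that are not 755, and a DB_HOST pointing anywhere but the local machine, and returns the number of findings so it can run from cron. The sample tree it builds is constructed for the demonstration, and allowing wp-config.php to be stricter than 644 (640 or 600) is my addition to the article's rule.

```shell
#!/bin/bash
# Added example: audit a WordPress tree against the hosting rules described above.
# Findings are printed to stderr, one per line; the return value is the number of
# findings (0 means clean), so the script can be used from cron or a CI check.

# Read paths on stdin, print each one with a label, and echo how many there were.
report() {
    local label="$1" count=0 path
    while IFS= read -r path; do
        echo "$label: $path" >&2
        count=$((count + 1))
    done
    echo "$count"
}

# Usage: audit_wp_tree /path/to/wordpress
audit_wp_tree() {
    local root="$1" findings=0 n host cfg="$1/wp-config.php"

    # Files should be 644; wp-config.php may be tighter (640/600) since it holds credentials.
    n=$(find "$root" -type f ! -name wp-config.php ! -perm 644 | report "file not 644")
    findings=$((findings + n))
    n=$(find "$root" -maxdepth 1 -name wp-config.php ! -perm 644 ! -perm 640 ! -perm 600 |
        report "wp-config.php too permissive")
    findings=$((findings + n))

    # Folders should be 755: readable and traversable by all, writable only by the owner.
    n=$(find "$root" -type d ! -perm 755 | report "dir not 755")
    findings=$((findings + n))

    # DB_HOST: 'localhost' (or the loopback address) keeps the database reachable
    # only from the web server itself; an IP or domain name means it is exposed.
    host=$(sed -n "s/^[[:space:]]*define([[:space:]]*['\"]DB_HOST['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$cfg" 2>/dev/null | head -n 1)
    case "$host" in
        localhost|localhost:*|127.0.0.1|127.0.0.1:*) ;;
        "") echo "DB_HOST not found in $cfg" >&2; findings=$((findings + 1)) ;;
        *)  echo "DB_HOST points outside the server: $host" >&2; findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Constructed sample tree (not a real site) laid out the way the rules expect.
make_clean_tree() {
    local root="$1"
    mkdir -p "$root/wp-content/uploads"
    printf "<?php\ndefine('DB_HOST', 'localhost');\n" > "$root/wp-config.php"
    printf "<?php\n// front controller\n" > "$root/index.php"
    : > "$root/wp-content/uploads/photo.jpg"
    chmod 755 "$root" "$root/wp-content" "$root/wp-content/uploads"
    chmod 644 "$root/index.php" "$root/wp-content/uploads/photo.jpg"
    chmod 600 "$root/wp-config.php"
}

# Demo: a clean tree returns 0; loosen a file or point DB_HOST outside to see findings.
demo=$(mktemp -d)
make_clean_tree "$demo"
audit_wp_tree "$demo" && echo "clean" || echo "findings: $?"
rm -rf "$demo"
```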
The ideal hosting service #
- Prevents external access to files and the database
- Isolates (jails) each website from everything else hosted on the same server
- Offers guaranteed security when available
WordPress Core #
Why is WordPress core an issue? #
The primary target for most hackers, but luckily, the easiest to lock down.
Like any piece of software, WordPress is prone to vulnerabilities.
0-day exploits, which are vulnerabilities and exploits not publicly reported, have significantly increased in recent years.
Hackers use these kinds of vulnerabilities to hit hard before the WordPress maintainers can react.
A good example is the REST API vulnerability described below.
How to stay safe? #
One way: keep your WordPress ALWAYS updated.
WordPress releases periodic updates, and security is a prominent component of each one.
Make sure you have the auto-update feature enabled on your website, even if it risks breaking your website.
Better to have your website broken by an update than to get hacked.
Keeping an eye on WordPress news can help your website’s security too.
Major vulnerabilities are often addressed through temporary patches while waiting for official fixes, as happened with the REST API vulnerability:
- First reported: 11th January 2017
- First publicized: 12th January 2017
- Official fix released: 26th January 2017
That leaves regular users a 15-day window during which hackers can easily exploit the vulnerability. The following places can help you keep up with the news:
Themes and plugins #
Why are themes and plugins the biggest threat? #
WordPress core is not the only thing that you need to keep continually updated. Themes and plugins have the exact same need, with a bit more attention. As opposed to WordPress core, you get to pick your theme and plugins. This freedom can help you be more secure or make you extremely vulnerable.
What you need to check #
If you check Quora’s WordPress-related topic, you’ll find questions mostly about free themes and plugins and alternatives to premium assets.
When you’re dealing with WordPress, using free themes and plugins needs to be handled with caution, because chances are high you’ll get your web property compromised.
The first issue is upgradability.
Free assets often end up abandoned when the main author/developer no longer wants to keep the asset updated, and no one is willing to take their place.
So, the likelihood of ending up with a slowly or never updated theme or plugin is quite high. Plus the risk that a malicious developer takes over and uses the plugin to compromise the websites where it’s used.
The second issue is the risk of uploading compromised assets without knowing it.
When someone hears that a premium theme or plugin is available for free or for a fraction of its real price, they jump on it without thinking about the consequences.
There is no such thing as a free premium theme or plugin, or someone “sharing” their license with others.
All you’ll find are nulled assets. Hackers buy the legit version, put a backdoor in it, and offer it for free download.
Nulled assets will get you hacked one way or another. In fact, the highest hack rate with themes and plugins happens with nulled material.
If you still want to go the free way, stick to legit sources. Make sure to:
- Strictly limit your options to the free themes and plugins found in the official WordPress repositories. You can’t miss them: they are the only source you can use to install themes and plugins from within the WordPress dashboard.
- Check if the asset was recently updated, and preferably only pick it if it’s frequently refreshed.
How to stay safe? #
Keep one main theme (and its child theme, if in use) and completely delete the rest.
Delete any inactive plugins. There is no need to keep anything installed if it’s not meant to be used. Remember, installing and activating a plugin is quick enough to be done only when needed.
Favor paid assets. Besides better features and higher coding standards, premium themes and plugins have a steady flow of updates and upgrades, and they are the fastest to adapt and fix vulnerabilities when needed.
Avoid at all costs problematic assets. There are plugins with a tarnished security history that caused major outbreaks in the past, like Slider Revolution or NextGEN Gallery. Always look up an asset’s security breach history to make sure you are not using a hacking magnet.
Avoid at all costs nulled themes and plugins. The only way to get a paid asset is from the author’s website or from known marketplaces, like:
- ThemeForest (themes)
- CodeCanyon (plugins)
- Elegant Themes (themes and plugins)
The average price is:
- $50 to $70 and up for themes
- $10 to $15 and up for plugins
- $250 per year or lifetime access
Premium assets always come with:
- A key or API code (for registration and activation)
- Extensive documentation and tutorials
- Direct access to support platforms
- At least 6 months’ worth of support, updates, and upgrades
Anything claiming to be a premium asset without fitting the above-mentioned practices is probably a scam or a stolen asset sold without its author’s consent, and a highly risky trade in every way.
You might also end up getting your credit card information stolen and downloading an infected asset, whether it was free or paid.
Pay for genuine assets. There is always a refund grace period, so you can basically test an asset and reconsider if it’s not something you really want to use.
User login/access credentials #
Why might that be a problem? #
A hacker gains access to your WordPress login/password by guessing it or stealing it, or finds the database host/login/password by getting access to your wp-config.php file.
Brute force is your worst enemy #
The most used technique is called brute force. Hackers keep trying sets of logins/passwords until they get in. It’s a fully automated process that usually takes days or weeks. It only costs the hacker one click and a long wait to find your login credentials if you’re not careful.
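Brute-force runs leave a clear trace in the web server's access log: a burst of POST requests to wp-login.php (or xmlrpc.php) from a single address. The script below is an added example, not from the original article, that counts those requests per client IP; it assumes the Apache/Nginx combined log format, and the log lines, IP addresses and threshold are constructed for the demonstration.

```shell
#!/bin/bash
# Added example: spot brute-force login runs in a combined-format access log.
# A failed WordPress login answers POST /wp-login.php with 200 (the form is
# re-rendered); a successful one answers 302. xmlrpc.php answers 200 either
# way, so every POST to it is counted.

# Usage: brute_force_suspects LOGFILE [THRESHOLD]
# Prints "count ip" for every IP with at least THRESHOLD (default 10)
# suspicious POSTs, highest count first.
brute_force_suspects() {
    local logfile="$1" threshold="${2:-10}"
    awk -v limit="$threshold" '
        # combined log format: $1 client IP, $6 "METHOD, $7 path, $9 status
        $6 == "\"POST" && (($7 ~ /^\/wp-login\.php/ && $9 == 200) ||
                            $7 ~ /^\/xmlrpc\.php/) {
            hits[$1]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= limit)
                    printf "%d %s\n", hits[ip], ip
        }' "$logfile" | sort -rn
}

# Constructed sample log (not a real capture): 25 failed logins from one
# address, 3 xmlrpc posts from another, one legitimate login and a page view.
make_sample_log() {
    local out="$1" i=1 ts='[10/Oct/2020:13:55:36 +0000]'
    : > "$out"
    while [ "$i" -le 25 ]; do
        echo "203.0.113.7 - - $ts \"POST /wp-login.php HTTP/1.1\" 200 3451 \"-\" \"python-requests/2.22\"" >> "$out"
        i=$((i + 1))
    done
    i=1
    while [ "$i" -le 3 ]; do
        echo "192.0.2.44 - - $ts \"POST /xmlrpc.php HTTP/1.1\" 200 370 \"-\" \"Mozilla/5.0\"" >> "$out"
        i=$((i + 1))
    done
    echo "198.51.100.9 - - $ts \"POST /wp-login.php HTTP/1.1\" 302 0 \"-\" \"Mozilla/5.0\"" >> "$out"
    echo "198.51.100.9 - - $ts \"GET /wp-admin/ HTTP/1.1\" 200 9120 \"-\" \"Mozilla/5.0\"" >> "$out"
}

# Demo: write the sample log and list the suspects (prints "25 203.0.113.7").
sample=$(mktemp)
make_sample_log "$sample"
brute_force_suspects "$sample" 10
rm -f "$sample"
```

The one legitimate login (status 302) and the page view are not counted, so a threshold of 10 reports only the attacking address.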
Other methods to get your credentials #
There are countless ways to steal your login information, including:
- Arbitrary file download targeting wp-config.php files (Slider Revolution, NextGEN Gallery)
- Unprotected file permissions
- FTP access
- Hosting platform access
- Password theft (virus or malware on computers, bogus VPN access)
And many other ways.
I’ve been freelancing for almost 20 years. And as part of my activity, I maintain WP websites on demand.
When I get a request, I ask for the admin credentials to the website, the hosting platform and anything related to the task so I can fix, install and set up, or maintain something WordPress-related.
To date, I’ve never been informed at any point that the access I received would be destroyed or changed once I’m done.
This means that most people don’t have a credential safety protocol when a 3rd party gets involved.
Consequently, the credentials stay active even after the 3rd party’s intervention is done, making it possible to re-access the website without the owner’s consent or notification.
I’ve seen this relaxed credential-sharing policy turn quite bad when a malicious service provider takes advantage of it.
Spying or stealing information, adding remarketing pixels, holding websites hostage, having people’s credentials circulating in hacking-related closed groups: this is not something anyone wants to go through.
How to stay safe? #
- Enable brute force protection wherever possible by changing the regular login/admin URL and disabling XML-RPC and the REST API if none of them is used.
- Enable 2-factor authentication, using either email, cell phone, or any other way to verify you are the one accessing your website.
- Make service providers sign a non-disclosure contract, and make it clear that once the job is done, all shared credentials will be either destroyed or changed.
WordPress security protocol & gear #
Why do you need one? #
As you have learned so far, WordPress security has many facets.
To date, no single do-it-all tool can handle them all at once.
My advised security protocol is a stronghold against known and foreseeable hacks.
I make sure to update it periodically to cover any new threat and add any new security measure if relevant.
Fundamental security #
Make sure to implement basic security fixes for any WordPress installation such as:
- Always keep WP core, theme, and plugins up to date
- Keep an eye on your server’s security
- Set the files permissions correctly
Have a reliable backup system #
No matter how we protect our websites, there is always a new threat that might overcome all our security protocols.
While there are countless plugins and services doing that for WordPress, I have always found All-in-One WP Migration to deliver solid performance cost-effectively.
While the core plugin is free for migration, getting scheduled backups and cloud storage pairing requires a one-time $79 per cloud storage service, for unlimited website use.
The available cloud storage options are as follows:
- Dropbox ($79)
- Google Drive ($79)
- Amazon S3 ($79)
- OneDrive ($79)
- Box ($79)
- Mega (coming soon)
- Amazon Glacier (coming soon)
I’ve been using it for a couple of years now, and I’m pretty happy with it.
Use DNS as a shield (Cloudflare) #
Part of the protection job is to cut the threat before it becomes one.
Cloudflare is a free DNS manager that comes with some threat monitoring and protection features.
It helps lighten the load from known threat sources. The setup is fairly easy too.
Use a security plugin if needed (Wordfence) #
Wordfence is a very important part of my security protocol because it’s the only plugin that covers multiple aspects of WordPress security at once.
The free version offers:
- A feature-rich firewall
- Live traffic monitoring
- Brute force attack blocking (disables XML-RPC, limits login attempts, and bans offending IPs)
- A great scanning tool with the ability to compare, repair and delete compromised files
They do have a paid version, starting from $99 per year. It has more advanced features, like:
- Real-time threat defense, which means, when a 0-day exploit is found, it’s quickly fixed and deployed to premium users
- Country blocking feature
- Remote scans
Amongst other features.
Wordfence can be a pain on some occasions, though. Its firewall might consider your own patterns of behavior suspicious and kick you out of your own website.
Recovering from that is usually easy, with an email link to confirm you are the admin of the website. But on some occasions, it might involve manually removing Wordfence using FTP or your hosting file manager, installing an additional plugin called “Wordfence Assistant”, and using it to clear Wordfence’s banned IPs so you can use your website once again.
Block Bad Queries #
BBQ gives hassle-free protection against malicious URL requests and script injection attempts.
Consider it as an extension to the Wordfence firewall.
The free version works under the hood and doesn’t have any controls or customization options while the paid version has an admin panel with customization options, blocking stats, the ability to set redirections, and other protective features.
Blackhole #
Blackhole is a subtle plugin that lets you block unusual crawling activity from bad bots.
The same rule applies: the free version works under the hood, while the paid version gives you more control over the plugin’s settings.
The Ultimate Tweaker #
UT is a lightweight plugin that obfuscates information and secures some aspects of your WordPress site, such as:
- Removing the generator tags for WordPress, WooCommerce, and Visual Composer, and the RSD tag
- Adding nosniff and XSS protection headers
- Preventing your website from being embedded inside an iframe
- Disabling text selection and right-click
Minimizing the shared information makes it harder for hackers to attempt anything nasty against your site.
Swift Security Bundle or Hide My WP #
Both are equally good at taking the obfuscation process a step further, hiding from anyone meaning harm that your site is a WordPress website at all!
They do have security features comparable to Wordfence’s, but I find the Wordfence ones more reliable and effective.
Other plugins #
Disable REST API does what its name says for visitors who are not logged in, for sites where nothing uses the REST API.
WPS Hide Login changes the default login URL. It’s handy when you are the only one with direct access to your website (it can be dismissed if using Swift Security or Hide My WP).
miniOrange 2-Factor Authentication implements 2-step secured login using Google Authenticator.
Some plugins require technical skills to set them properly. If you don’t think you have the required knowledge to do so, either:
- Get a managed hosting service
- Hire cheap labor to take care of it periodically for you
- Or get my security pack
Additional resources to check:
Your website was hacked? #
$#it happens! #
It sucks when you realize that your WordPress site was hacked.
If it can do you any good, know that it’s a predictable outcome, especially if you were careless about security.
WordPress’ large adoption (33% of all websites, and 60% of all CMSs) makes it a high potential target for hackers waiting for your first mistake to take over your website.
And the math is real… 80% of hacked websites use WordPress (Hacked Website Report 2018).
Yeah, you didn’t sign up for that when you started using this platform… WordPress is indeed the reason why you got hacked, but you too have your fair share of the blame.
Anyway, let’s blame WordPress and the bad guys for now to cheer you up…
Here is what you need to know to get back on track…
Hack signs #
Your hosting company disables your website #
Hosting companies may spot infections and take your website down without your consent. Companies like GoDaddy, Bluehost, and 1&1 run random and frequent scans on shared hosting plans. Because of the linked structure of those hosting environments, they can’t afford large-scale infections and therefore automatically disable anything suspicious about your website’s files or behavior.
Google says you are a threat #
Google indexes millions of websites. When its algorithm observes suspicious behavior, it sends warning messages through Google Search Console, but most importantly, it shows two additional lines in your search results saying:
- This website may harm your computer.
- This site may be hacked.
Unfortunately, most people learn that their web property was hacked that way.
Web browsers will start warning users #
At this point, it starts to directly hurt your business and reputation. Standard web browsers like Google Chrome will show a full red or white page with a clear warning that your website is a threat to visitors’ security. The warning screen is not straightforward about how to regain access to the website. Not only is your reputation harmed, but you also lose most of your traffic. When you see this kind of warning, the malicious script is now a contamination agent that might pass the infection on to other computers and possibly infect other sites on the same server.
Search results unrelated to your content #
Things start to get nasty at this stage. Search engines have started indexing the injected/unwanted content. Usually, search engines will index anything from your website once trust is built. Hackers take advantage of this automatic behavior to get their content to show in search results. That alone will profoundly harm your business reputation. Even if the infection is fully cleared, search results will still show the unwanted content. A manual process needs to take place to ask search engines to remove unwanted and compromised web pages permanently. This bad-link removal process is done on a per-link basis. If you have a handful of pages indexed, that would be relatively easy, but when you have hundreds or thousands of pages, it will take time and a lot of money to get rid of them. I have seen businesses drop a domain name because of that.
Questionable content will show up #
At this stage, the hack is fully functional and becomes explicit. It adds unwanted content to your WordPress front end. It could be posts, pages, or anything reachable through a URL. These types of content are commonly pushed through hacks:
- Controversial medicines and pills (Viagra and similar).
- Porn and sexual content, implicit and explicit.
- Websites for risky money transactions: a store, a gambling website, a dating website, or anything similar.
- Chinese merchandise.
- Torrents and illegal download websites.
The content is either posted as regular pages/posts in your database or injected dynamically from a 3rd-party server. Be very careful, because the additional content usually only shows up when you are not logged in. That’s why in most cases, victims of hacks spend a long time before seeing any explicit signs, and only understand the situation when someone visiting the website sees the abnormal content and bothers to report it. On that subject, I once cleaned up a WordPress blog that had 100k pages from a Chinese online store. And I’m not exaggerating: it was over a hundred thousand products’ worth of pages (yes, 100k+ pages) with a fully operational checkout system.
Strange codes and files #
As you probably know by now, hacking, spamming, and all the nasty things that could happen to your WordPress website live through code. Sometimes you’ll find the code in core files like wp-config.php. Other times you’ll find distinctive files full of scrambled code. Hackers try to hide it by creating files in places you are unlikely to check, and even if you do, they use names and file extensions close to what you can find on a regular WordPress website. It could be a .php file in your wp-content/uploads folder, for example. The code is always obfuscated, using the eval() function. So, any code fragment starting with “eval(base64_decode” followed by a long unreadable string is 99.99% malicious code. The number of such code fragments and files will vary depending on the type and extent of the infection.
Errors and messy style #
Hacks are code injected into your WordPress installation. Each visit to your website helps the malicious code execute and perform its duty. Like any program, it is likely to conflict with the regular functions of your WordPress website, resulting in:
- Blank, broken, and incomplete pages.
- PHP warning messages.
- Commands not executing as they should. Creating, editing, and deleting posts, for example, might give you an unexpected outcome.
Anything unusual compared to your regular use is to be treated as suspect.
Slow website / response time #
Slowness is one of the red flags in the aftermath of a successful hack, because hackers will use your web server to perform DDoS attacks. This has an impact on your server’s resources and bandwidth. The slowness is very hard to spot on shared hosting plans. Knowing that most shared hosting servers are overcrowded, you naturally assume that the server is saturated and are therefore unlikely to investigate the cause of any delay in using WordPress features or any drastic drop in speed. Some hosting services may notify you if they find abnormal use of CPU or bandwidth.
Fixing hacked WordPress websites #
Is there a specific protocol? #
Regaining access to, cleaning up, and fixing a hacked WordPress site doesn’t follow a particular protocol.
It is more of a case-by-case recovery process, depending on the observed signs, the type of hack, the stage reached, and its spread.
In most cases, it can’t be done by a regular user. It doesn’t hurt to try, though.
Consider hiring experienced individuals or services for efficiency.
Experience helps a lot to interpret signs, know where to look for compromised files, fix them without breaking the website, and lock the threat source to prevent future hacks.
A typical process should involve the following:
Open your website in a private window without logging in #
Most hacks will only show for non-logged-in users.
It’s a smart way to operate under the radar and delay the site owner’s reaction. It’s all about buying time, either to get the data the hacker is looking for or to let the infection spread and become more difficult to deal with.
Checking explicit hacks live helps you find what type of hack you are dealing with, and eventually helps you locate the compromised files and work out how to fix and protect your WordPress website from that specific hack.
A full scan, both automatic and manual #
Scanning tools help identify the type of infection and locate files with malicious code.
Wordfence and Sucuri are equally good for that purpose. I have a personal preference for Wordfence, as they have a fair yearly paid plan.
Don’t rely on tools only.
Hacking is getting more and more sophisticated. Sometimes the scanning tools won’t reveal any clue or detect any sign of a hack. A manual check is then necessary to find the compromised files and where the malicious code was injected.
If you are comfortable with Linux and use a VPS to host your WordPress website, the following bash script will save you a huge amount of time by scanning all files for malicious code in a snap.
#!/bin/bash
# List every PHP file that mentions "base64" or "eval", with file name, line number
# and the matching line, for manual review. The ";" that ends the -exec command
# must be escaped so the shell passes it to find instead of treating it as a separator.
find . -name "*.php" -exec grep -Hn "base64" '{}' \; > b64-detections.txt 2>&1
find . -name "*.php" -exec grep -Hn "eval" '{}' \; > eval-detections.txt 2>&1
If you are using Windows, you can download a full copy of your website through FTP to your computer and use an editor like Sublime Text to perform the search.
At this stage, you have a full list of the compromised files that need cleaning.
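The find/grep commands above list every file that mentions the two strings. As an added example that is not the article's own script, the following widens the check to the indicators described in the hack-signs section: eval() combined with a decoder function, PHP files sitting under wp-content/uploads, and PHP files changed in the last few days. The sample tree it builds is constructed for the demonstration, and the base64 string in it is a harmless marker, not a payload.

```shell
#!/bin/bash
# Added example: a broader version of the find/grep scan for a WordPress tree.
# Usage: scan_wp_tree /path/to/wordpress [DAYS]
# Prints one finding per line and returns the number of findings (0 = nothing found).

scan_wp_tree() {
    local root="$1" days="${2:-7}" hits n
    hits=$(
        # 1. eval() fed by a decoder: the "eval(base64_decode" pattern from the
        #    hack-signs section, plus the gzinflate/str_rot13 variants.
        find "$root" -name '*.php' -type f -exec grep -lE 'eval[[:space:]]*\(' {} + 2>/dev/null |
        while IFS= read -r f; do
            if grep -qE 'base64_decode|gzinflate|str_rot13' "$f"; then
                echo "obfuscated eval: $f"
            fi
        done
        # 2. PHP under wp-content/uploads: uploads hold media, never code.
        find "$root" -path '*/wp-content/uploads/*' -name '*.php' -type f |
            sed 's/^/php in uploads: /'
        # 3. Recently changed PHP files (DAYS > 0): a short list for manual review
        #    on a site that has not been updated in that period.
        if [ "$days" -gt 0 ]; then
            find "$root" -name '*.php' -type f -mtime "-$days" |
                sed 's/^/recently modified: /'
        fi
    )
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
    fi
    n=$(printf '%s\n' "$hits" | grep -c .)
    return "$n"
}

# Constructed sample tree (not a real site): one clean core file, one theme file
# with an eval(base64_decode(...)) marker, and a PHP file hidden among uploads.
make_infected_tree() {
    local root="$1"
    mkdir -p "$root/wp-includes" "$root/wp-content/themes/demo" "$root/wp-content/uploads/2020/10"
    printf "<?php\necho 'clean';\n" > "$root/wp-includes/clean.php"
    # 'Y29uc3RydWN0ZWQ=' is just the word "constructed" in base64
    printf "<?php\neval(base64_decode('Y29uc3RydWN0ZWQ='));\n" > "$root/wp-content/themes/demo/functions.php"
    printf "<?php\necho 1;\n" > "$root/wp-content/uploads/2020/10/image.php"
    : > "$root/wp-content/uploads/2020/10/photo.jpg"
}

# Demo: build the sample tree and scan it (2 findings with DAYS=0).
demo=$(mktemp -d)
make_infected_tree "$demo"
scan_wp_tree "$demo" 0 || echo "findings: $?"
rm -rf "$demo"
```

Genuine WordPress core and plugin files occasionally contain base64_decode or eval, so the output is a shortlist for the manual check the article calls for, not a verdict.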
Looking for the source of the infection to lock it up at once #
It is useless to clean up a website without fixing the breach that caused the hack in the first place. And that is another task that involves experience and full knowledge of WordPress.
There isn’t a specific way to find the infecting agent.
It can be:
- A file that gives access to your website if requested in a certain way (that’s how vulnerable plugins and themes are abused)
- A fragment of code that infects files and recreates a new set of compromised files on each website visit
- A subtle backdoor used to re-enter your website and reapply the hack
If any infecting agent remains, you will be hacked again and again until you get rid of it.
Identifying, cleaning and eventually deleting the corrupted files #
This is where qualified professionals become handy.
The malware compromises several types of files. Some can be fully deleted; others will need to be carefully cleaned up.
Deleting a core file, a theme’s file or a plugin’s file might break the website.
PRO TIP: When a theme or plugin asset is compromised, the safest way to clean it up is to fully delete the folder and replace it with a fresh copy.
Removing unknown users and resetting passwords #
Hackers usually leave an admin user behind as a way to regain control of the website once it is cleaned.
Looking for fake accounts and unwanted admins is a must in all cleanups.
The same goes for resetting all user passwords.
Once a hacker has access to the database, it’s fairly easy to change some users’ passwords in order to use them as a fallback entry point.
Plugins like MASS Users Password Reset come in handy to reset user passwords in bulk.
Post hack recovery #
Finding and fixing the hack is not the end of the job. There are a couple of additional tasks to be done after that.
Fix your reputation #
As we saw in the hack signs above, hacks will eventually tarnish your reputation with browsers, search engines, and your visitors.
Removing spammy links from search engines is the worst part, especially when it involves cleaning hundreds or thousands of undesirable URLs.
It’s a long and laborious process.
For that to happen, you need to:
- Scrape and filter all indexed pages to get a list of undesirable URLs.
- Add your website to Google Search Console.
- Follow Google’s official guide to remove URLs from search results permanently.
The process needs to be done manually and has a limit of 500 entries per day.
Rebuilding trust with your visitors is another story.
Try to be as honest as possible and reassure your audience that all protective measures are enabled and your website is unlikely to fall to hacks any time soon. A couple of freebies and discounts do help considerably.
Need professional help to handle your WordPress website security? Check out my WP security services!
Hope that this guide helps you on your hack fixing crusade.
Make WordPress hack-proof #
So, you fully recovered from the hack and sealed the breach. It’s time now to secure your WordPress files and environment fully.
Generally speaking, this is what needs to be done to help your WordPress resist future hacks:
- Fully update WordPress: core files, themes, and plugins.
- Get rid of any non-maintained theme or plugin.
- Get rid of any unofficial theme or plugin, or paid plugins downloaded for free (also referred to as nulled).
- Use a monitoring tool like Wordfence to keep an eye on your website.
But that’s just superficial. You need more in-depth security to make your WordPress almost hack-proof.
Check out my full guide to fully secure your site in light of the latest practices and information available to date.