Important Security Update
No business is too small to be hacked. Having your WordPress site hacked is one of the most stressful experiences for any website owner. Securing your WordPress site should be at the very top of your priority list. While you cannot completely eliminate all security risks, you can certainly reduce it greatly.
In this post, I've shared some easily-executable tips that will greatly improve your WordPress site security.
- Never Set File/Folder Permissions to 777
- Disable File Editing from the WordPress Dashboard
- Limit Login Attempts
- Stop Brute Force Attacks: Hide Your WordPress Login Page
- Secure Your wp-config.php File
- Protect Your Uploads Folder
- Two-Factor Authentication
- Do NOT Use Outdated Plugins / Themes
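Several of the tips above can be verified from the filesystem alone. The script below is an added example, not code from the original post or from any plugin it mentions: it audits a WordPress install directory for world-writable (777-style) files and folders, checks that wp-config.php sets DISALLOW_FILE_EDIT and does not use the default "wp_" table prefix, and checks that the uploads folder carries an Apache .htaccess rule denying PHP execution. The sample site it builds (the made-up prefix "k7q_", the throwaway files) is constructed for the demo; nginx sites need the equivalent deny rule in the server configuration instead of .htaccess.

```python
"""Hardening audit for a WordPress install directory (added example).

Checks: no world-writable paths, DISALLOW_FILE_EDIT set, non-default
table prefix, and an uploads/.htaccess that denies .php requests.
"""
import os
import re
import stat
import tempfile


def world_writable(root):
    """Paths under root that any user may write to (the 'o+w' bit, as in 777)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.lstat(path).st_mode & stat.S_IWOTH:
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


def audit_wp_config(text):
    """Issues found in the text of wp-config.php."""
    issues = []
    # define('DISALLOW_FILE_EDIT', true); removes the theme/plugin editor
    if not re.search(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", text):
        issues.append("DISALLOW_FILE_EDIT is not set to true")
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", text)
    if not m:
        issues.append("no $table_prefix found")
    elif m.group(1) == "wp_":
        issues.append("table prefix is the default 'wp_'")
    return issues


def uploads_blocks_php(root):
    """True if wp-content/uploads/.htaccess has a Files rule denying .php."""
    htaccess = os.path.join(root, "wp-content", "uploads", ".htaccess")
    if not os.path.isfile(htaccess):
        return False
    with open(htaccess) as fh:
        text = fh.read()
    has_rule = re.search(r"<Files(?:Match)?[^>]*php", text, re.I)
    has_deny = re.search(r"deny from all|Require all denied", text, re.I)
    return bool(has_rule and has_deny)


def audit(root):
    """All findings for the install at root; an empty list means every check passed."""
    findings = ["world-writable: " + p for p in world_writable(root)]
    cfg = os.path.join(root, "wp-config.php")
    if os.path.isfile(cfg):
        with open(cfg) as fh:
            findings += ["wp-config.php: " + i for i in audit_wp_config(fh.read())]
    else:
        findings.append("wp-config.php missing")
    if not uploads_blocks_php(root):
        findings.append("uploads folder does not block PHP execution")
    return findings


def build_sample_site(hardened):
    """Construct a throwaway WordPress-like tree (sample data, not a real site)."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    for d in (root, os.path.dirname(uploads), uploads):
        os.chmod(d, 0o755)  # explicit, so the sample does not depend on umask
    prefix = "k7q_" if hardened else "wp_"  # k7q_ is a made-up prefix
    edit = "define('DISALLOW_FILE_EDIT', true);\n" if hardened else ""
    cfg = os.path.join(root, "wp-config.php")
    with open(cfg, "w") as fh:
        fh.write("<?php\n$table_prefix = '%s';\n%s" % (prefix, edit))
    os.chmod(cfg, 0o640)
    image = os.path.join(uploads, "image.jpg")
    with open(image, "w") as fh:
        fh.write("sample bytes, not a real image\n")
    if hardened:
        os.chmod(image, 0o644)
        ht = os.path.join(uploads, ".htaccess")
        with open(ht, "w") as fh:
            fh.write('<FilesMatch "\\.php$">\n    Require all denied\n</FilesMatch>\n')
        os.chmod(ht, 0o644)
    else:
        os.chmod(image, 0o777)  # the mistake the first tip warns about
    return root


if __name__ == "__main__":
    for label, hardened in (("weak", False), ("hardened", True)):
        print(label, audit(build_sample_site(hardened)))
```

Run it against a real install with `audit("/path/to/wordpress")`; an empty list means the four checks passed, and each finding names the path or setting to fix.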
Use a Strong Password
Passwords are a key component of any WordPress security strategy. Use a strong password to make it more difficult for attackers to gain access to your site. Do not use the same password in multiple places. Make your password hard to guess. Anything you can do to increase your site security, just do it. Don't wait.
Also, change your password regularly. It's one thing we all tend to put off, but don't. In fact, put it on your calendar so you won't forget about it.
WordPress Admin User Name
Do not use “admin” as your WordPress admin username. It's an easy target for hackers.
Just create another user in your WordPress admin panel and assign it the Administrator role. Use a username that's hard for a hacker to guess. Log in using this new admin account to make sure it works. Then delete the original admin user (the one with username "admin"); when WordPress asks, attribute its content to the new user so you don't lose any posts.
Here's a good article on the steps to change admin username.
Do not use the default table prefix of “wp_” when you install WordPress. It makes your site more vulnerable to SQL injection attacks that assume the default table names.
Use a prefix that's hard to guess. It's one of the best ways to protect your WordPress database. Changing the table prefix of an already established site is a lot more work, but it's doable. If you want to do it, be sure to take a full database backup first, and if you're not familiar with database commands to update or alter table names, do not do it yourself. If you mess things up, it'll be a lot of work to recover your site. Hire someone who is familiar with the process to do it.
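To show what "a lot more work" means in practice, here is an added example (not code from the original post) that generates the SQL for moving an existing database to a new prefix. Renaming the tables is only part of the job: WordPress also stores the prefix inside data, in the options table (the `<prefix>user_roles` option) and in usermeta keys such as `<prefix>capabilities` and `<prefix>user_level`, and wp-config.php has to be changed to match. The CORE_TABLES list is WordPress core's default set; a live site usually has extra plugin tables, so list them with SHOW TABLES rather than relying on this list. The prefix "k7q_" is made up for the demo.

```python
"""Generate the SQL to move a WordPress database to a new table prefix (added example)."""
import re

# WordPress core's default tables, without their prefix.
CORE_TABLES = [
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "termmeta", "terms", "term_relationships", "term_taxonomy",
    "usermeta", "users",
]


def check_prefix(prefix):
    """WordPress accepts only letters, digits and underscores in a prefix."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError("prefix may contain only letters, digits and underscores")
    return prefix


def like_escape(s):
    """Escape LIKE wildcards: in LIKE 'wp_%' the underscore would match any character."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def rename_prefix_sql(old, new, tables=CORE_TABLES):
    """Ordered statements: rename the tables, then fix prefix-named rows inside them."""
    check_prefix(old)
    check_prefix(new)
    stmts = ["RENAME TABLE `%s%s` TO `%s%s`;" % (old, t, new, t) for t in tables]
    skip = len(old) + 1  # SUBSTRING is 1-based in MySQL, so this drops the old prefix
    # The user_roles option is named after the prefix.
    stmts.append(
        "UPDATE `%soptions` SET option_name = CONCAT('%s', SUBSTRING(option_name, %d)) "
        "WHERE option_name LIKE '%s%%';" % (new, new, skip, like_escape(old)))
    # Per-user capabilities and user level are usermeta keys named after the prefix.
    stmts.append(
        "UPDATE `%susermeta` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) "
        "WHERE meta_key LIKE '%s%%';" % (new, new, skip, like_escape(old)))
    return stmts


def config_line(new):
    """The matching line to put in wp-config.php."""
    return "$table_prefix = '%s';" % check_prefix(new)


if __name__ == "__main__":
    for s in rename_prefix_sql("wp_", "k7q_"):  # k7q_ is a made-up prefix
        print(s)
    print(config_line("k7q_"))
```

Run the printed statements only after the full backup the post insists on, and update wp-config.php in the same maintenance window, because between the rename and the config change the site cannot find its tables.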
Take Regular Backups
If your website gets hacked, your database gets erased or corrupted, or you accidentally delete files, you might end up losing all your work. While your hosting provider might offer backup services, take your own backups instead of relying only on your web host. With a backup of your WordPress database and files, you can quickly restore things to normal.
The Duplicator plugin has a free version that can be used for backups, but it does not allow scheduled backups (which is important when you run a membership site) and does not support automatic upload to S3, Dropbox, etc. Both Duplicator Pro (the paid version) and BackupBuddy allow you to schedule your backups and store them in Dropbox, Amazon S3, Rackspace Cloud, FTP, etc.
There are a lot of great security plugins like Wordfence, iThemes Security, SiteLock, Sucuri, etc. that can lock things down and greatly help with WordPress site security. We use iThemes Security or Wordfence to secure our sites.
All these security plugins are highly customizable and provide several options to lock down your site. You can fine-tune the config settings to patch up and lock down 95% of all commonly known vulnerabilities, risks and security holes.
Also, in your security plugin, look for one-click hardening options such as protecting your uploads folder, disabling the theme and plugin editors, and restricting access to the /wp-content/ and /wp-includes/ directories.
If you’re overwhelmed by all this and would like to hire someone to help fully secure your website, the good news is that we offer a full-fledged security package ourselves where we'll take care of everything for you. It's certainly a HUGE time and money saver.
So if you're worried about your website security and need help to beef it up but don't want the hassle of figuring it out yourself, check out our WordPress Advanced Security And Performance (WASAP) package, which covers all your WordPress and DAP security needs.
Malware Detection & Removal
If your website gets hacked, don't panic. It's not the end of the world. Yes, you'll likely lose time and money, and you might lose some data as well, but take comfort in the fact that you'll recover from it. You're not alone in this. All is not lost. This happens to thousands of people every day on every kind of platform.
Site security is all about reducing risk. You cannot eliminate it 100%, but you can take steps to reduce the possibility of your website getting hacked, and if it does, have a plan in place to recover it quickly.
This is why it's so very important to take regular backups of your site (files and database). This way, if your site gets hacked, you can easily restore it to a clean version.
In the event that your site gets hacked, here are some simple steps to get it back up and running:
1. Contact your Hosting Provider
Contact your hosting provider right away. If it's a shared web hosting platform, the attack might also have affected other websites sharing the same server. Your web hosting provider can confirm whether your site has been hacked or whether it's just a server or software issue.
2. Take a backup
Unfortunately most people do not realize the importance of regular site backups until their website gets hacked.
Don't make that mistake. Imagine having to set up everything from scratch! You don't want to be in that boat!
But say that you're in that boat: your site gets hacked and you don't have a backup. Before you do anything else, take a full backup of your site. Yes, you'll end up with a backup of the infected site, but at least you'll have a backup rather than no backup! In most cases, you can use a security plugin or tool (like Wordfence Security, Sucuri, SiteLock, etc.) to detect malware and clean the infected files. It might not be easy to find and clean all the infected files, but in most cases (depending on the extent of the damage done by the hackers) you'll be able to do it. And even if you can't do it yourself, you can always hire a WordPress security specialist to help you out.
If you still have access to your WordPress admin after your site has been hacked, you can use a backup plugin (like UpdraftPlus) to take a backup. If not, you'll have to do it manually (using FTP). You can ask your web hosting support to help with the backup. That's another reason why it's so important to host your membership site on a web hosting platform that offers great tech support, and it's one of the reasons we love and use LiquidWeb for hosting our websites.
3. Change Password
Log in to your WordPress admin dashboard and change your WordPress admin password. If you're not able to log in to your WordPress admin, you can use phpMyAdmin in your web host's cPanel to update your password.
Here's a good article on how you can use phpmyadmin to update your WordPress admin password.
4. Run Malware Scan
There are great FREE tools and plugins that let you check the integrity of all your WordPress files and your database.
- Wordfence Security
Wordfence is a WordPress security plugin that can verify and repair your WordPress core, theme and plugin files.
It can scan your website core files, theme files, and plugin files, against known threats. It also provides a log of changes to your website and offers many options for hardening your website and making it more secure.
You can also get Wordfence to scan files outside of your WordPress folder.
And the great thing about Wordfence is that it provides enterprise-class WordPress security for FREE. You can download their WordPress plugin for free. They also offer a premium (paid) version with access to premium support and support for Country Blocking, Scheduled Scans, Password Auditing etc.
- Sucuri Security
Sucuri offers a free WordPress Security plugin. You can use it to audit all your website activities such as file changes, file uploads etc and it can also check if your core WordPress files are intact. You can use it (in addition to Wordfence Security) to detect malware.
If your website was hacked and you've already done a scan and cleanup using Wordfence, chances are the free version of the Sucuri plugin won't report anything new, but it's good to run the scan anyway just to double-check and make sure no new files are detected.
Sucuri also offers remote malware scanning with its free Sucuri SiteCheck scanner. Enter a URL (e.g. yoursite.com) and the Sucuri SiteCheck scanner will check the website for known malware, blacklisting status, website errors, and out-of-date software.
If you want to use Sucuri to completely secure your website, supplement the free Sucuri plugin with their paid services for Website Firewall, Malware Removal etc.
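The file-integrity scans described above (Wordfence verifying core files, Sucuri auditing file changes) come down to comparing hashes against a known-good baseline. The script below is an added example, not the original post's code and not Wordfence's or Sucuri's: it hashes every file under a WordPress tree into a manifest, saves that manifest as a baseline while the site is known-good, and later diffs the current tree against it to list added, removed and modified files. Wordfence compares against a published manifest of core files; a baseline you take yourself, as here, also covers themes, plugins and uploads. The sample tree, its file contents and the later changes are constructed for the demo.

```python
"""File-integrity baseline and diff for a WordPress tree (added example)."""
import hashlib
import json
import os
import tempfile


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            manifest[os.path.relpath(path, root)] = h.hexdigest()
    return manifest


def save_manifest(manifest, path):
    """Persist the baseline as JSON; keep it outside the web root."""
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as fh:
        return json.load(fh)


def diff_manifests(baseline, current):
    """Files that appeared, vanished, or changed content since the baseline."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def write(root, rel, body):
    """Helper for the constructed sample tree."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(body)


def demo():
    """Constructed sample: baseline a tiny tree, alter it, and diff."""
    root = tempfile.mkdtemp(prefix="wp-integrity-")
    write(root, "index.php", "<?php require 'wp-blog-header.php';\n")
    write(root, "wp-content/themes/t/functions.php", "<?php // theme functions\n")
    write(root, "wp-content/uploads/2020/photo.jpg", "sample bytes\n")
    baseline_path = root + ".baseline.json"  # next to, not inside, the web root
    save_manifest(build_manifest(root), baseline_path)
    # Changes a later scan should report (constructed for illustration).
    write(root, "wp-content/themes/t/functions.php",
          "<?php // theme functions\n// one line added later\n")
    write(root, "wp-content/uploads/2020/unexpected.php",
          "<?php // a PHP file should not appear under uploads\n")
    os.remove(os.path.join(root, "index.php"))
    return diff_manifests(load_manifest(baseline_path), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Take the baseline right after a clean install or a verified cleanup, store it off the web server, and re-run the diff on a schedule; any PHP file appearing under uploads, or a core file changing outside an update, is worth investigating before restoring from backup.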
Get WordPress Advanced Security Package!
If you're worried about your website security, need help to beef up security and don't want the hassle of figuring it out yourself, then our WordPress Advanced Security & Performance package is just for YOU!
Go ahead and purchase our WordPress Advanced Security And Performance (WASAP) Package and you won't regret it.
We'll install the right security plugins and customize and fine-tune the various configuration options in these plugins to make sure that 95% of all commonly known vulnerabilities, risks and security holes are completely patched and locked down!
Join my Free, Private Facebook group for Membership-Site users. I'll be happy to answer any questions or concerns you may have about your WordPress or DAP site security.