How to protect your WordPress site from hackers in 9 steps
When it comes to website management, prevention is better than cure. Rather than expend time worrying HOW the hack occurred, proceed with preventive measures, and elimination of any traces that might be left behind.
HACKING PREVENTION / RECOVERY CHECKLIST:
Note: its helpful to run two browser windows so I can monitor the cPanel changes on the live website site so you know if anything breaks as you work through.
1 – Start in the Hosting Account Control Panel
Change the account password: In your cPanel, Plesk, SPanel, Hsphere control panel,
- Change the account password which prevents further illegal cPanel access:
- Your password should be 18 characters secure, as generated by the cPanel tool.
FTP Users: there should (usually) only be ONE. Check for and delete any unknown FTP users.
WP Database: in Control Panel, go to MySQL databases and change the WordPress database password. Edit the /wp-config.php file and replace the old password. This stops the bad guy getting straight back in if it was a database access hack.
Security Headers: add security headers into the .htaccess file before the # BEGIN WordPress line. This limits the sorcery that can be performed by an external threat.
- be sure to monitor the impact of this change on the live site as in rare cases, it may create a conflict.
Copy and paste the code below:
Really Simple SSL Headers
Header always set Strict-Transport-Security: “max-age=31536000” env=HTTPS
Header always set X-Content-Type-Options “nosniff”
Header always set X-XSS-Protection “1; mode=block”
Header always set Expect-CT “max-age=7776000, enforce”
Header always set Referrer-Policy: “no-referrer-when-downgrade”
Header set Content-Security-Policy: upgrade-insecure-requests
End Really Simple SSL Headers
SALTS: replace the “salts” in /wp-config.php to forcibly “log-off” anyone still logged in.
To get a fresh set, go to:
Bad Files: delete any “dodgy” php files you can see in the root directory. Note that WP core files are usually prefixed with “wp” and should not be touched. Look at file dates and if there are file names with odd names and dates different to WordPress core files, regard those with suspicion… We will assess those with Wordfence in later stage…
Be careful: – the one file you must not delete is /wp-config.php
PHP: should be running the current mainstream version – PHP 7.4 – which is more secure and faster.
NOTE: As a general rule when creating a new hosting account, I never use the default 8 character cPanel user name based on the domain name. Doing so gives the attacker 50% of what he/she need to gain access, and they then only need the password…
cPanel password hacking tools: are readily available, yet so many people never think to protect their hosting account with a secure password.
2 – Reinstall WordPress
As soon as you can, get into WordPress Admin and run:
Reinstall: run the WordPress “Upgrade/Reinstall” because that deletes and replaces ALL the /wp-admin/ and /wp-includes/ contents. This immediately removes any dodgy code/files inserted by an intruder.
Apply Updates: update all plugins and themes to ensure security patches are applied, and all files are replaced. Set all plugins to “auto-update” – this is an important WordPress security procedure.
3 – Check WordPress "Administrator" Users
Administrator Users: look for dodgy Admin users, delete any you don’t know (allocate content – if any – to a known good user so you don’t delete your posts and page accidentally)
If you’ve previously added external users for 3rd party support, reset those to “Subscriber” for now. The fewer administrator users you have, the fewer chances to a hacker to crack a weak password and access your site as an Administrator.
Review/change the User’s “Nicknames” so that the actual User Names are never displayed in meta on posts etc. Doing all of this will help protect your WordPress site from hackers.
4 – Change all WordPress administrator passwords
Make sure these are all WordPress-generated SECURE passwords!!! No silly word/name/date combinations as these are easily hacked by a determined adversary.
5 – Block XML RPC
This is one of the ‘vulnerabilities’ most people are blissfully unaware of. It does serve a legitimate purpose for users doing remote publishing etc, but the majority of WP sites will never need it. Block it, because it is threat!
Block XML-RPC fully: I use the Disable XML-RPC-API by Neatma – it also allows restriction of the REST API.
6 – Restrict REST API to logged-in Users
Block REST API: for non-logged in users – plugin is: Disable WP REST API by Jeff Star
7 – Implement Security Plugin/s
If you’ve been hacked, use Wordfence.
Wordfence: its a great security plugin but the settings are extremely complex and very difficult for most people to configure correctly. For that reason, even with Wordfence installed, the “default” settings don’t provide full protection. Nor do are the Scans rigorous enough to detect issues in themes and plugins, images or files outside WordPress etc.
To help you with that, the following Import Code – will configure Wordfence to the same levels I use myself and immediately secures multiple danger points.
Go to Wordfence | Tools | Import/Export Options
Copy and paste the code at the end of this page into the Wordfence “Import” box
Scan: get a Wordfence full scan scan going asap and use the buttons provided to:
— delete any files marked as non-WordPress
— replace those that are modified
If you are in “Prevention” mode…
Use Block Bad Queries as your web application firewall.
Use Limit Login Attempts as your Brute Force Login attack protection. Reduce login attempts to 3, with a 90 minutes lock out for exceeding 3. Set Blocking after 4 attempts to 9999 hours…
8 – Implement 2 Factor Authentication (2FA)
Add an additional safety factor to prevent unauthorised access. You can do this by either:
Wordfence 2FA settings, if you use Wordfence…
With the WP 2FA plugin which works in conjunction with Authenticator app on your phone. When an administrator logs in, a 6-digit code is sent via SMS to the phone that’s configured on your account.
9 – Get your website onto Cloudflare
A Cloudflare Free plan provides significant additional security layers. AND makes your New Zealand website load faster – particularly if you’ve got it hosted in the US, Aussie, Singapore or Europe etc.
Configuration is moderately complex:
- Create a Cloudflare account for your Domain. This imports your current DNS settings…
- You will be given the Name Server records to change on your domain registration account. Do that after configuring your Cloudflare account settings for your website .
Configure the account on Cloudflare account.
- You could use the WP Cloudflare Super Page Cache or the official Cloudflare plugin… these will configure many of the settings from within the plugin but neither are perfect at it.
- I think its best to do it manually…
Manual Cloudflare Settings:
#1 – Page Rules – these are essential because it controls what’s indexed on your site. See section** at end of the page.
#3 – Scrape Shield – activate to stop people hot-linking to your images
Enabling Cloudflare: going live
Go to your Domain Registration account.
Edit the Domain Name Server records: replace your current DNS with the new one provided in your Cloudflare account.
Wordfence Import Code *
The following code will configure the Brute Force Login settings, password strength and Scans etc to an adequately rigorous level.
After importing it, go to General Wordfence Options and change the “Where to email Alerts” address.
Cloudflare page Rules **
Getting these configured makes a huge difference to what is indexed. Preventing indexing of /wp-admin/ is essential.
Example page rules:
- Use the full path to the wp-login.php file and /wp-admin/ directory…
- The order in which the rules are loaded is critical!
- As are the settings within each rule…
At the end of the above exercise, you’ve made significant changes that will boost security and help protect your WordPress site from hackers.
If all of this seems daunting, help is at hand. I’m happy to install / configure all of the above for you…
References: WordPress Security