WordPress Security

WordPress website security is a major concern these days: thousands of WordPress sites are compromised daily. A compromise hurts the site's SEO and ranking, wastes bandwidth, and damages the site's reputation. The uncomfortable truth is that most owners only notice when the site is visually defaced, when unusual things happen such as popups or external links, when spam pages are indexed in Google, or when Google attaches its “Hacked Site” label.

The obvious question is why your site was hacked and for what purpose. There can be many reasons: the attacker may want to improve their own search ranking by using your site, to host files on your hosting account and save their own bandwidth, to advertise products on your popular site, to steal money by tampering with your payment gateway settings, to lure away your customers, or to get at your customers' personal, payment or credit card data.

There are certain things you can do to your WordPress site to improve the security before it’s too late.

Keep WordPress themes and plugins updated, and configure automatic updates

Remove unused themes and plugins, use only trusted third-party plugins, and update your themes and plugins regularly.

To configure automatic updates, see
https://codex.wordpress.org/Configuring_Automatic_Background_Updates

Change the WordPress default user, page and post

Delete the default “admin” user and create a new user instead. Delete the default page and post. Disable comments on pages and posts that do not need them; this is done under Settings => Discussion.

File / Directory Permissions

Change all file permissions to 644 and all directory permissions to 755. Make sure no file or directory is left with 777 permissions.

Run the commands below from the command line to apply this to the whole install:

find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
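The check that belongs next to those two commands, as an added example that is not part of the original post: list anything still world-writable (777 is only the most common case), apply the fix, and confirm nothing is left. The sample tree and its permission mistakes are constructed for the demo; it assumes a POSIX shell with find, chmod and mktemp.

```shell
#!/bin/sh
# Added example, not from the original post: audit a WordPress tree for the
# permission mistakes the post warns about, apply the post's fix, re-check.

# Print every file or directory under $1 whose "other" write bit is set.
# -perm -002 catches 777, 776, 666 and any other world-writable mode.
list_world_writable() {
    find "$1" ! -type l -perm -002 \( -type f -o -type d \) | sort
}

# Same check, but return only how many offenders were found.
count_world_writable() {
    find "$1" ! -type l -perm -002 \( -type f -o -type d \) | wc -l | tr -d ' '
}

# The post's fix: 755 for directories, 644 for files.
fix_perms() {
    find "$1" -type d -exec chmod 755 {} \;
    find "$1" -type f -exec chmod 644 {} \;
}

# Constructed stand-in for an install: two deliberate mistakes, one good file.
# Modes are set explicitly so the demo does not depend on the caller's umask.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/uploads" "$site/wp-includes"
    chmod 755 "$site/wp-content" "$site/wp-includes"
    echo '<?php' > "$site/wp-config.php"
    echo '<?php' > "$site/wp-includes/version.php"
    chmod 777 "$site/wp-content/uploads"       # world-writable upload dir
    chmod 666 "$site/wp-config.php"            # world-writable config
    chmod 644 "$site/wp-includes/version.php"  # already correct
    echo "$site"
}

# Walk-through when run directly: report, fix, report again.
site=$(make_sample_site)
echo "world-writable before fix:"; list_world_writable "$site"
fix_perms "$site"
echo "offenders after fix: $(count_world_writable "$site")"
rm -rf "$site"
```

Point the functions at your real install path instead of the sample tree; the audit is read-only, only fix_perms changes anything.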

.htaccess control

Disable directory indexing and the server signature, and protect wp-includes and wp-admin. Add these rules above the “# BEGIN WordPress” marker, because WordPress regenerates everything between its own BEGIN and END markers whenever permalinks are saved. On a multisite install, leave out the “wp-includes/[^/]+\.php$” rule, as it blocks ms-files.php.

Options -Indexes
ServerSignature Off

# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

# BEGIN WordPress

Secure .htaccess and wp-config.php

# Secure .htaccess
<files .htaccess>
order allow,deny
deny from all
</files>

# Secure wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>

These directives use the Apache 2.2 access-control syntax; on Apache 2.4 use “Require all denied” inside the same <files> blocks instead.

Disable file editing in wp-config.php

Add the line below to wp-config.php to remove the theme and plugin editor from the dashboard, so a compromised administrator account cannot be used to edit PHP files from the browser.

# Disable editing in the dashboard
define('DISALLOW_FILE_EDIT', true);

For more information, see
https://codex.wordpress.org/Hardening_WordPress

Install a trusted security plugin and use a captcha

Use a trusted security plugin. Add a captcha to every form that anyone can reach; this blocks bots while still letting humans through.

Back up periodically

Backups are essential for recovering a site quickly. Configure weekly or daily automatic backups with your host, or take manual backups.

Things to do if the site is hacked

If you have a recent backup, you can quickly restore the entire site.

Take a full backup of the hacked site, including the database and logs, so you can investigate further and find the root cause later.

Put up a maintenance mode page. Do not confuse a “coming soon” page with maintenance mode.

Make sure the maintenance page returns HTTP status 503, which tells search engines that the site is temporarily down.

Do not simply update WordPress: an update only replaces the existing core files and does not remove any injected files.

Download a fresh copy of WordPress and add the required theme and plugins, so the core is restored clean. Do not copy the theme and plugins from the hacked site; fetch the originals again and re-apply your child theme changes.

Manually check every table with custom queries for external links, spam characters, and style and script tags in the content. Clean each table by hand.
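The table check done offline, as an added example that is not part of the original post: export the wp_posts rows to a file and scan each body for injected markup and for links that point off-site, so you get a short list of post IDs to clean instead of reading every row. The export format (ID, a tab, then post_content, one row per line), the hypothetical host example.com and every other domain below are constructed for the demo; it assumes a POSIX shell with grep, sort and mktemp.

```shell
#!/bin/sh
# Added example, not from the original post: triage an export of wp_posts
# for the injected markup and external links the post says to hunt for.

# Markup that has no business in a normal post body.
INJECTED='<script|<iframe|<style|eval\(|base64_decode|display: *none'

# $1 = export file, $2 = the site's own host (links to it are not reported).
# Prints "ID<TAB>reason" for each suspicious row; clean rows print nothing.
scan_posts() {
    own_host="$2"
    while IFS="$(printf '\t')" read -r id body; do
        reason=""
        printf '%s' "$body" | grep -E -q "$INJECTED" && reason="injected-markup"
        # every absolute link in the body, minus links to our own host
        ext=$(printf '%s' "$body" \
              | grep -E -o 'https?://[^/"'"'"' >]+' \
              | grep -v -x -F -e "http://$own_host" -e "https://$own_host" \
              | sort -u | tr '\n' ' ')
        [ -n "$ext" ] && reason="${reason:+$reason,}external-link:${ext% }"
        [ -n "$reason" ] && printf '%s\t%s\n' "$id" "$reason"
    done < "$1"
    return 0
}

# Number of rows that need a manual look.
count_suspicious() { scan_posts "$1" "$2" | wc -l | tr -d ' '; }

# Constructed export: two clean rows, two showing typical injections.
make_sample_export() {
    f=$(mktemp)
    {
      printf '%s\t%s\n' 1 '<p>Welcome to <a href="https://example.com/about">our site</a></p>'
      printf '%s\t%s\n' 2 '<p>A normal post with nothing to see.</p>'
      printf '%s\t%s\n' 3 '<p>Hi</p><script src="https://evil-cdn.example.net/x.js"></script>'
      printf '%s\t%s\n' 4 '<div style="display:none"><a href="https://pills.example.org">buy</a></div>'
    } > "$f"
    echo "$f"
}

# Walk-through when run directly.
f=$(make_sample_export)
scan_posts "$f" example.com
rm -f "$f"
```

Run the same scan over exports of wp_postmeta and wp_options too, since injected code is often stored there rather than in the post body.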

Your site is now recovered but not yet secure; it is likely to be hacked again while the root cause remains unknown.

So examine the backup of the hacked site to find the cause. It may be a third-party plugin, your theme, a hosting issue, an old version of an unused plugin, or an outdated WordPress core. Check the logs and fix the problem as soon as possible, before the next attempt is made.

Now open Google Webmaster Tools and verify your site.

Remove the sitemap the hacker submitted and submit a fresh one. Then submit your site to Google for reconsideration.

Check which pages of your site are indexed by searching “site:yourdomain.com” in Google.

Remove the hacker's indexed pages with the URL Removal tool.

Make sure every indexed hacker page returns a 404 status.

Removal can take months, depending on how many spam pages were indexed.

Hope this helped you.
