11 Steps to Secure Your WordPress Site and Deter Those Nasty Hackers

** Note from Matt **

Recently, our site was hacked. We were being told by customers and readers that our site was redirecting them to “adult” sites. We were losing sales, we were losing visitors, and we just generally looked bad to any new visitors coming to our site…

We panicked a little and hunted for a solution to this. We couldn’t find any articles or information about this issue. Then, due to the amazing power of Facebook groups, a magician named Chris Moore popped up to save the day.

Chris quickly cleaned up our sites and put some security measures in place to prevent these types of issues from happening again in the future.

Seeing as we couldn’t find a solution to this problem through our own searches, we begged Chris to write an article for our readers on how to solve and prevent this issue.

So, without further ado, here’s Chris’s (insanely in-depth) solution. Make sure you follow along and implement everything he recommends on your site!

** Enter Chris Moore **

Your super awesome, highly targeted, and hyper-clicked ads are running on Facebook and Twitter. Tons of people are visiting your site. All seems to be going well. Except that conversions are kind of low. “Hmmm… My ads don’t normally have this lackluster response, what’s going on?”

And then it gets worse, now you have angry visitors beating down your inbox door with outrageous claims that your links are redirecting them to porn sites! “What? How did this happen? What’s going on? Did I get hacked?”

You fire up your browser, click on your link, and… nothing. It just goes right to your site. So you scratch your head thinking, “Oh well, maybe it was just a coincidence.”

But it wasn’t. Another email or Facebook message comes in, and then another… Now they’re saying it only happens on mobile devices. So you crack out your iPhone and sure enough, straight to porn! “Ah man… I’ve been hacked!”

So how did you get here?

Well, there are a ton of ways: being victim to SQL injections; using weak passwords, which lead to a brute force login; having themes or plugins with vulnerabilities (it even happens to experienced developers!); not updating the WordPress core (especially when security issues are patched); and being the target of a hacker who has your site on their mind (and honestly, there isn’t much you can do there, especially if they are really good).

But more important than knowing the causes and methods, the real question is this: how can you prevent this from happening in the future? That’s what this post hopes to enlighten you on.

The 11 Steps Along the Path to Security Bliss

Here are a series of steps that you should take to protect yourself from a future hacking or malware infestation. Please note that these are not all the steps you can take, but these are very good ones, and will have you headed in the right direction.

You should also take these steps before you contact your host, or a professional, to help you to clean up your sites from a prior hacking. If possible, you should aim to complete these steps in the course of one day. If that simply isn’t possible (due to the number of sites you have), consider hiring some help, or set yourself a schedule by which you can complete these steps as soon as humanly possible.

And of course, if any of these steps feel too daunting or intimidating, or you just want things to be cleaned up and locked down for you, please feel free to get in touch with me here: https://theopguru.com/malware-cleanup/. I would be happy to serve you further!

And with that, on to the 11 steps!

1.) Backup, Backup, and Backup Again

If you don’t already have a backup routine, let’s make sure you have one starting now. Some hosts are kind enough to do daily backups for you (such as SiteGround and a number of other hosts, sometimes depending on which plan you have), but even if they do, you should never rely on just that.

I personally like to have 3 main locations for my backups at all times: my host’s backup (which is already on my server); an Amazon s3 backup; and a DropBox backup. You can of course use any service you want (and there are many, both free and paid), but the bottom line is you need to have multiple backups, in multiple locations. Just trust me on this.

Additionally, you should download any cloud-based backups to your desktop computer at least once every week or two, just in case. Paranoid, you say? Possibly, but it’s always better to be safe than sorry. (Remember that paper you wrote back in high school, the night before it was due? You were right about to finish it, and then, at the worst possible moment, the power went out, and you hadn’t saved it yet! Well, that happened to me a few decades ago and from that day forward I was never the same! Let us learn from our mistakes (or mine, in this case)).

(We use BackupBuddy for backups at Learn To Blog)

2.) Clean Up Yo Mess!

You will see a theme throughout this entire post, namely, we should try to keep our sites and servers as lean and clean as possible. Start by getting rid of all unnecessary clutter and stuff just lying around. For this step, I would like you to completely delete and remove any and all WordPress sites (the entire folders!) that you do not actually use or need. Just remove them completely. If you would like to keep them for the future, just go into your cPanel (specifically your host’s Control Panel > File Manger), then ZIP the folder associated with that site, download the ZIP, and then delete the original folder and the ZIP. This will save you from a lot of the work to follow below.

3.) Purge Unneeded Users and Demote Others

Delete all unused administrator level user accounts. This includes anyone with administrator privileges that doesn’t need them anymore: previous developers, former colleagues, etc. Also consider demoting anyone that doesn’t actually need administrator level access. Just go to WordPress > Users > Edit > Role, and then change the user role to either Editor, Author, or even Contributor (you can find out more about WordPress user capabilities and roles by clicking here).

4.) Delete the User with the Username “Admin”

“Admin” is the most common username, and it is also the most commonly attempted username in brute force login attempts. And although it isn’t difficult for someone to find out your username, why give it to them on a silver platter or expose yourself to the more bot-drive, automated attacks?

So, if you have a user with the username “admin”, login with another administrator account and delete that user. When you delete this user, it will ask you to assign all content to another user. Make sure to do so or you will lose all content created by that user! This is a very important step, so please don’t miss it! Again, make sure to assign the content created by that “admin” user to another user, or you will lose everything! Okay? Okay.

5.) Get Rid of Keepsakes

Human beings seem to have a tendency to hold on to things they don’t actually need. Well, with your WordPress site, this can be deadly (especially if you don’t have a backup). In this step, you should proactively delete any and all unused or deactivated plugins or themes on all of your sites. Get rid of the clutter. (Some choose to leave the Twenty Twelve theme as a backup theme, just in case, but that is up to you).

6.) Update, Update, and Update Again

This is probably the number one cause of your site getting hacked: not keeping up to date with WordPress, theme, and plugin updates. Almost every day new vulnerabilities are being discovered in WordPress themes and plugins (mainly plugins). Responsible and engaged developers are quick to patch these issues (sometimes even before the vulnerability is publicly known), and so we should be vigilant to update as soon as a new update arrives. I appreciate that sometimes updates can mess up your site (and I have dealt with this on my own sites at times), but please don’t let that stop you from updating, especially if the update concerns a security issue.

So, in this step, you should update all WordPress installations on your entire server, as well as all themes and plugins, to the latest versions. Yes, do this for every single WordPress site on your server. This step is absolutely essential, and as I said above, it’s probably the cause of most hacking and malware related issues in the first place!

7.) Change All Your WordPress Passwords

If your site was compromised, chances are that the hacker was able to get your password (either by a brute force attack, or after-the-fact, through other means). Regardless, it is a good habit to update your passwords every 3 – 6 months (I know, I know, it’s a hassle, but we want to be safe, right?).

So, in this step, change all the passwords for all of the remaining administrator or editor level users on all of your WordPress sites. Passwords, as a rule, should be “strong”, which means they should be unique, long, and obscure. Resist the urge to use short or duplicate passwords across your sites. Use programs like “1Password” or “LastPass” to manage all your passwords. You will thank me later for that suggestion. 🙂

8.) Limit the Doors of Entry

As you can see, there’s a theme developing here: if you don’t need it, get rid of it! In this step, I’m asking you to delete all FTP user accounts that are not needed. I personally only keep the main one and any accounts that are being used by a developer (which I will delete when the job is done).

However, when you do this, please make sure to keep the FTP content folders for any FTP users that you delete. The system should prompt you to keep the content and folders, so make sure you do so. I repeat, only delete the user itself, and not the content folders, or you will lose your content!

9.) Change Your Remaining FTP, cPanel, and Hosting Passwords

Now that you’ve gotten rid of the unnecessary clutter in your FTP accounts, you should change all the passwords for all the remaining FTP accounts, as well as the passwords for your main hosting account and cPanel. As mentioned above, passwords should always be unique, long, and obscure. Again, “1Password” and “LastPass” are your friends here.

10.) Ensure that File and Folder Permissions are Correct

If your host is worth being hosted with, they will do this for you. I have seen cases (a few, unfortunately), where the host will tell you you have to do this yourself. But since this is a really simple thing to do, I can’t image that a good host would push this task back on you. If that does happen though, even after you call and tell them you can’t figure it out, I would seriously consider changing hosts. But hopefully they will cooperate with you on this.

So, in this step, please call your host (or submit a support ticket) and ask them to verify the permissions for all files and folders on your server. Files should be set to 644 permissions and folders should be set to 755 permissions. This is the WordPress default and standard. You would be surprised how many insecure and crazy permissions I have seen while cleaning up hacked sites. Just double-check and be on the safe side.

11.) Install the Free WordFence Security Plugin

This step is probably one of the most critical in this entire series of steps, and that’s why I’ve saved it for last. WordFence Security is a godsend and a truly wonderful tool. Yes, there are many security plugins out there, and some may actually do more and have a fancier interface, but WordFence is not only free and effective, it is also fairly easy to use. Bottom line is, it gets the job done. Install it now.

Once you’ve installed it, please take the following steps (and this is the whole point of installing WordFence right here):

Go to WordFence > Options and set all your settings like the following screenshots (feel free to customize, but I would select all of the scan settings for sure though):

WordFence Basic Options
WordFence Basic Options
WordFence Alerts
WordFence Alerts
WordFence Scan Settings
WordFence Scan Settings
WordFence Login Security Settings
WordFence Login Security Settings
WordFence "Other" Options
WordFence “Other” Options

Once you have mimicked those settings, go to WordFence > Scan > Start a WordFence Scan.

The scan will take some time, but will yield some very useful information. Once you get the report, you may want to click on “Restore the original version of this file” for any warning that WordFence gives you, or you may just want to delete the plugin/theme in question altogether and reinstall it. It is entirely up to you and depends on your site and setup. Good thing you have backups though, right?

12.) 3 Powerful .htaccess Rules (for Advanced Users)

Yeah, I know, there are only supposed to be 11 steps, but I felt it would be a disservice to not include these powerful .htaccess rules that will further lock down your site from attacks. If you don’t feel comfortable doing this, please don’t. Reach out for help from a professional instead. If you do feel comfortable though, then dive on in, because these 3 rules alone will do wonders for your WordPress site’s security.

In the root folder of every WordPress installation you have, you should find an .htaccess file. If you don’t see it, it’s probably because your FTP client or cPanel settings aren’t configured to show “hidden” files. Ask your host about this. Once you find the .htaccess file, open it, and add the following lines to it (at the very bottom or very top should be fine):

# protect wp-config.php file
<files wp-config.php>
order allow,deny
deny from all
</files>

Those lines of code will protect your “wp-config.php” file, which is one of the most commonly hacked files that we see in the WordPress world.

# disable directory browsing
Options All -Indexes

That code disables the ability to browse website directories directly, which hackers may use to find exploits to help them get into your system. Can they still find other ways of getting information? Of course they can, but again, why make it easier for them to do so?

# protect from sql injection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

This last bit of somewhat complex code helps to prevent database script injections. Every little thing we can do helps.

If any of these three code snippets mess up your site in any way, just simply go back to your .htaccess file and delete the code. Chances are that you put it in the wrong place, or that your theme or plugins don’t want to play along. That’s okay, but definitely give these snippets a try nonetheless!

If any of this is over your head, or if your site was already hacked, please feel free to get in touch with me here: https://theopguru.com/malware-cleanup/. I usually get sites cleaned up within 24 hours of being contacted, and you get some free tips, tricks, and consulting along the way.

Let the Comments Begin!

If you have any questions or comments, please do leave them below. I know that this is a hot topic, and people have tons of opinions on security. Please realize that this post does not mention everything, and does not claim to be the ultimate solution to WordPress security. It is simply a step in the right direction and will help greatly. With that in mind, comment away!