11 Steps to Secure Your WordPress Site and Deter Those Nasty Hackers

** Note from Matt **

Recently, our site was hacked. We were being told by customers and readers that our site was redirecting them to “adult” sites. We were losing sales, we were losing visitors, and we just generally looked bad to any new visitors coming to our site…

We panicked a little and hunted for a solution to this. We couldn’t find any articles or information about this issue. Then, due to the amazing power of Facebook groups, a magician named Chris Moore popped up to save the day.

Chris quickly cleaned up our sites and put some security measures in place to prevent these types of issues from happening again in the future.

Seeing as we couldn’t find a solution to this problem through our own searches, we begged Chris to write an article for our readers on how to solve and prevent this issue.

So, without further ado, here’s Chris’s (insanely in-depth) solution. Make sure you follow along and implement everything he recommends on your site!

** Enter Chris Moore **

Your super awesome, highly targeted, and hyper-clicked ads are running on Facebook and Twitter. Tons of people are visiting your site. All seems to be going well. Except that conversions are kind of low. “Hmmm… My ads don’t normally have this lackluster response, what’s going on?”

And then it gets worse, now you have angry visitors beating down your inbox door with outrageous claims that your links are redirecting them to porn sites! “What? How did this happen? What’s going on? Did I get hacked?”

You fire up your browser, click on your link, and… nothing. It just goes right to your site. So you scratch your head thinking, “Oh well, maybe it was just a coincidence.”

But it wasn’t. Another email or Facebook message comes in, and then another… Now they’re saying it only happens on mobile devices. So you crack out your iPhone and sure enough, straight to porn! “Ah man… I’ve been hacked!”

So how did you get here?

Well, there are a ton of ways: being victim to SQL injections; using weak passwords, which lead to a brute force login; having themes or plugins with vulnerabilities (it even happens to experienced developers!); not updating the WordPress core (especially when security issues are patched); and being the target of a hacker who has your site on their mind (and honestly, there isn’t much you can do there, especially if they are really good).

But more important than knowing the causes and methods, the real question is this: how can you prevent this from happening in the future? That’s what this post hopes to enlighten you on.

The 11 Steps Along the Path to Security Bliss

Here are a series of steps that you should take to protect yourself from a future hacking or malware infestation. Please note that these are not all the steps you can take, but these are very good ones, and will have you headed in the right direction.

You should also take these steps before you contact your host, or a professional, to help you to clean up your sites from a prior hacking. If possible, you should aim to complete these steps in the course of one day. If that simply isn’t possible (due to the number of sites you have), consider hiring some help, or set yourself a schedule by which you can complete these steps as soon as humanly possible.

And of course, if any of these steps feel too daunting or intimidating, or you just want things to be cleaned up and locked down for you, please feel free to get in touch with me here: https://theopguru.com/malware-cleanup/. I would be happy to serve you further!

And with that, on to the 11 steps!

1.) Backup, Backup, and Backup Again

If you don’t already have a backup routine, let’s make sure you have one starting now. Some hosts are kind enough to do daily backups for you (such as SiteGround and a number of other hosts, sometimes depending on which plan you have), but even if they do, you should never rely on just that.

I personally like to have 3 main locations for my backups at all times: my host’s backup (which is already on my server); an Amazon s3 backup; and a DropBox backup. You can of course use any service you want (and there are many, both free and paid), but the bottom line is you need to have multiple backups, in multiple locations. Just trust me on this.

Additionally, you should download any cloud-based backups to your desktop computer at least once every week or two, just in case. Paranoid, you say? Possibly, but it’s always better to be safe than sorry. (Remember that paper you wrote back in high school, the night before it was due? You were right about to finish it, and then, at the worst possible moment, the power went out, and you hadn’t saved it yet! Well, that happened to me a few decades ago and from that day forward I was never the same! Let us learn from our mistakes (or mine, in this case)).

(We use BackupBuddy for backups at Learn To Blog)
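As an added illustration of the "multiple locations, and verify" advice above (this is example code, not part of the original article and not BackupBuddy), here is a small POSIX shell script that archives a WordPress directory, records a SHA-256 checksum, copies both to every destination you name, and verifies each copy in place. A backup you have never verified is not a backup. The function and directory names are my own, and it assumes GNU `sha256sum` and `tar`; on a real host you would add a `mysqldump` of the database to the same archive.

```shell
#!/bin/sh
# Example backup script (not from the article). Assumes tar and GNU sha256sum.
# Archives SRC_DIR, writes site-<timestamp>.tar.gz plus a .sha256 file to every
# destination given, and verifies each copy against the checksum.

# backup_site SRC_DIR DEST_DIR... -> prints the archive name; non-zero if any copy fails to verify
backup_site() {
    src="$1"; shift
    stamp=$(date +%Y%m%d-%H%M%S)
    name="site-$stamp.tar.gz"
    work=$(mktemp -d)
    # -C so the archive stores relative paths, not the absolute /var/www/... prefix
    tar -czf "$work/$name" -C "$(dirname "$src")" "$(basename "$src")"
    ( cd "$work" && sha256sum "$name" > "$name.sha256" )
    for dest in "$@"; do
        mkdir -p "$dest"
        cp "$work/$name" "$work/$name.sha256" "$dest/"
        # verify the copy where it landed, not the source: that is the copy you will restore from
        ( cd "$dest" && sha256sum -c --status "$name.sha256" ) || { rm -rf "$work"; return 1; }
    done
    rm -rf "$work"
    echo "$name"
}

# verify_backup DEST_DIR ARCHIVE_NAME -> re-check an existing copy, e.g. on your
# desktop after downloading it from S3 or Dropbox
verify_backup() {
    ( cd "$1" && sha256sum -c --status "$2.sha256" )
}

# Usage on a real host (commented so the file can be sourced safely):
#   backup_site /var/www/html /mnt/host-backups /mnt/s3-sync /mnt/dropbox
```

The checksum file travels with the archive, so a corrupted or truncated upload is caught at verification time rather than on the day you need to restore.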

2.) Clean Up Yo Mess!

You will see a theme throughout this entire post, namely, we should try to keep our sites and servers as lean and clean as possible. Start by getting rid of all unnecessary clutter and stuff just lying around. For this step, I would like you to completely delete and remove any and all WordPress sites (the entire folders!) that you do not actually use or need. Just remove them completely. If you would like to keep them for the future, just go into your cPanel (specifically your host’s Control Panel > File Manager), then ZIP the folder associated with that site, download the ZIP, and then delete the original folder and the ZIP. This will save you from a lot of the work to follow below.

3.) Purge Unneeded Users and Demote Others

Delete all unused administrator level user accounts. This includes anyone with administrator privileges that doesn’t need them anymore: previous developers, former colleagues, etc. Also consider demoting anyone that doesn’t actually need administrator level access. Just go to WordPress > Users > Edit > Role, and then change the user role to either Editor, Author, or even Contributor (you can find out more about WordPress user capabilities and roles by clicking here).

4.) Delete the User with the Username “Admin”

“Admin” is the most common username, and it is also the most commonly attempted username in brute force login attempts. And although it isn’t difficult for someone to find out your username, why give it to them on a silver platter or expose yourself to the more bot-driven, automated attacks?

So, if you have a user with the username “admin”, log in with another administrator account and delete that user. When you delete this user, it will ask you to assign all content to another user. Make sure to do so or you will lose all content created by that user! This is a very important step, so please don’t miss it! Again, make sure to assign the content created by that “admin” user to another user, or you will lose everything! Okay? Okay.

5.) Get Rid of Keepsakes

Human beings seem to have a tendency to hold on to things they don’t actually need. Well, with your WordPress site, this can be deadly (especially if you don’t have a backup). In this step, you should proactively delete any and all unused or deactivated plugins or themes on all of your sites. Get rid of the clutter. (Some choose to leave the Twenty Twelve theme as a backup theme, just in case, but that is up to you).

6.) Update, Update, and Update Again

This is probably the number one cause of your site getting hacked: not keeping up to date with WordPress, theme, and plugin updates. Almost every day new vulnerabilities are being discovered in WordPress themes and plugins (mainly plugins). Responsible and engaged developers are quick to patch these issues (sometimes even before the vulnerability is publicly known), and so we should be vigilant to update as soon as a new update arrives. I appreciate that sometimes updates can mess up your site (and I have dealt with this on my own sites at times), but please don’t let that stop you from updating, especially if the update concerns a security issue.

So, in this step, you should update all WordPress installations on your entire server, as well as all themes and plugins, to the latest versions. Yes, do this for every single WordPress site on your server. This step is absolutely essential, and as I said above, it’s probably the cause of most hacking and malware related issues in the first place!

7.) Change All Your WordPress Passwords

If your site was compromised, chances are that the hacker was able to get your password (either by a brute force attack, or after-the-fact, through other means). Regardless, it is a good habit to update your passwords every 3 – 6 months (I know, I know, it’s a hassle, but we want to be safe, right?).

So, in this step, change all the passwords for all of the remaining administrator or editor level users on all of your WordPress sites. Passwords, as a rule, should be “strong”, which means they should be unique, long, and obscure. Resist the urge to use short or duplicate passwords across your sites. Use programs like “1Password” or “LastPass” to manage all your passwords. You will thank me later for that suggestion. 🙂

8.) Limit the Doors of Entry

As you can see, there’s a theme developing here: if you don’t need it, get rid of it! In this step, I’m asking you to delete all FTP user accounts that are not needed. I personally only keep the main one and any accounts that are being used by a developer (which I will delete when the job is done).

However, when you do this, please make sure to keep the FTP content folders for any FTP users that you delete. The system should prompt you to keep the content and folders, so make sure you do so. I repeat, only delete the user itself, and not the content folders, or you will lose your content!

9.) Change Your Remaining FTP, cPanel, and Hosting Passwords

Now that you’ve gotten rid of the unnecessary clutter in your FTP accounts, you should change all the passwords for all the remaining FTP accounts, as well as the passwords for your main hosting account and cPanel. As mentioned above, passwords should always be unique, long, and obscure. Again, “1Password” and “LastPass” are your friends here.

10.) Ensure that File and Folder Permissions are Correct

If your host is worth being hosted with, they will do this for you. I have seen cases (a few, unfortunately), where the host will tell you that you have to do this yourself. But since this is a really simple thing to do, I can’t imagine that a good host would push this task back on you. If that does happen though, even after you call and tell them you can’t figure it out, I would seriously consider changing hosts. But hopefully they will cooperate with you on this.

So, in this step, please call your host (or submit a support ticket) and ask them to verify the permissions for all files and folders on your server. Files should be set to 644 permissions and folders should be set to 755 permissions. This is the WordPress default and standard. You would be surprised how many insecure and crazy permissions I have seen while cleaning up hacked sites. Just double-check and be on the safe side.
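If you have shell access and want to check the 644/755 defaults yourself (or confirm what your host did), here is an added example, not from the article, of a POSIX shell audit-and-repair script. It lists every file that is not 644 and every directory that is not 755, reports the count, and can apply the defaults in two separate passes so directories never lose their execute bit. The function names are my own; it assumes `find` and `chmod` and should be run as the user that owns the WordPress files.

```shell
#!/bin/sh
# Example permission audit for a WordPress tree (not from the article).
# Target modes as the article recommends: files 644, directories 755.

# audit_perms ROOT -> prints offending paths to stderr, the count to stdout
audit_perms() {
    root="$1"
    # -perm 0644 / 0755 is an exact mode match; '!' selects everything else
    offenders=$( { find "$root" -type f ! -perm 0644; find "$root" -type d ! -perm 0755; } )
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders" >&2
        printf '%s\n' "$offenders" | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# fix_perms ROOT -> apply the defaults. Directories first, files second, so a
# blanket "chmod 644" never strips the execute bit a directory needs to be traversed.
fix_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Usage on a real host (commented so the file can be sourced safely):
#   audit_perms /var/www/html      # review the list first
#   fix_perms   /var/www/html      # then apply
```

Run the audit first and read the list: a handful of odd modes (a 777 uploads folder, a 666 wp-config.php) are exactly the "crazy permissions" that turn up on compromised sites, and they tell you where to look.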

11.) Install the Free WordFence Security Plugin

This step is probably one of the most critical in this entire series of steps, and that’s why I’ve saved it for last. WordFence Security is a godsend and a truly wonderful tool. Yes, there are many security plugins out there, and some may actually do more and have a fancier interface, but WordFence is not only free and effective, it is also fairly easy to use. Bottom line is, it gets the job done. Install it now.

Once you’ve installed it, please take the following steps (and this is the whole point of installing WordFence right here):

Go to WordFence > Options and set all your settings like the following screenshots (feel free to customize, but I would select all of the scan settings for sure though):

[Screenshots: WordFence Basic Options; WordFence Alerts; WordFence Scan Settings; WordFence Login Security Settings; WordFence “Other” Options]

Once you have mimicked those settings, go to WordFence > Scan > Start a WordFence Scan.

The scan will take some time, but will yield some very useful information. Once you get the report, you may want to click on “Restore the original version of this file” for any warning that WordFence gives you, or you may just want to delete the plugin/theme in question altogether and reinstall it. It is entirely up to you and depends on your site and setup. Good thing you have backups though, right?

12.) 3 Powerful .htaccess Rules (for Advanced Users)

Yeah, I know, there are only supposed to be 11 steps, but I felt it would be a disservice to not include these powerful .htaccess rules that will further lock down your site from attacks. If you don’t feel comfortable doing this, please don’t. Reach out for help from a professional instead. If you do feel comfortable though, then dive on in, because these 3 rules alone will do wonders for your WordPress site’s security.

In the root folder of every WordPress installation you have, you should find an .htaccess file. If you don’t see it, it’s probably because your FTP client or cPanel settings aren’t configured to show “hidden” files. Ask your host about this. Once you find the .htaccess file, open it, and add the following lines to it (at the very bottom or very top should be fine):

# protect wp-config.php file: deny every web request for it
# (Apache 2.2 syntax; Apache 2.4 accepts it when mod_access_compat is loaded)
<Files wp-config.php>
order allow,deny
deny from all
</Files>

Those lines of code will protect your “wp-config.php” file, which is one of the most commonly hacked files that we see in the WordPress world.

# disable directory browsing
# (relative form only: Apache rejects "Options All -Indexes" because the absolute
# and +/- forms cannot be mixed on one line)
Options -Indexes

That code disables the ability to browse website directories directly, which hackers may use to find exploits to help them get into your system. Can they still find other ways of getting information? Of course they can, but again, why make it easier for them to do so?

# reject query strings that carry a <script> tag or try to override the
# PHP GLOBALS / _REQUEST arrays; matching requests get 403 Forbidden
# (+FollowSymLinks is required by mod_rewrite on some hosts; remove the
# Options line if your host does not allow Options in .htaccess)
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

This last, somewhat complex snippet rejects any request whose query string contains a <script> tag or an attempt to overwrite PHP’s GLOBALS or _REQUEST arrays, returning 403 Forbidden instead of handing the request to WordPress. It is a coarse pattern filter rather than real SQL injection protection (that comes from code that uses prepared statements, which WordPress’s $wpdb->prepare() provides), but every little thing we can do helps.

If any of these three code snippets mess up your site in any way, just simply go back to your .htaccess file and delete the code. Chances are that you put it in the wrong place, or that your theme or plugins don’t want to play along. That’s okay, but definitely give these snippets a try nonetheless!

If any of this is over your head, or if your site was already hacked, please feel free to get in touch with me here: https://theopguru.com/malware-cleanup/. I usually get sites cleaned up within 24 hours of being contacted, and you get some free tips, tricks, and consulting along the way.

Let the Comments Begin!

If you have any questions or comments, please do leave them below. I know that this is a hot topic, and people have tons of opinions on security. Please realize that this post does not mention everything, and does not claim to be the ultimate solution to WordPress security. It is simply a step in the right direction and will help greatly. With that in mind, comment away!

Blog Security 101 – Part 2

The first part of this article covered some of the basics when it comes to WordPress security. This installment will focus on some of the basic steps you can take to address some of the vulnerabilities that are common to web applications and those that are unique to WordPress itself.

A Foundation in Good Security

Before we start with installing plugins or changing file and folder permissions we need to start with you and your computer.

Think about it, you are the Admin of your blog; you have control over everything and you use your computer to access that blog. If these two things are not secured then it doesn’t matter what else you do as far as security is concerned, your blog will be easy to compromise.

Is your computer malware free?

Before you install WordPress onto your server, before you create the database, before you do anything related to your blog, make sure that your computer is free of viruses, worms, Trojan Horses, spyware, etc. Malware that resides on your computer has the ability to log every action you take and report it back to another computer. If it sees you log in to your bank, it can capture your account and password information; likewise, if it sees you log in to www.yourblogname.com/wp-admin it can capture your username and password. If the bad guys have this information then they own your site. Make sure that you update your anti-virus software and run it frequently. If you already have a blog set up, take this precaution anyway. If you find malware on your computer, clean it off and change your password immediately. Check to see if any additional admin accounts have been created as well; if they are not ones you recognize then you should think about deleting them.

Speaking of passwords…

Are you one of those people who use a strong password? That’s good, as long as you use different strong passwords for all of your different accounts. People who use the same password over multiple accounts run the risk of that password being compromised somewhere. If an attacker has that and it works on all of your accounts then they have access to everything. Instead of just password complexity, think password diversity. If you have trouble remembering all of those passwords then use a piece of software known as a password safe to store them in.

Stay up to date

One final word on security fundamentals; stay up to date. It was mentioned that your anti-virus software should be up to date at all times. This is so it can identify all of the latest malware that is out there. Likewise, your WordPress installation should be up to date and all of your plugins should be as well. These updates usually address any known vulnerabilities in the code itself.

The Plugins

One of the easiest ways to add functionality to any blog is by using a plugin. Plugins, however, can be a way for you to better secure your blog but they can also be a way for someone to breach it as well.

Plugins contain code, and it is that very code that may be vulnerable to an attack so it is important that you keep your plugins updated but that you also remove any plugins you are not using on your blog. While you are at it, remove any themes that are not being used as well as these may contain vulnerabilities also. For this reason you should only install themes and plugins that come from reliable, trusted sources.

As previously stated, plugins can also be used to help secure your blog. At a minimum, you should install plugins to handle the following:

  • System hardening
  • System scanning
  • File monitoring
  • Firewall tasks
  • Backup and recovery

One plugin, Better WP Security, takes care of most of the items in the aforementioned list. It will help hide essential information from potential attackers by taking steps like changing the URLs for the dashboard, renaming the admin account, changing the database table prefixes and much more. It will also protect the application itself by forcing strong passwords, limiting file editing and scanning a site to find vulnerabilities, among other things. Other features included in this plugin are the ability to monitor the file system for changes, schedule backups of your database and look out for automated attacks from bots.

The drawback to this plugin? It isn’t fully functional for blogs that have WordPress installed on Windows IIS server; it will only work to its fullest on Apache, LiteSpeed or NGINX web servers (NGINX servers will require you to manually edit your virtual host configuration). If you are unsure which operating system your server runs, check with your hosting provider to make sure.

If Better WP Security isn’t the plugin you want to go with, there are others that can handle different aspects of security for your blog. One of the most highly regarded plugins is Acunetix WP Security. Created by a leader in the web application security space, this plugin will do many of the same things that Better WP Security does to obscure information from attackers, harden the system and back up your blog. What it does not do is monitor files to see if anything has been changed, and it does not have the same ability to thwart attacks from bots and other agents. There are some other features that it does not have that can be found in Better WP Security; however, Acunetix does work on Windows IIS web servers as well as Apache, LiteSpeed and NGINX. It will also scan your blog and provide a security overview report with information on any vulnerability it finds. This alone makes WP Security worth a look, as Acunetix sells professional vulnerability scanning tools to many leading security firms.

Your blog should also run a web application firewall in front of it to protect against outside attacks. Plugins like NinjaFirewall for WordPress will protect against threats like cross-site scripting, brute-force scanners and shell scripts. It will also sanitize input to guard against attacks like SQL injection and block attackers from scanning your site for vulnerabilities. These tools are so important that the credit card companies strongly suggest they be used on any e-commerce site. This one is free and provides a solid barrier of protection for your blog.

There is one other plugin that needs to be mentioned as it takes the place of all three of the ones mentioned here and that is the Sucuri WordPress plugin. Not only is it the most comprehensive security plugin you will find, customers also have access to a great support team if they run into any configuration or management problems. Unlike the others, Sucuri does come with a yearly subscription fee but if your blog is part of your business it might just be worth the $90.

Using the .htaccess file

Many security checklists will tell you to change file and folder permissions, and this is a good thing because it helps prevent unauthorized access to your site’s files. That isn’t covered here too much because the plugins that were mentioned will take care of this. If you want to do this yourself, you can do so using any FTP program and following the guidelines under the File Permissions section here: http://codex.wordpress.org/Hardening_WordPress.

While file permissions will not be looked at, making some changes to the .htaccess file will be. This file defines access control to certain areas of your web site, and in this instance your WordPress site.

In order to edit the .htaccess file you will need to use an FTP program. Most web hosting companies offer this as part of their management console so this will do for making changes to the file.

Once opened you should see something that looks like this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

We are going to add some things after the # END WordPress so that when you update WordPress your changes will not be overwritten.

The first file to protect is wp-config.php that stores information about the database and the site itself. To the .htaccess file add:

<Files wp-config.php>
order allow,deny
deny from all
</Files>

Once saved, this will deny outside access to wp-config.php.

You can also add a snippet of code to this file to protect the .htaccess file as well. Using:

<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

will do just that.
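One way to apply these rules (the wp-config.php and .ht* protection shown here, plus the directory-listing switch from step 12 of the first article) without editing by hand, as an added example that is not part of either article: a POSIX shell script that appends a hardening block after the `# END WordPress` marker, only once, and writes both the Apache 2.4 `Require all denied` form and the 2.2 `Order/Deny` form inside `<IfModule>` tests so the same block works on either version. The `# BEGIN hardening` / `# END hardening` markers and the `.bak` copy are my own choices, and it assumes the file already contains a standard WordPress block.

```shell
#!/bin/sh
# Example .htaccess hardening script (not from either article).
# Appends a block after "# END WordPress"; core updates only rewrite the
# BEGIN/END WordPress section, so the block survives them.
MARK='# BEGIN hardening'

# The rules themselves. mod_authz_core exists only on Apache 2.4, so the
# IfModule tests select the right access-control syntax automatically.
hardening_block() {
cat <<'EOF'
# BEGIN hardening
# Deny web access to wp-config.php (database credentials and auth keys)
<Files wp-config.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
# Deny web access to .htaccess, .htpasswd and any other .ht* file
<Files ~ "^\.ht">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
# Disable directory listings (relative form; "All -Indexes" is rejected by Apache)
Options -Indexes
# END hardening
EOF
}

# harden_htaccess FILE -> idempotent; returns 0 when the file holds exactly one block
harden_htaccess() {
    f="$1"
    if ! grep -qF "$MARK" "$f"; then
        cp "$f" "$f.bak"                      # keep a copy so the change is trivially reversible
        { printf '\n'; hardening_block; } >> "$f"
    fi
    [ "$(grep -cF "$MARK" "$f")" -eq 1 ]
}

# Usage on a real host (commented so the file can be sourced safely):
#   harden_htaccess /var/www/html/.htaccess
```

After running it, request `/wp-config.php` and `/.htaccess` from a browser: both should return 403. If the site itself breaks instead, your host probably disallows `Options` in `.htaccess` (`AllowOverride` without `Options`); restore the `.bak` copy and drop that one line.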

Securing a WordPress site means being constantly vigilant. The methods attackers use to compromise sites are always evolving. They discover new vulnerabilities every day, so staying on top of things is paramount.

While no site will ever be 100% secure against attack, these tools will certainly help keep most of the bad guys out and will alert you to any that do make their way past your defenses.

Blog Security 101 – Part 1


There is no doubt that WordPress is the most popular web application for building a presence on the Internet. Currently, there are over 74 million web sites using WordPress and that number makes up a staggering 18.9 percent of all web sites on the Internet. But being so popular has a price; when the bad guys know that so many people use your software it becomes a target. Add to the mix the fact that your application is so easy to use that people without a great deal of technical knowledge can operate it and you start to make malicious hackers salivate; just ask Microsoft.

According to research conducted by the security firm Sophos, 73 percent of WordPress installations are found to be vulnerable to attack. This means that the application has not been hardened by the site’s owner to the point where an attacker could not break into the site by exploiting any known vulnerabilities.

If those facts have you worried take a deep breath and relax. We’re going to show you some ways that you can better secure your blog against malicious hackers and make it difficult enough that most attackers will move on to an easier target and leave your site alone.

The very basics

If we are going to look at security from the ground up it is important to understand some of the terminology that is thrown around. The word hacker is used outside of the security industry to describe the bad guys who are trying to compromise your blog. The pros, on the other hand, opt for the terms threat actor, criminal or attacker; most of them despise the term cybercriminal. A breach is when a threat actor successfully breaks into your system, in this case your blog, and this is done by exploiting a vulnerability.

Most of the time, we think of the attacker as someone who is trying to break into our site so they can steal financial information like credit card numbers or usernames and passwords. These are common targets of the threat actor, but they are not the only reasons why they might target your blog.

Blogs are targeted by some attackers to help other sites rank better in the search engine results. A blog is breached and the attacker injects links to another web site in the comment section or even in the posts themselves. These links might not be easy to spot, since the attacker can easily remove the text-decoration and change the color of the anchor text. These links can harm the reputation of the breached site since they often point to low-quality sites, web sites that promote illegal or illicit activities, or sites that host malware. Which brings us to another reason why WordPress sites are often targeted.

One of the most common reasons why a site might be attacked is so that the criminal behind the attack can upload malware to the targeted site. When this happens the malware can be used to exploit vulnerabilities in the web browsers of the site’s visitors. Malware is then loaded onto the visitor’s computer just because they went to a blog, and it might even be a blog that they trust. Sites that are guilty of this are flagged by search engines like Google and are usually removed from the results costing the site a great deal of traffic and causing a great deal of damage to that site’s reputation.

The last type of attack we will mention here is known as a Denial of Service attack. This occurs when the attacker knocks a site offline so that legitimate visitors cannot access it. Usually this is done by flooding the server with enough traffic and requests that the web server that hosts the site just gives up. Attackers use other people’s computers to do this (machines that have been infected by malware and taken over) or other techniques. These attacks can come at the hands of a hacktivist, or someone who is trying to take the site down for political or social means; a competing business or web site; and sometimes these attacks come from a young threat actor who is trying to hone their skills.

How they get in

We mentioned vulnerabilities earlier as the way attackers breach a blog. These vulnerabilities can come from a number of places:

  • The WordPress code itself
  • A plugin
  • A template
  • Brute force attacks
  • The user

WordPress itself is a software application and at times, people find holes in the code. Many times, it is the wp-config file or the wp-includes folder that are targeted. When these holes are found, the people who maintain WordPress work to patch it so that the hole is no longer a vulnerability. This is one reason why WordPress is updated and the most important reason to make sure that you are always running the most current version of WordPress on your site.

Plugins present the same problem; they consist of code and can have holes in them that allow attackers in. For this reason, you should be careful about what plugins you install on your site, and you should make certain to remove any plugins that are not being used. Plugins have also been known to have exploits written into them with the purpose of giving attackers access to any site that installs and activates them. This is not a common scenario, but it has happened. The best way to avoid this is to install plugins from the WordPress Plugin Directory. This is much safer than downloading the plugin from another site to install, as WordPress monitors the plugins in their directory.

Likewise, templates have been known to house security holes as well. Those inactive themes that are sitting in the themes directory and haven’t been updated since you installed them could be just the thing an attacker is looking for. There have also been themes that contained malicious code in them that can be used for nefarious things.

Brute force attacks are another common method used to breach WordPress blogs. An automated system seeks out blogs running the WordPress application and then goes to work trying to guess the password for the admin username. Since most blogs keep the admin account active, and with administrative rights, the attack need only guess the password. This isn’t too hard for a program that can guess hundreds of thousands of passwords a minute when you consider most passwords are ridiculously simple.
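The pattern described above leaves a clear trace in the web server log: one address posting to wp-login.php over and over. As an added example (not from the article), here is a POSIX shell function that counts failed login POSTs per source address in an Apache combined-format access log and flags any address over a threshold. It relies on a WordPress behaviour: a failed login re-renders the form with status 200, while a successful one redirects with 302. The log lines are constructed for illustration, using RFC 5737 documentation addresses, and the function name and threshold are my own.

```shell
#!/bin/sh
# Example brute-force detection over an Apache combined-format access log
# (not from the article). Counts POST /wp-login.php responses with status 200,
# which WordPress returns when the credentials were rejected.

# flag_login_bursts LOGFILE THRESHOLD -> "count ip" per address with more than THRESHOLD failures
flag_login_bursts() {
    awk -v limit="$2" '
        # combined log: $1 client ip, $6 "\"METHOD", $7 path, $9 status code
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
        END {
            for (ip in fails) if (fails[ip] > limit) print fails[ip], ip
        }' "$1" | sort -rn
}

# Constructed sample log: 198.51.100.7 fails six times in six seconds,
# 203.0.113.5 mistypes once and then logs in (302), 192.0.2.9 only reads a post.
sample_log() {
cat <<'EOF'
198.51.100.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:14:02:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:14:02:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:05:00 +0000] "GET /2023/10/a-post/ HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
EOF
}

# Usage on a real host (commented so the file can be sourced safely):
#   flag_login_bursts /var/log/apache2/access.log 20
```

On a real site, run it against the previous day's log with a threshold that suits your traffic; a legitimate user rarely fails more than a handful of times, so anything in the dozens is automated. The addresses it flags are exactly the ones a plugin's login-limiting or blocking feature should already be stopping, which makes this a cheap check that those settings are actually working.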

The final vulnerability we will look at here is the user. It was mentioned previously that there are sites out there that exploit holes in a web browser and install malware on the computer of a person who visited that site. Malware can also be installed through phishing attacks that contain malicious attachments and even through older methods like file sharing. Malware can do a number of bad things on a computer, and one of these things is capturing keystrokes. In practice, this means the attacker can see that a person is logging into a WordPress site and can steal the URL, the username and the password. This is just one more reason why you should run up-to-date anti-virus software on your computer, especially if you use that computer to access your blog.

Fighting back

A majority of attacks against WordPress sites happen because they are considered low hanging fruit by the attacker; meaning they are easy to breach. Many of these attacks are so simple for the bad guys that they are automated and the attacker never has to do more than let a few programs run to compromise thousands of WordPress sites.

While no WordPress site, or any other computer system, will ever be 100 percent secured against attacks, you can make it more difficult for any attacker who targets your site. If you have done a good enough job at hardening your site, they might move on to an easier target. If they are intent on breaching your site, and they are able to successfully do so, your goal will be to identify the breach and clean up your site as soon as possible.

To help you better secure your blog, we have part two of this series coming soon. In the follow up post we will look at plugins, code hacks and other things you can do that will harden your blog against a majority of the common attacks out there.