How to stop hacking and harden your WordPress site

If you host your own WordPress site it is only a matter of time before it gets hacked, which leads to fun like your site being blacklisted by the search engines, which cuts off almost all of your incoming traffic. This is why a lot of sites that run WordPress now use companies like removemalware to help keep the site safe. It is incredibly frustrating, and it can be hard to quickly learn how to stop it from happening again. I just went through all of this and wanted to share what I have learned, in the hope that it will help someone else stop it happening and get it under control.


Keep a current backup of your site, plug-ins and database

This was the biggest mistake I made, because I figured everything was stored on my server and I didn't need to worry about keeping a backup. I was wrong. Start by making sure that your database is backed up, because it is the one piece of data that is truly unique and not replaceable. Searching under Plugins for 'WordPress Database Backup' will give you a host of plug-ins to help you keep current on your backups. I use WordPress Database Backup because it will automatically email you a backup at regular intervals, so I don't have to remember to do it manually. Keep those copies somewhere other than the server itself: a backup that only lives on the compromised machine can be altered or deleted along with everything else, and bear in mind that the emailed dump contains your posts, user accounts and password hashes, so treat the mailbox it lands in as sensitive. Then make sure you have a fresh, clean copy of the latest version of WordPress so you can replace all of the base files rather than trusting the ones on the server. You will also need clean versions of your theme and every plug-in in your wp-content folder, plus a copy of wp-content/uploads, which is the other part of the site you cannot simply download again.

Understand file permissions and .htaccess

The other mistake I made was that I hadn't gone in and correctly set up the file permissions for my site or created .htaccess files to limit web access to sensitive files. The two do different jobs: permissions control what the operating system lets each account (including the one the web server runs as) read, write and execute, while .htaccess rules control what Apache will serve over HTTP. The .htaccess files can be created with BulletProof Security Pro, which is described in the plug-ins section below. You can set the permissions with any FTP program (or with chmod over SSH) using the cheat sheet below: 0755 for directories, 0644 for files. The one exception worth making is wp-config.php, which holds your database password; give it the most restrictive mode your host allows (0600, or a group-readable 0640 if PHP runs under a different account from the file owner) so other accounts on a shared server cannot read it.

root directory – 0755
wp-admin/ – 0755
wp-admin/js/ – 0755
wp-includes/ – 0755
wp-content/ – 0755
wp-content/themes/ – 0755
wp-content/plugins/ – 0755
.htaccess – 0644
wp-admin/index.php – 0644
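To make the cheat sheet concrete, here is an added example (not code from the original post or from any of the plug-ins it mentions) that applies the scheme to a site tree, tightens wp-config.php, reports anything still open, and writes the two .htaccess files that stop wp-config.php and PHP files under wp-content/uploads from being served. It assumes a Unix host running Apache; the function names, the 0600 mode for wp-config.php and the sample tree it builds are all assumptions for illustration.

```python
"""Added example, not code from the original post or from any plug-in it names.
Applies the cheat-sheet scheme (0755 directories, 0644 files) to a site tree,
tightens wp-config.php, reports anything still open and drops in the Apache
.htaccess files that keep wp-config.php and PHP under uploads/ from being served.
Assumed: Unix host, Apache, illustrative function names.

Shell equivalent of fix_permissions():
    find /path/to/site -type d -exec chmod 0755 {} +
    find /path/to/site -type f -exec chmod 0644 {} +
    chmod 0600 /path/to/site/wp-config.php
"""
import os
import stat
import tempfile

DIR_MODE = 0o755     # the "0755" entries above: owner rwx, everyone else rx
FILE_MODE = 0o644    # the "0644" entries above: owner rw, everyone else r
SECRET_MODE = 0o600  # wp-config.php holds the database password (assumed tightening)

# Apache deny block in both the 2.4 (mod_authz_core) and the legacy 2.2 syntax.
DENY_ALL = (
    "<IfModule mod_authz_core.c>\n    Require all denied\n</IfModule>\n"
    "<IfModule !mod_authz_core.c>\n    Order deny,allow\n    Deny from all\n</IfModule>\n"
)
HTACCESS_RULES = {
    # site root: never serve wp-config.php, even if PHP handling breaks and it becomes plain text
    "": "<Files wp-config.php>\n" + DENY_ALL + "</Files>\n",
    # uploads: a PHP file dropped here (the classic webshell spot) must not execute
    os.path.join("wp-content", "uploads"):
        '<FilesMatch "\\.(php[0-9]?|phtml|phar)$">\n' + DENY_ALL + "</FilesMatch>\n",
}


def _chmod(path, mode):
    """chmod only when needed; never follow symlinks out of the tree. Returns 1 if changed."""
    if os.path.islink(path) or stat.S_IMODE(os.lstat(path).st_mode) == mode:
        return 0
    os.chmod(path, mode)
    return 1


def fix_permissions(root):
    """Directories 0755, files 0644, wp-config.php 0600. Returns how many paths changed."""
    changed = _chmod(root, DIR_MODE)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            changed += _chmod(os.path.join(dirpath, name), DIR_MODE)
        for name in filenames:
            secret = dirpath == root and name == "wp-config.php"
            changed += _chmod(os.path.join(dirpath, name), SECRET_MODE if secret else FILE_MODE)
    return changed


def find_loose_permissions(root):
    """Paths that are world-writable, or regular files with an execute bit: the usual
    sign that an installer, an FTP client or an attacker has loosened things."""
    loose = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            st = os.lstat(path)
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH or (stat.S_ISREG(st.st_mode) and mode & 0o111):
                loose.append(path)
    return sorted(loose)


def write_htaccess(root):
    """Create the protective .htaccess files, leaving any existing ones alone so a
    plug-in's rules are not clobbered. Returns the paths written."""
    written = []
    for subdir, rules in HTACCESS_RULES.items():
        target_dir = os.path.join(root, subdir)
        os.makedirs(target_dir, exist_ok=True)
        target = os.path.join(target_dir, ".htaccess")
        if not os.path.exists(target):
            with open(target, "w") as fh:
                fh.write(rules)
            os.chmod(target, FILE_MODE)
            written.append(target)
    return written


def mode_of(path):
    """Permission bits of a path as an int, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def build_sample_tree():
    """Constructed sample site (not a real install): a config file plus a PHP file left
    executable inside a world-writable uploads directory. Returns the root path."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php define('DB_PASSWORD', 'sample-only');\n")
    with open(os.path.join(uploads, "dropped.php"), "w") as fh:
        fh.write("<?php // stand-in for a file an attacker uploaded\n")
    os.chmod(uploads, 0o777)
    os.chmod(os.path.join(uploads, "dropped.php"), 0o755)
    return root


if __name__ == "__main__":
    site = build_sample_tree()
    print("loose before:", find_loose_permissions(site))
    print("changed:", fix_permissions(site), "htaccess written:", write_htaccess(site))
    print("loose after:", find_loose_permissions(site))
```

Run it against a copy of the site first. On hosts where PHP runs as a different account from the file owner, 0600 on wp-config.php will lock PHP out, and a group-readable 0640 is the right choice instead; the .htaccess rules only take effect where Apache honours AllowOverride for that directory, so check them by requesting /wp-config.php in a browser and expecting a 403.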


There are a host of different plug-ins you can use to stop the hackers and code injections. Here are some of the ones I recommend.

BulletProof Security Pro

If you are only going to get one plug-in, make it BulletProof Security Pro, because it is by far the best security plug-in out there. Overlook the bad design of their site and spend the $49 to get the Pro version of the plug-in. It is worth it: you only buy it once and can use it on as many sites as you want. Installing the plug-in correctly can be a little tricky because you have to do certain things in a certain order, so I would recommend watching the YouTube video that walks you through getting it up and running. Download it here.

WordPress Firewall 2 & IP Filter

WordPress Firewall 2 is a plug-in that inspects incoming web requests with simple, WordPress-specific heuristics to identify and stop the most obvious attacks on your site. When it detects one it emails you that the request was blocked, so you know it is going on, and the email includes the IP address of the attacker. I copy that IP address into the IP Filter plug-in, where you can blacklist addresses to keep them from accessing your site at all. It is a nice combination for stopping repeat attacks and the spammers who fill your comments section with junk. Bear in mind that blocking a single address only stops that address: attacks from botnets or proxy networks arrive from many IPs, so treat the blacklist as a way to cut the noise rather than a defence on its own, and if your site sits behind a CDN or reverse proxy make sure the plug-in sees the real client address rather than the proxy's, or you will end up blocking your own traffic.

Login LockDown

Login LockDown is a simple plug-in that records the IP address and timestamp of every failed login attempt. If more than a certain number of failures are detected within a short period from the same IP range, the login function is disabled for all requests from that range for a while. This helps prevent brute-force password guessing. It slows such guessing rather than stopping it, since an attacker who spreads attempts across many addresses stays under the threshold, so it belongs alongside strong, unique passwords rather than instead of them. Download it here.
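The WordPress Firewall 2 plus IP Filter pairing above and Login LockDown's rule are both gates in front of the login handler, and they interact: a static denylist answers first, then a time-windowed failure count per IP range. The following is an added example (not code from the original post or from any of these plug-ins) that implements both so the logic can be read and tried. The thresholds, the /24 grouping, the sample attempt log and all of the names are assumptions for illustration; the real plug-ins' defaults may differ.

```python
"""Added example, not code from the original post or from the plug-ins it names.
Two blocking mechanisms in one gate:
  - a static blocklist of addresses or CIDR ranges (what IP Filter does with the
    addresses WordPress Firewall 2 emails you)
  - a failed-login lockout that disables login for a whole /24 once failures from
    that range exceed a threshold inside a time window, lifted again after a
    cooling-off period (the rule Login LockDown describes)
Thresholds, the /24 grouping, the sample log and the names are assumptions.
"""
import ipaddress
from collections import defaultdict, deque

MAX_FAILURES = 3        # failures tolerated per range inside WINDOW_SECONDS (assumed)
WINDOW_SECONDS = 300    # sliding window over which failures are counted (assumed)
LOCKOUT_SECONDS = 3600  # how long login stays disabled for the range (assumed)
RANGE_PREFIX = 24       # "same IP range" taken to mean the /24 (assumed)


class LoginGate:
    def __init__(self, blocklist=()):
        # Static denylist: single addresses or CIDR blocks, given as strings.
        self.blocked_nets = [ipaddress.ip_network(e, strict=False) for e in blocklist]
        self.failures = defaultdict(deque)   # range -> timestamps of recent failures
        self.locked_until = {}               # range -> time the lockout expires

    @staticmethod
    def range_of(ip):
        """Collapse an address to its /24 so hosts hopping inside one subnet count as one."""
        return ipaddress.ip_network(f"{ip}/{RANGE_PREFIX}", strict=False)

    def is_blocklisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.blocked_nets)

    def is_locked(self, ip, now):
        """True while the address's range is under a lockout; expired lockouts are forgotten."""
        rng = self.range_of(ip)
        until = self.locked_until.get(rng)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[rng]
            self.failures.pop(rng, None)
            return False
        return True

    def allow_login(self, ip, now):
        """Should a login form submission from ip even be processed?"""
        return not self.is_blocklisted(ip) and not self.is_locked(ip, now)

    def record_failure(self, ip, now):
        """Log a failed attempt; returns True if this attempt triggered a lockout."""
        rng = self.range_of(ip)
        attempts = self.failures[rng]
        attempts.append(now)
        while attempts and now - attempts[0] > WINDOW_SECONDS:
            attempts.popleft()          # drop failures that fell out of the window
        if len(attempts) > MAX_FAILURES and rng not in self.locked_until:
            self.locked_until[rng] = now + LOCKOUT_SECONDS
            return True
        return False


# Constructed sample of a failed-login log: (unix time, client ip). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges; nothing here is a real attacker.
SAMPLE_FAILURES = [
    (1000, "203.0.113.5"),
    (1010, "203.0.113.5"),
    (1020, "203.0.113.7"),    # different host, same /24: still counts toward the range
    (1030, "203.0.113.9"),    # fourth failure inside the window: lockout starts here
    (1040, "198.51.100.20"),  # unrelated range: unaffected
]


def replay(gate, events):
    """Feed the log through the gate; returns the (time, ip) pairs that tripped a lockout."""
    tripped = []
    for now, ip in events:
        if gate.allow_login(ip, now) and gate.record_failure(ip, now):
            tripped.append((now, ip))
    return tripped


if __name__ == "__main__":
    g = LoginGate(blocklist=["192.0.2.0/24"])
    print("lockouts:", replay(g, SAMPLE_FAILURES))
    print("203.0.113.200 may log in at t=2000?", g.allow_login("203.0.113.200", 2000))
    print("203.0.113.200 may log in at t=5000?", g.allow_login("203.0.113.200", 5000))
    print("192.0.2.1 blocklisted?", g.is_blocklisted("192.0.2.1"))
```

The replay shows the two weaknesses worth knowing about: the whole /24 is locked, so a legitimate user on the same subnet as the attacker (a shared office or mobile carrier range) is locked out with them, and an attacker who paces attempts slower than the window, or spreads them across ranges, never trips the counter at all.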


Once you have cleaned up the problem you will have to ask Google and Bing separately to re-evaluate your site to get the blacklisting removed. Only request a review once you are confident every injected file is gone, otherwise the site is simply flagged again. You can contact Bing here: fill out the form, selecting 'my site has a malware warning' from the drop-down. It is a pain because you will have to wait for an email, click a link in it to confirm the site is clean, and then wait up to two weeks for them to review it. You can contact Google here through their Webmaster Tools, which you will need to set up if you haven't used them before. Once you have, click on 'check site health', select 'malware detected?' in the drop-down and then click 'request a review'. Their process is much better and they will usually review your site in 12 to 24 hours.

So those are the basic steps to take to get the problem under control, and just because you fixed it once doesn't mean it won't happen again. I constantly monitor my sites, checking which files have been added or changed, keeping WordPress, the theme and every plug-in on the current version (out-of-date plug-ins are the usual way in), and blacklisting any address I even suspect of attacking my blog.
