
How to stop hacking and harden your WordPress site

If you host your own WordPress site it won’t be long until it gets hacked, which leads to fun like your site being blacklisted by the search engines and losing all of its incoming traffic. It is incredibly frustrating, and it can be hard to learn quickly how to stop it from happening again. I just went through all of this and wanted to share what I’ve learned in the hope that it will help someone else stop it from happening and get it under control easily.

1 .) STEPS TO TAKE BEFORE IT HAPPENS

Keep a current backup of your site, plug-ins and database

This was the biggest mistake I made: I figured everything was stored on my server and I didn’t need to worry about keeping a backup. I was wrong. Start by making sure your database is backed up, because it is the one piece of data that is truly unique and not replaceable. Going to WordPress.org, under plug-ins, and searching for ‘WordPress Database Backup’ will give you a host of plug-ins to help you keep your backups current. I use WordPress Database Backup because it will automatically email you a backup at regular intervals, so I don’t have to remember to do it manually. Keep in mind that the database dump contains your users’ password hashes and any private content, so treat the mailbox it lands in as sensitive, and restore a backup into a test site now and then to confirm it is actually usable. Then make sure you have a new, clean copy of the latest version of WordPress so you can easily replace all of the base files. You will also need clean copies of your theme and of every plug-in in your wp-content folder, fetched from their original sources rather than copied off the compromised server.

Understand file permissions and .htaccess

The other mistake I made was that I hadn’t set up the file permissions for my site correctly or created .htaccess files to limit access to those files. The .htaccess files can be created with BulletProof Security Pro, which is described in the plug-ins section below. You can set the permissions with any FTP program; use the cheat sheet below for the mode each path needs. The rule behind the list is simple: directories 0755 and files 0644, so that only the owning account can write and nothing is world-writable. The one file that should be tighter than 0644 is wp-config.php, which holds your database credentials (0600 if the web server runs as your user, 0640 if it only shares your group). Never leave anything at 0777, however convenient it looks while installing a plug-in.

root directory – 0755
wp-admin/ – 0755
wp-admin/js/ – 0755
wp-includes/ – 0755
wp-content/ – 0755
wp-content/themes/ – 0755
wp-content/plugins/ – 0755
.htaccess – 0644
wp-admin/index.php – 0644
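The cheat sheet above is the policy; what follows is an added example of applying and checking it from a shell on the server, which is not code from the original post or from BulletProof Security. It sets every directory to 0755 and every file to 0644, locks wp-config.php to 0640, reports anything that drifts or is world-writable, and writes an .htaccess that stops PHP from executing under wp-content/uploads. The 0640 mode for wp-config.php, the uploads rule, and the Apache 2.4 "Require" syntax are my assumptions; the page’s list does not mention them.

```shell
#!/bin/sh
# Added example (not from the post or from BulletProof Security): apply the
# cheat-sheet modes to a WordPress tree, audit for drift, and deny PHP
# execution in the uploads directory. Assumes Apache 2.4 for the .htaccess.

harden_wp_perms() {
  root="$1"
  find "$root" -type d -exec chmod 0755 '{}' +
  find "$root" -type f -exec chmod 0644 '{}' +
  # wp-config.php holds the database credentials and salts; owner read/write,
  # group read only (assumption: the web server shares the owner's group).
  if [ -f "$root/wp-config.php" ]; then
    chmod 0640 "$root/wp-config.php"
  fi
}

# Print each path that deviates from the policy, one per line.
list_perm_drift() {
  root="$1"
  find "$root" -type d ! -perm 0755
  find "$root" -type f ! -name 'wp-config.php' ! -perm 0644
  if [ -f "$root/wp-config.php" ]; then
    find "$root/wp-config.php" ! -perm 0640
  fi
}

# Number of drifting paths; 0 means the tree matches the cheat sheet.
count_perm_drift() {
  list_perm_drift "$1" | wc -l | tr -d ' '
}

# World-writable entries are how a dropped web shell usually gets written,
# so they are counted separately: this number must be 0 regardless of drift.
count_world_writable() {
  find "$1" -perm -0002 | wc -l | tr -d ' '
}

# Uploads should never execute server-side code, whatever name the file has.
write_uploads_htaccess() {
  dir="$1/wp-content/uploads"
  mkdir -p "$dir"
  cat > "$dir/.htaccess" <<'EOF'
# Deny execution of any PHP dropped into the uploads tree (Apache 2.4 syntax).
<FilesMatch "\.(php|phtml|php[0-9])$">
  Require all denied
</FilesMatch>
EOF
  chmod 0644 "$dir/.htaccess"
}

# Usage: sh harden.sh /var/www/html   (the path is an example)
if [ -n "$1" ]; then
  write_uploads_htaccess "$1"
  harden_wp_perms "$1"
  echo "permission drift: $(count_perm_drift "$1"), world-writable: $(count_world_writable "$1")"
fi
```

Run the audit functions from cron after the first pass; a non-zero drift count usually means a plug-in installer or an FTP client quietly reset modes, and a non-zero world-writable count is worth treating as an incident until proven otherwise.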

2 .) SECURITY PLUG-INS

There are a host of different plug-ins you can use to stop hackers and code injection. Here are some of the ones I recommend.

BulletProof Security Pro

If you are only going to get one plug-in, make it BulletProof Security Pro, because it is by far the best security plug-in out there. Overlook the bad design of their site and spend the $49 for the Pro version of the plug-in. It is worth it: you buy it once and can use it on as many sites as you want. Installing the plug-in correctly can be a little tricky because certain things have to be done in a certain order, so I recommend watching this YouTube video, which walks you through getting it up and running. Download it here.

WordPress Firewall 2 & IP Filter

WordPress Firewall 2 is a plug-in that inspects web requests with simple, WordPress-specific heuristics to identify and stop the most obvious attacks on your site. When it detects one of those attacks it emails you that it has been blocked, so you know it is going on, and the email contains the IP address of the attacker. I copy that IP address into the IP Filter plug-in, where you can blacklist addresses to keep them from accessing your site at all. It is a nice combination for stopping repeat attacks and the spammers who fill your comments section with junk. Two caveats: an attacker who rotates through compromised hosts or proxies will simply come back from a new address, so treat the blacklist as a nuisance filter rather than a fix, and if your site sits behind a CDN or reverse proxy, make sure the plug-in sees the real client address and not the proxy’s, or you will end up blocking your own front end.

Login LockDown

Login LockDown is a simple plug-in that records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period from the same IP range, the login function is disabled for all requests from that range. This helps prevent brute-force password discovery, but it only buys time: pair it with a long passphrase and get rid of the default ‘admin’ user name, so the first few guesses never succeed. Download it here.
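Both plug-ins above work from the same raw material, the web server’s request log, so here is an added example (mine, not the post’s and not code from WordPress Firewall 2, IP Filter or Login LockDown) that reproduces the two heuristics on a constructed Apache combined-format log and turns the result into a deny list. Suspicious requests are found by pattern (SQL injection, directory traversal, script tags); failed logins are POSTs to wp-login.php that come back with a 200, because WordPress re-renders the form on failure and answers a success with a 302 to wp-admin. The sample addresses are RFC 5737 test ranges, the threshold of five failures is my choice, and the Apache 2.4 `Require not ip` output is an assumption; the page names none of these.

```shell
#!/bin/sh
# Added example, not code from the post or the plug-ins it names: build an
# IP deny list from a slice of the access log using two heuristics.
# Assumes Apache combined log format and that $1 is the real client address
# (behind a proxy or CDN you would have to log X-Forwarded-For instead).

# Constructed sample log (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG='203.0.113.7 - - [10/May/2015:10:01:01 +0000] "GET /?p=1%20UNION%20SELECT%20user_pass%20FROM%20wp_users HTTP/1.1" 200 512 "-" "curl/7.38.0"
203.0.113.7 - - [10/May/2015:10:01:05 +0000] "GET /wp-content/../../../../etc/passwd HTTP/1.1" 404 210 "-" "curl/7.38.0"
198.51.100.9 - - [10/May/2015:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3011 "-" "python-requests/2.5.1"
198.51.100.9 - - [10/May/2015:10:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3011 "-" "python-requests/2.5.1"
198.51.100.9 - - [10/May/2015:10:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3011 "-" "python-requests/2.5.1"
198.51.100.9 - - [10/May/2015:10:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3011 "-" "python-requests/2.5.1"
198.51.100.9 - - [10/May/2015:10:02:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3011 "-" "python-requests/2.5.1"
192.0.2.44 - - [10/May/2015:10:05:00 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/May/2015:10:05:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
192.0.2.44 - - [10/May/2015:10:05:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Heuristic 1: client IPs whose request line carries an obvious payload.
# Splitting on the double quote makes $2 the request line and $3 the
# status and size. Reads the log on stdin, prints unique IPs.
suspicious_request_ips() {
  awk -F'"' 'tolower($2) ~ /union.*select|\.\.(\/|%2f)|\/etc\/passwd|<script|base64_decode|eval\(/ {
      split($1, f, " "); print f[1] }' | sort -u
}

# Heuristic 2: IPs with at least $1 failed logins in the slice of log on
# stdin. Feed it the last few minutes of the log to get a time window.
failed_login_ips() {
  awk -v t="${1:-5}" -F'"' '
    $2 ~ /^POST \/wp-login\.php/ {
      split($1, f, " "); split($3, s, " ")
      if (s[1] == "200") n[f[1]]++      # 200 = form re-rendered = failure
    }
    END { for (ip in n) if (n[ip] + 0 >= t + 0) print ip }' | sort
}

# Combine both lists into an Apache 2.4 access-control block (assumption:
# 2.4 syntax; 2.2 would use "Deny from"). Takes a log file path and threshold.
deny_block() {
  log="$1"; threshold="${2:-5}"
  printf '<RequireAll>\n  Require all granted\n'
  { suspicious_request_ips < "$log"; failed_login_ips "$threshold" < "$log"; } | sort -u \
    | while read -r ip; do printf '  Require not ip %s\n' "$ip"; done
  printf '</RequireAll>\n'
}

# Demo on the constructed log.
logfile=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$logfile"
deny_block "$logfile" 5
rm -f "$logfile"
```

On the sample, 203.0.113.7 is caught by the payload patterns, 198.51.100.9 by five failed logins, and 192.0.2.44 (one failure, then a successful login) is left alone. The patterns are deliberately crude, exactly like the plug-in’s own heuristics; they catch scanners, not a careful attacker.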

3 .) GET OFF THE BLACK LIST

Once you have cleaned up the problem you have to tell Google and Bing separately to re-evaluate your site to get the blacklisting removed. You can contact Bing here: fill out the form, selecting ‘my site has a malware warning’ from the drop-down. It is a pain because you will have to wait for an email, click a link in it to confirm the site is clean, and then wait up to two weeks for them to review it. You can contact Google here through their Webmaster Tools, which you will need to set up if you haven’t used it in the past. Once you do, click on ‘check site health’, select ‘malware detected?’ in the drop-down and then click on ‘request a review’. Their process is much better and they will usually review your site in 12 to 24 hours. Only request the review once every infected file has been replaced and the hole that let the attacker in has been closed; otherwise the next scan puts you straight back on the list.

So those are the basic steps to take to get the problem under control, and just because you fixed it once doesn’t mean it won’t happen again. I constantly monitor my sites, seeing what files have been added or moved, and blacklisting any hosts that I even suspect of attacking my blog.



Copyright © 2015 Stephen Gates