How to stop hacking and harden your WordPress site

If you host your own WordPress site it won’t be long until it gets hacked, which leads to fun like your site being blacklisted by search engines, blocking all incoming traffic. It is incredibly frustrating, and it can be hard to quickly learn how to stop it from happening again. I just went through all of this and wanted to share what I’ve learned in the hope that it will help someone else stop it happening and easily get it under control.

1.) STEPS TO TAKE BEFORE IT HAPPENS

Keep a current backup of your site, plug-ins and database

This was the biggest mistake I made, because I figured everything was stored on my server and I didn’t need to worry about keeping a backup. I was wrong. Start by making sure that you have your database backed up, because this is the one piece of data that is truly unique and not replaceable. Going to WordPress.org under Plug-ins and searching for ‘WordPress Database Backup’ will give you a host of plug-in options to help you keep current on your backups. I use WordPress Database Backup because it will automatically email you a backup at regular intervals, so I don’t have to worry about remembering to do it manually. Then make sure you have a new and clean copy of the latest version of WordPress so you can easily replace all of the base files. You will also need to go through and make sure you have clean versions of your blog theme and all plug-ins in your wp-content folder.

Understand file permissions and .htaccess

The other mistake I made was that I hadn’t gone in and correctly set up the file permissions for my site or created .htaccess files to limit access to those files. The .htaccess files can be created with BulletProof Security Pro, which is described in the plug-ins section below. You can set the permissions using any FTP program; use the cheat sheet below for the modes they need to be set to.

root directory – 0755
wp-includes/ – 0755
.htaccess – 0644
wp-admin/index.php – 0644
wp-admin/js/ – 0755
wp-content/themes/ – 0755
wp-content/plugins/ – 0755
wp-admin/ – 0755
wp-content/ – 0755
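To turn the cheat sheet into something you can check rather than eyeball, here is an added Python example (not code from this post or from any of the plug-ins it mentions) that audits a WordPress tree against those modes and also lists anything world-writable, which the cheat sheet does not cover. The expected modes are taken from the list above; the demo directory and file names are constructed for the example so it runs offline, and the site root passed on the command line is an assumption you replace with your own path.

```python
import os
import stat
import tempfile

# Expected modes for paths relative to the WordPress root, from the cheat sheet.
EXPECTED_MODES = {
    ".": 0o755,
    "wp-includes": 0o755,
    ".htaccess": 0o644,
    "wp-admin/index.php": 0o644,
    "wp-admin/js": 0o755,
    "wp-content/themes": 0o755,
    "wp-content/plugins": 0o755,
    "wp-admin": 0o755,
    "wp-content": 0o755,
}


def mode_of(path):
    """Permission bits of path as an int (e.g. 0o644), ignoring the file type."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit_permissions(root, expected=EXPECTED_MODES):
    """Compare each cheat-sheet entry under root with its expected mode.
    Returns a list of (relative_path, actual_mode, expected_mode); actual_mode
    is None when the path does not exist. An empty list means everything matches."""
    findings = []
    for rel, want in expected.items():
        path = os.path.join(root, rel)
        if not os.path.lexists(path):
            findings.append((rel, None, want))
        elif mode_of(path) != want:
            findings.append((rel, mode_of(path), want))
    return findings


def world_writable(root):
    """Every non-symlink file or directory under root that 'others' may write to.
    The cheat sheet does not list wp-content/uploads, and a 0777 uploads directory
    is where injected files usually end up, so this catches what the audit misses."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path) and mode_of(path) & stat.S_IWOTH:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def apply_permissions(root, expected=EXPECTED_MODES):
    """Set each existing cheat-sheet entry under root to its expected mode."""
    for rel, want in expected.items():
        path = os.path.join(root, rel)
        if os.path.lexists(path):
            os.chmod(path, want)


def make_demo_tree():
    """Throw-away directory shaped like a WordPress install (constructed for this
    example), with two deliberately wrong modes for the audit to catch."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    os.chmod(root, 0o755)  # mkdtemp creates the directory as 0700
    for d in ("wp-includes", "wp-admin/js", "wp-content/themes",
              "wp-content/plugins", "wp-content/uploads"):
        os.makedirs(os.path.join(root, d))
    for d in ("wp-includes", "wp-admin", "wp-admin/js", "wp-content",
              "wp-content/themes", "wp-content/plugins"):
        os.chmod(os.path.join(root, d), 0o755)
    for f in (".htaccess", "wp-admin/index.php"):
        open(os.path.join(root, f), "w").close()
        os.chmod(os.path.join(root, f), 0o644)
    os.chmod(os.path.join(root, ".htaccess"), 0o666)           # wrong: world-writable file
    os.chmod(os.path.join(root, "wp-content/uploads"), 0o777)  # wrong: world-writable dir
    return root


if __name__ == "__main__":
    import sys
    # The site root is an assumption; pass your real path as the first argument.
    root = sys.argv[1] if len(sys.argv) > 1 else make_demo_tree()
    for rel, got, want in audit_permissions(root):
        print(f"{rel}: {'missing' if got is None else oct(got)} (expected {oct(want)})")
    for rel in world_writable(root):
        print(f"world-writable: {rel}")
```

Run it with your site root as the argument to get a list of mismatches; run it with no argument to see it flag the constructed tree. Note that apply_permissions() only fixes the entries in the cheat sheet, so the 0777 uploads directory in the demo still shows up in world_writable() afterwards, which is exactly the kind of thing you want a separate check for.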

2.) SECURITY PLUG-INS

There are a host of different plug-ins you can use to stop hackers and code injections. Here are some of the ones I recommend.

BulletProof Security Pro

If you are just going to get one plug-in, make it BulletProof Security Pro, because it is by far the best security plug-in out there. Overlook the bad design on their site and spend the $49 to get the Pro version of the plug-in; it is worth it, you only have to buy it once, and you can use it as many times as you want. Installing the plug-in correctly can be a little tricky because you have to do certain things in a certain order, so I would recommend watching this YouTube video, which walks you through getting it up and running. Download it here.

WordPress Firewall 2 & IP Filter

WordPress Firewall 2 is a plug-in that inspects web requests with simple, WordPress-specific heuristics to identify and stop the most obvious attacks on your site. When it detects one of those attacks it will email you that the request has been blocked, so you know it is going on, and the best part is that the email contains the IP address of the attacker. I copy that IP address into the IP Filter plug-in, where you can blacklist IP addresses to keep them from accessing your site at all. It is a nice combination to stop repeat attacks and spammers who fill your comments section with junk.

Login LockDown

Login LockDown is a simple plug-in that records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, the login function is disabled for all requests from that range. This helps prevent brute-force password discovery. Download it here.
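The throttling just described is easy to get subtly wrong (counting per address instead of per range, never expiring old failures, or letting a correct password through while the range is locked), so here is an added Python example, not the plug-in’s code, showing the logic as a stand-alone class. The thresholds (5 failures in 5 minutes, a 1 hour lock) and the /24 granularity used for the “IP range” are assumptions chosen for the example; the post does not give the plug-in’s own values, and the addresses in the replay are constructed.

```python
import ipaddress
from collections import defaultdict, deque


class LoginLockdown:
    """Track failed logins per IP range and refuse all logins from a range
    that exceeds max_failures within window_seconds, for lockout_seconds."""

    def __init__(self, max_failures=5, window_seconds=300,
                 lockout_seconds=3600, prefix_len=24):
        # Threshold values are assumptions for the example, not the plug-in's.
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.prefix_len = prefix_len
        self.failures = defaultdict(deque)   # range -> timestamps of recent failures
        self.locked_until = {}               # range -> time the lock expires
        self.log = []                        # (timestamp, ip, event) audit records

    def _range(self, ip):
        """Collapse an address to its /prefix_len network (the 'IP range')."""
        return ipaddress.ip_network(f"{ip}/{self.prefix_len}", strict=False)

    def is_locked(self, ip, now):
        """True while the range containing ip is locked; expired locks are cleared."""
        rng = self._range(ip)
        until = self.locked_until.get(rng)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[rng]
            self.failures.pop(rng, None)
            return False
        return True

    def record_failure(self, ip, now):
        """Record a failed attempt; returns True if this attempt triggered a lock."""
        rng = self._range(ip)
        self.log.append((now, ip, "failed"))
        attempts = self.failures[rng]
        attempts.append(now)
        while attempts and now - attempts[0] > self.window:  # forget old failures
            attempts.popleft()
        if len(attempts) >= self.max_failures:
            self.locked_until[rng] = now + self.lockout
            self.log.append((now, ip, "locked"))
            return True
        return False

    def attempt(self, ip, password_ok, now):
        """Process one login attempt. Returns 'locked', 'ok' or 'failed'.
        A locked range is refused even when the password is correct."""
        if self.is_locked(ip, now):
            self.log.append((now, ip, "rejected"))
            return "locked"
        if password_ok:
            self.failures.pop(self._range(ip), None)  # success resets the counter
            return "ok"
        self.record_failure(ip, now)
        return "failed"


def run_demo():
    """Replay a constructed sequence: five failures from one host, then a correct
    password from a neighbour in the same /24 (refused), one from another range
    (allowed), and the neighbour again after the lock has expired (allowed)."""
    ld = LoginLockdown()
    t = 1000.0
    results = [ld.attempt("203.0.113.7", False, t + i * 10) for i in range(5)]
    results.append(ld.attempt("203.0.113.9", True, t + 60))         # same /24, locked
    results.append(ld.attempt("198.51.100.4", True, t + 60))        # other range
    results.append(ld.attempt("203.0.113.9", True, t + 60 + 3600))  # lock expired
    return results


if __name__ == "__main__":
    print(run_demo())
```

The per-range key is what makes the defence hold up against an attacker rotating through neighbouring addresses, and the sliding window is what keeps a legitimate user who mistypes once a day from ever being locked out.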

3.) GET OFF THE BLACKLIST

Once you have cleaned up the problem, you are going to have to tell Google and Bing separately to re-evaluate your site to get the blacklisting removed. You can contact Bing here: fill out the form, selecting ‘my site has a malware warning’ from the drop-down. It is a pain because you will have to wait for an email with a link you must click to confirm the site is clean, and then wait up to two weeks for them to review it. You can contact Google here through their Webmaster Tools, which you will need to set up if you haven’t used them in the past. Once you do, click on ‘check site health’, select ‘malware detected?’ in the drop-down and then click on ‘request a review’. Their process is much better and they will usually review your site in 12 to 24 hours.

So those are the basic steps to take to help get the problem under control, and just because you fixed it once doesn’t mean it won’t happen again. I constantly monitor my sites, checking which files have been added or moved, and blacklisting any sites that I even suspect of attacking my blog.
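The monitoring described above is much easier when it is a comparison against a known-good baseline rather than a visual scan of an FTP listing. Here is an added Python example (not code from this post) that hashes every file under the site root into a manifest right after a clean install and later diffs the live tree against it, reporting added, removed and modified files. The file names and contents in the demo are constructed for the example.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large uploads do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            manifest[os.path.relpath(path, root)] = sha256_file(path)
    return manifest


def compare(baseline, current):
    """Return sorted lists of (added, removed, modified) relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return added, removed, modified


def run_demo():
    """Build a tiny constructed site, take a baseline, then make the three kinds
    of change a compromise or a botched update produces and report them."""
    root = tempfile.mkdtemp(prefix="wp-fim-")
    os.makedirs(os.path.join(root, "wp-content/uploads"))
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php require 'wp-blog-header.php';\n")
    with open(os.path.join(root, "wp-config.php"), "w") as f:
        f.write("<?php define('DB_NAME', 'example');\n")
    baseline = build_manifest(root)  # taken right after a clean install

    # A new file in uploads, an edited core file and a deleted file (all constructed).
    with open(os.path.join(root, "wp-content/uploads/unexpected.php"), "w") as f:
        f.write("<?php /* constructed stand-in for a file that was not there before */\n")
    with open(os.path.join(root, "index.php"), "a") as f:
        f.write("// constructed modification\n")
    os.remove(os.path.join(root, "wp-config.php"))
    return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    added, removed, modified = run_demo()
    for label, paths in (("added", added), ("removed", removed), ("modified", modified)):
        for p in paths:
            print(f"{label}: {p}")
```

In practice you would save the baseline manifest somewhere outside the web root (it is useless if an attacker who can write to wp-content can also rewrite it), rebuild it deliberately after every legitimate update, and run the comparison on a schedule so an unexpected .php file turns up in your inbox rather than in a search engine warning.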

Creative Director, Designer, Brand Builder, Speaker, Podcaster, Crazy One. As a designer, I have 20+ years experience creating the strategy, concepts, and designs for award-winning integrated global advertising campaigns, building multiple global Fortune 500 brands and creating innovative digital experiences. As a leader, I have 15+ years transforming agency and client-side teams using a mix of creativity, business strategy, process and political skill to create innovative, world-class work and cultures that change industries and companies. My clients have included American Airlines, W Hotels, Disney, Citi, ExxonMobil, Acura, Old Navy, Nationwide Insurance, Verizon, Subaru and many others. My work has received over 150 international awards, my app designs have been named as one of the World’s 100 Greatest Apps, Apple has featured my work in 9 keynotes, 4 TV commercials and more.

Copyright © 2015 Stephen Gates