How to Protect WordPress
So you’ve cleaned up your site and reset your passwords, so it’s a bit more secure than it was before. But there’s more you can do to prevent future hacks and stop the same thing from happening again. And if you’re in the worst-case scenario, where an attacker has gained access to your website, it isn’t the end of the world.
If your site is hosted with us, we have a hack-free guarantee, which means we will work through your site and remove the hack. If you’re with another hosting provider, you can ask them for help, but expect to do most of the work yourself.
You have lots of options for dealing with a hacking situation. The steps you need to take depend on how your site was hacked, and you may not need to work through all of them.
- Stay calm and don’t panic
- Turn on maintenance mode
- Scan your WordPress site
- Scan your device
- Find the hack
- Remove extra users
- Remove unwanted files
- Keep your site up to date
- Reset all passwords
- Firewall
- Security plugin
- SSL certificate
- Backups
- Reinstall plugins, themes and WordPress core
- Clean out your database
- Hire a professional security service
# 1: Stay calm and don’t panic
Becoming stressed or angry about the situation won’t help; it takes much-needed concentration away from getting your website back on track. Put your energy into finding solutions instead. Take a step back and compose yourself: with a clear head you will take control of the situation, and recover your online presence, far more effectively. If you can’t think straight, put your site in maintenance mode and leave it for a few hours until you’re feeling calmer.
# 2: Turn on maintenance mode
You don’t want visitors (or search engine crawlers) finding your site in its compromised state, so put it into maintenance mode. If you can still log in, install and activate the “WP Maintenance Mode” plugin, then go to “Settings > WP Maintenance Mode” to configure it.
If you can’t log in to your WordPress site right now, that isn’t possible. Instead, log in over FTP (or better, SFTP, which does not send your password in the clear) and create a file named “index.html” in the document root. Most hosts are configured to serve index.html ahead of index.php for the same directory, so it takes over the front page; if yours is not, the page will keep loading WordPress. Open a plain-text or HTML editor and insert the code below:
```html
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Under Construction</title>
</head>
<body style="text-align: center;">
  <p><img src="https://www.jonloh.com/wp-content/uploads/2020/10/how-to-protect-wordpress.jpg" alt="Site under construction"></p>
</body>
</html>
```
Upload index.html to the document root for the domain. Once you’ve done that, you can relax a little knowing that people can’t see what’s going on on the front page. Be aware of what this does not do: it only covers the directory index, so wp-login.php, wp-admin and any PHP file the attacker left behind are still reachable by URL, and the site still answers with HTTP 200, so search engines may index the placeholder. It buys you breathing room, not containment.
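Because an index.html only replaces the front page, a more complete approach is to make the web server answer 503 for every request except from your own address, which also blocks wp-login.php and any PHP the attacker dropped. The script below is an added example (not from the original post or the WP Maintenance Mode plugin) for Apache hosts that honour .htaccess with mod_rewrite; the document root and admin IP are assumptions supplied by the caller, and it keeps a copy of the existing .htaccess so permalink rules can be restored afterwards:

```shell
#!/usr/bin/env bash
# Added example: site-wide maintenance mode via Apache .htaccess.
# Every request, including wp-login.php and any planted PHP file, gets a 503
# response with maintenance.html as the body, except from ADMIN_IP.
# Assumptions: Apache 2.4 with mod_rewrite (and mod_headers for Retry-After)
# reading .htaccess in the document root; DOCROOT and ADMIN_IP come from the caller.
set -eu

write_maintenance_page() {
  # $1 = document root. Static body served with the 503.
  cat > "$1/maintenance.html" <<'EOF'
<!DOCTYPE html>
<html lang="en">
<head><meta charset="utf-8"><title>Under maintenance</title></head>
<body><p>This site is temporarily down for maintenance. Please check back later.</p></body>
</html>
EOF
}

write_maintenance_htaccess() {
  # $1 = document root, $2 = IPv4 address that may still reach the site
  local docroot="$1" admin_ip="$2" ip_re
  # Preserve the existing .htaccess (WordPress permalink rules live there).
  if [ -f "$docroot/.htaccess" ] && [ ! -f "$docroot/.htaccess.pre-maintenance" ]; then
    cp "$docroot/.htaccess" "$docroot/.htaccess.pre-maintenance"
  fi
  # Dots are regex metacharacters; escape them so the IP matches literally.
  ip_re=$(printf '%s' "$admin_ip" | sed 's/\./\\./g')
  {
    printf '# maintenance mode (written by write_maintenance_htaccess)\n'
    printf 'ErrorDocument 503 /maintenance.html\n'
    printf '<IfModule mod_rewrite.c>\n'
    printf '  RewriteEngine On\n'
    printf '  RewriteCond %%{REMOTE_ADDR} !^%s$\n' "$ip_re"
    printf '  RewriteCond %%{REQUEST_URI} !^/maintenance\\.html$\n'
    printf '  RewriteRule ^ - [R=503,L]\n'
    printf '</IfModule>\n'
    printf '<IfModule mod_headers.c>\n'
    printf '  Header always set Retry-After "3600" "expr=%%{REQUEST_STATUS} == 503"\n'
    printf '</IfModule>\n'
  } > "$docroot/.htaccess"
}

enable_maintenance() {
  write_maintenance_page "$1"
  write_maintenance_htaccess "$1" "$2"
}

disable_maintenance() {
  # Restore the original rules, or remove ours if there were none.
  local docroot="$1"
  if [ -f "$docroot/.htaccess.pre-maintenance" ]; then
    mv "$docroot/.htaccess.pre-maintenance" "$docroot/.htaccess"
  else
    rm -f "$docroot/.htaccess"
  fi
  rm -f "$docroot/maintenance.html"
}

# Usage: maintenance.sh on /var/www/html 203.0.113.5
#        maintenance.sh off /var/www/html
case "${1:-}" in
  on)  enable_maintenance "$2" "$3" ;;
  off) disable_maintenance "$2" ;;
esac
```

A 503 with Retry-After tells Google the outage is temporary, so the placeholder is not indexed and rankings are not affected the way a 200 would be. On nginx hosts the equivalent is a `return 503` in the server block, which needs server access rather than a file in the document root.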
# 3: Scan your WordPress site
There are a few different ways to scan your website: external remote scanners and application-level scanners. Each is designed to look for and report on different things, and no single one is the best approach, but together they improve your odds greatly.
Application Based Scanners (Plugins): these run inside WordPress, so they can read the file system and database and compare core, plugin and theme files against known-good copies. The trade-off is that they run on the compromised site itself, where malware can interfere with them.
Remote Based Scanners (Crawlers): these fetch your public pages the way a visitor or Google does, so they catch injected scripts, redirects, spam links and blacklist status, but they cannot see a backdoor that doesn’t change the rendered pages.
There are also a number of other security plugins in the WordPress repository. To save yourself the hassle, you can contact me; if you are one of our clients, this is included in your plan. If you want to do it yourself, read on to learn more about how to protect WordPress.
# 4: Scan your device
In addition to scanning your website, scan your local devices. The source of the attack or infection is often a desktop, notebook or tablet: attackers run trojans locally that sniff login credentials for FTP and the WordPress admin, then use them to log in as the site owner. Plain FTP also sends your password unencrypted across the network, so switch to SFTP or FTPS once the device is clean.
Run a full anti-virus and malware scan on every device that has been used to log in to the site. In my opinion it is best to install a fresh, second scanner to find and remove whatever is stored, because some malware is good at detecting the anti-virus already installed and hiding from it.
# 5: Find the hack
First, check whether you can log in to the WordPress dashboard. Then check whether your web address redirects you to another website, and look for links you did not add, such as pharma spam. Another thing to check is whether Google already flags your website as unsafe: the warning visitors see in their browser, and the Security Issues report in Google Search Console, will tell you. Note the date the first symptom appeared; it narrows down which files and users to look at.
# 6: Remove extra users
If admin accounts, or any other accounts, have been added to your WordPress site that you don’t recognize, remove them without a second thought. Go to the Users panel in WordPress to see the full list, tick the checkbox next to every user you don’t know, then choose Delete from the bulk actions drop-down. WordPress will ask what to do with their content; attribute it to yourself rather than deleting it if you want to review what they posted. Write the usernames down first, because they are useful when reading logs later.
# 7: Remove unwanted files
To find out whether there are files in your WordPress installation that shouldn’t be there, refer back to step 3 above: the scanners compare your site with known-good copies and tell you which files don’t belong. Remove those files, and do it over SFTP or a shell rather than through a plugin if you can, since the dashboard itself may be compromised. If you’re on our hosting plan, you don’t need to install additional security plugins; just contact us and we will fix your site.
# 8: Keep your site up to date
It’s very important to keep your site up to date. Whenever a theme, a plugin or WordPress itself releases an update, install it promptly, because a large share of WordPress compromises come through already-patched vulnerabilities in outdated plugins. You can enable automatic updates for each plugin from the Plugins panel (WordPress 5.5 and later has an “Enable auto-updates” link there), or use wp-cli, which our hosting includes, to update themes, plugins and core from a daily scheduled job.
You can also do it manually: go to “Dashboard > Updates” and update everything that’s out of date.
# 9: Reset all passwords
Remember to reset all the passwords for your site once you have confirmed that the site is clean; do it earlier and the attacker’s backdoor simply captures the new ones. That means every WordPress user, your hosting control panel, and your FTP/SFTP account. Use long, unique passwords with a mix of letters, numbers and symbols, and never reuse one across sites. Consider changing the database user’s password as well; when you do, update it in “wp-config.php” or the site will stop working. Remember, too, that the attacker may hold a valid login cookie rather than a password, so rotate the secret keys and salts in wp-config.php as well, which logs every session out.
You can also add two-factor authentication to your site. It doesn’t stop an attacker from creating an account through a backdoor, but it does make a stolen or guessed password useless on its own.
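Passwords are only half of the reset. WordPress signs its login cookies with the eight secret keys and salts in wp-config.php, so an attacker who stole a cookie stays logged in after every password change unless those values change too. The script below is an added example, not code from the original post; it rotates all eight with random values from the operating system and demonstrates on a constructed sample wp-config.php, so the file path and the sample contents are assumptions:

```shell
#!/usr/bin/env bash
# Added example: rotate the eight secret keys and salts in wp-config.php.
# WordPress signs login cookies with these values, so changing them logs every
# session out at once, including one the attacker holds with a stolen cookie.
# Resetting passwords alone does not do that.
# Assumptions: wp-config.php uses the stock define('NAME', '...'); lines, and
# make_sample_config writes a constructed file for the demo, not a real site's.
set -eu

KEY_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 48 random bytes from the OS, base64-encoded to exactly 64 characters. The base64
# alphabet has no quote, backslash or dollar sign, so the value is safe inside a
# single-quoted PHP string.
random_salt() {
  head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# Current value of constant $2 in config file $1 (single-quoted define() lines).
salt_of() {
  awk -v n="$2" -F"'" '$0 ~ /define/ && $2 == n { print $4; exit }' "$1"
}

# Rewrite every key in KEY_NAMES with a fresh value, keeping a timestamped backup.
# A line is matched on the constant name with either quote style and rewritten in
# canonical single-quoted form; every other line passes through untouched.
rotate_salts() {
  local cfg="$1" tmp name salt re
  cp "$cfg" "$cfg.bak-$(date +%Y%m%d%H%M%S)"
  tmp="$cfg.tmp.$$"
  cp "$cfg" "$tmp"
  for name in $KEY_NAMES; do
    salt=$(random_salt)
    re="^[[:space:]]*define[[:space:]]*[(][[:space:]]*['\"]${name}['\"]"
    awk -v re="$re" -v n="$name" -v s="$salt" \
      '$0 ~ re { print "define(\047" n "\047, \047" s "\047);"; next } { print }' \
      "$tmp" > "$tmp.1"
    mv "$tmp.1" "$tmp"
  done
  mv "$tmp" "$cfg"
}

# Constructed sample config with the placeholder values a fresh install ships with.
make_sample_config() {
  cat > "$1" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'replace-me');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
EOF
}

# Usage: rotate-salts.sh /var/www/html/wp-config.php
#        rotate-salts.sh --demo   (rotate a constructed sample in a temp dir and show it)
case "${1:-}" in
  --demo) tmp=$(mktemp -d); make_sample_config "$tmp/wp-config.php"
          rotate_salts "$tmp/wp-config.php"; cat "$tmp/wp-config.php"; rm -rf "$tmp" ;;
  "") ;;
  *) rotate_salts "$1" ;;
esac
```

Run it once the site is clean, at the same time as the password resets, and expect to log in again afterwards. If wp-cli is available on the host, `wp config shuffle-salts` does the same job, and `wp user update <login> --user_pass=<new>` resets a user’s password without going through the dashboard.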
# 10: Firewall
A web application firewall from a service like Cloudflare or a plugin like Wordfence adds an extra barrier in front of your site. It filters known attack patterns and rate-limits login attempts, which reduces the chances of a successful hack and absorbs DDoS traffic. A firewall in front of a site that is still backdoored does not clean it, so treat it as a preventive layer, not a fix.
# 11: Security plugin
If you install a security plugin such as Wordfence, it will notify you of suspicious activity: unauthorized logins, unexpected updates, and files that don’t belong in your installation.
# 12: SSL certificate
An SSL/TLS certificate encrypts traffic between your visitors and the site, so passwords and session cookies can’t be sniffed in transit, and it’s free. Our hosting provides it at no extra cost. If your hosting provider doesn’t, the “SSL Zen” plugin can issue a free Let’s Encrypt certificate. Note that HTTPS protects data in transit only; it does nothing about a hack that is already on the server.
# 13: Backups
If you back your site up regularly, this is the most hassle-free option: restore the backup from before it got hacked. Remember that restoring an old backup reverts the site entirely to that day, so content you published and other changes you made after that point will disappear. Check that the backup really predates the compromise: attackers often get in weeks before the first visible symptom, so look at file dates and your scanner’s findings before picking one. And a restored site is still running the same vulnerable code the attacker used the first time, so it is just as exposed to the next attack.
Once you have restored your website this way, put more effort into security: refer to steps 3, 8, 9, 10, 11 and 12 to avoid a repeat.
# 14: Reinstall plugins, themes and WordPress core
If your site still has problems, reinstall all plugins and themes. Deactivate and delete them from the Themes and Plugins pages, then reinstall fresh copies from the WordPress repository or the vendor, never from your backup.
If all of the above fails, reinstall WordPress itself. If files in the WordPress core have been compromised, replace them with a clean WordPress installation: keep wp-config.php and wp-content, and overwrite everything else.
If this doesn’t fix the problem, check the WordPress support pages for all of your themes and plugins. It may be that other users are experiencing the same problem, in which case you should uninstall that theme or plugin until the vulnerability has been fixed.
# 15: Clean out your database
If the database has been tampered with, clean it as well. A general clean-up is worthwhile anyway: a database with less outdated data takes up less space and makes your site load faster. The “WP-Optimize” plugin will clean and optimize your database, or you can do it manually through the “phpMyAdmin” page in your hosting panel. Be aware that optimizing removes revisions and transients; it does not find injected content. For that, search the wp_posts and wp_options tables for script or iframe tags and for option names you don’t recognize, and check wp_users for accounts that did not show up in the dashboard.
# 16: Hire a professional security service
If the attack on your website is bad enough, hiring a professional is your best choice. Cleaning it up as soon as possible is in your best interests, since a compromised website only gets harder to recover the longer you wait; the faster you fix the issues, the safer your website becomes.
Alternatively, our hosting plans come with security features including DDoS and brute-force protection and a hack-free guarantee, meaning that if your site is hacked, we will clean it up for you. If you switch to us, we’ll migrate your site for free and clean it up if it’s hacked in the future.