How to secure WordPress websites against hacks – and recover from them!
WordPress website security is an SEO issue. Securing WordPress is a mission-critical business risk management task. Get hacked and have malware or phishing content and your rankings, traffic and enquiries will evaporate faster than a glass of Jim Beam in the hot summer sun…
When it comes to WordPress website security, prevention is always better than cure. If you’ve been hacked, the first priority is undoing the damage and securing the premises. Rather than spend ages trying to determine HOW the hacker gained access and did whatever was done, you’re best to immediately implement the appropriate remedial and preventive measures AND eliminate any malicious code of files that were inserted.
In almost every instance, doing what’s recommended below will sequentially shut down all the most likely loopholes one by one and prevent future incidents.
10 Steps in Securing WordPress
YOUR HACKING PREVENTION / RECOVERY CHECKLIST:
1 – Hardening the Hosting Account Control Panel
Note: it is usually helpful to run two open browser windows. That way, you can monitor the impact of cPanel changes on the live site as you proceed through the checklist. If a change inadvertently “breaks” the site, it’s easy to reverse the change immediately, and move to the next step.
A big part of securing WordPress is to harden the hosting account because that’s where many attacks are directed. Once a hacker has access to the control panel, they can control the website.
Change the hosting account account password: In your cPanel, Plesk, SPanel, Hsphere control panel,
- Change your hosting account password to prevent ongoing illegal control panel access.
- Hosting accounts are a primary target for hackers and many hosting companies have low-strength passwords by default. Many / most accounts also have ridiculously easy passwords set by the account owners!
- The password should be 18 characters secure, as generated by the cPanel tool or a password generator. If you can remember it, then it’s definitely NOT a secure password!!!
FTP Users: there should (usually) only be ONE. In some cases, there may be the default FTP user plus another system user with permission to generate log files, depending on the hosting provider. Check for and delete any unknown FTP users.
WordPress Database: in the Control Panel, go to MySQL databases and change the WordPress database password to 18 characters secure. Edit the /wp-config.php file and replace the old password. This stops the bad guy from getting straight back in if it was a database access hack.
Add security headers into the .htaccess file before the # BEGIN WordPress line. This limits the sorcery that can be performed by an external bad actor.
- be sure to monitor the impact of this change on the live site as in rare cases, it may create a conflict.
Copy and paste the settings below:
# Begin SSL Headers
Header set Content-Security-Policy: upgrade-insecure-requests
Header always set X-XSS-Protection “0”
Header always set X-Content-Type-Options “nosniff”
Header always set Referrer-Policy “strict-origin-when-cross-origin”
Header always set X-Frame-Options: “SAMEORIGIN”
Header always set Permissions-Policy: “”
Header always set Expect-CT “max-age=7776000, enforce”
Header always set Referrer-Policy: “no-referrer-when-downgrade”
Header set Strict-Transport-Security “max-age=10886400; includeSubDomains; preload”
# End SSL Headers
Check your Security Headers status at Security Headers.com/
Remove any obviously “dodgy” php files you can see in the root directory – place them in a temporary /quarantine/ directory.
Note that WP core files are usually prefixed with “wp” and these should be left alone for now. Look at creation dates on any suspicious files, and for file names with odd/gibberish names different to WordPress core files. Definitely regard those with suspicion…
Note: we will assess suspicious files with Wordfence security in a later step, by running a scan that includes files outside of WordPress…
Be cautious: – the one file you must not delete is /wp-config.php
PHP: should be running the current version release if possible – PHP 8.1 – which is both more secure and faster. Note that some older plugins and themes might not respond favourably to 8.1 as they may have deprecated functions/code from earlier PHP versions.
ModSecurity: cPanel has a security module called mod_security. To check if your hosting company has it activated on your website, use the cPanel “search” tool. If it’s installed, it should show in the search list.
NOTE: As a general rule when creating a new hosting account, I would never use the default 8-character cPanel user name based on the domain name. Doing so gives the attacker half of what they need to gain entry, with only the password required to get in…
cPanel password hacking tools: These are readily available, yet so many people never think to protect their hosting account with a secure password.
2 – Change WordPress Salts
WordPress security keys are an encryption tool that protects login information by making it harder to decode. These keys act just like real keys and are used to lock and unlock encrypted information such as passwords, effectively securing WordPress.
You can regenerate the WordPress Security Keys manually or by using a plugin. If you suspect or know that your website was breached, then you need to regenerate both the WordPress security keys and change your Admin user password/s.
SALTS: replace the “salts” in /wp-config.php to forcibly “log-off” anyone still logged in.
Manually: to get a fresh set of salts, go to:
Copy the Salts, and paste them into the “Salts” section in the /wp-config.php file.
You can manually copy and paste new security keys as mentioned above, OR:
Use a security plugin such as Sucuri for renewal: perhaps easier for non-tech-savvy users. One of the easiest ways to quickly regenerate your WordPress security keys is using Sucuri, a top-notch plugin that protects your WordPress website against common threats.
3 – Reinstall WordPress
As soon as you can, get into WordPress Admin | Updates and run:
Reinstall: run the WordPress “Reinstall version 6.x.x” because that deletes and replaces ALL core files including the /wp-admin/ and /wp-includes/ contents. This immediately removes any dodgy code/files inserted by an intruder into those areas.
Apply Updates: update all plugins and themes to ensure security patches are applied, and all files are replaced.
Set all plugins to “auto-update” – this is an important WordPress security procedure.
4 – Check your WordPress "Administrator" Users
Administrator Users: look for dodgy Admin users, delete any you don’t know (allocate content – if any – to a known good user so you don’t delete your posts and page accidentally)
If you’ve previously added external users for 3rd party support, reset those to “Subscriber” for now. The fewer administrator users you have, the fewer chances for a hacker to crack a weak password and access your site as an Administrator.
Review/change the Admin User “Nicknames” so that the actual User Names are never displayed in meta on posts etc. Doing all of this will help protect your WordPress site from hackers because a hacker can’t determine the correct user names. When Wordfence Security is properly configured, anyone trying to access an “invalid user name” is immediately locked out.
5 – Change all WordPress administrator passwords
Make sure these are all WordPress-generated SECURE passwords!!! No silly word/name/date combinations as these are easily hacked by a determined adversary.
6 – Blocking XML RPC
This is one of the ‘vulnerabilities’ most people are blissfully unaware of. It does serve a legitimate purpose for users doing remote publishing etc., but the majority of WP sites will never need it. Block this because it is a real threat and a key to securing WordPress!
Block XML-RPC fully: I use the Disable XML-RPC-API by Neatma.
7 – Restrict REST API to logged-in Users
Block REST API: for non-logged-in users – plugin is: Disable WP REST API by Jeff Star
8 – Implement Security Plugin/s
Wordfence: it’s a great security plugin but the settings are extremely complex and very difficult for most people to configure correctly. For that reason, even with Wordfence installed, the “default” settings don’t necessarily provide tight enough protection for my liking. The default Scan settings are also not rigorous enough to detect issues in themes and plugins, images or files outside WordPress etc. This is one of the best WordPress website security plugins available.
If you’ve been hacked, use Wordfence.
To help you with that, the Import Code is listed later on the page… This will configure Wordfence to the same levels I use myself and immediately secures multiple danger points, and customises scans etc.
Go to Wordfence | Tools | Import/Export Options
Copy and paste the code at the end of this page into the Wordfence “Import” box
Scan: get a Wordfence full scan scan going ASAP and use the buttons provided to:
— delete any files marked as non-WordPress
— replace those that are modified
If you are in “Prevention” mode…
You could use the lightweight Block Bad Queries plugin as your web application firewall.
Use Limit Login Attempts as your Brute Force Login attack protection. Reduce login attempts to 3, with a 90-minute lockout for exceeding 3. Set Blocking after 4 attempts to 9999 hours…
9 – Implement 2 Factor Authentication (2FA)
If you’ve BEEN hacked, then definitely add an additional safety layer to prevent unauthorised access. In future, even if an administrator account is cracked, the 2FA mechanism prevents intruder access.
You can do this by either:
Wordfence 2FA settings, if you use Wordfence…
WordPress website security is greatly enhanced with the WP 2FA plugin which works in conjunction with the Authenticator app on your phone. When an administrator logs in, a 6-digit code is sent via SMS to the phone that’s configured on your account.
Use that code to gain access to your site’s admin area.
10 – Get your website onto Cloudflare
A free Cloudflare plan delivers multiple configurable/optional security layers including DDoS protection. They offer a free 15-year SSL certificate for your origin server, and you also get enhanced firewall protection including GeoIP-based country blocking, Bot Fight Mode and more.
As well as this help in securing WordPress, Cloudflare also makes your New Zealand website load faster – particularly if you’ve got it hosted in the US, Aussie, Singapore, Europe etc.
Configuration is moderately complex:
- Create a Cloudflare account for your Domain. This imports your current DNS settings… these need to be checked against the hosting account cPanel records to ensure everything that’s needed is cloned to Cloudflare. Sometimes, that doesn’t work perfectly, perhaps due to server restrictions…
- You will be given the Name Server records to change on your domain registration account. Do that after configuring your Cloudflare account settings for your website.
Configure the account on Cloudflare.
- You could use the WP Cloudflare Super Page Cache or the official Cloudflare plugin… these will configure many of the settings from within the plugin but neither are perfect at it.
- I think it’s best to do it manually…
If you use a WooCommerce shopping cart, then it’s pretty much necessary to use the Cloudflare plugin with the $5 per month WordPress APO activated OR the WP Cloudflare Super Page Cache. This prevents caching and distribution of cart, account and checkout data across users.
Manual Cloudflare Settings:
#1 – Page Rules – these are critical because to control what’s indexed on your site. You want to bypass caching of the login page and WP Admin but cache the content… See section Cloudflare Page Rules** below…
#3 – Scrape Shield – activate to stop people hot-linking to your images
Enabling Cloudflare: going live
Log into your Domain Registrar account:
Edit the Domain Name Server records: replace your current DNS with the new one provided in your Cloudflare account.
Wordfence Import Code *
The following code will configure the Brute Force Login settings, password strength and Scans etc to an adequately rigorous level, securing WordPress against all but the most talented and dedicated attackers. Who, quite frankly, are busy on much higher-value targets than the average kiddy hacker learning the trade. The law of diminishing returns kicks into effect at some point – if a hacker encounters a small business site with extremely robust security, its likely more cost-effective to move on to a softer target. There are literally millions of websites – the majority are inadequately protected.
Wordfence | Tools | Import:
After copying and importing the code above: go to General Wordfence Options and change the “Where to email Alerts” address to your own, so you receive any alerts that are generated.
Cloudflare Page Rules **
Getting the Cloudflare page rules configured and loading in the correct order determines what is indexed. Preventing indexing of /wp-admin/ is essential.
Example page rules:
- Use the full path to the wp-login.php file and /wp-admin/ directory…
- The order in which the rules are loaded is critical!
- As are the settings within each rule…
At the end of the above 10 Steps, you’ve made significant WordPress website security changes that will help in securing WordPress websites from hackers for a long time to come.
If all of this seems somewhat challenging – I’m happy to install/configure all of the above for you on an hourly rate basis… or as part of a website maintenance package.
Page last updated on Thursday, October 12, 2023 by the author Ben Kemp