Advice on how to avoid having Word Press hacked?

First of all: hacking is NOT such a common threat as you may think... unless users make a lot of mistakes.

Don't have the "admin" username for your admin login; don't have the wp_ table prefix for your DB table (which will happen with any Fantastico install); have strong and not-easy-to-guess passwords; make sure there is no keylogger/malware on your computer.

Other than that... see the Codex:
Hardening WordPress « WordPress Codex

A couple of good plugins are:

Bullet Proof Security - although it has it problems with certain wordpress themes

Login lockdown is really good, and I have never had a problem with it

Secure Wordpress plugin and I have used Logon Lockdown too

I usually use one click install with Hostgator. Is having the wp_ table prefix a big issue if I change all the other things? Like no admin user, strong password and login lockdown?

One click install is just so easy and now I hate manually installing WP.

WordPress › BulletProof Security « WordPress Plugins works great in protection WP sites. I use this on most of my clients websites and I don't receive any threats.

Well with my wordpress blogs, hacking is not possible unless I allow new users to register

After I disabled user registration the hacking stopped

I used to install wp-db-backup
WordPress Database Backup – Austin Matzko's Blog

it will send all your wp content to your email once a week (if you set so)

Security is extremely important as hacking can and does happen quite regularly, and you are more of a target as you become more well know. Even the UFC site just got hacked a couple of days back.

No matter how low the chances are of being hacked, if you protect yourself you can reduce them a great deal more.

Especially if you run a site with members, it is your responsibility to protect their information with the strictest security regime you can put together.

Here's what to do:


Install manually, not through Fantastico. If you have cPanel it's still very quick and easy.

WordPress file upload (the quick & easy way):

1. Upload the WordPress zip to your domain root folder using cPanel's File Manager
2. Use the extract function to unzip it right there.
3. Go into the "wordpress" folder it unzips to.
4. Click the "select all" button.
5. Click the "move" button.
6. Deleting /wordpress from the end of the address in the "move" dialog
7. Click "Move File(s)" to move all the WordPress files into your main domain folder.


Database setup (the quick & easy way):

1. Now setup your database using the MySQL Database Wizard in cPanel. Follow the prompts and it does everything for you.
2. Create a database name that's quite random.
3. Create a user name that's also quite random
4. Use the password generator to create a strong password. Copy and paste it into a notepad doc
5. At the "Add user to the database" step it will display both database name and user name. Copy and paste those into the notepad doc too.
6. Click "All privileges" to give your user full access to the database you created.
7. Click "Next Step".


Actual WordPress install (also the quick & easy way):

1. Now go to www.yourdomain.com/wp-admin in your browser.
2. This will trigger the installation process - you will see a screen telling you there's no config file. Click the button to create a new one.
3. You'll now see the first installation screen. Copy & paste the database name, database user name and password you have in your notepad doc from before.
4. Change the default wp_ prefix to some other random thing like: koe_
5. Proceed to the site info setup page and fill in all the fields. Use some WordPress username other than admin, and other than just your name - make it difficult to guess. Also use a strong password that's difficult to guess.
6. Proceed and WordPress will now automatically complete the installation.

***All up the above is a very secure foundation and will take you about 10 minutes or less to complete.***


Security plugins

Install the following plugins and follow the configuration guides for each one:

Secure WordPress
WordPress › Secure WordPress « WordPress Plugins
BulletProof Security
WordPress › BulletProof Security « WordPress Plugins
Semisecure Login Reimagined
WordPress › Semisecure Login Reimagined « WordPress Plugins
Bad Behaviour
WordPress › Bad Behavior « WordPress Plugins
Regular Backups

And beyond all the above, make regular backups so that in case something does happen you can roll back.

Your host will most likely make their own backups that you can get them to roll back to for you, but you should also make your own.

There are automated ways to do this but I'm yet to find a method that beats just going through cPanel.

1. Go to your cPanel File Manager and into the root folder of your site. Click "Select all" then click "Compress" to zip up all the files. Download the zip.

2. Go to phpMyAdmin through cPanel and click your database name in the list on the left. Click the "Export" tab. Click "Go" and save the database backup file.


Not quite sure what compelled me to write up the whole process, but I hope it helps some folks out.

It's good to have complicated password to avoid brute force attacks but even the most difficult passwords can be sniffed out if they are not encrypted, especially if you use public wifi often.

There are some plugins that allow you to encrypt the password, I use WordPress › Chap Secure Login « WordPress Plugins on couple of blogs.

It's important to note that the first time you login after installing this plugin, you'll need to copy and paste you password, you can't login by typing it in because wordpress won't accept encrypted password at first attempt, that's only for the first time you login after installing the plugin, later you can type your password as usual.

@ Keez thanks for the tips! The problem is I already installed my WP site from CPanel.

first advice is do not use any plugin
2nd is use stonger admin user name and password.

Can users with the "Subscriber" role "hack" your WP site ?

I'd assume its possible since they have access to a limited Dashboard.



However, I removed the dashboard completely for Subscriber users..

Hope I'm safe

Make sure to keep your WP installation and all plugins updated! My host offers daily backups though, that helps too!

Wow!

Ya'll have given excellent information about securing WP!

Thanks to everyone for sharing!

I purchased WP super sweep, did all it said (as best as I could) and killed the installation!

Thankfully, I had a clone and easily replaced it. I didn't feel like trying it again, but I didn't know what else to do.

Now I'll follow these steps.

Appreciate your expertise!

Karen

Hey Balvanedaj,

I don't know if any start to finish site launch instructions off the top of my head, but the installation process I outlined above should at least get you started.

Yes, there are a few other steps I take and plugins I install with each site.

After installation there are some default WP settings I change:

• Settings > General: Insert a tagline
• Settings > Writing: Change size of post box to 30 lines (I find the default too cramped)
• Settings > Reading: Set the number of posts per page (I find 10 too much so I usually drop it.)
• Settings > Discussion: Set whether or not you'll allow comments and what the requirements for approval are
• Settings > Media: Update the thumbnail size if one is going to be automatically used in your theme of choice
• Settings > Privacy: Double check to ensure your site is open to search engine crawlers
• Settings > Permalinks: Change to custom structure /%category%/%postname%/

After these changes are made I install whichever theme I plan on using.

Then I come to plugin installation. I have a standard list I install every time, and to speed things up I install via Plugin Central.

So I go to the plugins admin page and search the repository for "Plugin Central" and install & activate it.

I then go to Plugins > Plugin Central and paste in the following list of plugin file URLs to install:

Plugin Central will automatically download and install each one.

I then also manually install UP Smart Update Pinger as it is not a repository plugin. That can be found here: Ultimate Plugins Smart Update Pinger [Ultimate Plugins]

So in that list I have the security plugins I already mentioned above. I also have:

• Vipers Video Quicktags - easy video posting
• TinyMCE Advanced - more powerful post editing
• Google Sitemap Generator - automatic Google friendly XML sitemap generation
• All In One SEO - my favorite SEO plugin
• Fast Secure Contact Form - quickest easiest way to post a contact form with spam blocking
• Robots Meta - for easy robots meta tag control
• PC Robots - automatic management of robots.txt file, including blocking a legion of known spambots
• Quick Cache - my preferred caching plugin due to very easy setup, easy access "clear cache" button, multi site compatibility and s2Member compatibility

Once all the plugins are installed I then process any updates that are available on any of them. I then bulk activate all the plugins at once.

Then there is some config to go through for a few of the plugins.

Akismet
Enter your WordPress API Key, gotten from API Keys — WordPress.com

All In One SEO
Set to "enable" and fill in Home Title, Home Description and Home Keywords.

Bad Behavior
Uncheck "display statistics in blog footer". Get an "http:BL Access Key" from the site they refer you to and add it to your settings.

Robots Meta
Check whichever boxes suit your site. If in doubt, check everything.

Tiny MCE Advanced
Check "Stop removing the <p> and <br /> tags", and I also like to add the blockquote (") button to the toolbar.

UP Smart Update Pinger
Copy & paste this list of ping sites
http://rpc.pingomatic.com
http://www.blogpeople.net/servlet/weblogUpdates
http://ping.myblog.jp
http://ping.bloggers.jp/rpc/

Secure WordPress
Check the extra boxes that are available to tick if so desired. I always do.

BPS Security
There's a few steps to configuring this so you'll have to look very closely at the instructions provided. But in a nutshell:

1. Backup your .htaccess file
2. Create the two new ones it makes for you
3. Activate the four "Bulletproof Security Mode" options they make available
4. Do another backup of all the new .htaccess files

Quick Cache
Set caching to "On". Remember that with caching on some changes you make to your site won't appear right away. If it ever seems like something you're trying to change isn't working, clear the cache.

This is the process I've refined down to as a result of a number of years researching and trialing best practices. My sites always rank well and run very smoothly.

Cheers,

- Kezz

Not me, I'm using it on all my sites at present and its working beautifully.

I'd suggest checking to ensure you meet the requirements to run it, i.e. "This plugin requires PHP to be compiled with openssl support, which is a pretty standard option for most hosts."

And also double check it is installed correctly.

Hi KEZZ Excuse me for my ignorance, where do I find the "Plugin Central"??

Thanks in advance

Let me google that for you

I just read an article on this. One step you can take is to not use "Admin" as your username. Also make sure to use a strong password.

THANK YOU Istvan, I much appreciate your answer

BTW do you have any idea if is there a king of a Wordpress security checklist? c

THANKS in advance!!

Kezz ... Thanx!

You succinctly explained a process I've been trying to understand.

Excellent step-by-step instructions.

Thank you! Thank you! Thank you!

One advice I can give is to NEVER use nulled plugin, theme or any other script in your site. If you do, you're opening doors to criminal minds...

Honestly the main thing you need to do is keep the version up to date. You should also never use a generic password. I've had wp hacked on a couple f occasions for different sites. 1 bot/hack created a user account which was able to create an admin account. It then hid itself as a user inside wp. I had to delete it from phpmyadmin. 2. I didn't keep the version up to date, script injection created a folder on server with redirects. I just deleted the folder and updated, was fine since then, although worrying at the time. thankfully was off peak.

Do not use pirated plugins, period. If you are not a programmer, there is no way of you knowing what the hell they did to it. It is as easy for them to clean out activations etc as it is for them to put in their own backdoors.

I wrote an article on Wordpress hacking. This may be of some help; cmshelplive.com/blog/item/97-wordpress-website-hacked.

The best place to go is to check the wordpress codex on hardening wordpress.

As for plugins, I would recommend the WordPress › WP Security Scan « WordPress Plugins.

Most webhosts (like HostGator, Bluehost etc.) back up your site at least daily, so you don't have to worry about that too much for a small site anyway.

My biggest piece of advice would be to remove any identifying 'powered by wordpress' text and to be very careful about what plugins you install. Plugins can make your site vulnerable to hacks, so only install those which are absolutely necessary and are well maintained.

I prefer the Wordfence plugin some nice .htaccess code I am always adding myself.