How to test if your Wordpress Site is secure?

Try to search for plugin!!! There is free plugins to test your WP site and tell you which files are infected by any malware. Also DO NOT upload nulled or other suspicious plugins! Use ones from WordPress site or buy from original source, other way your blog could be hacked easy!

go to your admin > plugins > add new | Search for this two plugins to fix your problems:
1. Anti-Malware by ELI
2. Exploit Scanner

It should help you

I would say the first step is to be careful what plugins you install. They have to come from trustworthy sources. I'm going to take the recommendations given by Zicer, probably unless there are other suggestions.

Hello,

Sorry to hear about your sites…

Unfortunately, in your case the problem is your misunderstanding of what security is.
Installing a security plug-in is a good start, but not enough…

Security is a complex set of secure configurations, techniques and practices…

To answer your question: yes there are services that allow you to scan your website for security holes/vulnerabilities. Try researching this forum or Internet for “website security scan”. There are many free and not tools/services.

Now… to achieve security, you must periodically scan your sites and correct identified problems.

So11

Don't use Admin as the username... Install wordpress manually..

I would suggest you to going through the thread

http://www.warriorforum.com/website-...+security+tips

I use bullet proof security pro, just make sure all the settings are set I mean ALL and you should not have a problem. I use everything except the auto-restore/quarantine options. I had the issue where I thought I had it all correct and and green but then the status changed.. it was due to me not having all settings in place and in my case the "file locking" feature had to be on certain wordpress core files.

I would if possible, start over, don't install anything but wordpress and then bullet proof security pro right from the start don't mess with anything else until this plugin is fully setup.. Check settings over and over.. the plugin can be rough to setup at first.. and yes make sure you do not have an "admin" user name called admin OR any other username on user1 default.. meaning whatever the first user is delete it.. well first add your second admin don't use "admin" as name though (if first user was something else) and then delete first user.

This is because when hackers use automated software tools it always tries the first wordpress user ID so by using a different ID number "2" you are a little safer.. they always go after "admin" user ID 1 and try to brute force the login so have a complex password as well.

how secure is your password for /wp-admin?

I use the plugin "Limit Login Attempts"

It will lockout anyone who uses an incorrect password multiple times, then will record their IP address.

Never had a problem.

Don't use common names like "Admin" for administrator. Secondly, create an additional account and make posts in your blog using that. Don't install plugins without prior knowledge, install plugins from trusted websites only. If you think that your website is being hacked by brute-force attacks, then create complex passwords (by mixing small and capital letters, numbers etc). Don't access your control panel/dashboard from in-secure computers. Sometimes, infected files may also take the malware to the website, if they are uploaded to it. So upload files to the website only from your personal computer or any other trusted computer.

I had the same problem as you last week. I got my sites hacked by various arabs and turks. (TimThumb Vunerability).

Get Better WP Security. It is much better than the others.

Funny thing, I`ve just finished answering a very similar question on Quora (so seems like WP hacks are the latest trend...)

First of, as far as I know, WP Security is probably the best security plugin today.
Having said that, its far from perfect.

This is why:

A. WP Security will blacklist bot and user IPs and this is not an effective way to protect yourself.
Keep in mind, IP are very easily spoofed an average attacker will never use his/hers true IP for the attack.
Also, "Good" bot will use strange IP ranges so there is a good chance for false-positives (i.e. Goolgebot will use Chinesse IPs)

The smart way to do this, is by using a combo of behavior monitoring + signature recognition + challenges (JS,Coockie or even CAPTCHA).

This is how we do it here (in Incapsula) and from personal experience I can say that this multi-layer approach will drastically minimize false-positives.
This approach will also provide better protection against new and yet unknown threats, as it will look for suspicious patterns instead of trusing generalized rules.


B. It will not provide injection (and other Illegal Resource Access) protection.
Yes, vulnerability scans are a good place to start, but they are never as good as proactive protection and even when they detect something, you'll still need to spend time and effort (and have decent understanding of PHP/WP coding) to close the gap.

I don't want to make it too long, so I`ll stop here.

I will say again that "WP Security" is a great plugin, but it will only go so far and for more advance features I would recommend looking into 3rd party security services.

PM me if you need any help.

GL