How to avoid Wordpress site from being hacked

32 replies
Hi, All of my websites which were hosted on Hostgator were hacked recently. I want to know, what software should I use to avoid them from being hacked. I'm using Cloudflare but it made my website down. Can anyone suggest alternatives to Cloudflare or Sitelock?
  • QueenMelanie
    Here is a good list of WP security plugins: 6 Best WordPress Security Plugins.

    Changing your admin login URL and adding a pincode to login helps too!
  • spearce000
    Sending you a PM.
  • Rob Whisonant
    Learn a little html and quit using wordpress.

    Re's
    Rob Whisonant
    • vikash_kumar
      Originally Posted by Rob Whisonant View Post

      Learn a little html and quit using wordpress.

      Re's
      Rob Whisonant
      I completely disagree with this idea... It's like... "If there is cold in a city... so don't ever go there... even if that city is beautiful and everybody is already enjoying and going there..."

      I think your question is correctly framed... you just need to know the elements which are required to be secured to make any software secure... be it WordPress or even an HTML site...

      There is plenty of content available on the internet to learn how to make a WordPress site more secure... However, there is no website in the world which is totally safe and secure... and there never will be... You should always be prepared for the worst, and my tip is to always take regular and frequent backups of your website... preferably an off-site backup (not on the same server where the site is...)

      Best Regards,
      Vikash
      • Rob Whisonant
        Originally Posted by vikash_kumar View Post

        I completely disagree with this idea... It's like... "If there is cold in a city... so don't ever go there... even if that city is beautiful and everybody is already enjoying and going there..."

        I think your question is correctly framed... you just need to know the elements which are required to be secured to make any software secure... be it WordPress or even an HTML site...

        There is plenty of content available on the internet to learn how to make a WordPress site more secure... However, there is no website in the world which is totally safe and secure... and there never will be... You should always be prepared for the worst, and my tip is to always take regular and frequent backups of your website... preferably an off-site backup (not on the same server where the site is...)

        Best Regards,
        Vikash
        No problem. We will agree to disagree on this. Personally I think Wordpress is a total piece of [fill in the blank]. Learning html gives you better control over what you want to do and what you want your site to look like. Plus learning html is easy.

        99% of the time when you hear.... MY SITE GOT HACKED.... It is Wordpress. So yes, I stay out of the bad dangerous parts of town and spend my time on the pretty and safe side of town. Why take chances when you don't have to?

        But, yes, let's agree to disagree on this issue.

        Re's
        Rob Whisonant
        • jay761
          I would visit Strong Random Password Generator to generate a strong password. I would tick numbers and symbols. I heard WordPress gets hacked using the dictionary method, meaning that if you use real words a program guesses it? I'm not really an expert on security; it is just what I have heard.
        • Jw0847
          Originally Posted by Rob Whisonant View Post

          No problem. We will agree to disagree on this. Personally I think Wordpress is a total piece of [fill in the blank]. Learning html gives you better control over what you want to do and what you want your site to look like. Plus learning html is easy.

          99% of the time when you hear.... MY SITE GOT HACKED.... It is Wordpress. So yes, I stay out of the bad dangerous parts of town and spend my time on the pretty and safe side of town. Why take chances when you don't have to?

          But, yes, let's agree to disagree on this issue.

          Re's
          Rob Whisonant
          I had many HTML sites hacked even when using complex passwords for FTP and cPanel. They injected redirect code into the HTML files. I added .htaccess code providing security. This hack can affect WordPress too. It happens and is a pain. Just ask Sony.
          • Rob Whisonant
            Originally Posted by Jw0847 View Post

            I had many HTML sites hacked even when using complex passwords for FTP and cPanel. They injected redirect code into the HTML files. I added .htaccess code providing security. This hack can affect WordPress too. It happens and is a pain. Just ask Sony.
            Completely different hacking method. The vast majority of hacking is through WordPress and its plugins.

            I agree that all sites can be hacked. So by not using Wordpress you eliminate the vast majority of your vulnerability. To me that is a good thing.

            Re's
            Rob Whisonant
    • Peter Lessard
      Originally Posted by Rob Whisonant View Post

      Learn a little html and quit using wordpress.

      Re's
      Rob Whisonant
      LOL a little bit of html?

      For the average person WordPress is a godsend, they can add all kinds of functionality by simply installing a plugin and there is absolutely no way the average person could ever build such functions in with "a little bit of html".

      I am saying this as a coder so I get what you're saying, but this is not a path for the average person on here that is pumping out sites daily and needs to constantly add features etc... It's like telling someone don't bring your car to a mechanic, just learn a little bit about engines. You and me are those kinds of guys, hell I can fix a car, build a site and do the plumbing in my house, but it's simply wrong to assume people are like you.

      Sites are being hacked because they are not up to date.
      If people can't even update their plugins, imagine the likelihood of them learning and programming in html ;-)
      • Winning34
        Originally Posted by Peter Lessard View Post

        LOL a little bit of html?

        For the average person WordPress is a godsend, they can add all kinds of functionality by simply installing a plugin and there is absolutely no way the average person could ever build such functions in with "a little bit of html".

        I am saying this as a coder so I get what you're saying, but this is not a path for the average person on here that is pumping out sites daily and needs to constantly add features etc... It's like telling someone don't bring your car to a mechanic, just learn a little bit about engines. You and me are those kinds of guys, hell I can fix a car, build a site and do the plumbing in my house, but it's simply wrong to assume people are like you.

        Sites are being hacked because they are not up to date.
        If people can't even update their plugins, imagine the likelihood of them learning and programming in html ;-)
        I agree. I have a degree in computing and quite a bit of experience but even with that, I don't want to spend 12 months reinventing the wheel to make a responsive site that looks nice and can be updated easily from anywhere in the world.
        • Rob Whisonant
          Originally Posted by Winning34 View Post

          I agree. I have a degree in computing and quite a bit of experience but even with that, I don't want to spend 12 months reinventing the wheel to make a responsive site that looks nice and can be updated easily from anywhere in the world.
          Look into twitter bootstrap. Really easy to pick a template you like and edit it. Can be done very fast and is fully responsive. And no wordpress hackers paradise needed.

          Re's
          Rob Whisonant
      • Rob Whisonant
        Originally Posted by Peter Lessard View Post

        LOL a little bit of html?

        For the average person WordPress is a godsend, they can add all kinds of functionality by simply installing a plugin and there is absolutely no way the average person could ever build such functions in with "a little bit of html".

        I am saying this as a coder so I get what you're saying, but this is not a path for the average person on here that is pumping out sites daily and needs to constantly add features etc... It's like telling someone don't bring your car to a mechanic, just learn a little bit about engines. You and me are those kinds of guys, hell I can fix a car, build a site and do the plumbing in my house, but it's simply wrong to assume people are like you.

        Sites are being hacked because they are not up to date.
        If people can't even update their plugins, imagine the likelihood of them learning and programming in html ;-)
        And that is the problem. The average... the majority... of WordPress users never update anything. Most don't even know that you have to constantly update WordPress and its plugins. So they constantly get hacked.

        Many of these wordpress sites getting hacked are simple squeeze pages and sales pages. Wordpress is overkill where learning a little html could save them tons of headaches.

        Also several WYSIWYG html editors are available that make html coding even easier.

        I guess you can tell I am not a fan of using wordpress except when it's really the best solution. aka... Searchable blogs etc.

        Re's
        Rob Whisonant
    • itunesguy
      Originally Posted by Rob Whisonant View Post

      Learn a little html and quit using wordpress.

      Re's
      Rob Whisonant
      One of the worst pieces of advice that I have ever read here. After years of using html for one site, Wordpress has been a real godsend for me and allowed me to create many more far superior sites in 1/100th the time of my first extensive html site.

      No hackings so far, but I will look into these security plugins now.

      I do backup my posts and pages once a month.
      • Rob Whisonant
        Originally Posted by itunesguy View Post

        One of the worst pieces of advice that I have ever read here. After years of using html for one site, Wordpress has been a real godsend for me and allowed me to create many more far superior sites in 1/100th the time of my first extensive html site.

        No hackings so far, but I will look into these security plugins now.

        I do backup my posts and pages once a month.
        Now that was funny. Thank you.

        Re's
        Rob Whisonant
  • jfalxr
    There's a WP security plugin developed by Leo BCBiz called WP Shieldmate Plugin
    -> WP ShieldMate - WPThemePlugin Customers

    It puts a password to your WP login page and you can use as many passwords as you like..

    You can check live demo in my website here -> http://privatebonusclub.com/wp-admin

    Hope it helps,
    Jeffry
  • nizamkhan
    Originally Posted by Azlan.MY View Post

    Hi, All of my websites which were hosted on Hostgator were hacked recently. I want to know, what software should I use to avoid them from being hacked. I'm using Cloudflare but it made my website down. Can anyone suggest alternatives to Cloudflare or Sitelock?

    I use and recommend the iThemes Security WordPress plugin. It's an excellent plugin with advanced security features.

    If you need a premium security service, you can check out Sucuri.


    - Nizam
  • Peter Lessard
    You likely had an outdated plugin, theme or version of wordpress.

    1. Install the free version of the sucuri wordpress security plugin.

    2. Update everything. (theme, wp, plugins)

    3. Go to the Sucuri dashboard and check under files to see if it is showing some files as modified or added. If yes, use the Sucuri tool to remove them. For example, if the hack is placing index.html files or anything that does not belong, Sucuri will find it.

    4. Go to hardening in the Sucuri dashboard and harden your install.

    5. In the future keep everything up to date.

    P.S. If you're waiting for Hostgator to fix this, good luck, expect about 2 weeks!
  • MrFume
    Look, you just need one plugin and to configure it a little-it is called 'wordFence' it has a paid level but the free plugin works like a beauty - may sound simplistic but I run dozens of WP sites, have done for years and no hacking not even once with this measure. Just do it.
    • xlfutur1
      Originally Posted by MrFume View Post

      Look, you just need one plugin and to configure it a little-it is called 'wordFence' it has a paid level but the free plugin works like a beauty - may sound simplistic but I run dozens of WP sites, have done for years and no hacking not even once with this measure. Just do it.
      I agree. Wordfence is one of the best free plugins for security. I've been using it for a while now and it's amazing how many hackers it thwarts.
  • mrdeflation
    why not use a dedicated wordpress host like wpengine, pagely, etc??
  • brotherZ
    To prevent your Wordpress site or any sites that run a popular script from being hacked, you have to keep up with the security updates. If you are running outdated scripts, you're more likely to be hacked.
    So, it's simple. Make sure your script is always up to date.
  • vishwa
    I am using the "Wordfence" Security plugin for my WordPress plugin. It is one of the best security plugins and provides foolproof security.
  • rotface
    If you have to use Wordpress.

    1. Install security plugin.
    2. Set up cloudflare.
    3. DO NOT USE "admin" as the username.
    4. https://identitysafe.norton.com/password-generator/

    Wordpress is bloated and slow. Only use it if you have to.
  • DJL
    Probably no site can be made 100% secure against hacking.
    Here's what I do:
    1. Use strong user names and passwords.
    2. Define .htaccess rules that permit only my IP address access to the wp-admin folder.
    3. Install Wordfence plugin.
    4. Backup database and files immediately after deployment.
    5. Check every site every day for any needed updates.
    6. Backup after every update.
    7. Store backups offline on secure media.
    None of my sites has ever been hacked, but I feel sure that I could undo the damage in a matter of minutes if it were.
  • usmantech
    Here is a little checklist that is very effective:

    Always keep your wordpress core and plugins updated. Install Wordfence security plugin and Wordpress Firewall 2 plugin. Choose good and reliable hosting. Do not use admin as username and the password should be hard to guess.
  • sukritinfotech
    Backup: this is the first and most important step. If you plan any change, make sure you back up your entire DB.
    Update WordPress version: after backing up your blog, update it to the latest version.
    Change your login/password: the default WordPress login is "admin" and most hackers know that.

    Install WP Security Scan: this plugin is the real deal. It's simple and automates stuff.

  • turborunner
    check out my videos, there's one specifically on how to keep your site safe from hackers
  • jkruger
    Always update everything!

    Install Wordfence.

    Seems simple, but our clients forget....often...
  • kpmedia
    Were these all addon domains? That's always a security risk.

    Although Hostgator is a terrible host, that can happen anywhere. One site gets hacked, they all get hacked. By using "reseller" (multi-account) hosting, where every site has a dedicated cPanel account, you reduce the risk. If one site gets hacked, ONLY that one site gets hacked -- not all of them.

    WordPress plugins often DO NOT help with security. I can put "security" in a name, but it doesn't mean anything. You can't truly secure an ecosystem from within the ecosystem itself. It needs external (not plugin!) methods for security to exist.
  • joshzyerburg
    I'd start by getting my website out of Hostgator. Shared webhosting is terrible; it's enough for a hacker to get his website on the same server to have a chance at doing some terrible things (especially stealing PHP sessions).
  • nuggetsol
    There are several things I have done to keep my site safe and secure.

    1. Change your admin username. People tend to be lazy and keep the admin username as "admin". Instead delete/move this admin account to another admin username account.

    2. Install and activate - Akismet plugin -
    Akismet is quite possibly the best way in the world to protect your blog from comment and trackback spam

    3. Install
    Ban Hammer plugin, Stop Spammer Registrations Plugin - prevents spammers from mail.ru from registering on your blog while allowing your blog to keep registration open.

    4. BulletProof Security Plugin - BulletProof Security protects your website against 100,000's of different hacking attempts/attacks

    5. Vaultpress plugin -
    Protect your content, themes, plugins, and settings with realtime backup and automated security scanning.

    6. Sucuri plugin -
    The Sucuri WordPress Security plugin is a security toolset for security integrity monitoring, malware detection and security hardening.

    7. Make sure your forms have some kind of captcha OR something to prevent automated form submissions.

    8. Lastly, have forms and sensitive info on your site delivered via https.

    The above should help you to get started. Hope this helps.
  • Noel2010
    This is a very serious issue and I appreciate the different view points and suggestions.

    I want to keep using Wordpress.