Advice on how to avoid having Word Press hacked?

40 replies
  • WEB DESIGN
  • |
Hi, I just set up a Word Press blog and understand hacking is a very real threat. Given that I would like advice on two things:

(1) what plugin or other steps I need to reduce the hacking threat?

(2) How to back the site up on a regular basis in case it is hacked?

Thanks for your help.

Ed
#advice #avoid #hacked #press #word
  • Profile picture of the author Istvan Horvath
    First of all: hacking is NOT such a common threat as you may think... unless users make a lot of mistakes.

    Don't have the "admin" username for your admin login; don't have the wp_ table prefix for your DB table (which will happen with any Fantastico install); have strong and not-easy-to-guess passwords; make sure there is no keylogger/malware on your computer.

    Other than that... see the Codex:
    Hardening WordPress « WordPress Codex
    Signature

    {{ DiscussionBoard.errors[5501641].message }}
    • Profile picture of the author tomfinster
      Originally Posted by Istvan Horvath View Post

      make sure there is no keylogger/malware on your computer.
      Hey Istvan, how do I make sure there is no keylogger/malware on my computer.

      In Many Thanks,
      Tom
      Signature

      Some Of The Top Affiliate Courses In The Industry!

      {{ DiscussionBoard.errors[7670641].message }}
      • Profile picture of the author Istvan Horvath
        Originally Posted by tomfinster View Post

        Hey Istvan, how do I make sure there is no keylogger/malware on my computer.

        In Many Thanks,
        Tom
        There are many programs, even free, that will check your computer for malicious scripts. Opinions will vary which one is the best...
        Signature

        {{ DiscussionBoard.errors[7670889].message }}
        • Profile picture of the author KylePeters
          Originally Posted by Istvan Horvath View Post

          There are many programs, even free, that will check your computer for malicious scripts. Opinions will vary which one is the best...
          Which one do you use?
          Signature
          Some cool Graphic web design services and training courses!
          {{ DiscussionBoard.errors[7670990].message }}
  • Profile picture of the author Martin Lee Jr
    A couple of good plugins are:

    Bullet Proof Security - although it has it problems with certain wordpress themes

    Login lockdown is really good, and I have never had a problem with it
    Signature
    How Can I help...
    {{ DiscussionBoard.errors[5501707].message }}
    • Profile picture of the author nelram
      Originally Posted by mlj2577 View Post

      A couple of good plugins are:

      Login lockdown is really good, and I have never had a problem with it
      Ditto on this. Login lockdown is a good one.
      Signature
      Ask me about our business startup special!
      2 - 18x24 full color vehicle magnets
      and
      1000 Full color double sided business cards
      FOR ONLY $125.00
      {{ DiscussionBoard.errors[5503626].message }}
  • Profile picture of the author ldiaz117
    Secure Wordpress plugin and I have used Logon Lockdown too
    {{ DiscussionBoard.errors[5501719].message }}
  • Profile picture of the author jb3715
    I usually use one click install with Hostgator. Is having the wp_ table prefix a big issue if I change all the other things? Like no admin user, strong password and login lockdown?

    One click install is just so easy and now I hate manually installing WP.
    {{ DiscussionBoard.errors[5501921].message }}
  • Profile picture of the author timbarker
    Banned
    WordPress › BulletProof Security « WordPress Plugins works great in protection WP sites. I use this on most of my clients websites and I don't receive any threats.
    {{ DiscussionBoard.errors[5502007].message }}
  • Profile picture of the author aaaa33030
    Well with my wordpress blogs, hacking is not possible unless I allow new users to register

    After I disabled user registration the hacking stopped
    {{ DiscussionBoard.errors[5502208].message }}
  • {{ DiscussionBoard.errors[5502393].message }}
  • Profile picture of the author Kezz
    Security is extremely important as hacking can and does happen quite regularly, and you are more of a target as you become more well know. Even the UFC site just got hacked a couple of days back.

    No matter how low the chances are of being hacked, if you protect yourself you can reduce them a great deal more.

    Especially if you run a site with members, it is your responsibility to protect their information with the strictest security regime you can put together.

    Here's what to do:


    Install manually, not through Fantastico. If you have cPanel it's still very quick and easy.

    WordPress file upload (the quick & easy way):

    1. Upload the WordPress zip to your domain root folder using cPanel's File Manager
    2. Use the extract function to unzip it right there.
    3. Go into the "wordpress" folder it unzips to.
    4. Click the "select all" button.
    5. Click the "move" button.
    6. Deleting /wordpress from the end of the address in the "move" dialog
    7. Click "Move File(s)" to move all the WordPress files into your main domain folder.


    Database setup (the quick & easy way):

    1. Now setup your database using the MySQL Database Wizard in cPanel. Follow the prompts and it does everything for you.
    2. Create a database name that's quite random.
    3. Create a user name that's also quite random
    4. Use the password generator to create a strong password. Copy and paste it into a notepad doc
    5. At the "Add user to the database" step it will display both database name and user name. Copy and paste those into the notepad doc too.
    6. Click "All privileges" to give your user full access to the database you created.
    7. Click "Next Step".


    Actual WordPress install (also the quick & easy way):

    1. Now go to www.yourdomain.com/wp-admin in your browser.
    2. This will trigger the installation process - you will see a screen telling you there's no config file. Click the button to create a new one.
    3. You'll now see the first installation screen. Copy & paste the database name, database user name and password you have in your notepad doc from before.
    4. Change the default wp_ prefix to some other random thing like: koe_
    5. Proceed to the site info setup page and fill in all the fields. Use some WordPress username other than admin, and other than just your name - make it difficult to guess. Also use a strong password that's difficult to guess.
    6. Proceed and WordPress will now automatically complete the installation.

    ***All up the above is a very secure foundation and will take you about 10 minutes or less to complete.***


    Security plugins

    Install the following plugins and follow the configuration guides for each one:

    Secure WordPress
    WordPress › Secure WordPress « WordPress Plugins
    Secure WordPress beefs up the security of your WordPress installation by removing error information on login pages, adds index.html to plugin directories, hides the WordPress version and much more.
    BulletProof Security
    WordPress › BulletProof Security « WordPress Plugins
    WordPress Website Security Protection: BulletProof Security protects your WordPress website against XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection hacking attempts. One-click .htaccess WordPress security protection. Protects wp-config.php, bb-config.php, php.ini, php5.ini, install.php and readme.html with .htaccess security protection...
    Semisecure Login Reimagined
    WordPress › Semisecure Login Reimagined « WordPress Plugins
    Semisecure Login Reimagined increases the security of the login process by using a combination of public and secret-key encryption to encrypt the password on the client-side when a user logs in.
    Bad Behaviour
    WordPress › Bad Behavior « WordPress Plugins
    Welcome to a whole new way of keeping your blog, forum, guestbook, wiki or content management system free of link spam. Bad Behavior is a PHP-based solution for blocking link spam and the robots which deliver it.
    Thousands of sites large and small, like SourceForge, GNOME, the U.S. Department of Education, and many more, trust Bad Behavior to help reduce incoming link spam and malicious activity.
    Regular Backups

    And beyond all the above, make regular backups so that in case something does happen you can roll back.

    Your host will most likely make their own backups that you can get them to roll back to for you, but you should also make your own.

    There are automated ways to do this but I'm yet to find a method that beats just going through cPanel.

    1. Go to your cPanel File Manager and into the root folder of your site. Click "Select all" then click "Compress" to zip up all the files. Download the zip.

    2. Go to phpMyAdmin through cPanel and click your database name in the list on the left. Click the "Export" tab. Click "Go" and save the database backup file.


    Not quite sure what compelled me to write up the whole process, but I hope it helps some folks out.
    {{ DiscussionBoard.errors[5503329].message }}
    • Profile picture of the author edd666666
      Wow Keez, that was really a lot of work there, and it was great, thanks, Ed
      Signature
      “Over 1,000 People Have Used My Unique Pitch System To Achieve Their Publicity Goals... And I’ll Work Personally With You Too, One-On-One To Help You Get On TV!” CLICK HERE
      {{ DiscussionBoard.errors[5503565].message }}
    • Profile picture of the author Balvanedaj
      Hi Kezz, - I'm new to Wordpress and I'm looking to transfer my .com blog to .org on GatorHost. Your post seems to be quite insightful, but I'm wondering if there is a beginning to end instructions you can point me to (from downloading WP3.3.1 to launching your site).

      Also, is your blog on WP Plugins current or are there any other plugins you would remove or add to your list.

      Thanks.
      {{ DiscussionBoard.errors[5507664].message }}
  • Profile picture of the author sf_Imtiaz
    It's good to have complicated password to avoid brute force attacks but even the most difficult passwords can be sniffed out if they are not encrypted, especially if you use public wifi often.

    There are some plugins that allow you to encrypt the password, I use WordPress › Chap Secure Login « WordPress Plugins on couple of blogs.

    It's important to note that the first time you login after installing this plugin, you'll need to copy and paste you password, you can't login by typing it in because wordpress won't accept encrypted password at first attempt, that's only for the first time you login after installing the plugin, later you can type your password as usual.
    {{ DiscussionBoard.errors[5503451].message }}
  • Profile picture of the author lint631
    @ Keez thanks for the tips! The problem is I already installed my WP site from CPanel.
    {{ DiscussionBoard.errors[5503638].message }}
    • Profile picture of the author Kezz
      Originally Posted by lint631 View Post

      @ Keez thanks for the tips! The problem is I already installed my WP site from CPanel.
      Even though you can't easily go back and change the database details and so on, you can still do the other steps.

      You can still create a new user account with a difficult to guess username and strong password, set it to Administrator, log in under the new account then delete the old one.

      And you can still install all the plugins I listed and get them configured.

      Those two things will still go a long way toward making your site more secure.
      {{ DiscussionBoard.errors[5503713].message }}
      • Profile picture of the author lint631
        Originally Posted by Kezz View Post

        Even though you can't easily go back and change the database details and so on, you can still do the other steps.

        You can still create a new user account with a difficult to guess username and strong password, set it to Administrator, log in under the new account then delete the old one.

        And you can still install all the plugins I listed and get them configured.

        Those two things will still go a long way toward making your site more secure.
        Cool will do those steps. It's funny, I never even thought to not use the CP installation of WP.
        {{ DiscussionBoard.errors[5507126].message }}
  • Profile picture of the author iqbal
    first advice is do not use any plugin
    2nd is use stonger admin user name and password.
    {{ DiscussionBoard.errors[5503690].message }}
  • Profile picture of the author kret0s
    Can users with the "Subscriber" role "hack" your WP site ?

    I'd assume its possible since they have access to a limited Dashboard.



    However, I removed the dashboard completely for Subscriber users..

    Hope I'm safe
    Signature
    The Green Magazine Blog Community
    An Eco Friendly Blog by KnowYourEarth
    Spreading Global Green Awareness & Education
    {{ DiscussionBoard.errors[5503701].message }}
  • Profile picture of the author sodevious
    Make sure to keep your WP installation and all plugins updated! My host offers daily backups though, that helps too!
    {{ DiscussionBoard.errors[5503739].message }}
  • Profile picture of the author NicheSavvy
    Wow!

    Ya'll have given excellent information about securing WP!

    Thanks to everyone for sharing!

    I purchased WP super sweep, did all it said (as best as I could) and killed the installation!

    Thankfully, I had a clone and easily replaced it. I didn't feel like trying it again, but I didn't know what else to do.

    Now I'll follow these steps.

    Appreciate your expertise!

    Karen
    Signature

    Huzzah!
    Karen

    Get Tips & Cool Tools for your IM Business success @ www.eBizHelp.info

    {{ DiscussionBoard.errors[5506859].message }}
  • Profile picture of the author Kezz
    Hey Balvanedaj,

    I don't know if any start to finish site launch instructions off the top of my head, but the installation process I outlined above should at least get you started.

    Yes, there are a few other steps I take and plugins I install with each site.

    After installation there are some default WP settings I change:

    • Settings > General: Insert a tagline
    • Settings > Writing: Change size of post box to 30 lines (I find the default too cramped)
    • Settings > Reading: Set the number of posts per page (I find 10 too much so I usually drop it.)
    • Settings > Discussion: Set whether or not you'll allow comments and what the requirements for approval are
    • Settings > Media: Update the thumbnail size if one is going to be automatically used in your theme of choice
    • Settings > Privacy: Double check to ensure your site is open to search engine crawlers
    • Settings > Permalinks: Change to custom structure /%category%/%postname%/

    After these changes are made I install whichever theme I plan on using.

    Then I come to plugin installation. I have a standard list I install every time, and to speed things up I install via Plugin Central.

    So I go to the plugins admin page and search the repository for "Plugin Central" and install & activate it.

    I then go to Plugins > Plugin Central and paste in the following list of plugin file URLs to install:

    Code:
    http://downloads.wordpress.org/plugin/secure-wordpress.zip
    http://downloads.wordpress.org/plugin/bulletproof-security.0.46.8.zip
    http://downloads.wordpress.org/plugin/semisecure-login-reimagined.zip
    http://downloads.wordpress.org/plugin/bad-behavior.2.1.16.zip
    http://downloads.wordpress.org/plugin/vipers-video-quicktags.zip
    http://downloads.wordpress.org/plugin/tinymce-advanced.3.4.5.zip
    http://downloads.wordpress.org/plugin/google-sitemap-generator.3.2.6.zip
    http://downloads.wordpress.org/plugin/all-in-one-seo-pack.zip
    http://downloads.wordpress.org/plugin/si-contact-form.zip
    http://downloads.wordpress.org/plugin/robots-meta.3.3.1.zip
    http://downloads.wordpress.org/plugin/pc-robotstxt.zip
    http://downloads.wordpress.org/plugin/quick-cache.111203.zip
    Plugin Central will automatically download and install each one.

    I then also manually install UP Smart Update Pinger as it is not a repository plugin. That can be found here: Ultimate Plugins Smart Update Pinger [Ultimate Plugins]

    So in that list I have the security plugins I already mentioned above. I also have:
    • Vipers Video Quicktags - easy video posting
    • TinyMCE Advanced - more powerful post editing
    • Google Sitemap Generator - automatic Google friendly XML sitemap generation
    • All In One SEO - my favorite SEO plugin
    • Fast Secure Contact Form - quickest easiest way to post a contact form with spam blocking
    • Robots Meta - for easy robots meta tag control
    • PC Robots - automatic management of robots.txt file, including blocking a legion of known spambots
    • Quick Cache - my preferred caching plugin due to very easy setup, easy access "clear cache" button, multi site compatibility and s2Member compatibility

    Once all the plugins are installed I then process any updates that are available on any of them. I then bulk activate all the plugins at once.

    Then there is some config to go through for a few of the plugins.

    Akismet
    Enter your WordPress API Key, gotten from API Keys — WordPress.com

    All In One SEO
    Set to "enable" and fill in Home Title, Home Description and Home Keywords.

    Bad Behavior
    Uncheck "display statistics in blog footer". Get an "http:BL Access Key" from the site they refer you to and add it to your settings.

    Robots Meta
    Check whichever boxes suit your site. If in doubt, check everything.

    Tiny MCE Advanced
    Check "Stop removing the <p> and <br /> tags", and I also like to add the blockquote (") button to the toolbar.

    UP Smart Update Pinger
    Copy & paste this list of ping sites
    http://rpc.pingomatic.com
    http://www.blogpeople.net/servlet/weblogUpdates
    http://ping.myblog.jp
    http://ping.bloggers.jp/rpc/

    Secure WordPress
    Check the extra boxes that are available to tick if so desired. I always do.

    BPS Security
    There's a few steps to configuring this so you'll have to look very closely at the instructions provided. But in a nutshell:
    1. Backup your .htaccess file
    2. Create the two new ones it makes for you
    3. Activate the four "Bulletproof Security Mode" options they make available
    4. Do another backup of all the new .htaccess files
    Quick Cache
    Set caching to "On". Remember that with caching on some changes you make to your site won't appear right away. If it ever seems like something you're trying to change isn't working, clear the cache.

    This is the process I've refined down to as a result of a number of years researching and trialing best practices. My sites always rank well and run very smoothly.

    Cheers,

    - Kezz
    {{ DiscussionBoard.errors[5508788].message }}
    • Profile picture of the author edd666666
      Semisecure Login Reimagined is triggering a fatal shutdown, anyone else having this issue? Thanks, Ed
      Signature
      “Over 1,000 People Have Used My Unique Pitch System To Achieve Their Publicity Goals... And I’ll Work Personally With You Too, One-On-One To Help You Get On TV!” CLICK HERE
      {{ DiscussionBoard.errors[5508886].message }}
  • Profile picture of the author Kezz
    Not me, I'm using it on all my sites at present and its working beautifully.

    I'd suggest checking to ensure you meet the requirements to run it, i.e. "This plugin requires PHP to be compiled with openssl support, which is a pretty standard option for most hosts."

    And also double check it is installed correctly.
    {{ DiscussionBoard.errors[5508932].message }}
    • Profile picture of the author edd666666
      Keez thanks for all this. What do you think about requiring visitors to register and log in before commenting? Thanks, Ed
      Signature
      “Over 1,000 People Have Used My Unique Pitch System To Achieve Their Publicity Goals... And I’ll Work Personally With You Too, One-On-One To Help You Get On TV!” CLICK HERE
      {{ DiscussionBoard.errors[5513435].message }}
      • Profile picture of the author Istvan Horvath
        Originally Posted by edd666666 View Post

        Keez thanks for all this. What do you think about requiring visitors to register and log in before commenting? Thanks, Ed
        That's a PITA. Don't do it... people don't tolerate it well.
        Signature

        {{ DiscussionBoard.errors[5514057].message }}
  • Profile picture of the author Leopard
    Hi KEZZ Excuse me for my ignorance, where do I find the "Plugin Central"??

    Thanks in advance
    {{ DiscussionBoard.errors[5664902].message }}
  • {{ DiscussionBoard.errors[5664995].message }}
  • Profile picture of the author kl2000
    I just read an article on this. One step you can take is to not use "Admin" as your username. Also make sure to use a strong password.
    {{ DiscussionBoard.errors[5672657].message }}
  • Profile picture of the author Leopard
    THANK YOU Istvan, I much appreciate your answer

    BTW do you have any idea if is there a king of a Wordpress security checklist? c

    THANKS in advance!!
    {{ DiscussionBoard.errors[5795592].message }}
  • Profile picture of the author how2no
    Kezz ... Thanx!

    You succinctly explained a process I've been trying to understand.

    Excellent step-by-step instructions.

    Thank you! Thank you! Thank you!
    Signature
    Visit ... The Insider's Circle
    34 Free Reports. Tons of Downloads.
    {{ DiscussionBoard.errors[5849521].message }}
    • Profile picture of the author coachkat
      3 main security plugins, nothing complicated and 2 of these are mentioned all ready:

      1. Bulletproof Security (must access settings to activate)
      2. Login Lockdown
      3. WordPress Firewall 2

      I have had my wordpress hacked twice about 3 years ago even with complicated usernames and passwords, then I got these and no problems ever since!
      Signature
      Katheryn L. Olsen aka "Coach Kat"
      Self-Mastery Coach For Entrepreneurs
      Transformational Public Speaker
      http://www.SuccessOrSabotage.com
      {{ DiscussionBoard.errors[5853379].message }}
  • Profile picture of the author pauljohnny
    One advice I can give is to NEVER use nulled plugin, theme or any other script in your site. If you do, you're opening doors to criminal minds...
    {{ DiscussionBoard.errors[5855500].message }}
  • Profile picture of the author hellow0rld
    Honestly the main thing you need to do is keep the version up to date. You should also never use a generic password. I've had wp hacked on a couple f occasions for different sites. 1 bot/hack created a user account which was able to create an admin account. It then hid itself as a user inside wp. I had to delete it from phpmyadmin. 2. I didn't keep the version up to date, script injection created a folder on server with redirects. I just deleted the folder and updated, was fine since then, although worrying at the time. thankfully was off peak.
    {{ DiscussionBoard.errors[5856303].message }}
  • Profile picture of the author Farish
    Do not use pirated plugins, period. If you are not a programmer, there is no way of you knowing what the hell they did to it. It is as easy for them to clean out activations etc as it is for them to put in their own backdoors.
    {{ DiscussionBoard.errors[5858196].message }}
  • Profile picture of the author CMSBunny
    I wrote an article on Wordpress hacking. This may be of some help; cmshelplive.com/blog/item/97-wordpress-website-hacked.
    {{ DiscussionBoard.errors[5866860].message }}
  • Profile picture of the author omurphy22
    The best place to go is to check the wordpress codex on hardening wordpress.

    As for plugins, I would recommend the WordPress › WP Security Scan « WordPress Plugins.

    Most webhosts (like HostGator, Bluehost etc.) back up your site at least daily, so you don't have to worry about that too much for a small site anyway.

    My biggest piece of advice would be to remove any identifying 'powered by wordpress' text and to be very careful about what plugins you install. Plugins can make your site vulnerable to hacks, so only install those which are absolutely necessary and are well maintained.
    Signature

    Long time internet addict, relatively recent SEO and internet marketer working on a variety personal projects, like my best seiko watches website, as well as jobs with clients. I'm always looking to expand my knowledge.

    {{ DiscussionBoard.errors[5869452].message }}
  • Profile picture of the author Michael71
    I prefer the Wordfence plugin some nice .htaccess code I am always adding myself.
    Signature

    HTML/CSS/jQuery/ZURB Foundation/Twitter Bootstrap/Wordpress/Frontend Performance Optimizing
    ---
    Need HTML/CSS help? Skype: microcosmic - Test Your Responsive Design - InternetCookies.eu

    {{ DiscussionBoard.errors[7671006].message }}

Trending Topics