We fix and protect many WordPress websites each day, and our clients often ask how they can prevent their WordPress website from being hacked again. This is why we provide our Fix and Protect package: as well as fixing your site, we stop it from ever being hacked again. To help the clients who would rather secure their WordPress themselves, we asked our security experts to compile this ‘10 ways to prevent your WordPress website from being hacked’ post. Okay, we could list about 100 tips, but let’s make a start with a good 10 tips from our malware removal experts…

01

UPDATE YOUR WORDPRESS VERSION

Doing this will not stop you being hacked or fix your site if it is already hacked, but it is still essential! You should always ensure your WordPress is at the latest and greatest version. The WordPress team works hard to create patches that fix security holes, so benefit from their hard work. Check the official WordPress site for the latest version here. The easiest way to check if you are using the latest version is to log in to your WordPress admin account and go to the updates panel. As mentioned, even if you are updated your site can still be vulnerable to a hacker, but this still helps a LOT, so why not make it harder for the hackers and keep fully updated.

02

CHECK IF YOUR WORDPRESS IS ALREADY HACKED

When fixing websites we often find files that hackers placed on them over the last few years without the site owner ever knowing they were hacked. It depends on the type of hack, but hackers often go to great lengths to ensure the website owner does not know the site is hacked. This means the hacker keeps control of the site (for his/her malicious purposes) for longer. So contact us and get us to check whether your site is hacked. If you don’t remove ALL the hacks already on your site, any future security is pretty much worthless.

03

CHANGE THE ADMIN USER LOGIN NAME

The default WordPress login is ‘admin’, so hackers focus on that username when attempting to guess your password. The best thing to do is delete the default admin account and create a new custom login. Also, many owners create an admin account that is based on their domain name. Don’t do this, as it is too easy to guess. A standard hack attempt is to use tools to brute force (dictionary-based attacks) the password on your site, so make your admin login name a really tough one to guess. For creating a hard-to-guess password, use tools such as the Norton password generator.

04

CONSTANTLY UPDATE ALL YOUR WORDPRESS THEMES AND PLUGINS

Yes, update! We cannot stress it enough. To prevent your WordPress website from being hacked – update, update, update! Update all your WordPress plugins and themes continually. Thousands of websites are hacked daily because they have outdated plugins and themes installed. It is incredibly important to update your site as soon as a new version of a plugin or theme becomes available. Most hacking these days is performed as an entirely automated process, with bots searching Google using ‘Google Dorks’, finding vulnerable sites and probing them for exploitation opportunities. It is not good enough to update once a month or even once a week, because bots are very likely to find a vulnerability before you patch it. Unless you are running a website firewall like our SharkGate – WordPress protection from hackers (which protects your site 24/7 while our team keeps you safe), you need to update as soon as updates are released. The moment new vulnerabilities are found, hacker bots are already searching for websites with them. This is why you will see security bloggers mentioning that if you have not updated a certain plugin (Revolution Slider, Gravity Forms, etc.) within hours of a vulnerability’s release date, your site has a good chance of being hacked. If you follow @OneHourSiteFix on Twitter we will help keep you notified about important updates and security warnings.

05

CHANGE FROM THE DEFAULT DATABASE TABLES PREFIX

The default table prefix for WordPress is wp_ and of course the hackers know that. With this knowledge the hackers know the names of all the most important tables in your WordPress installation. This makes SQL injection attacks so much easier. So change wp_ to something else of your own choosing (not your domain name!). See this link for some good instructions on how to make this change.

06

SECURING YOUR WORDPRESS FILE PERMISSIONS

“So why is this important?” clients ask. Well, say for example you set the index.php file on your site with permissions that let anyone in the world update it. A hacker could then update this file and redirect every visitor that comes to your site to their own malicious site. Okay, we could do a full post just on this topic (we will make sure we do soon), and it is a key one in how to ‘prevent your WordPress website from being hacked’, so here are some quick notes and guidance on locking down access to the files and directories of your WordPress installation.

A good rule of thumb is: all files should be 664. All folders should be 775. wp-config.php should be 660, or even better, move it out of your WordPress public_html directory. Okay, that is just the real basics, and we would recommend you fully read up here before adjusting your file permissions, because if you don’t do it correctly you could take your whole site offline for visitors.
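
One way to check a site against this rule of thumb, as an added example that is not part of the original post: the script reports anything looser than 664/775/660 and can reset a tree to those modes. The function names and the demo tree are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: report paths looser than the rule of thumb above
# (files 664, folders 775, wp-config.php 660). Function names are illustrative.

# Print one "KIND path" line per finding; print nothing when the tree is clean.
audit_wp_perms() {
    root="$1"
    # Files other than wp-config.php: 664 has no execute bit and no world write.
    find "$root" -type f ! -name wp-config.php \
        \( -perm -100 -o -perm -010 -o -perm -001 -o -perm -002 \) -print |
        sed 's/^/FILE-TOO-OPEN /'
    # Folders: 775 grants everything except world write.
    find "$root" -type d -perm -002 -print | sed 's/^/DIR-WORLD-WRITABLE /'
    # wp-config.php: 660 has no execute bit and nothing at all for "other".
    find "$root" -type f -name wp-config.php \
        \( -perm -100 -o -perm -010 -o -perm -004 -o -perm -002 -o -perm -001 \) \
        -print | sed 's/^/CONFIG-TOO-OPEN /'
}

# Set the rule-of-thumb modes on the whole tree (run as the owner of the files).
apply_wp_perms() {
    root="$1"
    find "$root" -type d -exec chmod 775 {} +
    find "$root" -type f -exec chmod 664 {} +
    find "$root" -type f -name wp-config.php -exec chmod 660 {} +
}

# Constructed demo tree so the example runs offline.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    : > "$d/index.php"; : > "$d/wp-config.php"; : > "$d/wp-content/uploads/a.jpg"
    chmod 664 "$d/wp-content/uploads/a.jpg"; chmod 775 "$d/wp-content"
    chmod 666 "$d/index.php"            # world-writable, the index.php case above
    chmod 644 "$d/wp-config.php"        # readable by every account on the server
    chmod 777 "$d/wp-content/uploads"   # world-writable folder
    echo "$d"
}
```

Run `audit_wp_perms` on a copy or staging site first, and review its output before running `apply_wp_perms` on a live tree.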

07

SECURING YOUR WEB SERVER CONFIGURATION

“Doesn’t my hosting company handle this?” clients ask. No! They want to make it as easy as possible for you to build your website and want as few support tickets as possible. Unfortunately this mix means they also leave your site’s server configuration in an open state that hackers love. You need to take responsibility and make a few changes to close these vulnerabilities. Here are a few rules we recommend you look into and add for your particular web server:

Find out what web server you are using and learn about your web server’s configuration files. Apache web servers use the .htaccess file, Nginx servers use nginx.conf, and Microsoft IIS servers use web.config. Most often found in the root web directory that you have access to (and the hackers do too if the files are not secured), these files are very powerful. They allow you to apply server rules, including directives that improve your website security.
Prevent directory browsing: This prevents malicious users from viewing the contents of every directory on the website. Limiting the information available to attackers is always a useful security precaution. When cleaning sites we often see in the logs that hackers have been freely checking the website’s wp-content/uploads directories, trawling for all sorts of files that the owners would not want them to have.
Restrict PHP execution in directories that hold images or allow uploads.
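
For Apache, the last two rules can be written as a short .htaccess in the uploads directory. This added example (not from the original post) appends those rules once and lists script files already sitting in the directory for review. It assumes Apache 2.4 with AllowOverride permitting Options and access rules; the marker comment, function names and demo files are constructed.

```shell
#!/usr/bin/env bash
# Added example: Apache 2.4 rules for an uploads directory. Assumes the host
# lets .htaccess set Options and access rules; names below are illustrative.

MARKER='# BEGIN uploads-hardening (added example)'

# Append the rules to DIR/.htaccess once; rules already in the file are kept.
harden_uploads() {
    dir="$1"
    htaccess="$dir/.htaccess"
    if [ -f "$htaccess" ] && grep -qF "$MARKER" "$htaccess"; then
        return 0                      # already applied, do nothing
    fi
    cat >> "$htaccess" <<'EOF'
# BEGIN uploads-hardening (added example)
# Prevent directory browsing: no auto-generated file listings.
Options -Indexes
# Restrict PHP execution: refuse requests for script files in this tree.
<FilesMatch "(?i)\.(php[0-9]?|phtml|phar)$">
    Require all denied
</FilesMatch>
# END uploads-hardening
EOF
}

# List script files already in DIR so the owner can review them;
# an uploads directory is expected to hold media, not PHP.
list_scripts_in_uploads() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' -o -iname '*.phar' \) -print | sort
}

# Constructed demo directory so the example runs offline.
demo_uploads() {
    d=$(mktemp -d)
    mkdir -p "$d/2024/01"
    : > "$d/2024/01/photo.jpg"
    : > "$d/2024/01/thumb.PHP"       # constructed stand-in for an unexpected script
    echo "$d"
}
```

Nginx and IIS need the equivalent rules in nginx.conf or web.config; the .htaccess syntax shown here applies to Apache only.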

If you place your site behind our SharkGate – WordPress Protection, the hackers then have to get through our ‘Hacker proof gateways’ to reach your site, so this part of ‘prevent your WordPress website from being hacked’ is automatically handled for you by us. Nice hey!

08

DON’T FALL FOR THAT UNLIMITED HOSTING

Yes, we understand the temptation: it is cheaper to choose one of your hosting company’s ‘unlimited’ hosting plans and put all your websites on a single server. Unfortunately this is like a candy store for the hackers. In terms of security it is a way to make your life a nightmare. As security experts would say, it ‘creates a very large attack surface’. This basically means it offers hackers many more ways to break into your sites. If the hacker can get into one of the sites, he can take over all of your sites on that same server.

For example, on an unlimited package server you might have placed 10 of your websites. Say there is one of those sites that you don’t really ever check or keep updated. The hacker can use this weakest link to break into that one site and gain full and complete access to take over your other 9 websites. With their tools they usually have a lot more access than you have with your WordPress admin console.

When we protect a site with our SharkGate WordPress Protection, we will recommend applying the same protection to all the sites you have on your server. This stops the hacker using any of your sites to infect the others.

09

THINKING YOU ARE PROTECTED BY DAILY WEBSITE SCANS

So many of the hacked sites that come to us have previously purchased a ‘daily website scan service’ from another company. The companies that sell these services are naughty in that they use a lot of marketing terms like “website security”, “prevent your WordPress website from being hacked” and “secure your site”, when actually these scanning services offer your site no protection from hackers. They just let you know if you have been hacked, and actually they often fail at doing that. We’re sure you will agree it’s much better to stop hackers in the first place with SharkGate™, rather than just being promised a notification when you have been the victim of another hack and then going through all the hassle of getting it fixed again. We believe in doing the right thing for our customers.

10

BACKUP YOUR WEBSITE

Okay, this tip is not really a security one and maybe we should not add it to our ‘10 ways to prevent your WordPress website from being hacked’ list, but we felt we had to, as if you don’t use our services to prevent your WordPress website from being hacked then this is essential! Unless you are an up-and-coming security expert and can spare the time each day to keep your site fully watched, back up your site. This is even more important if you try to fix your website yourself after it is hacked. That could be your first time cleaning a website, which means a good chance of breaking it. Back up all the files of your website and do a full database backup. Store these files on a different server from your current website.

The best way to prevent your WordPress website from being hacked

01

LET US DO IT

The easiest and fastest way to answer the question ‘how do I prevent my WordPress website from being hacked?’ is to use our SharkGate – WordPress Protection. After that, sit back and relax whilst we do the hard work to prevent your WordPress website from being hacked. We automatically stop hackers from attacking your website. Imagine if your website was a nightclub; then SharkGate™ would be your friendly but firm doorman. He would welcome all those clubbers you want to let in and politely turn away those intent on causing mayhem – the sharks, as we call them. You do not need to install any software or change your hosting company, and our friendly engineers can activate it for your site in less than 5 minutes, and they promise not to talk techie, unless you want them to!

We Can Help Save Your Business

94%

SITE FIXED IN LESS THAN 1 HOUR

WordPress website defaced? If we don’t fix a defaced website in less than 1 hour then we do it for FREE! Luckily for us we are very good at fixing sites fast!
