Some websites get broken into. Perfect security is impossible. But it’s also not necessary, any more than it’s necessary to make it absolutely impossible for someone to break into your house. The goal is to make it hard enough that the hackers go after easier targets.
Because generally it’s not personal. You’re not a bank or a government; hackers aren’t trying to steal your data. They just want to use your server to send spam email and deliver malware to visitors’ computers.
Which is still a problem for you if it happens, because it’ll get your server blacklisted, which prevents sending your email and warns off potential customers. You’ll have to spend time and money restoring your site, making sure the malware is gone, and getting off the blacklists.
Hackers use bot programs to hit websites at random and try to pry their way in using various known security errors. If everything is bolted down, they move on. This is not a ninja assassin coming after you. It’s a thief wandering along the street testing who forgot to lock their car door.
Your web hosting company will do some things to protect you. It’s their server, after all, and they’re also inconvenienced by being blacklisted. But there are also measures you can take.
How Do They Get In?
Security consultants WP White Security did an audit of hacked WordPress sites and found:
- 41 percent were hacked because of security problems on their web server
- 29 percent because of a security issue in their WordPress theme
- 22 percent because of a security issue in their plugins
- 8 percent by password guessing
That first item means it’s important to choose a hosting company who pays attention to security. There’s nothing else you can do about that.
For the rest, you’ll need to choose a high-quality theme and plugins, and add a plugin or two to protect your site by tightening down the hatches and alerting you to potential problems.
And the password… about that…
Selecting Password and Username
Hackers keep lists of popular passwords and IDs and try them all to see whether one might get them into a site.
There are two things you can do. One is to choose a password that’s not on the list of most popular passwords. A while back there were news reports about a Chinese social media site — their government’s version of Facebook, only without the freedom — that was hacked, the whole thing, millions of users, because their administrative password for the whole site was… Can you guess?
Yes, that’s correct. It was “password.”
Don’t do that.
In fact, don’t use any common word or name as a password. Don’t use a date. Don’t use a word with some letters changed to numbers or punctuation inserted. Those aren’t secure.
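As an added illustration of the three rules above (not code from the original post), here is a Python screen that rejects a password on exactly those grounds: a common word or name, a date, or a common word dressed up with digits or punctuation. The word list is a tiny constructed stand-in for a real most-common-passwords list.

```python
import re

# Constructed stand-in for the "most popular passwords" and common-name lists the
# post refers to; a real screen would load a full published list instead.
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "letmein", "qwerty",
                "football", "iloveyou", "sunshine", "jennifer", "michael"}

# Substitutions that guessing tools undo, so "p@55w0rd" is tested as "password".
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "5": "s", "$": "s", "7": "t", "+": "t"})

DATE_PATTERNS = [
    re.compile(r"^(19|20)\d{2}[-/.]?\d{1,2}[-/.]?\d{1,2}$"),   # 2024-06-01, 20240601
    re.compile(r"^\d{1,2}[-/.]?\d{1,2}[-/.]?(19|20)?\d{2}$"),  # 06/01/2024, 060124
    re.compile(r"^(19|20)\d{2}$"),                             # a bare year
]

def core_word(password: str) -> str:
    """Strip digits/punctuation from both ends, then undo leetspeak, so
    'Dragon123' and 'dr4g0n!' both reduce to 'dragon'."""
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return stripped.translate(LEET_MAP)

def password_problems(password: str) -> list:
    """Return the post's reasons a password is weak; an empty list means it passed."""
    problems = []
    lowered = password.lower()
    if lowered in COMMON_WORDS:
        problems.append("a common word or name")
    core = core_word(password)
    if core != lowered and core in COMMON_WORDS:
        problems.append("a common word dressed up with digits or punctuation")
    if any(p.match(password) for p in DATE_PATTERNS):
        problems.append("a date")
    return problems
```

A password manager's generated value passes all three checks; the point of the screen is to catch the human shortcuts the post warns against.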
If you think you need a simple password because it’s easier to type or remember, please stop what you’re doing right now, install a password manager program, and change every password you have to a unique, hard-to-guess value. I use Bitwarden, which plays well with various browsers and can synchronize with multiple devices, including phones.
Earlier, when you were installing WordPress, I recommended you choose an identifying name that’s not “admin” and not the same as your own name. To guess your password, the prying bots also have to guess your username, so let’s not give it away for free.
Another way to make passwords difficult to guess is to limit the number of attempts you’ll allow from any given source. We’ll discuss that, too.
If the above made you want to change your password on your website, that function is on your Profile screen (get there with the “Howdy” link at the right end of the dark toolbar). WordPress can automatically generate a secure password for you if you let it.
Changing the administrator username is more complex, and I wouldn’t bother.
Request an SSL/TLS Certificate
SSL, sometimes called TLS, is a security protocol that lets browsers and your server encrypt their communications to prevent digital eavesdropping. It also gives visitors a way to verify they’re on the authentic website of an organization or person.
To test whether SSL is already enabled for your site, enter your URL as “https://yourdomain.com”. If that works, SSL is already enabled, but still read on.
This is not a crucial capability for your website, since you’re not exchanging private information with your visitors. However, it helps you in two ways.
First, if you log in to your website without encryption on a public network (coffeeshop Wi-Fi, for instance), eavesdroppers might capture your username and password.
Second, search engines boost the scores of secured websites, so this is an easy way to improve your ranking.
Most hosting providers (and all my recommended ones) offer SSL encryption at no additional cost. Some install it automatically, by default, when you get a domain and hosting from them. However, if you got your domain elsewhere you probably will have to explicitly request it.
In your Site Tools screen, look for “Let’s Encrypt!”, SSL, TLS, or Security. On SiteGround it’s under Security > SSL Manager.
Reminder: This is not the Dashboard of your WordPress website, though it looks similar and even says Dashboard on it. This screen is on the SiteGround website (other hosting services have similar screens).
This should take you to a screen showing whether SSL is already “active” for your domain. Typically, you just have to click a button to request it.
“Let’s Encrypt” is a popular system for assigning free SSL certificates, but any free option is fine. Unless you’re a bank, paying for a premium certificate isn’t necessary.
A “wildcard” certificate applies to your domain and also to its subdomains. This selection will work, but it’s less secure and there’s no benefit unless you use subdomains.
Note: Your attempt to activate SSL may fail if you recently changed the “name server” in your DNS settings. In that case, try again in a couple hours.
Look for extra HTTPS settings, and an option to “Enforce HTTPS” for your site. Also opt to “rewrite external links” if that option is available. Installing a certificate makes SSL possible. I recommend you make it mandatory. Once the certificate is installed, it shows up on a list (a short list containing just the one certificate). There’ll be an extra menu or other control to “manage” or “enforce” the certificate. Examples from SiteGround:
Find and enable the option to “enforce SSL/TLS” or “enforce HTTPS”.
To test, open a browser window, enter the URL of your site as “http://yoursite.com”, and press Enter. If you’re set up correctly, the URL will change to “https:” and display a lock icon beside the URL (different browsers display this differently).
There’s one final step to make your site work correctly and efficiently when SSL is enforced. In your site’s dashboard, visit the Settings > General screen and change “http:” to “https:” in the two URLs there (WordPress Address and Site Address – they should always be the same for your site). Save changes.
Apply Updates Promptly (Automatically!)
Few sites with up-to-date software are hacked. The most vulnerable sites are the ones that haven’t applied updates recently. Their security flaws are known, so the hacker bots know how to break in.
WordPress can apply updates to plugins and themes automatically. Your hosting provider will probably update the base WordPress software for you (whether you like it or not), but you have to allow the other automatic updates. Do this by visiting Plugins in the dashboard, and click Enable auto-updates for each of them (or select them all at once and use the “Bulk actions” dropdown to do them all at once).
Note: Some plugins may prevent you from enabling the WordPress built-in auto-update because they have their own auto-update. Please complain to them and ask them to change it. (UpdraftPlus no longer does this bad thing — this is an old screenshot).
Similarly, visit Appearance > Themes in the dashboard and enable automatic updates for each theme.
This will work for themes, and for plugins you get from the WordPress.org catalog. If you get things from elsewhere, you may need to apply updates manually.
If there are certain plugins or themes you don’t want updated automatically (perhaps because you’ve had them customized), you can exempt them.
Occasionally the new version of a theme or plugin is incompatible with other components, and may cause part of the site to fail. That’s rare, but still, it’s not a bad idea to monitor whether your site is functioning – plus, it can fail for other reasons, like your server being down. There are free website monitors online where you can arrange to get notified if there’s a problem. See Monitoring for Site Out of Service.
Use a Security Plugin
If there were no security holes in your web software, you’d have no worries. But security is hard to do well, and any software of significant size is bound to have some issues.
The purpose of security plugins is, first, to find whatever holes you can; second, to make it harder for outsiders to exploit any you’ve missed; and third, to scan for signs the site has been compromised.
The setup program installed the plugin iThemes Security by iThemes. If it’s not active, go to the Plugins screen in your dashboard and activate it. This is an active protection measure. It has a lot of options, some of which you should always enable, and some you should enable unless they cause problems for you.
Once you’ve activated this plugin, go to Security > Settings in the dashboard. The first time you do this, a Security Check screen will suggest you let it automatically configure various security settings. Click the Secure Site button to allow this. Let it activate Network Brute Force Protection. Whether to receive their emails is up to you. I don’t find them all that helpful.
Note: If you use Secure Site again later, it may undo some of the changes I’m about to recommend.
Once it completes the security check, you’ll be on a screen that lists several sections containing groups of related settings. Change the following further settings.
- Disable Database Backups if it is enabled. There’s a better way to do that, which we cover in Enable Periodic Backups.
- Click the Configure Settings button for WordPress Salts. Check the box and click Save Settings. You’ll have to log back in afterward. You only have to do this once. This does some invisible magic to make your site encrypt information with a unique key, making it harder to hack (“salt” is a technical term used in cryptography).
- In WordPress Tweaks, enable the following:
- Remove the Windows Live Writer header.
- Remove the RSD (Really Simple Discovery) header.
- Reduce Comment Spam.
- XML-RPC: Select Disable XML-RPC. Among other things noted on the screen, this will prevent you getting “pingbacks,” notices on your posts that some other blog referenced the post. Nearly all of those are spam.
- Leave other settings at their default values.
- In Notification Center, uncheck all Enabled checkboxes, unless you want to constantly receive emails about bots trying to break into your site.
- Local Brute Force Protection: Should already be enabled. This locks out folks after a certain number of failed login attempts, to defeat password guessing attacks. There’s a checkbox on this configuration screen labeled, Immediately ban a host that attempts to login using the ‘admin’ username. If you took my advice earlier, there’s no such user, so check this box. It’s a pretty safe bet anyone trying that ID is attempting to break in.
- 404 Detection: Enable. 404 refers to the response a server sends to report “page not found.” If your site contains no broken links, you don’t expect a lot of requests for nonexistent items… unless someone’s poking around trying different URLs to see if they can break in. This cuts them off after a specified number of tries.
- Banned Users: Check Enable HackRepair.com’s blacklist feature. This prevents a lot of known bad actors from seeing anything on your site, and is unlikely to block any legitimate visitors.
- Network Brute Force Protection: Yes! This shares the results of your password guessing protection with other sites, so IP addresses that tried to hack your password are blocked elsewhere (and vice versa).
- System Tweaks: Enable. In its configuration screen:
- Protect System Files: Check.
- Disable Directory Browsing: Check.
- Filter Non-English Characters: Check, unless you use non-English characters in your post titles.
- Filter Long URL Strings: Uncheck. This causes problems with some plugins that legitimately employ long URLs, notably Matomo statistics gathering.
- Remove File Writing Permissions: Uncheck.
- Check all Disable PHP boxes.
- Everything else: keep default settings.
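To show what the Local Brute Force Protection and 404 Detection rules above react to, here is an added Python example (not code from the post or from iThemes Security) that replays constructed web-server access-log lines and reports which hosts a lockout rule would have banned. The thresholds, the five-minute window, and the assumption that a failed wp-login.php POST is answered with 200 while a successful one redirects with 302 are mine, not the plugin's.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Apache/nginx "combined" log format: client IP, timestamp, request line, status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse_line(line):
    """Return (ip, time, method, path, status), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def find_offenders(lines, login_limit=5, notfound_limit=10, window_seconds=300):
    """Replay log lines; return {ip: reason} for hosts a lockout rule would ban for too
    many failed logins or 404s inside a sliding window. Assumption (verify on your own
    server): a failed wp-login.php POST is answered 200, a successful one 302."""
    window = timedelta(seconds=window_seconds)
    failed_logins = defaultdict(deque)   # ip -> timestamps of recent failed logins
    not_found = defaultdict(deque)       # ip -> timestamps of recent 404 responses
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, when, method, path, status = parsed
        if ip in banned:                 # already locked out; nothing more to count
            continue
        if method == "POST" and path == "/wp-login.php" and status == 200:
            bucket, limit, reason = failed_logins[ip], login_limit, "failed logins"
        elif status == 404:
            bucket, limit, reason = not_found[ip], notfound_limit, "requests for missing pages"
        else:
            continue
        bucket.append(when)
        while bucket and when - bucket[0] > window:   # forget events older than the window
            bucket.popleft()
        if len(bucket) >= limit:
            banned[ip] = f"{len(bucket)} {reason} within {window_seconds}s"
    return banned

def _line(ip, second, method, path, status):
    # One constructed combined-format line, timestamped 13:55:SS on a fixed date.
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')

# Constructed sample: a real user who mistypes once and then logs in, a host hammering
# the login form, and a host walking through pages that do not exist.
SAMPLE_LOG = (
    [_line("198.51.100.4", 1, "POST", "/wp-login.php", 200),
     _line("198.51.100.4", 9, "POST", "/wp-login.php", 302)]
    + [_line("203.0.113.7", s, "POST", "/wp-login.php", 200) for s in range(10, 16)]
    + [_line("203.0.113.9", 20 + i, "GET", f"/missing-page-{i}", 404) for i in range(12)]
)
```

Run against your own access log to see how often these rules would fire before you tune the plugin's thresholds; a site with many broken internal links will trip 404 Detection on legitimate visitors unless the limit is raised.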
Go through the other functions in these settings screens to acquaint yourself with them. Some may become useful to your circumstances. Some specific items:
- File Permissions: This contains no settings — it’s a report showing which files might be open to modification by outside forces. It will probably warn you about the possibility of modifications to .htaccess and wp-config.php. This isn’t a problem if you’re well protected otherwise. There’s an option in a different section to lock them down, but doing so might cause problems with other plugins that have valid reasons to make these changes.
- SSL: Don’t enable – it’s a duplicate. If you followed earlier suggestions you already enabled SSL/TLS (you can confirm this from the lock icon to the left of your browser address field, and the fact that your URLs begin with https rather than http; in fact, if you take out the “s” in https, your browser will put it back).
- Password Requirements: If you’re the only person with a login, it may be a waste of time to force yourself to choose a good password (which you have already done anyway. Right?). But if you create other user accounts, this is a good move.
What If I Get Hacked Anyway?
If you follow the recommendations in the above sections, it’s unlikely your site will be broken into. But if it does happen, what do you do?
You’ll probably learn of the hack by email from Google and/or your hosting provider. They scan for symptoms, and Google will block your site from searches if they detect a problem. Once the problem is fixed, you must follow their process for having your site reviewed and unblocked. The email will contain the information you need for requesting a review.
As I mentioned before, 41 percent of site hacks are the fault of the hosting company — not anything to do with WordPress, and therefore out of your control. If that was so in your case, the hosting company shouldn’t expect extra payment to clean up their own mess and prevent recurrences. Security of their basic server software is supposed to be an expense for the hosting company — not a revenue stream.
If it wasn’t the hosting provider’s fault, you might consider the services your hosting company will offer, to clean up your site and monitor it for future incursions.
However, the cleanup doesn’t have to be done in-house by the hosting provider; you can do it yourself, or pay someone a one-time fee to do it for you. I recommend Jim Walker (https://thehackrepairguy.com/). Compare prices.
To do it yourself, you need access to your WordPress dashboard. If the hack has disabled your access to that, get a professional to help you. Your hosting provider may have shut down your site, so you may have to ask them to re-enable it so you can fix it.
Disable Automatic Backup
Automatic backup programs (such as UpdraftPlus) keep a limited number of backups; they delete the oldest backup to make way for a new one. After a break-in, turn scheduled backups off so a good backup doesn’t get erased to make room for one that contains malware. We’re not going to use backups for hacker recovery except as a last resort, though. Very likely the malware has been around long enough before anyone detected it that none of your backups are good.
Clean and Secure Your PCs
There’s a chance the hackers gained entrance to your server not by attacking it directly, but through malware on your PC. Because your computer probably stores passwords to websites — including your own — malware that gains access to your system can often send all your passwords off to its evil master.
So, start with a thorough virus scan of your PCs and other web-capable devices — phones and tablets can also be hacked! — and change the passwords on those devices.
Never use the browser’s saved passwords feature. If an intruder gains control of your computer, it’s easy for them to grab those passwords and break into all your online accounts. Use a free password manager program that encrypts the data and requires you to enter a master password to access the list. I recommend Bitwarden, which synchronizes saved passwords across all your devices and stores them encrypted.
Use a Malware Removal Plugin
Since developers hate malware, there are several free plugins to handle this problem. I recommend Security & Malware scan by CleanTalk, from CleanTalk Security. Go to the Plugins screen in your dashboard, and click Add New. Search for this one, install it, and activate it. It’s simple to use. You’ll need to register an email address with them, but you can do this with one button click. The tool scans for known malware, and also has intelligent rules to look for malware that’s not yet known.
It should simply fix your problem. Then you can ask your hosting provider to confirm the fix, and if they give the nod, contact Google to ask for a review.
If the plugin doesn’t work, go to the professionals.
Final Steps of Malware Cleanup
Change the following passwords:
- Your hosting service account.
- Your domain registrar account, if it’s different from the hosting service.
- Your website login (but don’t forget your old password, just in case, because it’s stored in your backups).
- All email accounts in your domain, because if the hackers have any of these logins, they can still connect to your server to send spam or read email.
If you’ve created additional administrative users in WordPress, create new passwords for those also (or delete the users).
It’s best to clean up the malware before changing passwords, so you can be assured the hackers don’t have any code on your site to immediately grab the new passwords.
Test the site thoroughly and make any needed adjustments. Especially test any plugins that have their own data, like Mooberry.
Finally, re-enable automatic backups, and maybe initiate a backup now. Go into Google Drive (or wherever you’re storing the backups), and delete any older backup files, which are suspect.