Use strong multi-factor authentication (hardware security keys or passwordless sign-in), so that an attacker needs both your password and the second factor to authenticate as an admin.
After taking the steps above, you will need to change your WordPress password to something strong and unique. Use a password manager to store secrets and to generate random passwords that contain no dictionary words or entries from common password lists.
Two-factor authentication is a great way to add an extra layer of security to your WordPress site. We recommend using a plugin such as Authy or Google Authenticator to set up two-factor authentication for your site.
Importance of WordPress security
Use site checkers, security checklists and incident analysis checklists to look for indicators of compromise. You can find known security vulnerabilities with vulnerability scanning.
Reduce your attack surface significantly without much cost by following this step.
Once you have diagnosed the issue, you can plan the administrative fixes for it.
Shortcuts in security are highways to hell
As a business owner, if you are concerned about your reputation, the revenue your website brings in, or the sensitive information it stores, it is vital that you submit your website for third-party security assessment, also known as web application penetration testing.
To reset passwords and admin permissions, you will need to connect to your WordPress site using an FTP client. Once connected, you will need to navigate to the /wp-content/ directory and edit the following files:
WordPress Security Plugins
However, if this is outside your skill set, you should seek professional help. This matters because your actions may lead to data loss, unintended changes to the website configuration, or unintentionally running tasks that trigger further malicious actions.
A two-factor authentication mechanism requires you to enter a second factor, such as a code from a mobile app, in addition to your password when logging into your WordPress site.
- Sucuri Security – Auditing, Malware Scanner and Security Hardening
- iThemes Security
- Wordfence Security
- WP fail2ban
- All In One WP Security & Firewall
- BulletProof Security
- WPScan – WordPress Security Scanner
- Google Authenticator – Two Factor Authentication
- Security Ninja
- Astra Web Security
- Shield Security
- Hide My WP
Logging and monitoring your WordPress site is essential to be aware of any cybersecurity threats or unusual events. By default, WordPress does not offer any admin security features to help you monitor your site.
Keeping a WordPress site secure is critical to the health of the website and to the security of the data behind it.
10 security tips to keep your WordPress site secure
Another important security measure is to use strong passwords for all of your user accounts. A strong password should be at least eight characters long and include a mix of upper and lowercase letters, numbers, and special characters. You can generate strong passwords using a password generator tool such as KeePass (open-source) or commercially available options.
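The policy in the paragraph above can be checked mechanically. The following Python helper is an added example, not code from this page or from KeePass: it checks a password against that policy (minimum length, mixed case, digits, special characters) plus a tiny, constructed word list standing in for a real dictionary or breached-password list, and generates passwords with Python's `secrets` module, which is designed for security-sensitive randomness.

```python
"""Password policy check and generator (added example; the word list is constructed)."""
import re
import secrets
import string

MIN_LENGTH = 8  # the minimum given in the tip above; longer is better

# Constructed stand-in for a real dictionary / common-password list.
COMMON_WORDS = {"password", "wordpress", "admin", "welcome", "letmein", "qwerty", "summer"}


def password_problems(pw: str) -> list[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"\d", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special character")
    lowered = pw.lower()
    hits = sorted(w for w in COMMON_WORDS if w in lowered)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    return problems


def generate_password(length: int = 20) -> str:
    """Generate a random password that satisfies password_problems()."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:  # retry until the random draw satisfies every rule
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(pw):
            return pw


if __name__ == "__main__":
    for candidate in ("abc", "Wordpress2022!", generate_password()):
        verdict = password_problems(candidate) or ["OK"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Swap `COMMON_WORDS` for a real word list or a breached-password feed before relying on the dictionary check; the regex rules only enforce the stated policy and say nothing about how guessable a password is beyond it.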
1 – Update WordPress regularly – Patching
If you see this message, it’s crucial to take action immediately. Google will typically blacklist a website for one of two reasons:
These days, analysis write-ups are often an excellent way to read about other people's issues and the troubleshooting steps they took, so you can learn from them and help yourself.
2 – Use strong passwords
Online resources by famous incident responders, security experts and WordPress experts are often a great source of information. These could be mailing lists, social media profiles/blogging sites, websites or forums.
3 – Use reliable security tools
a) The site has been hacked and contains malicious code.
There are multiple reasons why it’s crucial to let stakeholders and customers know about a security breach.
One of the essentials of keeping your WordPress site secure is ensuring that you are running the latest version.
d) Any other relevant information
4 – Back up your data regularly
a) A timeline of events leading up to the hack
5 – Penetration Testing / Secure Configuration Reviews
With that said, it does not mean all WordPress security plugins are bad. Some of the well-known plugins, including Sucuri, Wordfence, etc., are well-supported and helpful.
b) The site is hosting malicious content.
However, a WordPress security plugin may or may not still be reliable, supported or maintained by the time you need help (if ever). In addition, there are some simple things you can do to help protect your site, such as keeping your WordPress version up to date, using strong passwords, and backing up your data regularly.
For WordPress, some excellent help is available for free. This includes Cloudflare's free plan, which offers network- and application-layer firewall options and protects the site against DDoS/DoS attacks.
Once you have changed your password, we recommend that you update all user passwords and permissions. This will help prevent the hacker from regaining access to your site.
6 – Basic Secure Hardening Checklist
It’s essential to address one big misconception before we start deep diving into WordPress security and hacking mitigation steps.
- Limit the admin login interface to known IP addresses only. You can do this with Cloudflare or a similar service that restricts by IP address, or at the application level by restricting the URL path.
- Disable XML-RPC over the Internet. XML-RPC is a remote procedure call protocol that uses XML to encode its calls and HTTP as its transport. (“PHP” refers to the programming language in which WordPress is written.) The xmlrpc.php file handles communication between different WordPress installations: for example, if you run multiple WordPress sites, you can use xmlrpc.php to post content from one site to another, as long as the remote site supports XML-RPC. However, because xmlrpc.php can be used to POST data to a WordPress site, malicious actors can exploit it. For example, an attacker could use xmlrpc.
- Disable directory indexing, which can disclose the website's contents and file-system layout. The underlying issue here is permissions configuration. You can disable directory indexing by adding “Options -Indexes” to the .htaccess file.
- Disable hazardous PHP functions that allow file execution, which threat actors could abuse to run their own code routines.
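The checklist above names the controls but not the directives that implement them. The following Python audit is an added example, not code from this page or from any WordPress project: it reads the text of `.htaccess`, `wp-config.php` and `php.ini`, reports which checklist items are missing, and prints the Apache 2.4 or PHP directive that adds each one. It goes one step beyond the list by also checking that the dashboard theme/plugin file editor is disabled (`DISALLOW_FILE_EDIT`). The sample configuration strings and the trusted admin address `203.0.113.10` are constructed placeholders.

```python
"""Hardening audit for the checklist above (added example; sample configs are constructed)."""
import re

# Placeholder from the RFC 5737 documentation range; replace with your admins' real addresses.
TRUSTED_ADMIN_IP = "203.0.113.10"

# PHP functions that hand the web server a shell; listed for php.ini's disable_functions.
DANGEROUS_FUNCTIONS = ("exec", "passthru", "shell_exec", "system", "proc_open", "popen")


def _files_block(text: str, filename: str) -> str:
    """Return the body of an Apache <Files filename> ... </Files> block, or '' if absent."""
    m = re.search(r'<Files\s+"?' + re.escape(filename) + r'"?\s*>(.*?)</Files>', text, re.S | re.I)
    return m.group(1) if m else ""


def check_htaccess(text: str) -> list[tuple[str, str]]:
    """Directory indexing, XML-RPC exposure and admin-login IP restriction (checklist items)."""
    findings = []
    if not re.search(r"^\s*Options\b[^\n]*-Indexes", text, re.M):
        findings.append(("directory indexing not disabled", "Options -Indexes"))
    if "all denied" not in _files_block(text, "xmlrpc.php").lower():
        findings.append(("xmlrpc.php reachable from the Internet",
                         "<Files xmlrpc.php>\n    Require all denied\n</Files>"))
    if "require ip" not in _files_block(text, "wp-login.php").lower():
        findings.append(("wp-login.php not restricted to known IPs",
                         f"<Files wp-login.php>\n    Require ip {TRUSTED_ADMIN_IP}\n</Files>"))
    return findings


def check_wp_config(text: str) -> list[tuple[str, str]]:
    """Extra item beyond the checklist: the dashboard file editor lets an admin session write PHP."""
    if not re.search(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", text):
        return [("theme/plugin editor enabled in the dashboard", "define('DISALLOW_FILE_EDIT', true);")]
    return []


def check_php_ini(text: str) -> list[tuple[str, str]]:
    """Hazardous execution functions must appear in disable_functions."""
    m = re.search(r"^\s*disable_functions\s*=\s*(.*)$", text, re.M)
    disabled = {f.strip() for f in m.group(1).split(",")} if m else set()
    missing = [f for f in DANGEROUS_FUNCTIONS if f not in disabled]
    if missing:
        return [("command-execution functions still enabled: " + ", ".join(missing),
                 "disable_functions = " + ",".join(DANGEROUS_FUNCTIONS))]
    return []


def audit(htaccess: str, wp_config: str, php_ini: str) -> list[tuple[str, str]]:
    return check_htaccess(htaccess) + check_wp_config(wp_config) + check_php_ini(php_ini)


# Constructed sample: a site that has done only part of the checklist.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
</IfModule>
# END WordPress
Options -Indexes
"""
SAMPLE_WP_CONFIG = """\
<?php
define('DB_NAME', 'wordpress');
define('WP_DEBUG', false);
"""
SAMPLE_PHP_INI = "disable_functions = exec,system\n"

if __name__ == "__main__":
    for problem, fix in audit(SAMPLE_HTACCESS, SAMPLE_WP_CONFIG, SAMPLE_PHP_INI):
        print(f"[!] {problem}\n    add: {fix}\n")
```

To run it against a real install, read the three files with `open()` and pass their contents to `audit()`. The `Require` directives are Apache 2.4 syntax; nginx needs equivalent `location` rules instead. Restricting `wp-login.php` by IP locks out admins on other networks, so pair it with the Cloudflare option the checklist mentions if your admins roam.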
7 – Use a Web Application Firewall
Keeping your website secure is mandatory to protect your data. Here are some essential tips to help keep your WordPress site secure:
8 – Don’t use nulled themes or plugins
The first thing you need to do is remain calm. It can be tempting to panic when you think your site has been hacked, but it’s essential to keep a clear head to take action to fix the problem.
Your incident report should include:
c) Your site is redirecting to another website
9 – Use two-factor authentication
You should remove the malicious code or content from your website. Once it is clean, you can submit a request to Google to have your site removed from the blacklist.
It is a continuous process that you should work on to reduce the probability of adverse events in the future.
10 – Logging and Monitoring
Threat actors or attackers are constantly finding new ways to exploit vulnerabilities in older versions of WordPress, so it is vital to make sure that you have the latest version installed. You can update WordPress core by going to the “Updates” page in your dashboard directly.
b) A list of any changes that have been made to your site
Even if you take all of the precautions detailed above, there is always a chance that your WordPress site could be compromised due to supply chain security risks.
You should take the following steps if you think that your site has been hacked:
Hackers often use nulled themes and plugins to gain access to WordPress sites. If you are using a nulled theme or plugin, we recommend that you replace it with a genuine copy as soon as possible.
Once you have edited these files, you will need to save and upload them to your WordPress site.
Web application penetration testing is a process of assessing the security of a web application.
What to do if your website is hacked
This blog post will discuss some tips on securing and protecting your WordPress sites from malicious attacks.
1 – Remain calm
If you see any of these signs, we recommend that you take immediate action to investigate the reasons behind such changes.
2 – Turn on maintenance mode on your website
b) You see strange error messages
After you have reset the passwords and permissions, it is recommended that you change your WordPress password to a unique and robust password.
- Go to the WordPress administration panel.
- Settings – WP Maintenance Mode page.
- Under the “General Settings” section, switch the Status to Activated.
- Click the Save Settings button.
3 – Start creating an incident report
This WordPress security guide shared the signs of compromise and the top ten steps to beef up security. Security is not an immediate investment, nor does it provide immediate ROI.
If you have any further questions, please contact the Cypher team. We will be happy to set up a call to discuss your security concerns.
Using an outdated or vulnerable theme or plugin is one of the easiest ways for hackers to access your WordPress site. Updated themes and plugins reduce the hacking risks.
If you think your WordPress site has been compromised, you should first enable maintenance mode from the admin panel. This will prevent visitors from accessing your site while you work to fix the problem.
Finally, informing customers about a security breach can help prevent future attacks, because customers can trust that you will take additional steps to protect their sensitive data. You may also need to assess the breach to determine whether it must be reported to the local or national regulatory authority.
The goal here is to identify vulnerabilities that could be exploited by an attacker to gain access to sensitive data or to perform other malicious actions. Penetration testing can be conducted manually or automatically, and it may involve testing the application from both inside and outside the organisation’s network.
4 – Reset access and permissions
However, it is not limited to the top 10 risks. Some in-depth checks involve business logic flaws and practical attacks with multi-sequence or multi-staged payloads based on the functionality of the application or its APIs.
A “nulled” theme or plugin is a pirated copy of a premium WordPress plugin or theme. These themes and plugins are often modified to include malicious code, which hackers can use to hack your site. It is essential to only use themes and plugins from reputable sources, such as the WordPress.org plugin repository.
We are not endorsing Cloudflare; you are free to make other choices. However, given its proactive stance and industry reputation, choosing it is similar to choosing Microsoft’s Active Directory over other directory services.
As of today, some of the popular WordPress security plugins are:
Security by obscurity means relying on shortcuts that make something appear secure rather than on the actual quality of its security. In cybersecurity, shortcuts cost very dearly. There are numerous examples where the security-by-obscurity approach led to disastrous situations.
a) Your site is loading slowly
WordPress Security: 10 Tips to Secure your Site
It builds trust and transparency between the company and its customers. Additionally, it allows the company to take responsibility for its mistakes and show that it’s committed to protecting its customers’ information.
To reinstall these files, you will need to connect to your WordPress site using an FTP client. Once you have deleted the current versions of the files via the FTP client, upload the backup versions of these files to your WordPress site.
We are not against plugins, but we suggest using them with caution. Research the reputation of plugins and their authors, and where better alternatives are available, prefer not to use a plugin.
A small example would be using Cloudflare's free or pro plan, depending on your requirements, which saves you from installing many plugins for security protection.
5 – Diagnose the issue
Hackers can gain an initial foothold or privileged access to a website in multiple ways, and once they have access, they can wreak havoc on your site and its data.
However, you can install a few plugins that will help you keep an eye on things or utilise the previously mentioned solutions such as Cloudflare, Fastly, and the like.
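The logging and monitoring tip above notes that WordPress ships with no monitoring of its own. As an added example (not code from this page or from any plugin or service named here), the Python script below applies two simple detections to Apache combined-format access-log lines: repeated failed POSTs to `wp-login.php` from one IP address, and a high volume of POSTs to `xmlrpc.php`. It relies on WordPress re-rendering the login form with a 200 status on a failed login and answering a successful one with a 302 redirect. The log lines are constructed for the example, and the thresholds are arbitrary starting points to tune for your own traffic.

```python
"""Brute-force and XML-RPC abuse detection over access-log lines (added example; log is constructed)."""
import re
from collections import Counter

# Apache combined format: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse(lines):
    """Yield the fields of each log line that matches the combined format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def detect(lines, login_threshold=5, xmlrpc_threshold=20):
    """Return alert strings for IPs that exceed the failed-login or XML-RPC thresholds."""
    failed_logins = Counter()
    successful_logins = Counter()
    xmlrpc_posts = Counter()
    for r in parse(lines):
        path = r["path"].split("?")[0]  # drop query string, e.g. ?redirect_to=...
        if r["method"] == "POST" and path.endswith("/wp-login.php"):
            # WordPress: failed login -> form re-rendered (200); success -> redirect (302)
            if r["status"] == "200":
                failed_logins[r["ip"]] += 1
            elif r["status"] == "302":
                successful_logins[r["ip"]] += 1
        elif r["method"] == "POST" and path.endswith("/xmlrpc.php"):
            xmlrpc_posts[r["ip"]] += 1

    alerts = []
    for ip, n in failed_logins.items():
        if n >= login_threshold:
            alerts.append(f"{ip}: {n} failed wp-login.php attempts (possible brute force)")
            if successful_logins[ip]:
                alerts.append(f"{ip}: login succeeded after {n} failures - review this account")
    for ip, n in xmlrpc_posts.items():
        if n >= xmlrpc_threshold:
            alerts.append(f"{ip}: {n} POSTs to xmlrpc.php (XML-RPC abuse; disable if unused)")
    return alerts


def _line(ip, method, path, status, ua="Mozilla/5.0"):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [26/Mar/2022:10:00:00 +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


# Constructed sample traffic: one guessing client that eventually succeeds,
# one XML-RPC flood, and one ordinary user who mistyped a password once.
SAMPLE_LOG = (
    [_line("203.0.113.5", "POST", "/wp-login.php", 200) for _ in range(6)]
    + [_line("203.0.113.5", "POST", "/wp-login.php", 302)]
    + [_line("198.51.100.7", "POST", "/xmlrpc.php", 200, "python-requests/2.27") for _ in range(25)]
    + [
        _line("192.0.2.9", "GET", "/wp-admin/", 302),
        _line("192.0.2.9", "POST", "/wp-login.php", 200),
        _line("192.0.2.9", "POST", "/wp-login.php", 302),
    ]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("[ALERT]", alert)
```

Feed it a real log with `detect(open("/var/log/apache2/access.log"))`. The "succeeded after failures" alert is the one worth acting on first: it is the signal that a guessed password worked and the account needs resetting, which is exactly the step the incident procedure in this guide calls for.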
Common vulnerability types tested include HTML injection, SQL injection and command injection flaws, cross-site scripting, and authentication and authorisation bypass. These are typically checked against the OWASP top ten security risks.
If you think your WordPress site has been hacked, one of the first things you should do is reinstall all themes and plugins from backup. This will help prevent the hacker from regaining access to your site.
It also helps with caching and secure DNS options. The pro plan is reasonably priced for what it adds, depending on your website's functionality, if you can afford it.
7 – Reinstall backup, themes, and plugins
There are hundreds of plugins and tools available to help you with any task related to a WordPress site.
We hope this WordPress security guide was helpful.
8 – Change your site passwords again
You can enable maintenance mode by adding the code in your wp-config.php or the dashboard:
One of the pitfalls is installing security plugins that are buggy, insecure or out of support. It is better to give this task to the relevant people, i.e. security specialists, or, if you are a micro-business, a reliable freelancer who can help you reach your security goals.
9 – Alert your customers and stakeholders
WordPress is one of the most popular content management systems in use today. While it is a very user-friendly platform, it is also important to remember that it needs to be adequately secured to protect your website and its data.
d) You are seeing new users or content on your site that you didn’t add
Back up your WordPress site regularly. It ensures that you have a copy ready if something happens to your site. There are many different WordPress backup plugins available, including direct Cloud backup options these days.
Compromised WordPress sites may also display these symptoms:
10 – Check for website blacklisting status
Last update on 2022-03-26.
c) A list of any sensitive information that may have been compromised
A web application firewall (WAF) is a security tool that helps to protect your WordPress site from attacks. A WAF can block malicious requests before they reach your website and help mitigate the effects of an attack if your site is breached. Some popular WAFs include Cloudflare and Sucuri Firewall.
Once essential housekeeping is out of the way, you will need to diagnose the issue to discover how your WordPress site was hacked. It can be a complex step, but some tools can help.
If your site was blacklisted (by Google or a similar search engine) because of the attack, Google warns visitors about your website by displaying a message next to it in the search results: “This site may harm your computer”.
If you think your WordPress site has been hacked, one of the first things you should do is reset all user passwords and admin permissions. This will help prevent the hacker from regaining access to your site.
i) Any other files that have been modified
If you think your WordPress site has been hacked, it’s crucial to create an incident report. This is your trail of events, or record-keeping, to help you work out later what happened, and it is handy information if you need to contact your hosting provider, law enforcement or other authorities such as the ICO (Information Commissioner's Office).
That is why it is essential to ensure that you take steps to secure your WordPress site and keep it protected from potential threats.
If you think your WordPress site has been hacked, it’s crucial to alert your customers and stakeholders as soon as possible.