WordPress Site Hacked

Your WordPress site has been hacked and you are upset. Before going off on a rampage and blaming everyone consider this:

  • Hackers come in through poor security on themes and plugins as well as,
  • Brute force attempts on the wp-admin login

The WordPress Security Checklist below will help prevent those miscreants from hacking into your site and causing havoc. See also a list (further down) of on and offline resources that will help you trace what went on during the hack and tools to help prevent a further hacking attempt.

As a first step you need to immediately change your passwords (as in right NOW) and username (if it was admin). Now sit back and read.

Server Level Security:

Disallow bots from scanning the important WordPress directories: By using the Robots.txt file it is always a good idea to block the wp-content, wp-admin, etc. directories.

This can be done by adding the following line:
Disallow: /wp-*

Turn off directory browsing: Many servers by default allow you to browse the listing of files within a given directory. You may have come across this before when a page is missing or there is no index to a directory. The server outputs a listing of the files in the directory instead. This is particularly important in regards to plug-ins. If someone can see which plugins you have on your site they might be able to see which ones are vulnerable.

This can be done through your .htaccess by using the code below:
Options All -Indexes

Protect your wp-admin folder. The wp-admin folder is a critical security point with in WordPress. Denying access to this folder (as well as the wp-config.php file) goes a long way to ensuring that your WordPress site is secure.

This can be done in several ways and you may want to do all of them.

Limit access to your wp-admin folder by IP Address: If you know that you are on an IP Address that doesn’t change you can prevent any intruders by blocking every IP but your own. The drawback here is that if you are travelling, are off site or trying to update the site from a location that is not your typical one you will be denied access as well.

This can be done through your .htaccess by using the example code below:
order deny,allow
deny from all
allow from 12.345.67.890
allow from 890.67.345.12

Limit access to your wp-admin folder through password protection: While not as secure as the IP Address method, it can be extremely effective to simply password protect your folder on the server level. This can also build upon the security enhancement of limit access to your wp-admin folder by IP Address by, for example if someone is able to spoof your IP address they still would need to hack your password to break in.

Limit access to your wp-admin folder by hiding it:
There is no reason that your wp-admin folder has to be called wp-admin. Hackers look for this administration folder in this location. One easy way to eliminate hacking of your site and administration area is simply rename the folder to something else. Simple enough?

Protect your wp-config.php file: The password to your database is stored in plain, readable text in your configuration file (wp-config.php). Access to your database gives hackers control over your complete site, so to say you need to protect it is an understatement. The first and most obvious step is to ensure the permissions are set correctly. Some servers set the wrong permissions by default which allows anyone who wants to the ability to read the contents of that file. The permission should be set using SSH or through an FTP client to 640. You can also do this using the File Manager in your hosting control panel (cPanel)

Additionally you can actually move the wp-config.php out of the main WordPress directory and still have everything function properly. This way hackers don’t know where to look for the file. For example if your wp-config.php is located in /public_html/blog/wp-config.php you could move it to /public_html.

WordPress Level Security

Remove the WordPress version number from the META tags: Some hackers target specific versions of WordPress because of known open vulnerability. An easy way to prevent your site from coming up as a target is to simply remove any indicators of the software version.

In older version of WordPress your theme file would have the following code in the header.php that generates a simple tag that outputs the current version:You can prevent this from being an issue by simply deleting that line of code.

Disable the “Admin” account: By default WordPress creates an “admin” account every time you install it. While the passwords are generated randomly it is never a good idea to let people know the login of your most powerful account. Because all WordPress installations have the same username for the master account you are doing just that.

Simply changing the username from admin to something less obvious will improve the security of your site.

This will have to be done through the database as WordPress won’t let you change or remove the account through the administration interface. The account is located in the wp_users table, and you can simply change the account name, display name, etc… to that of your choosing.

Change the WordPress table prefix: All installations of WordPress use the same name for all of the tables on the database. The problem with this is that if a hacker is able to use a SQL injection exploit they know exactly which tables to change data on. If you use an alternative prefix when you install the software this is prevented.

Use Security Keys: WordPress doesn’t require that you take advantage of their “security key” tool that better encrypts cookies, there by better protecting your passwords. Using security keys is a simple process where you generate a key and make some simple modifications to the wp-config.php file. You can generate WordPress security keys on this website: http://api.wordpress.org/secret-key/1.1/

Annie Cushing‘s Must-Have Tools for Spam / Hacking: