
How To Prevent Your WordPress Site From Being Hacked Guide (2023)

Update WordPress Version and Plugins

A crucial step is to update your WordPress site to the latest version. You should always make sure that your blog’s version is up to date. The WordPress team releases patches to fix security holes.

Do the same for all plugins.

Install Sucuri Security plugin

WordPress Keys in wp-config.php

  1. In the backend, go to Sucuri Security / Hardening and click the harden button on the Security keys section.
  2. Tick the checkbox I understand that this operation can not be reverted and click the Generate new security keys button.

Hardening Options

  1. Go to Sucuri / Settings.
  2. Click the Hardening tab.

Delete non-WordPress files

  1. In the backend, go to Sucuri Security > Dashboard.
  2. In the WordPress Integrity section, see if any suspicious files exist and delete them.

Stop a Directory Index From Being Shown

Sometimes, for one reason or another, you will have no index file in your directory. This will, of course, mean that if someone types the directory name into their browser, a full listing of all the files in that directory will be shown. This could be a security risk for your site.

To prevent this (without creating lots of new ‘index’ files), you can enter a directive into your .htaccess file to stop the directory list from being shown:

Options -Indexes

Stop Spam Registrations in WordPress sites that do not need them

Did you know that malicious computer programs called “spambots” search the internet looking for vulnerable websites? One method they have of forcing themselves into your site is by creating spammy user accounts.

By default, WordPress websites allow for user registrations from a specific link: yoursite.com/wp-login.php?action=register.

These spambots are programmed to go looking for that link to register fake users.

To stop that, you can go to Settings » General. Here you can uncheck the Membership box to make sure that no one can register on your site.

Disable blog section if you do not need it

  1. Install and activate Disable Blog plugin.

Disable xmlrpc.php

XML-RPC is a feature included in WordPress, which enables data to be transmitted. It uses HTTP as the transport mechanism, and XML as the encoding mechanism. Simply put, xmlrpc.php lets you access your website from custom admin software and mobile applications, rather than through a browser.

Unless you use remote technologies and mobile applications to update your WordPress site, you might not be familiar with XML-RPC. For the uninitiated, you can use xmlrpc.php to establish a remote connection to WordPress, and make updates to your site without directly logging in to your WordPress system.

The problem is that xmlrpc.php poses a security risk. It creates an additional access point to your site, which could leave it vulnerable to external attacks. Every time you authenticate XML-RPC, you need to supply your username and password. As you can imagine, this isn’t exactly ideal for security purposes.

For example, in order to prevent brute force attacks, you can limit login attempts on your WordPress site. However, with XML-RPC enabled, that limit does not exist. There’s no capping on login attempts, which means it’s only a matter of time before a determined cybercriminal gains access.

By disabling the feature, you are closing a potential area of entry for hackers. Of course, without XML-RPC, remote access isn’t possible. You would need to log in directly to WordPress for publishing and updating purposes. Therefore, if mobile apps and remote software are the methods you rely on for site updates, turning this feature off may not be a practical option.

However, if security is your top priority, this may be a step you want to consider. Additionally, if remote connections aren’t something you deal with on a day-to-day basis, you likely won’t miss the feature when it’s gone. In this situation, you have nothing to lose and only an added layer of security to gain.

In order to disable the xmlrpc.php, follow these steps:

  1. Download and activate the Disable XML-RPC-API Plugin.
  2. Go to WordPress XML-RPC validator and check that xmlrpc is disabled. Simply input your site’s address, and then click on Check. If you get an error message, it means that XML-RPC is disabled.

Hide WordPress and plugin’s versions

  1. Download and activate the Disable XML-RPC-API Plugin.
  2. Go to XML-RPC Security > Security settings.
  3. Turn On Hide WordPress Version and click save.

Hide WordPress users

  1. Download and activate the Disable XML-RPC-API Plugin.
  2. Go to XML-RPC Security > Security settings.
  3. Turn On Disable JSON REST API and click save.
  4. Go to XML-RPC Security > Speedup settings.
  5. Turn On Disable Remove RSS and RSD and click save.

Add security headers

In order to check your site regarding security headers you can use securityheaders.com.

Open your .htaccess file and add this code to the bottom.

<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "DENY"
Header set Referrer-Policy "no-referrer-when-downgrade"
</IfModule>

Content Security Policy (CSP) Header

Open your .htaccess file and add this code to the bottom.

<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src https: 'unsafe-eval' 'unsafe-inline' 'self'; object-src 'self'; font-src https: data: 'self' http: fonts.googleapis.com themes.googleusercontent.com; connect-src https: wss: 'self'; img-src https: data: 'self' http: *.gravatar.com; worker-src blob: https: 'self' 'unsafe-inline' 'unsafe-eval'; media-src https: blob: 'self'; style-src https: 'unsafe-eval' 'unsafe-inline' 'self' http: fonts.googleapis.com"
</IfModule>
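
To check offline that a response really carries the headers from the two .htaccess blocks above, the following added example (not code from the original page) parses a response head, compares it with those values, and lists CSP sources such as 'unsafe-inline', 'unsafe-eval' and http: that loosen the policy. The names `EXPECTED`, `WEAK_SOURCES`, `audit` and the sample response are assumptions made for the illustration.

```python
# Added example; EXPECTED mirrors the .htaccess values shown on this page.
EXPECTED = {
    "strict-transport-security": "max-age=31536000",
    "x-xss-protection": "1; mode=block",
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "referrer-policy": "no-referrer-when-downgrade",
}
# 'unsafe-inline'/'unsafe-eval' permit inline code and eval(); http: permits any plain-HTTP origin.
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "http:"}

# Constructed sample response head (not captured from a real site).
SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src https: 'unsafe-eval' 'unsafe-inline' 'self'; object-src 'self'
"""

def parse_headers(raw):
    """Parse a raw response into {lower-cased header name: value}; any body is ignored."""
    head = raw.strip().replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def parse_csp(policy):
    """Split a CSP value into {directive: [sources]}."""
    parts = (p.split() for p in policy.split(";"))
    return {p[0].lower(): p[1:] for p in parts if p}

def audit(raw):
    """Return findings in a stable order: fixed headers first, then CSP directives."""
    headers, findings = parse_headers(raw), []
    for name, want in EXPECTED.items():
        got = headers.get(name)
        if got is None:
            findings.append(f"missing: {name}")
        elif got.lower() != want.lower():
            findings.append(f"differs: {name} = {got}")
    csp = headers.get("content-security-policy")
    if csp is None:
        return findings + ["missing: content-security-policy"]
    for directive, sources in parse_csp(csp).items():
        weak = [s for s in sources if s.lower() in WEAK_SOURCES]
        if weak:
            findings.append(f"csp {directive}: {' '.join(weak)}")
    return findings
```

Feed `audit()` the output of a header-only request to your own site; an empty list means every header matches and no weak CSP source was found.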

Change Default Login Page URL

Every WordPress website has a default login URL that looks like this – www.example.com/wp-admin.

Since hackers know the format of the default login URL, they can easily find your login page to launch brute force attacks.

But if you move the login page to a new URL (like http://www.example.com/newurl), then it’ll be harder for hackers to find the login page.

Hackers rarely target a single website. They prefer launching attacks on multiple websites so if they are unable to find your default login URL, they are likely to move on to their next target.

To change your login page:

  1. Install and activate WPS Hide Login.
  2. From your WordPress dashboard, go to Settings and choose WPS Hide Login and set the new login URL. Remember to save the setting.

Connect your site to ManageWP

ManageWP lets you easily update plugins for multiple WordPress sites.

Just add the ManageWP Worker plugin and set it up.

Delete all revisions

No need to have the revisions in your database after the cleanup. Just delete them through ManageWP.

Remove author archives from Yoast SEO

WordPress creates Author Archives pages for anyone who publishes content on a website, sometimes keeping that page live even if that content is transferred to another user.
By default, WordPress uses the ‘username’ a user logs in with for the Author Archive page URL and offers no way of changing this.
When Yoast is installed, sitemaps are activated by default, creating an Author Archive sitemap which contains all the Author URLs complete with usernames.
Hackers can use this file to gain important usernames for a website, making hacking easier by only needing to guess passwords.
This attack vector can be closed by turning off Author Archives in Yoast or, if Author Archives are required, by editing the URL of author archives in the WordPress code.

This is why you should remove author archives.

What is SQL Injection?

SQL injection is an attack used to exploit a security vulnerability in a website. This vulnerability occurs when the server gives the direct response to the client. An attacker can communicate with the server through MySQL by giving SQL commands. This happens because the user input is incorrectly filtered by the website. Taking advantage of this, an attacker can inject a piece of code into the database and can take control over it.

What if I get hacked?

Update WordPress and all plugins. Try to find the infected files. To find infected files:

  1. Put WordPress in maintenance mode.
  2. Install the Sucuri plugin, go to Sucuri > Dashboard and check file integrity.
  3. Install Anti-Malware Security and Brute-Force Firewall plugin and run a full system scan.
  4. Check if any new users in WordPress exist.
  5. Change your super admin password to a strong, unique one.
  6. Check your server for any new emails.
  7. Check your database. If it is extremely large, it may be hacked and you might find enormous tables in it. Delete them.
  8. Check your subdomains. Some hacks may create a subdomain in your account.
  9. Check the plugins folder with FTP. If you find any suspicious plugin folders in it, delete them.
  10. Check your root .htaccess file (e.g. if you cannot log in to the WordPress backend and you see a lot of JavaScript errors in the console).
  11. If you have WP Rocket, follow the next steps.

If after scanning your site, your security plugin confirms that there is some malicious code on your site, then it’s impossible for WP Rocket to avoid including that code when it creates the cached content.

If your site has been hacked you should follow these steps:

  1. Disable Preloading in WP Rocket
  2. Clear the cache to remove the infected files (this can also be done manually if needed)
  3. Deactivate WP Rocket
  4. Clean up the hack on your site
  5. Once your site is clean, then you may reactivate WP Rocket.

If the hack exists (for example, a message on top of your site), try to search for error_reporting(0). Usually hackers turn off error reporting before injecting their code into one of your files. Injected index.php files in WordPress subfolders are a common attack. Here is an example of a hack in a site that I investigated:

error_reporting(0); 
$strings = "as";$strings .= "sert";
@$strings(str_rot13('riny(onfr64_qrpbqr("nJLtXTym.....2B30="));'));
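
The search for error_reporting(0) described above can be automated. This added example (not code from the original page) walks a WordPress tree, flags .php files that show the indicators visible in that snippet, and undoes the ROT13 layer on literal arguments to see whether eval or base64_decode is hidden underneath. The indicator names, the patterns and the function names are this example's own assumptions, and a hit is a prompt for manual review, not proof of infection.

```python
import codecs
import os
import re

# Constructed test input: the injected snippet quoted on this page, payload still elided.
SAMPLE = r'''<?php
error_reporting(0);
$strings = "as";$strings .= "sert";
@$strings(str_rot13('riny(onfr64_qrpbqr("nJLtXTym.....2B30="));'));
'''

# Indicator names and patterns are this example's own choice, derived from that snippet.
INDICATORS = {
    "error_reporting(0)": re.compile(r"error_reporting\s*\(\s*0\s*\)"),
    "variable function call": re.compile(r"\$\w+\s*\("),
    "str_rot13 call": re.compile(r"str_rot13\s*\("),
    "eval/base64_decode": re.compile(r"\b(?:eval|base64_decode)\s*\(", re.I),
}
ROT13_LITERAL = re.compile(r"str_rot13\s*\(\s*(['\"])(.*?)\1\s*\)", re.S)

def scan_source(php):
    """Return the sorted indicator names found in one PHP source string."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(php)}
    # Decode ROT13 string literals and re-check what they hide.
    for match in ROT13_LITERAL.finditer(php):
        decoded = codecs.decode(match.group(2), "rot_13")
        if INDICATORS["eval/base64_decode"].search(decoded):
            hits.add("rot13-hidden eval/base64_decode")
    return sorted(hits)

def scan_tree(root):
    """Walk root and map each .php file with at least one hit to its indicators."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
                if hits:
                    report[path] = hits
    return report
```

Run `scan_tree()` against a copy of the site's document root and review files that report several indicators first; legitimate plugins also call functions through variables, so a single hit on its own says little.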

What if I cannot reach the site through Google?

In order to remove the viruses, you will have to bypass Google. To do so:

  1. In Chrome, click the 3 dots on the upper right.
  2. Click Settings.
  3. Search for security.
  4. Select No protection.
  5. When viruses are gone, reselect Enhanced protection.

Then you will have to submit the site to Google for review. To do so:

  1. Add your site in Google Search Console.
  2. Request a review from there. You can add a description like this: WordPress updates, plugin updates and removal of all harmful files.
  3. If Google finds that your site is clean, warnings from browsers and search results should be removed within 72 hours.

Learning Resources