How I Made My Hacked WordPress Website Tight Secure

Like you, I always thought that nobody could hack my website, since I use strong passwords, and that no hacker would even care to hack it. But even the unsinkable Titanic sank. On the evening of 2nd March, 2013, I was making some changes on my WordPress website TechForWorld when I was suddenly logged out of the WordPress admin. I tried logging in again but could not. I was sure something had gone wrong.
WordPress Security

I immediately opened the home page of the website and it was showing a page ‘defaced’ by a hacker. Defacing, or website defacement, means changing the visual appearance of a site or a page. The hacker had put his own HTML code, with his graphics and text, on the home page. I also tried to recover my password through the ‘Lost your password?’ link on the log-in page, which emails a link for changing the password. But I got the error “wp-includes/class-smtp.php file is missing” when requesting the new password. That meant one or more of the website’s files had also been deleted, to make it hard to recover the website. Hacking techniques are always well-planned!

1. Do Not Panic; Remember that WordPress is Easier to Hack

At first it was shocking to learn that my website had been hacked, but I was not surprised, because it is a well-known fact that WordPress websites are easier to hack. More and more WordPress websites which do not have an extra security shield are being hacked. So a webmaster should always remember this fact and should not panic when a website is found hacked.

2. Remember that Hackers are Losers

What are hackers there for? Money, absolutely! They want to earn money overnight by hacking others’ websites and then asking the owners for money. What do they earn by their ‘hard’ work? Nothing. Hackers never get paid, because ultimately the website owners have all the control over their website. I never think of hacking as a smart way to earn money; rather, it is illegal and the worst type of cyber crime. Hackers are dumb losers, ultimately.

3. Inform Your Domain Hosting Provider

Whenever you find your website hacked, the first thing you should do is inform your hosting provider, by email and preferably also by calling them. The malware with which your website was hacked can affect the server and other websites, so they can take the necessary steps to prevent further attacks.

4. Choose a Random, Unguessable User Name

Instead of the default and common ‘admin’ user name, you can use your full name, your email address or any other random name which is hard to guess. The good thing is that the WordPress user name is only used for logging in; it is not displayed anywhere.
The user name of an existing user cannot be changed. Instead, create a new user with the desired user name and profile, then delete the old user you wanted to rename. While deleting that user, choose to assign all posts of that user to the new user.

5. Use Strong Passwords

The first and most important security tip you will always get is to use strong passwords. When does a password become strong? When it is of sufficient length and is made of a combination of letters, numbers and special symbols. Also choose a password which is not easily guessable by anybody: avoid using your name or date of birth, which is a very common practice. Importantly, never use the same password for your different accounts. If you have a habit of reusing passwords and your password is stolen from a less secure website, you may lose your other accounts too. Also consider changing your passwords on a regular basis for better security.

Immediately Change Passwords

Whenever you learn that your website is hacked, or sense any suspicious activity, immediately change the passwords of all your accounts: control panel, FTP, WordPress, domain email, etc.

6. Backup is Your Best Security

The worst case is that, if you are too lazy to back up your data regularly, you lose all the hard work of a long time. It takes tiresome effort to restore a website when you do not have a backup. I repeatedly recommend making a habit of regularly backing up all your data. (Read my article on tips for data backup and safety.) Spending some time and money on backups is a truly rewarding investment and will really save your life in hard times.

A. Backup Files

Use an FTP client or the control panel to download the website files to your computer. Also consider keeping a backup of the backup on an external hard drive or in the cloud. You do not need to back up all files every time. Instead, you can download the modified files or code (if you have customized the design, etc.) and update your backup. Files and images uploaded while writing posts are stored in the ‘/wp-content/uploads’ folder, so consider backing up that folder regularly.

B. Backup MySQL Database

It is the MySQL database in which WordPress stores the content of your website, so it is very important to back up the database. You can use your website’s control panel to back up the database, or you can use a plugin which helps you back up the database easily and schedule it to email the backup to you automatically at regular intervals.
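For sites where you have shell access, the two backup steps above (files and database) can be done in one script instead of by hand. The following is an added example and not the article’s own script: it reads the database credentials from wp-config.php (the same values WordPress uses), dumps the database with mysqldump, and archives the whole site tree including ‘/wp-content/uploads’. The paths /var/www/html and /var/backups/wp in the usage line are assumptions; mysqldump is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the article): back up a WordPress site's files and its
# MySQL database from the server's shell. Assumes the site root and a destination
# directory are passed as arguments and that mysqldump is installed.

# Read the value of define('NAME', 'value') from wp-config.php, accepting
# single or double quotes and optional spaces inside the parentheses.
wp_config_value() {
    # $1 = path to wp-config.php, $2 = constant name (e.g. DB_NAME)
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"][[:space:]]*);.*/\1/p" "$1" | head -n 1
}

# Archive the whole site tree (themes, plugins, uploads and wp-config.php).
# Prints the timestamp used in the archive name so callers can find it.
backup_files() {
    # $1 = WordPress root, $2 = destination directory
    site=$1; dest=$2; stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dest"
    tar -czf "$dest/files-$stamp.tar.gz" -C "$(dirname "$site")" "$(basename "$site")"
    chmod 600 "$dest/files-$stamp.tar.gz"   # the archive contains wp-config.php
    echo "$stamp"
}

# Dump the database with the credentials WordPress itself uses. MYSQL_PWD keeps
# the password out of the process list that other users on the host can read.
backup_database() {
    # $1 = WordPress root, $2 = destination directory, $3 = timestamp
    site=$1; dest=$2; stamp=$3; cfg=$site/wp-config.php
    db_host=$(wp_config_value "$cfg" DB_HOST)
    db_name=$(wp_config_value "$cfg" DB_NAME)
    db_user=$(wp_config_value "$cfg" DB_USER)
    MYSQL_PWD=$(wp_config_value "$cfg" DB_PASSWORD) \
        mysqldump --single-transaction -h "$db_host" -u "$db_user" "$db_name" \
        | gzip > "$dest/db-$stamp.sql.gz"
    chmod 600 "$dest/db-$stamp.sql.gz"
}

# Usage: sh backup.sh /var/www/html /var/backups/wp
if [ $# -eq 2 ]; then
    ts=$(backup_files "$1" "$2")
    backup_database "$1" "$2" "$ts"
    echo "backup $ts written to $2"
fi
```

Run it from cron so the habit does not depend on you remembering, and copy the resulting archives off the server: a backup that lives only on the hacked host can be deleted along with the site. Both archives are created with mode 600 because they contain the database password and all user data.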

It Was the Backup That Helped Me Get My Site Back Immediately

Comparing with my backup, I found that the hacker had deleted or modified many of the files on my website. I re-uploaded the files from my backup to the website and was then able to change my WordPress admin password successfully using the ‘Lost your password?’ link.

Still I had to recover the “defaced” homepage of the website. I checked the WordPress settings but could not find a way to get my original homepage back. Finally I found the hacker’s HTML code that was showing on the home page in the theme’s index.php file, at a path like ‘wp-content/themes/[Theme name]/index.php’. I replaced that file from my backup as well and got my homepage back.
I started monitoring each folder and file on the website. I found that all files in WordPress’ wp-includes folder had been modified on the same date the website was hacked. I deleted all those files and re-uploaded them from my backup.
Then I downloaded all the website files and scanned them with multiple anti-virus and anti-malware programs, as suggested by my hosting provider. I also used several online utilities to check the website for any malware or phishing threats. Thankfully, everything was clean.

7. Do NOT Use FileZilla FTP Client!

For the last two days in particular I had been using the FileZilla FTP client extensively to upload changes to my website, and then the website was hacked. I think that silly utility is the real reason for the hack. I also found many complaints and recommendations against FileZilla. What is the reason? FileZilla stores all your FTP information and passwords in its history, in a file, in plain text (see the image). Can you believe it? How silly and crap is that!

FileZilla FTP stored password

This is how FileZilla keeps your FTP passwords stored in plain text even after you clear history!

FileZilla stores your password in plain text, without encryption, in XML files in the ‘C:/Users/[User Name]/AppData/Roaming/FileZilla/’ directory on your Windows computer. Those files are not secured and can be accessed by anybody! So hackers can easily read those files using any malware or phishing script and steal your FTP password. Then they inject malware on your website, modify your files and hack your website.
And wait, the story is still not over. I also clicked the “Clear History” and “Clear Quick Connect Bar” menu items to delete all my password history in FileZilla. So did that remove the FTP details from those XML files? No! The FTP password history was still there! Isn’t it sad? How can the world’s most popular FTP utility be so silly, insecure and helpful to hackers?

Many people have mistakenly thought of FileZilla as the world’s best and easiest utility to upload, download and modify files over FTP. I could never have imagined that this utility is crap itself. I stopped using it immediately and also removed it from my list of best free software downloads.

Control Panel is Best

To modify files over FTP, I would recommend using your website’s control panel instead of crap utilities. The experience might not be as enjoyable, but it is surely more secure. If you are not provided with a control panel from which you can manage your entire website, ask your hosting provider. Or you can consider using another, more secure FTP client (we will soon do detailed research on this and provide an update).

8. Keep Your System Updated

It is very important to keep the antivirus program on your computer updated. Antivirus and anti-malware programs can detect phishing attacks that reach your computer through other websites and will help keep your system more secure.

9. Take WordPress Updates Seriously

You should also keep WordPress and the installed plugins updated. Do not ignore notifications about updating WordPress and plugins. The WordPress community keeps improving the security and features of WordPress, so updating is recommended. Older WordPress versions are always less secure than the latest one.

10. Be Careful While Choosing a Plugin

You should be careful while choosing any plugin, because WordPress plugins are third-party products. Choose only popular, reputed and trusted WordPress plugins. (Read my article on the best WordPress plugins.) Do not just install any plugin you find interesting. Check the reputation of the plugin and of its developer; check how many people have downloaded it; also read its reviews and ratings. It is very easy to find out how reputed and trustworthy a plugin is.
It is also often recommended to delete unused plugins (plugins which you have deactivated).

11. Prevent Browsing of Your WordPress Directories

You can prevent the world from browsing your WordPress directories (in other words, listing the files in your directories) by adding the following line at the top of the .htaccess file. You will have to edit the .htaccess file on your website to do this. If you are using Yoast’s WordPress SEO plugin, you can use it to edit the .htaccess file very easily. Please be careful while editing this important file.

# Prevent browsing of WordPress directories
Options -Indexes

12. Secure WordPress Include Files

Files in the wp-includes folder are modified to hack your website; my website was hacked by deleting some of them and modifying all of them, as mentioned earlier.
Add the code below before the ‘# BEGIN WordPress’ line in .htaccess:

# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

This will block outside access to the PHP files in the ‘wp-includes’ directory.
If your website is multi-author, remove the following line from the statements above:

RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]

13. Secure wp-config.php file

wp-config.php is the file which stores your database username and password.

Add following lines at the very TOP of the .htaccess file:

<Files wp-config.php>
Order allow,deny
Deny from all
</Files>

This will block anyone trying to open the wp-config.php file with their browser.

14. Disable File Editing

By default, administrators can edit the website’s WordPress code files (PHP code) from the WordPress Dashboard. But if hackers manage to log in to the WordPress Dashboard, they can easily execute their own code to attack the website. Normally you do not change the code of your website every day, so it is recommended to disable file editing. You can easily disable editing of WordPress files by adding the following line to the wp-config.php file:

define('DISALLOW_FILE_EDIT', true);

Whenever you want to edit files, temporarily comment out the line as below:

/* define('DISALLOW_FILE_EDIT', true); */
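The .htaccess and wp-config.php changes in sections 11 to 14 are easy to lose: a theme or plugin update, a hosting migration, or a ‘helpful’ tool that rewrites .htaccess can silently remove them. The script below is an added example, not part of the article, that checks both files for the settings described above and fails if any is missing. It also catches a copy-and-paste problem specific to RewriteRule lines: a web page often renders the ‘no substitution’ dash as an en dash (U+2013), and Apache then treats that character as the rewrite target instead of as ‘no substitution’, which with the [S=3] rule would rewrite every URL outside wp-includes. The path /var/www/html in the usage line is an assumption.

```shell
#!/bin/sh
# Added example (not from the article): audit a site's .htaccess and wp-config.php
# for the hardening steps in sections 11 to 14. Assumes the WordPress root is
# passed as the first argument. Each check prints a finding; the functions return 1
# if anything is missing so the script can gate a deployment.

EN_DASH=$(printf '\342\200\223')   # U+2013, what a web page often pastes in place of '-'

htaccess_audit() {
    # $1 = path to .htaccess
    f=$1; rc=0
    grep -qi '^[[:space:]]*Options[[:space:]].*-Indexes' "$f" \
        || { echo "htaccess: missing 'Options -Indexes' (directory listing is allowed)"; rc=1; }
    grep -qi '^[[:space:]]*<Files[[:space:]]*"*wp-config\.php' "$f" \
        || { echo "htaccess: missing the <Files wp-config.php> deny block"; rc=1; }
    grep -qi 'RewriteRule.*wp-includes/' "$f" \
        || { echo "htaccess: missing the wp-includes RewriteRule set"; rc=1; }
    # Apache only treats a plain '-' as "no substitution"; any other string is the
    # rewrite target, so an en dash in the [S=3] rule rewrites every other URL to it.
    grep -q "RewriteRule.*$EN_DASH" "$f" \
        && { echo "htaccess: en dash in a RewriteRule, replace it with '-'"; rc=1; }
    return $rc
}

wp_config_audit() {
    # $1 = path to wp-config.php
    f=$1; rc=0
    # Ignore commented-out lines so a temporarily disabled define() is not counted.
    grep -Ev '^[[:space:]]*(/\*|//|#)' "$f" \
        | grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true" \
        || { echo "wp-config: DISALLOW_FILE_EDIT is not true (theme/plugin editor is enabled)"; rc=1; }
    grep -q 'put your unique phrase here' "$f" \
        && { echo "wp-config: security keys still hold the placeholder value"; rc=1; }
    return $rc
}

wp_hardening_audit() {
    # $1 = WordPress root; returns 1 if either file fails a check
    total=0
    htaccess_audit "$1/.htaccess" || total=1
    wp_config_audit "$1/wp-config.php" || total=1
    return $total
}

# Usage: sh audit.sh /var/www/html
if [ $# -eq 1 ]; then
    wp_hardening_audit "$1" && echo "all checks passed"
fi
```

Run it after every update or restore from backup; a non-zero exit status from wp_hardening_audit means one of the protections from this article has gone missing and the output says which.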

15. Use 755 Permissions for Directories, and 644 for Files

755 (rwxr-xr-x) permissions on directories mean that only the owner has write permission, while others have read and execute permissions. For files, 644 (rw-r--r--) means that the file owner has read and write permissions, while others can only read the files. That way you can protect your files from being modified by hackers.
You can change file and directory permissions using an FTP client or the control panel. You can also change permissions easily by running the following commands after logging in to your WordPress server’s Linux shell:

find /your/wordpress/folder/ -type d -exec chmod 755 {} \;
find /your/wordpress/folder/ -type f -exec chmod 644 {} \;
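Setting the permissions once is not enough; uploads, plugin installers and restores from backup all create files with whatever mode they like. The following is an added example, not from the article, that reports every directory and file deviating from the 755/644 scheme so you can re-check after each change, and a fix function built on the same find commands. It goes one step beyond the article in holding wp-config.php to mode 600, because that file contains the database password and nothing but the web server’s own account needs to read it. The path /var/www/html in the usage line is an assumption.

```shell
#!/bin/sh
# Added example (not from the article): find files and directories whose modes
# differ from the 755/644 scheme and optionally correct them. It assumes the
# WordPress root is passed as the first argument; wp-config.php is held to 600,
# which is tighter than the article's 644, because it contains the database password.

wp_perm_audit() {
    # $1 = WordPress root. Prints one line per deviation; returns 1 if any found.
    root=$1
    findings=$( {
        find "$root" -type d ! -perm 755 | sed 's/^/dir not 755: /'
        find "$root" -type f ! -perm 644 ! -name wp-config.php | sed 's/^/file not 644: /'
        find "$root" -maxdepth 1 -type f -name wp-config.php ! -perm 600 | sed 's/^/wp-config.php not 600: /'
    } )
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

wp_perm_fix() {
    # $1 = WordPress root. Applies the scheme; re-run wp_perm_audit afterwards.
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    [ -f "$root/wp-config.php" ] && chmod 600 "$root/wp-config.php"
    return 0
}

# Usage: sh perms.sh /var/www/html [--fix]
if [ $# -ge 1 ]; then
    [ "$2" = "--fix" ] && wp_perm_fix "$1"
    wp_perm_audit "$1" && echo "all modes match"
fi
```

Note that 644 only helps if the files are owned by a different account than the one the web server runs as; if PHP runs as the owner of the files, it can still write them regardless of the mode, so check the owner with ls -l as well.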

16. Change WordPress Security Keys

WordPress Security Key API

An example of generated WordPress security keys using the API

WordPress uses six security keys stored in wp-config.php to manage security and stored passwords. If your account was hacked recently, you must change those security keys. Click here to re-generate random security keys using the WordPress API. Open the wp-config.php file inside your WordPress directory and overwrite the old keys with the new ones.
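If you would rather not fetch the keys from a remote service, they can be generated on the server itself, since all WordPress needs is long random strings. The following is an added example, not from the article or from WordPress: it builds the define() lines from /dev/urandom and swaps them into wp-config.php in place, leaving every other line where it was. It assumes the file defines the eight AUTH/SECURE_AUTH/LOGGED_IN/NONCE keys and salts that current wp-config.php files carry, one define() per line; the path in the usage line is an assumption.

```shell
#!/bin/sh
# Added example (not from the article): generate fresh WordPress security keys
# offline from /dev/urandom instead of fetching them from the WordPress API, and
# swap them into wp-config.php in place. It assumes the file defines the eight
# AUTH/SECURE_AUTH/LOGGED_IN/NONCE keys and salts on one define() line each.

WP_SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Emit one define() line with a 64-character random value. The character set
# deliberately excludes quotes and backslashes so the PHP string needs no escaping.
wp_salt_line() {
    # $1 = constant name
    value=$(LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=' < /dev/urandom | head -c 64)
    printf "define('%s', '%s');\n" "$1" "$value"
}

wp_salts() {
    for name in $WP_SALT_NAMES; do wp_salt_line "$name"; done
}

# Replace the existing key lines in wp-config.php with a fresh set, keeping the
# rest of the file (and the order of lines) untouched. The old file is kept as .bak.
wp_rotate_salts() {
    # $1 = path to wp-config.php
    cfg=$1
    fresh=$(mktemp)
    wp_salts > "$fresh"
    cp "$cfg" "$cfg.bak"
    awk -v newfile="$fresh" -v q="'" '
        BEGIN { while ((getline line < newfile) > 0) { split(line, part, q); replacement[part[2]] = line } }
        {
            hit = ""
            if (index($0, "define") > 0)
                for (k in replacement)
                    if (index($0, q k q) > 0 || index($0, "\"" k "\"") > 0) hit = k
            if (hit != "") print replacement[hit]; else print
        }' "$cfg.bak" > "$cfg"
    rm -f "$fresh"
}

# Usage: sh rotate-salts.sh /var/www/html/wp-config.php
if [ $# -eq 1 ]; then
    wp_rotate_salts "$1" && echo "keys rotated; every existing login cookie is now invalid"
fi
```

Rotating the keys invalidates all existing login cookies, which is exactly what you want after a compromise: anyone who copied a session cookie while the old keys were in use is logged out along with you. Delete the .bak copy once the site has been checked, as it still holds the old keys.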

17. Powerful Plugins for Extra Security

Is there anything you want to do in WordPress for which dozens of plugins are not already available? I would recommend the following plugins for great security of your website:

1. Exploit Scanner

Quickly scans all your WordPress files for malicious code. The plugin also detects spam links hidden in your WordPress blog posts using CSS or iframes.

2. Wordfence Security

This is a free security plugin that includes a firewall, anti-virus scanning and malicious URL scanning. It automatically detects any modifications made to core WordPress files.

3. WordPress Sentinel

This plugin monitors your WordPress files and alerts you whenever files are added, deleted or edited in any of the folders you want to keep a watch on.

Conclusion

I have experienced myself that hacking can temporarily damage the ranking of your website, so you must use a couple of such techniques to secure your WordPress website. You never know: your website may be hacked at any time, so be ready for it all the time, with a full backup of your data.
I would also recommend purchasing hosting only from a reputed hosting provider. Ultimately, server security plays an important role in a website’s security.

Special thanks to:
Neil Patel
Ricky Singh

 

My interview by Indian Bloggers Community on WordPress Security

Comments

  1. says

    Hi Jignesh,

    This breakdown is beyond helpful. Hackers are losers, really, and by being vigilant and following these tips you can lose the losers, right? 😉

    Thanks for sharing!

    Ryan

  2. says

    Excellent post. I was constantly checking this blog and I’m impressed! Very useful information, specifically the final part 🙂 I care about such information a lot. I had been seeking this particular info for a very long time. Thanks and best of luck.

  3. says

    Good post for the WP users!

    I am new to WordPress and learned a lot related to its security.

    Will try to implement the required stuff to protect my account, and thanks for writing!

  4. says

    Hi! I really got inspired after reading this post…which has been written in a good manner for the thousands out there! Actually, my site was also hacked after 3 months of hard work…unfortunately…there was no backup from my side…and what I learnt from this hack was…BACK UP!!!!
    Thanks friend! You are awesome…

  5. says

    I was very pleased to find this website. I wanted to thank you for your time for this wonderful read!! I definitely enjoyed every little bit of it and I have you bookmarked to check out new stuff on your blog.

  6. says

    Most WordPress sites are hacked using SQL injection; one of my tech sites was hacked this way last year by some religious fanatics without any reason…

  7. says

    Well, most blogs have faced brute force attacks on WordPress. So it is always recommended to secure WordPress blogs with some plugins.

    Thanks for the security tips.

  8. says

    Hi, Jignesh,
    Great post buddy, I was looking for information on how to protect my WordPress website. I got all the things here. Thank you for sharing.
    Have a great week ahead. 🙂

  9. says

    Hi Jignesh, great post. I am new to your blog and before this I thought it was impossible to hack a WordPress site. But now I am going to update my site with more security as described by you. So really, thanks for sharing this.

  10. says

    A few years ago I had a WordPress site hacked and ever since then I am constantly looking at ways to improve security. Thanks for the info and tips. Bookmarked to my list 🙂
    Jordan.

  11. says

    Heya, I’m here for the first time. I found this board and I find it really useful
    & it helped me out much. I hope to give something back
    and aid others like you helped me.

  12. says

    Hey! I just wanted to ask if you ever have any problems with hackers?
    My last blog (wordpress) was hacked and I ended up losing
    months of hard work due to no back up. Do you have any methods to stop hackers?

  13. laffi dodiya says

    All these posts are great and written in a good manner; it really helps me in many ways. Thank you.
