WordPress itself isn’t a security problem if you keep your nose clean. Neglecting security is a problem. It’ll consume that box of tissues quicker than you can say permissions. It’ll cause you to sit through frustrating calls to your hosting provider. You’ll spend hours scrambling around the code. Imagine if you could just set things up, sit back, and watch Game of Thrones.
You need to keep WordPress and your plugins and themes updated. From WordPress 3.7 you’re able to automatically update the core whenever a new update is released. You should make sure this is enabled and running. See the WordPress Codex on Updating WordPress for more information on updates.
Your Server Environment
Your hosting provider should look after your server for you. If you are responsible for the server environment though, make sure you keep it up to date. A vulnerability in your server is a vulnerability in your site.
Usernames and Passwords
Keep your password nice and secure. A strong password helps protect against a brute force attack. I keep a strong base password and add certain characters in certain places to make every password I have unique, whilst keeping it easy to remember. I don’t write it down, or use any password managers. If a password on some site is compromised—it’s a bummer—but at least they don’t know my password anywhere else. For your username, don’t use the default admin account. In fact, delete it and use something else.
I make sure that all the files are set to 644, and directories to 755. Except for the wp-config.php file, which I set to 600.
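The permission scheme above, as an added shell example that is not part of the original post: one function applies it to a WordPress root, the other counts anything that has drifted from it, so it can be re-run after a plugin install or as part of a hack clean-up. It assumes a POSIX shell with find and chmod; the install path you pass in is your own.

```shell
#!/bin/sh
# Added example, not from the original post: apply and check the
# 644 (files) / 755 (directories) / 600 (wp-config.php) scheme.

# Apply the scheme to the WordPress root given as $1.
harden_wp_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # wp-config.php holds the database credentials and salts,
    # so only the owning user should be able to read it.
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
    return 0
}

# Count paths that do not match the scheme and print the total.
# A non-zero result means something (a plugin, a hack, a hasty
# chmod over SFTP) has loosened or tightened things since last time.
check_wp_perms() {
    root="$1"
    bad_dirs=$(find "$root" -type d ! -perm 755 | wc -l)
    bad_files=$(find "$root" -type f ! -name wp-config.php ! -perm 644 | wc -l)
    bad_cfg=$(find "$root" -maxdepth 1 -name wp-config.php ! -perm 600 | wc -l)
    echo $((bad_dirs + bad_files + bad_cfg))
}

# Usage (hypothetical path): harden_wp_perms /var/www/example/htdocs
#                            check_wp_perms  /var/www/example/htdocs
if [ "$#" -gt 0 ]; then
    check_wp_perms "$1"
fi
```

Run the check first; if it reports a large number on a site that was set up correctly, look at what changed before blindly resetting it, because the changed files are exactly the ones you want to inspect.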
Second Admin Login
You could use a .htaccess file inside the /wp-admin/ directory and restrict the access with a required user. The WordPress Codex has some details about setting this up. You should be comfortable with the server and how .htaccess files work before attempting this. When this is set up, you’ll need to enter the password for the .htaccess rule and then your normal WordPress login. You could extend this further by only allowing access from selected IP addresses if you’re on a fixed one!
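An added example of the second login described above, not code from the original post or the Codex: a shell function that writes the /wp-admin/.htaccess for Apache 2.4, with the optional fixed-IP restriction when you pass one or more networks. It assumes Apache 2.4 with mod_auth_basic and mod_authz_core, and an AllowOverride that permits AuthConfig; the password file path and the 203.0.113.0/24 network are constructed placeholders. The admin-ajax.php exemption is an assumption drawn from the Codex's advice for older Apache versions, translated to 2.4 syntax.

```shell
#!/bin/sh
# Added example, not from the original post: generate the .htaccess that
# puts a password prompt in front of /wp-admin/, optionally limited to
# fixed IP networks.
#
# Usage: write_admin_htaccess WP_ADMIN_DIR HTPASSWD_FILE [network ...]
#   write_admin_htaccess /var/www/site/wp-admin /etc/apache2/wp.htpasswd
#   write_admin_htaccess /var/www/site/wp-admin /etc/apache2/wp.htpasswd 203.0.113.0/24
#
# The password file is created separately (htpasswd -c FILE USER) and
# must live outside the web root so it can never be served to a visitor.
write_admin_htaccess() {
    dir="$1"
    htpasswd="$2"
    shift 2
    {
        echo 'AuthType Basic'
        echo 'AuthName "WordPress admin"'
        echo "AuthUserFile $htpasswd"
        if [ "$#" -gt 0 ]; then
            # RequireAll: the visitor must come from one of the listed
            # networks AND supply a valid password. A single "Require ip"
            # line takes several networks, any of which satisfies it.
            echo '<RequireAll>'
            echo "    Require ip $*"
            echo '    Require valid-user'
            echo '</RequireAll>'
        else
            echo 'Require valid-user'
        fi
        # Assumption: front-end themes and plugins call admin-ajax.php for
        # ordinary visitors, so it is exempted here or those features break
        # for everyone who does not know the password.
        echo '<Files admin-ajax.php>'
        echo '    Require all granted'
        echo '</Files>'
    } > "$dir/.htaccess"
}
```

After writing the file, load /wp-admin/ in a private browser window and confirm you get the browser's password prompt before the WordPress login form; if you restricted by IP, also try from a different connection (a phone off the wireless network works) and confirm it is refused.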
Fixing a Hack
There’s no catch-all way to fix a hacked WordPress install. It depends on the setup and the hack. There is however a general approach I’ll take when trying to fix a WordPress install:
- Check the date modified of files on the server—often through (S)FTP. Were there any files that have changed recently? Can I see anything in there that looks weird? Most of the hacks I’ve seen involve some unwanted base64 code.
- Can I restore from a backup to a point where the site was clean? If so, great! But there’s still work to be done to try and prevent what just happened.
- Apply all updates to WordPress, plugins and themes.
- Re-install the core WordPress files, even if an update isn’t required. This grabs new clean core files from the WordPress servers.
- I’d scan the files looking for any changes I found from the first step. This is often a scan for base64 code.
- Clean up any ugly unwanted code.
- Scan the database for any oddities through phpMyAdmin.
- Check over all the file permissions.
- Reset all the passwords.
- Generate new keys for
- Contact the host to help check the logs, talk about what happened and to try and prevent it from happening again. A good host should be able to provide you with some support.
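The first and fifth steps of the approach above (what changed recently, and where the unwanted base64 code is) as an added shell example that is not part of the original post. It assumes POSIX find and grep -E; the install path is your own, and the obfuscation patterns are the author's "base64 code" spelled out as a regular expression.

```shell
#!/bin/sh
# Added example, not from the original post: the triage part of fixing a
# hacked install. Run these before touching or updating anything, so the
# modification times still tell the story.

# Files changed in the last N days (default 7) under the WordPress root.
# Compare against what you know was deployed: a changed file in
# wp-content/uploads/ or a PHP file in a theme you have not edited is a
# strong lead.
recently_modified() {
    root="$1"
    days="${2:-7}"
    find "$root" -type f -mtime "-$days" -print
}

# The usual tell-tales of injected code: eval() fed straight from a
# decoder or decompressor, or a quoted base64 blob of 200+ characters.
# Note that WordPress core and bundled libraries contain legitimate
# base64_decode() calls, which is one reason to re-install clean core
# files before scanning: it shrinks the list to what is really yours.
injected_pattern="eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)|['\"][A-Za-z0-9+/=]{200,}['\"]"

# Print one path per line for each PHP file that matches the pattern.
scan_for_injected() {
    root="$1"
    find "$root" -type f -name '*.php' -exec grep -lE "$injected_pattern" {} +
    return 0
}

# The two combined: only PHP files changed in the last N days that also
# match. This is the short list to open and read.
scan_recent_injected() {
    root="$1"
    days="${2:-7}"
    find "$root" -type f -name '*.php' -mtime "-$days" -exec grep -lE "$injected_pattern" {} +
    return 0
}

# Usage (hypothetical path): scan_recent_injected /var/www/example/htdocs 14
if [ "$#" -gt 0 ]; then
    scan_recent_injected "$1" "${2:-7}"
fi
```

Save the output of both functions before you clean anything; the list of changed files is what the host will want to match against their access logs in the last step.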
Check out the Hardening WordPress post in the Codex. It’s a big deep dive into WordPress security.