How to make your Wordpress site secure?

Chris Worner

One of my WP sites got malware and I had to reinstall the WordPress CMS and plugins, but I still couldn't find out where it came from. Everything is fine now, but how do I avoid getting malware again? Do you guys have any tips to make a WordPress site secure?
 

ZenHosting

Hi Chris,

Sorry to hear your WordPress site was infected with malware.

I'd recommend you install the Wordfence, Clef and Codeguard plugins. Wordfence will harden your site's security, Clef will lock access down and with Codeguard, you can get backups automatically taken so if your site does become infected again, you can restore the files or databases, at any time. You would have to sign up to a Codeguard plan, though.

This guide is excellent: http://codex.wordpress.org/Hardening_WordPress
 

RDO Servers

Honestly, if you're concerned about security, I would recommend moving away from WordPress. It is so commonly used that it is the ideal target for hackers. When they find a way to hack the new version, they have essentially hacked thousands of websites, since the same exploit can be applied to all WP sites running that version.

If you want to stay with WP, then you need to be very diligent with updating WP and all of your plugins as soon as new versions are released.
 

VirtuBox

Using something else than WordPress :smart:

To be more serious, the first problem with WordPress is plugins & themes.
- What plugins or theme do you use? Some nulled ones?
- Who coded them, and does he know how to code?
- When was the last update? -> plugins and theme: are they totally compatible with WP 4.5?

There are a lot of sites which report all security issues with WP themes and plugins, and I can only say there are a lot of issues.

But before starting to investigate, check your server security:

- Do you have CSP? -> http://content-security-policy.com/
- Check your HTTP headers to see if you have XSS protection, X-Frame protection etc.: https://tools.keycdn.com/curl
- Analyze your logs to understand how you got the malware. What does it do? Is WordPress the problem?
 

Localnode

The basics:
Make sure the computers you use are free of spyware, malware, and virus infections.
Always keep your operating system and the software on it, especially your web browser, up to date to protect you from security vulnerabilities.
Use long passwords for your WordPress login. Preferably hard to guess, with numbers.
Keep your WordPress and plugins up-to-date.
If you have an SSL certificate, connect to your WordPress admin login using HTTPS.
When connecting to your server you should use SFTP encryption.

Restrict access to your WordPress admin area
Code:
# BEGIN RESTRICTION
# Required unless an earlier block in this .htaccess already turns mod_rewrite on.
RewriteEngine On
# Match the login page, or anything under wp-admin (the trailing (/.*)? also
# catches /wp-admin/ and /wp-admin/index.php, which WordPress redirects to).
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(/.*)?$
# ...when the client is not your own address. Replace with your IP, ideally
# escaping the dots (e.g. 203\.0\.113\.5) since "." matches any character.
# Note: this also blocks /wp-admin/admin-ajax.php, which some themes and
# plugins call for ordinary visitors; add an exception for it if you need it.
RewriteCond %{REMOTE_ADDR} !^xx.xxx.xxx.xxx$
RewriteRule ^(.*)$ - [R=403,L]
# END RESTRICTION
Place this in your .htaccess and replace "xx.xxx.xxx.xxx" with your IP.
Also replace the wp-login bits if you have your backend hidden.

Don't use the "admin" username.
Consider two-factor authentication.

Plugins like iThemes and Wordfence definitely help.

Always make sure WordPress and plugins are up to date!
 

Maxoq

.....
- Analyze your logs to understand how you got the malware. What does it do? Is WordPress the problem?
I also heard of analyzing log files to find errors on your web hosting or websites, but I don't know where to start or how to find errors.

The basics:
If you have an SSL certificate, connect to your WordPress admin login using HTTPS.
I have never used SSL for my sites. Does it really help secure your site? How?

For SSL, how much would I pay for a year, or is it free?
 

Localnode

Your host should be able to help you analyse the log files.

An SSL makes sure the information you submit is encrypted, i.e. it establishes an encrypted link between a web server (using an SSL) and a browser.
So yes, it really helps secure your site.

Some SSLs are free, and some are not. StartSSL and Let's Encrypt both offer free SSLs. My personal recommendation is paying the $10 or less per year for a paid SSL that has the widest compatibility. Plus it helps your Google ranking to have an SSL.
 

noorucn

First of all, the most important thing to do is to change your default WordPress login page. It's common knowledge for any hacker to add wp-login.php after the domain name to reach your login page. I use plugins to change my login page to some anonymous links so that hackers don't get any chance of coming near my website.
 

VirtuBox

That's not a good idea, changing the WordPress login page, because using a plugin to do it means it can include some security breaches.
Protecting it against brute force with a captcha or Nginx/Apache rules is a better solution.
It's harder to properly brute-force a wp-login.php page than to try with SSH or FTP.
 

stackstar

Doing things like adding reCAPTCHA to login forms, disabling unused or unnecessary plugins and doing external audits with tools like wpscan are good baseline efforts.

Choosing a web host that offers managed WordPress or is experienced in WordPress security is the next thing to consider. After you take precautions securing your site, you have to ensure the environment through which it is hosted is also secured to the best of their abilities.
 

Julio

I use Wordfence on my blog and it works great, but I also look for other means of securing my blog with plugins and .htaccess code.
 

Julio

I read about that, but I really did not understand what they meant about the 30-day community patch.

When I installed it almost 2 weeks ago I did not look at it until yesterday. I might upgrade to the premium.
 

VirtuBox

That means when there is a security issue with WordPress, they will apply the patch only 30 days after the premium. So during this time, they don't protect your site at all.
Upgrade to premium? If you have a VPS, all the Wordfence features can be set up with more settings for free.
If you have shared hosting, don't try to make WP more secure, because you are already limited by your provider's settings, and shared hosting doesn't offer enough isolation between websites to make sure there are no risks.
 

Julio

Thanks VirtuBox,

I'll look into getting a VPS server then, since I'm already paying about the same as for a VPS server.
 

Colombiawebs

Good day

I recommend the following plugin for WordPress:

Wordfence.com

It protects you from attacks, malware and many other threats.

If the security of your website is compromised:

Install the plugin and run a scan; it will indicate where the threat is, so you can remove it and secure your web.

Blessings
 

jmlopez

Wordfence is a good plugin to scan for malware and viruses on a WP site, but take care when removing it; if not, it will leave a dozen tables in your database, and that can make your database size bigger.
 

HostXNow

It's best for the provider to secure everything at the network/server level, thus saving the resources used by hundreds or thousands of customers all running the same security plugins. Using many security plugins for WordPress just slows everything down. Sure, the odd one or two may help for very high-traffic sites which are more likely to be targeted, but the majority of the commonly used plugins aren't needed, and attacks are usually best stopped at the network/server level using CSF, mod_security rules, LiteSpeed/Nginx/Varnish etc.
 

nitaish

Wordfence is recommended for securing WordPress. I have been using it for a long time and it does a tremendous job. Also, make sure to keep your WordPress, plugins and themes updated to the latest versions; otherwise even Wordfence may fail.
 

Laurence Flynn

To be honest, all you need is vigilance. You have to make sure your core, plugins and themes are up to date, and you have to ensure your plugins have active development. That plugin you installed 5 years ago? Go to its wp.org plugin page, and if it says Last Updated: 3 years ago, you probably want to find something else that does the same job. Try to use as few plugins as you can and remove any themes you don't use. Your host should do the rest with (1) mod_security rules, (2) firewall rules and (3) malware scanning. Since we beefed up security years ago we went from seeing multiple malware tickets per day to maybe 1 a week. On 5000 sites with half running WP.
 

Klaus Warzecha

Are you sure malware scanning will work? I tried to install malware software that my host provider recommended, but after I installed it, it took so long, more than 1 day, to scan, with no virus or malware detected, while Google had alerted that my site contained malware and links or posts had been inserted into the WP site.
 

Laurence Flynn

Your host should be doing a basic scan every day and a deep scan once a week. A basic scan just scans new files and a deep scan scans all files. On Linux this is easy with Maldet. If your host doesn't scan, you should buy a malware detection scanner. This is usually just a web crawler and should only take a few minutes. However, there are many options and many are super pricey (like Detectify at $60/mo!). There are others like SiteLock and GeoTrust Anti-Malware, but their basic packages scan limited pages. There's Sucuri at $200/yr. If your host doesn't have you covered then you should have something, especially running WP.
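As an added illustration of the "basic scan = new files, deep scan = all files" idea above (example code written for this thread, not Maldet's, the host's or any plugin's own code), the script below snapshots a WordPress tree by SHA-256, diffs a later snapshot against the baseline, and flags executable files under wp-content/uploads, where WordPress stores only media. The site tree, file names and "tampering" in demo() are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

# Extensions the web server would execute; none of these belong under wp-content/uploads.
CODE_EXTENSIONS = (".php", ".phtml", ".php5", ".phar")


def snapshot(root):
    """Deep scan: map every file (path relative to root, '/' separators) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return manifest


def compare(baseline, current):
    """Daily check: files added, removed or modified since the baseline snapshot."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def code_in_uploads(manifest):
    """Executable files inside the uploads tree, a classic sign of a dropped backdoor."""
    return sorted(p for p in manifest
                  if p.startswith("wp-content/uploads/") and p.lower().endswith(CODE_EXTENSIONS))


def demo():
    """Constructed site tree: snapshot it, simulate tampering, then diff the two."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "wp-content", "uploads", "2017")
        os.makedirs(uploads)
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php require 'wp-blog-header.php';\n")
        with open(os.path.join(uploads, "photo.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8\xff")  # JPEG header bytes: a legitimate media upload
        baseline = snapshot(root)
        # Simulated tampering: a core file is altered and a PHP file appears among the media.
        with open(os.path.join(root, "index.php"), "a") as fh:
            fh.write("// appended line\n")
        with open(os.path.join(uploads, "img.php"), "w") as fh:
            fh.write("<?php\n")
        current = snapshot(root)
        return compare(baseline, current), code_in_uploads(current)
```

Run demo() to see the modified core file and the new PHP file under uploads reported; in practice you would store the baseline manifest off the web server and re-run compare() from cron.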
 

rankmyhub

How to secure WordPress is a good topic; let me add my inputs as well.

1) Get SSL on the front end and the back end as well.
2) Install a WordPress firewall or security plugin. If you are new to WP then stick with Wordfence; otherwise iThemes WordPress Security or iControl WP Simple Firewall are more advanced.
3) Change the WordPress prefix from wp_ to something else.
4) Restrict strong passwords to the subscriber role, which is the lowest role on WP.
5) Use a third-party commenting system like Disqus or something else; this will eliminate users becoming members of your WordPress installation.
6) Do regular scanning.
7) Avoid pirated, nulled or cracked plugins and themes.
8) If you are on a Windows computer or laptop, make sure that your system is clean and safe. Most malware gets into WordPress from your own system.
9) Disable directory indexing in your cPanel.
10) Always have regular backups of your WordPress website; the plugins suggested above will do that job.

The most important thing is, you need to harden WordPress and manage it. A lot of people say that WordPress gets hacked easily; it's true only if we are not managing it. We have dealt with lots of WordPress websites and our sites never got malware or hacked, because we manage things in the proper way. So no matter whether you follow the 10 points or not, management is important.

Hope this time you will take care of things. Happy blogging.
 

vinaya

If you have SSL certificates on your website, it protects your sites from malware and other attacks. You can also use security plugins. The one that I can recommend is called Word Defense, which is available for free. This plugin stops unauthorized access to your websites. Since it provides the IP of the person who is trying to hack your website, you can block the IP so that there will be no problem in the future.
 

24x7serverman

Here are some tips to make your website secure:

1. Always make sure you do not share the root password with anyone using email or chat; the same goes for the database passwords.
2. Always patch the scripts with the latest update which is available for your website.
3. Make sure to check the access logs of your website periodically so you can see the IP addresses from which your website is getting accessed. If you find an IP suspicious, then block those IP addresses.
4. Install the security plugins which are available for your WordPress website.
5. Check the scripts and code periodically so you can find out if any malicious script or code has been uploaded.
6. Download a backup of the website periodically to avoid loss of business. It should be kept on your local system.
7. Make sure the systems from which you are accessing the website have updated antivirus.
8. Make a habit of updating the passwords of your control panel, administrative panel and databases periodically.
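Point 3 above, and VirtuBox's earlier advice to analyze your logs to understand how the malware got in, both come down to reading the web server's access log. As an added example (written for this thread, not code from any poster, host or plugin), the script below parses combined-format log lines and reports two things worth checking first: one address hammering the login endpoints, and requests that executed a PHP file under wp-content/uploads. The sample log lines, addresses and file name are constructed, not taken from a real server.

```python
import re
from collections import Counter

# Parser for the default Apache/Nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# Endpoints that accept WordPress credentials and therefore draw brute-force traffic.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_log(text):
    """Return the fields of every line that matches the combined format."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def login_bruteforce(entries, threshold=20):
    """IPs that POSTed to a login endpoint at least `threshold` times."""
    hits = Counter(e["ip"] for e in entries
                   if e["method"] == "POST" and e["path"].split("?")[0] in LOGIN_PATHS)
    return {ip: n for ip, n in hits.items() if n >= threshold}


def php_in_uploads(entries):
    """Requests that ran PHP under wp-content/uploads, a directory meant for media only."""
    return sorted({(e["ip"], e["path"]) for e in entries
                   if re.search(r"/wp-content/uploads/.*\.php", e["path"])})


# Constructed sample log (not from any real server): 25 login attempts from one
# address, one hit on a PHP file in the uploads directory, and an ordinary page view.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [10/Jan/2017:03:14:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" '
     f'200 4123 "-" "Mozilla/5.0"' for i in range(25)]
    + ['198.51.100.9 - - [10/Jan/2017:03:20:00 +0000] "GET /wp-content/uploads/2017/01/cache.php?x=1 '
       'HTTP/1.1" 200 512 "-" "curl/7.47"',
       '192.0.2.5 - - [10/Jan/2017:03:21:00 +0000] "GET /about/ HTTP/1.1" 200 8810 "-" "Mozilla/5.0"']
)

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("login brute force:", login_bruteforce(entries))
    print("PHP under uploads:", php_in_uploads(entries))
```

Point it at your real access log with parse_log(open(path).read()); a hit from php_in_uploads() tells you which file to inspect and when it first appeared, which is usually the thread that leads back to the original entry point.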
 