
Protect your WordPress installation from hacks

Statistics for 2016 show that WordPress is used by more than a quarter of all websites and is the predominant content management system (CMS), with a share of almost two-thirds of the CMS market. Its simplicity, open-source licence and more than ten thousand plugins keep pushing that market share up. Because of this prevalence, WordPress is frequently targeted by criminals who exploit vulnerabilities in an outdated core or outdated plugins, or the carelessness of users. In this article we show several ways to protect a WordPress installation from hacks.

Regularly update the core, plugins and themes

WordPress is fundamentally a secure system whose core regularly receives security updates in the form of minor releases. The majority of hacks could be prevented simply by keeping the core up to date. A second attack vector is outdated plugins or themes that have not been actively developed for several years; we recommend removing or replacing them. Do not be afraid to apply updates, as long as you create a backup before doing so.
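One way to make "update regularly" automatic rather than a chore is a must-use plugin that opts plugins and themes into WordPress's background updater and keeps a record of each run. The code below is an added example, not part of the article; it uses the real WordPress filters auto_update_plugin, auto_update_theme and allow_major_auto_core_updates and the automatic_updates_complete action, while the option name hyp_auto_update_log is an assumed, hypothetical name chosen for this example.

```php
<?php
/**
 * Plugin Name: Auto-update hardening (added example, not from the article)
 *
 * Place this file in wp-content/mu-plugins/ so it loads on every request.
 * It opts every plugin and theme into background updates and logs each
 * completed update run so it can be reviewed afterwards.
 */

// Opt every installed plugin and theme into background updates.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// Minor (security) core releases are applied automatically by default;
// this additionally allows major core releases. It has the same effect as
// define( 'WP_AUTO_UPDATE_CORE', true ) in wp-config.php.
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Keep the last 100 update results in the options table.
// $results is the array WordPress passes to this hook, keyed by update type
// ('core', 'plugin', 'theme', 'translation'); each entry carries ->name and ->result.
add_action( 'automatic_updates_complete', function ( $results ) {
    $log = get_option( 'hyp_auto_update_log', array() ); // hypothetical option name
    foreach ( $results as $type => $items ) {
        foreach ( $items as $item ) {
            if ( is_wp_error( $item->result ) ) {
                $outcome = $item->result->get_error_message();
            } else {
                $outcome = $item->result ? 'ok' : 'failed';
            }
            $log[] = array(
                'time'   => time(),
                'type'   => $type,
                'name'   => isset( $item->name ) ? $item->name : '',
                'result' => $outcome,
            );
        }
    }
    update_option( 'hyp_auto_update_log', array_slice( $log, -100 ) );
} );
```

Pair this with a scheduled backup that runs before the update window, so that a broken update can be rolled back; the log makes it easy to see which plugin or theme changed right before a problem appeared.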

… 56% of the total WP infected websites, were still out of date.

Website Hacked Trend Report 2016 – Q1, Sucuri

Remove unofficial plugins and code

Download plugins only from the official plugin directory. If you buy a plugin, always download it from the store or the vendor's official website. Installing unlicensed copies of paid plugins (so-called nulled plugins) is dangerous, because they can contain a backdoor that lets an attacker take control of your website.

If you have copied PHP or JavaScript code from another source and added it to your website, and it contains parts that are not human readable or that you do not fully understand, remove it immediately: it is a potential attack vector. Try to identify the XSS vulnerability in the code below, which turns Twitter handles into links but also contains an unexpected bonus ;).

<?php
// Turns "@handle" mentions in comments and post content into links to Twitter.
function connect_with_twitter($content) {
    return preg_replace(
        '/([^a-zA-Z0-9-_&])@([0-9a-zA-Z_]+)/',
        // Link text is the matched handle; the expression also appends the raw
        // request parameter $_GET[3] (the leading @ only silences the notice
        // when that parameter is absent).
        "$1<a href=\"http://twitter.com/$2\" rel=\"nofollow\" target=\"_blank\" title=\"Visit Twitter\">@$2" . @$_GET[3] . "</a>",
        $content
    );
}
// Apply the filter to every comment and to post content.
add_filter('comment_text', 'connect_with_twitter');
add_filter('the_content', 'connect_with_twitter');
?>
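For comparison, here is a hardened version of the same filter. It is an added example written for this article, not the article's own code: the request parameter is gone, the handle is restricted by the regular expression and then escaped with WordPress's esc_url() and esc_attr() before it is placed in HTML. The esc_url()/esc_attr() fallbacks are assumptions added only so the file can be run outside WordPress; the function name connect_with_twitter_safe and the sample input are constructed for the example.

```php
<?php
/**
 * Hardened "@handle" linker (added example, not the article's code).
 * Nothing from the request reaches the page, and every dynamic value is
 * escaped for the context it is inserted into.
 */

// esc_attr()/esc_url() are WordPress functions. These minimal fallbacks exist
// only so the file can be executed stand-alone for testing.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    function esc_url( $url ) {
        return htmlspecialchars( $url, ENT_QUOTES, 'UTF-8' );
    }
}

function connect_with_twitter_safe( $content ) {
    // Match "@handle" only at the start of the text or after a character that
    // is not alphanumeric, "_", "&" or "-", so e-mail addresses and HTML
    // entities are left alone. Twitter handles are at most 15 characters of
    // [A-Za-z0-9_], so the capture is limited to exactly that.
    $pattern = '/(^|[^a-zA-Z0-9_&\-])@([a-zA-Z0-9_]{1,15})/';

    return preg_replace_callback( $pattern, function ( $m ) {
        $prefix = $m[1];
        $handle = $m[2]; // already limited to [A-Za-z0-9_] by the pattern
        $url    = esc_url( 'https://twitter.com/' . $handle );

        return $prefix
            . '<a href="' . $url . '" rel="nofollow noopener" target="_blank" title="Visit Twitter">@'
            . esc_attr( $handle )
            . '</a>';
    }, $content );
}

// Register the filter when running inside WordPress.
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'comment_text', 'connect_with_twitter_safe' );
    add_filter( 'the_content', 'connect_with_twitter_safe' );
}

// Constructed sample input; runs only when executed directly from the CLI.
if ( PHP_SAPI === 'cli' && ! function_exists( 'add_filter' ) ) {
    $sample = 'Thanks @wordpress and @sucuri_security! Mail: me@example.com';
    echo connect_with_twitter_safe( $sample ), PHP_EOL;
}
```

The important difference is not the regular expression but the data flow: the only values that reach the output are the matched handle (whitelisted by the pattern, then escaped) and fixed string literals, so there is no path from the request to the rendered page.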

Use a unique and strong password

If you use short passwords, or combinations that are easy to guess (for example ones derived from your personal information), you are exposed to password-guessing (so-called brute-force) attacks. It is also unwise to reuse the same password for different services: when another service is breached, your password is exposed, and after a little research the attacker can find your WordPress installation and try to log in. Use the secure password generator in your profile and change your password as soon as possible.
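The profile password generator helps users who choose to use it; a site can also refuse weak passwords when a profile is saved. The following is an added example, not code from the article: strong_password_problems() applies a simple policy (minimum length, character classes, no personal data, not on a leaked-password list) and the hook at the bottom uses WordPress's real user_profile_update_errors action to reject a weak password. The policy thresholds, the function name and the sample passwords are assumptions made for this example.

```php
<?php
/**
 * Password policy check (added example, not part of the article).
 * strong_password_problems() returns the reasons a password is weak; an
 * empty array means it passes. The WordPress hook below rejects profile
 * saves that set a weak password; the function itself runs anywhere.
 */

function strong_password_problems( $password, array $personal_terms = array(), array $leaked = array() ) {
    $problems = array();

    if ( strlen( $password ) < 14 ) {
        $problems[] = 'shorter than 14 characters';
    }

    // Count character classes. A long passphrase made of lowercase words is
    // still accepted once it reaches 20 characters.
    $classes = 0;
    foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ) as $re ) {
        if ( preg_match( $re, $password ) ) {
            $classes++;
        }
    }
    if ( $classes < 3 && strlen( $password ) < 20 ) {
        $problems[] = 'uses fewer than three character classes';
    }

    // Reject passwords built from the user's own data (login, name, e-mail parts).
    $lower = strtolower( $password );
    foreach ( $personal_terms as $term ) {
        $term = strtolower( trim( (string) $term ) );
        if ( strlen( $term ) >= 3 && strpos( $lower, $term ) !== false ) {
            $problems[] = "contains personal information ('$term')";
        }
    }

    // Reject anything on a known-leaked list. The list here is constructed;
    // in practice feed it from a breach corpus such as a local Pwned Passwords dump.
    if ( in_array( $lower, array_map( 'strtolower', $leaked ), true ) ) {
        $problems[] = 'appears in a list of leaked passwords';
    }

    return $problems;
}

// Inside WordPress: block a profile update that sets a weak password.
if ( function_exists( 'add_action' ) ) {
    add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
        if ( empty( $_POST['pass1'] ) ) {
            return; // the password is not being changed
        }
        $terms = array();
        foreach ( array( 'user_login', 'user_email', 'first_name', 'last_name', 'display_name' ) as $field ) {
            if ( ! empty( $user->$field ) ) {
                $terms[] = $user->$field;
            }
        }
        if ( ! empty( $user->user_email ) ) {
            $terms = array_merge( $terms, explode( '@', $user->user_email ) );
        }
        foreach ( strong_password_problems( $_POST['pass1'], $terms ) as $why ) {
            $errors->add( 'weak_password', 'Password rejected: ' . $why );
        }
    }, 10, 3 );
}

// Constructed sample passwords; runs only outside WordPress from the CLI.
if ( PHP_SAPI === 'cli' && ! function_exists( 'add_action' ) ) {
    $samples = array(
        'JohnSmith2016!'               => array( 'john', 'smith' ), // built from personal data
        'correct horse battery staple' => array(),                  // long passphrase, passes
        'Tr0ub4dor&3'                  => array(),                  // too short
    );
    foreach ( $samples as $pw => $terms ) {
        $problems = strong_password_problems( $pw, $terms, array( 'password123' ) );
        printf( "%-30s %s\n", $pw, $problems ? implode( '; ', $problems ) : 'OK' );
    }
}
```

Rejecting reuse across services cannot be enforced by the site itself; the leaked-password check is the closest server-side approximation, since a password reused on a breached service usually ends up in such lists.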

Do not change permissions of the uploads folder

On some servers, uploading attachments fails, and you may be advised to make the uploads folder less restrictive (chmod 777). Doing so gives every user on the server full access to that folder. An attacker who compromises the server through any other website can then use the folder to place malicious code and take control of your website, however well you thought it was protected. Instead of changing the folder permissions, contact your server administrator to find a better solution.
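Because the uploads folder is the usual drop point for a web shell, it is worth checking it for exactly the two conditions described above: world-writable entries and server-side executable files among the attachments. The script below is an added example, not the article's code; audit_uploads_dir() walks a directory tree and reports both, and demo_audit() builds a small constructed sample tree in a temporary directory to show the output. The baseline modes 0755/0644, the list of flagged extensions and the function names are assumptions made for this example.

```php
<?php
/**
 * Uploads directory audit (added example, not the article's code).
 * audit_uploads_dir() reports:
 *   - world-writable files or directories (the "other" write bit, as set by
 *     chmod 777 or 666);
 *   - files whose name contains a server-side executable extension, which
 *     never belong among uploaded attachments.
 * Assumed baseline: directories 0755, files 0644, owned by the account the
 * site runs as, never 0777.
 */

function audit_uploads_dir( $dir ) {
    $findings = array();
    $bad_ext  = array( 'php', 'phtml', 'php5', 'php7', 'phar', 'cgi', 'pl', 'sh' );

    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );

    foreach ( $it as $path => $info ) {
        $mode = $info->getPerms() & 0777;

        if ( $mode & 0002 ) {
            $findings[] = sprintf( 'world-writable (%04o): %s', $mode, $path );
        }

        if ( $info->isFile() ) {
            // Check every dotted segment so "shell.php.jpg" is caught as well.
            $parts = explode( '.', strtolower( $info->getFilename() ) );
            array_shift( $parts ); // drop the base name
            if ( array_intersect( $parts, $bad_ext ) ) {
                $findings[] = 'executable extension in uploads: ' . $path;
            }
        }
    }
    return $findings;
}

// Constructed sample tree in a temporary directory, created only to show the checks.
function demo_audit() {
    $root = sys_get_temp_dir() . '/uploads-audit-' . bin2hex( random_bytes( 4 ) );
    mkdir( "$root/2016/05", 0755, true );
    file_put_contents( "$root/2016/05/photo.jpg", 'jpeg' );
    chmod( "$root/2016/05/photo.jpg", 0644 );
    file_put_contents( "$root/2016/05/cache.php", '<?php // constructed: a file that should not be here' );
    chmod( "$root/2016/05/cache.php", 0644 );
    chmod( "$root/2016", 0777 ); // the "chmod 777" the article warns about

    $findings = audit_uploads_dir( $root );

    // Remove the sample tree again.
    $walk = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ( $walk as $p => $i ) {
        $i->isDir() ? rmdir( $p ) : unlink( $p );
    }
    rmdir( $root );
    return $findings;
}

if ( PHP_SAPI === 'cli' ) {
    foreach ( demo_audit() as $line ) {
        echo $line, PHP_EOL;
    }
}
```

On the sample tree the audit reports the 0777 directory and the .php file under it. Run against a real installation it should come back empty; a stray PHP file in uploads is a stronger signal than the permission bits, because the attacker only needs one of them.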

Use plugins for protection

Instead of hardening your website by hand, you can use plugins that provide a certain level of additional protection (e.g. Wordfence Security). Such plugins block attacks, run automatic vulnerability scans, limit brute-force login attempts, and point out configuration irregularities or dangerous code in the current installation. Unfortunately, they often slow page loading on slower servers, so we advise you to monitor the responsiveness of your website regularly after enabling one.

What to do in case of a hack?

If your website has been hacked, we recommend deleting all existing files on the server and reinstalling the site from scratch with freshly uploaded files. Because the database can also contain malicious code, restore it from a backup copy as well. If the clean-up is not thorough, the site will probably be hacked again soon and once more be defaced or used to attack its visitors.
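A thorough clean-up needs a way to tell which files were touched, both to confirm the rebuilt site matches a known-clean copy and to find what was added. The code below is an added example, not from the article: build_manifest() hashes every file under a directory, compare_with_manifest() reports files that were modified, added or are missing relative to a manifest taken from a clean copy, and demo_integrity() runs the comparison on a small constructed tree in a temporary directory. The file names in the demo, the choice of SHA-256 and the function names are assumptions made for this example.

```php
<?php
/**
 * File integrity comparison for post-hack clean-up (added example, not the
 * article's code). A manifest of SHA-256 hashes is taken from a known-clean
 * copy (your backup, or a fresh download of the same versions) and compared
 * with the live tree. Added files are the usual sign of a dropped backdoor;
 * modified files show where existing code was injected.
 */

function build_manifest( $dir ) {
    $manifest = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $path => $info ) {
        if ( $info->isFile() ) {
            // Store paths relative to $dir with forward slashes so manifests
            // built on different hosts compare cleanly.
            $rel = ltrim( substr( $path, strlen( $dir ) ), '/\\' );
            $manifest[ str_replace( '\\', '/', $rel ) ] = hash_file( 'sha256', $path );
        }
    }
    ksort( $manifest );
    return $manifest;
}

function compare_with_manifest( $dir, array $known_good ) {
    $live = build_manifest( $dir );
    $modified = array();
    foreach ( $known_good as $file => $hash ) {
        if ( isset( $live[ $file ] ) && $live[ $file ] !== $hash ) {
            $modified[] = $file;
        }
    }
    return array(
        'modified' => $modified,
        'added'    => array_values( array_diff( array_keys( $live ), array_keys( $known_good ) ) ),
        'missing'  => array_values( array_diff( array_keys( $known_good ), array_keys( $live ) ) ),
    );
}

// Constructed demo: hash a "clean" tree, tamper with it, then compare.
function demo_integrity() {
    $root = sys_get_temp_dir() . '/wp-integrity-' . bin2hex( random_bytes( 4 ) );
    mkdir( "$root/wp-includes", 0755, true );
    file_put_contents( "$root/index.php", "<?php require 'wp-blog-header.php';" );
    file_put_contents( "$root/wp-includes/functions.php", "<?php // constructed clean file" );
    $known_good = build_manifest( $root );

    // Simulated compromise: one file altered, one new file dropped in
    // (wp-tmp.php is a constructed name, not a real WordPress file).
    file_put_contents( "$root/index.php", "<?php /* injected */ require 'wp-blog-header.php';" );
    file_put_contents( "$root/wp-includes/wp-tmp.php", "<?php // not part of the clean copy" );

    $report = compare_with_manifest( $root, $known_good );

    // Remove the sample tree again.
    $walk = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ( $walk as $p => $i ) {
        $i->isDir() ? rmdir( $p ) : unlink( $p );
    }
    rmdir( $root );
    return $report;
}

if ( PHP_SAPI === 'cli' ) {
    print_r( demo_integrity() );
}
```

For the demo tree the report lists index.php as modified and wp-includes/wp-tmp.php as added. Keep the manifest of the clean copy somewhere the web server cannot write to, and regenerate it after every legitimate update; a comparison run on a schedule turns the same check into an early warning that the hack described above has happened again.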