Protect your WordPress website in 10 simple steps.
Recently we encountered a situation where one of our client’s website was compromised. The website is a WordPress website with third party plugins installed as per the sites requirement. The hack was noticed when we checked the LFD alerts of AUTHRELAY and found spamming was being initiated from the server. We were quick to notice the alerts generated for the website and then started our investigation.
Upon investigation we tried to login into WordPress admin area, but were unable to login and thought the password was incorrect. But so strange was the hack that we were unable to change the admin user password because the admin user itself was renamed. So we have to modify the admin user and then reset the password from phpmyadmin thus allowing us access to the WP dashboard.
The hack was an attempt to send spam emails by installing a malicious plugin. Luckily we noticed some more alerts from Wordfence plugin and took timely action. We noticed that the database access was compromised resulting in change of admin user and then installing the malicious plugin. This is where we noticed one big loophole of not protecting the wp-admin area.
A sample of the malicious files as you can see ninja-wp plugin was installed.
Your websites may still get hacked even after using security plugins like Wordfence or any other plugin you may use. It’s very important to keep a regular check on alerts that are generated from your security plugin. So here are 10 simple steps of basic security of your website.
1.) Monitor your security plugins alerts daily. You can configure the alerts in plugin or you will receive it on your admin user email account. There is no excuse to miss the alerts.
2.) Secure your database server, there are many articles on that and here is one from our blog which shows how to secure your MySQL server on a cPanel server. Guys, this is very important that you use strong passwords for your database, cpanel & FTP users. In regards with your database server which is mysql, please ensure that Remote mysql connections are disabled. Make sure port 3306 is NOT open in CSF firewall.
3.) Very Important: – Protect your wp-admin area with .htaccess file. Here is the sample file code placed under public_html folder to protect your wp-login.php file. Please add your IP address in allow from line, this will also stop brute force attacks on your website.
Deny from all
allow from ipaddress
4.) Change your admin user to something different and which you can remember easily. Avoid using admin as username as its very common to identify.
5.) Remove unwanted plugins, make sure to update the plugins at regular interval.
6.) Update your core WordPress to latest version, this is easiest job to do.
7.) PHP version specially for WordPress websites should set to the latest version.
8.) To remove any vulnerabilities, the systems should be patched by updating all packages to the latest version. Also, the mod security rules should be updated on the server, mod security acts like a WAF (Web Application Firewall) to stop various kinds of attacks.
9.) Yes, it is possible that there are neighbouring websites causing issues or permissions issues on the hosting side that is not properly isolating sites which can cause these occurrences. Please contact the provider to confirm host security.
10.) For dedicated servers or VPS, please ensure that you install cpguard or immunify on the server, which is anti-Malware Protection software for servers, it help us to find the more phishing URLs from the server and also helps to detect most of the attack, brute force etc. It’s integrated with the CSF and its own set of WAF rules.
There are still many other ways to protect your website, Our WordPress experts can assess your website, find out vulnerabilities and secure it with proven methods. We can surely assist you with securing and monitoring your website. You can order our WordPress security plan.