A client recently sent me a panicked email: their WordPress website had been hacked and their home page was full of young, bare-chested men, each one linking to a porno site. Not a great start to the day.
Yes, Your Site is Vulnerable
Any site is vulnerable, no matter how obscure
This was a low-traffic site. I was surprised to see it hacked. But the truth is, these kinds of attacks aren’t made by humans directly. They’re automated, run by bots that scan websites and take advantage of known vulnerabilities, all while the actual human hackers sleep soundly. Yes, this can happen to you.
After a minute or two, I saw the site’s main <.htaccess> file had been compromised. It was full of commands to bypass WordPress altogether, overriding the site’s normal display and replacing it with mano-a-mano love magic. So my first move was a quick fix. I replaced the contents of the compromised <.htaccess> file with the standard WordPress commands (see below). The client’s site came back up instantly.
WordPress Out of Date?
Older versions of WordPress have known weaknesses that hackers love to exploit. One of the easiest things you can do to keep your site secure is simply to make sure you’re always running the latest version of WordPress.
Unfortunately, my client’s WordPress install was several versions out of date; they hadn’t updated, or called me to update, the site. So that was an obvious and easy thing to fix, too.
Digging Deeper, Making WordPress Secure
But I knew I could probably do more and make the site really secure. I doubted my client’s server had been hacked directly via FTP (something an email exchange with the site’s host confirmed) so I figured it was an injection attack of some kind. I went Googling. Here’s what I learned…
What to do When Your WordPress Site is Hacked (But Preferably Before Your WordPress Site is Hacked)
1) Quick WordPress Security Fixes
Fix <.htaccess>
First of all, if your <.htaccess> file is full of junk commands, replace its contents (after making a back-up copy of the hacked file, because you never know!) with something like the following, the most common WordPress settings under Apache…
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
These commands vary slightly from site to site so, for quick client-specific reference, I keep a copy of each site’s htaccess commands in my local client folders, in plain <htaccess.txt> text files.
Next, while you’re messing with the <.htaccess> file, you can add a layer of protection to the all-important <wp-config.php> file. Add the following lines to <.htaccess>…
# Apache 2.2 syntax (still accepted by 2.4 through mod_access_compat);
# the Apache 2.4 equivalent of the two lines below is: Require all denied
<files wp-config.php>
order allow,deny
deny from all
</files>
This prevents any HTTP access to the <wp-config.php> file from outside the server; PHP on the server itself can still read it, so WordPress keeps working. Awesomeness in the house.
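As an added example (not code from the original post), here is a small Python check in the spirit of the <htaccess.txt> copies mentioned above: it diffs a live <.htaccess> against the known-good baseline, flags directive shapes typical of injected rules (visitor-keyed RewriteCond lines, rewrites to another host) and confirms the <wp-config.php> block is present. The baseline and the hacked sample are constructed here, not the client’s real files.

```python
import re

# Constructed baseline: the stock WordPress rules the post keeps in htaccess.txt.
BASELINE = """# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# Directive shapes typical of injected rules: conditions keyed on who the
# visitor is (search-engine referrer, user agent) and rewrites to other hosts.
SUSPICIOUS = [
    (re.compile(r"^RewriteCond\s+%\{HTTP_(REFERER|USER_AGENT)\}", re.I), "visitor-keyed condition"),
    (re.compile(r"^(RewriteRule|Redirect(Match)?)\b.*https?://", re.I), "rewrite/redirect to external URL"),
]

def directives(text):
    """Non-empty, non-comment lines with surrounding whitespace removed."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.strip().startswith("#")]

def audit_htaccess(live, baseline=BASELINE):
    """Return (extra, findings): directives absent from the baseline, and those matching a pattern."""
    known = set(directives(baseline))
    extra = [ln for ln in directives(live) if ln not in known]
    findings = []
    for ln in extra:
        for pat, reason in SUSPICIOUS:
            if pat.search(ln):
                findings.append((reason, ln))
                break
    return extra, findings

def protects_wp_config(live):
    """True if a <Files wp-config.php> block denies web access (Apache 2.2 or 2.4 syntax)."""
    m = re.search(r'<files\s+"?wp-config\.php"?\s*>(.*?)</files>', live, re.I | re.S)
    body = " ".join(m.group(1).lower().split()) if m else ""
    return "deny from all" in body or "require all denied" in body

# Constructed sample of a hacked file: the baseline plus two injected lines that
# send search-engine visitors to another host (not the client's real file).
HACKED = BASELINE + r"""
RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\. [NC]
RewriteRule ^(.*)$ http://example.invalid/landing.php [R=302,L]
"""
```

Anything reported in `extra` that is not a finding still deserves a look, since the patterns only cover the common shapes.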
Back Up Everything
I do two layers of back-up.
First, I go to WordPress › Tools › Export and choose to export All Content. This sends a text dump of all users, posts and pages (and sometimes other content) to my desktop which I can re-import later should things go badly.
Second, I log in to the site’s control panel and get access to phpMyAdmin. From here, I export a backup of the complete SQL database behind the website which can also be re-imported later. (You can’t have too many backups.) If you don’t have direct access to phpMyAdmin, talk to your site’s hosting company for pointers.
N.B. There are WordPress plugins which automate the process of regular back-ups but it’s helpful to know how to make these quick back-ups “by hand”.
Update WordPress
Next, update your WordPress install to the latest version. It’s just a matter of one or two clicks whenever you see that yellow “new version” note on your dashboard. After you’ve backed up, though, riiiiight?
Change Passwords
Do this for all your users, in case somebody has used a really dumb password. WordPress will email each user their new log-in details.
If you’re feeling sufficiently paranoid, do the same for your FTP account.
Remove Unused Themes
It doesn’t make sense to have extra files hanging around, especially files that can interact directly with your database and server. Remove any unused themes from WordPress, either from WordPress › Appearance › Themes, or simply with your FTP client.
Remove Unused Plugins
The same goes for any unused plugins. If you leave them in place, hackers can guess their default paths and try to access your server. Delete via WordPress › Plugins › Installed Plugins or your FTP client.
2) Change the Obvious
You can (and should) do all of the following every time you install a new instance of WordPress. These best practices give you an added layer of security by changing some of WordPress’ default values. You’ll thank yourself later.
First, Never Use “admin”
When you’re setting up a brand new site, WordPress suggests the very first user be named “admin”. Change this every single time to something else, anything else!, because hackers know to start with “admin” as the default user.
If you’re currently using “admin” as your main administrator account, do these things for yourself right now: add a new user cunningly named anything but “admin”, then assign the role “Administrator”, log out, log back in as the new cunningly-named user, then simply delete the stupid “admin” user (switching all that user’s content to the new account). Done.
Second, Change the WordPress Table Prefix
During installation, the <wp-config.php> file suggests you use wp_ as the master table prefix, but this can be anything you like. You should change this every single time to something else, anything else!, because otherwise hackers know exactly what all your WordPress tables are called and they will attempt direct SQL injection attacks. Nasty like Rihanna on crack.
N.B. If your site is already up and running with the wp_ table prefix, it’s a little trickier to change, but you can do it: the WordPress security plugin mentioned just below comes with a tool to automate the process of switching your table prefixes to something non-obvious.
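As an added example (my own code, not the plugin’s tool), the Python below shows what the prefix switch involves: it validates the new prefix the way the installer does (letters, digits and underscores only), generates the RENAME TABLE statements plus the two follow-up renames that are easy to miss (the {prefix}user_roles option and the prefixed usermeta keys, without which every user loses their role), and rewrites the $table_prefix line in <wp-config.php>. The table list is an assumed input; run the statements against a fresh backup first.

```python
import re

PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")  # the only characters the WordPress installer accepts

def prefix_change_sql(old, new, tables):
    """SQL that moves a WordPress database from table prefix `old` to `new`.

    `tables` lists the table names currently in the database. Renaming tables is
    not enough: the option `{prefix}user_roles` and usermeta keys such as
    `{prefix}capabilities` carry the prefix in their *names*, and if they are
    left alone every user loses their role after the switch.
    """
    for p in (old, new):
        if not PREFIX_RE.match(p):
            raise ValueError("prefix %r: only letters, digits and underscores allowed" % p)
    if old == new:
        raise ValueError("old and new prefix are identical")
    stmts = ["RENAME TABLE `%s` TO `%s%s`;" % (t, new, t[len(old):])
             for t in tables if t.startswith(old)]
    stmts.append("UPDATE `%soptions` SET option_name = '%suser_roles' "
                 "WHERE option_name = '%suser_roles';" % (new, new, old))
    like = old.replace("_", r"\_") + "%"   # escape '_' so LIKE matches the prefix literally
    stmts.append("UPDATE `%susermeta` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) "
                 "WHERE meta_key LIKE '%s';" % (new, new, len(old) + 1, like))
    return stmts

def rewrite_wp_config(text, new):
    """Return wp-config.php contents with the $table_prefix assignment set to `new`."""
    if not PREFIX_RE.match(new):
        raise ValueError("bad prefix")
    pattern = r'''^(\s*\$table_prefix\s*=\s*)(['"])[^'"]*\2(\s*;)'''
    out, n = re.subn(pattern, lambda m: m.group(1) + m.group(2) + new + m.group(2) + m.group(3),
                     text, count=1, flags=re.M)
    if n != 1:
        raise ValueError("no $table_prefix assignment found in wp-config.php")
    return out
```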
3) Install a Security Plug-In
There are several great plugins but I like WP Security Scan as a first line of defense. It’s free and relatively easy to set up, if you’re comfortable working via FTP and have some basic Apache nerd skills.
Once you install the plugin, you’ll see it listed at the bottom of the admin menu. The content area will show a list of helpful notes, green and red, corresponding to what’s good and bad about your current installation.
WP Security Scan does several things to make your WordPress site invisible to common hacks…
- It removes a line of code from your site’s HTML which broadcasts the version of WordPress you’re using (so hackers don’t know what they’re attacking and, in fact, you may not even pop up during their spidering process);
- It turns off database error reporting so that hackers don’t have access to useful clues;
- It lets you know if the security suggestions I’ve listed above have been implemented.
It also helps you do two other very useful things which, for non-nerds, are more complicated to pull off. These are explained below, like, right-now-below…
4) Secure Your WordPress Directories with the Correct Permissions
If you visit the Scanner page of the WSD plugin, you’ll see a list of vulnerable files and directories. Items that have insecure permissions will be highlighted.
Use your FTP client to get info on each directory and file listed, then adjust the permissions until they match WSD’s suggestions.
N.B. One of these files is the <.htaccess> file and, once you tweak its permissions, WordPress will start showing the error message “Please make sure your .htaccess file is writable”. Now, when setting up a WordPress site, having the <.htaccess> file writable is a good thing. But once you’ve got the site settings worked out, it’s best to lock down <.htaccess> just as this plugin suggests; you can always loosen things up again later, on an as-needed basis.
5) Secure Your /wp-admin/ Directory
Getting this recommendation up and running is tricky but for business-critical, heavily-trafficked and e-commerce sites, it’s a powerful way to keep your WordPress site nice and secure.
Let’s apply a standard Apache/server-level lock to your /wp-admin/ directory. Anyone trying to access that directory will then have to enter a separate UserID and Password before they see a single WordPress screen. That is, your WordPress back-end will now have two layers of UserID/Password protection.
The gist of it is that you place two small files in your /wp-admin/ directory:
- an <.htaccess> file which contains a set of commands to restrict access to specific users, and;
- an <.htpasswd> file which contains the list of users and their encrypted passwords.
I’ve included the necessary files in the archive below, which contains everything you’ll need.
After you upload these files to your /wp-admin/ directory, you’ll need to adjust the first two filenames. Remove “.txt” from the end and add a “.” to the start, so you end up with…
/wp-admin/.htaccess
/wp-admin/.htpasswd
/wp-admin/WhatsMyRoot.php
If there are any similarly-named files already in your /wp-admin/ directory, before overwriting, make sure to copy them to your computer for safe keeping.
The tricky thing is finding your root URL to put in the first file. For that, use the <WhatsMyRoot.php> page. Place it anywhere on your server, then access it using your browser to find your site’s root URL. Simply copy and paste the URL into the <.htaccess> file where indicated.
Next, make sure to remove the <WhatsMyRoot.php> file as soon as you’re done. Leaving it in place is a security risk.
Now look through the two remaining files in a plain text editor and edit both so that all occurrences of “replace_with_correct_root_url”, “replace_with_user_name” and “replace_with_encrypted_password” contain the correct information.
User names go to the left of the colon in the <.htpasswd> file. Encrypted passwords go to the right.
Here are links to several password generators, in case one of them is down, as one was for me, right when you need it…
Now, when you visit your /wp-admin/ directory, the server will ask you to verify your identity before you can proceed to WordPress.
You don’t need to set up a separate UserID/Password for each user. To keep your maintenance simple, you can add a single user with a strong password, then share that user’s details with all your trusted site editors.
For mission-critical sites, however, you should supply a range of unique UserIDs and passwords, adding each one on a new line in the <.htpasswd> file. If you do this, you’ll need to tweak a single line in the <.htaccess> file. Change…
Require user replace_with_user_name
…to…
Require valid-user
…and now the server will grant access to any of the unique users listed in the <.htpasswd> file, so long, of course, as they have the right password.
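An added example, not from the post’s archive: a Python check of the two files before you rely on the lock. It assumes the <.htaccess> uses the standard Apache directives AuthUserFile (where the “replace_with_correct_root_url” placeholder becomes the absolute path of the <.htpasswd> file) and Require, and it flags placeholders left in place, weak hash formats in <.htpasswd>, and “Require user” names that have no <.htpasswd> entry; the sample files and the list of acceptable hash formats are constructed for the example.

```python
import re

# htpasswd hash formats; bcrypt ($2y$, Apache 2.4+) and apr1-md5 are kept. Assumed policy, not from the post.
HASH_FORMATS = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}$"), True),
    ("apr1-md5", re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$"), True),
    ("sha1", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"), False),
]

def parse_htpasswd(text):
    """Map user -> (hash format, acceptable) for every user:hash line."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, h = line.partition(":")   # no colon at all -> empty hash, flagged as unknown
        users[user] = next(((n, ok) for n, pat, ok in HASH_FORMATS if pat.match(h)), ("plaintext/unknown", False))
    return users

def audit_wp_admin_auth(htaccess, htpasswd):
    """List what would make the /wp-admin/ lock ineffective or weak."""
    problems = []
    for name, text in (("htaccess", htaccess), ("htpasswd", htpasswd)):
        if "replace_with_" in text:
            problems.append(name + ": placeholder still present")
    m = re.search(r'^\s*AuthUserFile\s+"?([^"\n]+)', htaccess, re.M | re.I)
    if not m:
        problems.append("htaccess: no AuthUserFile directive")
    elif not m.group(1).strip().startswith("/"):
        problems.append("htaccess: AuthUserFile should be an absolute server path")
    users = parse_htpasswd(htpasswd)
    for user, (fmt, ok) in users.items():
        if not ok:
            problems.append("htpasswd: %s uses weak hash format %s" % (user, fmt))
    req = re.search(r"^\s*Require\s+(valid-user|user\s+(.+?))\s*$", htaccess, re.M | re.I)
    if not req:
        problems.append("htaccess: no Require directive")
    elif req.group(2):  # 'Require user a b': every name must exist in .htpasswd
        for u in req.group(2).split():
            if u not in users:
                problems.append("htaccess: Require names unknown user " + u)
    return problems

# Constructed sample pair: one user done right, one placeholder left in place, one weak SHA-1 entry.
HTACCESS = ('AuthType Basic\nAuthName "Staff only"\nAuthUserFile /home/example/public_html/wp-admin/.htpasswd\n'
            'Require user editor replace_with_user_name\n')
HTPASSWD = ("editor:$apr1$k9Tq2W1p$Hf7yQmq1yZ7xk2Aa3Bb4C/\n"
            "intern:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=\n")
```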
6) Further Reading on WordPress Security: Go Deeper
If you’re feeling adventurous, there are more sophisticated things you can do. You can change the location of the /wp-admin/ directory. You can protect WordPress from malicious script injections. You can prevent hot-linking to the images on your site.
Read about these additional to-dos, and more, at the following pages…