Security on WordPress

Feb 9, 2014   //   by Anthony Devine   //   Website Development tips

In recent months a number of WordPress sites have been hacked. I have had a few sites hacked myself, which came down to building a website for somebody over 4 years ago; they have not kept the plugins or core software up-to-date, which has left them open to malware.

One site of mine that was hacked suffered a base64 JavaScript injection. This was a nightmare, as it injected code into every single PHP file in the wp-content folder. There are a great many PHP files in wp-content, so it was a big task ahead.

You can decode base64 injections with certain sites, but what you really need is to remove all of the script. You can do this manually, as I did, or run a script to remove it automatically. The reason I did it manually, even though it took about 3 hours, is that I wanted to make sure I got all of the scripts.
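As an added example (this is not the post's own clean-up script), the scanner below walks a WordPress tree for the one-line `eval(base64_decode('...'));` injection the post describes, decodes each blob so you can see what it would have run, backs up every infected file and then strips the injection. It assumes the injection is either wrapped in its own `<?php ... ?>` tags and prepended to a file or dropped bare inside an existing PHP block; the sample site and its "payload" (which decodes to `echo 'hello';`) are constructed for the demonstration.

```python
"""Scan a WordPress tree for eval(base64_decode('...')) injections and strip them.

Added example, not the post's script. Assumes the one-line
eval(base64_decode('<blob>')); form, either wrapped in its own <?php ... ?>
tags and prepended to a file, or bare inside an existing PHP block.
Always keep the backup until the site has been re-scanned and tested.
"""
import base64
import re
import shutil
import tempfile
from pathlib import Path

# Core of the injection: eval(base64_decode('<base64 blob>'));  (group 1 = blob)
_CORE = r"""eval\s*\(\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)\s*\)\s*;"""
# Prepended form carrying its own open/close tags, so those are stripped too.
WRAPPED_RE = re.compile(r"<\?php\s*" + _CORE + r"\s*\?>")
# Bare form inside a PHP block the original file already opened.
BARE_RE = re.compile(_CORE)


def _preview(blob: str, limit: int = 60) -> str:
    """Decode the blob so a human can see what the injection tried to run."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")[:limit]
    except Exception:
        return "<undecodable>"


def find_injections(root: Path):
    """Return [(relative_path, decoded_preview), ...] for every match under root."""
    hits = []
    for php in sorted(root.rglob("*.php")):
        text = php.read_text(encoding="utf-8", errors="replace")
        for m in BARE_RE.finditer(text):
            hits.append((str(php.relative_to(root)), _preview(m.group(1))))
    return hits


def remove_injections(root: Path, backup_dir: Path):
    """Copy each infected file into backup_dir, then strip the injection.
    backup_dir must lie outside root, or the copies get rescanned. Returns cleaned paths."""
    cleaned = []
    for php in sorted(root.rglob("*.php")):
        text = php.read_text(encoding="utf-8", errors="replace")
        if not BARE_RE.search(text):
            continue
        dest = backup_dir / php.relative_to(root)
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(php, dest)
        # Strip the wrapped form first so its <?php ... ?> tags go with it.
        new_text = BARE_RE.sub("", WRAPPED_RE.sub("", text))
        php.write_text(new_text, encoding="utf-8")
        cleaned.append(str(php.relative_to(root)))
    return cleaned


def build_sample_site() -> Path:
    """Constructed sample tree: two infected files and one clean one.
    The 'payload' is harmless: it decodes to echo 'hello';"""
    site = Path(tempfile.mkdtemp()) / "site"
    blob = base64.b64encode(b"echo 'hello';").decode("ascii")
    theme = site / "wp-content" / "themes" / "demo"
    plugin = site / "wp-content" / "plugins" / "demo"
    theme.mkdir(parents=True)
    plugin.mkdir(parents=True)
    (theme / "index.php").write_text(
        f"<?php eval(base64_decode('{blob}')); ?><?php get_header(); ?>\n")
    (plugin / "demo.php").write_text(
        "<?php\n// original plugin code\nfunction demo_hello() { return 'hi'; }\n"
        f'eval(base64_decode("{blob}"));\n')
    (site / "wp-content" / "clean.php").write_text("<?php echo 'clean'; ?>\n")
    return site


if __name__ == "__main__":
    site = build_sample_site()
    for path, preview in find_injections(site):
        print(f"{path}: {preview}")
    print("cleaned:", remove_injections(site, site.parent / "backup"))
    print("remaining:", find_injections(site))
```

Run it against a real install by passing the site root to `find_injections` first and reading the previews; only call `remove_injections` once you are satisfied every hit is the injection and not legitimate code, and re-run `find_injections` afterwards to confirm the tree is clean.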

Once you have completely removed the script, you need to upgrade WordPress to the latest version, as there are always vulnerabilities and backdoors fixed in each new release. Once the core files are up-to-date, you need to update your theme files and plugins. Plugins are the way most hackers get into your site, so these need to be kept up-to-date, and any theme files or plugins that you are not using should be deleted, as they are security risks.

When you have everything up-to-date, you then need to think about which security plugins you are going to use. The free plugins that I recommend are as follows:

  • Limit Login Attempts by Johan Eenfeldt – This stops repeated attacks on your login page, as it locks you out for 30 minutes if you enter the password wrong a number of times
  • Captcha by BestWebSoft – This adds a captcha to the backend login form, which will stop machine-based attacks on your site
  • Anti-spam by Webvitality – This stops all of the spam comments added to your site
  • Wordfence Security – A firewall and antivirus scanner
  • Sucuri Security – Scans your site for malware

Another security issue is using the default database table prefix wp_. This should be changed to something else, as it is what most people use by default and can be a risk.

You should also make sure that if you have been hacked you change all of your server's FTP login details, and you should change your WordPress login details as well. Passwords should be strong; you can use this site to find a strong password: Secure Password Generator. You should also make sure that your WordPress username is not admin, as this is a big security risk. To delete this user and create another administrator login you need to do the following:
  • Log in as admin and create a new Administrator account
  • Log out of the admin account and log in as your new account
  • Delete your admin account. It will then ask you to select from the drop-down list which account to assign all of the posts admin created. Select your new account from the drop-down and proceed with the delete
  • Your new account has now been created, you have removed admin, and all of admin's posts have been assigned to your new user

Remember before doing any of the above make sure you take a backup of your database!

The final step to tightening up your security is to change your folder permissions so they are not all CHMOD 777. This will mean that certain parts of WordPress may not function as they usually do, in terms of being able to upload and update from the backend, but you just have to work through the file permissions until you get the right ones that you need.
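As an added example (not part of the post), the script below first reports every path under a site root that is world-writable, which is what a blanket CHMOD 777 leaves behind, and then applies the baseline most hosts expect: 0755 for directories, 0644 for files, and 0600 for wp-config.php because it holds the database credentials. Those modes are an assumption about a typical setup where the web server runs as the file owner; the sample tree is constructed for the demonstration.

```python
"""Report world-writable paths in a WordPress tree and apply a sane baseline.

Added example, not from the post. Assumes the common baseline of 0755 for
directories and 0644 for files, with wp-config.php tightened to 0600. If
PHP runs as a different user than the one owning the files, uploads may
need group-write instead; adjust DIR_MODE/FILE_MODE for those paths.
"""
import os
import stat
import tempfile
from pathlib import Path

DIR_MODE = 0o755
FILE_MODE = 0o644
CONFIG_MODE = 0o600  # wp-config.php: owner read/write only


def mode_of(path: Path) -> int:
    """Permission bits of a path, without following symlinks."""
    return stat.S_IMODE(path.lstat().st_mode)


def world_writable(root: Path):
    """Relative paths (root itself as '.') that any local user could modify."""
    found = []
    for p in [root, *sorted(root.rglob("*"))]:
        if mode_of(p) & stat.S_IWOTH:
            found.append(str(p.relative_to(root)))
    return found


def apply_baseline(root: Path):
    """chmod every path to the baseline; returns {relative_path: new_mode}."""
    applied = {}
    for p in [root, *sorted(root.rglob("*"))]:
        if p.is_symlink():
            continue  # never follow symlinks when mass-chmodding a tree
        if p.is_dir():
            mode = DIR_MODE
        elif p.name == "wp-config.php":
            mode = CONFIG_MODE
        else:
            mode = FILE_MODE
        os.chmod(p, mode)
        applied[str(p.relative_to(root))] = mode
    return applied


def build_sample_tree() -> Path:
    """Constructed sample: a tiny site left entirely at 0777, as the post describes."""
    site = Path(tempfile.mkdtemp()) / "site"
    (site / "wp-content" / "uploads").mkdir(parents=True)
    (site / "wp-config.php").write_text("<?php // constructed placeholder, no real credentials\n")
    (site / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8")
    for p in [site, *site.rglob("*")]:
        os.chmod(p, 0o777)
    return site


if __name__ == "__main__":
    site = build_sample_tree()
    print("world-writable before:", world_writable(site))
    for path, mode in apply_baseline(site).items():
        print(f"{path}: {mode:o}")
    print("world-writable after:", world_writable(site))
```

Run `world_writable` on its own first to see how bad things are; after `apply_baseline`, test uploads and plugin updates from the dashboard, and if they fail, loosen only the specific directory that needs it rather than going back to 777 everywhere.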

The most important thing to remember is to keep all of your files up-to-date and always keep a backup, so if there are any issues you can always roll back to a clean version of your site.