You’ve probably heard about series of news on government websites getting hacked and this in fact scares you thinking how will your business make it in such a world where there are hundreds of hackers ready to do it. If they run WordPress, they probably didn’t follow the best WordPress security best practices.
In other ways, your website might be spam ridden with Spam comments, registration, login attempts to hack your Admin access and well you are just starting to believe you need hundreds of thousands of dollars to develop a very standardized back end lock to do most of the heavy lifting for you or you’re probably giving up about it because you get hacked every single time well…I guess this post might really be of help to you.
To protect wordpress website doesn’t have to be a game of do or die instead, it’s just a necessary measure taken to ensure the safety of your valuable works which you’ve labored on to create.
Two years ago, my friend Scarlet from Canada told me about how her Food blog got hacked out and this really pissed her off that she began thinking that WordPress is probably not as powerful as it look. But well, I narrated something to her and help her do some stuffs that at least protected her website from all those petty hacks.
In case you might ask, Who are Hackers? My definition goes as “Hackers are those that tries to get some illegal access to your properties….(usually internet connected properties.), So this way, your Mobile Phone, Email, Website, Computer, Anything you have that can easily be accessed via the internet.
These people make use of powerful robotic software that send anomalistic bots to your own properties and those bots try to hack your access probably Using your Username to Guess your password and many other means like that and depending on the strength of your property’s security, it might not take too long before that is done.
That said, its good to actually know that there isn’t any internet connected property that can’t be hacked. The fact is the US Government is trying all in its might bring an end to this regime but as time gets by, we might be able to see better results.
But take note that big firm websites were hacked or being attempted to be hacked. Its said that there are thousands of attempts to hack Facebook admin system.
Yahoo mails can be hacked and so many more. So is your WordPress website which is the main focus here. So the question of how to secure your website for maximum security is a question of how big it is. The bigger your website property becomes the more attractive it becomes to hackers.
Spammers too do this and the fact your website isn’t well secured can actually lead to many problems for your internet business.
For example, if spammers eventually take over your website and your website is filled with bad links that Search engines like GoogleBot, Yahoo/Bing forbids, your website might be labelled “Unsafe to use!” or in fact be removed from the index page.
This can be really bad for your long time work which you’ve built with your sweat and inconvenience. This way, taking a maximum attempt to secure your website will actually put your mind through rest to some great extent and you can happily see how things go.
As the case with WordPress, this CMS software is used by hundreds of thousands of companies from Tiny to Giants. WordPress was ones a mere blogging tool but now its so powerful that you can virtually run any type of website on it as its extensiveness had grown big wings that you actually don’t need to be a real Guru developer before you can get those things done.
WordPress is very awesome and we all love it. This is why most of us chose it. Now because of its popularity, its usually a target for hackers and spammers.
There are though lots of thousands of plugins and templates that do just what you want but there aren’t much security plugins as the rest.
This isn’t really great but I guess if there are many, there could be a problem and those problems could break the core rather than making it. But knowing how to manage your system well will definitely bring a maximum security to your WordPress website and you can be rest assured that there isn’t going to be much problem.
This post will be divided into two. The first will be…
#1. How to secure your WordPress website.
#2. How to get back your already hacked wordpress website.
Now as I have said earlier, WordPress is a PHP script that communicates directly with the MySQL database. When you make posts or comments or pages, those information gets sent out to the database which are then stored to be retrieved when you request for them.
This means that each time you click on your post title, PHP makes a request to the MySQL database and then retrieve the corresponding post. So are Users.
WordPress has the User system where people can sign up and sign in. User’s details get sent to the DB and are saved for later use that is when the request for retrieval is made. That said, your Database is very important here and its what we’ll be dealing with at the most.
So sit down right and get a cup coffee and keep reading. The post is quite long. So make sure you read every bit of it.
So as said earlier, I will be taking the first division of the post which is How to secure your WordPress website.
So How do you secure your WordPress website?
Securing a website is a very important and crucial factor for a successful internet business. Now as said earlier, WordPress becomes the most widely used software thus making it to become the main target for most hackers. To therefore get this system secured takes some measures.
These measures takes a pot of works and commitment. But as a matter of fact, We might have to start doing some analysis.
As of presence, WordPress is in its latest version 4.5 which was released not very long ago this year. This update gets many security updates and other increased functionality.
WordPress therefore is a very awesome software to build a website or business on because of the large community of developers behind it. These developers contribute to the development and lots of bug fixes to make sure the system keep staying at the top.
Its funny enough that many developers from other CMSs like Joomla or Drupal usually divert to WordPress because its like its large enough and well documented enough to start developing for the platform.
As the case may be, I would actually recommend WordPress for your whatever type of website you want to create just that I won’t recommend WordPress for Social Networking but a simple membership website, WordPress can handle it to that extent.
Alright so back to our topic which is how do we secure our WordPress website from the dangerous hands of hackers? I will answer those questions based on my views and many views of other developers who have worked with companies and helped secure their websites.
WHAT ARE THESE BEST WORDPRESS SECURITY BEST PRACTICES ANYWAY?
#1. It Starts from Webhost
You might wonder what a webhost have to do with WordPress security but I verily say on to you that the number one place where there will always be errors will be your web hosting company.
Yeah this days, there are lots and hundreds of web hosting companies that promises to be awesome just to nail a deal with you. You get convinced and you pour your dollar out but you regret it later on when you see how you’ve been treated.
So anyway, choosing the right web hosting company in this wise is as important as anything. Its so important that even if you’ll want your business to grow to a real giant, your web host is the right answer to this.
So in case you ask how your web host come to the scene I’ll tell you that the level of support offered to manage your website is very important which is actually the fundamentals of any web hosting company.
I can therefore define web host as a landlord from who you buy your farmland.
While farming on the unknown land, pests and rodents will try to steal your crops which you’ve invested your time and money on.
If your landlord is a great one, because he owns the land, he already know the status of his lands and so will give you piece of advise on how to keep those animals away.
That’s exactly how a good webhost should be. So any web hosting company that doesn’t offer great and tangible support
to you, just leave it because that’s where it starts.
Other importance of a great web hosting company will be speedy internet network and spaces and bandwidths. All this are important but that’s not the topic here though.
#2. Initial Installation
WordPress as other CMS go through a process of installation. During this period, your new website make some php queries and the communication with the database is made and so it send data about your website straight into the database.
How this affects your security is how secured your installation process is. Your MySQL Database password and username needs to be extremely hard to guess because like i said earlier, WordPress isn’t an HTML but a PHP script that communicates with the database. It stores information over there.
So even of your Admin password is 5M words, forget it your DB will be vulnerable and as easy as possible, you will fall victim. So from the on set, try creating a very powerful password.
Using lots of combinations ranging from upper case to lower case and numbers and symbols and many more will actually help the security. Your DB Username and DB Name should be rigid too and that won’t allow any easy guessing.
Note: In case you plan to save your info in your system, make sure its well kept where only you have access to.
#3. Your Admin Username is Important
Yeah! This isn’t very popular practise. By default, WordPress labels you “Admin” the moment you start the Admin account creation.
WordPress sees you as the first user to create an account and the conditional statement in this system calls you that. And believe me, you can actually change that later if you accept it initially.
Admin therefore becomes your Username. Some other people try to be a little bit rigid by changing the Admin to maybe their website or business name. But believe it or not, all these practises aren’t very secured.
This makes your administration to become vulnerable because the hacker can easily guess your username and then using that to hack into your admin.
Well there is a solution to that problem. There are few plugins that helps you rename the Default WordPress Username right within the Admin and you can set it to a more rigid value which you can’t even remember but have to save elsewhere. Make sure your password is well kept too.
#4. Email and Mail provider
Each time you forget your password on a membership website, you enter your email to get a reset. Now if your email can be easily accessed, believe me, Hackers can use this as an advantage over you.
Therefore using a very security conscious email provider is very important. Normally hosts offer email hosting as part of your hosting plan.
You can also use this opportunity by being your own email provider and then keeping super safe your email system especially the password.
The security way will be creating two email addresses. One for your WordPress admin login while the other for contact us. Make the latter very secured because you’ll be getting your reports on it.
#5. Shield from Spammers
Spammers use their bots to send spam messages and users to your website and this can make your website to get ridden with Malware, Adware, Trojan etc.
So you need to keep number 1, Your comment form safe. If for example your website gets thousands of visitors everyday and you are extremely visible in the search engine, then you might be prone to spams.
So securing your website from them is quite essential and like I’ve said earlier, Search engine companies might find your website to be corrupt and might attempt to remove you from their index pages or label you as Hacked and this isn’t good for your business.
To go against spammers, you first need to think about whether to allow comments in your post articles or not.
If Yes, then you can think of scheduling post comments for a fixed time and when that period is over, the system locks the form out or if you want the form to be there forever, you can download Google Captcha. This is quite awesome. Don’t be the type that thinks of anonymous commenting.
Yes that’s good for your commenting but believe me, its not entirely good because the more anonymous you make your website commenting, the more its prone to spams.
Use Google captcha or use any other smart spam shield system. There are bunch of then at the WordPress plugin repository.
#6. Secure your Admin Page
Usually in WordPress, there are four default roles which are
1. The Administration
2. The Author
3. The Contributor
And by default, all of them have access to four admin and will see the same thing. Author are those that publishes. Contributors do the same but have slightly greater roles over authors. subscribers are just your normal readers who love your website.
Now, for security purpose, its usually advised to lock all users out of your admin because having access to your Admin might put your website at risk.
There are ways of approaching this anyway. But the most fundamental is to know which type of website you run. For example, you run just a mere blog, you might not really want people to sign up.
Some bloggers want others to contribute to their website by allowing this but there are ways of approaching this.
If you don’t want sign ups, simply go to your WordPress admin settings page and then click on the general.
Then tick on the “Anyone can sign up” To either turn it off or on.
In case your website or blog supports guest blogging but still don’t want sign ups, you can download this plugin Front End User Post It works like a charm.
With standard settings, you are good to go. But in case you run a membership website, then my only advise is to download Ultimate Member. You can set what you want users to see based on roles. Its easy to use and its secured. So you protect your Admin area from non Admin. Its that awesome for your security.
#7. Regular Plugin and Website maintenance
You should always and regularly update your website’s plugins for better security fixes. If you use plenty of plugins, whenever there is an update, always make sure to update them.
So to do this, deactivate the plugin if its active and then update it by clicking in the update button found below the plugin description. The process is very fast and quick.
Then activate it back. Other maintenance means are regularly updating your username or password if you feel you need to update them. Always check your email address and monitor all activities going in your website.
Watch users for any abnormal behavior and you can always restrict anyone that doesn’t do well with your criteria.
#8. Always Back Up and Back Up
WordPress is awesome. Like I’ve bragged earlier that there are tons of plugins in their repository, the same come with the issue of Back up plugins. There are lots of Back up plugins for WordPress ranging from Freemium to Premium.
All you need to do is pick your choice depending on what type of task you want. The premium ones usually have more extended functionalities unlike the free ones.
I will recommend these two to use because they are very easy and way bettee in the market.
#I. UpDraft Plus
#II. Back Up Buddy
These plugins are amazing and with ease, you can always get your website backed up and secured.
#9. Use Security Plugins
This is another important factor to securing your wordpress website or blog. There are lots of plugins that are capable of soing yh job right at the WordPress Repository.
My personal pick will be the WP AIO Security Plugin This plugin monitors your website squarely and helps insert PHP rules to your base website thereby securing it from potential hackers and spammers.
One interesting feature this plugin has is the Lock out system. This allow you set time attempt for retrying log in. That is if any user tries to log in but failed in a set period of time, the system will lock such person out.
It also help your website from those that steals your posts. It disables right click and doesn’t allow your images to be copied thereby leaking your bandwidth.
This plugin is very handy and its awesome. Just download it and use. And its free. There are lots others but I will recommend only
2. iTheme Security
#10. Always do external analysis
This is another important factor to know whether your website is harboring any bad or malignant software. There are lots of third party companies that does that depending on the fee. They can analyse your website and help get it aware of potential threats.
How to Regain your hacked WordPress website
This can be a very taskful solution because it all depends on the amount of damages which those hackers and spammers have cost your website business.
Normally, Google or Yahoo or Bing might’ve labelled you Hacked and Google might’ve in fact removed you because they think you longer make sense but regaining back your access and value too rank back high may take you some stress while trying to maintain the already hacked website.
Assuming you have a back up system for your website, you can always restore back from where you backed it up and have then reconfigure your website to be more strict but if you’re a beginner and don’t even know how to back up and your website was hacked then I’ll suggest you first turn off the website by putting it in the development mode.
This restricts every access to only you the admin. You can then access your database and then do some tasks there. Why am not going to explain so much about the database is because if you don’t knowledge of PHPMyAdmin, it might be difficult for you to understand everything I’ll be saying unless you are familiar with the system. And so my major advise is deleting your WordPress installation and then reinstalling a new one.
But Not So Fast!!!
So far you still have access to your WordPress Admin page, there are two ways to go by this,
#1. Back Up Database:
In case your website installation have being affected by bad installations from hackers probably Adware and Malware, then you can just back up Database but I will not totally advise this here but it all depend on the severity of damages which have been made. If those damages are so tough, then you can proceed from leaving the database back up and following the second way.
#2. Export your valuables:
Its like the aftermath of a tornado. You just need important things from your wrecked house not the ruined building again. So this is where WordPress come in again.
The most important thing here is your posts and pages and comments and if you use other custom posts, WordPress can still help. So how this helps is that You just navigate to the Tools located in your Admin area and then click on the export button. This brings you to an interface where you will be able to export your posts, pages, comments etc.
You will see everything that can be exported. You can actually click on “Export all” and then the system downloads all the files in a small portable XML file.
When this is done, the you can completely demolish the wrecked out website and then rebuild offline or online depending on whichever suits you better.
After rebuilding, then go back to that tool and click on Import and then look around and when you see WordPress, click on it and it asks you to download WordPress import tool and when that is done, you can then upload that XML file you downloaded earlier and then assign an author to all the importing.
When you are through, then you can continue with your posts where you left them.
But its usually important to contact your web host for help in such situation so far they are available for support 24/7.
In some cases, they can help you fix out the crazy issue with your database because its quite rigid and it will be a topic on its own later on.
Now you can see yow important it is to always keep your website secured.
The most important thing usually is backing up your website each time so that when you have issues, you can always restore back from where you stopped.
If you ask How many times can you always do back ups, then I’ll say it depends on the complexity and popularity of your website.
What I meant is that each time you get higher, you are becoming more and more of a target and this means backing up more better.
So that’s just all the way it goes.
In case you enjoyed the post, you can always share with friends and families around or better still, comment out your opinions and what you feel is bothering you.
I’ll answer your question. If you also have additions or subtraction, comment it out. Thanks for reading.