Almost 60% of the hacked WordPress sites were due to compromised plugins. WordPress is an easy target for hackers because of weak passwords and plugin vulnerabilities. Most beginners don’t know how to secure their websites, and the majority of them don’t even think about securing their WordPress websites. If you are one of them, you are in danger.

Some time ago, hackers stole some of the links from the search engine results of BloggersPassion. A malicious backdoor script was injected into some of my blog files to steal backlinks. It was painful for us not just because it cost a lot of money but because it eventually dropped the blog’s sales. Only after the security attack happened on BloggersPassion did we start taking more precautions to secure WordPress sites.

If you are also one of those people who have never bothered about securing WordPress sites, stop wasting time and go secure your WordPress sites as soon as possible. Otherwise, your blog links might also get stolen by hackers. This detailed post is written to help you secure your WordPress sites from hackers stealing your backlinks, data or passwords. Let’s dive into the details without further ado.

How to Secure Your WordPress Sites from Hackers

Secure Your WordPress Sites from Malware and Viruses

This is the reason why our blog got hacked. It was a malware attack: a backdoor script was inserted into one of our blog files to steal over 100 links from BloggersPassion. The issue is resolved now and my blog is completely secure from the attacks. It might happen to your blog as well, and you never know who’s going to hack your site by injecting bad files into your website folders.

We highly suggest you install the Anti-malware security plugin from WordPress, as it can secure your WordPress sites from all the malware and viruses. This plugin runs a total scan on your website files to automatically remove all the security threats and backdoor scripts (if you have any). It will also keep your blog safe from known vulnerabilities. Here are a few features of this WordPress security plugin.

- It secures your blog from known threats.
- It also protects against login vulnerabilities.
- It keeps your blog safe from backdoor scripts.
- It limits access by others to .htaccess scripts.
- It also gives more protection against timthumb exploits.

If you want to keep your blogs safe from malware attacks, you should definitely install the anti-malware plugin described above.

Secure from WordPress Brute Force Attacks

A brute force attack is the simplest way for hackers to gain access to your WordPress sites. It is a password guessing attack that usually aims to steal all your data or backlinks from your sites. If you are not ready to combat these attacks, your WordPress sites might easily get hacked.

As they say, “prevention is better than cure”, so here are a few simple ways to secure your WordPress sites from brute force attacks. You can easily prevent them by implementing the following techniques.

- Install a security plugin (limit login attempts)
- Use stronger passwords
- Often change passwords (at least once a month)

Secure Your .htaccess File

The .htaccess file is one of the most complicated files in your WordPress setup. If done right, you don’t have to install any of the above mentioned plugins: just by editing the .htaccess file, you can save your WordPress site from hackers. It is such a powerful file. But I don’t recommend that anyone edit the file (unless you know what you are doing), as a mistake can stop your WordPress sites from even opening.

Then, how do you secure your .htaccess file? By using the BulletProof security plugin from WordPress. Again, it’s a free tool for WordPress users, but it has a TON of features to secure your WP sites along with securing the .htaccess file. This plugin completely protects your .htaccess file by providing a firewall around it. Without your permission, no one can access your root files, and it also restricts access to the admin dashboard. You can also prevent directory browsing by using a firewall around your .htaccess file, and this plugin does exactly that. Along with the above security features, this plugin also helps you with the following things.

- Real-time File Monitor (IDPS)
- DB Monitor Intrusion Detection System (IDS)
- DB Backup: Full and partial DB Backups. Manual and scheduled DB Backups and Email Zip Backups.
- Plugin Firewall (IP Firewall): Automated Whitelisting & IP Address Updating in Real Time
- Idle Session Logout (ISL)
- Auth Cookie Expiration (ACE)

Set Up Website Firewalls

A firewall is a security system that protects your computers and websites. Having a firewall set up is a must if you want to harden the security of your website files. Every firewall uses filtering to filter all the data coming to your servers, networks and websites. It also analyzes data by inspecting all the files so you will be safe from hacking attacks.

If you are wondering how to set up a strong firewall system on your WordPress sites, there’s a great plugin available for you called “NinjaFirewall”. You can download the plugin for free. This plugin is itself a web application firewall, a stand-alone firewall system that sits in front of your WordPress sites to secure your files. It can scan, inspect or reject any HTTP requests sent to PHP scripts on your websites, thereby securing your files from malware or other security breaches. Encoded PHP scripts, hackers’ shell scripts and backdoors will also be filtered by NinjaFirewall. Here are a few incredible features of this plugin.

- This plugin is a full stand-alone web application firewall.
- It works before WordPress is loaded.
- It has a powerful filtering engine.
- Supports a large set of encodings.
- It also has an anti-malware scanner.
- Blocks/allows uploads, sanitises uploaded file names.
- Blocks suspicious bots and scanners.
- Hides PHP error and notice messages.

Take Regular Backups of your Website Files

Creating regular backups of your website is the key to keeping it safe. In the worst case scenario, even if your site gets hacked, you don’t need to worry about the loss of all your blog posts, pages, comments and links. You can simply restore from your backups to get all that data back. Even if your site never gets hacked, you might simply lose all the data while making design changes on your sites, and then regular backups can also help you immensely.

We highly recommend you start using BackupBuddy. It’s a premium tool that regularly backs up all of your website files, and you can restore at any moment in case of file loss.

If you are searching for a free option, try BackWPup. It’s a free plugin which is useful for backing up all your files including your databases. This plugin automatically saves your complete installation including /wp-content/ and sends it to an external backup service like Dropbox, S3, FTP etc.

BackUpWordPress is another great (free) WordPress plugin for taking regular backups of all your website files. This plugin works in low memory, “shared host” environments, so your site speed won’t be affected much, and it also has options to have each backup file emailed to your inbox. You can also exclude a few files which you don’t want to back up.

So what are you waiting for? Make sure to use any one of the above mentioned plugins to start taking backups of your whole sites. We recommend you take backups every week (at the very least) to avoid regrets in the future.

Top 10 Best WordPress Security Plugins

Hands down, WordPress is the most popular CMS in the world and is used by millions of websites. WordPress is also the #1 platform targeted by hackers all around the world. That’s the reason why you should always secure your WordPress site from all security attacks. Fortunately, there are a ton of WordPress security plugins available which can help you easily secure your sites. Here’s a list of the top 10 best WordPress security plugins (in no particular order) you can use in 2023 to protect your blog from hackers.

- Security activity auditing
- File integrity monitoring
- Remote malware scanning
- Blacklist monitoring
- Effective security hardening and so on

The best part is, if somehow your site gets hacked for whatever reason, this plugin offers you post-hack security actions, which include a section to help you walk through the 3 important things you should do after a compromise.

6. Two Factor Authentication from UpdraftPlus

This is the most popular 2 factor authentication plugin for WordPress with over 2 million active downloads, and it’s developed by the makers of the #1 WordPress plugin, UpdraftPlus. If 2-factor authentication is enabled on your site, you will require a one-time code in order to log in. This plugin supports the standard TOTP + HOTP protocols and also supports Google Authenticator, Authy etc. It also displays graphical QR codes for easy scanning into apps on your phone or tablet. So if you want to add extra steps to log into your WordPress dashboard, a 2 factor authentication plugin like this one is essential.

7. Restricted Site Access

If you want to limit access to your site to visitors who are logged in or accessing the site from a set of specified IP addresses, you can use this plugin. This plugin is especially useful for multi-author websites or if you’re accepting guest posts from a ton of other users who need to access your site to publish those posts. You can also use this plugin to send restricted visitors to the login page, redirect them or display a message or page; you’ll literally have full control over your site. You can easily customize the redirect location or send them to the same requested path, set the HTTP status code, and the list goes on.

8. Loginizer Security

Want to prevent brute force attacks? Want to add 2 step authentication to log in to your website for added security? Then use this plugin, as it blocks login for the IP after it reaches the maximum retries allowed (you can also set the maximum limits). Not just that, you can blacklist or whitelist IPs for login using this plugin, and it gives you a wide range of features including 2 factor authentication, reCAPTCHA, PasswordLess Login etc to improve the security of your WordPress website. This is also one of the popular WP security plugins, downloaded by nearly 1 million people, and it also offers you features like renaming the WP login page, admin URL and so on.

9. Hide Login Page

Most hackers try a ton of different ways to log in to your website, and they also use techniques to find your login information through your login page, WP admin URL and so on. This plugin helps you safely rename wp-login.php and closes access to the WordPress admin panel. The good thing is, it does not change the code of your site, does not rename files and does not make any changes to your server configuration. You can do a ton of things including hiding wp-login.php and wp-signup.php and blocking access to them, and hiding the WP admin directory and blocking access to it, and it also allows you to rename the login URL easily.

10. Security Ninja

This plugin performs security checks on your website to find out if there are any security vulnerabilities within your site. It also helps you prevent 0-day exploit attacks, optimize and speed up your databases, checks if WordPress core is up to date, checks if automatic WordPress core updates are enabled, checks if plugins are up to date and so on. Above all, this plugin runs over 50+ security tests instantly and discovers issues you didn’t even know existed, so you can easily tighten the security of your WordPress sites. All in all, it’s a time saver plugin to safeguard your site from security threats.

Top 3 Most Secure WordPress Hosting Sites

One of the best and easiest ways to secure your WordPress sites is to invest in a secure web host. Yes, that’s plain and simple advice. A couple of years ago, we were hosted on HostGator (it sucks both security wise and customer support is pathetic too) and our site got hacked. That’s when we moved to WPX hosting. Although it’s a bit expensive when compared to HostGator, we haven’t encountered any security issues so far. That’s why we highly recommend you invest in a secure web host. Here are the top 3 most secure WordPress hosting sites for all kinds of budgets.

- WPX hosting
- WPEngine
- Kinsta

Let’s talk about each one of them so you can pick the best one that suits your budget and website needs to safeguard your WordPress site from all the hackers and malware attacks.

1. WPX Hosting

WPX hosting is the web host we’re currently using at Bloggers Passion, and we’re extremely satisfied with their security features; their cloud hosting is what gives you super fast website speeds.

Why should you use WPX hosting?

WPX hosting offers you a “fixed for you” guarantee. One of the major reasons to invest in a web host like WPX hosting is this incredible service. For instance, if you run into any technical issue on your website, you can contact their Support Team and they will instantly fix the issue for you FREE of cost. The good news is that their support system (live chat) is extremely fast and replies to your queries within 30 seconds (yes, you heard it right). Explain your problem and they will take care of it and fix your site free of cost.

How much does WPX hosting cost?

WPX hosting offers you 3 pricing plans which are listed below. Use this special link to get a 50% FLAT discount (on the first month of hosting).

2. WPEngine

WPEngine provides you “managed hosting for WordPress”, and that’s the reason why all the sites hosted on their platform load extremely fast. Not just that, WPEngine is known for providing bulletproof security to all the sites hosted on it.

Why should you use WPEngine hosting?

WPEngine hosting offers you a deep level scan. If your website is affected by malware, the WPEngine customer support team will perform a deep level scan and malware cleaning to help you get back up and running. WPEngine also updates all the WordPress sites hosted on their platform automatically, so you don’t need to worry about installing the latest version of WordPress on your site.

How much does WPEngine hosting cost?

There are 4 pricing plans offered by WP Engine which are listed below.

- 1 WordPress install, 25,000 visits per month, 50 GB bandwidth, 10 GB local storage
- 3 WordPress installs, 75,000 visits per month, 125 GB bandwidth, 15 GB local storage
- 10 WordPress installs, 100,000 visits per month, 200 GB bandwidth, 20 GB local storage
- 30 WordPress installs, 400,000 visits per month, 400 GB bandwidth, 50 GB local storage

3. Kinsta

If you’re looking for a highly secured web host that offers ultimate speed and performance, Kinsta hosting is just for you. Kinsta offers powerful hosting features like free backups, Cloudflare enterprise-grade protection, 24/7 customer support from experts, unlimited free website migrations, and much more.

Why should you use Kinsta hosting?

Kinsta hosting offers a wide range of security features including:

- Automated backups
- Cloudflare DDoS protection and free SSL
- Two-factor authentication that you can enable for added security

Kinsta hosting also offers SFTP/SSH protocols. Basically, SSH (Secure Shell) is a network protocol that allows secure remote access over an encrypted connection. That way, you can easily manage all your website files along with the folders and do other things such as modifying their permissions, editing files directly on the server, and so on.

SSH access also helps you easily prevent brute-force attacks on your website because they are often performed on the root user of a server. By making the root user inaccessible via SSH, you can easily prevent such attacks. Kinsta also has an incredible uptime guarantee of over 99.9%.

How much does Kinsta hosting cost?

Kinsta hosting offers multiple pricing options which are listed below.

- The Starter plan costs you $35 per month and provides 1 WordPress install. This plan can handle up to 25k visits, offers 5 GB disk space, and provides free SSL and CDN.
- The Pro plan costs you $70 per month and offers 2 WordPress installs, handles up to 50k visits, offers 10 GB space, and provides free SSL and CDN.
- The Business plans come in four pricing tiers, and the pricing starts at $115 per month, where you can get 30-60 GB of SSD storage, 1-4 free site migrations, and 50-400 GB of server bandwidth.
- The Enterprise plans also come in four pricing options starting at $675 per month and offer you a server bandwidth of 600-1500 GB. You can manage up to 60-150 WordPress sites and you’ll get 100-250 GB of SSD storage.

The best part about Kinsta hosting is that you can get 2 months of FREE hosting using the following link. Kinsta also offers a 30-day money-back guarantee and no long-term contracts. That means you can get a full refund if you cancel your hosting account with Kinsta within 30 days.

8-Point WordPress Security Checklist

If you want to secure your WordPress sites from getting hacked, make sure to follow this 8 point WordPress security checklist, as it covers almost everything. Let’s briefly talk about the above things so you can understand them better and use this WordPress security checklist effectively.

Important note: Make sure to always back up your files before you update plugins, WordPress, themes etc. That way, if something horrible happens, you can always restore them without losing any data or content on your blog.

Stay Safe from Most Common WordPress Security Threats

WordPress has its own security threats and vulnerabilities which include the following.

- Brute-force Login Attempts
- Malicious Redirects
- Cross-site Scripting (XSS)
- Denial of Service

If you want to safeguard your WordPress site from hackers, you need to keep an eye on fixing the above WordPress security threats. So let’s talk briefly about these WordPress vulnerabilities to keep your WordPress site safe in 2023 and beyond.

Denial of Service

A denial-of-service attack (DDoS attack) is one of the most common cyber attacks performed by hackers to get access to a site, where the attackers attempt to prevent legitimate users from accessing the service. The hackers usually send a ton of random messages asking the network or server to authenticate requests that have invalid return addresses. That way, they get hold of your site.

The best way to prevent such attacks is to create a firewall around your site, and you can go through our best security plugins section (which is mentioned above) to easily create firewalls using a few plugins.

Malicious Redirects

Malicious redirects simply means that hackers or attackers get access to your website and change your pages to redirect to other websites (that they own or endorse). That way, you’re not only losing your traffic but also sales, if those attacks are done on any sales pages on your site. In fact, we faced this issue over 3 years ago when our blog Bloggers Passion was hosted on HostGator. Their customer support team couldn’t help us in any way, and that’s when we migrated to WPX hosting, and they resolved this malicious redirects issue within a day.

The best way to deal with this issue (or prevent malicious redirects from happening on your website) is to create a firewall and check often for malware. You can also use web hosts like WPX hosting so this kind of issue won’t even occur.

Cross-Site Scripting (XSS)

Cross-site scripting (XSS) is a type of security vulnerability where the attackers inject client-side scripts into web pages, and it is mostly found in web apps and plugins. The best way to deal with this issue is to create a firewall, install anti-virus software on your PC (or laptop) and secure your databases.

Brute-force Login Attempts

A brute force attack is a trial and error method and one of the most popular password cracking methods used to get access to your WordPress website. Whether you know it or not, around 80% of confirmed data breaches are due to weak or stolen passwords. That’s the reason why you always need to make sure your WordPress login passwords are really strong and hard to guess.

The best way to prevent such brute force login attempts is to limit your “invalid login” attempts and make use of stronger passwords. Regularly change your login passwords for extra security.

3 More Essential Things We Did at BloggersPassion After The Security Attack

Here are a few of the most important things we did at Bloggers Passion to secure it from hackers.

- Brute force attacks (that mostly happen due to password guessing and password decoder tools)
- Malware attacks (where hackers install malicious code into your website files to divert your website traffic to other sites such as adult sites, gambling sites, spamming sites and so on)
- SQL injections (where the hackers get access to your website databases to insert malicious data into your databases)
- Cross-site scripting (mostly happens due to WordPress plugins, so make sure to install only those plugins from trusted developers with a proven track record)

- Go for premium WordPress themes over free themes
- Use a secure web host like WPX hosting, as they take solid security precautions and offer features like the “fixed for you” guarantee in case of cyber attacks on your site
- Install a firewall for your own computer (and don’t download apps, files etc from unauthorised sites)

Here are a few easy yet most effective ways to secure a WordPress blog in 2023.

- Regularly take backups of your website (it’s better to get a web host like WPEngine or WPX that automatically takes backups of your site, or you can use premium tools like VaultPress or BackupBuddy)
- Install a security plugin
- Limit your login attempts
- Change your default WP admin login to something else
- Use stronger passwords and frequently change them for better security (to prevent brute force attacks)

- iThemes security
- Sucuri security
- Wordfence security

- WPScan plugin
- Sucuri (one of the widely used plugins for malware scanning)
- WP Sec (it’s a great website to scan your whole site for automated WordPress scans)

Final thoughts on securing your WordPress site from hackers

Each WordPress security attack is different. Hackers can get access to your sites in various ways, like password guessing, inserting malicious code into your files, brute force attacks etc. So you must always be ready for all the attacks to secure your WordPress sites from hackers or intruders. You never know who is going to hack or crack your website files.

Taking backups, keeping your websites safe from malicious code, and installing the most essential security tools like BulletProof security or iThemes security can save you a lot of time, money and effort. NEVER take your WordPress security lightly, as prevention is always better than cure. So make sure to implement the WordPress security tips mentioned in this guide to harden the security of your WordPress sites.