If you are WordPress user and you are worried about your WordPress security then this article is for you, and we will tell you different ways to protect Your WordPress Blog or website From Being Hacked, It’s very easy for any hacker to inject any harmful code into your website if you are not serious about your WordPress security . So if you love your website and visitors then apply this steps on your blog.
Hacking WordPress Site using SQL Injection
If you use any plugin which is not authorized by WordPress or from unknown sources, then that plugin can hack your website using SQL Injection, because the plugin has a feature to Insert, Alter, Delete, your database table so using that then can gain access to your WordPress admin.So avoid using plugin from any unknown sources
Disable or Hide Upload Directory
If you upload directory is open then anyone can gain access to your files and folders and upload anything to your site and then inject harmful codes in your files, Even .htaccess file will be inserted, your file permission will be changed easily.
If you are facing this then look for a malicious file that is inserted into your website, it may be in Themes folder or Plugin folder in Wp-Include folder or in the wp-config.php file.
To tackle this situation you can delete all inactive plugin and inactive themes from your WordPress installation or if you don’t want to delete then set 000 permission of that folder.
Disable Directory Listing using .htaccess
Create a blank file in a text editor. Name it .htaccess and paste the following Add Options -Indexes in that file Upload that file in your /wp-content/uploads/ folder or at any place where you want to disable listing.
You can also contact your hosting provider and tell them to disable directory listing from the whole server.
Disable PHP Execution in Upload Directories
Create a blank file in a text editor. Name it .htaccess and paste the following code in there:
<Files *.php> deny from all </Files>
Upload that file in your /wp-content/uploads/ folder. You should also upload it in your /wp-includes/ folder.
Upgrade or Update your WordPress and Plugins
If you see any update in WordPress or in plugins, then do that immediately, because WordPress send an update to patch security holes and by updating that you can patch that loophole.
Steps to Recover From WordPress Hack
Update your WordPress Installation, Upload Zip folder in WordPress extract that and replace wp-admin and wp-include folder with new folders.
NOTE – Don’t remove Wp-Content folder because that folder contain your theme files plugins and images.
For Wp-content you need to review each folder manually and remove any unknown PHP files in the image folder.Delete and install all plugin and themes again
Delete all inactive plugin and themes
Update you WP-config file with a new one but don’t forget to place your DB details in the new wp-config file.
Disable Theme and Plugin Editing from WordPress Admin
Add below line in your wp-config file to disable theme and plugin editing from WordPress admin
define( ‘DISALLOW_FILE_EDIT’, true );
Delete Unauthorized WordPress User
When any hacker access your admin area then they create 2-3 profile with Admin access, so you need to check that area also if you see any unauthorized user as admin then delete all those users from your website.
USE SSL for WordPress Admin Login
Secure your logins and the admin area by using SSL so that both passwords and cookies are never sent in the clear, You can add below code in your wp-config.php to force all logins and all admin sessions to happen over SSL
define( ‘FORCE_SSL_ADMIN’, true );
Use WordPress Security Plugins
Use WordPress security plugins like Wordfence or All In One WP Security & Firewall or BulletProof Security to secure your wordpres site , but all this will help you in secure your wordpress site . If your site is alredy infected then follow above steps.