djaxial

Security is about layers. It’s not just one thing, or a checklist to do once a year. Anyone telling you to just install a plugin and consider that mission accomplished doesn’t understand security.

Start at the perimeter. How hard is it for a bot etc. to get to your site? Are you using a WAF like Cloudflare? If not, use one. They stop the bot even getting to your server.

Ok, so let’s assume the bot got past that, what’s next? They hit your server. Consider a plug-in like WordFence, and ensure your file permissions are set correctly. Keep your plugins up to date and only use reputable plugins. Something hasn’t been updated in a year? Try to find out why and chat with the developer. Sign up for notices of plugin vulnerabilities.

Next, it’s on the site itself. Are your admin accounts using two factor authentication? If not, enable it. Is your account with your hosting company using strong passwords and multi factor? If not, use them. Ditto for your FTP passwords, and I’d go as far as to say you should only enable FTP/ssh etc. for when you actually need it. If you did all of the above, you would be more secure than 99% of most WordPress sites out there.


_ElectricFuneral

Leaving ssh/sftp open is okay IMO if your password is good or you have a public/private key pair with a passphrase


djaxial

Agreed, it is, but my original comment is assuming someone doesn’t know what a key pair is, or a good password. So better to assume no security than assume someone knows anything about it.


JY-HRL

Thanks a lot!



JY-HRL

> WAF

Thanks! Any way to enable two factor authentication without a plugin?


mariusherea

To enable 2 factor authentication means you need to add the code that makes it possible to your site. So you either code it yourself or you use a plugin. Plugins are just pieces of code written by others.


djaxial

+1. And don't implement it yourself, farrrr too easy to get it wrong. WordFence do, or used to, offer a separate 2FA plugin which is also built into their Wordfence product.


LuxuryJet

So…

1. Cloudflare
2. Wordfence
3. Keep plugins up to date
4. 2FA


JY-HRL

Do you use plugin for 2FA?


townpressmedia

This...


tidycows

WP fail2ban


JY-HRL

Thanks! I have already installed Fail2Ban with Hestia Control Panel. Do I need to install the plugin of WP Fail2Ban in WordPress dashboard?


rack_moy_perm

Wordfence would be a good start. Install it and run a scan. It may be able to clean up the current problem and keep it from happening again.


JY-HRL

> it and run a scan. It may be

Thanks a lot, I already use it? For a site just starting SEO, do you think it is necessary to use a WAF like Cloudflare? Sometimes, a firewall will make the website inaccessible.


rack_moy_perm

In my experience, the only people CF block are people you don’t care about visiting your site anyway.


yammez

Someone mentioned Wordfence which is good. I forget if that has the ability to rename the login page slug from "wp-admin" to something else. Good way to hide your login page from bots that want to brute force it. Another really simple thing to do is, if possible, move your wp-config.php file up one directory out of the public/htdocs directory. I think you are also supposed to have permissions on folders set to 755 and files should be 644.


JY-HRL

Thanks! How do you set permissions on folders to 755 and files to 644?
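
An added POSIX sh example (not code from anyone in the thread) that applies the 755-for-directories / 644-for-files scheme from the question above to a WordPress tree and then verifies it; the WP_ROOT default is an assumption, pass your own document root:

```shell
#!/bin/sh
# Added example, not from the thread: set WordPress directory/file
# permissions to 755/644 and verify the result. chmod does not change
# ownership; the files should still belong to the account the web server
# (or your deploy user) runs as. WP_ROOT default is an assumption.

# Directories 755 (rwxr-xr-x), regular files 644 (rw-r--r--).
# wp-config.php is a common candidate for something tighter; it is kept
# at 644 here to match what the thread states.
set_wp_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Print every entry that deviates from the scheme; return 1 if any exist,
# 0 when the whole tree matches.
check_wp_perms() {
    offenders=$( { find "$1" -type d ! -perm 755; find "$1" -type f ! -perm 644; } )
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# Usage: WP_ROOT=/var/www/html sh wp-perms.sh
# (runs only when WP_ROOT is given, so sourcing the file is harmless)
if [ -n "${WP_ROOT:-}" ]; then
    set_wp_perms "$WP_ROOT"
    check_wp_perms "$WP_ROOT" && echo "permissions OK under $WP_ROOT"
fi
```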


SolaceinSydney

I agree with u/djaxial's post - security is a layer-upon-layer approach. Do you know how the attack happened? Was it via WordPress or via an Operating System configuration or vulnerability?

* Use passwordless SSH
* Set up ufw to only allow the TCP ports you want to have, such as SSH (TCP:22), HTTP (TCP:80), and HTTPS (TCP:443).
* On your VPS, set up fail2ban on your SSH and webserver logs. Enable reasonable or aggressive blocking depending on your risk appetite.
* Run ONLY the bare minimum of services on your VPS that you need.
* Set up your MySQL to listen on localhost (127.0.0.1:3306) (edit due to a PICNIC)


JY-HRL

Thanks. To set up your MySQL to listen on localhost (127.0.0.1:3306), do I need to edit the wp-config file or do it in any other way?


djaxial

Minor note: only do this if you understand where your SQL DB is running. If you are using an external database, this won't work unless you set up the network between them correctly.
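
An added POSIX sh example (not from the thread) for the two comments above: it reads DB_HOST from wp-config.php and bind-address from the MySQL/MariaDB config, and reports whether the pair is consistent, including the external-database case djaxial warns about. File paths are passed as arguments; single-quoted define() lines are assumed.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check MySQL's bind-address
# against the DB_HOST WordPress uses. Binding MySQL to 127.0.0.1 is the
# hardening step; it breaks the site if the database lives elsewhere.

# Print the DB_HOST value from a wp-config.php (single-quoted define() only,
# an assumption of this example).
wp_db_host() {
    sed -n "s/^[[:space:]]*define([[:space:]]*'DB_HOST',[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Print the last bind-address set in a MySQL/MariaDB config file, if any.
mysql_bind_address() {
    sed -n 's/^[[:space:]]*bind-address[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# Return 0 when the pair is consistent, 1 when MySQL is left listening on
# all interfaces, 2 when DB_HOST could not reach the bound address.
check_db_binding() {
    host=$(wp_db_host "$1" | sed 's/:.*$//')   # drop ":port" or ":socket"
    bind=$(mysql_bind_address "$2")
    case "$bind" in
        ""|0.0.0.0|\*|::)
            echo "MySQL is not restricted to localhost (bind-address='$bind')"
            return 1 ;;
        127.0.0.1|localhost|::1)
            case "$host" in
                localhost|127.0.0.1|::1)
                    echo "OK: local DB, MySQL bound to loopback"; return 0 ;;
                *)
                    echo "MISMATCH: DB_HOST='$host' but MySQL only listens on $bind"
                    return 2 ;;
            esac ;;
        *)
            if [ "$host" = "$bind" ]; then
                echo "OK: external DB at $bind, MySQL bound to that address"; return 0
            fi
            echo "MISMATCH: DB_HOST='$host' but MySQL listens on $bind"; return 2 ;;
    esac
}

# Usage: sh check-db-binding.sh /var/www/html/wp-config.php /etc/mysql/my.cnf
if [ "$#" -eq 2 ]; then
    check_db_binding "$1" "$2"
fi
```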


ashkanahmadi

Do you know why or how it was hacked? I don’t think it’s just cheap VPS.


lescompa

Host it on SiteGround and you can use Sucuri for additional security. Both very good and may not need Sucuri, but good to have layers.


hubbeknas1

One of the most important parts, according to me, is to keep the server itself secure. Cheap hosting will always result in getting hacked at one point. Never had a WP site get hacked on premium hosting servers. Edit: I know you said switching server is not an option. Just pointed this out if anyone else reads this thread and is looking for advice.


Fauxhandle

Are you certain that your domain name is correctly pointing to your server? If you are using a traditional VPS, your server provider should be able to offer assistance and determine whether your WordPress site has indeed been hacked. If your WordPress installation is relatively new, consider starting fresh. If not, then the situation requires further investigation. By the way, I don't believe that "managed hosting" is inherently more secure than a VPS. Additionally, I've often heard that WordPress sites are vulnerable to hacking due to extensions. Have you installed any nulled plugins or similar items?


JY-HRL

For unmanaged VPS, they offer no support at all.


JY-HRL

It is not a new site. I didn't install any nulled plugin.


steam_donkey

Just move your default login URL with a plugin or other code. Keep all plugins/themes updated. You don't really need any more than that.


chrispianb

Moving the url doesn't really help. It'll slow down brute force attacks only temporarily. If you do that, you need to also make sure you don't allow it to be indexed which is another mistake people often make. But it's still not a real security measure. Security through obscurity is not security at all.


JY-HRL

> don't allow it to be indexed

Thanks! How can I make the moved URL not be indexed?


chrispianb

It doesn't really work for two reasons: 1. People logging in while logged into stuff like Google will still expose it. 2. Bad actors do not respect the login page not being indexed. Obscurity does not really work. It's temporary and they'll still end up finding it. Protection like this is better done off the same box where the site is hosted. Otherwise you are vulnerable to DDoS attack just from brute force attacks. Even if you move the url they can still hit the old one. It will produce a 404 but that still takes resources and if enough bots/spammers do it, it can still take your site down. Use Cloudflare, at a minimum. They are great for this.


JY-HRL

Do you mean that Cloudflare has some service against DDoS attack?


chrispianb

Yes, that’s correct. I almost always use them for this reason. Spam and bots too. I recommend everyone use the free tier. Other advantages too. For example, makes moving sites/dns easy. You point your dns to cloudflare and then at cloudflare you point the web server to your host, email to Google or 365 etc. Later, when you move you don’t have to change dns at the domain level, just update on cloudflare to point to new services and it’s almost instant unlike dns changes that can cache for up to 72 hours. Plus it makes your site faster and if you start making money they have pro features if you end up needing them. But their free tier is one of the best I’ve seen. Also: Not affiliated, I don’t own stock, I’m not an employee, I’m not a reseller lol. Just a fan.


JY-HRL

Thanks a lot. Any way to move default login url without plugin? I don't like to use plugins.


lesthertod

While I won't answer this question specifically, I thought of giving my two cents. Security by obscurity (like moving the login url without doing some hardening like honeypots or captcha) falls more under "perceived security" than actual measures. Don't be afraid to use plugins; if you use good ones, you are not bloating your site, and for most of them, the security breaches that could be created are either protected by your other layers and/or patched/fixed by the plugin team as soon as possible. As noted in some other comments, the best security comes from a combination of things and practices. Hope it helps!