Brute-Force Login Attempts
Hackers use automated scripts to find WordPress login pages and submit different usernames and passwords over and over again in an attempt to figure out the correct combination. Recently, a large number of sites with the username “admin” have been hacked because that username is very predictable. Short logins that use words found in the dictionary are also especially vulnerable. If your WordPress installation came with the user “admin” already set up, create another user with administrative privileges and delete the “admin” user. Use a username and a password that are long, contain no common dictionary words, and mix upper- and lowercase letters, numbers and special characters. Moving the admin panel login to a custom URL is also recommended. Finally, limiting the number of unsuccessful logins and banning IP addresses that make many unsuccessful login attempts will help to prevent brute-force attacks on WordPress.
Default Prefix for WordPress Tables
In the database that contains all of the content for your website there are many tables. Each of these tables has a prefix, which in many cases is “wp_”. Hackers know that most installations use “wp_” as the default prefix for the database tables and they exploit this commonality. The prefix can be chosen during the WordPress installation process, and any prefix that is less predictable helps. You can also change the database prefix after installation by making several manual changes to the database or by installing a WordPress security plugin. Smart hackers may still be able to discover your new table prefix, but making this change will at least stop hackers who rely on automated scripts that assume the most predictable characteristics of WordPress.
SQL Injection and URL Hacks
A SQL injection attack occurs when hackers embed commands into their URLs which cause changes in the database or cause the database to reveal something about itself that makes it vulnerable to additional attacks. URL hacks can also execute PHP commands which can open the door to malware or reveal additional vulnerabilities. The best defense is to change your .htaccess file. This file defines configuration rules for the Apache web server that hosts your site. You can set up rules there to prevent many types of SQL injection and URL hacks.
Accessing Important Files
All WordPress sites contain certain files which, if accessed or changed, could cripple a site or give hackers access. The .htaccess file can also be changed to prevent direct access to these files. It is important to prevent access to readme.html, license.txt, install.php, wp-config.php, error_log, fantastico_fileslist.txt and fantversion.php.
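The following .htaccess rules are an added example (not from the original post) showing how to refuse direct web requests for the files listed above; they assume Apache 2.4 (the Require syntax) and that AllowOverride permits .htaccess in the WordPress directory.

```apache
# Added example: refuse direct HTTP requests for the sensitive files the
# post lists. Assumes Apache 2.4; on Apache 2.2 replace "Require all denied"
# with "Order allow,deny" followed by "Deny from all".

# Version and installer files plus the credentials file (wp-config.php).
# FilesMatch compares the file name only, so this also covers
# wp-admin/install.php in a subdirectory.
<FilesMatch "^(readme\.html|license\.txt|install\.php|wp-config\.php|error_log|fantastico_fileslist\.txt|fantversion\.php)$">
    Require all denied
</FilesMatch>

# Keep .htaccess and .htpasswd themselves from being served.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# Do not list directory contents when no index file is present.
Options -Indexes
```

After uploading the file, requesting one of the protected files in a browser (for example wp-config.php) should return a 403 Forbidden response rather than the file; if it returns 500, check that AllowOverride permits these directives.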
What You Can Do If Your WordPress Site Has Been Hacked
If you can still get into your website’s admin panel, immediately change all usernames and passwords.
If you can restore the site from a backup taken before the hack, do so. If you do restore from backup you may need to change your usernames and passwords again. If your host is not keeping backups, they should. If you're not sure whether the site is backed up, ask your host and ask for a copy of a backup to store on your local computer.
Check your computer for malware. Sometimes hackers get access to sites by hacking a computer first and monitoring your keystrokes. If you type in a username and password they will record it and use it to hack your site. Microsoft has a free malware protection tool. Avoid getting malware in the first place by not clicking on suspicious links in emails, and by not installing programs such as free browser plugins if you do not know the source. Many useful and free programs come bundled with malware.
Change your security keys. Even after you have changed your passwords, hackers can still get into your website because they hold cookies that keep their sessions valid. To eliminate this access you can change your security keys. The WordPress key generator will create new keys for you, which you then paste into your wp-config.php file.
Search through your code for backdoors left by hackers. Strange bits of code whose purpose you cannot identify could have been left behind by hackers to give them the ability to come back at any time. If you have already restored from a backup taken before your site was hacked, this code should not be there; if it is, your backup didn’t go far enough back and you may need to find an older one.
If you can’t restore the site from a backup and it is too difficult to clean out the hacker’s code, it may be easier to start over from scratch. Hopefully you have your content (the text) saved somewhere locally on your computer, or maybe you can scrape it off of what is left of your site. If not, try checking the Wayback Machine to see if they have a cached version of your site. You can also try to check Google’s cache. To do so, search Google for “site:domain.com” (replacing domain.com with your domain name). That should give you a list of all pages on your site which Google has in its database. Under each page you should see a small pulldown menu, and in that menu you select Cached. You can then copy and paste any text that you find. Your next step is to do a brand new installation of WordPress, install your theme (hopefully you still have the theme files) and begin to repopulate your site with its content.
How to Prevent Your WordPress Website from Being Hacked
Keep your WordPress website updated with the latest version of WordPress. WordPress is regularly updated with new functionality and with security measures that help stop hackers.
Use complex usernames and passwords as described above.
Install security plugins such as Better WP Security. It covers most of the WordPress vulnerabilities mentioned earlier in this blog post.
Install WP Security Scan. It will scan your code and look for anything that is out of place like malware. It will also make you aware of any vulnerabilities that it finds.
Change the prefix of your WordPress database tables.
Make the changes described earlier to your .htaccess file to prevent hackers from accessing important files that could expose vulnerabilities if accessed. Also make changes to your .htaccess file to prevent SQL injection and URL hacks.
Move your admin panel login to a URL that is not so easily identified and not common. Limit the number of unsuccessful login attempts.