At Prostack we’re serious about site security, and all our services are designed to help keep your websites safe. However, there are some additional steps you should take to ensure your WordPress site is protected against emerging online threats.
Keep WordPress updated
Make sure you've got the latest version to minimise the risk of an attack. When a new update is available, you will be notified under Dashboard -> Updates. Alternatively, you can set WordPress to update automatically by following the instructions here.
Protect your wp-config.php file
This file contains sensitive information about your website and database connection. Moving the file to a directory above the root WordPress folder for your website can help keep it secure from hackers. For example, if you have installed WordPress in /home/username/public_html/wp you can place the wp-config.php file at the /home/username/public_html/ or even the /home/username/ folder.
Limit Login Attempts
By default, WordPress allows unlimited login attempts to the dashboard. This leaves it open to brute-force attacks, where an attacker submits a large number of requests to the login form to try to guess the password. To help prevent this, you can use a Web Application Firewall (WAF) plugin like Wordfence, which limits repeated failed logins. More details on this plugin can be found here.
Using pre-login Captcha
Having a CAPTCHA installed for your WordPress login page can help prevent automated brute-force attacks. There are a number of plugins that can be installed to enable this. We also recommend you enable a CAPTCHA for any email forms to protect them from automated spamming.
Customize WordPress admin page URL
The majority of WordPress brute-force attacks are conducted on wp-login.php and wp-admin/ pages as they are the key links to an administrator’s login. It’s a good idea to change the WordPress admin area URL to help prevent this. You may use the WPS Hide login plugin to do this – details can be found here.
Disable file editing
If an attacker gains admin access, they can edit theme and plugin files directly from the dashboard's built-in editor. It's a good idea to add the following line to your wp-config.php file, which disables that editor so files cannot be changed from within WordPress:
define('DISALLOW_FILE_EDIT', true);
Block Image Hotlinking
Hotlinking (other sites embedding images served from your server) doesn't necessarily lead to hacking a website. However, it can lead to serious bandwidth usage if any of your website images are used by someone else. To avoid this, you may add the following rules to your .htaccess file, replacing example.com with your domain name:
# Prevent image hotlinking
RewriteEngine on
# Allow requests with no referer (direct visits, some browsers and proxies)
RewriteCond %{HTTP_REFERER} !^$
# Allow requests coming from your own site, with or without www
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/.*$ [NC]
# Everything else asking for an image gets 403 Forbidden
RewriteRule \.(gif|jpg|jpeg|bmp|png)$ - [NC,F,L]
Block PHP Backdoors
By adding the following to a .htaccess file in your site's wp-includes/ and wp-content/uploads directories, you can help prevent potentially malicious content from being executed, including PHP backdoors (the Require syntax shown is for Apache 2.4; older Apache 2.2 servers use Deny from all instead):
<FilesMatch ".+\.php$">
Require all denied
</FilesMatch>
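To check that the wp-config.php, file-editing and PHP-backdoor steps above have actually been applied to an install, here is an added audit script. It is an example written for this guide, not a Prostack tool; it assumes an Apache host where wp-config.php sits either in the docroot or one directory above it, and it builds a small constructed sample site so it can be run offline.

```shell
#!/bin/sh
# Added example, not Prostack's tooling: audit a WordPress docroot for the
# hardening steps above. Each check returns 0 (pass) or 1 (fail).
# wp-config.php is read from the docroot or, once moved, from its parent.
find_wp_config() {
    for cfg in "$1/../wp-config.php" "$1/wp-config.php"; do
        [ -f "$cfg" ] && { echo "$cfg"; return 0; }
    done
    return 1
}
# Passes only once wp-config.php has left the web-served tree.
check_config_moved() { [ -f "$1/../wp-config.php" ] && [ ! -f "$1/wp-config.php" ]; }
# Passes if the dashboard theme/plugin editor is switched off.
check_file_edit_disabled() {
    cfg=$(find_wp_config "$1") || return 1
    grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"
}
# Passes if the directory's .htaccess denies PHP execution (Apache 2.4
# "Require all denied", or the older "Deny from all" form).
check_php_blocked() {
    ht=$1/.htaccess
    [ -f "$ht" ] || return 1
    grep -Eq '<FilesMatch[[:space:]]+"[^"]*\\\.php' "$ht" &&
        grep -Eiq 'Require all denied|Deny from all' "$ht"
}
# Runs every check against one docroot and prints PASS/FAIL per item.
audit() {
    root=$1 rc=0
    for chk in "check_config_moved $root|wp-config.php moved above docroot" \
               "check_file_edit_disabled $root|DISALLOW_FILE_EDIT set" \
               "check_php_blocked $root/wp-content/uploads|PHP blocked in uploads" \
               "check_php_blocked $root/wp-includes|PHP blocked in wp-includes"; do
        if ${chk%%|*}; then echo "PASS ${chk#*|}"; else echo "FAIL ${chk#*|}"; rc=1; fi
    done
    return $rc
}
# Constructed sample site (in scratch dir $1) so this runs offline: editor
# disabled and uploads protected, but wp-config.php still in the docroot and
# wp-includes unprotected, so two checks fail.
make_sample_site() {
    root=$1/wp
    mkdir -p "$root/wp-content/uploads" "$root/wp-includes"
    printf "<?php\ndefine('DISALLOW_FILE_EDIT', true);\n" > "$root/wp-config.php"
    printf '<FilesMatch ".+\\.php$">\nRequire all denied\n</FilesMatch>\n' \
        > "$root/wp-content/uploads/.htaccess"
    echo "$root"
}
tmp=$(mktemp -d) || exit 1
audit "$(make_sample_site "$tmp")" || echo "Some hardening steps are still missing."
rm -rf "$tmp"
```

To audit a real site, call audit with the WordPress folder (for example audit /home/username/public_html/wp) instead of the sample.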
Help! I think my site is hacked – what now?
Don’t panic – just contact support as soon as possible. We may be able to help restore the site to a squeaky-clean version from backups.
It’s important that once you’ve done this, you immediately review your site’s plugins and ensure everything is up to date. Once a site is hacked it’s often a target for reinfection, so it’s important that any vulnerabilities are found and secured as quickly as possible.
We offer a comprehensive suite of security tools to help keep your site safe and sound. You can find out more about our security offerings here.