{"id":320,"date":"2022-02-07T09:25:27","date_gmt":"2022-02-07T09:25:27","guid":{"rendered":"https:\/\/yegara.com\/en\/guide\/?p=320"},"modified":"2022-02-07T09:32:23","modified_gmt":"2022-02-07T09:32:23","slug":"secure-your-wordpress-website-the-complete-guide","status":"publish","type":"post","link":"https:\/\/yegara.com\/en\/guide\/secure-your-wordpress-website-the-complete-guide\/","title":{"rendered":"Secure your WordPress website: the complete guide"},"content":{"rendered":"\n<p><strong>How to protect your WordPress website from security threats, and how to recover if your site has been hacked.<\/strong><\/p>\n\n\n\n<p>Over 40% of all websites across the globe run on WordPress. It\u2019s the\u00a0most popular\u00a0content management system (CMS) available on the internet.<\/p>\n\n\n\n<p>Popularity brings a constant stream of unwanted attention from criminal hackers. This means WordPress website owners need to be aware of all the security measures necessary to safeguard their sites.<\/p>\n\n\n\n<p>As a site owner, you can add more protection by following these tips to make your WordPress site more secure.<\/p>\n\n\n\n<p>WordPress websites are generally hacked into because of poor version control, the use of outdated plugins or themes, brute force login attacks and various other backdoor vulnerabilities. Such attacks can be prevented if you manage the security risks.<\/p>\n\n\n\n<p>The consequences of taking little or no action can be quite stark. A hacked website can have serious repercussions for a business&#8217;s brand image and revenue.<\/p>\n\n\n\n<p>In this comprehensive guide we\u2019ll demonstrate how to protect your WordPress site from criminals. 
First, we\u2019ll identify all of the major weak spots which typically leave a website vulnerable, such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Password settings and brute force attacks<\/li><li>Admin access and user permissions<\/li><li>Version control and updating plugins<\/li><li>Choosing the right secure plugin<\/li><li>Malware scanning<\/li><li>Secure web hosting<\/li><li>Distributed denial of service attacks (DDoS)<\/li><\/ul>\n\n\n\n<p>We\u2019ll then take you step-by-step through a number of simple preventative measures. We\u2019ll demonstrate how to fix a hacked WordPress site and what actions you should take if the worst-case scenario should occur.&nbsp;<\/p>\n\n\n\n<p>So, don\u2019t panic! We\u2019ve got you covered.&nbsp;<\/p>\n\n\n\n<p><strong>It\u2019s a massive guide, so here are some shortcuts for you:<\/strong><\/p>\n\n\n\n<p><a href=\"#adminlogin\" data-type=\"internal\" data-id=\"#adminlogin\">How to protect your WordPress Admin login<\/a><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Change your Admin username \/ Create a new administrator profile<\/li><li>Strong password generators<\/li><li>Two-factor authentication<\/li><li>Brute force attacks<\/li><li>Limit Login attempts<\/li><li>Automatically log out idle users<\/li><li>Security questions on login<\/li><\/ul>\n\n\n\n<p><a href=\"#permissions\" data-type=\"internal\" data-id=\"#permissions\">WordPress user permissions<\/a><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>User roles and responsibilities<\/li><li>How to change permissions in WordPress<\/li><\/ul>\n\n\n\n<p><a href=\"#wordpressadmin\" data-type=\"internal\" data-id=\"#wordpressadmin\">What you can change in the WordPress Admin menu<\/a><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Latest PHP version<\/li><li>Latest WordPress version<\/li><li>Update plugins<\/li><li>Security keys<\/li><li>Disable File editing<\/li><li>Disable PHP file execution<\/li><li>Move the wp-config.php file<\/li><li>Disable Directory Indexing and 
Browsing<\/li><li>Disable XML-RPC in WordPress<\/li><\/ul>\n\n\n\n<p><a href=\"#securedatabase\" data-type=\"internal\" data-id=\"#securedatabase\">Secure your database<\/a><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Database prefix<\/li><li>Backups<\/li><li>Monitor audit logs<\/li><li>Strong passwords<\/li><\/ul>\n\n\n\n<p><a href=\"#malware\" data-type=\"internal\" data-id=\"#malware\">Scan for malware<\/a><\/p>\n\n\n\n<p><a href=\"#securityplugins\" data-type=\"internal\" data-id=\"#securityplugins\">WordPress security plugins<\/a><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Do I need a security plugin?<\/li><li>Best WordPress security plugins<\/li><li>What do they offer and how do they differ?<\/li><li>Which plugin should I choose?<\/li><\/ul>\n\n\n\n<p><a href=\"#ssl\" data-type=\"internal\" data-id=\"#ssl\">SSL certificates<\/a><\/p>\n\n\n\n<p><a href=\"#ddos\" data-type=\"internal\" data-id=\"#ddos\">DDoS protection<\/a><\/p>\n\n\n\n<p><a href=\"#hacked\" data-type=\"internal\" data-id=\"#hacked\">What to do if your site has been hacked<\/a><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>How would I know?<\/li><li>My website has been hacked: what should I do first?<\/li><li>How do I fix a hacked WordPress website?<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\" id=\"adminlogin\"><img loading=\"lazy\" decoding=\"async\" width=\"600\" height=\"450\" src=\"https:\/\/yegara.com\/en\/guide\/wp-content\/uploads\/2022\/02\/What-You-Can-Change.png\" alt=\"\" class=\"wp-image-325\" srcset=\"https:\/\/yegara.com\/en\/guide\/wp-content\/uploads\/2022\/02\/What-You-Can-Change.png 600w, https:\/\/yegara.com\/en\/guide\/wp-content\/uploads\/2022\/02\/What-You-Can-Change-300x225.png 300w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Change your admin username \/ create a new administrator profile<\/h3>\n\n\n\n<p>Every hacker knows the default username for the primary user of a WordPress website is 
\u2018admin\u2019, so it stands to reason that one of the first things you should do is\u2026change it.<\/p>\n\n\n\n<p>This is a fairly simple procedure. In the main dashboard, you can create a new user, which will also allow you to generate a new (unique) username. Then you can delete the original user and, at the same time, say goodbye to \u2018admin\u2019.<\/p>\n\n\n\n<p>You could use the unique email ID \u2013 which is created alongside any new profile \u2013 as your new username. This would add an extra layer of security against any brute force attacks.<\/p>\n\n\n\n<p>If the user profile you\u2019re deleting was initially assigned the role of administrator (usually the case if it was the first user generated), remember to re-assign this role to the new user you\u2019ve created. On deletion of the old profile you should also choose \u2018attribute all content to\u2019 the new Administrator profile in order to transfer and save any historical site content.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Strong password generators<\/strong><\/h3>\n\n\n\n<p>Choosing a strong password is a simple way to protect your WordPress site from a potential cyber attack. Due to the sheer number of passwords we use for different websites, it is becoming more prudent to try and steer clear of passwords littered with upper case, lower case, numbers and symbols \u2013 because they\u2019re harder to remember.&nbsp;<\/p>\n\n\n\n<p>But easy-to-remember passwords are easy to guess.<\/p>\n\n\n\n<p>So we\u2019d recommend using an online tool, which will create a random password for you, such as\u00a0<a href=\"https:\/\/www.strongpasswordgenerator.org\/\">Strong Password Generator<\/a>. 
This site basically does all the heavy lifting by generating a secure password, based on your requirements.\u00a0<\/p>\n\n\n\n<p>A password manager, such as 1Password, LastPass or Dashlane will store all of your passwords for you in a secure environment, so you don\u2019t have to remember them.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Two-factor authentication<\/strong><\/h3>\n\n\n\n<p>Two-factor authentication (2FA) is becoming more common across a host of websites: mainstream sites like Google, Facebook, and Twitter are using it now. As the name suggests, this involves a two-step process. First, a user provides their usual login details to a website. Second, they\u2019re asked to input a passcode. This is sent via another source: usually text, phone app, or email.<\/p>\n\n\n\n<p>2FA is proving to be quite an effective layer of security as it\u2019s nigh-on impossible for crims to have access to both components required for this process. So it really is something you should look to install for your WordPress site.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"brute\"><strong>Brute force attacks<\/strong><\/h3>\n\n\n\n<p>Essentially, a brute force attack is when a criminal tries to guess what your username and password are. It\u2019s an automated attempt to take advantage of any weak online passwords. As these attacks are automated, they can run into tens of thousands each day.<\/p>\n\n\n\n<p>This is precisely why it\u2019s essential you take appropriate steps to create a strong username and password along with implementing two-factor authentication. 
These measures should help prevent any brute force attack on your WordPress website.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Limit login attempts <\/strong><\/h3>\n\n\n\n<p>There are <a rel=\"noreferrer noopener\" href=\"https:\/\/en-gb.wordpress.org\/plugins\/search\/limit+logins\/\" target=\"_blank\">special plugins and online tools<\/a>\u00a0available which will limit the number of incorrect login attempts made on your site.\u00a0 <\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Automatically log out idle users<\/strong><\/h3>\n\n\n\n<p>It\u2019s so easy for a user to become distracted when working on a website: leaving a page open whilst away from a desk, for example. This could allow an opportunist hacker the equivalent of an open goal to make changes. It poses an unexpected security risk.&nbsp;<\/p>\n\n\n\n<p>You\u2019ll note that pretty much all financial websites will automatically suspend any session once activity ceases for more than a few minutes. For a WordPress website, there are a number of security plugins \u2013 specifically&nbsp;<a href=\"https:\/\/wordpress.org\/plugins\/inactive-logout\/\">Inactive Logout<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/wordpress.org\/plugins\/bulletproof-security\/\">BulletProof Security<\/a>&nbsp;\u2013 which are designed to give you the same functionality.&nbsp;<\/p>\n\n\n\n<p>Both are free and offer a range of parameters which will allow you to choose a specific timescale before logging a user out of a session, along with bespoke message settings.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Security questions on login<\/strong><\/h3>\n\n\n\n<p>For additional peace of mind you can also add one or more security questions during the wp-admin login process by installing the&nbsp;<a href=\"https:\/\/wordpress.org\/plugins\/wp-security-questions\/\">WP security questions<\/a>&nbsp;plugin.&nbsp;<\/p>\n\n\n\n<p>Once installed, just visit your settings page and activate the plugin to configure the range of 
specific security questions you wish to set for users.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\" id=\"permissions\"><img loading=\"lazy\" decoding=\"async\" width=\"600\" height=\"451\" src=\"https:\/\/yegara.com\/en\/guide\/wp-content\/uploads\/2022\/02\/WordPress-User-Permissions.png\" alt=\"\" class=\"wp-image-326\" srcset=\"https:\/\/yegara.com\/en\/guide\/wp-content\/uploads\/2022\/02\/WordPress-User-Permissions.png 600w, https:\/\/yegara.com\/en\/guide\/wp-content\/uploads\/2022\/02\/WordPress-User-Permissions-300x226.png 300w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>WordPress user permissions<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">WordPress user roles and responsibilities<\/h3>\n\n\n\n<p>If your site is for your sole use then you will automatically have full administrative access. So user permissions and the various roles available don\u2019t really require any further thought.<\/p>\n\n\n\n<p>As your website user base begins to grow it\u2019s important to consider who else you grant full administrator access to. You can allocate six standard user roles, each with different levels of seniority and capability:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Administrator (can do everything \u2013 recommended to be assigned to just one user, usually the website owner)<\/li><li>Editor (main responsibility is overseeing site content)<\/li><li>Author (main responsibility is creating content)<\/li><li>Contributor (allowed to read, edit and delete their own posts only)<\/li><li>Subscriber (allowed to read posts only)<\/li><li>Super Admin (can do everything across a network of associated WordPress sites, including deleting a site if necessary)<\/li><\/ul>\n\n\n\n<p>The more users given full Administrator access, the more vulnerable your WordPress website could be to cyber attacks. Think carefully about the roles and user permissions you allow. 
In short, don\u2019t give admin access unless absolutely necessary.&nbsp;<\/p>\n\n\n\n<p>Good practice here would be to have one user assigned as an Administrator. Then create a finite number of users well versed in the functionality of your website as editors.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\" id=\"wordpressadmin\"><img loading=\"lazy\" decoding=\"async\" width=\"600\" height=\"450\" src=\"https:\/\/yegara.com\/en\/guide\/wp-content\/uploads\/2022\/02\/WordPress-Menu-1.png\" alt=\"\" class=\"wp-image-329\" srcset=\"https:\/\/yegara.com\/en\/guide\/wp-content\/uploads\/2022\/02\/WordPress-Menu-1.png 600w, https:\/\/yegara.com\/en\/guide\/wp-content\/uploads\/2022\/02\/WordPress-Menu-1-300x225.png 300w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">What you can change in the WordPress Admin menu<\/h2>\n\n\n\n<p>There are a number of actions you can take which can protect your WordPress website from potential security vulnerabilities.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Latest PHP version<\/strong><\/h3>\n\n\n\n<p>WordPress is built on the PHP programming language. All PHP files within your WordPress install can be identified by the .php extension.<\/p>\n\n\n\n<p>You don\u2019t need to know how to code using the PHP scripting language to create a WordPress website. But you do need to perform periodic updates to ensure your site is using the latest PHP version. Each new PHP version will provide features designed to improve the stability, speed and security of your website. It will also fix any bugs that have crept into the system.<\/p>\n\n\n\n<p>As with operating systems, PHP does not provide security support for all the different versions. If your site\u2019s running on an older version, not only are you missing out on new features, but you\u2019ll be exposed to more security vulnerabilities and system bugs. 
Your site may also be slower.<\/p>\n\n\n\n<p>PHP releases new versions regularly, often phasing out an older version at the same time. Each version can usually expect to receive full security support for at least two years once a new version has been released.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Latest WordPress version<\/strong><\/h3>\n\n\n\n<p>Updating the version of WordPress your site is currently using is just as important as updating to the latest PHP version. It\u2019s for the exact same reasons: security, speed, new features and bug fixing.<\/p>\n\n\n\n<p>You can check which version of core WordPress your website is currently using by going to the Updates page on your main dashboard. Minor updates tend to happen automatically, but for major updates you should keep a check on this page. When required, you simply need to click on the \u2018Update Now\u2019 button.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Update plugins<\/strong><\/h3>\n\n\n\n<p>Most sites are hacked through a failure to update plugins. The thousands of plugins available present a very large \u2018attack surface\u2019 for potential hackers with criminal intentions, so it\u2019s essential that you keep an eye on this.<\/p>\n\n\n\n<p>Don\u2019t ignore the Updates page in WordPress Admin. When plugins need to be updated, you\u2019ll get a notification at the top of the page. If you click on that it will take you to the Updates page. The \u2018Update Now\u2019 button appears next to each plugin and theme when necessary.<\/p>\n\n\n\n<p>On the Plugins page, you can also choose to enable automatic updates: worthwhile if you don\u2019t log in to WordPress Admin very often.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Remove unused plugins<\/strong><\/h3>\n\n\n\n<p>It\u2019s also best practice to limit the number of plugins you have installed on your website. 
Only keep those which you actively use and remove any which are no longer necessary.<\/p>\n\n\n\n<p>It will provide a smaller \u2018attack surface\u2019 to nefarious hackers: fewer plugins, fewer vulnerabilities. Doing this may also help speed up your site \u2013 always good!<\/p>\n\n\n\n<p>WordPress is very efficient at providing email notifications to website owners when new updates are available. Hackers can find version numbers in a website\u2019s source code, preying on those sites still operating on older, unsupported versions. So install new versions as soon as you can.\u00a0<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Security keys<\/strong><\/h3>\n\n\n\n<p>A website uses cookies to correctly identify a user when they log in with their username and password. Hackers with bad intentions will look for these cookies in your database in order to decipher the passwords and gain access.<\/p>\n\n\n\n<p>To add an extra layer of protection, WordPress uses security keys and salts to guard the cookies. It encrypts all of the passwords stored in your site\u2019s database, making them much more difficult to crack.<\/p>\n\n\n\n<p>So, for example, an encrypted password might look like this: \u201836g489bd34hg72ed98s0rf\u2019. As you can see this is a significantly harder password to decipher than \u2018123456\u2019. There are four security keys \u2013 AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY \u2013 all with corresponding salts.<\/p>\n\n\n\n<p>You don\u2019t have to invent these passwords yourself: WordPress provides a&nbsp;<a href=\"https:\/\/api.wordpress.org\/secret-key\/1.1\/salt\/\">random generator<\/a>&nbsp;which does this for you.<\/p>\n\n\n\n<p>Once generated, you just need to paste each security key password into the wp-config.php file which can be found in your website\u2019s root folder (usually from line 45 onwards). 
We recommend that you change your security keys and salts on a regular basis.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Disable file editing<\/strong><\/h3>\n\n\n\n<p>WordPress provides a built-in code editor that allows you to edit your theme and plugin files from your Admin dashboard. To view these files you need to click on the \u2018Appearance\u2019 tab followed by \u2018Theme Editor\u2019. For plugins go to \u2018Plugins\u2019 and then \u2018Plugins Editor\u2019.<\/p>\n\n\n\n<p>It\u2019s recommended to remove both these code editors from your site. If a hacker gained access to your dashboard they could use these editors to launch malware or DDoS attacks. Or simply take all of your data.<\/p>\n\n\n\n<p>To disable them all you need to do is add this line of code to your wp-config.php file, above the line which says \u2018That\u2019s all, stop editing! Happy publishing\u2019 (use straight single quotes, not curly ones, or PHP will not parse the line):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ Disable the theme and plugin file editors in the Admin dashboard\ndefine( 'DISALLOW_FILE_EDIT', true );<\/code><\/pre>\n\n\n\n<p>Once you\u2019ve saved these changes, both these file editors are disabled and will no longer show on your Admin dashboard.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Disable PHP file execution<\/h3>\n\n\n\n<p>WordPress keeps a number of directories open for you on your website so you can easily upload new themes, plugins and other content such as videos or images. If hacked, these directories can become a security risk and be used to upload a number of malicious files. These files are made to look like the standard core files used by your website.<\/p>\n\n\n\n<p><a href=\"https:\/\/yegara.com\/wordpress\">WordPress PRO<\/a> users have the luxury of knowing that PHP scripts are blocked at platform level.<\/p>\n\n\n\n<p>If you\u2019re using different hosting you can prevent this from happening by disabling PHP file execution in those directories where they wouldn\u2019t be needed. 
All you need to do is to create a .htaccess file in a text editor such as NotePad and copy this block into it:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Refuse to serve any .php file from this directory.\n# 'deny from all' is the Apache 2.2 syntax; Apache 2.4 still accepts it via mod_access_compat.\n&lt;Files *.php&gt;\n\tdeny from all\n&lt;\/Files&gt;<\/code><\/pre>\n\n\n\n<p>Save the file and upload it to \/wp-content\/uploads\/ on your website, which you can do via your web host\u2019s FTP client or File Manager.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Disable directory indexing and browsing<\/strong><\/h3>\n\n\n\n<p>Disabling directory indexing and browsing ensures that your website\u2019s files can\u2019t be looked at by those seeking to gain access for malevolent purposes.&nbsp;<\/p>\n\n\n\n<p>This is a very quick and simple fix. Remember the .htaccess file mentioned earlier? Well, if you open that up once more in your text editor all you need to do is add the following line into the document:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Options -Indexes<\/code><\/pre>\n\n\n\n<p>Save the file and upload it back onto your server \u2013 and you\u2019re done.\u00a0\u00a0<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Disable XML-RPC in WordPress<\/h3>\n\n\n\n<p>If you use the WordPress app to update and add content remotely to your website then the XML-RPC remote procedure call interface is a useful feature which should remain enabled on your site.<\/p>\n\n\n\n<p>If you don\u2019t do this, we recommend that you disable it, if only to block another line of attack for cyber criminals. The simplest way to do this is to install the&nbsp;<a href=\"https:\/\/wordpress.org\/plugins\/disable-xml-rpc-api\/\">Disable XML-RPC plugin<\/a>. XML-RPC will be disabled once it\u2019s activated. If circumstances change and you need to re-enable XML-RPC, simply reverse the process and deactivate the plugin.<\/p>\n\n\n\n<p>\ud83d\udca1 With <a href=\"https:\/\/yegara.com\/wordpress\">WordPress PRO<\/a>, we get lots of attacks on xmlrpc.php, so we block all attempts by default. 
However, we whitelist applications with a good reputation that need to use it legitimately: like Jetpack. You\u2019re protected as standard with  <a href=\"https:\/\/yegara.com\/wordpress\">WordPress PRO<\/a>  and don\u2019t need to use the above plugin.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\" id=\"securedatabase\"><img loading=\"lazy\" decoding=\"async\" width=\"600\" height=\"450\" src=\"https:\/\/yegara.com\/en\/guide\/wp-content\/uploads\/2022\/02\/Secure-Database.png\" alt=\"\" class=\"wp-image-330\" srcset=\"https:\/\/yegara.com\/en\/guide\/wp-content\/uploads\/2022\/02\/Secure-Database.png 600w, https:\/\/yegara.com\/en\/guide\/wp-content\/uploads\/2022\/02\/Secure-Database-300x225.png 300w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Secure your database<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Database prefix<\/h3>\n\n\n\n<p>If you\u2019re familiar with the file configuration of WordPress sites you\u2019ll know that the database file begins with the prefix \u2018wp_\u2019 followed by your site name \u2013 \u2018wp_yourwebsite\u2019.<\/p>\n\n\n\n<p>When you first set up a WordPress site you should take the option to rename the database table prefix. It doesn\u2019t need to be anything complex \u2013 you could use your name initials \u2013 \u2018yourinitialswp_\u2019 or \u2018wpyourwebsiteinitials_\u2019 will be fine.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Backups<\/strong><\/h3>\n\n\n\n<p>Performing regular backups of our WordPress site data is one thing we all know we should do but it\u2019s surprising how many site owners let this important task fall by the wayside. 
It\u2019s not the most thrilling job in the world but it simply has to be done.&nbsp;&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Monitor audit logs&nbsp;<\/strong><\/h3>\n\n\n\n<p>Keeping a close eye on your WordPress website\u2019s audit log is an effective way of checking user activity and making sure they\u2019re not doing anything which would be outside the permissions you\u2019ve set. If you have lots of users or if you\u2019re managing a number of websites this can become quite a cumbersome task.&nbsp;<\/p>\n\n\n\n<p>The&nbsp;<a href=\"https:\/\/wordpress.org\/plugins\/wp-security-audit-log\/\">WP Activity Log<\/a>&nbsp;plugin does all the hard work for you by creating a handy reference log of all the activity happening on your site. Everything from a user who\u2019s forgotten their password to more malicious login attempts will show here.&nbsp;<\/p>\n\n\n\n<p>\ud83d\udca1 With  <a href=\"https:\/\/yegara.com\/wordpress\">WordPress PRO<\/a> you can view your site\u2019s audit log in your My20i account control panel.\u00a0<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Strong passwords&nbsp;&nbsp;<\/strong><\/h3>\n\n\n\n<p>Set a strong password for your database: it\u2019s good practice. 
When setting the database password make sure you apply the same principles as for the main login \u2013 the more complex you make your password, the harder you make it to hack.&nbsp;<\/p>\n\n\n\n<p>Remember, you can always use an online strong password generator tool to create one for you.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\" id=\"malware\"><img loading=\"lazy\" decoding=\"async\" width=\"601\" height=\"450\" src=\"https:\/\/yegara.com\/en\/guide\/wp-content\/uploads\/2022\/02\/Scan-Malware.png\" alt=\"\" class=\"wp-image-331\" srcset=\"https:\/\/yegara.com\/en\/guide\/wp-content\/uploads\/2022\/02\/Scan-Malware.png 601w, https:\/\/yegara.com\/en\/guide\/wp-content\/uploads\/2022\/02\/Scan-Malware-300x225.png 300w\" sizes=\"auto, (max-width: 601px) 100vw, 601px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Scan for malware<\/strong><\/h2>\n\n\n\n<p>All of the measures mentioned so far in this guide will go a long way to making your website much more secure and safe. But, if you want to be even more proactive you can regularly scan for any malware that may have sneaked onto your site.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong><a href=\"https:\/\/yegara.com\/wordpress\">WordPress PRO<\/a> free on-demand automatic scanner<\/strong><\/h3>\n\n\n\n<p>If you\u2019re using <a href=\"https:\/\/yegara.com\/wordpress\">WordPress PRO<\/a> as your hosting package, we include free malware scanning as part of the package. This software automatically scans your site for malware on a daily basis. It can also conduct a scan \u2018on-demand\u2019, should you identify any suspicious activity on your site.\u00a0<\/p>\n\n\n\n<p>Once each scan is complete, we\u2019ll compile a report on the results which you can view in your control panel. If any malware is spotted we\u2019ll send you an email notification immediately, along with the recommended steps to take. 
Once complete, you can run another scan to make sure everything has now been fixed.\u00a0<\/p>\n\n\n\n<p>Our WordPress Checksum tool works in a similar way (again \u2013 you\u2019ve guessed it \u2013 part of\u00a0 <a href=\"https:\/\/yegara.com\/wordpress\">WordPress PRO<\/a>  !). It checks that your installation matches the official WordPress repository, and can often find core files that have been changed by malware and auto-replace them for you.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Other malware scanning options<\/strong><\/h3>\n\n\n\n<p>If you\u2019d prefer to adopt a more \u2018hands-on\u2019 approach, there are a number of online providers that will be able to perform this service for you, such as&nbsp;<a href=\"https:\/\/transparencyreport.google.com\/safe-browsing\/search\">Google,<\/a>&nbsp;<a href=\"https:\/\/sitecheck.sucuri.net\/\">Sucuri SiteCheck<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/wpsec.com\/\">WPScans<\/a>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\" id=\"securityplugins\"><img loading=\"lazy\" decoding=\"async\" width=\"601\" height=\"450\" src=\"https:\/\/yegara.com\/en\/guide\/wp-content\/uploads\/2022\/02\/Security-Plugin.png\" alt=\"\" class=\"wp-image-332\" srcset=\"https:\/\/yegara.com\/en\/guide\/wp-content\/uploads\/2022\/02\/Security-Plugin.png 601w, https:\/\/yegara.com\/en\/guide\/wp-content\/uploads\/2022\/02\/Security-Plugin-300x225.png 300w\" sizes=\"auto, (max-width: 601px) 100vw, 601px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"securityplugins\"><strong>WordPress security plugins<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Do I need a security plugin?<\/h3>\n\n\n\n<p>The quick answer is: no, not in every case.<\/p>\n\n\n\n<p>It depends on what you\u2019re using WordPress for: if it\u2019s just a small blog then you almost certainly don\u2019t need one if you follow the tips in the post. 
And there are other factors to consider.<\/p>\n\n\n\n<p>More plugins mean longer loading times. Longer loading times lead to fewer people taking the time to read your posts, buy your product or browse your services. Google knows this, so they reward faster-performing sites by giving them higher positions in the search engine results. Performance can affect your bottom line, and security plugins can make loading times longer and conflict with other functions.<\/p>\n\n\n\n<p>So that might be an argument to not use a security plugin. <a href=\"https:\/\/yegara.com\/wordpress\">WordPress PRO<\/a> provides a range of\u00a0secure hosting\u00a0features like the Web Application Firewall (WAF), brute force login protection\u00a0and more. So if you\u2019re a <a href=\"https:\/\/yegara.com\/wordpress\">WordPress PRO<\/a> user you don\u2019t really need one.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Best WordPress security plugins<\/h3>\n\n\n\n<p>You may not get similar protections with other hosting packages, so in this section we\u2019re going to take a closer look at some of the best WordPress security plugins currently available.<\/p>\n\n\n\n<p>The first tip for security plugins is to make sure, whichever you choose, that you select one from a reputable source. 
Don\u2019t download a paid plugin from a site offering it for free!<\/p>\n\n\n\n<p>With this in mind, here\u2019s a list of the ten best security plugins that offer lots of different features to ensure the bad guys don\u2019t break through to your WordPress website:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Wordfence Security<\/li><li>iThemes Security<\/li><li>Sucuri Security<\/li><li>All In One WP Security &amp; Firewall<\/li><li>Defender Security<\/li><li>WP Hide &amp; Security Enhancer<\/li><li>VaultPress<\/li><li>MalCare Security<\/li><li>SecuPress<\/li><li>BulletProof Security<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Which security plugin should I choose?<\/strong><\/h3>\n\n\n\n<p> with the primary task of helping to keep it protected from any unwanted visitors.\u00a0 <\/p>\n\n\n\n<p><a href=\"https:\/\/wordpress.org\/plugins\/wordfence\/\">Wordfence Security<\/a>&nbsp;is arguably the most comprehensive, all-in-one WordPress security and firewall plugin currently available today. There are free and premium packages, both of which offer a significant level of protection for your website. It has a strong web application firewall (WAF) and malware scanning feature. 
It also uses 2FA to defend against brute force attacks (a feature not common on free plugins).&nbsp;<\/p>\n\n\n\n<p>Unlike other plugins, it not only tracks attempts to hack your website but also where this traffic is coming from (Google crawlers, humans or bots).<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\" id=\"ssl\"><img loading=\"lazy\" decoding=\"async\" width=\"601\" height=\"450\" src=\"https:\/\/yegara.com\/en\/guide\/wp-content\/uploads\/2022\/02\/SSL.png\" alt=\"\" class=\"wp-image-333\" srcset=\"https:\/\/yegara.com\/en\/guide\/wp-content\/uploads\/2022\/02\/SSL.png 601w, https:\/\/yegara.com\/en\/guide\/wp-content\/uploads\/2022\/02\/SSL-300x225.png 300w\" sizes=\"auto, (max-width: 601px) 100vw, 601px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>SSL certificates&nbsp;<\/strong><\/h2>\n\n\n\n<p>Acquiring an SSL (Secure Socket Layer) certificate means a website can run on HTTPS (Hyper Text Transfer Protocol Secure) rather than HTTP. An HTTPS site is identified by a padlock symbol next to the website address in a browser. 
Its purpose is to protect data in transit between a browser and a web server.<\/p>\n\n\n\n<p>Make sure you have installed and enabled your SSL certificate: <a href=\"https:\/\/yegara.com\/en\/guide\/how-to-fix-the-not-secure-warning\/\">https:\/\/yegara.com\/en\/guide\/how-to-fix-the-not-secure-warning\/<\/a><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\" id=\"ddos\"><img loading=\"lazy\" decoding=\"async\" width=\"601\" height=\"450\" src=\"https:\/\/yegara.com\/en\/guide\/wp-content\/uploads\/2022\/02\/DDos-Protection.png\" alt=\"\" class=\"wp-image-334\" srcset=\"https:\/\/yegara.com\/en\/guide\/wp-content\/uploads\/2022\/02\/DDos-Protection.png 601w, https:\/\/yegara.com\/en\/guide\/wp-content\/uploads\/2022\/02\/DDos-Protection-300x225.png 300w\" sizes=\"auto, (max-width: 601px) 100vw, 601px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"ddos\">DDoS protection<\/h2>\n\n\n\n<p>Have you ever heard of a website traffic jam?<\/p>\n\n\n\n<p>That\u2019s basically what a Distributed Denial-of-Service (DDoS) attack is. When a large corporate website is \u2018brought down by hackers\u2019, more often than not it\u2019s due to a DDoS attack. The aim of such attacks is to flood a website\u2019s server with more traffic than it can cope with, until eventually it grinds to a halt and breaks.<\/p>\n\n\n\n<p>These attacks aren\u2019t designed to hack into your database files and remove any information. They\u2019re there to cause havoc with your day-to-day business by shutting down your site. They can happen to any website (not just large ecommerce sites) at any time.<\/p>\n\n\n\n<p>All hosting packages come with 1 Tbps+ DDoS protection; for added security you can put your site behind Cloudflare, which offers further options. 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\" id=\"hacked\"><img loading=\"lazy\" decoding=\"async\" width=\"601\" height=\"450\" src=\"https:\/\/yegara.com\/en\/guide\/wp-content\/uploads\/2022\/02\/Hacked.png\" alt=\"\" class=\"wp-image-335\" srcset=\"https:\/\/yegara.com\/en\/guide\/wp-content\/uploads\/2022\/02\/Hacked.png 601w, https:\/\/yegara.com\/en\/guide\/wp-content\/uploads\/2022\/02\/Hacked-300x225.png 300w\" sizes=\"auto, (max-width: 601px) 100vw, 601px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">What to do if your WordPress website has been hacked<\/h2>\n\n\n\n<p>Cybercriminals are in an arms race against security measures. So there\u2019s always a chance that your site will get hacked. If you\u2019re prepared for it, you can mitigate the damage.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How would I know my site\u2019s been hacked?<\/h3>\n\n\n\n<p>There\u2019s a number of signals that would suggest your website has been hacked. Some of the key indicators would be:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>You\u2019re unable to log in with your password\/username<\/li><li>New content has mysteriously appeared on your site without your knowledge<\/li><li>You receive a notification from your hosting provider or security plugin of malicious activity<\/li><li>Your website is redirecting to other websites (dating, gambling sites etc.)<\/li><li>A Google search of your WordPress website returns with a \u2018This site may be hacked\u2019 message<\/li><li>A website user alerts you to unusual content and\/or activity on the website<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>If my website has been hacked, what should I do first?<\/strong><\/h3>\n\n\n\n<p>The first thing to remember is that there\u2019s a process and a fix for this \u2013 so try to remain calm!<\/p>\n\n\n\n<p>Then, if you\u2019re able to do so, move your website offline into maintenance mode. 
This will prevent any more users noticing that your website has been hacked. You can then take steps to fix your website and put it back online.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>How do I fix a hacked WordPress website?<\/strong><\/h3>\n\n\n\n<p>Before you take any further steps, change all of your passwords on the website.<\/p>\n\n\n\n<p>Next, install the Wordfence plugin and scan your site to find which files were altered and which files were added to your site.<\/p>\n\n\n\n<p>Once this is complete you can restore your website using the most recent backup taken before the malware appeared. Diligent website owners will be able to call upon a backup taken very recently. This is why regular backups are so important!<\/p>\n\n\n\n<p>You can now check whether everything is fixed by requesting a fresh scan for any remaining malware (before doing this, it\u2019s worth checking whether any old themes or plugins need to be removed). Keep repeating this step until all malicious files are gone and the scan reports are clean.&nbsp;<\/p>\n\n\n\n<p>Finally, you should perform a full rundown of the security best practices outlined throughout this guide before putting your website back online:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Check user permissions and roles \u2013 are they all as they should be?<\/li><li>Review usernames and admin logins<\/li><li>Change passwords again \u2013 make sure they\u2019re \u2018strong\u2019<\/li><li>Update any plugins and\/or themes<\/li><li>Check that the latest PHP and WordPress versions are installed<\/li><li>Re-install your security plugins and 2FA<\/li><li>Change your secret keys<\/li><li>Remove any unused plugins and disable any functionality on your WordPress website that\u2019s not necessary<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">In conclusion<\/h2>\n\n\n\n<p>The measures outlined in this guide are aimed at giving WordPress website owners the best possible chance of preventing the very real 
threat of a cyber attack.<\/p>\n\n\n\n<p>Unfortunately new vulnerabilities appear all the time, so we can\u2019t say that these best practices will definitely stop a hacker with criminal intentions from breaking into your site. But they can \u2013 and will \u2013 reduce their chances of success significantly.<\/p>\n\n\n\n<p>Take control of your website\u2019s security now: it\u2019s a good habit to develop.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Protect your WordPress website from security threats, and how to recover if your site has been hacked. Over 40% of all websites across the globe run on WordPress. It\u2019s the\u00a0most popular\u00a0content management system (CMS) available on the internet. Popularity brings a constant stream of unwanted attention from criminal hackers. This means WordPress website owners need [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,2],"tags":[],"class_list":["post-320","post","type-post","status-publish","format-standard","hentry","category-how-to","category-security"],"_links":{"self":[{"href":"https:\/\/yegara.com\/en\/guide\/wp-json\/wp\/v2\/posts\/320","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/yegara.com\/en\/guide\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/yegara.com\/en\/guide\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/yegara.com\/en\/guide\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/yegara.com\/en\/guide\/wp-json\/wp\/v2\/comments?post=320"}],"version-history":[{"count":6,"href":"https:\/\/yegara.com\/en\/guide\/wp-json\/wp\/v2\/posts\/320\/revisions"}],"predecessor-version":[{"id":337,"href":"https:\/\/yegara.com\/en\/guide\/wp-json\/wp\/v2\/posts\/320\/revisions\/337"}],"wp:attachment":[{"href":"https:\/\/yegara.com\/en\/guide\/wp-json\/wp\/v2\/med
ia?parent=320"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/yegara.com\/en\/guide\/wp-json\/wp\/v2\/categories?post=320"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/yegara.com\/en\/guide\/wp-json\/wp\/v2\/tags?post=320"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}