Phebey
My WordPress blogs keep getting hacked every few months and old backups have to be deployed.
This is not only super annoying but also takes a lot of my time.
I suppose they intrude my blogs via old plugins. I host more than one domain per shared webspace, why it's hard to pinpoint the problem.
Any advice?
Use a decent security plugin with a lockout facility, change the login URL, use a completely random name for your admin ID and make sure you can't see that ID as the author of posts. That will protect you from amateurs and enthusiasts.
Julia
Use a security plugin with 2-factor authentication.
Andreas
Security plugins are garbage. Most hacks happen because of exploits in software (normally plugins and themes).
If you don't keep them updated, you will get hacked.
I use this plugin on all my sites.
https://en-ca.wordpress.org/plugins/companion-auto-update/
0 hacks to date.
This is just sheer ignorance. If you think that security plugins are garbage and this is advice you give to other people, then you deserve to be hacked.
0 hacks to date proves nothing other than that you have been lucky.
This is no different than saying "locks on doors are garbage, I leave my doors unlocked all the time, zero burglaries to date."
Andreas
That is not ignorance, that's experience talking.
I have seen way too many sites get hacked WITH security plugins.
Almost all hacks happen because of exploits in software. Security plugins offer no protection against that.
You want to keep your site protected, keep your software updated.
Besides not using admin/pass.
Raef » Russ
I just recently cleaned an infected website that was repeatedly infected because the backdoor was outside the standard WordPress installation. So yes, security plugins only know what they know and nothing outside of that.
Russ » Raef
That may be true for SOME plugins, but not all. Wordfence also scans files outside your WordPress installation.
It's rather like a bad builder blaming the tools when the house falls down…
Andreas
Wordfence scanner is okay but not the best. It's also a pile of bloatware.
Security plugins offer very little protection. Hackers and scans don't waste time on those. They focus on the exploits. Why, because that's the fastest way to hack a site, t.
So if your software is not updated, it's not if, but when you get hacked.
Security plugins (unless they offer an update feature) are useless against those attacks.
I see this every day. I host thousands and thousands of websites. I'm fixing numerous per week.
All the ones that are hacked, are the ones that are outdated. And guess what, most will have a security plugin, and people think they are safe. They are not. All they get is a false sense of security.
I heard it all. I have this plugin, I have CloudFlare I have a private server yada yada yada. They all have the same thing in common… Outdated software.
You are free to believe what you want. I have done and seen this too many times.
Jordan
Dealing in absolutes will always bite you in the ass. Even with updated plugins, you can still be hacked. Time to report and resolution is sometimes weeks for a plugin affected by a vulnerability. You're better to look at using modsec rules.
Mamet
1) update plugin a must.
2) get CloudFlare.
3) change login from wp-admin to something else.
4) get Wordfence, iThemes or Sucuri free plugins just to check file permissions and 404s.
Roger
Once hacked there are often files left over that function to reinfect the site.
To properly recover, all infected files must be removed, all rogue admin accounts removed from the database, passwords changed, and vulnerable themes and plugins replaced.
Rahul
Mostly because of the hosting company you are on. Some have good security and some have terrible. I have been in this situation. Which host are you using?
Russ
Are you actually keeping your plugins and themes and WordPress core up to date?
Have you checked that all your plugins are still being maintained and updated? If a plugin has been abandoned and has not been updated in a long time, then it likely has vulnerabilities.
Do you have a security plugin installed?
Thanks. There are a couple of abandoned plugins. I will delete all of them.
Russ » Phebey
That will likely be the cause of your problem.
I would suggest installing Wordfence, which does more than just scan for malware.
It will scan your system for vulnerabilities, and check for abandoned plugins as well as plugins which have been removed from wordpress.org. It is also a web application firewall and will detect and defend from intrusions, injections, brute force logins etc. and will block IPs which attempt anything dodgy.
It also has the option to scan files outside of WordPress.
Additionally you should make sure that the hosting provider's malware scan is enabled in your hosting control panel to pick up any other malware that might be at play. Any decent host should have this option.
If you want a (non free) solution that automatically removes malware, try Malcare: https://malcare.com?src=0A82E8.
Alex
Get rid of any plugins that haven’t been recently updated by the developer, or ones that are obscure and don’t have many reviews. Always use the minimum number of plugins required to run the site properly. Less plugins = less risk.
Rohin
– Update Plugins and themes.
– Try to keep one site per cPanel. We have 200+ sites and we took a wise decision last year to purchase WHM panel and now have 1 site per cPanel and also have hosted some sites on Gcloud and AWS servers too which are highly secure.
– Make sure your config.php doesn't allow editing. This is where most of the SQL injections happen.
– If you have more than 5 sites then I recommend you to use a management system like mainwp where you can update everything in just 1 click from within the system only. Their paid add-ons will allow you to solve the config.php issue too as they have an advanced code addon.
Ron
Two-factor authentication (2FA) + auto update of plugins + Wordfence.
Pierre
Just set everything to 644; your config.ini must be outside of your wp install or set to 444. That will be the first step: a hacker shouldn't be able to write anything into a file.
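The three concrete hardening and clean-up points raised in this thread (disabling in-dashboard code editing in wp-config.php, the 644/444 permission scheme, and leftover PHP droppers that reinfect a cleaned site) as one auditable script; this is an added example, not code from any poster or from WordPress itself. It assumes the site root is passed as the first argument and holds wp-config.php, and uses only POSIX find, grep and awk; the "stop editing" marker it looks for is the standard comment WordPress ships in wp-config.php.

```shell
#!/bin/sh
# Added example (not from the thread): audit and harden one WordPress tree.
# Assumes $1 is the site root holding wp-config.php; POSIX find/grep/awk only.
DEFINE_LINE="define('DISALLOW_FILE_EDIT', true);"

# wp_audit ROOT: print each finding, return the number of findings (0 = clean).
wp_audit() {
    root="$1"; cfg="$root/wp-config.php"; n=0
    # 1. Dashboard plugin/theme editor must be disabled via DISALLOW_FILE_EDIT.
    if ! grep -Eq "define\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true" "$cfg" 2>/dev/null; then
        echo "FINDING: DISALLOW_FILE_EDIT not set in wp-config.php"; n=$((n + 1))
    fi
    # 2. Nothing under the web root may be world-writable (symlinks ignored).
    if find "$root" -perm -002 ! -type l | grep -q .; then
        echo "FINDING: world-writable paths under $root"; n=$((n + 1))
    fi
    # 3. Uploads should hold media only; PHP there is a classic leftover backdoor.
    if find "$root/wp-content/uploads" -type f -name '*.php' 2>/dev/null | grep -q .; then
        echo "FINDING: PHP files inside wp-content/uploads (review and remove)"; n=$((n + 1))
    fi
    return $n
}

# wp_harden ROOT: apply 755 dirs / 644 files, add the define, lock wp-config.php to 440.
# It deliberately deletes nothing; suspicious files are left for human review.
wp_harden() {
    root="$1"; cfg="$root/wp-config.php"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if ! grep -q "DISALLOW_FILE_EDIT" "$cfg"; then
        # Insert above WordPress's "stop editing" marker, or append if it is missing.
        awk -v line="$DEFINE_LINE" \
            '/stop editing/ && !done { print line; done = 1 } { print }
             END { if (!done) print line }' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    fi
    chmod 440 "$cfg"
}
```

Run `wp_audit /path/to/site` first to see what would change, then `wp_harden` and re-audit; anything still flagged under uploads needs a manual look rather than a script.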
Jaan
Your sites get hacked again probably because of your backups. Only real way to get rid of your hacking issue is to reinstall your site, keep your stuff up to date and make sure you have downloaded your plugins from an official source. Also, your host can't protect you if you use plugins or themes with vulnerabilities. Also, deleting hacked files will not help because you never know how your site was hacked in the first place or which files are hacked.