6 steps to clean and harden your Wordpress website Security with the Free Sucuri plugin
If your WordPress website has been hacked, or you need to strengthen your security to prevent a hack, then this tutorial will be a good guide. There are several ways to harden your WordPress website security and you never will be able to discuss all in one short post as this one. Sometimes, implementing a combination of strategies can be a good option. In this post, we will look at steps that will help clean and strengthen the security of your website using the Sucuri security plugin.
This plugin will be useful to Identify, remove, and harden your site even after a hack. Sucuri has devoted years to helping WordPress administrators identify and fix hacked websites. We have put together this guide to help website owners walk through the process of identifying and cleaning a WordPress hack. This is not meant to be all encompassing guide, but if followed should help address 70% of known infections common with WodPress websites. A lot of the guidance is built on the use of the free Sucuri WordPress security plugin.
1.1 Install the Sucuri Plugin
You will begin by installing the free Sucuri plugin. If your WordPress site has been hacked, the free security plugin can help you identify which areas need to be cleaned.
Sucuri actively maintains a free WordPress security plugin with features to enhance security and identify indicators of compromise. This tool will help you perform most of the steps in this guide.
How to install the free Sucuri security plugin:
- Log into WordPress as an admin and go to Plugins
- Type Sucuri Scanner into the field.
- Click Install Now next to Sucuri Security - Auditing, Malware Scanner and Security Hardening.
- Activate the plugin.
1.2 Scan Your Site
You can use the Sucuri plugin to scan your site to find malicious payloads and malware locations. Finish all three steps instantly with this affordable, industry-leading WordPress security plans.
Clean Your Site
To scan WordPress for hacks using the Sucuri plugin:
- Log into WordPress as an admin and go to Sucuri Security Malware Scan.
- Click Scan Website.
If the site is infected, you will see a warning.
If the remote scanner isn't able to find a payload, continue with other tests in the section. You can also manually review the iFrames / Links / Scripts tab of the Malware Scan to look for unfamiliar or suspicious elements.
If you have multiple websites on the same server we recommend scanning them all (you can also use SiteCheck to do this). Cross-site contamination is one of the leading causes of reinfections. We advise every website owner to isolate their hosting and web accounts.
The Malware Scan feature is a remote scanner that browses the site to identify potential security issues. Some issues do not show up in a browser, instead, they manifest on the server (i.e., backdoors, phishing, and server-based scripts). The most comprehensive approach to scanning includes remote and server-side scanners.
You will also want to read: WordPress Performance: How to Find a Slow Plugin
1.3 Check Core File Integrity
Most core WordPress files should never be modified. The Sucuri plugin checks for integrity issues in the wp-admin, wp-includes, and root folders.
How to check core file integrity using the Sucuri plugin:
- Log into WordPress as an admin and go to Sucuri Security > Dashboard.
- Review the Core Integrity section for the current status.
Any modified, added, or removed files could be part of the hack.
If nothing has been modified, your core files are clean.
Note: You may want to use an FTP client to quickly check for malware in directories like wp-content. We recommend using FTPS/SFTP/SSH rather than unencrypted FTP.
1.4 Check Recently Modified Files
You can identify hacked files by seeing if they were recently modified using the audit logs from the Sucuri plugin.
How to check recently modified files using the Sucuri plugin:
Log into WordPress as an admin and go to Sucuri Security > Dashboard.
Review the Audit Logs section for recent changes.
Unfamiliar modifications in the last 7-30 days may be suspicious.
Also read: Best Comment Plugin for WordPress Websites
1.5 Confirm User Logins
You can review the list of recent user logins to check if passwords have been stolen or new malicious users have been created.
How to check recent logins using the Sucuri plugin:
- Log into WordPress as an admin and go to Sucuri Security> Last Logins
- Confirm the list of users and the time they logged on.
Unexpected login dates/times could indicate a user account has been hacked.
General Guide to a Strong WordPress Website Security
Here are some 4 basic steps we have recommended as necessary to secure your WordPress website:
1. Use HTTPS Domains
A secure socket layer can make sure that the information traveling from your site goes directly to the person accessing it. These secured websites are often identified by the HTTPS in front of the domain name. This denotes the site is secured through encryption and is next to impossible to intercept. With SSL, you build customer confidence.
Encrypting the information sent to your visitors eliminates the risk of compromised data transfers. This keeps information safe from snooping while reducing the risks of stealing login credentials. In this environment, by using an SSL on your site, you are helping yourself as well as those who visit your website.
NOTE: Using the HTTPS solution for domains doesn't mean that you are hack-proofing your website. In fact, these focus more on encrypting data transfers from your pages to the visitor. However, it does prevent others from spying on that data transmission and accessing the visitor's login credentials. This information could be used to gain access to the site in order to find other exploits. It's like putting a curtain around an ATM machine. This would give privacy as well as stop someone from looking over a person's shoulder to see the pin code.
Also read: How to Find and Clean Backdoors in a Hacked WordPress Site
2. Index Pages In All Folders
Folders that do not have an index.html page will display contents such as other folders and file systems. This will show the average visitor what exactly is in your website's structure. If you're trying to hide an admin folder or other piece of information, these areas can give hackers a way to identify access points.
This is an easy hole to plug for the most part. A blank index.html will prevent browsers from stumbling across a folder without a page. You will want to check all of your folders to make sure there is a index available. If there isn't one, you can create this using text editor software such as Notepad. Save a blank document as index.html and upload it to the folder in question.
Most attacks are performed on those who are easy targets. Unless you operate a high-risk or very public website, most hackers will quickly give up on something that shows any kind of a resistance. Although this measure won't absolutely stop those who are determined to access your site, it does act as a deterrent. It's a bit like posting a sign in your lawn that says your home is being monitored. Most criminals will move on because the risk is too great for an unknown reward.
3. Routine Tests for Vulnerabilities
The more popular your website becomes, the greater the threat could be for security. By using a cyber-security organization or even security plugins to test your site's functionality, you can address exploits quickly. Usually, these companies and plugins have extensive tools and capabilities that are used to test the limits of your website. When considering the alternatives, having security measures such as these can be enlightening for finding its week points.
An extremely useful procedure is that of penetration analytics. Essentially, you'll hire a cyber security company or use high-end software with the sole purpose of hacking your own site. Since youam're in control during this procedure, there is less of a threat when discovering the holes in security. The resulting reports will show you the weak spots in your site and how to seal them up.
Validate All Code
4. Deny Access Through .htaccess
This had been one of the strongest approach to website security. The .htaccess file can be used to help eliminate access to your login page from any IP address other than your own. Although there are ways to circumvent this measure, it's still a very useful stopgap to prevent those looking for an easy target. This kind of a method is ideal for websites that use WordPress or other content management system. You can edit the .htaccess file with Notepad or use your online editing system such as that provided by cPanel. In the .htaccess file located in your admin folder, enter in the following:
order deny, allow
deny from all
allow from XXX.XXX.XXX.XXX
Also read: How to secure your website from attacks using the .htaccess file
In place of the X, use the connection IP address that is assigned to you b your Internet service provider. In the event you have others working on the site with you, simply add another allow from line under the first with their IP addresses as well.
The downside to this method is that you must keep it updated should your IP address change. Not everyone pays for a static IP address, and many ISPs will change the number you use once every eight days or so. One way to get around this problem is to only input the first two series of the IP address. For example, 123.456. This will allow you to continue accessing those pages from that specific ISP. You can use this method to protect your folders/directories by adding the code above in all folders. Remember that you have to create the .htaccess file before adding the above restriction through the htaccess file.