6 Steps to Clean and Harden Your WordPress Website Security with the Free Sucuri Plugin

If your WordPress website has been hacked, or you need to strengthen your security to prevent a hack, this tutorial will be a good guide. There are many ways to harden WordPress security, more than one short post can cover, and combining several strategies is often the best option. In this post, we will look at steps that help clean and strengthen the security of your website using the Sucuri security plugin.


Also read: Common Problems with WordPress Websites and How to Fix Them

This plugin is useful for identifying and removing an infection and hardening your site, even after a hack. Sucuri has devoted years to helping WordPress administrators identify and fix hacked websites. We have put together this guide to help website owners walk through the process of identifying and cleaning a WordPress hack. It is not meant to be an all-encompassing guide, but if followed it should help address 70% of the known infections common to WordPress websites. Much of the guidance is built on the free Sucuri WordPress security plugin.

1.1 Install the Sucuri Plugin

You will begin by installing the free Sucuri plugin. If your WordPress site has been hacked, the free security plugin can help you identify which areas need to be cleaned.
Sucuri actively maintains a free WordPress security plugin with features to enhance security and identify indicators of compromise. This tool will help you perform most of the steps in this guide.


Also read: Recommended Tips to Keep in Mind When Using WordPress Plugins


How to install the free Sucuri security plugin:


  • Log into WordPress as an admin and go to Plugins
  • Type Sucuri Scanner into the field.
  • Click Install Now next to Sucuri Security - Auditing, Malware Scanner and Security Hardening.
  • Activate the plugin.


1.2 Scan Your Site

You can use the Sucuri plugin to scan your site to find malicious payloads and malware locations.

To scan WordPress for hacks using the Sucuri plugin:

  • Log into WordPress as an admin and go to Sucuri Security > Malware Scan.
  • Click Scan Website.

If the site is infected, you will see a warning.

If the remote scanner isn't able to find a payload, continue with other tests in the section. You can also manually review the iFrames / Links / Scripts tab of the Malware Scan to look for unfamiliar or suspicious elements.

If you have multiple websites on the same server we recommend scanning them all (you can also use SiteCheck to do this). Cross-site contamination is one of the leading causes of reinfections. We advise every website owner to isolate their hosting and web accounts.

The Malware Scan feature is a remote scanner that browses the site to identify potential security issues. Some issues do not show up in a browser; instead they manifest on the server (e.g., backdoors, phishing pages, and server-side scripts). The most comprehensive approach combines remote and server-side scanners.

You will also want to read: WordPress Performance: How to Find a Slow Plugin


1.3 Check Core File Integrity

Most core WordPress files should never be modified. The Sucuri plugin checks for integrity issues in the wp-admin, wp-includes, and root folders.

How to check core file integrity using the Sucuri plugin:

  1. Log into WordPress as an admin and go to Sucuri Security > Dashboard.
  2. Review the Core Integrity section for the current status.

Any modified, added, or removed files could be part of the hack.

If nothing has been modified, your core files are clean.

Note: You may want to use an FTP client to quickly check for malware in directories like wp-content. We recommend using FTPS/SFTP/SSH rather than unencrypted FTP.

1.4 Check Recently Modified Files

You can identify hacked files by seeing if they were recently modified using the audit logs from the Sucuri plugin.

How to check recently modified files using the Sucuri plugin:

  1. Log into WordPress as an admin and go to Sucuri Security > Dashboard.
  2. Review the Audit Logs section for recent changes.

Unfamiliar modifications in the last 7-30 days may be suspicious.
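As an added illustration of what sections 1.3 and 1.4 check (example code written for this post, not part of the Sucuri plugin), the script below compares a WordPress tree against a known-good checksum manifest, reporting modified, added and removed files, and lists files changed within a recent window. The manifest and the file tree in `demo()` are constructed; in a real run the manifest would be the checksum list for the installed WordPress version and `root` would point at the site.

```python
import hashlib
import os
import tempfile
import time


def _walk(root):  # yield (relative path with forward slashes, absolute path)
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def check_integrity(root, manifest):
    """Sorted (modified, added, removed) lists; manifest maps relpath -> expected md5."""
    present = {}
    for rel, full in _walk(root):
        with open(full, "rb") as fh:
            present[rel] = hashlib.md5(fh.read()).hexdigest()
    modified = sorted(p for p, h in manifest.items() if present.get(p, h) != h)
    added = sorted(p for p in present if p not in manifest)
    removed = sorted(p for p in manifest if p not in present)
    return modified, added, removed


def recently_modified(root, days):
    """Sorted relative paths whose mtime falls within the last `days` days."""
    cutoff = time.time() - days * 86400
    return sorted(rel for rel, full in _walk(root) if os.path.getmtime(full) >= cutoff)


def demo():
    """Constructed tree: clean core file, altered core file, missing core file, stray upload."""
    root = tempfile.mkdtemp()
    core = {  # constructed stand-ins for pristine core files
        "wp-settings.php": b"<?php\n// wp-settings.php, constructed sample\n",
        "wp-load.php": b"<?php\n// wp-load.php, constructed sample\n",
    }
    manifest = {p: hashlib.md5(d).hexdigest() for p, d in core.items()}
    manifest["wp-includes/version.php"] = "0" * 32  # listed, absent on disk
    on_disk = dict(core)
    on_disk["wp-load.php"] += b"// line appended after install\n"
    on_disk["wp-content/uploads/x.php"] = b"<?php\n// constructed unexpected file\n"
    for rel, data in on_disk.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    old = time.time() - 90 * 86400  # age the untouched file past the window
    os.utime(os.path.join(root, "wp-settings.php"), (old, old))
    return check_integrity(root, manifest), recently_modified(root, days=30)
```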

Also read: Best Comment Plugin for WordPress Websites

1.5 Confirm User Logins


You can review the list of recent user logins to check if passwords have been stolen or new malicious users have been created.


How to check recent logins using the Sucuri plugin:


  1. Log into WordPress as an admin and go to Sucuri Security > Last Logins.
  2. Confirm the list of users and the time they logged on.

Unexpected login dates/times could indicate a user account has been hacked.

Also read: WordPress Maintenance Tasks You Need to Perform Regularly


General Guide to a Strong WordPress Website Security

Here are 4 basic steps we recommend as necessary to secure your WordPress website:

1. Use HTTPS Domains

Secure Sockets Layer (SSL, today TLS) ensures that information travelling between your site and the person accessing it cannot be read or altered along the way. Secured websites are identified by the HTTPS in front of the domain name, which denotes that the connection is encrypted and next to impossible to intercept. With SSL, you build customer confidence.

Encrypting the information sent to your visitors removes the risk of data being read in transit. This keeps information safe from snooping and reduces the risk of login credentials being stolen. By using SSL on your site, you are helping yourself as well as those who visit your website.

NOTE: Using HTTPS for your domain does not make your website hack-proof. It focuses on encrypting data transfers between your pages and the visitor. It does, however, prevent others from spying on that transmission and capturing the visitor's login credentials, which could otherwise be used to gain access to the site and look for further weaknesses. It is like putting a curtain around an ATM: it gives privacy and stops someone from looking over a person's shoulder to see the PIN.

Also read:  How to Find and Clean Backdoors in a Hacked WordPress Site


2. Index Pages In All Folders

Folders that do not have an index.html page will display their contents, such as subfolders and files, to anyone who browses to them. This shows the average visitor exactly what is in your website's structure. If you are trying to keep an admin folder or other information out of sight, these listings give attackers a way to identify access points.

This is, for the most part, an easy hole to plug. A blank index.html prevents browsers from listing a folder that has no page. Check all of your folders to make sure an index is available. If there isn't one, create it with a text editor such as Notepad: save a blank document as index.html and upload it to the folder in question.

Most attacks are performed on easy targets. Unless you operate a high-risk or very public website, most hackers will quickly give up on something that shows any kind of resistance. Although this measure won't absolutely stop those determined to access your site, it does act as a deterrent. It is a bit like posting a sign on your lawn saying your home is being monitored: most criminals move on because the risk is too great for an unknown reward.


3. Routine Tests for Vulnerabilities

The more popular your website becomes, the greater the security threat can be. By using a cyber-security firm or security plugins to test your site's functionality, you can address exploitable flaws quickly. These companies and plugins usually have extensive tools for testing the limits of your website, and compared with the alternatives, such measures can be enlightening for finding its weak points.

Penetration Attempts

An extremely useful procedure is penetration testing. Essentially, you hire a cyber security company or use specialised software with the sole purpose of attacking your own site. Since you are in control during this procedure, discovering the holes in your security poses less of a threat. The resulting reports show you the weak spots in your site and how to seal them.

Validate All Code

Preventing cross-site scripting (XSS) can save your visitors a great deal of trouble. XSS occurs when someone visits a page that has been injected with a JavaScript payload. That payload can cause a variety of problems, such as impersonating a user through their cookies or playing a part in remotely activating things such as webcams and microphones. Having security software routinely check your website helps eliminate the threat of XSS attacks such as these. By making sure the code is always legitimate, you improve privacy protection for your visitors.


4. Deny Access Through .htaccess

This has long been one of the strongest approaches to website security. The .htaccess file can be used to block access to your login page from any IP address other than your own. Although there are ways to circumvent this measure, it is still a very useful stopgap against those looking for an easy target. This method is ideal for websites that use WordPress or another content management system. You can edit the .htaccess file with Notepad or with an online editor such as the one provided by cPanel. In the .htaccess file located in your admin folder, enter the following:

Order Deny,Allow
Deny from all
Allow from XXX.XXX.XXX.XXX

Also read: How to secure your website from attacks using the .htaccess file

In place of the Xs, use the connection IP address assigned to you by your Internet service provider. If others work on the site with you, simply add another Allow from line under the first with their IP addresses.

The downside to this method is that you must keep it updated should your IP address change. Not everyone pays for a static IP address, and many ISPs change the number you use once every eight days or so. One way around this problem is to enter only the first two octets of the IP address, for example 123.456, which lets you keep accessing those pages from that ISP's range. You can protect other folders/directories the same way by adding the code above to an .htaccess file in each of them; remember that the .htaccess file has to exist in a folder before you can add the restriction to it.
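An added .htaccess example, written for this post rather than taken from it, covering both the directory-listing point from section 2 and the login restriction from this section. It assumes the file sits in the site root next to wp-login.php, and the addresses 203.0.113.10 and 198.51.100.0/24 are RFC 5737 documentation ranges standing in for your own.

```apache
# Added example, not from the post. 203.0.113.10 and 198.51.100.0/24 are
# RFC 5737 documentation addresses; replace them with your own sources.

# Section 2: switch off directory listings server-wide instead of relying
# on a blank index.html in every folder (needs AllowOverride Options).
Options -Indexes

# Section 4, Apache 2.2 syntax: the Order argument is the single word
# "Deny,Allow"; a space after the comma is a configuration error. The rule
# is scoped to the login page rather than the whole wp-admin folder.
<IfModule !mod_authz_core.c>
  <Files "wp-login.php">
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 198.51.100.0/24
  </Files>
</IfModule>

# Apache 2.4 syntax: Require replaces Order/Deny/Allow. A CIDR range covers
# a changing ISP address more precisely than the two-octet prefix trick.
<IfModule mod_authz_core.c>
  <Files "wp-login.php">
    Require ip 203.0.113.10 198.51.100.0/24
  </Files>
</IfModule>
```

Restricting wp-login.php rather than the entire wp-admin folder leaves wp-admin/admin-ajax.php reachable, which many themes and plugins call for logged-out visitors.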


Comments (1)

  • Naman Modi

    Websites get hacked on a daily basis due to little or no security. It is important to check websites for malware. Eventually, the owners lose time and money fixing a problem that could have been easily prevented. I can comfortably say Sucuri is the best and most cost-effective way to secure your website. For $199 / year, it is the best insurance you can buy for your online business. Don't take chances: if government websites can be hacked, so can yours, no matter how safe you think you are. However, it's much better to find out that your website firewall is hacked from a monitoring service rather than finding out from your users, or worse, from Google when they blacklist your website. Look out for other Sucuri reviews for a greater understanding of the service.

    December 31, 2018 at 00:59 AM
