
What are the most important security measures when it comes to a WordPress website?

Shortie

Community Enthusiast
WordPress websites are popular, but even with WordPress you can run into security issues if you do not know what to look out for, or what to do and use to protect yourself against issues that could arise.

What would you say are the most important security measures anyone should take when it comes to a WordPress website?
 
If you’re running a WordPress site, security should be a top priority, as once you start getting traffic you’re also on the radar of bots and hackers. A lot of WordPress hacks happen because site owners get lazy or don’t know what they’re doing.

WordPress itself, themes and plugins: be sure to update them regularly. Outdated software is a hacker’s playground.

If you’re still using admin as your username, change it now. Use strong, unique passwords or, even better, enable two-factor authentication (2FA).

Brute force attacks happen when hackers keep guessing passwords. Use a plugin like Limit Login Attempts Reloaded to block multiple failed attempts.

Something like Wordfence or iThemes Security can help monitor for threats and block malicious activity.

Cheap hosting often means weak security. Go with a reputable host that provides firewalls, malware scanning, and automated backups.

Your wp-config.php file should also be locked down (set to 400 or 440 permissions) so no one can mess with it.

Don’t just set it and forget it. Use tools like Google Search Console, security plugins, and uptime monitoring services to stay ahead of issues.

At the end of the day, security isn’t a “one-and-done” thing, it’s an ongoing process. If you ignore it, you’re basically inviting attackers in. Stay on top of it, and you’ll save yourself a lot of headaches.
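
The brute-force point above, as an added example that is not part of the original post: a login-limiting plugin does this inside PHP, but the same detection can be run over the web server's access log, which also catches attackers who never touch the login form. The script counts failed credential POSTs per client IP in a sliding window and flags IPs that exceed a threshold. The threshold, the window, and the inclusion of xmlrpc.php (which also accepts credentials) are my choices, not the poster's; the log lines are constructed samples in Apache common log format.

```python
"""Flag WordPress login brute-forcing from access-log lines.

Added example (not code from the thread). Counts failed POSTs to
wp-login.php / xmlrpc.php per client IP in a sliding time window and
reports IPs that exceed the threshold. Threshold and window are assumed
values; SAMPLE_LOG is constructed test data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5         # failed attempts tolerated per window (assumed)
WINDOW_SECONDS = 300  # sliding window length in seconds (assumed)

# Apache common log format: ip ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }

def is_failed_login(ev):
    """True for a credential submission that did not succeed.

    With WordPress defaults a successful wp-login.php POST answers with a
    302 redirect and a failed one re-renders the form with 200. xmlrpc.php
    also accepts credentials and is a common brute-force target.
    """
    return (ev["method"] == "POST"
            and ev["path"].endswith(("/wp-login.php", "/xmlrpc.php"))
            and ev["status"] != 302)

def find_brute_forcers(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return {ip: peak failures seen inside one window} for IPs over the threshold."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_failed_login(ev):
            continue
        q = recent[ev["ip"]]
        q.append(ev["time"])
        # Evict failures older than the window so a slow trickle is not penalised.
        while (ev["time"] - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > threshold:
            flagged[ev["ip"]] = max(flagged.get(ev["ip"], 0), len(q))
    return flagged

# Constructed sample: one IP hammering wp-login.php, one legitimate login
# (302), and one IP whose xmlrpc.php attempts are spread across two hours.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2025:06:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3412
203.0.113.7 - - [10/Feb/2025:06:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3544
203.0.113.7 - - [10/Feb/2025:06:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3544
203.0.113.7 - - [10/Feb/2025:06:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3544
203.0.113.7 - - [10/Feb/2025:06:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3544
203.0.113.7 - - [10/Feb/2025:06:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3544
203.0.113.7 - - [10/Feb/2025:06:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3544
198.51.100.20 - - [10/Feb/2025:06:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.20 - - [10/Feb/2025:06:01:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 50210
192.0.2.44 - - [10/Feb/2025:06:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400
192.0.2.44 - - [10/Feb/2025:08:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400
192.0.2.44 - - [10/Feb/2025:08:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400
"""

if __name__ == "__main__":
    for ip, count in find_brute_forcers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed logins within {WINDOW_SECONDS}s")
```

On the constructed sample only 203.0.113.7 is flagged; 192.0.2.44 makes three attempts but never more than two inside one window, which is exactly the case a plain per-IP counter without a window would get wrong. Pipe a real log in with `python3 script.py < access.log` after replacing SAMPLE_LOG with `sys.stdin`, and feed the flagged IPs to the host firewall or fail2ban.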
 
Great points! Security is indeed a top priority, and I unfortunately learned this the hard way earlier this year when my WordPress sites were targeted by hackers. It was a nightmare, but also a huge lesson.

Here's what happened:
In February, I woke up one morning to find that all my websites were completely inaccessible. I couldn’t even log in to the admin panels. Shortly after, I received a threatening email from a hacker demanding payment to 'fix' the situation they had caused. It was clear they had gained unauthorized access, injected malicious code and backdoors, and made my sites unusable.

The hacker had exploited outdated plugins and vulnerabilities in my theme to gain control. They installed malware that created hidden admin accounts and manipulated critical files, making it almost impossible to regain access without thorough cleanup. The most frustrating part was that even after I tried restoring from backups, the malware persisted.

Here's how I managed to take back control:
✅ Scanning for Malware: I installed Wordfence on the few parts of the site I could still access and ran a deep scan. The plugin helped identify numerous infected files and suspicious code injections.
✅ Manual Cleaning: I manually went through the wp-content directory and the wp-config.php file, comparing them to clean backups. The hackers had injected code in seemingly legitimate files, which I carefully cleaned.
✅ Deleting Backdoors: I discovered that the attackers had created hidden user accounts with admin privileges. After identifying them, I deleted those accounts and changed all passwords to strong, randomly generated ones.
✅ Reinforcing Security: I enhanced file permissions (especially wp-config.php) and installed additional security plugins for real-time protection.
✅ Setting Up Automated Backups: I arranged for regular automated backups with my hosting provider to ensure I could quickly restore my sites if needed.

The biggest lesson I learned? Never ignore security updates and always have strong, multi-layered protection in place. It's not just about keeping things running; it's about preventing complete disaster.

If you’re not actively securing your site, you’re basically leaving the door wide open for attackers. Trust me, going through a nightmare like this is not something you want to experience.
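
The cleanup steps above (diff the live tree against a clean backup, hunt for code injected into legitimate files, tighten wp-config.php), as an added example that is not the poster's own code or tooling. It hashes both trees, reports added, modified and missing files, runs the changed PHP files through a short list of patterns typical of injected backdoors (my heuristic list, not a complete one), and checks that wp-config.php is no more permissive than mode 440. The two directory trees are constructed in a temporary directory so the script runs stand-alone.

```python
"""Triage a WordPress tree against a known-clean backup.

Added example (not code from the thread). Reports files added, modified
or missing relative to the clean copy, scans the changed PHP files for
common injected-backdoor patterns, and checks wp-config.php permissions.
build_sample_trees() creates constructed test data in a temp directory.
"""
import hashlib
import os
import re
import stat
import tempfile
from pathlib import Path

# Heuristic patterns typical of injected PHP (assumed list, not exhaustive).
SUSPICIOUS = [
    re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\("),
    re.compile(rb"eval\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)"),
    re.compile(rb"(system|passthru|shell_exec|exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)"),
    # $_POST['f']($_POST['a']) style: request-controlled function name and argument
    re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)"),
    re.compile(rb"assert\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)"),
]

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def tree_hashes(root):
    """Map of relative POSIX path -> sha256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in root.rglob("*") if p.is_file()}

def diff_trees(live, clean):
    """Return (added, modified, missing) relative paths of live compared to clean."""
    live_h, clean_h = tree_hashes(live), tree_hashes(clean)
    added = sorted(set(live_h) - set(clean_h))
    modified = sorted(p for p in live_h.keys() & clean_h.keys() if live_h[p] != clean_h[p])
    missing = sorted(set(clean_h) - set(live_h))
    return added, modified, missing

def scan_for_injections(root, rel_paths):
    """Return {rel_path: [matched patterns]} for PHP files that hit a SUSPICIOUS pattern."""
    hits = {}
    for rel in rel_paths:
        if not rel.endswith((".php", ".phtml", ".inc")):
            continue
        data = Path(root, rel).read_bytes()
        matched = [pat.pattern.decode() for pat in SUSPICIOUS if pat.search(data)]
        if matched:
            hits[rel] = matched
    return hits

def wp_config_too_permissive(root):
    """(is_too_permissive, mode_string): anything beyond 400 or 440 is a finding."""
    mode = stat.S_IMODE(os.stat(Path(root, "wp-config.php")).st_mode)
    return mode not in (0o400, 0o440), oct(mode)

def lock_down_wp_config(root):
    """Set wp-config.php to owner-read-only and return the re-check result."""
    os.chmod(Path(root, "wp-config.php"), 0o400)
    return wp_config_too_permissive(root)

def triage(live, clean):
    added, modified, missing = diff_trees(live, clean)
    report = {"added": added, "modified": modified, "missing": missing,
              "injections": scan_for_injections(live, added + modified)}
    report["wp_config_too_permissive"], report["wp_config_mode"] = wp_config_too_permissive(live)
    return report

def build_sample_trees():
    """Constructed clean and live trees under a temp dir; returns (live, clean)."""
    base = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    clean, live = base / "clean", base / "live"
    theme = "wp-content/themes/demo/functions.php"
    functions_clean = b"<?php\nadd_action('init', 'demo_setup');\nfunction demo_setup() {}\n"
    for root in (clean, live):
        (root / "wp-content/themes/demo").mkdir(parents=True)
        (root / "wp-content/uploads").mkdir(parents=True)
        (root / "wp-config.php").write_bytes(b"<?php\ndefine('DB_NAME', 'wp');\n")
        (root / "wp-config.php").chmod(0o644)  # deliberately too loose
        (root / theme).write_bytes(functions_clean)
    # Live tree only: payload appended to a legitimate theme file, plus a dropped backdoor.
    (live / theme).write_bytes(functions_clean + b"eval(base64_decode('ZWNobyAxOw=='));\n")
    (live / "wp-content/uploads/.cache.php").write_bytes(b"<?php $_POST['f']($_POST['a']);\n")
    return live, clean

if __name__ == "__main__":
    live, clean = build_sample_trees()
    for key, value in triage(live, clean).items():
        print(f"{key}: {value}")
```

Two caveats a practitioner would add. The diff is only as good as the baseline: if the backup was taken after the compromise it will agree with the infected tree, so for core, theme and plugin files a release downloaded fresh from wordpress.org (or `wp core verify-checksums` and `wp plugin verify-checksums` in WP-CLI) is the stronger reference. And file cleanup alone does not remove database-resident persistence such as the hidden administrator accounts described above; list administrators (`wp user list --role=administrator`) and rotate every password, salt and API key after the tree is clean.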
 
What did the email say exactly? Did they ask you for a bitcoin transfer or something? 🤔

What plugins/add ons were you using?
 
Yes, he had hacked my work email. The one that was connected to my website. The hacker sent me the message from my email to my email. It says something like this: I hacked your account, if you want it back, refund $600 in Bitcoin.
 
The number one thing you can do for security on WordPress, other than ensuring all admin logins have 2FA enabled, is to change the default login page from /wp-admin.php to another filename and thus make it that bit harder for someone to "find" the page easily and just start trying logins. Of course, you should never have a "default" username or password either, but that should be common sense for any semi-experienced website owner.
 
