If website hacking is nothing new to you, the hacking of WordPress sites may sound like just another form of it. But relying on the wonderful technology that WordPress provides to post, manage and display your website content, without giving security a second thought, could mean being over-confident or outright ignorant about perils that are already a matter of concern in the wide world of website design.
Any website may be hacked for a variety of reasons: to steal information, to place spammy links, to feed on the traffic a particular website has for someone else's advantage, and much more. The hacking of WordPress sites is not very different. WordPress works almost entirely on its plugins and a well-devised database to create a system where managing dynamic content is a cakewalk for anyone who owns a website. Hackers simply find a vulnerability in a plugin, insert malicious code or edit existing code, and gain access to the database that manages all content. There, they can run SQL commands to manipulate the website's content and pretty much have your website under their control.
Why is WordPress a point of concern?
The turn of events in which a highly desirable and easy technology like WordPress, which grew from a blog-building platform into a tool for website design, became a vulnerable target for hackers to break into is a fairly recent development. The interesting facts related to this phenomenon are:
WordPress's popularity has soared across the world, and it currently accounts for a huge share of the websites built and maintained around the world.
The ease of building websites with WordPress has also lulled website owners into a false sense of security. This is seen mostly among small businesses and startup companies, who are also happy with the smaller investment it needs.
Following from the last point, a large group of website owners don't religiously update their WordPress installations, thereby leaving themselves vulnerable to security loopholes that hackers exploit.
Third-party plugin developers are also putting their customers at risk with plugins that have not been tested enough and were not created with foresight.
Let’s try a more technical view of this scenario.
At the development level, bad coding can create vulnerabilities that hackers can use to their advantage.
At the administrative level, poorly constructed passwords can make access very easy for skilled hackers.
Plugins developed without a good amount of testing and without stable, fool-proof coding can compromise the website's security as a whole.
Website owners/managers who do not bother to do regular WordPress updates put themselves at great risk of falling prey to newer hacking attacks.
So how do I safeguard myself?
It's one thing to operate and manage WordPress modules at an operational level, where you essentially add and edit content for your website. When it comes to making your WordPress website safe from hackers, you definitely need to meet the experts and get things done. Nevertheless, you had better look out for the following cues:
Are there pages on your website failing to appear as expected?
Is your admin area failing to perform at any point?
Have you verified that new plugin you are considering attaching to your website?
Are you getting a lot of spam emails lately?
If any of these cues shows up, it's time to call for technical experts, such as your hosting support, to get your website checked. A few of the measures that can help in preserving your website are:
Take backup of your website data regularly
Change your passwords to stronger ones. The more mixed up and complex, the better
Use WordPress security keys. Your hosting support should know that the file wp-config.php has a place where you can enter the secret security keys that protect the information stored in your cookies. Go to https://api.wordpress.org/secret-key/1.1/ to generate your keys and update your wp-config.php.
Delete plugins that cannot be trusted or those that are not in use anymore
If you can make sense of the error log file, it will tell you which file is causing the issue. You can replace or remove those files.
It is best to upgrade WordPress to the latest version. This also includes your WordPress theme.
Check for file permissions and upload permissions
Use security plugins like the ones listed below:
All in One Security Firewall
iThemes Security (formerly Better WP Security)
Change the WordPress table prefix. This is something your tech support understands and can help you with.
If you have any contact forms on your website, cross-check with the developers that the form is built to core CT standards.
WordPress has made building and maintaining websites a wonderful experience. But as great a tool as it is, it can only serve you to its full caliber when you keep it updated and well-maintained. Your diligence will pay off, with your WordPress installation giving you the great advantage of seamless website performance for a long time into the future.
Some days ago I enabled registration as subscribers on my site. In the last seven days four thousand subscribers have registered on my site. After reviewing the users and their server request logs I found out that those were spam users registered on my site. WordPress is always an easy target for spammers and hackers. I tried to use some code to remove the WordPress users, but later I used the following MySQL commands for removing the WordPress users.
Delete users by date in WordPress with MySQL
When you create or register a user in WordPress, some tables are filled in at that time: entries are inserted into the wp_usermeta table and the wp_users table. If you want to delete users in bulk, you need to delete the user entries from the wp_usermeta table first. You can use the following SQL command to delete the user meta entries from the wp_usermeta table.
DELETE wp_usermeta FROM wp_usermeta, wp_users WHERE wp_users.user_registered > '2013-11-01' AND wp_users.ID = wp_usermeta.user_id;
After deleting the user meta entries from that table, remove the users from the wp_users table using the following command:
DELETE FROM `wp_users` WHERE `user_registered` > '2013-11-01';
Note: before deleting users from the WordPress database, take a database backup. Take the WordPress backup and restore it on a local box to make sure your DB backup file is complete.
Do not delete users from wp_users first. First delete the user meta from wp_usermeta, then execute the second command.
While running a WordPress site, saving RAM is always a great idea, and you can easily improve site performance with simple WordPress theme tricks.
We mostly use the get_permalink() and get_the_title() functions in our WordPress themes. Do not pass the post ID as the parameter.
If you're doing a get_permalink() or get_the_title() call with a post ID, 8 out of 10 times you'll need more of that post than just the permalink, so this isn't really a problem.
Passing the post object is actually already slightly faster than calling get_permalink() with $post->ID (get_post() then only sanitizes the object and adds it to the cache; it doesn't fetch new data), but the real benefit comes when you add a variable called filter to the $post object and set it to "sample". Now you decide whether that post object is going to be cached or not and which variables it contains.
Pass the $post object instead of the post ID.
Do not use custom fields. Your server needs to fire extra custom queries on the MySQL server.
If you are using $wpdb->get_results() or new WP_Query( $args ), then add the ORDER BY clause.
Recently one of my WordPress sites was hacked. There was something wrong happening on the server. We fixed the issue with some steps, and we have given the full steps for fixing the issue. I got to know about it from the disk I/O and CPU usage notification emails.
If a WordPress site is hacked, how to fix the issue
There was something wrong happening on the server.
The first thing I did was check the Apache access logs and error logs. I was getting 100 requests per second from some IP addresses.
I stopped the Apache server and took my database and filesystem backups. I deleted my admin username and added a new administrator with a new username.
You should use the Better WP Security WordPress plugin. It is a very useful plugin.
# BLOCK BAD IPS
# Apache 2.2 access-control syntax: with "Order Allow,Deny", a matching Deny
# overrides the Allow, so the listed IPs get a 403 while everyone else is allowed.
<Limit GET POST PUT>
Order Allow,Deny
Allow from all
# uncomment/edit/repeat next line to block IPs
# Deny from 123.456.789
Deny from 184.108.40.206
Deny from 220.127.116.11
Deny from 18.104.22.168
</Limit>
But the above code was still not helpful to me, because disk I/O and the Apache process were still spending time answering each request with a 403.
Then I blocked the IP addresses on my Linux server using the following commands.
iptables -A INPUT -s 22.214.171.1249 -j DROP
iptables -A INPUT -s 126.96.36.199 -j DROP
iptables -A INPUT -s 188.8.131.52 -j DROP
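The post above found the flooding addresses by reading the Apache access log by hand. The script below is an added example, not part of the original post, that does the same count over Apache combined-format log lines and prints the matching iptables rule for an administrator to review rather than applying it. The log lines are constructed sample data using RFC 5737 documentation addresses, and the function names (flood_ips, login_hits, drop_rules) are this example's own.

```shell
#!/bin/sh
# Added example: count requests per client IP in an Apache combined-format
# access log and print an iptables DROP rule for every IP over a threshold.
# The rules are printed for review, never executed here.
# SAMPLE_LOG is constructed test data; the IPs are RFC 5737 documentation
# addresses, not real clients.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.10 - - [10/Apr/2013:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Apr/2013:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2013:12:00:02 +0000] "GET /index.php HTTP/1.1" 200 5400 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Apr/2013:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Apr/2013:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 300 "-" "-"
192.0.2.55 - - [10/Apr/2013:12:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 300 "-" "-"
203.0.113.10 - - [10/Apr/2013:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2013:12:00:04 +0000] "GET /about/ HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
EOF
)

# flood_ips THRESHOLD  (log on stdin)
# Prints "count ip" for every client IP with more than THRESHOLD requests,
# highest count first. Field 1 of the combined log format is the client IP.
flood_ips() {
    awk -v min="$1" '{ n[$1]++ } END { for (ip in n) if (n[ip] > min) print n[ip], ip }' \
    | sort -rn
}

# login_hits IP  (log on stdin)
# Counts requests from IP aimed at wp-login.php or xmlrpc.php, the endpoints
# a password-guessing botnet hammers; field 7 is the request path.
login_hits() {
    awk -v ip="$1" '$1 == ip && ($7 ~ /wp-login\.php/ || $7 ~ /xmlrpc\.php/) { c++ } END { print c + 0 }'
}

# drop_rules THRESHOLD
# Emits one iptables rule per flooding IP found in SAMPLE_LOG, for review.
drop_rules() {
    printf '%s\n' "$SAMPLE_LOG" | flood_ips "$1" | while read -r count ip; do
        printf 'iptables -A INPUT -s %s -j DROP   # %s requests\n' "$ip" "$count"
    done
}

drop_rules 2
```

On a real server replace SAMPLE_LOG with the access log (for example `flood_ips 100 < /var/log/apache2/access.log`, path assumed) and pick a threshold that fits your normal traffic before acting on the output.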
For the last two months WordPress has been under heavy attack by a malicious botnet. Hackers are using thousands of individual computers and IP addresses. The botnet goes for the most obvious hack attempt: it targets sites with admin as the username and tries to get into the site by guessing the password from a combination of thousands of possible passwords.
WordPress currently powers over 60 million websites and is read by over a quarter of a billion users every month. When survey website W3Techs conducted a survey, it found that 17% of the world's websites are powered by WordPress.
While the attack may only succeed a small percentage of the time, it could result in hundreds or thousands of compromised servers when averaged over the tens of thousands of sites powered by WordPress software.
We can use the following article for changing the admin username.
Update the WordPress version.
WordPress founder Matt Mullenweg advises that if you do these first three “you’ll be ahead of 99% of sites out there and probably never have a problem.”
Use the Better WP Security plugin
As most WordPress attacks are a result of plugin vulnerabilities, weak passwords and obsolete software, Better WP Security hides the places those vulnerabilities live, keeping an attacker from learning too much about your site and keeping them away from sensitive areas like the login and admin pages. Better WP Security takes the best WordPress security features and techniques and combines them in a single plugin, thereby ensuring that as many security holes as possible are patched without having to worry about conflicting features or the possibility of missing anything on your site.
With one-click activation for most features, as well as advanced features for experienced users, Better WP Security can help protect any site.
I did a lot of R&D about installing and updating WordPress plugins without using FTP access, and I found a very nice trick to solve this issue. When you are using shared hosting or a VPS server for WordPress site hosting, you always face issues installing WordPress plugins or themes. The issue happens when you do a WordPress update. Using the following simple steps you can install WordPress plugins and themes without giving FTP access.
Update WordPress plugins without FTP access
I always update WordPress plugins and themes, so providing the FTP credentials every time is a real pain. So I always use the following steps for doing WordPress upgrades.
First you need to add the following code to your wp-config.php file.
WordPress will try to write a temporary file to your /wp-content directory. If this succeeds, it compares the ownership of the file with its own uid, and if there is a match it will allow you to use the 'direct' method of installing plugins, themes, or updates.
Now, if for some reason you do not want to rely on the automatic check for which filesystem method to use, you can define a constant, 'FS_METHOD', in your wp-config.php file that is either 'direct', 'ssh', 'ftpext' or 'ftpsockets', and it will use that method. Keep in mind that if you set this to 'direct' but your web user (the username under which your web server runs) does not have proper write permissions, you will receive an error.
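Before forcing FS_METHOD to 'direct', it helps to know what the automatic check described above would conclude. The script below is an added example, not WordPress code, that repeats that check from the shell: it creates a temporary file in the given directory, compares the file's owner uid with the current process uid, and reports whether direct writes would work. The function names (probe_owner_uid, fs_method_for) and the example path /var/www/html/wp-content are this example's own assumptions; run it as the web server user (for example via sudo -u www-data) to get the answer WordPress would get.

```shell
#!/bin/sh
# Added example (not WordPress code): reproduce the ownership check WordPress
# performs before choosing the 'direct' filesystem method. Run it as the user
# the web server runs as, since that is the uid WordPress compares against.

# probe_owner_uid DIR
# Creates a temporary file in DIR, prints the uid that owns it (GNU stat -c,
# with a BSD stat -f fallback) and removes the file again. Returns non-zero
# when DIR is not writable, which is the "write fails" branch described above.
probe_owner_uid() {
    dir=$1
    probe=$(mktemp "$dir/.wp-fs-probe.XXXXXX" 2>/dev/null) || return 1
    uid=$(stat -c %u "$probe" 2>/dev/null || stat -f %u "$probe")
    rm -f "$probe"
    printf '%s\n' "$uid"
}

# fs_method_for DIR
# Prints "direct" when a file created in DIR is owned by the current uid, so
# PHP's own file writes will succeed; "ftp-or-ssh" when the file exists but is
# owned by someone else, the case where WordPress falls back to asking for
# credentials; "unwritable" when no file could be created at all.
fs_method_for() {
    owner=$(probe_owner_uid "$1") || { printf 'unwritable\n'; return 0; }
    if [ "$owner" = "$(id -u)" ]; then
        printf 'direct\n'
    else
        printf 'ftp-or-ssh\n'
    fi
}

# Usage on a real install (path is an assumption):
#   fs_method_for /var/www/html/wp-content
```

If the result is anything other than "direct", setting FS_METHOD to 'direct' will only produce the write-permission error mentioned above; fix the ownership of wp-content for the web server user first.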