
WordPress Website Hacking

Thousands of websites have been hit.  You wake up one day and your website is gone.  Your beautiful website is replaced with the words "you've been hacked" and strangely haunting music begins to play on your page.

You call your web host in a panic, but for many it's too late.  You waited too long and the backup copy has already been overwritten with the corrupted copy.  The web host is barely sympathetic and blames YOU for running a low-security website.

Now you have to start from scratch rebuilding weeks and months (if not years) of creative work.

Most of these hackings are random events.  However, for websites that have been specifically targeted by an angry hacker, even the experts have a hard time defending you.

What are the smart things you can do?

1. Ask your web host how to use the backup features in cPanel to regularly download an entire backup of your website onto your computer.  This can be used to restore your work if the web host's own backup gets overwritten by a hacked copy.  Do not keep a backup on your website!  After downloading your copy, delete it from the server.

2. When you build your website keep a text document of each article and page along with images and relevant files neatly organized in appropriate folders on your computer.  This can be used to rebuild your website in the worst case scenario.  

3. Sometimes after repeated hackings it's better to simply delete the entire website and start from scratch, as important components of the website automation have been compromised, permitting repeated access by the hacker.

4. Log in to your WordPress backend no less than once per week, update all the plugins and move to the latest version of WordPress.  After updating the plugins, do a reinstall of WordPress once again.  (This only takes one click.)

5. Never leave the original default "admin" username in place.  Always change it to something that is hard to guess.

6. Remove all WordPress themes that are not in use. 

7. Keep a relationship with your theme provider so you can update to the latest versions when they become available.

8. Regularly change your cPanel and WordPress passwords.  Always use a mix of upper and lower case letters, numbers and special characters such as @, %, # etc.  Stay away from dictionary words.  Try building an acronym that only has meaning to you.

More Advanced:

10. Set permissions on wp-config.php to 400 using your secure FTP program or the cPanel File Manager.  400 allows only the file "owner" to "view" it, but not "write" or "execute."  "Group" and "World" users are not allowed any access whatsoever: their boxes should all be unchecked.

How to change permissions in cPanel:

  1. Log in to your cPanel.
  2. Click on File Manager, select "show hidden files" and go to "web root".
  3. Click on the wp-config.php file and then select "Change Permissions".
  4. Uncheck all the boxes except "read" under "owner".
  5. Click the "Change" button at the bottom to complete the process.
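For hosts that give you SSH access, the same permission check can be scripted. This is an added example, not part of the original post: the function names are hypothetical, and the backup file patterns (for the advice in item 1 about not leaving backups on the server) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print a file's octal permission bits (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' -- "$1" 2>/dev/null || stat -f '%Lp' -- "$1"
}

# Audit wp-config.php under the WordPress root given as $1.
# With "fix" as $2, tighten it to 400 and report the change.
# Prints one status line; returns 0 for OK/FIXED, 1 for WEAK, 2 if unusable.
audit_wp_config() {
    cfg="$1/wp-config.php"
    if [ -L "$cfg" ] || [ ! -f "$cfg" ]; then
        echo "SKIP $cfg (missing or a symlink)"
        return 2
    fi
    mode="$(file_mode "$cfg")"
    if [ "$mode" = "400" ]; then
        echo "OK $cfg $mode"
        return 0
    fi
    if [ "${2:-report}" = "fix" ]; then
        chmod 400 -- "$cfg" || return 2
        echo "FIXED $cfg $mode -> $(file_mode "$cfg")"
        return 0
    fi
    echo "WEAK $cfg $mode"
    return 1
}

# List archives or database dumps left directly in the web root.
# The file patterns are assumptions; adjust them to how your backups are named.
list_leftover_backups() {
    find "$1" -maxdepth 1 -type f \
        \( -name '*.tar.gz' -o -name '*.zip' -o -name '*.sql' \) | sort
}

# Usage: sh wp-audit.sh /path/to/web/root [fix]
if [ "$#" -gt 0 ]; then
    list_leftover_backups "$1"
    audit_wp_config "$@"
fi
```

Mode 400 only works when PHP runs as the same user that owns the file. If the site stops loading after the change, ask your web host which user PHP runs as before loosening the permissions.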

11. Realize that your computer may have a trojan that permits another party to spy on whatever you are typing.  Not only is this potentially bad for identity theft, but it also causes a slow web surfing experience and wears out your computer much faster.  Ironically, children's game websites and fun Facebook apps are often a source of these destructive trojans.  Most mainline antivirus programs do a terrible job of defending against this type of virus.  For expert help with removal visit


CashBoxHosting takes Extra Steps

Choose a web host that keeps double backups of your website content.   (CashBoxHosting takes this step.)
