To avoid your website being hacked, you should follow these recommendations:
- Keep up with updates to your CMS platform and its plugins (release information is published on the CMS's official website) and always make sure you have the latest versions installed.
- Use only official themes and plugins offered by your CMS. Nulled versions of paid scripts are extremely likely to be infected.
- Use strong passwords containing at least 8 characters, including numbers and uppercase and lowercase letters. Weak passwords are very easy to crack.
- Make sure antivirus software is installed on your computer and is always up to date.
- Use only the current version of your browser.
- Do not store your passwords in your FTP client, as viruses often target FTP clients.
- Set correct permissions on your website's directories and files. Try not to use ‘777’ permissions, as these grant any user full access (read, write and execute) to the directories and files of your account. ‘777’ permissions should be used only where they are essential.
- You can deny all requests to the xmlrpc.php file by adding the following rules to your .htaccess file:
  # Block WordPress xmlrpc.php requests
  <Files xmlrpc.php>
  order deny,allow
  deny from all
  </Files>
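To make the permissions recommendation above checkable, here is an added shell example (not code from the original article or from AliDropship) that lists every world-writable directory and file under a web root and resets them to the conventional 755 for directories and 644 for files. The web root path is an assumption passed as an argument; run it against a staging copy first if your application needs a writable upload directory.

```shell
#!/bin/sh
# Added example (not part of the original article): audit a web root for
# world-writable ('777'-style) directories and files and reset them to the
# usual 755 (directories) / 644 (files). The web root is an assumed argument.

# Print every directory or regular file under $1 whose permission bits allow
# writing by "others" (the last digit of the octal mode includes 2).
find_world_writable() {
    find "$1" -perm -002 \( -type d -o -type f \) -print
}

# Number of such paths under $1; used to decide whether a fix is needed.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Reset permissions under $1: directories to 755, regular files to 644.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Usage (assumed web root path):
#   count_world_writable /var/www/example.com
#   find_world_writable /var/www/example.com
#   fix_permissions /var/www/example.com
```

The audit function is separate from the fix so you can review the list before changing anything; directories such as an uploads folder that the web server must write to should be owned by the web server user rather than opened to everyone.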
If you find that your website has been infected, or you are notified that malicious software was detected in your account, do the following:
- Check your computer for viruses and delete any malicious software found. You can restore your website from its backup copy if necessary.
- Update your CMS and all plugins and extensions to the latest stable version.
- Change the passwords for your hosting account and database user, the FTP passwords of all additional accounts, and your website admin password.
Your website might become a hacking target
The most frequent causes of a website infection are:
- Vulnerabilities in the CMS platform you use;
- Vulnerabilities in the CMS extensions (plugins, themes and modules) you have installed;
- Viruses that spread from your computer.
As a rule, attackers hack websites automatically, using software developed for this purpose. Once your website is hacked, malicious code is placed in its files; that is why it is important to keep your CMS platform and all your plugins updated.
Changing your WordPress login page URL
Everyone knows the standard WordPress login page URL: you just need to add /wp-admin or /wp-login.php to the end of your domain name.
That is why such pages become the target of brute force attacks.
To protect your site from such attacks, it is recommended to customize your login page URL.
An easy way to change this URL is to use the free version of the Protect WP-Admin plugin.
Please note that we do not recommend using the WP Cerber plugin for this purpose, since it uses very strict blocking rules that may block even legitimate login attempts. Furthermore, the WP Cerber plugin is currently not compatible with the AliDropship plugin: it may cause a 403 error when importing products with the AliDropship Google Chrome extension.
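Whether or not you move the login URL, it helps to know when the default one is being hammered. The following added shell example (not from the original article or from any of the plugins mentioned) counts POST requests to wp-login.php per client IP in an Apache-style access log and flags IPs over a threshold. The log lines are constructed sample data, and the log file location is an assumption.

```shell
#!/bin/sh
# Added example (not part of the original article): flag brute-force attempts
# against the default WordPress login URL by counting POST requests to
# wp-login.php per client IP in an Apache combined/common access log.

# Constructed sample log lines (not real traffic): one client posts to the
# login page repeatedly, another logs in once and browses normally.
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 5678
198.51.100.7 - - [10/Oct/2023:13:56:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0'

# Read an access log from stdin and print "count ip" for every client IP that
# POSTed to wp-login.php at least $1 times (default 5), busiest first.
# Field layout of the common log format: $1 = client IP, $6 = "METHOD
# (with the opening quote), $7 = request path.
flag_login_bruteforce() {
    threshold=${1:-5}
    awk -v t="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= t) print hits[ip], ip }
    ' | sort -rn
}

# Usage with the constructed sample:
#   printf '%s\n' "$SAMPLE_LOG" | flag_login_bruteforce 5
# Usage against a real log (assumed path):
#   flag_login_bruteforce 20 < /var/log/apache2/access.log
```

A single legitimate user rarely submits the login form more than a handful of times in a short window, so the threshold can be low; IPs the script reports are candidates for a temporary block at the web server or firewall rather than an automatic ban, which is exactly the over-blocking problem mentioned above.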