- Code can be injected into the WordPress MySQL database or the .htaccess file.
- Files can be uploaded to the server that contain malicious code or PHP backdoor.
- Files already on the server, such as your theme files, can be modified.
- Users with administrative privileges can be added to your WordPress database.
- Numerous posts and pages can be published containing spam code.
- Your site can be redirected to malware sites.
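The fourth item in the list above (administrators quietly added to the database) is one a site owner can check for directly. The following is an added example, not code from the original article: it reads the two WordPress tables that define user roles (wp_users and wp_usermeta, with the role stored as a PHP-serialized array in the wp_capabilities meta value) and flags any administrator who is not on an allow-list the owner maintains. The sample rows, the user names and the allow-list are constructed for the demonstration, and an in-memory SQLite copy stands in for the real MySQL database; the table prefix wp_ is WordPress's default and is configurable in wp-config.php.

```python
import re
import sqlite3

# Constructed sample data: a minimal copy of the two WordPress tables that
# define who is an administrator. In a real audit, query the live MySQL
# database (or a mysqldump restored locally) instead of this in-memory
# SQLite stand-in. Table and column names match WordPress's defaults.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com", "2021-02-01 10:00:00"),
    (2, "editor_bob", "bob@example.com", "2022-06-14 08:30:00"),
    (3, "wp_sup0rt", "unknown@example.net", "2024-11-03 03:12:45"),
]
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]

# wp_capabilities is a PHP-serialized array whose keys are role names and
# whose values are booleans. This regex pulls out the keys set to true.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def load_sample_db():
    """Build the in-memory stand-in for the WordPress database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, "
                 "user_email TEXT, user_registered TEXT)")
    conn.execute("CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, "
                 "meta_value TEXT)")
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?,?,?)", SAMPLE_USERMETA)
    return conn


def roles_from_capabilities(serialized):
    """Return the set of roles granted (value true) in a wp_capabilities blob."""
    return set(ROLE_RE.findall(serialized))


def find_administrators(conn):
    """Return (login, email, registered) for every user with the administrator role."""
    rows = conn.execute(
        "SELECT u.user_login, u.user_email, u.user_registered, m.meta_value "
        "FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' ORDER BY u.ID"
    ).fetchall()
    return [(login, email, registered)
            for login, email, registered, caps in rows
            if "administrator" in roles_from_capabilities(caps)]


def unexpected_administrators(conn, known_admins):
    """Administrators that are not on the site owner's allow-list."""
    return [a for a in find_administrators(conn) if a[0] not in known_admins]


if __name__ == "__main__":
    db = load_sample_db()
    # The allow-list is the owner's own record of legitimate admin accounts.
    for login, email, registered in unexpected_administrators(db, {"alice"}):
        print(f"UNEXPECTED ADMIN: {login} <{email}> registered {registered}")
```

Run it on a schedule against a read-only database user and alert on any non-empty result; the registration timestamp in the output is usually the quickest clue to when the account appeared.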
10 Best Ways to Protect a WordPress Site from Getting Hacked
1. Keep WordPress themes, plugins, and core up to date
Constantly updating core, themes, and plugins is tedious, but developers release these updates for a reason: most of them contain security fixes. Old core, themes, and plugins become obsolete quickly and leave your site vulnerable to attackers.
2. Keep your server clean
Delete unused copies of WordPress on the server. It’s easy to forget these exist. Unused WordPress files, plugins and themes can be exploited even if they are inactive and not associated with your current install.
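Items 1 and 2 together amount to one question: which copies of WordPress are on this server, and which version is each one running? The following is an added example, not code from the original article. It walks a document root, identifies every WordPress copy by its wp-includes/version.php file (which declares $wp_version), and classifies each as current, outdated, or a stray copy that should simply be deleted. The directory layout it builds is constructed for the demonstration; the "latest version" is passed in as an argument rather than fetched, so in practice you would supply the value reported by the WordPress.org version-check API (https://api.wordpress.org/core/version-check/1.7/) or by wp core check-update.

```python
import os
import re
import tempfile
from pathlib import Path

# Every WordPress copy ships wp-includes/version.php containing a line like:
#   $wp_version = '6.5.2';
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def find_wordpress_installs(docroot):
    """Return sorted (install_dir, version) pairs for every WordPress copy
    below docroot, including forgotten ones under paths such as /old."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        if os.path.basename(dirpath) == "wp-includes" and "version.php" in filenames:
            text = Path(dirpath, "version.php").read_text(encoding="utf-8", errors="replace")
            m = VERSION_RE.search(text)
            found.append((os.path.dirname(dirpath), m.group(1) if m else "unknown"))
    return sorted(found)


def version_tuple(v):
    """Turn '6.5.2' into (6, 5, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def report(docroot, latest_version, live_install):
    """Classify installs: the live one if current, the live one if outdated,
    and stray copies (anything that is not the live install)."""
    result = {"current": [], "outdated": [], "stray": []}
    for path, version in find_wordpress_installs(docroot):
        if os.path.abspath(path) != os.path.abspath(live_install):
            result["stray"].append((path, version))
        elif version == "unknown" or version_tuple(version) < version_tuple(latest_version):
            result["outdated"].append((path, version))
        else:
            result["current"].append((path, version))
    return result


def make_sample_docroot(base=None):
    """Constructed sample tree: a live site at the root plus a forgotten
    copy under /old. Versions here are made-up values for the demo."""
    if base is None:
        base = tempfile.mkdtemp(prefix="wp-audit-")
    for rel, version in (("", "6.5.2"), ("old", "5.8.1")):
        inc = Path(base, rel, "wp-includes")
        inc.mkdir(parents=True, exist_ok=True)
        (inc / "version.php").write_text(f"<?php\n$wp_version = '{version}';\n")
    return base


if __name__ == "__main__":
    docroot = make_sample_docroot()
    # Assumed latest release for the demo; fetch the real value in practice.
    for status, installs in report(docroot, "6.5.2", docroot).items():
        for path, version in installs:
            print(f"{status:9} {version:8} {path}")
```

Anything in the stray list is exactly what item 2 says to remove; anything in the outdated list is item 1's job. Running this from cron and diffing against the previous run also catches a new copy appearing where none should be.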
3. Run a WordPress security plugin
Security plugins handle admin security, block malicious URLs and requests, block all automated spambot comments, hide your WordPress admin and login pages, prevent brute-force attacks on your login and automated bot logins, monitor login activity and restrict username sharing through user session management, and let you review admin activity in a detailed audit trail log.
4. Use better web hosting
Hosting companies like WP Engine, SiteGround, and Bluehost have your back when it comes to security. They routinely run security scans and will clean your hacked site for free. Still, you can hire Sucuri to avoid a newbie hosting company employee cleaning your site and missing something, given the new 30-day Google ban.
5. Use strong passwords
You need long, difficult, unmemorable passwords. You can no longer use the same password on every internet account, or use your dog’s name, favorite soft drink, or band name. Get a password manager like 1Password to keep track of all your passwords.
6. Check your plugins and themes for continued support
Don’t use plugins and themes that are no longer maintained. If your plugin or theme hasn’t been updated in a year or more, replace it. This can be a huge problem with themes. When you shop for a theme or plugin, look for one with current support requests that have been answered in a timely manner, good star ratings, and recent, frequent updates.
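The three signals named above (time since the last update, star rating, and whether support requests get answered) are all exposed by the WordPress.org plugin information API, so the check can be automated instead of done by eye. The following is an added example, not code from the original article. It scores plugin records in the shape returned by https://api.wordpress.org/plugins/info/1.0/<slug>.json; the two sample responses are constructed (real field names, made-up values), the date format assumed for last_updated is "YYYY-MM-DD h:mmam GMT", and the thresholds (365 days, rating 80, half of support threads resolved) are assumptions you would tune.

```python
import json
import re
from datetime import date, timedelta

# Constructed sample responses in the shape of the WordPress.org plugin info
# API. Only the fields this check reads are included; the values are made up.
SAMPLE_RESPONSES = {
    "well-kept-forms": json.dumps({
        "name": "Well Kept Forms", "version": "3.2.1", "rating": 92,
        "num_ratings": 410, "last_updated": "2024-11-20 9:15am GMT",
        "tested": "6.7", "support_threads": 40, "support_threads_resolved": 35,
    }),
    "ancient-gallery": json.dumps({
        "name": "Ancient Gallery", "version": "1.0.4", "rating": 58,
        "num_ratings": 12, "last_updated": "2019-03-02 4:40pm GMT",
        "tested": "5.1", "support_threads": 9, "support_threads_resolved": 1,
    }),
}

# Fixed "today" so the demo is reproducible; use date.today() in practice.
SAMPLE_TODAY = date(2025, 1, 15)

# Assumed format: the API's last_updated string begins with an ISO date.
DATE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})")


def parse_last_updated(value):
    """Return the date part of a last_updated string, or None if unparseable."""
    m = DATE_RE.match(value or "")
    return date.fromisoformat(m.group(1)) if m else None


def assess_plugin(raw_json, today, max_age_days=365, min_rating=80,
                  min_resolved_ratio=0.5):
    """Apply the article's three criteria to one plugin record and explain
    every failure, so the output is a review aid rather than a bare verdict."""
    info = json.loads(raw_json)
    last = parse_last_updated(info.get("last_updated"))
    reasons = []
    if last is None or (today - last) > timedelta(days=max_age_days):
        reasons.append(f"no update in over {max_age_days} days")
    rating = info.get("rating", 0)
    if rating < min_rating:
        reasons.append(f"rating {rating} below {min_rating}")
    threads = info.get("support_threads") or 0
    resolved = info.get("support_threads_resolved") or 0
    if threads and resolved / threads < min_resolved_ratio:
        reasons.append(f"only {resolved} of {threads} support threads resolved")
    return {"name": info.get("name"), "last_updated": last,
            "ok": not reasons, "reasons": reasons}


def assess_all(responses, today):
    """Assess a {slug: raw_json} mapping, e.g. one entry per installed plugin."""
    return {slug: assess_plugin(raw, today) for slug, raw in responses.items()}


if __name__ == "__main__":
    for slug, verdict in assess_all(SAMPLE_RESPONSES, SAMPLE_TODAY).items():
        status = "OK     " if verdict["ok"] else "REPLACE"
        print(f"{status} {slug}: {', '.join(verdict['reasons']) or 'passes all checks'}")
```

To run it against a real site, feed it the slugs of the installed plugins (the directory names under wp-content/plugins, or the output of wp plugin list) and the API response for each; a plugin that fails the age check is the one the article says to replace.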
7. Don’t log in on public WiFi networks
If you log in to your WordPress site on a public network, you are essentially giving your login credentials away to anyone else on the network who might be running packet-sniffing software. If you don’t have an SSL certificate installed on your site, use a VPN to encrypt your traffic on the network.
8. Install an SSL certificate on your site
This encrypts the data that you and your users transfer to and from the site, such as when submitting contact forms or using login pages. Otherwise, data is transferred like a postcard in the mail: anyone who’s looking can read it.
9. Protect your computer and home network
Run virus scans regularly, especially if you run Windows. Be careful about the sites you visit. You can inadvertently give your WordPress login away through a keystroke-logging Trojan that steals your passwords as you type them. Protecting your computer is often about not visiting websites that distribute malware and ransomware.
10. Back up your site
While backups are not always much help in recovering from a WordPress hack, they are essential for disaster recovery, especially when it comes to damage to your database, which is where all your site content is stored.