How to Prevent Your Website From Being Hacked & Other Malware Issues 🛡

The Hosting Provider is rarely the weak point. The weak point is that you did not keep up with WordPress security updates or you bought a theme or plugin that was no longer maintained.

  • Secure each computer that has admin access to your website - anti-virus, anti-malware, etc.

  • Install the free Bulletproof Security plugin. Your main defense is your .htaccess file and many of the other “security” plugins do NOT adjust this file accordingly.

  • Use SFTP, never FTP.

  • Use LastPass or a similar utility to generate and save a unique complex password for EACH website you access with a username and password. Then run the LastPass Security Check to identify which sites are using the same password and then CHANGE them.

  • If you have multiple domains make sure EACH DOMAIN is installed in its own cPanel (you can do this with subdomains too). Then make sure the cPanel password is unique for EACH DOMAIN. Otherwise, if your cPanel password is hacked, the hacker will have access to ALL your domains (especially if you have used free Addon domains).

  • Make sure you always have a recent full backup, know where it is and how to do a restore BEFORE you need to.

  • Take advantage of all security features offered by your DNS registrar to SECURE YOUR DOMAIN NAME.

  • Use two factor authentication whenever possible.


WordPress Guide

Step 1.

Update WordPress whenever a new update is released. It’s your site, take care of it. Updating is done via the Dashboard and is easy to do.

Step 2.

Update all plugins and themes as well. I advise logging into your dashboard once a day for less than 1 minute, and you can stop most hacks except for the rare zero-day exploit.

Step 3.

Get an easy-to-remember and secure password. I told people to assemble 3 random objects on or near their desk, line them up and snap a photo of them. In my case now my random objects would be cup, hammer and remote. I would move them into an easier-to-remember order, so it would be remotecuphammer. Then, to make it a bit harder, I would put sequential numbers in the middle of each word and then follow that with 4 non-sequential numbers I find interesting and will remember (that is not a birthday of you or your child or anyone else you know), so remote0cup1hammer1215. I now have a photo of a hammer, a TV remote and a cup, as well as sequential numbers and a non-sequential date that I find easy to remember. Do something like this, but do not choose remote0cup1hammer1215 as your actual password.

Step 4.

If you have command line access to your site do a Maldet security scan. You can ask tech support at your webhost for assistance. We did this part for free but now some hosts charge for any kind of clean up at all.

Step 5.

If evidence of the hack still exists, like a message appears or an automatic redirect happens, then grep or “search” for the keywords in your web hosting directory. So if it says “H@ck3d by Mr. P1t@” then do a search for that term and edit it out wherever it appears. If there is a redirect to, like, pilland p-orn dot com, then check your .htaccess for redirects, and if it still appears then do a search of all your files. I have seen hackers destroy a whole database and fill it only with redirects to other websites. If that is the case then you will have to ask your web host to restore your database to a pre-hacked version.

In short, your web host is not to blame, but they can help you. Also be sure to take off-site backups of your site and pay attention to it daily. I’ve had people who were hacked who had no idea when they were hacked because they never paid attention, and web hosts keep backups at most for 2 or maybe 3 months, and it is in the fine print that if no viable backup exists, you will be out of luck.

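The cleanup in Steps 4 and 5 above (search every file for the defacement string, then check .htaccess for injected redirects) can be scripted so it is repeatable on the next site. The script below is an added example and is not part of the original post; it builds a throwaway web root with made-up contents (a defaced index.php, an injected RewriteRule pointing at the assumed hostname malicious.example, and one clean file) so it runs offline, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a constructed sample web
# root and runs the three searches a cleanup usually starts with.

# Constructed sample: one defaced file, one clean file, and an .htaccess whose
# WordPress block is followed by an attacker-added off-site redirect.
make_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads"
    printf '<?php echo "H@ck3d by Mr. P1t@"; ?>\n' > "$root/index.php"
    printf '<?php echo "hello"; ?>\n' > "$root/wp-content/clean.php"
    cat > "$root/.htaccess" <<'EOF'
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# END WordPress
RewriteCond %{HTTP_REFERER} google\. [NC]
RewriteRule ^(.*)$ http://malicious.example/land [R=302,L]
EOF
    echo "$root"
}

# 1. Every file containing the defacement string. -F makes it a fixed-string
#    search so "@", "." and "$" in the string are not regex metacharacters.
#    Output is path:line:text, which is what you need to go edit it out.
find_defacement() {
    grep -rnF -- "$2" "$1"
}

# 2. Redirect rules in any .htaccess that point to an absolute http(s) URL.
#    WordPress's own rules rewrite to local paths, so an absolute URL in a
#    Redirect or RewriteRule line is the usual shape of an injected redirect.
find_htaccess_redirects() {
    find "$1" -name .htaccess -exec grep -nEH '^(Redirect|RewriteRule).*https?://' {} +
}

# 3. PHP files modified in the last N days, to scope the compromise when the
#    owner does not know when it happened (compare against your last backup).
recently_modified() {
    find "$1" -type f -name '*.php' -mtime "-$2"
}

# Stand-alone run against the constructed site.
site=$(make_sample_site)
echo "== defacement string =="
find_defacement "$site" 'H@ck3d by Mr. P1t@'
echo "== off-site redirects in .htaccess =="
find_htaccess_redirects "$site"
echo "== PHP files changed in the last day =="
recently_modified "$site" 1
rm -rf "$site"
```

Run it against a real document root by calling the three functions with your own path and the string from the defacement page. Editing the string out is only the visible part of the job: the file that carried it, and anything else in the `recently_modified` list, should be compared against a known-good copy or restored from backup, as the post says.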

The most important thing I have ever done to protect my WordPress site from hackers is to follow some simple tricks; here are some I may suggest to you:

  • Set up website lockdown and ban users
  • Use 2-factor authentication
  • Use email as login
  • Rename your login URL
  • Adjust your passwords
  • Protect the wp-admin directory
  • Use SSL to encrypt data
  • Add user accounts with care
  • Change the admin username
  • Monitor your files
  • Change the WordPress database table prefix
  • Back up your site regularly
  • Set strong passwords for your database
  • Protect the wp-config.php file
  • Disallow file editing
  • Connect the server correctly
  • Set directory permissions carefully
  • Disable directory listing with .htaccess
  • Update regularly
  • Remove your WordPress version number
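Four items on the list above are file-level settings that can be checked and fixed without logging into the dashboard: protect wp-config.php, disallow file editing, set directory permissions, and disable directory listing. The script below is an added example, not code from the original post or from WordPress itself; it creates a constructed, deliberately weak install in a temporary directory (the paths, the placeholder DB_PASSWORD and the world-writable upload are all made up), audits it, applies the fixes, and audits again. It assumes an Apache host that honours .htaccess and Apache 2.4's `Require all denied` syntax.

```shell
#!/bin/sh
# Added example, not from the original post: audit and fix four checklist
# items on a constructed throwaway WordPress tree.

# Constructed weak install: world-readable wp-config.php, dashboard file
# editor still enabled, a world-writable upload, and a bare .htaccess.
make_weak_install() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads" "$root/wp-admin"
    printf "<?php\ndefine( 'DB_PASSWORD', 'example-only' );\n" > "$root/wp-config.php"
    chmod 644 "$root/wp-config.php"
    : > "$root/wp-content/uploads/shell.php"
    chmod 666 "$root/wp-content/uploads/shell.php"
    printf 'RewriteEngine On\n' > "$root/.htaccess"
    echo "$root"
}

# Each check prints a finding and returns 1 when the install is weak.
check_wpconfig_perms() {   # wp-config.php holds the DB password: not world-readable
    if [ -n "$(find "$1/wp-config.php" -perm -o+r)" ]; then
        echo "FAIL wp-config.php is world-readable"; return 1
    fi
}
check_file_edit() {        # DISALLOW_FILE_EDIT removes the theme/plugin code editor
    grep -Eq "DISALLOW_FILE_EDIT['\"]?[[:space:]]*,[[:space:]]*true" "$1/wp-config.php" \
        || { echo "FAIL DISALLOW_FILE_EDIT not set"; return 1; }
}
check_world_writable() {   # no file should be writable by every local user
    if [ -n "$(find "$1" -type f -perm -o+w)" ]; then
        echo "FAIL world-writable files present"; return 1
    fi
}
check_htaccess() {         # directory listing off, wp-config.php not served
    grep -q '^Options .*-Indexes' "$1/.htaccess" \
        && grep -q '<Files wp-config.php>' "$1/.htaccess" \
        || { echo "FAIL .htaccess missing hardening"; return 1; }
}

# Run every check; the return value is the number of failures (0 = clean).
audit() {
    fails=0
    for c in check_wpconfig_perms check_file_edit check_world_writable check_htaccess; do
        $c "$1" || fails=$((fails + 1))
    done
    echo "$fails failing check(s)"
    return $fails
}

# Apply the fixes the checks look for: 755 dirs, 644 files, 600 wp-config.php,
# file editor disabled, listing off, wp-config.php blocked at the web server.
harden() {
    printf "define( 'DISALLOW_FILE_EDIT', true );\n" >> "$1/wp-config.php"
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    chmod 600 "$1/wp-config.php"
    cat >> "$1/.htaccess" <<'EOF'
Options -Indexes
<Files wp-config.php>
    Require all denied
</Files>
EOF
}

# Stand-alone run: audit, fix, audit again.
site=$(make_weak_install)
audit "$site" || true
harden "$site"
audit "$site" || true
rm -rf "$site"
```

Point `audit` at a real document root before changing anything; `harden` is blunt (it resets every file to 644), so on a live site review the `find ... chmod` lines first, and confirm that the web server runs as a user that can still read a 600 wp-config.php (on cPanel hosts with suEXEC/suPHP it does, because PHP runs as the account owner).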

Exactly. Good to see you, pal, after a very long time! :)

The best strategy for securing your WordPress website is to implement a layered security approach.

Protect your domain name :
Domain Name System Security Extensions (DNSSEC)

Protect server communications :
Domain Security (TLS/SSL)
HTTP Strict Transport Security (HSTS)

Protect your website :
Use a reverse proxy to filter all traffic to your server
Use a Web application firewall (WAF)
Implement secure access to lockdown login

Protect your server :
ModSecurity web application firewall (WAF) for Apache web server
Secure hosting – avoid shared hosting if possible
Avoid hosting your email and web on the same server
Use SSL/TLS for email and unique passwords for each account

Protect WHM/cPanel :
Limit access and permissions
Install each domain AND sub-domain in its own cPanel (so if one is compromised, others aren’t affected)
Keep WHM/cPanel updated to latest stable release

Protect remote file access and email :
Avoid FTP and use either cPanel File Manager or Secure FTP (SFTP), plus secure your email

Protect WordPress :
Keep WordPress updated to the latest release version
Limit plugins and themes, less is more in terms of security
Keep all plugins and themes updated to the latest release version
Whenever possible, opt for premium plugins and themes that are regularly updated and supported
If a plugin is no longer used, don’t just deactivate, delete it
Install a reputable WordPress security plugin
BACKUP – schedule regular automated backups. Keep at least one copy on server and one copy off server

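Under "Protect server communications" the post names TLS and HSTS but not what a correct deployment looks like from the outside. The script below is an added example, not part of the original post: it checks captured response headers for an HSTS policy of at least one year with includeSubDomains, and checks that the plain-HTTP response is a permanent redirect to https. The header blocks are constructed (the way `curl -sI` would print them), the hostname example.org is a placeholder, and the one-year/includeSubDomains thresholds are the ones hstspreload.org requires.

```shell
#!/bin/sh
# Added example, not from the original post: evaluate HSTS and HTTP-to-HTTPS
# redirect behaviour from captured response headers (offline, constructed data).

# Constructed response header blocks.
GOOD_HEADERS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Type: text/html'

WEAK_HEADERS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
Content-Type: text/html'

NO_HSTS_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html'

HTTP_REDIRECT='HTTP/1.1 301 Moved Permanently
Location: https://example.org/'

HTTP_NO_REDIRECT='HTTP/1.1 200 OK
Content-Type: text/html'

# Value of the first Strict-Transport-Security header (name is case-insensitive,
# CR from CRLF line endings stripped, leading whitespace removed).
hsts_value() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i '^strict-transport-security:' \
        | head -n 1 | cut -d: -f2- | sed 's/^[[:space:]]*//'
}

# 0 if HSTS is present, max-age is at least one year (31536000 s) and
# includeSubDomains is set; otherwise print why and return 1.
check_hsts() {
    v=$(hsts_value "$1")
    if [ -z "$v" ]; then echo "FAIL no Strict-Transport-Security header"; return 1; fi
    lower=$(printf '%s' "$v" | tr 'A-Z' 'a-z')
    age=$(printf '%s' "$lower" | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
    if [ -z "$age" ]; then echo "FAIL max-age missing"; return 1; fi
    if [ "$age" -lt 31536000 ]; then echo "FAIL max-age $age is under one year"; return 1; fi
    case "$lower" in
        *includesubdomains*) ;;
        *) echo "FAIL includeSubDomains not set"; return 1 ;;
    esac
    echo "OK $v"
}

# 0 if the plain-HTTP response is a permanent (301/308) redirect to an https URL.
# HSTS is only honoured when received over HTTPS, so first visits rely on this.
check_https_redirect() {
    hdr=$(printf '%s\n' "$1" | tr -d '\r')
    status=$(printf '%s\n' "$hdr" | head -n 1 | cut -d' ' -f2)
    loc=$(printf '%s\n' "$hdr" | grep -i '^location:' | head -n 1 \
        | cut -d: -f2- | sed 's/^[[:space:]]*//')
    case "$status:$loc" in
        301:https://*|308:https://*) echo "OK $status -> $loc" ;;
        *) echo "FAIL plain-HTTP response is $status to '$loc'"; return 1 ;;
    esac
}

# Stand-alone run over the constructed samples.
check_hsts "$GOOD_HEADERS" || true
check_hsts "$WEAK_HEADERS" || true
check_hsts "$NO_HSTS_HEADERS" || true
check_https_redirect "$HTTP_REDIRECT" || true
check_https_redirect "$HTTP_NO_REDIRECT" || true
```

To check a live host, feed `check_hsts "$(curl -sI https://yourdomain.example/)"` and `check_https_redirect "$(curl -sI http://yourdomain.example/)"`. One caveat that matters for the cPanel and email points in the same post: includeSubDomains commits every subdomain (webmail, cpanel, mail) to HTTPS for the max-age period, so make sure each of those has a valid certificate before you turn it on, because browsers will refuse to fall back to plain HTTP once the policy is cached.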