If you are reading this post, either your WordPress website has been hacked or you are researching how to prevent your WordPress blog from being hacked. Either way, you will find the solution here.
I want to share my experience of how my blog got hacked, and what I did after that.
Let me start the story!
Waking up from a nap, I decided to check on my blog to see if there was any comment I needed to reply to.
On logging in to my WordPress dashboard, I saw 23 trackbacks, all from a post. That was massive; I had never seen such.
The post in question looked strange to me, so I decided to take a look at it. The post had been dropped 2 hours earlier.
I was shocked because I knew nothing about it. Neither did I approve any guest post with that title.
Immediately I opened my WordPress security plugin “Wordfence”, clicked on live traffic, and scrolled 2 to 3 hours back to see past traffic activities.
To my greatest surprise, there was an administrator login which was not mine.
The admin login details were those of one I created weeks back when I was testing a WordPress “role plugin” functionality.
Oh my God! I didn’t delete that admin user when I was done testing.
So someone logged into my blog as an admin! What did he do? I asked myself.
How could I be so careless not to delete a second administrator which I created with a weak password?
I discovered that only a post titled “For what reason the new technologies and-the electronic data rooms can be beneficial for everyday life and our business” had been added to my blog. I quickly deleted it and deleted the admin credential too.
I wasn’t much scared because I have an auto backup plugin called UpdraftPlus, so I can restore my blog up to 5 previously stated weekly intervals from my Google Drive, which I did.
But come to think of it, how did the unauthorized admin get my password? Was it a brute-force attack?
Whichever way he got the password does not matter; the fact is that I could have prevented it up to 95% by using a stronger password, or by using some tricks which I will explain in this post.
Now I had won my blog back. I also changed my passwords, making them stronger.
What surprised me the most was how the unauthorized post got 23 trackbacks (backlinks).
Imagine some of the articles that were linking back existed 2 to 3 years ago. Can anyone explain this?
Two months later, I stumbled upon a backlink checker called ZigStat, which included those backlinks. There were 11 dofollow backlinks.
I may have been lucky in my case, but this does not mean that preventive measures should not be taken.
The hacker may have deleted my blog posts; how am I even sure he didn’t download an XML file of my contents?
How to Protect a WordPress Site from Hackers
1. Have a solid Password
Most hackers penetrate WordPress via weak passwords.
They can develop software that automatically guesses up to 1,000 passwords in less than a minute using a brute-force attack; you can imagine what an hour of guessing will be like.
A mixture of letters, numbers, and special characters makes the strongest password one can have.
You can also mix capital and small letters for better results.
2. Backup your WordPress site regularly
Regular backups of your WordPress site will go a long way.
No matter what techniques you use to secure your WordPress site, it is still vital that you back it up, especially your database.
The backup will be your last resort if any attack gets through.
3. Keep WordPress on the Latest Version
Always make sure that your WordPress is the most recent version. Once a new version is available, you will get a notice on your admin dashboard.
Every new version of WordPress includes patches that seal up loopholes for stronger security.
This is very important: don’t just set up your WordPress website or blog and abandon its updates. Research has shown that over 71% of hacked WordPress websites were last updated over 6 months ago.
To be on the safe side, simply set your WordPress to auto-update, so you won’t have anything to worry about.
4. Install a Good WordPress Security Plugin
WordPress has lots of free and premium plugins for security. Most of these security plugins scan your WordPress site and protect it against brute force attacks.
I recommend Wordfence, but you can still research to find an even stronger security plugin, one better than Wordfence if it exists.
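The kind of login check such a plugin performs, as an added example (not from the original post and not Wordfence's own code): it scans login events for brute-force bursts and for administrator logins by accounts that should not exist, the two signals in the incident described above. The event format, the threshold, the window, and the account names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

EXPECTED_ADMINS = {"owner"}      # assumption: the only admin account that should exist
MAX_FAILS = 5                    # assumption: failures tolerated per IP per window
WINDOW = timedelta(minutes=1)

# Constructed sample events: time, source IP, username, account role, result.
SAMPLE = "\n".join(
    [f"2024-01-10T13:58:{s:02d} 203.0.113.7 testadmin administrator FAIL"
     for s in range(0, 35, 5)]   # 7 failed guesses in 30 seconds
    + ["2024-01-10T13:58:40 203.0.113.7 testadmin administrator OK",
       "2024-01-10T14:05:00 198.51.100.20 owner administrator FAIL",
       "2024-01-10T14:05:30 198.51.100.20 owner administrator OK"]
)

def audit(log_text):
    """Return findings as (kind, ip, user, time) tuples, in log order."""
    findings = []
    fails = defaultdict(deque)   # ip -> timestamps of failures inside the window
    flagged = set()              # IPs already reported for brute forcing
    for line in log_text.strip().splitlines():
        stamp, ip, user, role, result = line.split()
        ts = datetime.fromisoformat(stamp)
        recent = fails[ip]
        while recent and ts - recent[0] > WINDOW:
            recent.popleft()     # forget failures older than the window
        if result == "FAIL":
            recent.append(ts)
            if len(recent) > MAX_FAILS and ip not in flagged:
                flagged.add(ip)
                findings.append(("brute_force", ip, user, ts))
            continue
        # Successful login: was it guessed, and should this account exist at all?
        if ip in flagged:
            findings.append(("success_after_brute_force", ip, user, ts))
        if role == "administrator" and user not in EXPECTED_ADMINS:
            findings.append(("unexpected_admin_login", ip, user, ts))
    return findings

if __name__ == "__main__":
    for kind, ip, user, ts in audit(SAMPLE):
        print(f"{ts.isoformat()} {kind:26} ip={ip} user={user}")
```

The single mistyped password by the legitimate owner produces no finding, while the forgotten test administrator is reported even if its password had been guessed on the first try.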
5. Enable 2-factor authentication
Using 2-factor authentication (2FA) on your login page will go a long way to protect your WordPress site from unauthorized logins.
In this case, the user provides login details in two separate components. The admin decides what those two will be.
It may be a regular password followed by a secret question, a code, a mathematical answer, a set of characters, etc.
By default, WordPress does not have 2-factor authentication. You can download a plugin such as the Google Authenticator plugin to add such functionality.