How To Secure WordPress (and recover from a hack)

Show Notes

April 19, 2016

Securing WordPress – and recovering from an attack

(Mike will be calling in from the car for the show)

Securing WordPress

  • Back up your entire site on a regular basis. Don’t forget. It’s also good to put that file somewhere other than your server. I store mine over on Amazon S3.
  • Update, update, update. Plugins, themes, and the core. The safest version is generally the newest version.
  • Speaking of that, hide your version. Make sure you are not broadcasting the version of WP that you are using.
  • Always use secure and different passwords.
  • Use a secure username (not admin).
  • Display your name as something other than your login name.
  • Don’t use wp for your database username.
  • Limit login attempts.
  • Use security plugins (like Sucuri or Wordfence).

Recovering from…

Malware or Hacking

  • What was the last thing you were doing? Messing with a plugin? Messing with theme files?
  • If it was editing, adding or deactivating a plugin, start by deactivating all your plugins. If you can’t get to the plugins in your dashboard, go in via FTP.
  • Go to wp-content, find the plugins folder and rename it.
  • Did that fix it? Now start adding your plugins back one by one.

Theme Files

  • Were you messing with functions.php? Usually the fix is to upload a good version of the functions.php file (or whatever file you were last in) via FTP.
  • Did that work? From now on, always use a child theme and modify that instead of the parent.

Other stuff

  • Sometimes you don’t know what messed up, but something certainly did.
  • When this happens, start with the plugins. Rename the plugins folder via FTP. If that fixes it, it’s a plugin.
  • If that doesn’t fix it, do the same with your themes folder. Did that fix it? If it did, your problem was a theme. As with the plugins, add them back one at a time.
  • “Error establishing a database connection”? It’s probably a bad wp-config file.
  • If you still have a problem, try reinstalling WordPress. If it’s a core file issue, sometimes this will work.
  • Check your .htaccess file. Using FTP, rename it. Did that fix it? If it did, resaving your Permalinks will generate a new version of the file for your site.
  • It also should be mentioned: is it just a server issue? Is your host down? Is the WSOD cached? It might not be you at all.

Plan B

B is for Backup. Simply restore a backup. That’s why you had the entire site regularly backed up and stored somewhere in the first place, right? If you did, you could be just a click away from being back to normal.


Remove WordPress version information by adding these lines to your theme’s functions.php file (Admin Panel -> Appearance -> Editor -> functions.php):

    // Return an empty string in place of the <meta name="generator"> tag,
    // which otherwise prints the WordPress version in every page's <head>.
    function smedge_remove_version() {
        return '';
    }
    add_filter('the_generator', 'smedge_remove_version');
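The generator tag is not the only place the version leaks: WordPress also appends ?ver=x.y.z to its enqueued script and style URLs. The following is an added example (not the show’s own code) that builds on the “hide your version” and “limit login attempts” items above; it goes in the same functions.php, and the smedge_ prefix, the 5-attempts / 15-minute policy and the transient key names are assumptions chosen for the example.

```php
<?php
// Part 1: strip "?ver=x.y.z" from enqueued asset URLs so the version is not leaked there.
function smedge_strip_asset_version( $src ) {
    return remove_query_arg( 'ver', $src );
}
add_filter( 'style_loader_src',  'smedge_strip_asset_version', 9999 );
add_filter( 'script_loader_src', 'smedge_strip_asset_version', 9999 );

// Part 2: limit login attempts. Assumed policy: 5 failures per IP, then a 15-minute lockout.
define( 'SMEDGE_MAX_ATTEMPTS', 5 );
define( 'SMEDGE_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );

// One transient per client IP. REMOTE_ADDR is the connecting address; behind a
// proxy or CDN, use the header your host documents as trusted instead.
function smedge_attempt_key() {
    return 'smedge_login_' . md5( $_SERVER['REMOTE_ADDR'] );
}

// Count each failed login; the transient expires after the lockout window.
function smedge_record_failed_login( $username ) {
    $key      = smedge_attempt_key();
    $attempts = (int) get_transient( $key ) + 1;
    set_transient( $key, $attempts, SMEDGE_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'smedge_record_failed_login' );

// Refuse authentication while the lockout is active, before the password is checked.
// Priority 30 runs after WordPress's own username/password check (priority 20).
function smedge_block_locked_out( $user, $username, $password ) {
    if ( (int) get_transient( smedge_attempt_key() ) >= SMEDGE_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'smedge_block_locked_out', 30, 3 );

// Clear the counter once a login succeeds.
function smedge_clear_attempts( $user_login, $user ) {
    delete_transient( smededge_attempt_key_fix() );
}
function smededge_attempt_key_fix() {
    return smedge_attempt_key();
}
add_action( 'wp_login', 'smedge_clear_attempts', 10, 2 );
```

Keying on IP is a coarse control: a shared NAT can lock out many users at once, so the lockout window is kept short and the counter is cleared on success.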
