What, Why, and Hows of WordPress Security Keys

Do you want to learn more about WordPress security keys and salts?

WordPress uses security keys to sign the cookies that keep you logged in. Knowing what they do, where they live and when to rotate them is a cheap way to improve WordPress security.

In this article, we will discuss what WordPress security keys and salts are and why you should use them.

WordPress security keys guide for beginners

What are WordPress Security Keys and SALTs?

WordPress security keys are long random secrets that WordPress mixes into the hash-based message authentication codes (HMACs) it uses to sign login cookies and nonces. They are not an encryption tool and they do not protect stored passwords; passwords are stored as salted hashes by a separate mechanism.

Think of them as a signing key rather than a lock: whoever holds the key can produce a login cookie that WordPress accepts, and whoever does not hold it cannot forge or alter one.

WordPress security keys diagram

Here is how it works.

When you log in to a WordPress website, WordPress sets a cookie in your browser containing your username, an expiry time, a session token and a signature. The browser sends it with each request, so you can keep working without logging in on every page load.

The cookie is not encrypted; the username and expiry are readable by anyone who has it. What protects it is the signature: an HMAC computed over those fields with the security keys and salts as the secret.

WordPress recomputes the signature on every request and rejects the cookie if it does not match. Without the keys, an attacker can neither produce a valid signature for a cookie they never received nor change the username or expiry in one they stole.

These security keys are generated during installation (the installer fetches them from WordPress.org) and stored in your WordPress configuration file (wp-config.php), outside the database.

There are a total of four security keys:

  • AUTH_KEY
  • SECURE_AUTH_KEY
  • LOGGED_IN_KEY
  • NONCE_KEY

Apart from WordPress security keys, you’ll also find the following SALTs.

  • AUTH_SALT
  • SECURE_AUTH_SALT
  • LOGGED_IN_SALT
  • NONCE_SALT

Each salt is paired with the key of the same name: WordPress concatenates AUTH_KEY and AUTH_SALT into a single secret for the auth scheme, and likewise for the other three. The salts are therefore just as secret as the keys, and the four pairs keep the four purposes (authentication over HTTP, authentication over HTTPS, the logged-in indicator, and nonces) cryptographically separate from each other.
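To make the signing mechanism concrete, here is an added example, not code from the page or from WordPress itself: a Python model that mirrors the structure of WordPress's wp_generate_auth_cookie() (username|expiration|token|hmac, with the key and salt concatenated into the HMAC secret and four characters of the stored password hash folded into the per-cookie key). The key values and password hashes are constructed placeholders, and the model omits the session-token lookup that real WordPress performs after the signature check. It shows why a cookie stops working after a key rotation or a password change, and why a tampered or expired cookie is rejected, which is what the forced re-login described later in this article relies on.

```python
"""Model of how the auth cookie is signed with AUTH_KEY and AUTH_SALT, and why
rotating them (or changing the password) logs everyone out. Added example that
mirrors the structure of WordPress's wp_generate_auth_cookie()
(username|expiration|token|hmac); it is a stand-alone simulation, not code
from WordPress or from the page, and the key values are constructed."""
import hmac
import secrets
import time
from typing import Optional

# Constructed stand-ins for the constants in wp-config.php, before and after rotation.
KEYS_V1 = {"AUTH_KEY": "Wn<3x4f!k$Q1+pZ", "AUTH_SALT": "r8#Lq%tZ0@)vM~g"}
KEYS_V2 = {"AUTH_KEY": "o6&Kd2Hm~Pe9!sX", "AUTH_SALT": "E5!wC@vL^z3b*Yq"}
# Constructed stand-ins for a user's stored password hash, before and after a change.
PASS_HASH_OLD = "$P$BxYzQ5sAq2kLm9nPo3rSt7uVw1xYz."
PASS_HASH_NEW = "$P$BtKm3L7dWq0eRs6tUv2wXy8zAb4cDe."


def wp_salt(keys: dict) -> str:
    """WordPress concatenates KEY and SALT into the secret for the scheme."""
    return keys["AUTH_KEY"] + keys["AUTH_SALT"]


def wp_hash(data: str, keys: dict) -> str:
    """wp_hash(): HMAC-MD5 of data keyed with KEY.SALT, as a hex string."""
    return hmac.new(wp_salt(keys).encode(), data.encode(), "md5").hexdigest()


def generate_auth_cookie(username: str, expiration: int, token: str,
                         user_pass_hash: str, keys: dict) -> str:
    """username|expiration|token|hmac. Four characters of the stored password
    hash go into the per-cookie key, so a password change also kills cookies."""
    pass_frag = user_pass_hash[8:12]
    key = wp_hash(f"{username}|{pass_frag}|{expiration}|{token}", keys)
    sig = hmac.new(key.encode(), f"{username}|{expiration}|{token}".encode(),
                   "sha256").hexdigest()
    return f"{username}|{expiration}|{token}|{sig}"


def validate_auth_cookie(cookie: str, user_pass_hash: str, keys: dict,
                         now: Optional[int] = None) -> Optional[str]:
    """Return the username if the cookie is well-formed, unexpired and its
    signature verifies under the current keys; otherwise None."""
    now = int(time.time()) if now is None else now
    parts = cookie.split("|")
    if len(parts) != 4:
        return None
    username, expiration, token, sig = parts
    if not expiration.isdigit() or int(expiration) < now:
        return None
    expected = generate_auth_cookie(username, int(expiration), token,
                                    user_pass_hash, keys).rsplit("|", 1)[1]
    # Constant-time comparison: a byte-by-byte timing leak would help forgery.
    return username if hmac.compare_digest(expected, sig) else None


def demo() -> dict:
    """Issue a cookie under KEYS_V1, then try it against the cases in the text."""
    exp = 2_000_000_000                       # fixed far-future expiry
    now = 1_700_000_000
    token = secrets.token_hex(16)             # random session token, as in WordPress
    cookie = generate_auth_cookie("admin", exp, token, PASS_HASH_OLD, KEYS_V1)
    tampered = "editor|" + cookie.split("|", 1)[1]   # change the username, keep the signature
    return {
        "current_keys": validate_auth_cookie(cookie, PASS_HASH_OLD, KEYS_V1, now),
        "after_key_rotation": validate_auth_cookie(cookie, PASS_HASH_OLD, KEYS_V2, now),
        "after_password_change": validate_auth_cookie(cookie, PASS_HASH_NEW, KEYS_V1, now),
        "tampered_username": validate_auth_cookie(tampered, PASS_HASH_OLD, KEYS_V1, now),
        "expired": validate_auth_cookie(cookie, PASS_HASH_OLD, KEYS_V1, exp + 1),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>22}: {'accepted as ' + result if result else 'rejected'}")
```

Only the first case is accepted; the other four are rejected without WordPress ever consulting the database, which is why rotating the keys is an immediate, site-wide logout.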

Why Use WordPress Security Keys?

WordPress security keys protect your website against hacking attempts by protecting your login session, not by making your password stronger.

A weak password can still be guessed by brute force whatever the keys are; use a strong password and rate-limit the login form for that.

What the keys do prevent is forging or tampering with the login cookie. The signature in the cookie is a long hexadecimal string such as ‘7C17bd5b44d6c9c37c01468b20d89c35e576914c289f98685941accddf67bf32b49’, and producing a valid one without the keys is computationally infeasible. The flip side is that anyone who can read your wp-config.php (which also holds your database credentials) can mint an administrator session without knowing any password.

That’s why you should never share WordPress security keys with anyone and should protect them as you would any other secret: keep wp-config.php out of version control and out of backups you hand to third parties, and make sure the web server never serves it as plain text.

That being said, let’s take a look at how to use WordPress security keys to keep your WordPress site protected.

How to Use WordPress Security Keys?

Normally, you don’t need to do anything extra, since the WordPress installer fetches a fresh set of keys and salts from WordPress.org (or generates them locally if that request fails) and writes them into wp-config.php on each new install.

You can view your WordPress security keys and salts by using an FTP client or the File Manager app in your WordPress hosting account control panel.

Simply connect to your website, and open the wp-config.php file. Inside it, you’ll see your WordPress security keys defined.

Security keys WordPress configuration file

However, depending on how you initially installed WordPress, your website may not have real security keys at all. If you created wp-config.php by hand from wp-config-sample.php, the eight constants may still hold the placeholder text ‘put your unique phrase here’, which is as good as no key.

If your security keys are empty or still placeholders, then don’t worry. You can easily add them manually: the WordPress Security Key Generator page at https://api.wordpress.org/secret-key/1.1/salt/ returns a freshly generated set of all eight define() lines on every visit.

WordPress security key generator

Next, copy and paste these lines into your wp-config.php file in place of the existing definitions, and you are done. Remove the old lines rather than adding the new ones alongside them: PHP keeps the first definition of a constant and warns about the second.

You can use the same method to delete your current WordPress security keys and replace them with new keys.

Note: Replacing the security keys invalidates every existing login cookie, so all users, including anyone holding a stolen or forged session, are forced to log in again. That is exactly what you want after a suspected compromise.

Regenerate WordPress Security Keys using a Plugin

If you suspect that your website is hacked, then you need to regenerate WordPress security keys and change your passwords. Do it after you have found and removed the backdoor, not before: an attacker who still has file access simply reads the new keys out of wp-config.php (and, with the database credentials stored there, the new password hashes too).

You can manually copy and paste new security keys as mentioned above. However, a much easier approach is using a plugin. This way you can also set a schedule to automatically regenerate security keys regularly; keep in mind that every rotation logs all users out, so choose a frequency your users will tolerate.

1. Update WordPress Security Keys using Sucuri

The easiest way to automatically regenerate WordPress security keys is by using Sucuri. It is one of the best WordPress security plugins on the market and protects your WordPress website against common threats.

Simply install and activate the Sucuri Security plugin. For more details, see our step by step guide on how to install a WordPress plugin.

Upon activation, you need to visit the Sucuri Security » Settings page and switch to the Post-Hack tab.

Update security keys using Sucuri

From here, simply click on the Generate New Security Keys button under the ‘Update Secret Keys’ section.

Note: Regenerating the security keys will log you out of the WordPress admin area, and you’ll need to log in again.

Regenerate security keys

After that, revisit the Sucuri Security » Settings page and switch to the Post-Hack tab again.

Under the security keys section, enable the Automatic Secret Keys Updater by choosing a frequency (daily, weekly, monthly, yearly). Then click on the Submit button.

Automatically update security keys

Sucuri will now automatically reset your WordPress security keys based on the frequency you have chosen.

2. Update WordPress Security Keys using Salt Shaker

This method is for users who are not using Sucuri and need to automate security key regeneration.

First, you need to install and activate the Salt Shaker plugin. For more details, see our step by step guide on how to install a WordPress plugin.

Upon activation, you need to visit Tools » Salt Shaker page to configure plugin settings.

Update security keys with Salt Shaker

From here, you can set a schedule to automatically generate security keys. You can also just click on the ‘Change now’ button to immediately regenerate security keys.

We hope this article helped you understand what are WordPress security keys and how to use them. You may also want to see our guide on how to fix common WordPress errors, or see our expert pick of the must have WordPress plugins for your website.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

The post What, Why, and Hows of WordPress Security Keys first appeared on WPBeginner.

12 Signs Your WordPress Site Is Hacked (And How to Fix It)

We are often asked, how do I check if my WordPress site has been hacked?

There are some common telltale signs that may help you figure out if your WordPress site is hacked or compromised.

In this article, we’ll share some of the most common signs that your WordPress site is hacked and what you can do to clean it up.

Signs to look for when your WordPress website is hacked

1. Sudden Drop in Website Traffic

If you look at your analytics reports and see a sudden drop in traffic, even though Google Analytics is set up properly, then this could be a sign that your WordPress site is hacked.

A sudden drop in traffic can be caused by different factors.

For instance, malware on your website may be redirecting non-logged-in visitors to spam websites.

Another possible reason for the sudden drop in traffic could be that Google’s safe browsing tool is showing warnings to users regarding your website.

Google safe browsing malware warning

Each day, Google blacklists around 10,000 websites for malware and thousands more for phishing. That’s why every website owner needs to pay serious attention to their WordPress security.

You can check your website using Google’s safe browsing tool to see your safety report.

2. Bad Links Added to Your Website

Injected content is one of the most common signs of a hacked WordPress site. Hackers plant a backdoor on your site that lets them modify your WordPress files and database at will.

Some of these hacks add links to spammy websites. Usually these links are added to the footer of your website, but they could be anywhere. Deleting the links doesn’t guarantee that they won’t come back.

You will need to find and fix the backdoor used to inject this data into your website. See our guide on how to find and fix a backdoor in a hacked WordPress site.

3. Your Website’s Homepage is Defaced

Defaced WordPress website

This is probably the most obvious one as it is clearly visible on the homepage of your website.

Most hacking attempts do not deface your site’s homepage because they want to remain unnoticed for as long as possible.

However, some hackers may deface your website to announce that it has been hacked. Such hackers usually replace your homepage with their own message. Some may even try to extort money from site owners.

4. You Are Unable to Log In to WordPress

login error username not registered on site

If you are unable to log in to your WordPress site, then there is a chance that hackers have deleted your admin account from WordPress, or changed its password and email address.

Since the account doesn’t exist, you would not be able to reset your password from the login page.

There are other ways to add an admin account using phpMyAdmin or via FTP. However, your site will remain unsafe until you figure out how the hackers got into your website.

5. Suspicious User Accounts in WordPress

Suspicious user accounts in WordPress

If your site is open to user registration, and you are not using any spam registration protection, then spam user accounts are just common spam that you can simply delete.

However, if you don’t remember allowing user registration and still seeing new user accounts in WordPress, then your site is probably hacked.

Usually the suspicious account will have the administrator user role, and in some cases you may not be able to delete it from your WordPress admin area.

6. Unknown Files and Scripts on Your Server

Suspicious files

If you’re using a site scanner plugin like Sucuri, then it will alert you when it finds an unknown file or script on your server.

To find the files, you need to connect to your WordPress site using an FTP client. The most common place where you will find malicious files and scripts is the /wp-content/ folder.

Usually, these files are named similarly to WordPress files so that they can hide in plain sight. To recognize them yourself, you will need to audit the file and directory structure. However, deleting these files will not guarantee that they won’t return.

7. Your Website is Often Slow or Unresponsive

Slow or unresponsive website

Any website on the internet can become the target of a denial of service or distributed denial of service (DDoS) attack. These attacks come from many compromised computers and servers around the world (a botnet), so the requests arrive from thousands of different IP addresses and no single block fixes it.

Sometimes they are just sending too many requests to your server, while other times they are actively trying to break into your website.

Any such activity will make your website slow, unresponsive, and unavailable. You can check your server logs to see which IPs are making too many requests and block them, but that may not fix the problem if there are too many or if the hackers change IP addresses.

It is also possible that your WordPress site is just slow and not hacked. In that case, you should follow our guide to boost WordPress speed and performance.

8. Unusual Activity in Server Logs

Server logs

Server logs are plain text files kept on your web server. The access log records every HTTP request (client IP address, time, request line, status code, referrer and user agent); the error log records errors from the web server and from PHP.

You can access them from your WordPress hosting account’s cPanel dashboard under Metrics (older versions call it Logs or Statistics).

These server logs can help you understand what’s going on when your WordPress site is under attack.

They also contain all the IP addresses used to access your website, so you can block suspicious IP addresses.

They will also indicate server errors that you may not see inside your WordPress dashboard and may be causing your website to crash or be unresponsive.
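As an added example (not tooling from the page), here is a small Python triage over combined-format access log lines of the kind described in signs 7 and 8, run on a constructed excerpt: it ranks IPs by request volume, flags bursts against wp-login.php and xmlrpc.php, catches the pattern of a brute force that succeeded (WordPress re-renders the form with 200 on a failed login and redirects with 302 on success), and lists requests for PHP files inside uploads/, which should never return 200. The thresholds and the sample log are this example's choices.

```python
"""Triage of combined-format access-log lines for the signs described above:
per-IP request volume, login brute force and whether it succeeded, xmlrpc.php
hammering, and requests for PHP files inside uploads/. Added example with a
constructed log excerpt; the thresholds are this example's choices."""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PHP_IN_UPLOADS = re.compile(r"/wp-content/uploads/.*\.(?:php|phtml|php\d+)$", re.I)

# Constructed sample: a normal visitor, a login brute-force run that ends in a
# successful login (302 after repeated 200s), xmlrpc.php hammering, and a POST
# to a PHP file inside uploads/ that the server executed (200, not 403).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-content/uploads/2023/10/a.jpg HTTP/1.1" 200 2048 "https://example.com/" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:56:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.0.2.44 - - [10/Oct/2023:13:57:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:57:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:57:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:57:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:58:40 +0000] "POST /wp-content/uploads/2023/09/wp-cache.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""


def parse(lines):
    """Yield one dict per parsable combined-format line; skip anything else."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def triage(log_text: str, burst: int = 3) -> dict:
    per_ip = Counter()
    login = defaultdict(list)      # ip -> status codes of POST /wp-login.php, in order
    xmlrpc = Counter()
    php_in_uploads = []
    for r in parse(log_text.splitlines()):
        per_ip[r["ip"]] += 1
        path = r["path"].split("?", 1)[0]
        if r["method"] == "POST" and path.endswith("/wp-login.php"):
            login[r["ip"]].append(r["status"])
        elif r["method"] == "POST" and path.endswith("/xmlrpc.php"):
            xmlrpc[r["ip"]] += 1
        if PHP_IN_UPLOADS.search(path):
            php_in_uploads.append((r["ip"], path, r["status"]))
    # WordPress re-renders the form (200) on a failed login and redirects (302)
    # on success, so a 302 after a run of 200s is a brute force that worked.
    success_after_failures = sorted(
        ip for ip, codes in login.items()
        if any(c == "302" and codes[:i].count("200") >= 2 for i, c in enumerate(codes)))
    return {
        "top_ips": per_ip.most_common(3),
        "login_bruteforce": sorted(ip for ip, codes in login.items() if len(codes) >= burst),
        "login_success_after_failures": success_after_failures,
        "xmlrpc_abuse": sorted(ip for ip, n in xmlrpc.items() if n >= burst),
        "php_in_uploads": php_in_uploads,
    }


if __name__ == "__main__":
    import json
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(json.dumps(triage(text), indent=2))
```

Save it under any name and pass the path of a real access log as the first argument; without an argument it runs on the constructed sample. A 200 for a PHP file under uploads/ is the single most actionable line here: it means the server executed a file that WordPress itself never places there.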

9. Failure to Send or Receive WordPress Emails

Email issues

Hacked servers are commonly used for sending spam. Most WordPress hosting companies offer free email accounts with your hosting, and many WordPress site owners use their host’s mail server to send WordPress emails.

If you are suddenly unable to send or receive WordPress emails, then there is a chance that the server has been used to send spam: either the host has suspended mail for your account, or the server’s IP address has landed on spam block lists and other mail servers now reject it.

10. Suspicious Scheduled Tasks

WordPress cron control

Web servers allow users to set up cron jobs. These are scheduled tasks that you can add to your server. WordPress itself uses cron to setup scheduled tasks like publishing scheduled posts, deleting old comments from trash, and so on.

A backdoor can abuse this: it registers its own scheduled event through WP-Cron (or a line in the system crontab) that re-downloads the malware after you delete it, which is why freshly cleaned sites get reinfected. Review the scheduled events and remove any whose hook or callback you do not recognize.

To learn more about cron jobs, see our guide on how to view and control WordPress cron jobs.

11. Hijacked Search Results

Search results hijacked

If the search results from your website show incorrect titles or meta descriptions, then this is a sign that your WordPress site is hacked.

Looking at your WordPress site, you will still see the correct title and description.

The injected code identifies search engine crawlers (by user agent or referrer) and serves them different titles, descriptions and links, while regular and logged-in visitors see the normal page. Fetching the page as a normal browser and again with a Googlebot user agent, then comparing the two, exposes it.

12. Popups or Pop Under Ads on Your Website

Spam popups

These types of hacks are trying to make money by hijacking your website’s traffic and showing them their own spam ads.

These popups do not appear for logged-in users or for visitors who type the address directly into their browser.

They only appear to users arriving from search engines. Pop-under ads open behind the current window, so the visitor often does not notice them until the browser is closed, and the site owner, who is usually logged in, never sees them at all.

13. Core WordPress Files Are Changed

Core WordPress files changed

If your core WordPress files are changed or modified in some way, then that’s an important sign that your WordPress site is hacked.

Hackers may simply modify a core WordPress file and place their own code inside it. They may also create files with names similar to WordPress core files.

The easiest way to track those files is by installing a WordPress security plugin that monitors the health of your core WordPress files. You can also manually check your WordPress folders to look for any suspicious files or scripts.
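WP-CLI's `wp core verify-checksums` compares core files against the official checksums when the server has network access. The added example below (not tooling from the page) does the offline equivalent for the whole tree and covers sign 6 as well as this one: take a SHA-256 manifest while the site is known to be clean, diff a later manifest against it, and independently flag PHP under uploads/ and copies of root-only core files placed deeper in the tree. The sample site is constructed in a temporary directory with harmless placeholder contents; the list of root-only names is this example's choice.

```python
"""Offline integrity check for a WordPress tree: hash every file, diff against
a baseline taken while the site was known to be clean, and flag files that
should not exist anywhere (PHP under uploads/, look-alikes of core files).
Added example, not tooling from the page; the site tree is constructed in a
temporary directory with harmless placeholder contents."""
import hashlib
import re
import tempfile
from pathlib import Path

PHP_EXT = re.compile(r"\.(?:php|phtml|php\d+)$", re.I)
# Files that legitimately exist only in the document root; a copy deeper in
# the tree is an attacker hiding in plain sight.
ROOT_ONLY = {"wp-config.php", "wp-load.php", "wp-settings.php", "wp-cron.php",
             "xmlrpc.php", "wp-login.php"}


def manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_manifests(baseline: dict, current: dict) -> dict:
    """What changed since the baseline (added/removed/modified paths)."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def suspicious_paths(paths) -> dict:
    """Checks that need no baseline at all."""
    return {
        "php_in_uploads": sorted(p for p in paths
                                 if p.startswith("wp-content/uploads/") and PHP_EXT.search(p)),
        "core_lookalikes": sorted(p for p in paths
                                  if "/" in p and Path(p).name in ROOT_ONLY),
    }


def _write(root: Path, rel: str, body: str) -> None:
    (root / rel).parent.mkdir(parents=True, exist_ok=True)
    (root / rel).write_text(body)


def demo() -> dict:
    """Build a constructed clean install, baseline it, then simulate a compromise."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _write(root, "wp-config.php", "<?php // constructed sample\n")
        _write(root, "wp-load.php", "<?php // constructed sample\n")
        _write(root, "wp-includes/functions.php", "<?php // constructed sample\n")
        _write(root, "wp-content/uploads/2023/10/photo.jpg", "JPEGDATA")
        baseline = manifest(root)           # take this while the site is clean
        # Simulated compromise: core file edited, PHP dropped into uploads,
        # a fake wp-config.php placed inside wp-includes.
        _write(root, "wp-includes/functions.php", "<?php // constructed sample\n// injected line\n")
        _write(root, "wp-content/uploads/2023/10/wp-cache.php", "<?php // placeholder for a webshell\n")
        _write(root, "wp-includes/wp-config.php", "<?php // placeholder for a backdoor\n")
        current = manifest(root)
        return {"diff": diff_manifests(baseline, current),
                "suspicious": suspicious_paths(current)}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Store the baseline manifest somewhere the web server cannot write (not inside the site tree), otherwise an attacker with file access can simply regenerate it after planting files.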

14. Users Are Randomly Redirected to Unknown Websites

Spam redirects

If your website is redirecting visitors to an unknown website, then that’s another important sign that your website may be hacked.

This hack often goes unnoticed as it does not redirect logged-in users. It may also not redirect visitors accessing the website directly by typing the address in their browser.

These types of hacks are often caused by a backdoor or malware installed on your website.
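Signs 11, 12 and 14 are all cloaking: the server returns something different depending on who seems to be asking. The added Python below (not tooling from the page) fetches the same URL three ways, as a direct visitor, as a visitor arriving from Google, and as Googlebot, without following redirects, and reports differences in status, redirect target, title and meta description. demo() runs compare() on constructed responses so it needs no network; check(url) does the live requests. The user-agent strings and the fields compared are this example's choices.

```python
"""Cloaking check: fetch one URL as a direct visitor, as a visitor arriving
from Google, and as Googlebot, then report where status, redirect target,
title or meta description differ. Added example, not tooling from the page;
demo() runs on constructed responses, fetch()/check() do real requests."""
import re
import urllib.request
from urllib.error import HTTPError

BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:118.0) Gecko/20100101 Firefox/118.0"
PROFILES = {
    "direct": {"User-Agent": BROWSER_UA},
    "from_google": {"User-Agent": BROWSER_UA, "Referer": "https://www.google.com/"},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                                "+http://www.google.com/bot.html)"},
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 30x responses instead of following them; the target is the evidence."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def summarize(status: int, location, body: str) -> dict:
    """Reduce a response to the fields a cloaking hack tampers with."""
    title = re.search(r"<title[^>]*>(.*?)</title>", body, re.I | re.S)
    desc = re.search(r'<meta\s+name=["\']description["\']\s+content=["\']([^"\']*)',
                     body, re.I)
    return {"status": status, "location": location,
            "title": title.group(1).strip() if title else None,
            "description": desc.group(1).strip() if desc else None}


def fetch(url: str, headers: dict) -> dict:
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=15) as resp:
            return summarize(resp.getcode(), resp.headers.get("Location"),
                             resp.read().decode("utf-8", "replace"))
    except HTTPError as e:          # 30x (not followed) and 4xx/5xx land here
        return summarize(e.code, e.headers.get("Location"),
                         e.read().decode("utf-8", "replace"))


def compare(responses: dict) -> list:
    """Differences between each profile and the direct visit."""
    base = responses["direct"]
    findings = []
    for label, r in responses.items():
        if label == "direct":
            continue
        if r["status"] // 100 == 3 and base["status"] // 100 != 3:
            findings.append(f"{label}: redirected to {r['location']} while the direct visit is not")
            continue
        for field in ("title", "description"):
            if r[field] != base[field]:
                findings.append(f"{label}: {field} differs ({r[field]!r} vs {base[field]!r})")
    return findings


def check(url: str) -> list:
    """Live check of one URL across all profiles."""
    return compare({label: fetch(url, hdrs) for label, hdrs in PROFILES.items()})


def demo() -> list:
    """Constructed responses showing both cloaking styles at once."""
    clean = ('<html><head><title>Acme Bakery</title>'
             '<meta name="description" content="Fresh bread daily"></head></html>')
    cloaked = ('<html><head><title>Cheap pills online</title>'
               '<meta name="description" content="Buy now"></head></html>')
    return compare({
        "direct": summarize(200, None, clean),
        "from_google": summarize(302, "http://spam.example/", ""),
        "googlebot": summarize(200, None, cloaked),
    })


if __name__ == "__main__":
    import sys
    for line in (check(sys.argv[1]) if len(sys.argv) > 1 else demo()):
        print(line)
```

Run it from a machine that is not logged in to the site and has no WordPress cookies; a logged-in cookie is exactly the condition these hacks use to hide from the owner. An empty result is not proof of a clean site (some variants key on IP ranges), but any finding is a strong one.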

Securing and Fixing Your Hacked WordPress Site

Cleaning up a hacked WordPress site can be incredibly painful and difficult. This is why we recommend you let experts clean up your website.

We use Sucuri to protect all our websites. See how Sucuri helped us block 450,000 WordPress attacks in 3 months.

It comes with 24/7 website monitoring and a powerful website application firewall, which blocks attacks before they even reach your website. Most importantly, they clean up your website if it ever gets hacked.

If you want to clean up your site on your own, then take a look at our beginner’s guide on fixing a hacked WordPress site.

Keeping Your WordPress Website Secure from Future Attacks

Once your website is clean, you can secure it by making it extremely difficult for hackers to regain access.

Securing a WordPress website involves adding layers of protection around it. For instance, using strong passwords with two-factor authentication protects your WordPress admin area from unauthorized logins, and rate-limiting the login form blunts brute force.

Similarly, you can block access to important WordPress files to protect them or set WordPress files and folder permissions correctly.

For more details, see our ultimate WordPress security guide which will walk you through all the steps you should take to make your WordPress site secure.

We hope this article helped you learn the signs to look for in a hacked WordPress site.

You may also want to see our guide on how to get a free SSL certificate, or our expert comparison of the best business phone services for small business.


The post 12 Signs Your WordPress Site Is Hacked (And How to Fix It) first appeared on WPBeginner.

How to Disable PHP Execution in Certain WordPress Directories

By default, WordPress makes certain directories writeable so that you and other authorized users on your website can easily upload themes, plugins, images, and videos to your website.

However, this capability can be abused if it falls into the wrong hands: hackers use it to upload backdoor access files or malware to your website.

These malicious files are often disguised as core WordPress files. They are mostly written in PHP and, once requested through the web server, run with the same privileges as WordPress itself, which gives the attacker control over every aspect of your website.

Sounds scary, right?

Don’t worry, there is an easy fix for that. You simply disable PHP execution in directories that only need to hold uploads or include-only files. After that, the web server refuses to run any PHP file placed inside those directories, so a dropped webshell is just an inert text file.

In this article, we will show you how to disable PHP execution in WordPress using the .htaccess file.

How to Disable PHP Execution in Certain WordPress Directories

Disabling PHP Execution in Certain WordPress Directories Using .htaccess File

Most WordPress sites have a .htaccess file in the root folder. This is a powerful configuration file used to password protect admin area, disable directory browsing, generate SEO friendly URL structure, and more.

By default, the .htaccess file is located in your WordPress website’s root folder, but Apache (and LiteSpeed) also read one placed inside any subdirectory, where it applies to that directory and everything below it. Nginx does not read .htaccess files at all.

To protect your website from backdoor access files, you need to create a .htaccess file and upload it to your site’s /wp-includes/ and /wp-content/uploads/ directories.

Simply create a blank file on your computer using a text editor like Notepad (TextEdit on Mac). Save the file as .htaccess, exactly that name with no .txt extension (some editors add one silently), and paste the following code inside it.

# Block every PHP-like extension, not only *.php (Apache 2.4 syntax;
# on Apache 2.2 replace the Require line with "Deny from all")
<FilesMatch "\.(?:php|phtml|php[0-9]+)$">
    Require all denied
</FilesMatch>

Create htaccess File with Code to Disable PHP

Now save the file on your computer.

Next, you need to upload this file to /wp-includes/ and /wp-content/uploads/ folders on your WordPress hosting server.

You can upload it by using an FTP client or via File Manager app in your hosting account’s cPanel dashboard.

Upload htaccess file to your WordPress site

Once the .htaccess file with the above code is in place, the web server answers every request for a PHP file in these directories with 403 Forbidden instead of executing it. Verify it: place a harmless test PHP file in uploads/, request it in a browser, confirm the 403, and delete it. Two caveats: this only works on Apache (or LiteSpeed) with .htaccess overrides enabled (AllowOverride); Nginx ignores .htaccess entirely and needs an equivalent deny rule in the server configuration. And WordPress’s own hardening guide makes one exception for wp-includes: on a multisite network, ms-files.php must stay reachable.
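As an added example (not a script from the page), the following Python installs the rule into both directories without overwriting an .htaccess that a plugin or the host has already placed in uploads/, and audits the result, flagging the older `<Files *.php>` form as weak because it does not match .phtml or .php7. The marker comments, the rule text and the directory list are this example's own choices; the sample tree is built in a temporary directory.

```python
"""Install the PHP-execution block into wp-includes/ and wp-content/uploads/
without clobbering an .htaccess a plugin or the host already wrote there, and
audit the result. Added example, not a script from the page; the marker
comments, rule text and directory list are this example's own choices and
the sample tree is constructed in a temporary directory."""
import tempfile
from pathlib import Path

BEGIN, END = "# BEGIN block-php-execution", "# END block-php-execution"
# FilesMatch also covers .phtml and numbered variants such as .php7 that a
# plain "*.php" glob misses; the IfModule pair works on Apache 2.2 and 2.4.
RULE = f"""{BEGIN}
<FilesMatch "\\.(?:php|phtml|php[0-9]+)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
{END}
"""
TARGET_DIRS = ("wp-includes", "wp-content/uploads")


def install_rule(directory: Path) -> str:
    """Create .htaccess, or append the rule to an existing one. Idempotent."""
    ht = directory / ".htaccess"
    if not ht.exists():
        ht.write_text(RULE)
        return "created"
    existing = ht.read_text()
    if BEGIN in existing:
        return "already-present"
    ht.write_text(existing.rstrip("\n") + "\n\n" + RULE)   # keep what was there
    return "appended"


def classify(text: str) -> str:
    """'ok', 'weak' (old <Files *.php> form only) or 'missing' for one file's text."""
    low = text.lower()
    denies = "deny from all" in low or "require all denied" in low
    if BEGIN in text or ("<filesmatch" in low and denies):
        return "ok"
    if "<files *.php>" in low and denies:
        return "weak: matches only *.php, not .phtml or .php7"
    return "missing"


def audit(root: Path, dirs=TARGET_DIRS) -> dict:
    report = {}
    for d in dirs:
        ht = root / d / ".htaccess"
        report[d] = classify(ht.read_text() if ht.exists() else "")
    return report


def demo() -> dict:
    """Constructed site: uploads/ already carries a plugin-written .htaccess."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in TARGET_DIRS:
            (root / d).mkdir(parents=True)
        plugin_ht = root / "wp-content/uploads/.htaccess"
        plugin_ht.write_text("Options -Indexes\n")
        before = audit(root)
        first = {d: install_rule(root / d) for d in TARGET_DIRS}
        second = {d: install_rule(root / d) for d in TARGET_DIRS}   # rerun is a no-op
        return {"before": before, "first_run": first, "second_run": second,
                "after": audit(root),
                "plugin_rule_kept": "Options -Indexes" in plugin_ht.read_text()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # path to the WordPress root
        root = Path(sys.argv[1])
        print({d: install_rule(root / d) for d in TARGET_DIRS}, audit(root))
    else:
        print(demo())
```

The audit only inspects the files; it cannot tell whether the server honours them. Follow it with the browser check described above (a test PHP file in uploads/ must return 403), because an AllowOverride setting or an Nginx front end makes a perfectly written .htaccess a no-op.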

Using this .htaccess trick helps you harden your WordPress security, but it is not a FIX for an already hacked WordPress site.

Backdoors are cleverly disguised and can already be hidden in plain sight.

If you want to check for possible backdoors on your website, then you need to activate Sucuri on your website.

Sucuri

Sucuri is the best WordPress security plugin on the market. It scans your website for possible threats, suspicious code, malware, and vulnerabilities.

It also effectively blocks most hacking attempts to even reach your website by adding a firewall between your site and suspicious traffic.

Most importantly, if your WordPress site gets hacked, then they will clean it up for you. To learn more, you can check our Sucuri review because we have been using their service for years.

We hope this article helped you to learn how to disable PHP execution in certain WordPress directories to harden your website security. If you are looking for a complete guide, check out our ultimate WordPress security guide.


The post How to Disable PHP Execution in Certain WordPress Directories appeared first on WPBeginner.