A hosting company in Israel was hacked last week. The entire server was compromised, and the WordPress (WP) websites hosted on it were down.
To be protected from future attacks (including cases in which the server is up and running, but your site has been hacked and is no longer ‘live’), you should examine both the:
- Client-side, and
- Server-side.
Let's start with the detailed recommendations:
- Update your WP version to the most recent version.
- Update your plugins.
- Review the theme’s files and search for any suspicious pieces of code.
- Block the internal API access.
- XML-RPC should be blocked for external users.
- Install security plugins: WP Engine, Wordfence Security, and Jetpack.
- Change your admin URL (wp-admin must be changed).
- The ability to change the website’s code from within WordPress should be blocked: code should be edited only in the server’s files.
- Admin’s passwords must be changed to stronger passwords: abc123 is not an option; new passwords should be set to something like SJO9Y&QQ6MZd#yM.
- To discover any issues, scan your website weekly with WPScan and Wordfence.
- Defend against SQL injection.
- Make sure your website is HTTPS protected.
- Perform client-side security scans to prevent data in user input fields from being tampered with.
- Avoid building SQL queries with user input.
- Prevent the inclusion of external files.
- Protect the client side from XSS attacks through input validation and output-string encoding.
- Make sure all server-side sections are handled by the hosting company.
- Install an SSL certificate on the server side.
- Make sure information, files, and databases can be restored from backups going back at least 3 days.
- Allow traffic to be routed to a ‘mirror’ site when your site is down or has been hacked.
- Ensure spam- and virus-filtering systems and the application firewall mechanism are installed successfully.
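Several of the items above (blocking the internal API, blocking XML-RPC, disabling in-dashboard code editing, avoiding SQL built from user input, and output encoding against XSS) can be applied with a single must-use plugin. The file below is an added example written for this page, not code from the original author; it uses only documented WordPress hooks and constants, and the two `example_*` helper functions are hypothetical names.

```php
<?php
/**
 * Plugin Name: Hardening example (constructed for this checklist)
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Checklist item: no code editing from inside WordPress. Removes the
// theme/plugin editor; files are then edited only on the server.
// Defining this in wp-config.php is preferable; it is done here for a single-file example.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// Checklist item: XML-RPC blocked for external users. This disables it for
// everyone; if a trusted client needs it, restrict xmlrpc.php by IP at the web server instead.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Checklist item: internal (REST) API only for authenticated users; anonymous
// requests receive HTTP 401. Caveat: front-end features that call /wp-json/
// without a logged-in user (some forms and blocks) will stop working.
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( ! empty( $result ) ) {
        return $result; // an earlier check already produced an error or a pass
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'The REST API requires authentication.',
            array( 'status' => 401 )
        );
    }
    return $result;
} );

// Checklist item: never build SQL from user input. $wpdb->prepare() binds
// the value as a parameter, so a title such as "' OR 1=1 --" is just a string.
function example_find_post_ids_by_title( $user_supplied_title ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_title = %s AND post_status = 'publish'",
        $user_supplied_title
    );
    return $wpdb->get_col( $sql );
}

// Checklist item: XSS defence through output encoding. Escape at the point of
// output; validating on input alone does not protect stored data later echoed into HTML.
function example_render_title( $title ) {
    return '<h2>' . esc_html( $title ) . '</h2>';
}
```

After installing it, confirm the effect: a request to `/xmlrpc.php` should report that XML-RPC is disabled, and an anonymous `GET /wp-json/wp/v2/users` should return 401 instead of a user list.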