WordPress Security Checklist

Here is a basic checklist of to-dos for when your WordPress site's security has been compromised.

  1. Install Wordfence if you have not done so already
  2. Run a scan
  3. Delete all infected files via Wordfence
  4. Change user logins (change admin to something else)
  5. Change the database password
  6. Change the FTP password
  7. Change the salts in wp-config.php (https://api.wordpress.org/secret-key/1.1/salt/)
  8. Delete unused plugins
  9. Delete unused themes
  10. Delete spam comments
  11. Exploit Scanner
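
Step 7 as an added example (not part of the original post): Python that replaces the eight key and salt constants in the text of wp-config.php with fresh values, which invalidates every existing login cookie. It assumes values are generated locally with `secrets` instead of being fetched from the API URL; `new_secret`, `rotate_salts` and the sample config are hypothetical names and constructed data.

```python
import re
import secrets

# The eight secret constants WordPress reads from wp-config.php.
SALT_NAMES = [
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
]
# No single quote or backslash, so a value is safe in a single-quoted PHP string.
ALPHABET = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    "!@#$%^&*()-_=+[]{}<>~`|;:,.?/ "
)


def new_secret(length=64):
    """Generate one value with the OS CSPRNG (assumption: local, not the API)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_salts(config_text):
    """Return (new_text, replaced_names); fail loudly if a constant is absent."""
    replaced = []
    for name in SALT_NAMES:
        # The quote before the name stops AUTH_KEY matching SECURE_AUTH_KEY.
        pattern = re.compile(
            r"define\(\s*(['\"])" + name + r"\1\s*,\s*(['\"]).*?\2\s*\)\s*;"
        )
        line = "define( '%s', '%s' );" % (name, new_secret())
        # A function replacement keeps the new value literal (no group escapes).
        config_text, count = pattern.subn(lambda m, line=line: line, config_text)
        if count:
            replaced.append(name)
    missing = [n for n in SALT_NAMES if n not in replaced]
    if missing:
        raise ValueError("salt constants not found: " + ", ".join(missing))
    return config_text, replaced


# Constructed sample wp-config.php fragment (not from a real site).
SAMPLE = "<?php\ndefine( 'DB_NAME', 'wp' );\n" + "".join(
    "define('%s', 'old value %d');\n" % (n, i) for i, n in enumerate(SALT_NAMES)
)

if __name__ == "__main__":
    rotated, names = rotate_salts(SAMPLE)
    print(rotated)
```

Back up wp-config.php before writing the result back; every user, including administrators, has to log in again afterwards.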

 

Another way to stay on top of security threats is to host on a WordPress-specialized host such as the one we use, WPEngine.com, which will alert you proactively to known threats.

Some further reading for experienced developers:
http://codex.wordpress.org/Hardening_WordPress
http://codex.wordpress.org/FAQ_My_site_was_hacked
http://wordpress.org/support/topic/268083#post-1065779
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://ottopress.com/2009/hacked-wordpress-backdoors/
http://sitecheck.sucuri.net/scanner/
http://www.unmaskparasites.com/
http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html
http://www.elegantthemes.com/blog/tips-tricks/what-to-do-when-your-wordpress-website-has-been-hacked

If you have questions, feel free to write or call.
