Skip to content

Distinguish of WordPress sites that are hacked

I would like to explain the distinguish that were most common among clients who were compromised by hackers.
If security measures are taken based on this, I think that the intrusion of hackers can be suppressed considerably.

The user’s password is a simple English word or a legal string

Logging in on the WordPress login screen can be done manually, but it is also possible for the hacker to repeat the login without resting 24 hours a day using hacking software.

The ID of a WordPress administrative user is easy to obtain. If the hacker knows the password, he will be able to log in as an administrator, and will be able to freely read and write files on the server.

Hackers take over administrative privileges using a list of hundreds of thousands of commonly used passwords that automatically repeat login enforcement.
In the latest WordPress, the password is automatically generated with a string that is difficult to guess, so using this string as a password makes it very difficult to take over administrative privileges.

There are vulnerable WordPress and plug-ins

Some versions of WordPress and plug-ins (which tend to target vulnerabilities in popular plug-ins) have vulnerabilities that allow hacker to fully control the site.

WordPress Doctor’s vulnerability scanner can check if a vulnerable WordPress or plug-in is being used, so if a high-risk vulnerability is detected, updated Is recommended.

WordPress Doctor Malware Scan & Security Plug-in

File permissions (write authority) are not set correctly

You can set the write permission for the server file so that it cannot be accidentally written from the outside. It is recommended to keep the following as a minimum for security.

root directory	0755
wp-includes/	0755	
.htaccess	0644
wp-admin/index.php 0555
wp-admin/js/ 755	
wp-content/themes/ 0755	
wp-content/plugins/	0755	
wp-admin/	0755	
wp-content/	0755
wp-config.php	0644

If the write permission for WordPress files and folders is 777 (writable with all permissions), security will be greatly reduced.

If you want to give stronger security to the site, you can make all files except wp-content / upload folder un-writable.

The unique key for authentication in wp-config.php is the same string or is not set

If the unique key part for authentication in wp-config.php is a simple character string as shown below, be careful.

define('AUTH_KEY',         'aaa');
define('SECURE_AUTH_KEY',  'aaa');
define('LOGGED_IN_KEY',    'aaa');
define('NONCE_KEY',        'aaa');
define('AUTH_SALT',        'aaa');
define('SECURE_AUTH_SALT', 'aaa');
define('LOGGED_IN_SALT',   'aaa');
define('NONCE_SALT',       'aaa');

This string plays an important role in security, such as making sure that WordPress posts and writing are made by a valid login user. Since it can be generated easily by accessing the URL with the description “Private Key Service”, it is recommended to modify it if it is like above.

Security plug-in has not been installed or settings are incomplete

If you have not installed WordPress security-related plug-ins, we recommend that you install it and enable as many settings as possible.

The importance of login lockdown and login capture


In order to prevent brute force attacks, which is a method of acquiring administrator privileges by repeating login enforcement, login lockdown (a function that prevents login enforcement after a few login failures) and login capture function It is effective to add to the wordpress.

This feature is provided by the above plug-ins and various other security-related plug-ins.

The backdoor has not been disinfected

Once a site has been hacked, often backdoors has not been disinfected even after the malware has been removed.
If this backdoor remains on the site even if you update WordPress or update the plug-in and install the security plug-in, hackers can easily install malicious files on the WordPress site in the future.

You can detect backdoor by using WordPress Doctor Malware Scan & Security Plug-in.