How I secure my WordPress websites after being hacked twice

WordPress 102 - How I secure my websites after being hacked twice
WordPress 102 - How I secure my websites after being hacked twice
Share now

This entry is part 4 of 5 in the series Computer Appreciation

The steps I take, after being hacked twice, has helped to keep my WordPress websites secure. Read my story to know how to keep your sites safe.

“Once bitten, twice shy” goes a popular English saying. Well, that is the number of times I have been hacked. Today, I will be sharing with you the steps I take to secure my websites these days.

But before then, let me tell you a story of how I was hacked.

Hack number one

My first website, (based on Joomla), which was launched in 2013, as a platform for sending bulk SMS. As usual with most startups, I was cash strapped and hence had to go for cheap hosting (one anonymous

The hack might have happened from my site’s end or from the hosting company.

I just woke one morning to see a mischievous message on the homepage of my site. I visited my hosting site and found the same message.

Unfortunately, the hosting company had no contact form or phone number. And to make matters worse, for more than a week, they didn’t contact me.

It was later on I realized that they were able to relaunch some of their sites after the attack. But the hosting website did not resurface again. I had to migrate.

I found another hosting company with better reputation, but costlier. I moved there after redesigning my website from bottom up, but losing customers in the process.

WordPress hacked. Infograph: Cloudways
WordPress hacked. Infograph: Cloudways

Hack number two

My second hack occurred in 2017. During these later stages, I was developing websites using WordPress. And since my feet were a little bit grounded, the whole site was not overrun by the hack.

RELATED STORIES  How to grow wealthy with blogging 101: First things first

I was able to notice the hack on time after observing unauthorized activities going on in the background.

For example, even though I was the sole admin, some users’ accounts were added which I didn’t add. Moreover, these users kept on reappearing even after deleting them.

In one occasion, I kept finding anonymous files and folders sprouting up in the root folder of one of my client. And in other case, I was locked out of the admin backend.

WordPress 102 - How I secure my websites after being hacked twice
WordPress 102 – How I secure my websites after being hacked twice

What did I do after retaking control of my websites?

I battled hard! I had to ditch the current states of the files, fall back to my backups and relaunch the websites.

After regaining control, I had to setup gatekeepers, firewalls, protocols and locks to protect my sites. These are what I do today. Learn from my mistakes.

Table of content

  • Good seeds
  • Fertile Soil
  • Good farming techniques

Good seeds

An often repeated technological term is “Garbage in, garbage out!” If you plant defective seeds, you will harvest defective yields.

If you want to blog or design a website, you need to select a platform that is secured, supported, well-known and easy to manuevre.

Nowadays, there are many content management systems (CMS) that comprises Joomla, WordPress, Drupal and Thunder.

But the most popular and most supported, with the most plugins that extend and secure websites is WordPress.

I had developed in Joomla before. Drupal on the other hand is difficult to learn.

 But I have never had the peace of mind and ease of development as in when I started developing with WordPress.

Hence, to me, you should plant WordPress on your hosting soil.                                                

The three major opensource CMSs - WordPress, Drupal and Joomla
The three major opensource CMSs – WordPress, Drupal and Joomla

Fertile soil

Even a good seed will suffer when planted on a bad soil. Hence, you need to make sure you host your websites with a trusted hosting company.

Website hosting is a tricky issue. Hence you need to check a web hosting company’s track record, security features, recommendations from users and ultimately its pricing before you leap to settle on one.

RELATED STORIES  How to insert image gallery into a WordPress post

From my interactions with several hosting websites and scanning through experts’ recommendations, I am going to give you a list of the most trusted hosting sites with the track record of good customer services, in the descending order of strength. Here you go:

  1. InMotionHosting
  2. SiteGround
  3. BlueHost
  4. HostGator
  5. Web4Africa

If you are coming from Nigeria or any of the Third World countries and funding is an issue to you, I will strongly recommend you take Web4Africa as a stepping stone.

Good farming practice

If you plant good seeds on a fertile land without taking care of your yield, you will not still get the desired harvest.

Hence, you will need to look after your WordPress site with all seriousness. Install all the needed security plugins, update all of the plugins regularly, monitor file changes, change admin directory, and much more.

Farmers use scarecrows to stop animals from ravaging their farmlands. There are security features you must add to your WordPress website after getting a strong host to secure it. These protective measures include:

  1. Security plugins: Install WordFence, Defender, iTheme Security and BPS Security plugins to beef up your sites’ protection. Make sure you check and add all the security features they recommended.
  2. Updates: Make sure you update all plugins, themes and the WordPress core as soon as updates become available. Most security lapses occur from outdated plugins. You can install JetPack plugin to help you auto-update your plugins.
  3. Choose which plugin you install: One rule of the thumb is to make sure that only UP-TO-DATE plugins and those with AT LEAST 4 STARS RATING are installed on your WordPress website. Moreover, make it a habit to install plugins found ONLY on plugins directory.
  4. Change admin directory: In addition to using strong usernames and passwords, it is highly recommended that you change your website’s admin login (that is, ‘’). Change the ‘wp-admin’ to something else. iTheme Security plugin will help you on this. Moreover, DON’T use ‘admin’ as your username.
  5. Monitor file changes: Some of the security plugins mentioned about will help you to monitor file changes and recommend appropriate steps to take. In addition to their works, make sure to keep an eye on your root folders for any foreign body and act swiftly.
  6. Use secured protocols: Adding SSL certificate to your website (using https instead of http) adds another layer of protection to your website. Add it to your site even if it is not an ecommerce.
  7. Use CDN: Adding your website to a content delivery network (CDN) like Cloudflare further buffers your site’s fortification.
  8. Trust in God: I know most of you might be asking “What has God got to do with website security?” Well, as a farmer, after sowing your seeds on a fertile soil and doing all the needful, you will still put your trust in God to give you a good yield.
RELATED STORIES  EDD 101: How to download a product from Memorila estore

Website security is a sensitive issue that might keep you awake at nights. Hence, to me, it will not be out of place to call on the Most High to further solidify the rings of security walls you built to fortify your WordPress website.

That is it, from me today. Until we meet next time, stay safe and keep your WordPress websites safer.

To your site’s security! Expect to hear from me soon.

Faruk Ahmed
Memorila – My ICT College

Series Navigation<< Gmail 103: How to force Gmail to fetch mails from your customised emailTop 10 best web hosting services: our review criteria >>

Share now

By Faruk Ahmed

Faruk Ahmed cut his teeth at National Review, a Kano-based magazine now rested, where he rose to become Operations Manager and then Business Developer and Strategist. He is a keen watcher of political events.

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.