WordPress websites, and websites built on other CMSes such as Joomla and Drupal, can be hacked or attacked if clients do not follow the precautions below.
Once compromised, attackers can use your WordPress website to send spam or to place malicious code that infects visitors' computers and steals passwords.
To avoid this, we recommend that all our clients keep WordPress and other CMSes, along with their plugins and themes, updated at all times.
Follow the steps highlighted here to protect your hosting account and CMS from the attacks mentioned above:
1) Avoid installing plugins and themes that are not popular or that lack a 4-5 star rating at WordPress.org (check the number of downloads and the star rating before installing any plugin or theme).
2) Never install "nulled" copies of paid plugins and themes that are offered for free on untrusted sites. Hackers often insert code into these themes and plugins that lets them take control of your WordPress site and send spam.
3) Always update WordPress and its plugins regularly.
4) Use strong passwords for your WordPress, cPanel and email accounts, generated from a combination of upper-case and lower-case letters, numbers and special characters such as *, $, #, & etc.
Update these passwords regularly. Never save them on your computer if the computer is not protected against malware and viruses. It is best to write the passwords down in a notebook or on paper.
5) Use security plugins such as Wordfence to increase the security of your WordPress installation.
6) Use Cloudflare to block visitors and IP addresses with a bad reputation on various blacklists.
7) Use caching plugins on your WordPress website to speed up page loading and improve the performance of your website.
8) Reinstall WordPress, its themes and its plugins from scratch (delete everything and install again) if our system has notified you about possibly infected files.
9) Regularly check the server for files that look strange. For example, look for unusual file names that do not occur in a standard WordPress/CMS installation (e.g. db11.php, sqlxx.php), for files with full rights on the server (e.g. files with 777 permissions), and for files containing encoded or obfuscated code.
You can find these files by sorting the file listing by modification date. You will often find that the most recently modified files are the ones infected with malicious code.
10) Follow the instructions in the WordPress.org guide on hardening your WordPress installation: Codex
11) Delete unused themes and plugins from the server backend (you can find themes and plugins under the /wp-content/ folder of your hosting account).
12) Look for recently modified PHP files under your account that may contain encoded or obfuscated code. Delete those files, or rename them to filename.php.infected and change their permissions to 000.
13) Never share your passwords with anyone.
14) Keep the computer you use to access your hosting account protected with antivirus software.
15) Disable new user registration and comments in WordPress if you do not need those features. If they are required, enable reCAPTCHA on them.
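The checks in steps 9 and 12 can be run from a shell on the hosting account. The script below is an added example written for this page, not code from WordPress.org or from the original author: it lists PHP files modified within the last N days, world-writable (777) files, and PHP files containing common obfuscation markers, and builds a small constructed sample document root so it can be tried offline. It assumes a POSIX shell with find, grep, mktemp and touch.

```shell
#!/bin/sh
# Added example: scan a WordPress document root for the warning signs in
# steps 9 and 12. Output is one finding per line: "<reason>\t<path>".

# scan_wp DOCROOT [DAYS]  (DAYS defaults to 7)
scan_wp() {
    docroot="$1"
    days="${2:-7}"
    # Step 12: PHP files modified within the last $days days.
    find "$docroot" -type f -name '*.php' -mtime "-$days" -print |
        while IFS= read -r f; do printf 'recent\t%s\n' "$f"; done
    # Step 9: files with world-writable permissions (e.g. 777).
    find "$docroot" -type f -perm -002 -print |
        while IFS= read -r f; do printf 'world-writable\t%s\n' "$f"; done
    # Step 9: PHP files carrying typical encoded/obfuscated-code markers.
    find "$docroot" -type f -name '*.php' -print |
        while IFS= read -r f; do
            if grep -Eq 'base64_decode|eval\(|gzinflate|str_rot13' "$f"; then
                printf 'obfuscated\t%s\n' "$f"
            fi
        done
}

# count_findings REASON DOCROOT -> number of findings with that reason.
count_findings() {
    scan_wp "$2" 7 | grep -c "^$1" || true
}

# Constructed sample document root (hypothetical files, not real malware):
# one old core file, one recently dropped obfuscated file, one 777 file.
make_sample_docroot() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-includes" "$root/wp-content/uploads"
    printf '<?php // normal core file\n' > "$root/wp-includes/functions.php"
    touch -t 202001010000 "$root/wp-includes/functions.php"   # make it look old
    printf '<?php eval(base64_decode("..."));\n' > "$root/wp-content/uploads/db11.php"
    printf '<?php echo 1;\n' > "$root/wp-content/sqlxx.php"
    chmod 777 "$root/wp-content/sqlxx.php"
    echo "$root"
}

# Usage on a real account: sh scan.sh /home/USER/public_html [DAYS]
if [ "$#" -ge 1 ]; then
    scan_wp "$1" "${2:-7}"
fi
```

Review every reported file before deleting it: a legitimate plugin update also shows up as "recent", so step 12's rename-to-.infected approach is the safer first action.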
Follow the instructions above consistently to keep your website healthy, safe and secure.
Credit to: Domianking