A couple of days ago we were hit with one of the shared hosting mass infections going around. It took us nearly 8 hours to fully recover. It was very frustrating, but it was a learning experience. Here are some of the points we now take to heart when securing WordPress.
It’s Your Site – Own It!
Don’t depend entirely on your hosting company to secure your particular installation – even if the installation was done through their control panel. Once we were made aware of the issue and notified GoDaddy, they responded quickly and cleaned our installation. We’ve always appreciated their response, and Wednesday’s was no exception.
No web application is 100% secure. The WordPress community responds quickly to fix discovered issues, but if you deploy any web application on the internet, you are responsible for keeping it patched and for taking every precaution to lock it down.
Read, Research and React
If you need help, don’t be afraid to ask! There are several competent WordPress consultants available. We spent a day or so reading, diving into code, testing plugins, etc. before we felt comfortable locking down our installation. Here’s a brief synopsis of what we did:
- We changed all of our passwords: blog authors and administrators, FTP passwords, and MySQL passwords. We used a password generator to make them strong.
- We changed our WordPress secret keys.
- We had an outside firm scan our site for malware. We used Site Security Monitor, acquired by Web Site Defender. We were pleased with their quick turnaround and glad to know that the GoDaddy team removed all the malware!
- We took database backups from two different sources. First, we used the WordPress Database Backup plugin and downloaded our backup. Next, we went in through our control panel and performed a backup using phpMyAdmin.
- We conducted a security scan of our WordPress installation. For this stage, we chose the WP Security Scan plugin from Semper Fi Web Design. We were pretty much “in the green” except for a couple of items, which we corrected by following the guidelines in the WordPress Codex.
- We installed WordPress Exploit Scanner, AntiVirus for WordPress, and WordPress File Monitor. Each of these great plugins will help us be a bit more proactive.
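Two of the steps above, rotating the WordPress secret keys and watching the install for unexpected file changes, can be scripted with nothing but standard shell tools. The script below is an added example written for this post; it is not code from the original post or from any of the plugins mentioned. It assumes a wp-config.php in WordPress’s stock `define( 'AUTH_KEY', '...' );` layout and a baseline file kept outside the web root; `make_fixture` builds a small constructed stand-in for a WordPress tree so the functions can be tried offline.

```shell
#!/bin/sh
# Added example (not from the original post): post-incident hardening for a
# WordPress install using only sh, find, sed, comm and sha256sum/shasum.

# The eight salt constants WordPress expects in wp-config.php.
SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"
PLACEHOLDER="put your unique phrase here"   # the stock value shipped in wp-config-sample.php

# 64 random characters from a set that is safe inside a single-quoted PHP
# string and inside a sed replacement (no ' \ & | or /).
random_salt() {
  LC_ALL=C tr -dc 'A-Za-z0-9!@#%^*()_+=.:,?-' < /dev/urandom | head -c 64
}

# Replace every define('KEY', '...') line with a fresh value. Rotating the
# salts invalidates all existing login cookies, which is what you want after
# an intrusion. The file is rewritten in place so its owner and mode survive.
rotate_salts() {
  cfg=$1; tmp=$(mktemp)
  cp "$cfg" "$tmp"
  for key in $SALT_KEYS; do
    new=$(random_salt)
    sed "s|^define( *'$key', *'[^']*' *);|define('$key', '$new');|" "$tmp" > "$tmp.new"
    mv "$tmp.new" "$tmp"
  done
  cat "$tmp" > "$cfg"; rm -f "$tmp"
}

# Fail (return 1) if any salt is missing, still the placeholder, or short.
check_salts() {
  cfg=$1; ok=0
  for key in $SALT_KEYS; do
    val=$(sed -n "s|^define( *'$key', *'\([^']*\)' *);.*|\1|p" "$cfg")
    if [ -z "$val" ] || [ "$val" = "$PLACEHOLDER" ] || [ ${#val} -lt 32 ]; then
      echo "weak or missing salt: $key" >&2; ok=1
    fi
  done
  return $ok
}

# SHA-256 of one file, using whichever tool the host provides.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# "hash  ./relative/path" for every file under the install root.
hash_tree() {
  ( cd "$1" && find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do hash_file "$f"; done )
}

# Record a known-good baseline. Keep it outside the web root so an attacker
# who can write to the site cannot also rewrite the baseline.
make_baseline() { hash_tree "$1" > "$2"; }

# Compare the tree against the baseline: print one line per added, modified
# or removed file and return 1 if anything differs, so it can drive an alert.
verify_baseline() {
  dir=$1; baseline=$2
  cur=$(mktemp); old=$(mktemp); newp=$(mktemp); oldp=$(mktemp)
  hash_tree "$dir" | LC_ALL=C sort > "$cur"
  LC_ALL=C sort "$baseline" > "$old"
  comm -13 "$old" "$cur" | sed 's/^[^ ]*  //' > "$newp"   # paths whose current hash is not in the baseline
  comm -23 "$old" "$cur" | sed 's/^[^ ]*  //' > "$oldp"   # paths whose baseline hash is no longer current
  while IFS= read -r p; do
    if grep -qxF -- "$p" "$oldp"; then echo "modified: $p"; else echo "added: $p"; fi
  done < "$newp"
  while IFS= read -r p; do
    grep -qxF -- "$p" "$newp" || echo "removed: $p"
  done < "$oldp"
  n=$(cat "$newp" "$oldp" | wc -l | tr -d ' ')
  rm -f "$cur" "$old" "$newp" "$oldp"
  [ "$n" -eq 0 ]
}

# Constructed fixture: a tiny stand-in for a WordPress tree with placeholder
# salts, so the functions above can be exercised offline. Prints its path.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-includes" "$root/wp-content/uploads"
  {
    echo "<?php"
    echo "define( 'DB_NAME', 'example_db' );"
    for key in $SALT_KEYS; do echo "define( '$key',         '$PLACEHOLDER' );"; done
    echo "\$table_prefix = 'wp_';"
  } > "$root/wp-config.php"
  echo "<?php // core file" > "$root/wp-includes/functions.php"
  echo "<?php // theme file" > "$root/wp-content/index.php"
  echo "$root"
}

# Walk through the whole procedure on the fixture: rotate, verify, baseline,
# then simulate an unexpected edit and a dropped file and re-check.
demo() {
  root=$(make_fixture)
  rotate_salts "$root/wp-config.php"
  check_salts "$root/wp-config.php" && echo "salts rotated"
  make_baseline "$root" "$root.baseline"
  echo "// unexpected edit" >> "$root/wp-content/index.php"
  echo "<?php // unexpected file" > "$root/wp-content/uploads/unexpected.php"
  verify_baseline "$root" "$root.baseline" || echo "tree differs from baseline"
}

if [ "${1-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see the rotation and a baseline mismatch on the fixture; on a real site, point `rotate_salts` at your wp-config.php and run `verify_baseline` from cron against a baseline taken right after a clean reinstall. The baseline must be retaken deliberately after every legitimate core, theme or plugin update, otherwise the next check will (correctly) flag those files.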
In closing, we learned a great deal this past couple of days. We still believe in open source software and will continue to use and recommend WordPress. We will, however, be a bit more diligent about locking every web application down as much as possible. We monitor Secunia’s Advisories on WordPress so we can be as proactive as possible.
If you were affected by these recent attacks, we’d like to know how quickly you were able to recover. Please drop us a line (we’ll keep your information confidential) and let us know. If you need assistance, please don’t hesitate to reach out. If we can’t help you we will work with you to find someone who can.