Some time ago I created a "shallow" thread about preventing your WordPress sites from getting hacked or injected with malicious code, which, surprisingly, many found very valuable and helpful. This time around, I will share my experience with the method I adopted after my websites were hacked several times.
I will also be sharing the plugins I used to secure my website, all of which I downloaded from Babiato here. Note that this applies to both corrective and preventive cases: in other words, whether your site has already been hacked or you just want to secure it so that hackers cannot get in.
First, the plugins you need, where to download them on the forum, and how necessary each one is for securing your website like a pro:
WordFence Pro:
WordFence Pro is needed in this process to clean your website in the event that it has been hacked. For the record, WordFence does a whole lot and overlaps heavily with Defender Pro, if it does not do more. Here, however, WordFence will be restricted to malware detection and scanning, and to the removal or repair of hacked files. The free version also works, but it skips some parts of the scan process.
To use it, first download the plugin from the link above, set it up and navigate to the scan page to scan your website. Allow the scan to complete. If it catches malware or malicious code, repair the files and folders it was injected into, or delete them if they are not default WordPress files or folders. After this is done, click "UPDATES" under "DASHBOARD" and reinstall the latest version of WordPress. When this is done, you are ready to move on to the next phase.
PS: WordFence is a very solid plugin, but the alerts it sends when there is a brute force attack can be annoying, which is why we only need WordFence for malware scanning and fixes.
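The scan step above asks you to tell modified core files (repair) apart from files that are not part of WordPress at all (delete). As an added example that is not from the original post and not WordFence's code, the script below does that comparison by hand against the official md5 checksums that wordpress.org publishes for every release (the same check WP-CLI performs with `wp core verify-checksums`). It assumes PHP with `allow_url_fopen` enabled, is run from the command line, and takes the WordPress root directory as its only argument; `wp-content/` is skipped because it legitimately contains your own themes, plugins and uploads.

```php
<?php
// Added example, not from the original post or from WordFence: compare the
// installed WordPress core files with the official checksums so that modified
// core files and foreign files inside wp-admin/ and wp-includes/ stand out.

/**
 * Fetch the official md5 checksums for one WordPress version and locale from
 * https://api.wordpress.org/core/checksums/1.0/ as [relative path => md5],
 * or null if the lookup fails or the version is unknown to the API.
 */
function fetch_core_checksums(string $version, string $locale = 'en_US'): ?array
{
    $url  = 'https://api.wordpress.org/core/checksums/1.0/?'
          . http_build_query(['version' => $version, 'locale' => $locale]);
    $body = @file_get_contents($url);
    if ($body === false) {
        return null;
    }
    $data = json_decode($body, true);
    return is_array($data['checksums'] ?? null) ? $data['checksums'] : null;
}

/**
 * Compare the files under $root with the expected checksums.
 * Returns ['modified' => [...], 'missing' => [...], 'unexpected' => [...]].
 * Only wp-admin/ and wp-includes/ are walked for unexpected files.
 */
function verify_core_files(string $root, array $checksums): array
{
    $report = ['modified' => [], 'missing' => [], 'unexpected' => []];
    $root   = rtrim($root, '/');

    foreach ($checksums as $relative => $expectedMd5) {
        // The checksum list also covers default themes/plugins under wp-content/,
        // which site owners routinely remove; they are not core and are skipped.
        if (strpos($relative, 'wp-content/') === 0) {
            continue;
        }
        $path = $root . '/' . $relative;
        if (!is_file($path)) {
            $report['missing'][] = $relative;
        } elseif (md5_file($path) !== $expectedMd5) {
            $report['modified'][] = $relative;   // candidate for repair/reinstall
        }
    }

    foreach (['wp-admin', 'wp-includes'] as $dir) {
        $base = $root . '/' . $dir;
        if (!is_dir($base)) {
            continue;
        }
        $files = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($base, FilesystemIterator::SKIP_DOTS)
        );
        foreach ($files as $file) {
            $relative = substr($file->getPathname(), strlen($root) + 1);
            if (!isset($checksums[$relative])) {
                $report['unexpected'][] = $relative;   // not shipped by WordPress
            }
        }
    }
    return $report;
}

// Usage: php verify-core.php /path/to/wordpress
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $root = $argv[1];
    // wp-includes/version.php only sets $wp_version; WordPress itself is not loaded.
    require $root . '/wp-includes/version.php';
    $checksums = fetch_core_checksums($wp_version);
    if ($checksums === null) {
        fwrite(STDERR, "Could not fetch checksums for WordPress $wp_version\n");
        exit(1);
    }
    foreach (verify_core_files($root, $checksums) as $kind => $files) {
        echo strtoupper($kind), ' (', count($files), ")\n";
        foreach ($files as $f) {
            echo "  $f\n";
        }
    }
}
```

An "unexpected" file under wp-admin/ or wp-includes/ is exactly the kind of file the step above says to delete rather than repair, and a "modified" one is what reinstalling WordPress from "UPDATES" overwrites. Compare the report with what WordFence flags; if the two disagree, trust the checksums for core files.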
Defender Pro:
Defender Pro is a super solid plugin and most of what you will do to secure your website lies with this plugin. Once you have installed it, start with the security recommendations:
1. Disable File Editor (You want to make sure that hackers who find a way into your site's backend cannot inject or lace your root files with terrible code that will destroy your blogging or business career.)
2. Disable XML-RPC (This is the most crucial thing to disable on your WordPress website. If you follow all the other steps in this thread but don't disable it, your site will still get hacked. Disabling XML-RPC makes sure hackers cannot communicate remotely with your website and brute-force your site. I shared code on the other thread to include in your functions.php file, but with Defender Pro you do not need the code; the plugin handles it perfectly.)
3. Update Old Security Keys (WordPress salts and security keys are a big deal for those who are neck deep in security. Thankfully, with Defender Pro you can effortlessly change your WordPress salts and security keys every 30, 60 or 90 days and so on. The plugin does it automatically, so you don't have to revisit it every time. You can learn more about WordPress salts and security keys here.)
4. Login Protection (Here you can ban certain usernames, such as the generic "admin", "user" or "administrator", and set the ban to "permanent", so that anyone who tries those usernames is banned permanently. This is unlike WordFence, where you have to manually mark blocked usernames and place them in a ban.)
5. User Agent Banning (I didn't know this was a big deal until I started using Defender Pro. For those who know, user agents such as MJ12Bot, AhrefsBot, SEMrushBot and DotBot are all used to hack websites and eat up your server's resources. Typically this is included in AISEOP, but it is free to use here. You can also whitelist search engine bots so that they are excluded from the list of bots blocked from querying your site.)
6. Mask Login Area (You should activate this under "Tools" in Defender Pro. The default login area of WordPress sites is example.com/wp-admin. Anyone who finds this login area can launch attacks of any kind. However, if the login area is masked (for instance, example.com/nutricionales), only those who know that "nutricionales" is the extra path added to your site can access the page. With WordPress, if they don't know your login area, it is nearly impossible to manually hack your website.)
PS: Be sure to write the new login URL somewhere you won't lose it.
7. Security Headers (For an extra layer of protection, you can turn on security headers. I personally recommend turning on X-Frame-Options, X-XSS-Protection (leave it at "Sanitize") and X-Content-Type-Options, particularly for sites that allow users to upload GIFs or images through comments or other places.)
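For anyone who wants to see what recommendations 1, 2, 4, 5 and 7 actually change under the hood, here is an added example that is not from the original post and not Defender Pro's code: a must-use plugin (drop it in wp-content/mu-plugins/) that applies those five settings with plain WordPress hooks. The banned username and user agent lists are the ones named above, constructed here as PHP constants; salt rotation (3) and login masking (6) need a lot more than a few hooks and are left to the plugin. The X-XSS-Protection value `1` is what Defender Pro's "Sanitize" option sends.

```php
<?php
/**
 * Plugin Name: Manual Hardening (added example)
 *
 * Added example, not part of the original post and not Defender Pro's code.
 * Applies recommendations 1, 2, 4, 5 and 7 of the list above by hand.
 */

// 1. Disable the theme/plugin file editor. The canonical place is wp-config.php;
//    defining it here works because mu-plugins load before the admin menus are built.
if (!defined('DISALLOW_FILE_EDIT')) {
    define('DISALLOW_FILE_EDIT', true);
}

// 2. Disable XML-RPC. The xmlrpc_enabled filter only switches off the
//    authenticated methods (the brute-force vector), so the pingback methods
//    and the X-Pingback/RSD advertisements of the endpoint are removed too.
add_filter('xmlrpc_enabled', '__return_false');
add_filter('xmlrpc_methods', function (array $methods): array {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});
remove_action('wp_head', 'rsd_link');

// 4. Login protection: generic usernames are rejected whatever the password.
//    Constructed list from the post. Rename a real "admin" account first, or
//    you lock yourself out. Defender Pro also bans the source IP; this does not.
const HARDENING_BANNED_USERNAMES = ['admin', 'user', 'administrator'];

// Priority 30 runs after core's username/e-mail checks (priority 20), so the
// WP_Error returned here is the final verdict and cannot be overridden by them.
add_filter('authenticate', function ($user, $username) {
    if (is_string($username)
        && in_array(strtolower($username), HARDENING_BANNED_USERNAMES, true)) {
        error_log(sprintf('Blocked login for banned username "%s" from %s',
            $username, $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        return new WP_Error('banned_username', 'Invalid login.');
    }
    return $user;
}, 30, 2);

// 5. User agent banning: constructed list from the post. None of these strings
//    match Googlebot or Bingbot, so search engines are unaffected.
const HARDENING_BANNED_AGENTS = ['MJ12Bot', 'AhrefsBot', 'SEMrushBot', 'DotBot'];

function hardening_is_banned_agent(string $userAgent): bool
{
    foreach (HARDENING_BANNED_AGENTS as $bot) {
        if (stripos($userAgent, $bot) !== false) {
            return true;
        }
    }
    return false;
}

// Answer 403 at load time, before WordPress runs a single database query.
if (hardening_is_banned_agent($_SERVER['HTTP_USER_AGENT'] ?? '')) {
    status_header(403);
    nocache_headers();
    exit('Forbidden');
}

// 7. Security headers with the values recommended above. send_headers fires
//    for front-end requests; wp-admin and wp-login already get X-Frame-Options
//    from core itself.
add_action('send_headers', function (): void {
    header('X-Frame-Options: SAMEORIGIN');
    header('X-XSS-Protection: 1');             // Defender Pro's "Sanitize"
    header('X-Content-Type-Options: nosniff');
});
```

One caveat worth knowing when you pick the X-XSS-Protection option: current Chrome, Edge and Firefox ignore that header entirely, so X-Content-Type-Options is the one that really matters for the upload scenario described above. Also check the result with your browser's network panel after activating, since a caching layer or CDN in front of the site may strip or override headers set by PHP.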
That should be all concerning Defender Pro!
Perfmatters Pro:
If your website has been hacked before, you'll agree that you experience slow response times no matter how hard you try. You can use Perfmatters to optimize and speed up your site. Don't get tempted into turning on every feature; some of them may end up hurting your site more than they help. Most importantly, YOU SHOULD NOT DISABLE YOUR RSS FEEDS OR REMOVE RSS FEED LINKS. If you do and you use Google News or Opera News, your site will suffer a terrible setback.
You should hide your WordPress version, disable emojis (if you are not using some fancy theme that requires emojis to work), disable embeds, remove jQuery Migrate, and turn off some other features that are not useful to WordPress. Save when you are done, and that's it for enhancing your site's security and optimizing its speed. You can use Perfmatters alongside a cache plugin.
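To show what those four Perfmatters toggles do in WordPress terms, here is an added example that is not from the original post and not Perfmatters' code: a small must-use plugin that hides the version, disables emojis and embeds, removes jQuery Migrate on the front end, and, on purpose, leaves the RSS feed links untouched. The hook names are standard WordPress core hooks; nothing else is assumed.

```php
<?php
/**
 * Plugin Name: Manual Tweaks (added example)
 *
 * Added example, not from the original post and not Perfmatters' code.
 * Applies the four Perfmatters settings recommended above by hand and
 * deliberately keeps the RSS feed links in <head>.
 */

add_action('init', function (): void {
    // Hide the WordPress version: the generator tag in <head> and in the feeds.
    remove_action('wp_head', 'wp_generator');
    add_filter('the_generator', '__return_empty_string');

    // Disable emojis: detection script, styles, feed/e-mail conversion, editor plugin.
    remove_action('wp_head', 'print_emoji_detection_script', 7);
    remove_action('wp_print_styles', 'print_emoji_styles');
    remove_action('admin_print_scripts', 'print_emoji_detection_script');
    remove_action('admin_print_styles', 'print_emoji_styles');
    remove_filter('the_content_feed', 'wp_staticize_emoji');
    remove_filter('comment_text_rss', 'wp_staticize_emoji');
    remove_filter('wp_mail', 'wp_staticize_emoji_for_email');
    add_filter('tiny_mce_plugins', function ($plugins) {
        return is_array($plugins) ? array_diff($plugins, ['wpemoji']) : [];
    });

    // Disable embeds: oEmbed discovery links, the host script, the REST route
    // and the automatic oEmbed lookup for pasted URLs.
    remove_action('wp_head', 'wp_oembed_add_discovery_links');
    remove_action('wp_head', 'wp_oembed_add_host_js');
    remove_action('rest_api_init', 'wp_oembed_register_route');
    add_filter('embed_oembed_discover', '__return_false');
    remove_filter('oembed_dataparse', 'wp_filter_oembed_result', 10);

    // NOT removed on purpose: feed_links and feed_links_extra stay hooked to
    // wp_head, so Google News / Opera News keep finding the RSS feeds.
});

// Remove jQuery Migrate on the front end only; wp-admin keeps it because
// older plugin scripts there may still rely on the shimmed jQuery APIs.
add_action('wp_default_scripts', function (WP_Scripts $scripts): void {
    if (is_admin() || !isset($scripts->registered['jquery'])) {
        return;
    }
    $jquery = $scripts->registered['jquery'];
    if (!empty($jquery->deps)) {
        $jquery->deps = array_diff($jquery->deps, ['jquery-migrate']);
    }
});
```

Treat "hide the WordPress version" as hygiene rather than a security control: the version can still be inferred from readme.html and from the `?ver=` query strings on core scripts and styles, so keeping WordPress updated (as the next section says) is what actually closes the gap. As with Perfmatters itself, enable one toggle at a time and check the front end, because a theme that depends on embeds or emojis will break visibly.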
What to Note!
Just because your site is fully secure does not mean you should stop updating your plugins and themes constantly. As a matter of fact, updates are part of the ongoing process of securing your website. If you feel your site was compromised at some point, go ahead and change your database password, your DirectAdmin or cPanel login details and finally your site's password. Remember to update your details in the wp-config file. With all of these in place, your site is FULLY SECURED! DO NOT USE THE RECAPTCHA IN DEFENDER PRO ON YOUR LOGIN PAGE. YOU WILL GET LOCKED OUT OF YOUR SITE!
As mentioned earlier, WordFence is a packed plugin. The downside is the crazy alerts. You're also more likely to get locked out of your site if you make a mistake.
Defender Pro towers above plugins such as WP Hide Security Enhancer Pro and Hide My WP. I have used them in the past and I hate them because they do not exactly keep your .htaccess file simple. What's worse, your site could go down if you rename your .htaccess file or generate a new one to troubleshoot a problem, which invariably means you will have to go through the same steps all over again.
All the best with adding that 100% layer of security!
A summary of the plugins used in this thread, where to download them on the forum, and how necessary each one is:

| S/N | Plugin Name | Purpose | Comment | Download Link |
| --- | --- | --- | --- | --- |
| 1 | WordFence Pro | Malware scanning, detection and removal | IMPORTANT! | WordFence Pro Download |
| 2 | Defender Pro | Mask login page, harmful bot banning, XML-RPC disabling, disabling the file editor, updating old security keys, user agent banning, IP banning, login protection | IMPORTANT! | Defender Pro Download |
| 3 | Perfmatters Pro | Site speed optimization and tune-up | RECOMMENDED! | Perfmatters Pro |
| 4 | Sucuri | File change detection | OPTIONAL! | WordPress Repository |