Hacked WordPress Shared Hosting: Lessons Learnt


A few weeks ago, our shared hosting account on a well-known hosting provider was compromised. The WordPress websites were attacked by malware that corrupted files with malicious code. The malware was even able to spread to more than one site (on shared hosting, all sites run under one Linux user) and do a fair bit of damage. We use a mix of WordPress and other open source programs for our content, but this article will help anyone running PHP.

Luckily, our programmers were able to recover the hacked WordPress website and we were back on track.

Recommendations to secure a hacked WordPress site on a shared hosting account

  1. Change all passwords!

    And I mean all passwords: your cPanel password, FTP passwords, hosting account password and so on. Also, store the passwords in a safe location (Google Drive) instead of a text file lying around. Always generate long, strong passwords instead of trying to be clever and coming up with your own. At The Right Software, we love thebitmill.com to do our dirty work. Link given below.

  2. Keep your computers clean (Duh)

    This is an over-used cliché, but most of the time infections originate on a local computer, where malware can steal information like FTP or database passwords and send it out. So always keep an anti-virus program installed and regularly updated. As a bonus, it will keep your computer from slowing down as well.

  3. Never store FTP Passwords in FTP software

    We all use FTP to upload files. It's convenient, it's fast and it doesn't ask questions (like git :)). Here's the catch though: for convenience we save live passwords into FTP clients like FileZilla or CuteFTP. This is a big no. These passwords are saved in flat files without any encryption, and any resident malware knows the common paths to try, extracts the FTP passwords and uses them to inject code into the live site.

  4. WordPress: Not all themes and plugins are created equal

    We all look for bargain deals. Free WordPress plugins and themes make our eyes glint. But please remember that plugins downloaded from third-party sources (other than wordpress.org) don't go through a security and compliance review and are therefore more susceptible to security breaches. The same goes for themes. So always keep your WordPress version, plugins and themes updated.

  5. Apply the steps devised by WordPress itself

    WordPress itself provides a handy list of hardening steps that make it harder to crack. Do follow them and apply all of them. Link given below.

  6. Make regular backups online

    Make regular backups of your online websites, as shared hosts don't provide this service beyond a 24-48 hour backup, and even that may already be tainted by the malware. So it's better to keep your own backups. Hosting providers quarantine infected files, so don't rely on them to bail you out.

  7. When in doubt, wipe the server clean

    With backups at hand, and if you feel the rot is too deep, we advise you to clean up every domain account and start from zero with fresh passwords.

  8. Never mix production and development environments

    For small businesses, separate production and development machines are an extra cost. Still, it's better to deploy a one-time in-house server with a public IP than to use the same hosting for live websites and for showing clients concepts.

  9. SSH is your friend

    Most shared hosts do provide SSH access, so use it to keep file and folder permissions in check, as outlined by WordPress itself: 644 for files and 755 for folders.
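As an added example (not from the original post), a small POSIX shell script you can run over SSH to audit a WordPress tree against the 644/755 baseline above and reset anything that drifted; the document root path is a placeholder:

```shell
#!/bin/sh
# Audit a WordPress tree for files that are not 644 and directories that
# are not 755, and optionally reset them.
# Assumed usage (placeholder path): sh wp-perms.sh /home/user/public_html

# Print one "file <path>" or "dir <path>" line for every entry whose
# mode differs from the recommended baseline. Symlinks are not followed.
list_nonstandard() {
    find "$1" -type f ! -perm 644 -exec printf 'file %s\n' {} \;
    find "$1" -type d ! -perm 755 -exec printf 'dir %s\n' {} \;
}

# Return 0 when the whole tree matches the baseline, 1 otherwise.
audit_perms() {
    n=$(list_nonstandard "$1" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Reset the tree to the baseline. This also closes world-writable
# directories (777) and files (666), which are typical malware drop spots.
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Command-line entry point: report offenders, exit non-zero if any.
if [ -n "${1:-}" ]; then
    if audit_perms "$1"; then
        echo "OK: all files are 644 and all directories are 755 under $1"
    else
        echo "Non-standard permissions found under $1:"
        list_nonstandard "$1"
        exit 1
    fi
fi
```

The WordPress hardening guide linked at the end of this post also allows a tighter mode for wp-config.php; if you apply that, exclude the file from the audit.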


This is not an exhaustive list but it will be a good start. You can add your bit in the comments below.

If you need help with cleaning up your shared hosting, send us an email. We'll be happy to do a quick review of the situation with you.


http://www.thebitmill.com/tools/password.html
https://codex.wordpress.org/Hardening_WordPress
