
[Ultimate] 4,131 Word Guide: How to Fix Every WordPress Error, Bug, or Hacked Site


No software application is without its kinks, and when you consider that somewhere around 75 million websites depend on WordPress to host their content every day, it is not surprising that users run into the occasional site error.

More often than not, a problem can be solved with a quick fix or a glance at the WordPress troubleshooting page. There are, however, a few common issues that take a little more persistence and brain power to get through.

You may be thinking that these large, security-breaching problems could never happen to you, but that simply isn’t true. If it could happen to Mossack Fonseca, a top law firm that worked with politicians around the globe, it can easily happen to you if you don’t keep your WordPress website up to date and secure.

For the purposes of this article, we will focus on what to do if you’re hacked, as well as some common WordPress issues that you wouldn’t necessarily find in a FAQ page.

Chapters

1. How to Search & Solve Any Issue
2. Fix WP Admin Problems
3. Fix Programming Problems
4. Fix WP Theme Problems
5. Fix WP SEO Problems
6. Fix WP Server Problems
7. Fix WP Server Security Issues
8. How to Fix a Hacked Site

How to search for the solution to your issue

There are dozens upon dozens of unique issues that WordPress users may run into on a daily basis. If your issue is not covered by any of the examples in this guide, don’t worry. There is a high likelihood that another WP user has already had and fixed your problem. We will use the “WordPress won’t let me log in” example to go a bit more in depth on the search process.

Step 1: Google your problem


As you can see, I already recently searched this issue as I was writing this article, so it popped up almost instantaneously for me. This search alone turns up nearly 4 million results! Now we have to sift through and figure out what’s good information and what isn’t.

Step 2: Read your results


I clicked nearly every single one of the top links so I could get a clear vision of what the general consensus was. There were many results, but it is important to note that Google offers the most relevant and popular information first, so you shouldn’t have to look TOO far before you get what you need.

Step 3: Check Stack Overflow for your answer


Stack Overflow is a great place, possibly the greatest, for WordPress users to get answers to their troubleshooting questions, because it is where programmers come to answer them. If you have a question, there is a high likelihood that it has already been answered here.

Even if it hasn’t, someone will probably be able to answer it for you pretty quickly. Our search turned up 448 results, so we are in luck.

Step 4: Put it all together


If we combine what we learned from our Google search results with the highly educated answers we received from Stack Overflow, chances are that we’ve already figured out the cause of our problem and how we can now effectively solve it.

All that is left to do is put our newfound knowledge to good use and get back to making quality posts on WordPress. Good luck!

How to fix common WordPress admin problems

Locked Out of WP Admin


So, you forgot your email… or password… or both, and can no longer access your account. You can’t simply click that ‘Lost your password?’ button and fix your problems either, because they require that you enter your email, which you no longer have access to.

Does this mean your site is lost forever? Not necessarily. There are a few things you can do to get your site back in no time.

How to change your password without an email:

Step 1: Log in to your cPanel and click on phpMyAdmin, which is located under Databases.

Step 2: Select your WP database and open the wp_users table (the wp_ prefix will be different if it was changed when the site was installed).

Step 3: Click the Browse button.

Step 4: Look for your username and click the Edit button.

Step 5: Enter the new password in the user_pass field.

Step 6: In the Function dropdown next to that field choose MD5, then click Go. WordPress still accepts a bare MD5 hash in user_pass and replaces it with a proper salted hash the first time that user logs in, so log in straight away. Choose a long, random password rather than a temporary one you intend to keep.
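An alternative that does not go through phpMyAdmin or leave an MD5 hash in the table, added here as an example and not part of the original article: a one-shot reset script that uses WordPress’s own password hashing and also closes any sessions the account still has. It assumes you can upload files to the site root over FTP, that the script is placed next to wp-load.php and opened once over HTTPS with the token you chose, and that the username (here “admin”) and the token are replaced with your own. The script removes itself at the end, but check that it is gone: anyone who finds it with the token could take over the account.

```php
<?php
// emergency-reset.php: one-shot password reset for a locked-out WordPress user.
// Added example, not code from the original article. Assumes it is uploaded to
// the WordPress root (next to wp-load.php), opened once over HTTPS as
// /emergency-reset.php?token=..., and removed afterwards. Leaving it in place
// would hand the account to anyone who finds it.

$target_login   = 'admin';                               // assumption: the user to reset
$one_time_token = 'replace-with-a-long-random-string';   // assumption: choose your own

if (!isset($_GET['token']) || !hash_equals($one_time_token, (string) $_GET['token'])) {
    http_response_code(403);
    exit('forbidden');
}

require __DIR__ . '/wp-load.php';   // bootstraps WordPress so its user API is available

$user = get_user_by('login', $target_login);
if (!$user) {
    exit('no such user');
}

// wp_set_password() stores the hash produced by wp_hash_password(), so nothing
// is left in user_pass as bare MD5 the way the phpMyAdmin route does.
$new_password = wp_generate_password(24, true, true);
wp_set_password($new_password, $user->ID);

// A password change alone does not invalidate cookies that are already out
// there; destroy every session token this account holds as well.
WP_Session_Tokens::get_instance($user->ID)->destroy_all();

header('Content-Type: text/plain');
echo "Password for {$user->user_login} has been reset. Log in now, then confirm this file is gone.\n";
echo $new_password, "\n";

// Remove the script so it cannot be reused.
@unlink(__FILE__);
```

The token check runs before WordPress is loaded, so a stray request to the file without the token does nothing. Copy the printed password into a password manager and change it once more from your profile page after you are back in.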

If you cannot access your cPanel, or if this troubleshooting tutorial doesn’t work for you, feel free to check out these pages for more help:

Resetting Your Password

How to Reset a WP Password

Locked Out Of WordPress Dashboard? Here’s A Simple Fix

Fatal Error Function is_network_admin Error

fatal_error

Any time the words “fatal error” are involved, people get a little bit nervous. Believe it or not though, this error is one of the least intimidating ones we’re going to discuss today.

It isn’t a problem with your theme or plugins, and I assure you that you haven’t been hacked or riddled with viruses. All it means is that a core update was interrupted: part of the new version was copied in and part of the old one is still there, so one file calls a function that the other does not define yet.

How to fix fatal admin error:

Step 1: Manually update. Download the current WordPress zip and, over FTP, replace the wp-admin and wp-includes folders and the core files in the site root with the fresh copies, leaving wp-content and wp-config.php untouched. Seriously, that’s it!

Can’t Upload Images Error


Everyone likes a good picture in their blog. So just imagine the frustration if you’re trying to upload one to your site and you keep getting an error message that says something like “Unable to create directory uploads”.

There are two likely reasons for this error: either you have the wrong file permissions set on your upload folder, or you have an issue with your plugins.

How to fix upload error:

Step 1: Deactivate each plugin one by one to rule out any conflict. If one of your plugins is the issue, get rid of it.

Step 2: Temporarily set up a default theme to make sure your theme isn’t causing the problem.

Step 3: If it’s neither a plugin nor your theme, you need to edit the file permissions for your upload folder.

Step 4: Set your permissions to 755 for folders and 644 for files. Do not use 777, however tempting: on a shared server it lets every other account write into your site.
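To see which of the two causes you actually have, here is a small diagnostic, added as an example and not code from the original article: it asks WordPress where it wants to write and reports owner, mode and writability for that path next to the user PHP runs as. It assumes it is placed in the site root next to wp-load.php, that the posix extension is present (it degrades gracefully if not), and that you delete it when done.

```php
<?php
// uploads-check.php: diagnose "Unable to create directory uploads".
// Added example, not code from the original article. Assumes it sits in the
// WordPress root next to wp-load.php; delete it when you are done.
require __DIR__ . '/wp-load.php';

// Owner, mode and writability of one path, as the web server's PHP sees it.
function describe_path(string $path): array {
    clearstatcache();
    if (!file_exists($path)) {
        return ['path' => $path, 'exists' => false];
    }
    $stat = stat($path);
    return [
        'path'           => $path,
        'exists'         => true,
        'mode'           => substr(sprintf('%o', $stat['mode']), -4),   // e.g. 0755
        'owner_uid'      => $stat['uid'],
        'group_gid'      => $stat['gid'],
        'writable'       => is_writable($path),
        // 0777 / 0666 turns the directory into a drop point for every other
        // account on a shared server, so it is flagged rather than recommended.
        'world_writable' => (bool) ($stat['mode'] & 0002),
    ];
}

$upload = wp_upload_dir();   // WordPress's own view of where uploads go
$report = [
    'wordpress_error' => $upload['error'] ?: 'none',
    'php_runs_as_uid' => function_exists('posix_geteuid') ? posix_geteuid() : 'unknown (posix ext missing)',
    'uploads_base'    => describe_path($upload['basedir']),
    'current_month'   => describe_path($upload['path']),
    'wp_content'      => describe_path(WP_CONTENT_DIR),
];

header('Content-Type: text/plain');
foreach ($report as $name => $value) {
    echo str_pad($name, 16), ': ', is_array($value) ? json_encode($value) : $value, "\n";
}
// Reading the result: if php_runs_as_uid is not the owner of uploads_base and
// the mode is 0755, PHP cannot write there no matter how often 755/644 is
// reapplied. Ownership, not mode, is the bug: ask the host to chown the tree
// to the PHP user, or put PHP's user in the owning group and use 775 on the
// uploads tree only.
```

If the report shows the directory writable and the error persists, the plugin and theme checks above are the right next step; if it shows a different owner than the PHP user, no amount of chmod will help and the host has to fix ownership.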

If you’re not sure how to edit file permissions, check out these links:

Changing File Permissions

WordPress File Permissions

Overlapping Admin Menu Error


Imagine that you just ran an update so you’d have the most recent version of WordPress. You’re now protected from the bulk of security threats and everything is going great, right? Wrong. You log in to your Admin page and the menu looks all out of sorts. Words and links are overlapping one another, some have disappeared entirely, and others are simply impossible to click.

What do you do? In reality, this isn’t an issue with WP at all, but with the browser you are viewing the dashboard in.

How to fix overlapping admin menu error:

Step 1: In Chrome, go to chrome://flags/#disable-slimming-paint.

Step 2: Enable the “Disable slimming paint” option.

Step 3: Make sure that nothing else that has to do with slimming paint is enabled, otherwise this will not work.

How to fix common WordPress programming problems

The White Screen of Death


This is both one of the most common problems among WordPress users and one of the most unsettling. To log into your site and see nothing but a blank screen, especially after all of the hard work you have put into your website, is nothing short of terrifying.

Much like the ‘ring of death’ that all XBOX players know of, the ominous ‘white screen of death’, which has quickly taken on the nickname ‘WSOD’, is rarely a good sign.

Fortunately, a white screen usually means a PHP fatal error in a plugin or theme (or an exhausted memory limit) rather than lost data, and it can be fixed as long as you know what you are looking for. Setting WP_DEBUG to true in wp-config.php, or reading the server’s PHP error log, will normally name the file that failed.

How to fix the WSOD:

Step 1: Isolate the problem. The WSOD is usually caused by a plugin, so let’s start there.

Step 2: Access the root of your WP installation via FTP, and go to /wp-content.

Step 3: Locate the “plugins” folder and rename it to something else, like “old_plugins”.

Step 4: Check to see if your site works. If it does, one of your plugins is at fault.

Step 5: Create a new, empty “plugins” folder and move the plugins back into it one at a time from “old_plugins”, checking the site after each one to find the plugin that causes the WSOD.

Step 6: Once found, delete the faulty plugin.

If no plugins appear to be at fault for your WSOD, I recommend that you check out the following helpful, more in depth tutorials:

4 Actionable Tips to Fix the White Screen of Death

How to Fix the White Screen of Death

7 Mistakes That Cause the White Screen of Death

Scheduled Maintenance Error


Your site says it is “Briefly unavailable for scheduled maintenance”. No big deal, right? You can just come back later. But what happens when you come back later and it is still down for maintenance? And again after that? This is one long break, huh?

WordPress writes a .maintenance file to the site root while an update runs and removes it when the update finishes. If the update is interrupted (a timeout, a lost connection, a fatal error in the plugin being updated), the file is left behind, leaving you with that obnoxious message and an inability to update your site.

How to fix scheduled maintenance error:

Step 1: Head into your blog’s base folder over FTP or SFTP. It’s the same folder that contains your wp-admin folder.

Step 2: You should see a .maintenance file in there (enable “show hidden files” in your client if it is not visible). Delete it, and your problem is solved. If the interrupted update left the site broken, run it again from the dashboard.

How to fix common WordPress theme problems

Theme Install Failed


Installing a new theme for your site can often feel like opening presents on your birthday. Because of this, there are few things worse than opening your ‘present’ and seeing that pesky ‘Theme Installation failed’ screen with the error ‘The theme is missing the style.css stylesheet’ on the screen.

Although your first instinct may be that you’ve been duped, that usually isn’t the case. WordPress needs style.css at the top level of the zip you upload. Theme vendors often ship a bundle (documentation, demo content and the installable theme inside a sub-folder or a second zip), and uploading that bundle as-is triggers the error.

How to fix “Stylesheet” error:

Step 1: Locate the theme zip on your desktop, unzip it, and open the folder.

Step 2: Find the folder that contains style.css (and usually index.php) and zip that folder on its own.

Step 3: Upload the new zip via Appearance > Themes > Add New, OR upload the unzipped theme folder to wp-content/themes via FTP.

This fix seems very straightforward, but if you need some more guidance you can check out any of these links:

Theme is missing the style.css stylesheet error

Solving Broken Theme Issues

How to get rid of ‘Stylesheet is missing’ error

Theme Doesn’t Look Like Demo


In a perfect world, every theme homepage looks exactly like its demo, and there is never any confusion in installation. Unfortunately, we don’t live in a perfect world. Themes are fickle little things, and one accidental click of your mouse can change the entire look of a theme you just spent your good, hard earned money on.

More often than not, these issues come down to the front page setting rather than to the theme itself, so it’s an easy fix.

How to fix theme demo problems:

Step 1: Go to the ‘Template’ option under ‘Page Attributes’ and look to see if there is a Home or Homepage template option.

Step 2: If so, create a page using this template.

Step 3: Go to Settings > Reading, choose “A static page” for the front page, and select the page you just created.

A few helpful links:

How to create a static front page

The Beginner’s Guide to Setting Static Front Pages in WordPress

How to Create a Regular Static Website Using WordPress with Optional Blog

Sidebar Below Content Error


This is a weird one to get, but also incredibly common. You may think that your theme is completely ruined and there is no salvaging it, but that’s not the case. It’s usually a simple HTML or CSS error in your theme, like an unclosed div element somewhere.

Think about what you’ve added to your theme recently. If there is a plugin or some other HTML change, the fix is going to be an easy one.

How to fix sidebar error:

Step 1: Run the page through the W3C Markup Validator to see whether a broken HTML element is the cause of the error.

Step 2: Chances are that it is. Once you see where the problem lies, you can go about changing it. This is the easiest way to go about fixing it.

If your HTML isn’t the issue and the validator returns no errors, you probably have a width problem: the content width plus the sidebar width (plus any margins, padding and borders) exceeds the width of their container, so the sidebar wraps below. For help in fixing this, check out this link:

Sidebar jumping below content

How to fix common WordPress SEO problems

Ugly, Long Permalink URLs


Here’s the thing about WordPress: despite the fact that it is used by so many bloggers around the globe, many WP-run sites still aren’t search friendly. This not only hurts their chances of being seen by a new audience, but it’s extremely harmful to their SEO results.

Fortunately, this can easily be remedied so long as the site owner uses keywords in their permalink structure.

How to fix the search friendly default error:

Step 1: In your WP Admin panel go to Settings, then select Permalinks.

Step 2: Scroll to the Custom Structure text box and enter the following EXACTLY (without the quotation marks, of course): “/%category%/%postname%/%post_id%/”. Each tag must be wrapped in percent signs on both sides, or WordPress treats it as literal text.

For more detailed information on permalinks, including what they do and how they work, check out the following post:

Using Permalinks

Improper Meta and/or H1 Tags Error


Believe it or not, you need a unique title and meta description for every single page on your website. EVERY SINGLE ONE. This includes blog post titles, descriptions and, if you use them, keywords. If pages share the same title and description, search engines treat them as duplicates and rank them down.

There are a few ‘basic’ rules of thumb you can stick to in order to make sure your pages pass the search engines’ guidelines, and we’ll talk about them here.

How to fix improper meta and H1 error:

Step 1: Use 5 to 7 words for a title, a 3 to 4 word keyword phrase, and keep the description short enough not to be cut off in search results (roughly 155 characters). Use a single H1 per page, normally the post title. If you stick to these guidelines, you should be safe.

Step 2: Download the All In One SEO Pack plugin, as it is extremely helpful with SEO on WordPress.

How to fix common WordPress server/hosting problems

Memory Size Exhausted Error


Is there anything worse than getting a memory error when you’re trying to work on your website? No, probably not.

This error usually pops up when a PHP script needs more memory than its allotted limit. It could be for a number of reasons, ranging from too many plugins to a memory-hungry theme. Whatever the case, you need to be able to increase the memory available to your site if you want it to be accessible and error free.

How to increase PHP memory in .htaccess:

Step 1: Open your .htaccess file and add the following line to it: “php_value memory_limit 64M”.

Step 2: If you are running 32M, try changing it to 64M. If you are already running 64M, try 128M.

A caveat: php_value directives only work when PHP runs as an Apache module (mod_php). On hosts that run PHP as FastCGI or PHP-FPM, which is most of them nowadays, the line is an unknown directive and turns the whole site into a 500 error, so if that happens remove it again. On those hosts set the limit in php.ini (or a .user.ini file in the site root) instead, or raise WordPress’s own WP_MEMORY_LIMIT constant in wp-config.php. Because a lot of this depends on the method you use, I will leave a few helpful tutorials here:

How to Increase Your PHP Memory Limit

Increase PHP Memory

How to Fix Allowed Memory Size Exhausted Error in WordPress

Error Establishing A Database Connection


There is no single cause for this error. It could be because your database credentials were changed, but it could also be because the database server is down.

Most often, it’s some kind of server error.

How to fix database connection error:

Step 1: Open /wp-admin and see whether you get the same error there that you get on the public site.

Step 2: If you are getting the same error message, there is most likely a problem with the database server. I recommend contacting your host. They are better equipped than anyone to figure out what’s going on, and if it’s something they can fix they’ll let you know.

Step 3: If you are getting a different error message in wp-admin (for example that a table is missing), you may need to repair your database. WordPress has a built-in repair page that you enable temporarily with the WP_ALLOW_REPAIR constant in wp-config.php; remove the constant again afterwards, because the page needs no login.

This is a very complicated issue with a lot of variables, so I don’t suggest doing anything without talking to your host first. That being said, if you want to try your hand at figuring this out on your own, you can check out any of these tutorials:
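Before calling anyone, it helps to know which of the three cases you are in. The following diagnostic, added as an example and not code from the original article, reads the credentials out of wp-config.php, tries to connect with them, and turns the MySQL error code into a plain answer. It assumes it is placed in the WordPress root, run once (from the command line or the browser) and then deleted, since it handles the database password.

```php
<?php
// db-check.php: tell "wrong credentials" apart from "database server down".
// Added example, not code from the original article. Assumes it is placed in
// the WordPress root, run once (php db-check.php, or in the browser), and then
// deleted: it reads the database password out of wp-config.php.

// Pull DB_NAME, DB_USER, DB_PASSWORD, DB_HOST and $table_prefix out of
// wp-config.php without including it (including it would boot WordPress).
function read_db_config(string $wp_config_path): array {
    $source = (string) file_get_contents($wp_config_path);
    $values = ['prefix' => 'wp_'];
    foreach (['DB_NAME', 'DB_USER', 'DB_PASSWORD', 'DB_HOST'] as $constant) {
        if (preg_match('/define\(\s*[\'"]' . $constant . '[\'"]\s*,\s*[\'"]([^\'"]*)[\'"]\s*\)/', $source, $m)) {
            $values[$constant] = $m[1];
        }
    }
    if (preg_match('/\$table_prefix\s*=\s*[\'"]([^\'"]*)[\'"]/', $source, $m)) {
        $values['prefix'] = $m[1];
    }
    return $values;
}

function diagnose(array $db): string {
    foreach (['DB_NAME', 'DB_USER', 'DB_PASSWORD', 'DB_HOST'] as $constant) {
        if (!isset($db[$constant])) {
            return "{$constant} is not defined in wp-config.php";
        }
    }
    mysqli_report(MYSQLI_REPORT_OFF);          // we want error codes, not exceptions
    $host = $db['DB_HOST'];
    $port = 3306;
    if (strpos($host, ':') !== false) {        // wp-config allows "host:port"
        [$host, $port] = explode(':', $host, 2);
        $port = (int) $port;
    }
    $link = @mysqli_connect($host, $db['DB_USER'], $db['DB_PASSWORD'], $db['DB_NAME'], $port);
    if ($link === false) {
        switch (mysqli_connect_errno()) {
            case 2002:   // unix socket
            case 2003:   // tcp
                return 'database server unreachable (' . mysqli_connect_error() . '): host-side, call your host';
            case 1045:
                return 'access denied: DB_USER/DB_PASSWORD in wp-config.php no longer match the MySQL account';
            case 1049:
                return 'unknown database: DB_NAME in wp-config.php is wrong, or the database was dropped';
            default:
                return 'connect failed: ' . mysqli_connect_errno() . ' ' . mysqli_connect_error();
        }
    }
    // Credentials work; now confirm the core table WordPress reads first exists.
    $table  = mysqli_real_escape_string($link, $db['prefix'] . 'options');
    $result = mysqli_query($link, "SHOW TABLES LIKE '{$table}'");
    if ($result === false || mysqli_num_rows($result) === 0) {
        return "connected, but {$table} is missing: add define('WP_ALLOW_REPAIR', true); to wp-config.php, "
             . 'open /wp-admin/maint/repair.php, then remove the define again';
    }
    return 'connection and core table OK: the error is elsewhere (plugins, memory limit, .htaccess)';
}

header('Content-Type: text/plain');
echo diagnose(read_db_config(__DIR__ . '/wp-config.php')), "\n";
```

“Unreachable” is your host’s problem; “access denied” and “unknown database” are yours (a changed password or a renamed database that wp-config.php does not know about yet); a missing options table is the case where the repair page is the right tool.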

How to Fix the Error Establishing a Database Connection in WordPress

How To Fix “Error Establishing A Database Connection” In WordPress

Fixing The Dreaded ‘Error Establishing a Database Connection’ in WordPress

How to fix common WordPress security issues

Internal Server Error


Just about every single internet user on planet Earth has come across an Internal Server Error at one point or another. Unfortunately, their frequency doesn’t make them any less annoying, and it definitely doesn’t make a site maintainer’s life any easier.

These pesky errors can deter people from going to your site and cost you valuable visits, but it’s actually a very easy fix once you know what to look for.

How to fix internal server errors:

Step 1: Log in to your site using FTP and rename your .htaccess file to something else, like htaccess_old. Once renamed, try reloading your site.

Step 2: If this works, your .htaccess file was corrupt. Look through the old copy before discarding it: redirects or security rules you added on purpose will need to be put back by hand.

Step 3: Go to your Settings page in your Admin screen, then click Permalinks.

Step 4: Click Save Changes without altering anything. This makes WordPress write a fresh .htaccess file for you and fixes the issue.

If your .htaccess file is not the issue, there is a good chance that it’s either a problem with your plugins or your PHP memory limit; the server’s error log will name the real cause, because a 500 page deliberately hides it from visitors. To see how to fix these issues, check out any of these tutorials:

How to Fix the Internal Server Error in WordPress

The Ultimate Guide to Solving Internal Server Errors in WordPress

Fixing The 500 Internal Server Error in WordPress

Broken Links Error


Have you ever clicked a link on your website and had it take you to a broken link instead of where it’s supposed to go? This can be confusing, time consuming, and downright frustrating if you can’t figure out why your link won’t go where it’s supposed to, even after you check and double check that the URL is correct.

Don’t worry, it’s usually an easy fix that’ll have your website running smoothly in no time.

How to fix broken link error:

Step 1: Double check your URL. I know “wordpress.com” looks correct, but that’s not TECHNICALLY a complete URL, is it? Make sure that your URLs start with the scheme, “https://” (or “http://”), before the domain name; otherwise WordPress treats the link as a path relative to the current page, and it ends up pointing at something like yoursite.com/post/wordpress.com. Believe it or not, it does make a difference.

Step 2: Check to make sure the site you are linking to does in fact still work. You can easily manually plug the site into your own address bar to check. If it does, you probably typed the URL incorrectly into the WP link bar. If it doesn’t, the website is down and no amount of trying on your end is going to fix it.

Step 3: Consider downloading Broken Link Checker, a link checking plugin for WordPress. It will save you a headache in the long run.

If you want to fix or remove broken links from your WordPress site without installing yet another plugin, check out this helpful tutorial on how you can do so:

Fix Broken Links

How to fix your site if it was Hacked


Getting hacked is every website owner’s worst nightmare. I wish I could say that it never happens, but that would be a blatant lie. The truth is that as soon as you become a presence on the world wide web, you become a target for attackers and their malicious activity. Whether your site is being used to spam with useless information or you are the victim of malware doesn’t necessarily matter: the attacks hurt your site and its reputation all the same.

As a matter of fact, according to Forbes, nearly 30,000 websites were being infected with malware every day in 2013. By 2015, we learned that nearly 1 million new malware threats were released on a daily basis.

Let that sink in for a second or two.

Daily. Basis.

Way back in 2011, in a survey by ComputerWorld, it was estimated that 90% of businesses had been hacked at one point or another.

Five years later, I don’t think those numbers have changed all too much. If anything, they may have increased.

Just a few days ago, the Armscor website was hacked by the well known group that refers to itself as Anonymous. Thanks to the hack, over 64MB of data was leaked to the public.

If it can happen to them, it can happen to anyone.

As safe as WordPress core is, and as hard as the WordPress developers try to keep their users protected, there is no way to completely protect a site from vulnerabilities.

WordPress plugins account for more than half of the WordPress vulnerability count, at 54%. That’s a scary thought.

Although you can never know for sure just what caused a hack without investigating, you can familiarize yourself with the most common techniques and take steps to prevent them from happening to you.

These are the steps you need to take today to recover a hacked site and keep it from being hacked again.

Step 1: Identify the problem

Before you can begin to fix the issue, you need to know exactly what is going on with your hacked site. Can you still log in to your site? Is it being spammed with irrelevant links? Is Google saying your site is insecure? Try to find out as much information as you possibly can, as this will be helpful with your next step.

Step 2: Change your passwords and contact your host


If your site is on a hosting company’s servers, it’s always a good idea to go to them first and foremost. They deal with this sort of thing all the time, and their knowledge will probably far exceed yours.

Tell them all that you have been able to figure out on your own and get their advice. More often than not, they will be more than willing to help you out.

It is EXTREMELY important that you change your passwords immediately: not only your WordPress login, but every other WordPress user’s, the hosting control panel, FTP/SFTP, and the database user (and update wp-config.php to match). You want the intrusion to stop, so cut the attacker off as soon as you find out that you have been attacked. If Users > All Users lists accounts you did not create, delete them.

Step 3: Restore a backup


This can be a frustrating step if you haven’t established a backup procedure prior to getting hacked. Luckily, a lot of hosts provide automatic backups (including WPEngine), so check with your web host if you don’t have a backup in place.

When a computer starts to fail, the standard advice is to restore it to a known good state. It really isn’t much different for your WordPress site. Once an attacker has been inside, restoring a backup from before the intrusion is the most reliable way to be sure every file they touched is gone.

If you have a backup plugin (one of the most popular on WP is Backup Buddy), all you have to do is restore to the last backup you have from before the attack. Two caveats: work out when the intrusion actually started (file modification times and the access log help), because a backup taken after that point contains the backdoor too; and a restore only puts the site back to a state that was hackable, so the outdated plugin or weak password that let the attacker in has to be fixed right after.

For some step by step help, check out this tutorial.

If you don’t have a backup program in place, or if you don’t want to risk losing posts you’ve made since your backup, this may not be the solution for you.

Step 4: Scan for Malware


Now it’s time to do some serious cleaning up. Start by deleting any and all inactive plugins and themes on your site. Chances are that this is where the attacker’s backdoor is hiding out, because nobody looks at code that isn’t in use.

For more information, check out this detailed tutorial on how to find the culprit. Next, lock down wp-config.php so it cannot be read through the web server, and stop the web server from executing PHP files inside wp-content/uploads, so this can’t happen again.

Once your files are secured, it’s time to run a malware scan. Sucuri Security is a highly recommended plugin. Scan from outside the site as well (your host’s scanner, or a fresh download of WordPress and your plugins compared file by file against what is on the server), because a scanner running inside a backdoored install can itself be tampered with.
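A starting point for that file review, added here as an example and not the article’s or Sucuri’s code: a scanner that walks wp-content and reports PHP files under uploads/ and files carrying the constructs obfuscated backdoors rely on. It assumes it is run from the WordPress root on the command line (php content-audit.php) with PHP 7.1 or later. Security plugins legitimately contain some of these strings in their own signature lists, so every hit is a lead to read, not a verdict.

```php
<?php
// content-audit.php: find the two places WordPress intruders usually leave
// something behind. Added example, not code from the original article; run it
// from the WordPress root (php content-audit.php) and review every hit.

const CONTENT_DIR = __DIR__ . '/wp-content';

// Constructs typical of obfuscated PHP backdoors. Legitimate plugins rarely
// feed base64_decode()/gzinflate() output into eval() or call a function
// whose name arrives in the request.
const SUSPICIOUS = [
    '/eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(/i',
    '/preg_replace\s*\(\s*[\'"][^\'"]*\/[a-z]*e[a-z]*[\'"]/i',    // /e modifier executes the replacement
    '/\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(/',             // $_GET['x']() variable function call
    '/(assert|create_function|system|passthru|shell_exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)/i',
];

function audit(string $root): array {
    $findings = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $path   = $file->getPathname();
        $is_php = preg_match('/\.(php|phtml|php[3-7])$/i', $path) === 1;

        // 1. Any PHP file under uploads/ is wrong: that tree should hold media
        //    only, and the web server should refuse to execute there anyway.
        if ($is_php && strpos($path, DIRECTORY_SEPARATOR . 'uploads' . DIRECTORY_SEPARATOR) !== false) {
            $findings[] = ['php-in-uploads', $path];
            continue;
        }
        if (!$is_php || $file->getSize() > 2 * 1024 * 1024) {
            continue;   // non-PHP and very large files are skipped
        }
        $code = (string) file_get_contents($path);
        foreach (SUSPICIOUS as $pattern) {
            if (preg_match($pattern, $code)) {
                $findings[] = ['suspicious-code', $path];
                break;
            }
        }
        // 2. Long base64 blobs are how droppers carry their second stage.
        if (preg_match('/[A-Za-z0-9+\/]{400,}={0,2}/', $code)) {
            $findings[] = ['large-base64-blob', $path];
        }
    }
    return $findings;
}

foreach (audit(CONTENT_DIR) as [$kind, $path]) {
    printf("%-18s %s\n", $kind, $path);
}
```

Sort the output by modification time (ls -lt on the flagged paths) and read the newest files first; a backdoor dropped last week stands out against plugin files that have not changed since they were installed.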

Step 5: Change your secret keys


Here’s the thing: even if you change your password, the attacker stays logged in until you change your secret keys, because the login cookies WordPress issued are still valid. Those cookies are signed with the keys and salts in wp-config.php, so generating a new set invalidates every existing login at once, including the intruder’s. (Since WordPress 4.1 there is also a “Log Out Everywhere Else” button on your profile page, but it only ends your own account’s other sessions, not those of another account the attacker may hold.)

To do this, fetch a fresh set from the WordPress key generator at https://api.wordpress.org/secret-key/1.1/salt/ and replace the eight define() lines in wp-config.php with the new ones.
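The same rotation done locally, added as an example and not code from the original article or from WordPress: the new values come from PHP’s random_int() instead of the api.wordpress.org service, and the script rewrites the eight define() lines in place. It assumes it is run once from the WordPress root on the command line (php rotate-salts.php) and that the parent directory of the site root lies outside the web root, which is where it puts the backup copy with owner-only permissions.

```php
<?php
// rotate-salts.php: replace the eight WordPress keys and salts with fresh
// random values generated locally. Added example, not the article's or
// WordPress's code. Run once from the WordPress root, then delete it. Every
// logged-in session, including the intruder's, is invalid once the file is saved.

const SALT_CONSTANTS = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

// 64 printable characters; quotes, backslash and $ are left out so the value
// cannot break the single-quoted PHP literal it is written into.
function random_salt(int $length = 64): string {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#%^&*()-_=+[]{}:,.<>?~';
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];   // CSPRNG; rand()/mt_rand() are not
    }
    return $out;
}

// Returns the rewritten wp-config.php source and the names it could not find.
function rotate_salts(string $config_source): array {
    $missing = [];
    foreach (SALT_CONSTANTS as $name) {
        // Matches define('AUTH_KEY', '...'); with either quote style.
        $pattern  = '/define\(\s*[\'"]' . $name . '[\'"]\s*,\s*([\'"]).*?\1\s*\)\s*;/';
        $new_line = "define( '{$name}', '" . random_salt() . "' );";
        $config_source = preg_replace_callback(
            $pattern,
            function () use ($new_line) { return $new_line; },   // callback: no $1-style replacement surprises
            $config_source,
            1,
            $count
        );
        if ($count !== 1) {
            $missing[] = $name;
        }
    }
    return [$config_source, $missing];
}

$config_path = __DIR__ . '/wp-config.php';
[$rotated, $missing] = rotate_salts((string) file_get_contents($config_path));
if ($missing !== []) {
    fwrite(STDERR, 'Not found in wp-config.php: ' . implode(', ', $missing) . "\n");
    exit(1);
}

// Keep a copy outside the web root (assumed: the parent of the site root)
// with owner-only permissions, since it contains the database password.
$backup = dirname(__DIR__) . '/wp-config.php.bak';
copy($config_path, $backup);
chmod($backup, 0600);
file_put_contents($config_path, $rotated);
echo 'Rotated ', count(SALT_CONSTANTS), " keys and salts; previous config saved to {$backup}\n";
```

The script refuses to write anything if one of the eight constants is absent, so an older wp-config.php that never defined them all has to be completed by hand first. Expect to be logged out yourself the moment it finishes.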

Step 6: Update WordPress & change passwords (again)


Now that you’ve hopefully been able to remove the malware, prevent the attacker from getting back in, and secured your site a bit more, you’re almost done!

Make sure to update to the latest version of WordPress, and of every plugin and theme, so that you are able to stay more secure: as noted above, plugins are where most of the vulnerabilities are. I would also change my passwords one more time, just to make sure you’re starting off with a fresh, attacker-free slate.

Top 10 most common hacks you should familiarize yourself with:

1. SQL Injection


What is it? This technique is most often used to manipulate a website’s database and steal the usernames and password hashes stored in it. WordPress core guards against it, but plugins and themes that build their own queries are a common source of this bug, which makes it a legitimate risk for bloggers.

SQL injection preys on improper coding. Once SQL is injected through a login form, or any other input that ends up inside a query, the data can be read, logged, and manipulated to the attacker’s content. They then have near unlimited access to your site’s complete database.

See, most naive login checks build the query by pasting the username and password typed into the form straight into the SQL text, and the database decides whether the user can and should be logged in based on whether a matching row exists.

In an SQL injection, the attacker types a closing quote followed by something like OR 0=0 into the form, so the query the database actually runs says “allow users whose username is xx, or if 0 equals 0”.

No matter who you are or where you are from, 0 will always equal 0. I think we can all agree on that. So it’s no surprise that the attacker is granted access.

How can you fix it? Fixing these kinds of attacks is about as easy as removing all of the vulnerabilities in your website. If that seems like a simple task to you, then great! If it seems like something that could potentially make you want to rip the hair out of your head, don’t worry.

In doing some research on the subject, I noticed that the most common practice to rid yourself of this vulnerability is to head over to your .htaccess file in WordPress and add a few lines of code that reject requests whose query string contains typical injection fragments.

If you are uncertain as to how to find your .htaccess file, look here.

These rules stop the most obvious payloads before they reach PHP, but be clear about what they are: a filter, not a fix. Attackers can encode around a pattern list, and the rules do nothing for data sent in a POST body. The real fix is in the code: every query must pass user input as a bound parameter (in WordPress, through $wpdb->prepare()), and plugins that don’t must be updated or removed.

The code was written originally by eSecurityPlanet.
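The bypass described above, written out as running code so the two queries can be compared. This is an added example, not code from the original article or from the eSecurityPlanet snippet; it uses an in-memory SQLite database through PDO (so it needs PHP’s pdo_sqlite extension, which most builds include), and the tables, users, passwords and the injected input are all constructed for the demonstration.

```php
<?php
// sqli-demo.php: the login-form bypass, vulnerable and fixed side by side.
// Added example, not the article's code. Everything below (tables, users,
// passwords, attacker input) is constructed; it runs offline on pdo_sqlite.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Legacy table: plaintext passwords compared inside the query (both mistakes
// the vulnerable login makes).
$db->exec('CREATE TABLE legacy_users (username TEXT, password TEXT)');
$db->exec("INSERT INTO legacy_users VALUES ('admin', 'hunter2'), ('editor', 'letmein')");

// Fixed table: only password hashes are stored.
$db->exec('CREATE TABLE users (username TEXT, password_hash TEXT)');
$insert = $db->prepare('INSERT INTO users VALUES (:u, :h)');
foreach (['admin' => 'hunter2', 'editor' => 'letmein'] as $username => $password) {
    $insert->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// The "improper coding": form input is pasted straight into the SQL text.
function login_vulnerable(PDO $db, string $user, string $pass): ?string {
    $sql = "SELECT username FROM legacy_users WHERE username = '$user' AND password = '$pass'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['username'] : null;
}

// Fixed: the SQL text is constant and the value travels as a bound parameter
// (the same separation $wpdb->prepare() gives you inside WordPress), and the
// password is verified in PHP against a hash, never compared by the database.
function login_safe(PDO $db, string $user, string $pass): ?string {
    $stmt = $db->prepare('SELECT username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return ($row && password_verify($pass, $row['password_hash'])) ? $row['username'] : null;
}

// "OR 0=0" makes the WHERE clause true for every row, and "-- " comments out
// whatever followed, so the quote that closed the original literal is ignored.
$injected = "x' OR 0=0 -- ";

printf("vulnerable, real password    : %s\n", login_vulnerable($db, 'admin', 'hunter2') ?? 'denied');   // admin
printf("vulnerable, injected password: %s\n", login_vulnerable($db, 'nobody', $injected) ?? 'denied');  // admin
printf("safe, real password          : %s\n", login_safe($db, 'admin', 'hunter2') ?? 'denied');         // admin
printf("safe, injected password      : %s\n", login_safe($db, 'nobody', $injected) ?? 'denied');        // denied
```

Note what the injected run returns: not just “logged in” but the first user in the table, which on most sites is the administrator. With the bound parameter the same input is just a username nobody has.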

2. File Inclusion

What is it? Two variants are included in this vulnerability: local and remote.

Local file inclusion, usually referred to as LFI, is a vulnerability in which local files (files already on the server) are pulled into a script because user-supplied input is used, without validation, to decide which file to include.

Remote file inclusion, or RFI, is similar in nature, but the included file is fetched from another server entirely. These vulnerabilities are most often found in PHP, notably around the include and require statements. More often than not, attackers take advantage of novice site owners who don’t recognize the full capability of those statements, and use that to get malicious code included through the variable.

For example, let’s say that a site has two photo pages: kittens and puppies. The script picks which page to include from a parameter in the URL, building the file name from whatever the visitor sends.

The site owner intends those two pages to be the only options, and includes them from a PHP file. The problem arises because the visitor, not the owner, controls the value.

Why, you ask?

A single changed parameter, such as a path that walks up out of the intended directory with ../, or (when the server allows URL includes) the address of a file hosted elsewhere, makes that PHP file include a file containing malicious code. That’s all it takes.

How can you fix it? It may seem like a tedious task, but that’s because it is. The only way to completely guarantee that all local and remote file inclusion is held at bay is to never let user input reach include or require as a path.

What does this mean exactly? Treat the input as a key, not a file name: keep a fixed list of the pages you intend to serve and look the request up in it, refusing anything that isn’t on the list. If you must accept a file name, allow only letters and numbers, A through Z and 0 through 9; any slashes, dots, or other symbols should be rejected outright rather than stripped.

Then, to prevent directory traversal, resolve the final path and refuse to include anything that is not inside the one directory you intend to serve from. Make sure allow_url_include is off in php.ini (it is off by default), which disables remote inclusion altogether.
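The kittens/puppies switcher as running code, vulnerable and then hardened, added as an example and not code from the original article: it creates its own three small pages in a temporary directory so it runs offline, with the “secret” file standing in for anything outside the intended folder (wp-config.php, /etc/passwd). The directory name and page contents are constructed for the demo.

```php
<?php
// lfi-demo.php: the kittens/puppies page switcher, first the way that creates
// a file inclusion hole, then with an allowlist. Added example, not the
// article's code. Creates its own pages in a temp directory so it runs offline.

$base = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir($base . '/pages', 0700, true);
file_put_contents($base . '/pages/kittens.php', '<?php return "kittens page";');
file_put_contents($base . '/pages/puppies.php', '<?php return "puppies page";');
file_put_contents($base . '/secret.php', '<?php return "DB_PASSWORD=s3cr3t";');   // stands in for wp-config.php

// Vulnerable: the request parameter chooses the file. "../secret" walks out of
// /pages and includes something the author never meant to expose. With
// allow_url_include=On the same line would fetch http://attacker/... (RFI).
function show_page_vulnerable(string $pages_dir, string $requested): string {
    return include $pages_dir . '/' . $requested . '.php';
}

// Fixed: the parameter is a key into a fixed map, never a path fragment, and
// the resolved file must still live inside the pages directory.
function show_page_safe(string $pages_dir, string $requested):string {
    $pages = ['kittens' => 'kittens.php', 'puppies' => 'puppies.php'];
    if (!isset($pages[$requested])) {
        return 'unknown page';
    }
    $real = realpath($pages_dir . '/' . $pages[$requested]);
    $root = realpath($pages_dir) . DIRECTORY_SEPARATOR;
    if ($real === false || strpos($real, $root) !== 0) {
        return 'refused';   // defence in depth: never include outside $root
    }
    return include $real;
}

$pages = $base . '/pages';
echo show_page_vulnerable($pages, 'kittens'), "\n";     // kittens page
echo show_page_vulnerable($pages, '../secret'), "\n";   // DB_PASSWORD=s3cr3t  <- the hole
echo show_page_safe($pages, 'puppies'), "\n";           // puppies page
echo show_page_safe($pages, '../secret'), "\n";         // unknown page

// Remove the constructed files.
array_map('unlink', glob($base . '/pages/*.php'));
unlink($base . '/secret.php');
rmdir($base . '/pages');
rmdir($base);
```

The allowlist alone already stops the traversal; the realpath check is there for the day someone extends the map with a value they did not fully control.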

3. Brute force attacks


What is it? Just about the most common form of attack is the brute force attack. It more or less means that attackers keep trying to log in to an account with password after password until one works. By spreading the attempts across many proxies, they also avoid that dreaded “you have attempted to log in too many times” screen that we’re all so reluctantly familiar with, whenever the lockout is keyed to the IP address alone.

Let’s pretend for a moment that I want to hack Brad Pitt’s WordPress site, but all I have is his username ‘bpitt’. Perhaps I will first try the names of his wife and children. Then some of his popular movies. Then his mother’s name. Once I run out of options (or if I know nothing about Brad at all), I may even enlist the help of a password list.

These text files, created by hackers and shared among one another on popular hacking forums, include thousands of popular passwords all compiled together. With proxy in place, a program can run the .txt file until it finds a password match.

Once it does, I have cracked into Brad’s account.

How can you fix it? Fixing it is pretty darn easy, and takes no longer than five minutes. Change your password and don’t make it so easy! Although you may have originally believed that “coffee” was a difficult password to guess, it isn’t half as difficult as it should be.

Change your password to something long and random: a password manager will generate and remember it for you. If you write it yourself, make it a long passphrase rather than a short word with decorations. People are far more likely to guess “angelina” as Brad’s password than “AngelinA993!”, true, but that style of capital-letter, digits and symbol substitution is exactly what the wordlists contain too. Then turn on two-factor authentication and a login rate limiter (plugins exist for both), so that even a good guess list runs out of attempts.
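A login throttle that keys on the account as well as on the source address, added as an example and not code from the original article (WordPress itself has no lockout built in; plugins add one). The attempt store is an in-memory array so it runs offline, which makes it per-process; a real deployment keeps the counters somewhere shared by all web workers, such as a database table or WordPress transients. The wordlist and addresses are constructed. Requires PHP 8.0 or later.

```php
<?php
// login-throttle.php: per-account and per-source rate limiting for a login
// form. Added example, not the article's code. The attempt store is an array
// here so it runs offline; in production it would be a shared table or cache.

final class LoginThrottle {
    private array $failures = [];      // key => [count, timestamp of last failure]

    public function __construct(
        private int $max_attempts = 5,
        private int $base_delay   = 60   // seconds; doubles with each extra failure
    ) {}

    // The lock applies to the account AND to the source address: proxies
    // rotate the IP, but the attacker still has to name the account each time.
    private function keys(string $username, string $ip): array {
        return ['user:' . strtolower($username), 'ip:' . $ip];
    }

    public function is_blocked(string $username, string $ip, int $now): bool {
        foreach ($this->keys($username, $ip) as $key) {
            if (!isset($this->failures[$key])) {
                continue;
            }
            [$count, $last] = $this->failures[$key];
            if ($count >= $this->max_attempts) {
                $over  = $count - $this->max_attempts;
                $delay = $this->base_delay * (2 ** min($over, 10));   // capped near 17 hours
                if ($now < $last + $delay) {
                    return true;
                }
            }
        }
        return false;
    }

    public function record_failure(string $username, string $ip, int $now): void {
        foreach ($this->keys($username, $ip) as $key) {
            $count = ($this->failures[$key][0] ?? 0) + 1;
            $this->failures[$key] = [$count, $now];
        }
    }

    public function record_success(string $username, string $ip): void {
        foreach ($this->keys($username, $ip) as $key) {
            unset($this->failures[$key]);
        }
    }
}

// Constructed demo: a wordlist run against "bpitt" from rotating addresses.
$throttle = new LoginThrottle();
$wordlist = ['angelina', 'shiloh', 'maddox', 'fightclub', 'jane', 'coffee', 'AngelinA993!'];
$t = 1_700_000_000;
foreach ($wordlist as $i => $guess) {
    $ip = '203.0.113.' . ($i + 1);                  // a fresh proxy for every guess
    if ($throttle->is_blocked('bpitt', $ip, $t + $i)) {
        echo 'attempt ', $i + 1, " ({$guess}): blocked before the password is even checked\n";
        continue;
    }
    $throttle->record_failure('bpitt', $ip, $t + $i);
    echo 'attempt ', $i + 1, " ({$guess}): rejected\n";
}
```

The first five guesses are rejected normally; from the sixth on the account is locked for a minute, then two, then four, regardless of which address the guess comes from. Keying on the account does mean an attacker can lock a victim out on purpose, which is why the delay grows instead of becoming permanent, and why the owner should still get a notification.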

4. DoS attack


What is it? A DoS attack, better known as a “denial of service” attack, occurs when an attacker bombards a website with far more requests than it can serve in a short amount of time. These requests use up all the bandwidth and resources of the server, leaving the site with nothing to run on. In turn, the site’s services are suspended and the site goes down.

There are several different attack techniques, though most are distributed (a DDoS), meaning the traffic comes from more than one IP source. Typically it comes from hundreds, if not thousands, of IP addresses and completely overloads the site in a matter of mere minutes.

Think of these attacks as a Black Friday sale. Hundreds of people gather around one door and wait anxiously to get out of the cold and into the toy store. As soon as the doors open, all 400 people run inside at once. The result is chaos, stampeding, and unrest. That’s essentially what a DoS attack is, simply in the cyber world.

How can you fix it? Your very first step should always be to call your hosting provider and let them know that your website is under attack. Their data centers have much higher bandwidth than you do, and they will be able to handle the attack with more ease and experience. Always do exactly what they tell you to do, as their first priority is to stop the attack. If you don’t have your hosting provider’s support phone number, make sure you get it BEFORE this happens, as every minute is valuable time. Putting the site behind a CDN or a DDoS-absorbing proxy service ahead of time, so that attack traffic never reaches your server directly, is the one precaution you can take yourself.

5. Cross Site Scripting


What is it? This vulnerability, more frequently referred to as XSS, lets attackers inject scripts into web pages they shouldn’t have any control over, so that the script runs in other visitors’ browsers with the trust of your site.

Because the script runs as part of your page, it can read your visitors’ cookies and session, perform actions as them, or rewrite the page they see, turning a link on your site into one that leads somewhere malicious.

For example, if I have a website about all different kinds of flowers and it echoes a search term or a comment back into the page unfiltered, someone can craft a URL to my site that carries a script in that parameter. They will lure someone in with the promise of tulips or some other flower, and the script hidden in the URL runs the moment my page loads. Site users click the link, thinking they are getting information about tulips, and are instead sent, session and all, to the attacker’s URL.

How can you fix it? Far and away the simplest way to protect yourself from XSS attacks is to encode everything you output and to filter anything that must be allowed to contain HTML. Encoding turns the characters that start tags and attributes into harmless text; filtering removes dangerous tags, event attributes, CSS styles, and JavaScript URLs that could lead to this sort of attack. WordPress ships its own functions for this (esc_html, esc_attr, esc_url, and wp_kses for allowed HTML), and a plugin or theme that echoes user input without them is where the bug usually lives.

You can either filter your material on your own, or use a library to help you along. If you use Java, you may want to consider XSS Protect, which is hosted on Google Code. It promises to filter all known XSS attacks from code. There is also HTML Purifier, which is another great option for PHP.

Unfortunately, there is no guarantee that safe text won’t be removed because it includes a questionable tag or keyword. There is no way to avoid this without doing your removals manually and using your own discretion.

For a complete guide on how to remove and prevent particularly nasty XSS attacks, check out this in depth tutorial by Acunetix.
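The filtering idea above, as an added example that is not from the article, Acunetix, or either library: the “flower site” scenario rendered first the vulnerable way and then with contextual output encoding in plain PHP. The sample input is constructed; the function names are mine. Inside a WordPress theme or plugin the equivalent helpers are `esc_html()`, `esc_attr()`, `esc_url()` and `wp_kses_post()` (the last one keeps a safe subset of HTML, the same job HTML Purifier does).

```php
<?php
// Added example, not the article's code: contextual output encoding for the
// "flower site" scenario. Plain PHP so it runs anywhere; in WordPress use
// esc_html(), esc_attr(), esc_url() and wp_kses_post() instead.

// Constructed attacker-controlled input, as it might arrive in $_GET.
$flowerName = 'tulips<script>alert("xss")</script>';
$moreLink   = 'javascript:alert(document.cookie)';

// BEFORE: untrusted values are written straight into the page markup.
function renderVulnerable(string $name, string $link): string
{
    return "<h1>All about $name</h1>\n<a href=\"$link\">Read more</a>";
}

// Allow only absolute http(s) URLs in an href; anything else becomes a dead link.
// (Rejecting by scheme is what stops "javascript:" style links.)
function safeUrl(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '#';
    }
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// AFTER: encode for the HTML body context and validate the URL context.
// htmlspecialchars() turns < > & " ' into entities, so the injected
// <script> tag is displayed as text instead of being executed.
function renderSafe(string $name, string $link): string
{
    $safeName = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h1>All about $safeName</h1>\n<a href=\"" . safeUrl($link) . "\">Read more</a>";
}

echo renderVulnerable($flowerName, $moreLink), "\n\n"; // script tag reaches the browser
echo renderSafe($flowerName, $moreLink), "\n";         // literal text, link neutralised
```

The point a practitioner should take from this is that the encoding depends on where the value lands: body text, an attribute, a URL and a JavaScript string each need a different treatment, which is why a single “strip bad tags” pass (the caveat in the paragraph above) can both over-filter and under-filter.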

6. Cross-Site Request Forgery

What is it? Cross-site request forgery is a vulnerability that allows hackers to force site users to perform actions on the site without their knowledge or consent. Typically, the attacker will coax a victim to click a link or download a picture on the website while logged in to a secure session.

After that link has been clicked and/or the picture has been downloaded, the attacker has full access to do whatever he or she wants under the user’s account for the remainder of the session. This is particularly dangerous on sites that store credit card information and the like, so it is imperative that site maintainers find and remedy these vulnerabilities immediately as to prevent their users from distrusting them forever.

How can you fix it? Implement and include the use of tokens in a user’s session. These tokens are long random values that are extremely difficult to guess; one is generated when a user’s session begins and is tied only to that particular user’s session. The token is then included in each and every state-changing request the user makes, so the site can confirm that it is indeed that user doing the clicking on the website.

In order for the hacker to gain access to the session, they would have to know the token value of the hacked person’s session, which is near impossible to guess correctly.

For a complete tutorial on how to create tokens and add them to your site, check out this tutorial by WikiHow.
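The token scheme described above, as an added example (not the article’s or WikiHow’s code): a per-session anti-CSRF token in plain PHP, generated from the OS random source, embedded in the form, and checked with a constant-time comparison before any state-changing action runs. The form field name and function names are my choice. WordPress ships its own version of this idea as `wp_nonce_field()` / `wp_verify_nonce()`, which you should prefer inside WordPress.

```php
<?php
// Added example, not the article's code: a per-session anti-CSRF token.
// In WordPress use wp_nonce_field() / wp_verify_nonce() instead.

session_start();

// Create the token once per session; 32 bytes from the CSPRNG, hex encoded.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to drop into every form that changes state.
function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Valid only if a token exists for this session and the submitted one matches.
// hash_equals() compares in constant time so timing does not leak the value.
function csrfValid(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Handling a state-changing POST (e.g. "change e-mail address"):
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValid($_POST['csrf_token'] ?? null)) {
        // A forged cross-site request cannot carry the token, so it stops here.
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // ... perform the action for the logged-in user ...
}
?>
<form method="post" action="">
  <?= csrfField() ?>
  <input type="email" name="new_email">
  <button type="submit">Update</button>
</form>
```

Note that the check only protects requests that change something; read-only GET requests should never change state in the first place, otherwise a plain link or image tag is enough to trigger them.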

7. Unencrypted Protocols


What is it? Any time a protocol is unencrypted, you are leaving yourself and your users vulnerable to an attack from a hacker. They can take over your site and steal valuable information, such as usernames, passwords, and credit card information, in a matter of minutes.

How can you fix it? Make sure that you use Secure Sockets Layer, or SSL for short (its current versions are called TLS), which is the standard encryption technology for web traffic.

SSL provides an encrypted channel between the site and the user’s browser, so an attacker sitting on the network cannot read or alter what passes between them.
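As an added example (not the article’s code) of turning “use SSL” into something a server actually enforces: plain PHP that redirects any plain-HTTP request to its HTTPS twin and sets an HSTS header so the browser stays on HTTPS afterwards. `SITE_HOST` is an assumed value; the redirect uses it rather than the request’s own Host header so a client cannot steer the redirect elsewhere. It assumes PHP terminates TLS itself; behind a reverse proxy the `HTTPS` variable is usually absent and you have to trust the proxy’s forwarded-protocol header instead. In WordPress the usual switch is the `FORCE_SSL_ADMIN` constant in wp-config.php together with an https:// site URL.

```php
<?php
// Added example, not the article's code: force HTTPS and enable HSTS.
// Assumed host name; use your own site's canonical host.
const SITE_HOST = 'example.com';

// True when the current request arrived over TLS (PHP terminating TLS itself).
function isHttps(): bool
{
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

function enforceHttps(): void
{
    $path = $_SERVER['REQUEST_URI'] ?? '/';
    if (!isHttps()) {
        // Permanent redirect so browsers and crawlers remember the https URL.
        header('Location: https://' . SITE_HOST . $path, true, 301);
        exit;
    }
    // One year of HSTS: after this the browser refuses plain http to the host,
    // which also defeats the "first request over http" downgrade.
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
}

enforceHttps();
```

Call it before any output, at the top of the front controller, so the redirect happens before a login form or cookie can ever travel in the clear.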

8. Clickjacking

[Image: clickjacking illustration from Encoders.co.in]

What is it? Let’s take a look at the above picture, which I retrieved from Encoders.co.in. The user thinks they are posting a status to Twitter, but in reality they are clicking a link to a malicious site. More often than not, the user is typing on a transparent layer. They think they are seeing and clicking on a website, but they are actually clicking on an invisible layer on top of the website.

For example, let’s say that I believe I am entering my bank information. I enter my username and password, then click submit. In reality, there is an invisible layer and I have just provided my banking information to a third party site who now plans to use that information maliciously.

How can you fix it? Editing your .htaccess file to prevent clickjacking is entirely possible. There are three different options, all of which do three different things:

SAMEORIGIN will allow the page to be displayed in a frame only when the framing page has the same origin as the page itself.

ALLOW-FROM uri will allow the page to be displayed in a frame only by the specified origin.

DENY will prevent a page from displaying in a frame completely.

If you need to defend yourself from these attacks, enter the following code into your .htaccess file:

[Image: .htaccess snippet]
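The same three options, as an added example that is neither the article’s nor WordPress’s code: plain PHP that builds and sends the `X-Frame-Options` header for the chosen mode, alongside the `Content-Security-Policy: frame-ancestors` directive that replaces it. The caveat worth knowing is that current browsers ignore `ALLOW-FROM`; the CSP directive is the way to allow a specific foreign origin. Function names are mine. In WordPress you would call `sendAntiClickjackingHeaders()` from a plugin hooked to the `send_headers` action.

```php
<?php
// Added example, not the article's code: anti-clickjacking response headers.

// Header value for the three X-Frame-Options modes described in the text.
function frameOptionsValue(string $mode, ?string $origin = null): string
{
    switch (strtoupper($mode)) {
        case 'DENY':
            return 'DENY';
        case 'SAMEORIGIN':
            return 'SAMEORIGIN';
        case 'ALLOW-FROM':
            // Needs an absolute origin; note modern browsers ignore this mode.
            if ($origin === null || filter_var($origin, FILTER_VALIDATE_URL) === false) {
                throw new InvalidArgumentException('ALLOW-FROM needs a valid absolute origin URL');
            }
            return 'ALLOW-FROM ' . $origin;
        default:
            throw new InvalidArgumentException("Unknown X-Frame-Options mode: $mode");
    }
}

// CSP equivalent: 'none' == DENY, 'self' == SAMEORIGIN, a host == ALLOW-FROM.
function frameAncestorsValue(string $mode, ?string $origin = null): string
{
    switch (strtoupper($mode)) {
        case 'DENY':
            return "frame-ancestors 'none'";
        case 'SAMEORIGIN':
            return "frame-ancestors 'self'";
        case 'ALLOW-FROM':
            if ($origin === null || filter_var($origin, FILTER_VALIDATE_URL) === false) {
                throw new InvalidArgumentException('frame-ancestors needs a valid origin URL');
            }
            return 'frame-ancestors ' . $origin;
        default:
            throw new InvalidArgumentException("Unknown mode: $mode");
    }
}

// Send both headers; older browsers honour X-Frame-Options, newer ones CSP.
// Must run before any output, like every header() call.
function sendAntiClickjackingHeaders(string $mode, ?string $origin = null): void
{
    header('X-Frame-Options: ' . frameOptionsValue($mode, $origin));
    header('Content-Security-Policy: ' . frameAncestorsValue($mode, $origin));
}

// Typical choice for a site that never needs to be embedded elsewhere:
sendAntiClickjackingHeaders('SAMEORIGIN');
```

If you would rather keep this in .htaccess as the text suggests, the Apache mod_headers form is `Header always set X-Frame-Options "SAMEORIGIN"`; whichever route you choose, check the live response with your browser’s network panel, because a header set in PHP is easily lost behind a caching layer.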

9. Broken authentication and session management


What is it? Authentication covers everything from managing active sessions to logging out. When session management and site authentication are compromised, an attacker can impersonate a legitimate user. All it takes is a site that logs out improperly for a broken authentication and session management vulnerability to turn into a real problem and cause a string of issues such as compromised usernames and passwords, session tokens, and site keys.

If you think about it, many sites already take precautions to prevent these attacks. How often are you idle for a few moments, then told that you must reauthenticate your session? That is to prevent these kinds of attacks from taking place.

How can you fix it? Once again, this comes down to password controls. Requiring that your users make more complex passwords can easily prevent this breach from occurring on your site. Furthermore, you can include various other password input methods, such as password change controls and storage to prevent hackers from getting their hands on a user’s valuable information. Plugins like WordPress Password Policy Manager will require that your WP users have a strong password with various “rules” implemented.
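The session hygiene this section is about, as an added example that is not the article’s or any plugin’s code: plain PHP showing a login that rotates the session ID, an idle timeout that forces re-authentication (the behaviour the paragraph above describes), a logout that really invalidates the session, and password storage with PHP’s built-in hashing. The timeout value and function names are my choices. WordPress handles its own cookies through `wp_set_auth_cookie()` and `wp_logout()`; this shows what correct behaviour looks like underneath.

```php
<?php
// Added example, not the article's code: session management done properly.

const IDLE_TIMEOUT_SECONDS = 15 * 60;   // assumed: re-authenticate after 15 min idle

// Cookie flags: HttpOnly keeps page script away from the session ID, Secure
// keeps it off plain HTTP, SameSite=Lax blunts cross-site request forgery.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Call after the password check succeeds. Rotating the session ID means a
// session an attacker planted before login does not become authenticated.
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']       = $userId;
    $_SESSION['last_activity'] = time();
}

// Returns the logged-in user's ID, or null when there is no valid session.
// An idle session is destroyed rather than silently extended.
function currentUser(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['last_activity'])) {
        return null;
    }
    if (time() - $_SESSION['last_activity'] > IDLE_TIMEOUT_SECONDS) {
        logoutUser();
        return null;
    }
    $_SESSION['last_activity'] = time();
    return $_SESSION['user_id'];
}

// A proper logout clears server-side state AND expires the cookie; merely
// redirecting to the home page leaves the session usable by anyone who has it.
function logoutUser(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Password controls: never store the plain text. password_hash() picks a
// salted, deliberately slow algorithm; password_verify() checks against it.
function storePassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

function checkPassword(string $plain, string $storedHash): bool
{
    return password_verify($plain, $storedHash);
}
```

Complexity rules from a plugin are only half of it: if the hash is weak or the session survives logout, a strong password does not help the user whose session cookie was captured.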

 

10. Remote code execution

What is it? Remote code execution is when a hacker gains access to a victim’s computing device and makes changes, regardless of the distance between them geographically. More often than not, the hacker will include malicious code into the victim’s website and take complete control by removing the victim’s privileges altogether.

How can you fix it? This is a very serious issue, as it not only affects the victim’s website but their entire computer. There are several steps that must be taken to counteract this problem, and I highly recommend that users who fear they may be suffering from an RCE attack head over to Symantec’s site and read up on their tips to remedy this.

 

Some Tutorials to help if you’ve been hacked:

FAQ: My site was hacked!

What to Do When Your WordPress Has Been Hacked

Step by Step Guide to Fixing Hacked WordPress Site

How To Recover A Hacked WordPress Site

Nothing is worse than having your site hacked. I’ve been there, and want to help you avoid this happening to you, and also help you fix your site if it was hacked. In addition to fixing a hacked site, in this guide we’re covering everything else that can go wrong on your WordPress site when it comes to speed, bugs, display issues, plugin issues and more.

© 2023 Wise Startup Blog LLC