Title: WordPress security? Last modified: August 20, 2016 --- # WordPress security? * [Kevin](https://wordpress.org/support/users/kevinkazoun/) * (@kevinkazoun) * [14 years, 3 months ago](https://wordpress.org/support/topic/wordpress-security-5/) * Hello, * Lately our website has been getting hacked A LOT. * I don’t really understand where I’m going wrong. * We use the latest version of WordPress * All file permissions are set to 644 and all folder permissions are set to 755. * We use the following security plugins: 6Scan AntiVirus BulletProof Security Secure WordPress Sucuri Scanner * They’ve all been configured to work correctly. * We’ve changed the database prefix * We’ve replaced the default admin username & password * We’ve run antivirus scans on all of our pc’s incase of a keylogger. * And still after all this, we’re still receiving base64 strings in our .php files( We did stop receiving Malware, so I guess our security has been upgraded slightly). * Some more solid tips on increasing security would be very much appreciated! Viewing 6 replies - 1 through 6 (of 6 total) * Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/) * (@jdembowski) * Forum Moderator and Brute Squad * [14 years, 3 months ago](https://wordpress.org/support/topic/wordpress-security-5/#post-2618672) * > Lately our website has been getting hacked A LOT. * That’s not good. * > All file permissions are set to 644 and all folder permissions are set to 755. > … > And still after all this, we’re still receiving base64 strings in our .php > files (We did stop receiving Malware, so I guess our security has been upgraded > slightly). * Give these a read. You may (probably are) still be infected and haven’t deloused your WordPress properly. * [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/) * [http://codex.wordpress.org/Hardening_WordPress](http://codex.wordpress.org/Hardening_WordPress) * [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked) [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779) [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/) [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/) * Good luck. * [rwilki](https://wordpress.org/support/users/rwilki/) * (@rwilki) * [14 years, 3 months ago](https://wordpress.org/support/topic/wordpress-security-5/#post-2618777) * sounds like “they’re” still in your files somewhere. did you change the permissions, wordpress admin/password, and tables after the first time you were hacked? if so, go through all the links that Jan suggested. * Thread Starter [Kevin](https://wordpress.org/support/users/kevinkazoun/) * (@kevinkazoun) * [14 years, 3 months ago](https://wordpress.org/support/topic/wordpress-security-5/#post-2618787) * Hello, * Thank you for your swift responses. * Every time we got hacked I put back a backup from a few days earlier, i’ve never really bothered cleaning it up. * Sucuri Scanner didn’t even find the base64 codes last time, then when I went to check our theme files with the Antivirus plugin pretty much every file was infected, so I’m not really sure what I should and what I shouldn’t use anymore. * Is it possible to hack a site and place a script to activate and place base64 strings after a few days? because every backup I’ve placed back into the site has been clean, and a few days later it would be infected again. * [rwilki](https://wordpress.org/support/users/rwilki/) * (@rwilki) * [14 years, 3 months ago](https://wordpress.org/support/topic/wordpress-security-5/#post-2618788) * Have you done a completely clean reinstall of the entire wordpress structure? Not just your theme, but everything? Also, there could be some files either hiding on your server or in your database. I would also use phpmyadmin to see what’s in your database. Check to see if there are any new tables too… * Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/) * (@jdembowski) * Forum Moderator and Brute Squad * [14 years, 3 months ago](https://wordpress.org/support/topic/wordpress-security-5/#post-2618789) * > Every time we got hacked … i’ve never really bothered cleaning it up. * Restoring a couple day old backup just leaves you vulnerable. It’s why you still get hacked; you’ve not closed the door on the attacker. * Give those posts a read, they can really help you figure out what happened and what to do about it. * [rwilki](https://wordpress.org/support/users/rwilki/) * (@rwilki) * [14 years, 3 months ago](https://wordpress.org/support/topic/wordpress-security-5/#post-2618790) * Jan’s right. They were probably playing with your site before you became aware of it. That’s the problem. I’d start with a completely clean fresh install of wp 3.3.1 with new credentials, and take a look at your theme when you first installed it. * If it’s a free theme, I’d be very careful. If it was a purchased theme or you designed it yourself, then you might be OK but don’t use anything that you’ve downloaded recently from the server. Hopefully, you have a local copy that is original. Viewing 6 replies - 1 through 6 (of 6 total) The topic ‘WordPress security?’ is closed to new replies. * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) * 6 replies * 3 participants * Last reply from: [rwilki](https://wordpress.org/support/users/rwilki/) * Last activity: [14 years, 3 months ago](https://wordpress.org/support/topic/wordpress-security-5/#post-2618790) * Status: not resolved ## Topics ### Topics with no replies ### Non-support topics ### Resolved topics ### Unresolved topics ### All topics