What to do if my WordPress site is constantly hаcked, shells appear?
And I associate this with hosting, which I switched to a few months ago. The previous host did not have such problem.
All plugins are updated on time. I even hired a professional to set everything up and close the holes. Still, the problem has not been completely resolved.
Maybe there is some good antivirus for the site or a working protection against hаcking?
There are no permanent antiviruses in the understanding of desktop ones, on hosting there can be scripts.
But holes can be both in WordPress and in plugins, and especially in the theme.
If it is old and with some additions, then most likely they enter through it.
In fact, the "leakiness" of the server is actually the least of all, if, of course, it does not have some kind of self-written panel, and the level of access from any user to any neighbor, then yes.
But I think such competition would not survive.
Ways to protect a WordPress site from hаcking:
I have already given an analogy, if there is a door, then there must be a lock, if your password is simple, there is no lock in this case, or, more precisely, the attackers have a key.
Therefore, it is recommended to create complex passwords without fail, and, ideally, do not save them anywhere, but only remember them. It is also recommended to periodically change passwords from everything, especially if your web site has already been hаcked.
Here we mean complex passwords for accessing the administrative panel of the site, for accessing web hosting control panel, for accessing the personal account on web hosting, for accessing the database, in other words, the password in all these cases must necessarily be complex.
A complex password is at least 8 characters, which will necessarily contain numbers, large and small letters, and, of course, special characters.
Remember, always use complex passwords, both for web site and for everything else where a password is required, since a simple password, for example, consisting of 3-4 digits, can even be manually selected in a couple of minutes.
The current version of WordPress, a secure template and a minimum of plugins
In this item, I have included everything related to your site's scripts, these are the WordPress scripts, the template, and plugins, all of them should not initially contain malicious scripts, and should not contain "Holes", i.e. all doors should be closed.
If there is a vulnerability in the scripts, then a hаcker can use it to hаck your web site, i.e. enter through the door in the scripts.
In order to close these doors, or at least close them in time, it is necessary to constantly update WordPress, immediately when the update comes out, this applies to both templates and plugins.
I repeat, there should be no malicious scripts initially, so download WordPress only from the official site, do not use free templates, they may contain vulnerabilities, and some hidden links, and everything like that.
Use a minimum of plugins, if you do not have a plugin involved, then delete it, i.e. first deactivate it, and then delete it (plugin files that are simply deactivated remain on the server).
In other words, you should have an order in the scripts, i.e. you should have only what you really need, and all this should be with the current versions. If you have a mess of scripts, a hаcker will have more opportunities to find a way to hаck your site.
3. Changing the administrator login
Many people set an administrator login to log in to the WordPress web site management console, for example, "Admin" or something similar, and this fact simplifies hаcking, since an attacker does not even need to look for an account with administrator rights. He can simply start the selection of passwords for the Admin account.
If the administrator's login is changed (and it is better not to call it that initially), it will be a little more difficult for the hаcker, so a new item is added to his tasks – to find out the username of a user with administrative rights. Also, many automated hаcking scripts are configured specifically for such logins.
In my opinion, the easiest way to change the administrator login is to change it in the database using phpMyAdmin, thereby you do not have to delete it and create it again.
To do this, you need to run phpMyAdmin, select the desired database and execute the following SQL query, which changes the administrator login and administrator username.
UPDATE wp_users SET user_login = 'NewLoginAdmin', user_nicename = 'newadminname'
WHERE user_login = 'Admin'
wp_users – a table in which the credentials of web site users are stored;
Admin is the current login of the administrator;
NewLoginAdmin is the new login of web site administrator (you, accordingly, invent and substitute your own);
newadminname is a new username with administrative rights (you invent and substitute your own value for this field).