It’s a sad and unfortunate reality that any website—large or small—can get hacked. And because of the overwhelming popularity of WordPress around the globe, when a bug or flaw in its security is discovered and disseminated, WordPress sites become very attractive targets to unscrupulous individuals who now have literally millions upon millions of pages on which to wreak havoc, driving away important site traffic and harming your most loyal subscribers and visitors. You may also find that your site is suddenly suffering in search engine rankings, which can be a hit to your reputation. And, in worst-case scenarios, you stand the chance of losing all your site data.
When your site is hacked, it’s of course a great idea to call in an expert who can identify the leak, find the damage and repair your site quickly so you can be back up and running in no time. However, professional help costs money, and for small site owners the cost can quickly become more than they can bear. Happily, though, there are also some important steps the everyday website owner or administrator can take once they find out their site has been compromised. Here are a handful of simple actions the WordPress layman can take to help in the aftermath of a hack.
- While you’re remaining calm (easier said than done for many), first identify and document everything you know about the hack. Determine if you can still log into your admin panel; see if your site is being redirected to another URL; search your pages for links that you don’t recognize; and investigate whether or not search engines such as Google are marking your site as “insecure.” Having this list of problems will be vital later on in the process. And of course change your passwords immediately, before you begin to attempt any fixes.
- Next, check in with your hosting company, many of which have user support staff that are experienced in dealing with hacks, especially considering they are well-versed in their own hosting environment and have most likely seen these issues before. Follow their instructions and, in some circumstances, the host will clean up the problem for you and recommend measures you can take to avoid a future hack.
- Now it’s time to start restoring your site from the backups you hopefully have been making since the day your site went live. If you update your pages daily, try to find the most recent backup available—unfortunately you may still lose the most recent posts, comments etc., but you should be able to restore the majority of your data.
- Examine your site and delete any inactive themes or plugins, as this is often where hackers locate the “backdoor”—the place where they were able to bypass authentication safeguards and access the server covertly—that allowed them to compromise your site in the first place. Then scan your site completely for any and all hacks using a free plugin such as Sucuri WordPress Auditing or Theme Authenticity Checker. They will report on the integrity of your most important core files and, ideally, show you where the malware that allowed the hack is hiding (the most common spots are the theme, plugin and upload directories).
- Once the aforementioned plugins find the hack, you can either manually remove the malicious code or replace the corrupted file with the original file via a fresh download of all WordPress files; this will overwrite the affected ones. Repeat this step for all theme files, plugins etc.
- Next, check “User Permissions” by looking in the users section to ensure only you have admin access to the site. If a user appears there that you don’t recognize, delete them immediately. Then change your security keys, which encrypt your passwords when you log in. This invalidates existing “cookies” so that, if a hacker is still logged in, they’ll lose access to your site. Add the new security keys to your “wp-config.php” file.
- If all these steps have worked and you don’t feel the need to call in an expert, as a final step change your passwords again. And be sure to change them for every section you access via a password: your main WordPress login; cPanel/FTP/MySQL; and anywhere else that is password protected. And be sure that, when you change your passwords, you use strong ones that are hard or impossible for a hacker to guess, i.e., a random combination of letters (both upper and lowercase), numbers and symbols.
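Rotating the security keys from the steps above, as an added example that is not part of the original post: a small Python script that reports which of the eight key/salt constants in wp-config.php are missing, still hold the sample placeholder, or are too short, and replaces every one it finds with a fresh 64-character random value. The wp-config.php excerpt and the function names are constructed for this example.

```python
import re
import secrets
import string
from pathlib import Path

# The eight constants WordPress reads from wp-config.php to sign its login cookies.
WP_SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
# No quotes or backslashes, so a value drops into a PHP string literal unchanged.
ALPHABET = string.ascii_letters + string.digits + "!@#%^&*()-_=+[]{}.,|~"
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(%s)\1\s*,\s*(['"])(.*?)\3\s*\)""" % "|".join(WP_SALT_KEYS)
)
# Constructed sample (not a real site's file): two placeholder keys, one weak, five missing.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wp' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define("LOGGED_IN_KEY", "short");
"""

def generate_salt(length: int = 64) -> str:
    """Cryptographically random salt drawn from ALPHABET (secrets, not random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def find_weak_salts(config_text: str) -> list:
    """Keys that are missing, still hold the sample placeholder, or are under 32 chars."""
    present = {m.group(2): m.group(4) for m in DEFINE_RE.finditer(config_text)}
    return [k for k in WP_SALT_KEYS
            if k not in present or present[k] == PLACEHOLDER or len(present[k]) < 32]

def rotate_salts(config_text: str) -> tuple:
    """Give every key/salt define a fresh value; other lines are left untouched."""
    fresh = {}
    def replace(m):
        fresh[m.group(2)] = generate_salt()
        return "define( '%s', '%s' )" % (m.group(2), fresh[m.group(2)])
    return DEFINE_RE.sub(replace, config_text), fresh  # (new_text, {key: value})

def rotate_file(path: str) -> dict:
    """Rewrite wp-config.php in place, keeping the old copy at path + '.bak'."""
    original = Path(path).read_text(encoding="utf-8")
    updated, fresh = rotate_salts(original)
    Path(path + ".bak").write_text(original, encoding="utf-8")
    Path(path).write_text(updated, encoding="utf-8")
    return fresh
```

Keys the script reports as missing are not added automatically; add a `define()` line for each before rerunning so that every cookie type gets a fresh secret.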