What to Do if Your WordPress Website was Hacked
If you think your WordPress website has been hacked, you’re not alone.
The only real big downside to using WordPress is that because it is the most popular website content management system in the world, it is also the most targeted by hackers. Unfortunately, no matter how many security measures are taken, there is no way to guarantee that your site won’t be hacked. But the benefits of WordPress far outway the risks when it comes to security, and there are many things you can do to minimize the risk of your website getting hacked.
Why Would Someone Want to Hack My Website?
A lot of people don’t worry about their website getting hacked because they think “no one would want to get into my website. there’s nothing of value there.”
The fact is, the reasons sites get hacked run the spectrum from unethical search engine optimization tactics to full-on cyberterrorism. Every website is at risk, no matter how teeny or “unimportant” you think it might be.
Watch this video by Google about how and why your website might have been hacked:
How Do You Know if Your WordPress Website Has Been Hacked?
In the most obvious cases, your website might actually be replaced entirely with the hacker’s website or calling card. Other visual clues that your website is hacked is that the website design is very messed up or looks different than it did before.
To find out if your WordPress website contains malware, run your website through Sucuri’s free website security check.
Another way to find out is to create a free Google Search Console account. Google is usually pretty quick at detecting sketchy business, but first, you need an account.
Note that these two options won’t catch the sneakiest of hackers, but they will catch the lazy ones!
More subtle hacking will embed links that go to an external website that shouldn’t be there (these are common with pharma hacks). To check for a pharma hack type “site:yourdomain.com” into Google and see what the results look like. Of course, replace “yourdomain.com” with your actual URL. If you have been victim of a pharma hack, the results will often contain references to “Viagra” or “Xanax.”
If you can’t tell if your website has been hacked, it’s time to hire a professional WordPress developer or security company to investigate.
How Could My WordPress Website Have Been Hacked?
Here are some of the most common things that could cause your site to get hacked:
- You inadvertently downloaded spyware on your own computer and someone hacked into your site that way (if your emails have been hacked recently or if you notice anything else peculiar on your computer in your internet browser or otherwise, this is likely the case). Spyware on your computer can record your keystrokes and then use your user name and password to get into your site.
- Your web hosting server was hacked (this is more likely if you are using shared hosting, which most small businesses use).
- Your WordPress site was hacked from a brute force attack (a robot was able to guess your username and password) or other attack. If you are using “admin” as your user name and/or you’re not using a secure password (more than 8 characters + upper and lower case + number + other character + no full English words or names) this could have been the case.
- Your WordPress site has an insecure plugin or outdated software. This is the most likely case if it has been more than a few months since you have updated your WordPress software / plugins / themes.
What to Do If Your WordPress Website Was Hacked
If your site has definitely been hacked, here are the steps you can take:
Contact Your Website Developer
If you had your WordPress website developed by a professional, get in touch with them and let them know what’s going on. If you have a regular monthly care plan with them, your contract may include malware removal or “unhacking” your website. If not, they may be able to help you navigate the cleanup for a fee.
Scan Your Computer
You will need to scan your own computer for an infection. Do you have virus protection software on your computer? If so, run a scan. If not, we recommend this free malware scanner: https://www.malwarebytes.org/
Contact Your Website Host
If you scan your computer and nothing unusual pops up, you should also contact your website hosting company to inform them in case one of their server’s was hacked. They can check if the infection is server-wide. If it was an attack on the server, your host may clean up your website for free. And they will take the necessary steps to prevent the site from being hacked again in the same way.
Check Your Passwords
If your host does not report a widespread problem, you may have been brute force attacked. To prevent this in the future, make sure you have secure user names and passwords that aren’t easily guessed by robots or humans. If you are using the same password for many accounts, change them so each is unique and strong (containing at least one capital letter, one number and one character). Remember, don’t use any whole words. Once the website is cleaned up, change all the passwords to your website accounts and any other important accounts like your bank account just to be safe.
Check Your Website for Outdated or Unreputable Software
Most of the website hacks we have seen is because people didn’t update their WordPress software. The code on your website (the WordPress software, plugins and themes) is constantly being updated with security patches as new threats are identified. Consider deleting plugins that don’t come from a reputable author or that are no longer supported and replacing them with currently supported plugins from reputable authors. If any of your plugins are “deactivated”, delete them.
Clean Up the Hack
Without hiring a digital forensics expert, you will probably never know what happened to cause the hack of your WordPress website. But no matter what the cause, you need to clean it up, remove any malicious code from the site and protect yourself in the future.
Without cleaning up your website, you risk getting added to the “known spammers list” or a “blocklist.”
The best place to start is to revert to a backup of the website and scan it for malware. Do you, your website designer, or your web host have a backup of your WordPress website, including files and database? We always recommend built-in frequent backups to prevent loss of work (like blog articles that you might have written since your last backup).
You should change your WordPress passwords and authentication keys. You may want a developer to help with this step. You should also update all your website themes, core files, and plugins.
If your host has Sitelock or Sucuri, buying that software will not only help detect threats, but you can upgrade to have them fix the hack for you to make sure your site is safe.
It’s a good idea to check if your website was blocklisted. Here is a great FAQ article that discusses this and other things: http://codex.wordpress.org/
We HIGHLY recommend adding more stringent security measures on your website to help prevent attacks, which will take a developer’s help. Below is a list of security measures we always include on our websites to help prevent attacks as in #4:
- ensuring the user name admin is never used
- using a safe version of jQuery
- using strict file permissions
- blocking suspicious looking information in the URL
- hiding WordPress version numbers
- not allowing users without a user agent to post comments
- ensuring the administrator’s user ID is not 1
- changing the URL of the login page
- changing the WordPress database table prefix
- not displaying user’s names publicly
- preventing php uploads
- blocking non-English characters in the URL
- and preventing directory browsing
Going forward, keep your WordPress updated once a month to protect your website from hackers. Consider a WordPress website care plan us if you would like to put your mind at ease and have experts help.