Security

What to Do if Your WordPress Website was Hacked

If you think your WordPress website has been hacked this Halloween, don’t get spooked.

The only real big downside to using WordPress is that because it is the most popular website content management system in the world, it is also the most targeted by hackers. Unfortunately, no matter how many security measures are taken, there is no way to guarantee that your site won’t be hacked. But the benefits of WordPress far outway the risks when it comes to security, and there are many things you can do to minimize the risk of your website getting hacked.

If your site has definitely been hacked, the best place to start is to revert to a backup and scan it. Do you, your old designer, or your web host have backups of your files and database? We always recommend built-in frequent backups to prevent loss of work (like blog articles that you might have written since your last backup).

Watch this video by Google about how and why your website might have been hacked:

Here are some of the most common things that could cause your site to get hacked:

  1. You inadvertently downloaded spyware on your own computer and someone hacked into your site that way (if your emails have been hacked recently or if you notice anything else peculiar on your computer in your internet browser or otherwise, this is likely the case). Spyware on your computer can record your keystrokes and then use your user name and password to get into your site.
  2. Your web hosting server was hacked (this is more likely if you are using shared hosting, which most small businesses use).
  3. Your WordPress site was hacked from a brute force attack (a robot was able to guess your username and password) or other attack. If you are using “admin” as your user name and/or you’re not using a secure password (more than 8 characters + upper and lower case + number + other character + no full English words or names) this could have been the case.
  4. Your WordPress site has an insecure plug-in or outdated software. This is the most likely case if it has been more than a few months since you have updated your WordPress software / plugins / themes.

Here are the steps you can take:

You will need to scan your own computer for an infection in case #1 was the cause. Do you have virus protection software on your computer? If so, run a scan. If not, we recommend this free malware scanner: https://www.malwarebytes.org/mwb-download. If you detect a trojan or spyware program on your computer, get it removed immediately, and then change ALL  the passwords to any websites you use once your device is clean.

If you scan your computer and nothing unusual pops up, you should also contact your host to inform them in case one of their server’s was hacked (#2). They can check if the infection is server-wide. If it was an attack on the server, your host may clean up your website for free. And they will take the necessary steps to prevent the site from being hacked again in the same way.

If your host does not report a widespread problem, #3 could be the cause. Make sure you have secure user names and passwords that aren’t easily guessed by robots or humans.

Most of the website hacks we have seen is because people didn’t update their WordPress software. The code on your website (the WordPress software, plugins and themes) is constantly being updated with security patches as new threats are identified. Consider deleting plug-ins that don’t come from a reputable author or that are no longer supported and replacing them with currently supported plug-ins from reputable authors. Keep your WordPress updated at least every three months to protect your website from hackers. If you have ecommerce on your site, you’ll want to update your software every month.

No matter what the cause of the site hack (and sometimes you may never know what happened), you should change your WordPress passwords and authentication keys. You may want a developer to help with this step. You should also update all your website themes, core files, and plugins. If any of your plug-ins are not activated, delete them.

If your host has Sitelock or Sucuri, buying that software will not only help detect threats, but you can upgrade to have them fix the hack for you to make sure your site is safe.

It’s a good idea to check if your website was blacklisted. Here is a great FAQ article that discusses this and other things: http://codex.wordpress.org/FAQ_My_site_was_hacked

We HIGHLY recommend adding more stringent security measures on your website to help prevent attacks, which will take a developer’s help. Below is a list of security measures we always include on our websites to help prevent attacks as in #4:

  • ensuring the user name admin is never used
  • using a safe version of jQuery
  • using strict file permissions
  • blocking suspicious looking information in the URL
  • hiding version numbers
  • not allowing users without a user agent to post comments
  • ensuring the administrator’s user ID is not 1
  • changing the URL of the login page
  • changing the WordPress database table prefix
  • not displaying user’s names publicly
  • preventing php uploads
  • blocking non-english characters in the URL
  • and preventing directory browsing

You need a web developer for many of the above measures, unless you are very familiar with cPanel, MySQL and/or phpMyAdmin.

Check with your host to see if you had purchased any kind of warranty from your security protection plans from your host? If so, they may fix your website up for free. If not, contact us to get a quote on cleaning up your site and making it more secure.