As a company that specialises in WordPress web design, we have seen a large increase in the number of people coming to us for help after their WordPress website has been hacked. WordPress is an excellent Content Management System (CMS) and now powers over 30% of websites on the Internet. That popularity also makes it a bigger target for attackers. Because WordPress is used so widely and has such a large community of designers and developers creating themes and plugins, the number of ways for someone to ‘get into’ your website is greatly increased: every theme and plugin you install is extra code that can carry its own vulnerabilities.
But why would they hack my website?
You might see yourself as a business with little or no useful information stored online, and wonder why anyone would bother hacking you. Most website hacking is not about targeting your business specifically. It is about your site being an easy target: the attacker finds a way in with minimal effort and then uses your site for their own purposes, for example to host spam pages, serve malware or redirect your visitors elsewhere.
Attackers run automated bots which scour the web in search of known vulnerabilities in websites, plugins, themes, scripts, etc. When a bot finds something exploitable it either exploits it automatically or reports back to its operator, who may then decide to break into your website. Pointing these bots at WordPress flaws makes sense to an attacker because, given the number of sites running WordPress, there is a high chance of finding something they can use.
Steps to take if you’ve been hacked
Redirect site visitors to a temporary landing page
It is bad for business when visitors to your website see a browser or search engine warning stating the site may be dangerous, a message announcing it has been hacked (a lot of hackers like to leave a note saying who hacked the site), or just a blank screen. Your online reputation may be damaged, or it could be as simple as people looking for your contact details to give you a sale, being unable to get in touch, and assuming you have gone out of business.
A quick fix for this is to create a temporary landing page on a different server. By changing your website’s DNS A record you can point all site visitors to this temporary site, so at least you provide basic information to them and they know you haven’t gone out of business. Note down the original DNS records before you change them so you can switch back later, and bear in mind that the change only takes effect for a visitor once the old record’s TTL has expired, which can take anything from minutes to a day.
Hosting packages are available by the month so you can just pay for one month and put up a single page stating your website is currently being worked on and provide people with your contact details.
Change your passwords
One of the first things you should do is change the locks on the doors. If you fix your website but someone still has the passwords to log in, they can hack you again whenever they feel like it. At a minimum the following passwords should be changed:
- FTP access (and SSH/SFTP, if your host provides it)
- Hosting control panel
- SQL database user (then update DB_PASSWORD in wp-config.php to match)
- WordPress user accounts (and check the user list for administrator accounts you did not create)
- WordPress security keys and salts in wp-config.php (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and the matching _SALT values). Changing these invalidates every existing login cookie, so anyone who stole a session is logged out.
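To show what rotating the WordPress keys actually involves, here is a small Python script that rewrites the eight salt defines in wp-config.php with fresh random values. It is an added example, not code from the original post: the sample wp-config.php content is constructed, and the salt alphabet and 64-character length are my own choice (the official generator at https://api.wordpress.org/secret-key/1.1/salt/ produces values of the same length). If you have WP-CLI on the server, `wp config shuffle-salts` does the same job.

```python
import re
import secrets
import string

# The eight constants WordPress reads from wp-config.php to sign cookies and nonces.
WP_SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Characters that are safe inside a single-quoted PHP string (no quote, no backslash).
# Assumption: this alphabet is our own choice, not WordPress's exact set.
SALT_ALPHABET = string.ascii_letters + string.digits + "!@#%^&*()-_=+[]{};:,.<>?/~"

# Matches  define('AUTH_KEY', '...');  with either quote style and optional spaces.
_DEFINE_RE = re.compile(
    r"define\(\s*(?P<q1>['\"])(?P<name>" + "|".join(WP_SALT_KEYS) + r")(?P=q1)"
    r"\s*,\s*(?P<q2>['\"])(?P<value>.*?)(?P=q2)\s*\)\s*;"
)


def new_salt(length: int = 64) -> str:
    """Return a cryptographically random salt (secrets, not random)."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def rotate_salts(config_text: str, generator=new_salt):
    """Replace every salt define found in wp-config.php text with a fresh value.

    Returns (new_text, names_rotated). Lines other than the salt defines are untouched.
    """
    rotated = []

    def _replace(match):
        rotated.append(match.group("name"))
        return "define('%s', '%s');" % (match.group("name"), generator())

    return _DEFINE_RE.sub(_replace, config_text), rotated


def extract_salts(config_text: str) -> dict:
    """Map salt constant name -> current value, for checking the result."""
    return {m.group("name"): m.group("value") for m in _DEFINE_RE.finditer(config_text)}


def missing_salts(rotated) -> list:
    """Names that were not found; a config lacking one should be fixed by hand."""
    return [key for key in WP_SALT_KEYS if key not in rotated]


# Constructed sample wp-config.php fragment (still on the default placeholder values).
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    new_text, rotated = rotate_salts(SAMPLE_WP_CONFIG)
    print("rotated:", rotated)
    print("missing:", missing_salts(rotated))
    print(new_text)
```

Run it against a copy of wp-config.php, check that all eight names were rotated, then upload the result; every logged-in user, including you, will have to log in again, which is exactly the point.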
Make a backup of the entire site root
Having a full backup of your site files and database means that if you make any major mistakes when trying to repair things, you can at least get back to where you started. It also preserves evidence of the attack for anyone investigating later. Make sure you back up the following:
- All files and folders in the root of the site (themes, plugins, uploads, etc.)
- XML export of content via WordPress admin Dashboard > Tools > Export
- Export of the SQL database via phpMyAdmin (or mysqldump)
- Note the site settings such as permalinks, admin usernames and emails, reading settings, menus, etc.
Deactivate all plugins
Out of date plugins are a common way for attackers to gain access. Even plugins that are not active are still open to attack. Ideally, your site should use the minimum amount of plugins to do the job. If a plugin is deactivated, and not going to be used again, it should be deleted.
Make sure the plugins that are active are actually being used. We’ve seen e-commerce plugins installed on websites that are not selling anything online. These plugins generate code on the front end of a website; attackers may see this code and assume the site stores credit card details from e-commerce transactions.
Write down or take a screenshot of all plugins installed and their active/inactive states. The WordPress database holds your plugin settings so you can delete the plugins and reinstall them fresh later on.
Inform your hosting company that your WordPress website was hacked
Be warned that your hosting company may delete your files to prevent other systems or accounts getting infected, which is why you made the full backup already.
Ask them to confirm there is no breach or issue on the web server itself. A server-level breach is normally outside a website owner’s control and has to be addressed by the hosting company directly.
If there is a server breach then you will have 2 options:
- Wait until the hosting company resolves the issue and gives you the all clear.
- Move to a different server. If you followed the first step in this post and created a temporary landing page with a new hosting package, you could create the site on that server.
You should already have a full site backup as a zipped file and a copy of the site’s SQL database. If you are staying with your current web hosting service then you should remove all files in the root of the original WordPress installation. The only items required when migrating a WordPress website are the wp-content folder and the SQL database, so everything else can be deleted and replaced from a fresh download. Do bear in mind that hackers could have placed malicious code inside any file in the wp-content folder too, including theme and plugin files and even files in uploads. In an ideal world you would delete every single item on the site and start fresh, but that may not be feasible for most sites.
If you are unsure about deleting files I’d recommend you talk to a WordPress expert who knows what should or should not be in a functioning website.
Download a fresh copy of WordPress
Download the same version of WordPress your site was running from wordpress.org. Having a standard, unedited copy of the WordPress system lets you compare files and folder structures with your current site, which helps spot anything that shouldn’t be there or has been changed. Core files that differ from the official release, or extra PHP files in wp-admin or wp-includes, are a strong sign of a backdoor.
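As an added example (not part of the original post), the following Python script does that comparison: it hashes every file in an unedited download and in the live site, then lists core files that were modified, files the release does not contain, and files that are missing. It assumes both trees are the same WordPress version, skips wp-content because themes, plugins and uploads are site-specific, and treats wp-config.php and .htaccess as legitimately extra; the demo trees it builds are constructed sample data. WP-CLI’s `wp core verify-checksums` performs a similar check against the official checksums.

```python
import hashlib
import tempfile
from pathlib import Path

# Site-specific paths that are not expected to match a fresh download.
# Assumption: themes, plugins and uploads are reviewed separately, not against core.
IGNORE_PREFIXES = ("wp-content/",)
# Files a working site has that the fresh download does not.
EXPECTED_EXTRA = {"wp-config.php", ".htaccess"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def tree_hashes(root) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256, skipping IGNORE_PREFIXES."""
    root = Path(root)
    hashes = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel.startswith(IGNORE_PREFIXES):
            continue
        hashes[rel] = sha256_file(path)
    return hashes


def compare_with_fresh(fresh_root, site_root) -> dict:
    """Compare a live site against an unedited download of the same WordPress version.

    Returns three sorted lists:
      modified - core files whose content differs from the official copy
      extra    - files on the site that do not exist in the fresh download
      missing  - files in the fresh download that the site lacks
    Anything in 'modified' or 'extra' under wp-admin/ or wp-includes/ deserves a close look.
    """
    fresh = tree_hashes(fresh_root)
    site = tree_hashes(site_root)
    modified = sorted(p for p in fresh if p in site and site[p] != fresh[p])
    extra = sorted(p for p in site if p not in fresh and p not in EXPECTED_EXTRA)
    missing = sorted(p for p in fresh if p not in site)
    return {"modified": modified, "extra": extra, "missing": missing}


def build_demo_trees():
    """Construct a tiny fake 'fresh' and 'site' tree in a temp dir. Sample data for this example only."""
    base = Path(tempfile.mkdtemp(prefix="wp-compare-"))
    fresh, site = base / "fresh", base / "site"
    core = {
        "index.php": "<?php require __DIR__ . '/wp-blog-header.php';",
        "wp-login.php": "<?php // login form",
        "wp-includes/version.php": "<?php $wp_version = '6.5';",
        "wp-content/themes/twentytwentyfour/style.css": "/* theme */",
    }
    for rel, body in core.items():
        for root in (fresh, site):
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
    # Differences introduced on the 'hacked' side (constructed):
    (site / "wp-login.php").write_text("<?php // login form\n// unexpected extra code")  # modified core file
    (site / "wp-includes" / "wp-tmp.php").write_text("<?php // file not in the release")  # dropped file
    (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');")  # legitimately extra
    return fresh, site


if __name__ == "__main__":
    fresh_dir, site_dir = build_demo_trees()
    for kind, paths in compare_with_fresh(fresh_dir, site_dir).items():
        print(kind, paths)
```

Point it at the unzipped download and a copy of the site root; a clean site reports nothing under `modified` and nothing unexpected under `extra` (wp-config-sample.php often shows up as `missing`, which is harmless).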
A fresh WordPress installation
Creating a brand new WordPress install is much safer than trying to filter through the previously compromised version. It doesn’t make a difference if you have a one-click install (provided by a lot of hosting control panels) or you install WordPress manually. The main thing here is to use as few files from the previous site as possible to minimise potential infection again.
Once the new CMS is done the next thing is to import the original content, images and settings. From the original site backup you can import the following:
- XML content file via Dashboard > Tools > Import > install the WordPress importer. Be warned that we have found malicious code in XML files generated by hacked WordPress websites (typically script or iframe tags injected into post content), so review the export before importing it.
- Site theme via FTP to siteroot/wp-content/themes/.
- Uploads folders via FTP to siteroot/wp-content/uploads/. The uploads folder is where WordPress stores all media files uploaded to the site.
- Edit settings to match the records you made from the original site
WordPress does not detect when you add files to the Uploads folder manually via FTP. Luckily there’s a great plugin to tackle this called Add from Server.
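Before importing, it is worth scanning both the XML export and the uploads folder. The script below is an added example, not code from the original post: scan_wxr() reads a WXR export and reports posts whose content:encoded body contains script or iframe tags, PHP open tags or typical obfuscation calls, and scan_uploads() flags files in uploads that have a non-media extension or PHP code in their first bytes (for example a PHP file renamed to .jpg, or a dropped .htaccess that makes images executable). The pattern list, the allowed extensions, the sample export and the sample uploads tree are all constructed assumptions to adapt to your own site.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

CONTENT_NS = "{http://purl.org/rss/1.0/modules/content/}"  # WXR keeps post bodies in content:encoded

# Things that should not appear in ordinary post content. Assumption: tune to your site,
# e.g. drop the iframe rule if you legitimately embed videos.
SUSPICIOUS_CONTENT = (
    ("script tag", re.compile(r"<script\b", re.I)),
    ("iframe tag", re.compile(r"<iframe\b", re.I)),
    ("php open tag", re.compile(r"<\?php", re.I)),
    ("obfuscation call", re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
)

# Extensions normally found in wp-content/uploads. Assumption: extend for your media types.
ALLOWED_MEDIA_EXT = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".pdf", ".mp4", ".mp3"}


def scan_wxr(xml_data) -> list:
    """Return (post title, reason) for every item in a WXR export whose body matches a pattern."""
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")  # let the parser honour the XML declaration
    root = ET.fromstring(xml_data)
    findings = []
    for item in root.iter("item"):
        title = item.findtext("title") or "(untitled)"
        body = item.findtext(CONTENT_NS + "encoded") or ""
        for reason, pattern in SUSPICIOUS_CONTENT:
            if pattern.search(body):
                findings.append((title, reason))
    return findings


def scan_uploads(uploads_root) -> list:
    """Flag files in uploads that have a non-media extension or start with PHP code."""
    uploads_root = Path(uploads_root)
    findings = []
    for path in uploads_root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(uploads_root).as_posix()
        if path.suffix.lower() not in ALLOWED_MEDIA_EXT:
            findings.append((rel, "unexpected extension"))
        with path.open("rb") as handle:
            head = handle.read(512)
        if b"<?php" in head or b"<?=" in head:
            findings.append((rel, "PHP code in file body"))
    return sorted(findings)


# Constructed sample export: one clean post and one with an injected script tag.
SAMPLE_WXR = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
     xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:wp="http://wordpress.org/export/1.2/">
<channel>
  <title>Example site</title>
  <item>
    <title>About us</title>
    <content:encoded><![CDATA[<p>We build WordPress sites.</p>]]></content:encoded>
  </item>
  <item>
    <title>Spring offer</title>
    <content:encoded><![CDATA[<p>Half price!</p><script src="//cdn.example/x.js"></script>]]></content:encoded>
  </item>
</channel>
</rss>
"""


def build_demo_uploads() -> Path:
    """Construct a small fake uploads folder in a temp dir. Sample data for this example only."""
    root = Path(tempfile.mkdtemp(prefix="wp-uploads-"))
    samples = {
        "2024/01/photo.jpg": b"\xff\xd8\xff\xe0 fake JPEG bytes",
        "2024/01/brochure.pdf": b"%PDF-1.4 fake document",
        "2024/02/shell.php": b"<?php echo 'not an image'; ?>",          # wrong file type
        "2024/02/logo.jpg": b"<?php // php hidden behind an image name",  # PHP body
        "2024/.htaccess": b"AddType application/x-httpd-php .jpg",        # makes .jpg executable
    }
    for rel, body in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)
    return root


if __name__ == "__main__":
    print("export:", scan_wxr(SAMPLE_WXR))
    print("uploads:", scan_uploads(build_demo_uploads()))
```

Anything the export scan reports should be cleaned in the XML (or in the post after import) before the site goes live, and anything the uploads scan reports should be deleted rather than copied to the new server.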
Test everything is working
Time to test your site for any issues carried over by running a security scan on your website looking for anything suspicious.
Since there are new ways to hack websites being discovered daily, it is safe to assume that online web security scanning services will not always catch every single potential issue on your website.
Next, navigate through the website and check all images, content, links, pages, etc. are working as expected.
How to prevent future website issues
Offsite and ongoing backups
A WordPress website backup service is like having an insurance policy for your website should the worst happen. Having a solid backup plan in place for your website will save a lot of hassle but more importantly, it will minimise the downtime of your website the next time something goes wrong.
Hosting companies are not immune to being hacked either, so your website backup should be stored in a different physical location from your website files.
Keep WordPress core and plugins up to date
Many WordPress core and plugin updates include security or bug fixes. Not being up to date leaves you open to attack and makes you exactly the easy target those bots are looking for. Checking for updates at least monthly should be part of your stay-safe plan, but apply security releases as soon as they are published rather than waiting for the next monthly round. WordPress installs minor core security releases automatically by default, so do not disable that.
Improve your security online
Letting CloudFlare manage your site’s DNS is a good first step. CloudFlare acts as a middleman (a reverse proxy) between visitors and your website, blocking requests it views as threats. You can also configure CloudFlare to block specific IP addresses or even entire countries. Note that this only helps if attackers cannot reach your server directly, so restrict your web server to accept traffic only from CloudFlare’s published IP ranges.
A correctly installed and configured website firewall can prevent a lot of attackers from even getting to land on your website.
Managed WordPress Update & Security Service
We offer WordPress website care plans which cover everything your WordPress website needs including backups, updates, security scanning and hosting. The goal of this service is to help prevent your WordPress website being hacked. For more information or help getting your WordPress website back online, you can contact us on 012544000 or firstname.lastname@example.org