Oh Sh*#! What to Do When Your WordPress Website Has Been Hacked
I was away from my computer when I received this text: “FYI: Your website’s been hacked. Might want to fix that.” Which, obviously, is the precise moment my stomach decided to hit the floor and my body broke into a cold sweat.
I’d just published an article on another popular WordPress blog about “How to Customize WordPress like a Web Design Pro” and I knew my site was getting a lot more traffic than usual. Hence, the text. But to make matters worse, I’d also just had a big client meeting for a new consulting gig and the guy in charge of hiring me was planning to look at my website that night.
With new visitors pouring in and an important potential client investigating my professionalism, I had no website. I had worse than no website! My domain was a plain black background with atrocious, bright red, block letters declaring, “ThIs SiTE iS thee B^tch uff Syrian Hackkkk3rsS!!!!!!!! Wee RuuuLE!!@!”
As you can probably imagine, my first thoughts were, “FFFuu-aaantastic.”
I mean really, what a horrible thing. To realize something you’ve put so much time, effort, money and emotion into has been replaced by some 13 year old’s idea of a good joke; and at the worst possible time. Or porn. Or a get rich quick scheme. Or anything other than the site you built to represent your brand to the world.
If that’s why you’re reading this post, go ahead and skip down to the “What to do if you’ve been hacked” section and get yourself sorted out. The rest of us are going to look at how most WordPress installs become compromised in the first place, what to do if you’ve been hacked, and how to prevent it from happening again in the future.
Even if you’ve never had WordPress security issues before, I can assure you–you don’t want to start. So let’s begin by looking at both general security vulnerabilities and then specifically at those unique to WordPress.
For the “average” WordPress user, there are two main security vulnerabilities that I’d classify as “general” which really have nothing to do with WordPress itself.
- Your local network/machine
- Your shared hosting provider
Local Network/Machine: When it comes to your local network/machine, you simply need to keep things clean and up-to-date. It’s a good idea (especially on a Windows machine) to regularly run a full malware and anti-virus scan. And keep that software up to date! Including your router’s settings/firmware. If you’re not keen on investing in anti-virus software, you can use this article to help you locate and delete infected files.
Shared Hosting Provider: Next, you need to check with your shared hosting provider. The hack may have affected multiple sites and not even originated with your install. That’s not extremely important if you still ended up getting hacked, but in those instances it can be a small comfort to know you haven’t been specifically targeted. And on a practical note, you should be aware of whether or not your host is responsible or a shoddy theme/plugin, etc.
In the instance I described above of my own experience, it was my shared host that had been initially compromised. A script was then used to quickly check all WordPress installs on my shared server, replace the wp-config.php files and place that lovely message on the home page of each site.
Thankfully, as far as WordPress hacks go, it ended up being pretty mild in the end. That didn’t change the fact that I nearly had a heart attack when it happened, but at least it was fixable. All I had to do was dig into one of my backups, restore my wp-config.php file via FTP and delete a few files in my themes/plugins folders that looked out of place. Though just to be safe I did end up doing a completely new install. And I began looking for a new host.
Security Vulnerabilities in WordPress
While there are numerous ways in which a WordPress site can be vulnerable to attack, the following four weak spots are most commonly at fault when a WordPress site is hacked:
- Weak usernames/passwords
- Theme or plugin bugs
- Not updating WordPress core and themes/plugins in a timely manner
- Jerks who hack WordPress sites
On Weak Usernames/Passwords: You may or may not have noticed but as of WordPress 3.8, the standard “password strength detector” forces you to create something extremely strong. This is undoubtedly part of the WordPress Foundation’s efforts to help reverse this particular statistic. The takeaway being: ditch the “admin” username and go as difficult as possible with your password (mixing letters, numbers and letter-case throughout). It’s not worth keeping it simple if that also gets you hacked. Just write it down (if you have to) and above all, keep it private. To learn more about how weak usernames/passwords can lead to a hacked site, just check out this article on WordPress “brute force attacks”.
On Theme or Plugin Bugs: Occasionally, even extremely popular premium themes/plugins will have an unexpected security flaw. In which case, it’ll most likely be big news in the WordPress blogosphere in short order. However, a lot of headaches can be avoided by simply reading up on the plugins you’re installing, before you install them. Stay away from free themes/plugins when they are not from the official WordPress Directories. Also, try to stick to themes/plugins with four and five star ratings. And to be on the safe side, just Google this: “[insert plugin name] security” and make sure nothing alarming shows up.
On Not Updating WordPress Core and Themes/Plugins: It’s understandable that if your site is highly dependent on the functionality of a few plugins, that you’re going to want to wait until they’re compatible with the newest version of WordPress before you update your core. However, when it comes to high quality and reliable plugins, they will almost always have an update within hours or days of the WordPress core release–if it’s needed at all. As a rule of thumb: if you see that an update is available, backup your site and run it.
On Jerks Who Hack WordPress Sites: One might think pointing this out is redundant, but I wanted to list it anyways. It’s important to remember that there are jerks out there (as well as misguided wannabe’s with malicious scripts) just waiting for you to slip up. So stay vigilant, follow the best practices below, and you should be ok.
What To Do If You’ve Been Hacked
In the event that you have been hacked or think you’ve been hacked, follow the steps below:
- Regardless of how it happened, you’ve been hacked. Take a deep breath. Stay calm. Don’t do anything rash.
- First things first, clean up your local machine (run anti-virus) and update everything.
- Next, log into your hosting account and check with them to see what’s going on. Make sure that you’ve actually been hacked. It may simply be that they’re experiencing a service outage for your site. If you are definitely hacked, as I was, then send them a support message asking if they can trace what happened and what caused it.
- While you’re in there, change all of your backend passwords (FTP/SFTP/MySQL) and the passwords for everyone who has access to your site.
- Ideally, you’ve recently backed up your site and can walk through a simple restoration tutorial, like this one. If that is not the case, then now would be the time to begin backing everything up. Check out Kevin Muldoon’s recent post on VaultPress for this particular how-to.
- Close any backdoors the hacker may have left and secure your wp-config.php file.
- Update everything.
- Change your passwords again, just to be safe.
- Consider a premium security solution such as managed WordPress hosting and/or Sucuri. ManageWP is another good option for those who would like to keep their shared hosting, but want some added security and support.
- Finally, be sure to follow all applicable WordPress security best practices in the future (listed below).
Wrapping Up & Moving Forward: WordPress Security Best Practices
So that was unpleasant. What can you do to make sure you never have to go through that again? Follow these WordPress security best practices:
- Always update WordPress core, themes, and plugins right away.
- Back your site up daily; either via your host or one of the many trusted WordPress backup plugins such as VaultPress, BackupBuddy, BackWPup, BlogVault, etc.
- Never use the default “admin” username.
- Create a unique and difficult password that contains upper-case and lower-case letters, numbers and symbols. Avoid any permutations of your name or the name of your site. The more random the better.
- Secure your wp-config.php file.
- Hide your username.
- Hide your version of WordPress.
- Limit login attempts.
- Disable file editing in the dashboard by adding the following to your wp-config.php file: define( ‘DISALLOW_FILE_EDIT’, true);
- Install WordPress File Monitor Plus to receive notifications every time your files are edited.
- Always use SFTP when logging in to your site via an FTP client or your hosting panel.
- And once again, consider a premium options such as managed hosting, Sucuri or ManageWP. Peace of mind is surprisingly valuable!
- Or, if you’re up for some advanced DIY security, check out this definitive guide to WordPress security.
My Personal Recommendation
Personally, I would much rather spend my time creating content than messing around with the database side of WordPress. Which is why my personal recommendation is to hire professionals! I use premium, managed WordPress hosting via WPEngine and they take care of everything. I don’t even have to bother with any of the plugins I’ve linked above. They automatically back up my site, manage security, and in the event that I am still somehow hacked, they will fix it for free.
Sure, I pay a premium for their service, but if that means I never have to deal with being hacked again–I’m ok with that. Plus, having a blazing fast (and secure) site allows me to do more business with greater peace of mind.