Discovering that your website has been hacked can be a very traumatic experience. It can have a great effect on your google ranking, make you an unwilling promoter of content that you do not endorse and in some cases result in loss of content and / or business.
Here I will run you through some of the vital steps to getting your website back online, and how to keep it secure in the future.
Change your passwords / usernames
The very first thing you should do. Changing your passwords and usernames should ensure that the hackers no longer have access to your website. This applies to your FTP account, your WordPress login and your MYSQL database login too. If possible you should get every WordPress user to change both their username and password.
Some WordPress hacks include new users being set up that gives the hacker a direct path into your website. If you notice any users you don’t recognise, delete them immediately.
Back up your files and data
If possible, always have a clean version of your entire WordPress install (including themes, plugins and WordPress core files) and keep this version up to date as possible. It is good practice that whenever a key change is made to your website (WordPress upgrade, plugin upgrade etc) to download everything again so that your clean version is also your latest version.
You should also be maintaining a regular backup of your WordPress database. It is unlikely that a WordPress hacker will actually be interested in your database, but should they get in and make adjustments or even delete data, you could be looking at a loss of years of work.
Download and re-install a clean version of WordPress, any plugins you need and, if possible, a clean template
If you do not have a back-up available, it is essential to download a clean install of your entire WordPress install and re-upload it. This includes your entire plugin directory and a clean template. If you have a custom theme in use, you will need to manually detect and clean all infected files.
Clean up all infected files
There is a very good plugin that enables you to identify all files that contain infected code, all files that have changed from their originals and all files that should not be in there at all. The plugin can be downloaded from here. Using this plugin, you should ensure you restore all files to their originals and identify and remove the hackers code from each infected file. The plugin helps you to not only identify infected files, but also where to find the injected code (normally <iframe> or <noscript>) within each file.
The final stage is to identify files that should not be there at all. WordPress hackers are very clever in that they give these files names very similar to WordPress core files. The files are normally placed in the core of your WordPress install. Here are the names of two common ones to look out for and delete:
- wp-apps.php
- wp-count.php
Download Better WP Security plugin
The best WordPress security plugin on the market in my opinion. The plugin enables you to change your default username to something other than “admin” (a very common brute force login attack used by hackers), automatically block bad hosts, block vulnerability scanners used by hackers along with an in-built firewall and 17 other security features. Download the plugin here.
Keep everything updated
Older versions of WordPress are more prone to attacks than newer ones. You should always ensure you have the latest version of your plugins and the WordPress system as a whole installed.
Delete unused themes
Unused theme files are a common way that hackers get into your system. They are unused and therefore, it can be safe to assume, not monitored either. Seen as you are not using these files, it makes sense to delete them.
Scan your local machine for viruses
Sometimes the reason your website got infected is due to a hacker gaining access direct from your local machine. Carrying out the above measures could be absolutely pointless if the computer you use to login is still compromised.
Request a site review from google
If your website has been hacked it will almost likely have been blacklisted too, meaning users will get a nasty “this website is a reported attack site” when they visit your website. Google typically re-crawls your website once a day, depending on the freshness of your content. To remove this site warning sooner you can manually request a recrawl by using Google webmaster tools.
Consider changing host
Whilst many WordPress system hacks are a direct result of the systems own vulnerabilities, some recent hacks have been because of server side vulnerabilities. Hackers are realising that they can spread viruses a lot quicker if they can hack into a server (and therefore hundreds and thousands of websites) compared to individual websites. You should ensure that your current provider is a reputable one that provides high levels of security, and if they are not, consider switching hosting companies. Remember, as with anything, you get what you pay for.
Useful resources
- Sucuri SiteCheck – Sucuri’s malware scanner is a free online tool that searches for malicious scripts or iframes and any general vulnerabilities. This helps to give you an indiciation to whether your site is clean or not, and if it isn’t, how close you are to restoring it.
- FAQ My site was hacked – Read up on this article delivered by WordPress themselves that gives detailed advice on how to deal with a hacked system.
