Web Hosting

What to do if Your WordPress Site is Hacked

Breaking in. Websites are being hacked more often every day.

Not only do you owe it to yourself to take every precaution you can to keep the hackers out, you owe it to your customers, friends and everyone who visits your sites.

It’s your responsibility to the web as a whole, not just protection for yourself.

I’ve had malware dumped on my machine when visiting a compromised site. It took me an age to clean up my machine and, however good that site was, I wouldn’t dream of visiting it again unless I knew the owner, and completely trusted that it had been cleaned up.

Not only that, the search engines know when your site has been compromised and they immediately remove it from their indices, thereby stopping your search engine traffic dead in its tracks.

The first rule of protection

So the first rule in protecting yourself is to ensure you always have a clean version of your site fully backed up.

I carry the last two full site backups (for every site) on my machine, and every other backup ever done is on my external storage.

At a minimum I do a full site backup once a week, and a database backup after every article is published. If I make any changes to the sites, other than new or updated articles, I do an additional full site backup.

If you’re not familiar with the options for backing up WordPress, there are more details here.

To fail to backup is to ask for trouble.

How do I know my site has been compromised?

Many times it will be obvious, because your site will be defaced, you’ll get a warning from your Internet security application when you view it in your browser, or it will re-direct visitors to another site. But a lot of times it won’t be.

On this site I have SiteLock installed.

SiteLock scans this site every day for malware, SQL injections, XSS scripting and viruses. It also scans all outgoing links from this site to see if any of them lead to compromised sites, based on data that it gets from Google and StopBadWare.org.

If it finds any vulnerabilities, including in sites that I’ve linked to, I’m alerted and given 72 hours to sort out the problem.

It’s a fabulous service and allows me to display that badge at the top right, immediately under the opt-in box.

But there’s a cheaper way to check your sites, assuming you have a full Internet Security protection suite on your machine (such as AVG Internet Security): visit your own sites each day.

If your site has been compromised your Internet Security application will alert you with a big red box and lots of exclamation marks.

And, of course, you can set up a Google Webmaster Tools account and check the Malware link each day.

So what do I do if my site has been compromised?

If you have a good backup routine the answer is simple:

Delete your entire site and empty all the tables in your database. Then re-install it from the most recent clean backup, and you’ll know which one that is as long as you’ve been checking your sites each day.

That’s both the quickest method of cleaning up your site (you can be up and running again in an hour or so) and the most thorough.

This site contains over 2,000 files. Going through that lot to find the ones that have been compromised and cleaning them individually is just not practical.

Deleting everything and re-installing it is the surest way of cleaning everything up.

If you’ve not been doing regular backups the best way to restore your site is to ask your hosting provider to restore it from their most recent backup.

They should be doing regular backups as part of their service, and it would be worth finding out what their backup schedule is.

The difficulty with this option is that you can’t be sure whether the last backup they did was of the clean site – especially if you’re not checking your sites each day.

If you don’t have that option then you’re left with trying to hunt down the corrupted files and cleaning them individually – and for that you will probably need a professional service such as SiteLock.

There are others, of course, and a Google search for something like ‘clean up a hacked website’ will bring you some results to check out.

Finally, once your site is clean again, you should ask Google to review it, because it will almost certainly have been flagged as compromised. You can do that through your Google Webmaster Tools account

How do I prevent my site from being compromised again?

The first step is to change all your login details

Log in to your re-installed WordPress site and create a new user with administrator privileges, giving it a different user name and password from what you used before. You can use letters, numbers and symbols for your username, just as you can for your password.

Log out and check that the new login works OK, and then delete the user you previously logged in as.

Be sure to go to your profile and change the Nickname to something different from your Username. If you don’t, your username will be publicly visible on all your posts.

Change your cPanel and FTP passwords

Some hosting providers use the same password for cPanel access and FTP. While this is not the greatest it does at least mean you only need to change one password.

If you have separate logins for your hosting control panel and FTP accounts, be sure to change the passwords on both.

Switch from using FTP to SFTP

FileZilla handles SFTP as well as it does FTP, so if your current FTP client doesn’t do SFTP then switch to FileZilla.

Check your machine for malware

If you have keyloggers or other malware on your machine it could be passing your FTP (and every other) login details back to miscreants. Malwarebytes is a great solution for this.

Ensure all your software applications are up to date

Check that any forms you’re using on your site are running on the latest version of their software. Opt in forms and contact forms both offer ways in for hackers, and the form providers should (and generally do) release updates as soon as vulnerabilities are discovered.

Of course, it goes without saying that all software applications, meaning themes, plugins, WordPress core, shopping cart applications and anything else, are always fully updated.

Check and correct your file and folder permissions

The WP-Security-Scan plugin is a good and easy way to do that.

Further reading

There’s some more reading on WordPress security here.

Just a word of caution: if the database tables on your existing WordPress site have the wp_ prefix, changing it to something else (as suggested by the WP-Security-Scan plugin and referred to in that article on setting up a new site) is high risk.

Setting up a new WordPress site with a different table prefix is very smart, but if your existing site already has the wp_ prefix you’re probably safer leaving it as it is, unless you’re a wiz with MySQL databases.

What other options are there for fixing a compromised site and what other security steps do you follow? Leave a comment!


Martin Malden.

Web Hosting