Even if you try your utmost, chances are hackers will find a way to hack your site. Following our WordPress security article, I’ll show you five things you should do right after you find your site has been hacked. Some of those things you should probably do before it even happens!
1. Understand what just happened
Your site has been hacked. There are a number of ways this can happen. It might be due to poor maintenance (more on that later), or due to bad plugins. Regardless of what the cause is, you’d better prepare yourself. Your website is on WordPress, and because of the huge user base WordPress has, hackers like WordPress as well. I think my personal website is under brute force attack a couple of times a day. Don’t even get me started on the site you are reading now. This isn’t an invitation, but please realize that hackers try to hack your website all the time. You are no exception.
Tony Perez did a webinar about how websites get hacked earlier this year:
A few things that might lead you to believe you’re suffering a hack might include:
- Google has blacklisted your website;
- Google search result pages show “This site may be hacked”;
- Your host has disabled your site;
- Customers notify you via their local AntiVirus applications;
- Your website is not behaving correctly or generating odd errors.
There are some free tools available to help you in the process, like the SiteCheck Scanner.
Knowing what happens and realizing that you are vulnerable is half the battle. Please read our WordPress security article and monitor your website at all times. On top of that, you might want to install a web application firewall and a local application security plugin.
2. Harden WordPress
There are a lot of things you can do, but at least address the following:
- Generate new security keys for WordPress. These are in your wp-config.php file and you can generate these here. Copy/paste them into your wp-config.php file, save the file and step 1 is done.
- Reset your user passwords. Somehow, the hacker managed to hack your site. In a brute force attack, the method is just to guess your username (please don’t use ‘admin’) and password. After a hack, change all passwords just to make sure. Use a unique password with a complex structure. It’s always best to use a randomly generated password instead of a human generated one. Combine upper/lowercase, use special characters and numbers. WordPress helps with that these days. Use a password manager like 1Password or LastPass to store your passwords.
- Reinstall the core. Post-compromise, we highly recommend you always remove and reinstall the WordPress core manually. Do not use the update/reinstall feature via your dashboard. Instead, use your favorite FTP/SFTP client and manually replace the files. Attackers like to embed their files deep in your file structures, and a very common place is within the core directories (i.e.,
- Reinstall your plugins. Of course, that sounds drastic. But if you want to make sure no malicious code remains on your website, do a fresh install and hope all the additions and insertions of the hack disappear. We follow strict security guidelines here at Yoast and have our software reviewed by Sucuri on a regular basis. That’s still a best-effort, by the way, but it makes sure we can immediately address any vulnerabilities. All things considered, it’s our job as a plugin developer to do our very best. Unfortunately, not all plugin developers are as strict in this as we are. So reinstalling your plugins might be a good idea.
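The first item in the list above, regenerating the security keys, is worth doing with care: the keys and salts in wp-config.php sign every login cookie, so rotating all eight at once invalidates every existing session, including any the intruder is still holding. The following script is an added example, not code from the post or from WordPress itself. It generates the eight values from the local CSPRNG instead of fetching them, rewrites the define() lines in place, and refuses to finish if any of the eight keys is missing from the file. It assumes a POSIX sh with openssl and sed; the placeholder string checked by count_value is the one a stock wp-config-sample.php ships with.

```shell
#!/bin/sh
# Added example, not code from the Yoast post: rotate the eight WordPress
# security keys/salts in a wp-config.php. The post says to paste freshly
# generated keys into the file; this does the same with values drawn from
# the local CSPRNG so it runs offline. Assumes POSIX sh, openssl and sed.
set -eu

WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# One 64-character salt. 48 random bytes base64-encode to exactly 64 chars;
# '+', '/' and '=' are swapped for symbols that are safe both inside a PHP
# single-quoted string and in the sed replacement below.
gen_salt() {
    openssl rand -base64 48 | tr -d '\n' | tr '+/=' '!#%'
}

# Rewrite every define( 'NAME', '...' ); line in wp-config.php with a fresh
# salt. Fails (non-zero) if any of the eight keys is not defined in the file,
# so a partially rotated config is noticed rather than silently accepted.
rotate_salts() {
    cfg="$1"
    for k in $WP_KEYS; do
        grep -q "define( *'$k'" "$cfg" || { echo "missing $k in $cfg" >&2; return 1; }
        s=$(gen_salt)
        # '|' is the sed delimiter; it cannot occur in the generated salt
        sed -i.bak "s|define( *'$k', *'[^']*' *);|define( '$k', '$s' );|" "$cfg"
    done
    rm -f "$cfg.bak"
}

# How many of the defines still hold a given value, e.g. the
# 'put your unique phrase here' placeholder a fresh install ships with.
# Prints 0 (instead of failing) when the value no longer occurs.
count_value() {
    grep -c "'$2'" "$1" || true
}

# usage: rotate_salts /path/to/wp-config.php
```

Run it against a copy of wp-config.php first and diff the result; the only lines that should change are the eight define() lines. Because the keys match on the quoted name, AUTH_KEY and SECURE_AUTH_KEY cannot be confused with each other.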
3. Keep your website up-to-date
Keeping your site up-to-date sounds like SEO advice: “Dynamic content makes your website rank better”. But please keep in mind that a healthy technical install really protects your website from hacks. Personally, I stay away from plugins without updates in the last two years. There is a reason WordPress.org tells you that. Hackers target vulnerabilities in older versions of WordPress. The version of your WordPress install is in your WordPress readme.html file (so remove that), and sometimes even right in your source code.
The bottom line is to keep both plugins and WordPress up-to-date at all times. Note that this advice goes for activated and deactivated plugins, as these are just as vulnerable. Make sure to update all of your software (after cleaning up your website) after a hack. This way you’ll have all the latest security updates, which makes you less vulnerable. Nevertheless, we regularly find sites running old versions of WordPress and plugins.
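Two points in this section lend themselves to a quick audit: the version your install discloses (readme.html, and the version recorded in wp-includes/version.php) and the versions of every plugin directory on disk, active or deactivated. The script below is an added example, not code from the post or from WordPress. It reads the plugin version from the standard "Version:" header in each plugin's main PHP file and compares against a manifest of current releases that you supply as a "slug version" text file, so it runs offline; keeping that manifest current is an assumption the script makes rather than something it does for you. It assumes a POSIX sh with grep, sed and awk.

```shell
#!/bin/sh
# Added example, not code from the Yoast post. Inventories the WordPress
# core version and every installed plugin (active or deactivated alike) and
# flags the public readme.html the post tells you to remove. The "latest
# known" versions come from a manifest file you maintain, so the check runs
# offline. Assumes POSIX sh with grep, sed and awk.
set -eu

# Core version as recorded in wp-includes/version.php ($wp_version = '6.4.2';)
core_version() {
    sed -n "s/^[$]wp_version = '\([^']*\)';.*/\1/p" "$1/wp-includes/version.php"
}

# Prints 1 if readme.html (which shows the version to anyone who asks for it)
# still exists in the web root, else 0.
readme_exposed() {
    [ -f "$1/readme.html" ] && echo 1 || echo 0
}

# Prints "slug version" for every plugin, taken from the 'Version:' header of
# the plugin's main PHP file. Directory presence is all that counts: a
# deactivated plugin still has its files on disk and is still reachable.
plugin_versions() {
    for d in "$1"/wp-content/plugins/*/; do
        [ -d "$d" ] || continue
        slug=$(basename "$d")
        v=$(grep -h -m1 -E '^[[:space:]]*\*?[[:space:]]*Version:' "$d"*.php 2>/dev/null \
            | head -n1 | sed 's/.*Version:[[:space:]]*//; s/[[:space:]]*$//')
        echo "$slug ${v:-unknown}"
    done
}

# Compares the inventory against a "slug version" manifest of current
# releases and prints "slug installed -> current" for each plugin that is
# behind. Exact string comparison is deliberate: anything that is not the
# current release is reported. Plugins absent from the manifest are skipped.
outdated() {
    root="$1"; manifest="$2"
    plugin_versions "$root" | while read -r slug v; do
        want=$(awk -v s="$slug" '$1==s {print $2}' "$manifest")
        if [ -n "$want" ] && [ "$want" != "$v" ]; then echo "$slug $v -> $want"; fi
    done
}

# usage: outdated /var/www/html /path/to/current-releases.txt
```

The manifest comparison is intentionally strict: a plugin on a newer-than-listed version also shows up, which usually means the manifest itself is stale.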
4. Restore a backup after the hack
Valentin Vesa of Sucuri pointed me to this when discussing the subject with him. Create a backup strategy. Please don’t be the guy that installed Backup to Dropbox or Backup Buddy and has never restored a backup. Make sure you can. Monitor your backups. Store your backups offsite. Plus, you have to test your backups now and then, to make sure all is right. At the moment, one of our favorite backup services is BlogVault.
Solid backups make it possible to quickly restore your website after a hack. It might cost you a few updates, but at least you’ll keep your site up and running. After restoring a backup, follow up on advice number three of this list and make sure to update your WordPress install and all of your plugins.
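"Make sure you can" restore is the part most people skip. The script below is an added example, not code from the post or from any of the backup products it names: it writes a backup archive together with a per-file checksum manifest, then performs the restore test the post asks for by extracting the archive into a scratch directory and verifying every file against that manifest, also failing if the restored tree contains a different number of files than the manifest lists. It assumes a POSIX sh with tar, find and either sha256sum (coreutils) or shasum.

```shell
#!/bin/sh
# Added example, not code from the Yoast post: a backup with a checksum
# manifest and a restore test that proves the archive really restores to
# what was backed up. Assumes POSIX sh, tar, find and either sha256sum
# (coreutils) or shasum (macOS/Perl).
set -eu

# Use whichever SHA-256 tool the host has; both accept -c for verification.
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# Archive the site root and write <archive>.sha256 with one checksum per file
# (paths relative to the root, so they can be verified after extraction).
# File names containing newlines are not handled by this simple loop.
make_backup() {
    site="$1"; out="$2"
    tar -C "$site" -cf "$out" .
    ( cd "$site" && find . -type f | sort | while read -r f; do sha256 "$f"; done ) > "$out.sha256"
}

# Extract the archive into a scratch directory and verify every file against
# the manifest; also require that exactly the manifest's files came back.
# Returns 0 only if the restore is complete and intact.
restore_test() {
    archive="$1"
    manifest="$(cd "$(dirname "$archive")" && pwd)/$(basename "$archive").sha256"
    scratch=$(mktemp -d)
    tar -C "$scratch" -xf "$archive"
    expected=$(grep -c . "$manifest")
    restored=$(find "$scratch" -type f | grep -c .)
    status=0
    if [ "$expected" != "$restored" ]; then status=1; fi
    ( cd "$scratch" && sha256 -c "$manifest" >/dev/null 2>&1 ) || status=1
    rm -rf "$scratch"
    if [ "$status" -eq 0 ]; then echo "restore test passed: $restored files verified"; fi
    return "$status"
}

# usage: make_backup /var/www/html /backups/site-$(date +%F).tar
#        restore_test /backups/site-YYYY-MM-DD.tar
```

Keep the .sha256 manifest with the archive offsite, as the post recommends for the backups themselves; a manifest stored only on the compromised host is exactly as trustworthy as that host.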
5. Don’t try this at home
Don’t take security lightly. In most cases, it’s a trade of its own. You are probably not the most capable person to take care of it. Webmasters, web agencies, and business owners have other qualities that matter. If you hire a security company like Sucuri to take care of your website security business, you can focus on the things you are good at.
And yes, quality security services cost money. But think of all the time you are saving not having to worry, or dealing with a hack yourself. To make it even better for you, Sucuri has a nice offer for our readers:
All the more reason to prevent your site from being hacked, instead of dealing with security after the hack is already done!