WordPress is the go-to platform for millions because of how easy and fast it is to create a professional-looking website. Unfortunately, its popularity also makes it a target for hackers.
Keep reading to learn how to rebuild your WordPress site if you get hacked.
WordPress Hacking is a Common Occurrence
The thriving WordPress community has produced a growing library of themes, plugins, and support discussions that in turn make WordPress an even better platform. As of May 2021, 42.4% of the top 10 million websites online are built on WordPress, according to W3Techs.
However, popularity has its disadvantages. The amount of websites running on WordPress has made it a prime target for hackers looking to find easy ways to exploit as many sites as possible.
Despite this, WordPress continues to be one of the best options for setting up a new website since the developer team and the community work around the clock to fix any vulnerabilities they find.
Even though a huge number of WordPress sites are hacked every day, very few of these are due to vulnerabilities on the core WordPress platform. Instead, hackers take advantage of other preventable issues.
WordPress Plugins & Themes Can Be Vulnerable
Vulnerable plugins and themes are one of the most common problems. Most third-party developers are well-intentioned and aim to fix any vulnerabilities on their product quickly to minimize the damage done, but sometimes this is not possible if the plugin is abandoned and unstaffed, or worse — if the vulnerability was introduced by a developer with malicious intent in the first place.
Even when using only reputable plugins and themes, all the work of these developers amounts to nothing if sites are not up-to-date. Websites running older WordPress versions, plugins, or themes are vulnerable to issues fixed in newer versions. They are also at a greater risk of getting hacked.
With all that said, an impenetrable door is only as good as its lock. If the passwords for your admin users are not long or complex enough, hackers will have no trouble guessing them by continuously trying out different passwords.
What to Do If Your WordPress Site Gets Hacked
My WordPress blog was hacked! Now what?
If your WordPress blog has been hacked, follow these steps to clean up and protect your site.
The first step is to determine the extent of the damage.
- Quickly browse your site to look for content changes and links or redirects to other malicious websites.
- Check the list of users to see if any new ones have been added.
- With your file manager or via FTP, check WordPress directory for any unusual files or directories, as well as inside the wp-admin and wp-content folders (plus the plugins and themes folders inside).
- Check any .htaccess or other configuration files to look for malicious code.
- If you are managing a server that hosts multiple WordPress sites, it’s a good idea to check some of them for any similar signs of hacking.
2. Damage Control
The most important thing at this point is to stop the situation from getting worse than it is.
Take a Full Backup Of the Site
Even though the site is compromised, we don’t want to lose any of the legitimate content on it. Taking a backup of the full website at this point will also let us try again with a different method if for any reason the cleanup does not go as expected.
Remember Your Visitors
If this is a live site, it will most likely still be receiving legitimate visitors who may be exposed to redirects or unwanted content placed by the hackers. Putting up an “Under Construction” page or a “We’ll be back soon” message is a great way to protect your visitors and the reputation of your website while you work on the cleanup.
Update Your Passwords
Changing the password for your WordPress admin accounts and your hosting control panel is an easy but important measure to stop unwanted activity after the cleanup. Even if the previous passwords weren’t cracked, the hacker will have most likely set up usernamess or passwords of their own, which may allow them back into the site even after it is cleaned up.
Using a long and complex password is the best way to ensure it is not cracked again. To minimize the chances of using a predictable password, a password generator is a great option.
All the important data on your WordPress site is stored in two places — the database, and the wp-content directory. Instead of manually looking for malicious code on each of the system files and directories outside of wp-content, it is faster to just delete all other directories and reinstall WordPress from scratch. This serves two purposes. It ensures that all files outside of wp-content are clean, and that WordPress is now on the latest version.
There is a possibility that there are malicious files inside of wp-content as well. It is recommended at this point to browse the list of installed plugins and themes and only leave those essential for the site to function.
When the reinstall is done and your wp-content directory is back into place, it is safe to bring the website live once again, disabling any maintenance pages you may have enabled.
If you are using cache to speed up your WordPress website performance (which you should consider if you aren’t), make sure to clear it as well to prevent any old content from being served after the site is up again.
After 1-2 hours you should use a free scanning tool like the one provided by Sucuri to verify that your infected WordPress site is clean. If it is still not clean, you will need to contact your hosting provider for assistance since there are more serious problems at play.
It is very useful to have older backups of the site at this point, since restoring back to a clean version of the site is sometimes the only option — even if some recent changes to the site may be lost.
How to Keep Your WordPress Site Safe From Getting Hacked Again
A few measures can go a long way when it comes to security. While there are many WordPress-specific tweaks that help achieve a well-rounded security strategy, mitigating most threats often boils down to a few key things.
Think About Add-ons
Anyone can create and publish their own WordPress plugin or theme. This makes for an impressive community of developers creating useful WordPress plugins. Unfortunately it also opens the door to vulnerable or malicious code. Before installing something new, check for its reputation and for any reviews about it, and consider if you would trust it to run on your WordPress site.
Make sure to remove or disable any plugins that you don’t need anymore. When possible, opt for alternatives that accomplish the same task without installing a new plugin on your site.
Stay Up to Date
Developers are always working to push new security enhancements to all aspects of your website — whether it’s plugins, themes, the base WordPress install, or PHP itself. In order to take advantage of these improvements, it is critical that you check for updates often or enable automatic updates when possible.
In some cases, updating right away is not possible, such as when your site is not compatible with newer PHP versions or when your hosting provider does not yet offer them. In these cases, reaching out to your developer or your hosting provider to address these issues is the most important step to follow.
Install a Security Plugin
There are many useful WordPress hardening options to prevent hacking that are not included with WordPress, such as password attempt limits, database monitoring, and changing the default admin login path.
However, using a security plugin like iThemes Security is an easy way to fortify the security of your site. All Nexcess hosting plans come with iThemes Security Pro built in for added protection.
It’s hard to overstate the importance of using secure, unpredictable passwords, but access security goes further than that. Make sure you don’t have more users with the “administrator” role than you really need.
If you frequently administrate your website from a specific location, consider limiting access to the wp-admin page to your IP address using your host’s configuration options or your WordPress security plugin.
If you need to be able to connect from anywhere, set up the security settings on your site to block IP addresses with a large number of failed login attempts in a short time.
Take Regular Backups
It is always a good idea to have backups going as far back as reasonably possible, not only in the case of a hacked website, but also to protect against accidental changes or software issues. If your hosting provider does not offer a backup solution of their own, you can still use services like VaultPress or BackupBuddy to perform backups from within WordPress.
Here are some helpful resources on backups:
Hacking is Common, but Preventable
Getting your site hacked is the worst, but can be prevented most of the time with adequate security measures.
Protect your site with a host that provides added layers of security — such as Nexcess.
Premium security tools, automated updates and backups, as well as always-on security monitoring mean that your website is protected on every line of defense.
Explore our WordPress hosting plans today to get started.
This blog was originally published in August 2016. It has since been updated for accuracy and comprehensiveness.