How to handle a WordPress Hack
(Last Updated On: January 25, 2019)

 

WordPress is the most popular content management system (CMS) used today. For this reason it tends to attract the most hacking attacks, with just over 70% of WordPress sites hacked according to a 2016 study by Sucuri. If a hacker accesses your server, it becomes vulnerable to the entire hacking community. Fortunately, there are many ways and means of securing your WordPress website. So, while tiresome and annoying, a WordPress hack is not the end of the world.

Let’s take a look at actions that can rectify a WordPress hack and cut future attempts. A secure website is vital going forwards as loss of reputation and reliability will eventually kill your traffic.

 

What is WordPress?

Before we go any further it is worth confirming exactly what WordPress is and why it is so popular. There are literally millions of WordPress websites out there and because this is an “open source” platform there are new updates, plug-ins and themes emerging every day (there are also other open source CMS available). The open source nature of WordPress is integral to its growing popularity and perfectly illustrates the power of the masses. Many websites use the open source software but host elsewhere on a secure server optimised for WordPress – WordPress Hosting. This allows subscribers to use an advanced management panel, install 1-click apps like WordPress and other services from the host. Plus you can increase your website’s performance with hassle-free WordPress Hosting with high-speed servers, unlimited bandwidth and storage.

 

Notice of a WordPress hack

There are numerous ways you may receive notice of a WordPress hack, including:

  • Irate messages from those receiving phishing emails connected with your domain name
  • Notice from your hosting company of unusual activity on your account
  • A warning from search engines such as Google that your account has been compromised and needs to be addressed
  • You are unable to log into your WordPress administration account

In many ways noticing a hack depends on the actions of the hackers, so how you notice, or are informed, that your site has been compromised will vary.

 

Malware scan

The first thing to do is run a malware scan of your website files to try and find how and when the hackers obtained access to your server. In many situations this will diagnose website issues fairly quickly. As soon as you have the results, begin the process of securing your website. Depending on the complexity of the hack, a malware scan should highlight compromised files and the malicious access code used.

 

Check your activity log

All website host accounts will record activity on your server which can often show how the hackers obtained access as well as any phishing emails they may have sent out. You might be able to see the exact files that compromised your site and take immediate action to remove them. When using WordPress, you will probably notice that malicious code can be injected into the base WordPress files, themes and plug-ins. With the help of your host company you should be able to identify the entry points and compromised files.

 

File edits

Each time a WordPress file is edited in any way the server will take a note of the date and time which will be listed next to the file extension. Therefore, in relatively straightforward WordPress hacks, where themes, plug-ins and WordPress-based files have been compromised, you should be able to sort by the latest edit date and then check the compromised files. You must also ensure that all “hidden files” are listed so that you can carry out a full review of your website coding.
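The review described above, as an added example that is not part of the original article: a shell function that lists recently changed files newest first, hidden files included. It goes a step beyond sorting by edit date by also reading the inode change time, which stays current when a file's edit date has been set back. It assumes GNU find on a Linux host; the name recent_edits and the path in the usage comment are illustrative.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Assumes GNU find (Linux hosting).
# Paths containing tabs or newlines are not handled.

# recent_edits ROOT [DAYS]
# Lists every regular file under ROOT, hidden files included, whose content
# (mtime) or inode metadata (ctime) changed within the last DAYS days
# (default 7), most recent change first.
# Output: "YYYY-MM-DD HH:MM  FLAGS  PATH" (the date shown is the ctime)
#   H = hidden file, or file inside a hidden directory
#   C = ctime more than 60 seconds later than mtime
recent_edits() {
  local root="${1%/}" days="${2:-7}"
  find "$root" -type f \( -mtime "-$days" -o -ctime "-$days" \) \
       -printf '%C@\t%T@\t%CY-%Cm-%Cd %CH:%CM\t%p\n' |
    LC_ALL=C sort -rn |
    awk -F'\t' -v root="$root" '{
      rel = substr($4, length(root) + 1)    # path relative to ROOT
      h = (rel ~ "/[.][^/]") ? "H" : "-"    # a path component starts with a dot
      c = ($1 - $2 > 60)     ? "C" : "-"    # metadata changed after last edit
      printf "%s  %s%s  %s\n", $3, h, c, $4
    }'
}

# Usage (illustrative path): recent_edits /var/www/html 14
```

A C flag is a hint rather than proof: restoring files from an archive or changing permissions also moves the change time ahead of the edit date.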

In many cases WordPress hacks occur when website owners fail to update themes and plug-ins, and forget to download the latest WordPress release. While the power of the open source WordPress content management system is enormous, you must ensure that you do the basics and utilise all updates.

 

Blocking access for the hackers

As we touched on above, there are various ways in which malicious code can be injected into various parts of your website. Some hackers will obtain server usernames and passwords, sometimes via phishing scams, and gain direct access to your Control Panel. There will also be website user hacks where members are able to log in with varying degrees of access. Setting up a subscriber account is very easy; the site visitor simply creates an account. Unfortunately, using security flaws in plug-ins, some hackers will find a way to increase member authority to that of admin, which allows them access to raw code and the opportunity to inject malicious code.

 

It is essential that you remove all WordPress backend accounts with unauthorised access because very often this will be the simple entry point for hackers. Many people also choose to remove all subscriber accounts leaving just administrators. There are obvious benefits to having subscribers to your WordPress blog although this needs to be balanced with long-term security.

 

Fighting back to remove hacker access

Once you have more details about the hack, when it started, where it originated from and what is happening, it is time to start the fight back.

 

Changing passwords

As soon as you become aware of a hack the first thing you should do is change login passwords. This includes passwords to your WordPress blog CMS backend, Control Panel and direct server access. In theory, you should change your passwords on a regular basis and ensure that you do not use the same login details across various accounts you may have with other websites. Many people fail to realise that when using the same username and password on numerous accounts, hackers do not necessarily need to compromise YOUR website to get your login information. So, it is highly advisable that you use different usernames and different passwords across any online accounts you may have.

It is worth noting that changing passwords on its own is unlikely to secure your website as the vast majority of hacks will have found a backdoor entry. However, it is a useful starting point!

 

Removing malicious code

There are various ways and means of removing malicious code from your website files such as:

  • Manual editing
  • Update themes, plug-ins and WordPress files
  • Revert to an earlier backup

In many cases you may be able to manually remove malicious code and then run more malware scans to ensure your site is “clean”. It is also essential that all themes, plug-ins and WordPress files are updated to the latest versions. As we touched on above, as WordPress is an open source system this means that many individuals will be working on ways to improve security.

 

Reverting to an earlier website backup

In a worst-case scenario, you can revert to an earlier website backup which was saved before your website was compromised. Note, however, that new content and changes made after the backup date onwards would be lost. In some cases of complex hacking activity the only real option may be to revert to an earlier clean backup.

Once you have uploaded the backup it is essential that you update all plug-ins, themes and the underlying WordPress CMS code. At this point it may also be worthwhile undertaking a Google search to see if anybody else has had similar problems where specific themes and plug-ins have been compromised. While the hacking community tends to be a very tight-knit crowd, those looking to secure their websites also tend to share information regarding security, hacking routes and real-life advice.

 

Are hackers regaining immediate access?

You may come across situations where cleaning files, updating plug-ins, themes and WordPress code as well as changing usernames and passwords is just not enough. Before you can make all of the relevant changes the hackers are able to regain access and the process starts again. So, what can you do in this situation?

 

Password protect your website

If hackers regain access even after you have made the changes listed above, then more action is called for. The last course of action must be to password protect your website. This means that your website will not be visible to search engines or the general public while you address the problem. Obviously, when password protecting access to your website you should use new usernames and passwords. Don’t use passwords associated with the WordPress element of your website. Otherwise password protecting your site would be useless!

What this effectively does is create a barrier between the Internet and your file server. Unless a website’s visitor has the username and password they will not gain access to your website. This creates an environment in which you can update files, change passwords and carry out malware scans. You can even revert to previous backups without the hackers regaining access time and time again. In some instances, prior to additional password protection, hackers gained access through security flaws within themes/plug-ins. Where this continues, you may need to consider deleting those plug-ins/theme files and replacing them with more secure options.

 

Summary

It is almost inevitable that at some point you will be the victim of a WordPress hack. The hackers may gain access through theme files, plug-ins or be able to set up access accounts and then upgrade to admin status. In a worst-case scenario you can revert to previous backup files. However, if the compromise continues then you may need to remove insecure themes or plug-ins.

If your website is hacked it is imperative that you take action as soon as possible. There is the possibility that your IP address might be blacklisted due to actions taken by the hackers, for example if your account sent out thousands of phishing emails. Through no fault of your own, you would be held responsible for these illegal communications. It is possible to remove an IP address from a blacklist. However, this can take time and cause serious issues for you in the short term. So, in summary you should always:

  • Install the latest WordPress, plug-in and theme updates
  • Change your passwords on a regular basis
  • Monitor activity on your website which may give you an early warning of unauthorised access
  • Work with your hosting company to reduce the impact of activity by any hackers

Only when you are sure that all security issues have been addressed, and malicious code removed, should you go live with your site again. Being the victim of hackers is not a welcome experience but it is certainly not the end of the world.