How to Fix Your Hacked WordPress Site
You lovingly spent time and effort to set up your WordPress site. Unfortunately, at the time you weren’t educated with regards to how to secure your site. And now your site has been hacked.
Don’t worry, all is not lost. Depending on your host and a variety of other things, this may be a simple task to reverse. But before we delve into the process of fixing your site, let’s deal with what you want to do in the future to ensure this doesn’t happen to you again.
It’s also a good idea to understand some of the basic vulnerabilities of WordPress. A lot of these are very simple things you can address as soon as you regain complete control of your site.
The first thing I’m going to recommend you do is not something that is WordPress specific. This is a security measure that can protect you at all times while online.
Use a VPN
A VPN, or virtual private network, is a service that provides anonymity while online. It ensures that all traffic remains untraceable and that all data flowing back and forth is encrypted. Using the best VPN is a marvellous way to protect yourself and your WordPress site. It won’t provide 100% security but is an excellent layer of protection that you may want to build upon.
There are a variety of services available, with many different levels of features. If you are unfamiliar with a VPN, I would suggest that you start off with a VPN free trial.
Use Strong Passwords
One of the first things you do when setting up a new WordPress install is choose a username and password. Make sure the password you generate is a strong password. I typically go for at least 14 characters, and those characters should include letters, both upper and lower case, numbers, and symbols.
If your site has been hacked, one of the most common means of doing so is by a brute force attack. Weak passwords and an admin name that has not been updated from the default make it very easy for the bots that drive brute force attacks to access your site.
Install a Security Plugin
There are quite a few excellent security plugins. Some are far more complex than others and will require an amount of time to set up and customize for your site. However, once that’s done, it’s pretty much set and forget. Although you will need to update it whenever updates are available.
A security plugin is an excellent, all-around way of tightening your WordPress security. Most will include a firewall, will scan your files for any changes made, will scan for malware, protect you from brute force attacks, and notify you when any sort of security threat is detected.
Depending on the level of protection you want, you may want to go for one of the free options, or you may want to choose a premium security plugin.
Fixing Your Site
Now it’s time to try to fix your site. Depending on how bad the hack is, you can either attempt to fix it yourself or get the help of a professional. Note the second will cost you.
Either way, the first thing you need to do is identify the hack. Determine the following:
- Are you able to log in and access your WordPress admin panel?
- Does your website redirect to another website?
- Are you seeing illegitimate links on your website?
- Has Google indicated that your website is insecure?
With this information, you’ll be able to proceed. However, before you do anything else, change your password.
Connecting with your hosting company is the next step. Believe me, you’re not the first person to have ever been hacked, so hosting providers are quite familiar with dealing with the situation.
Follow whatever information your hosting provider provides as you may not be the only person affected by this hack if you are on a shared hosting plan. In some cases, you may not have to do anything further. Your host may step up and complete the job for you. Your host may also be able to tell you where the hack originated. This could prove to be useful information since you can use it to protect yourself against future attacks. Particularly if it was something like a backdoor attack via a vulnerable theme or plugin.
Once the hack has been identified and resolved, you will need to restore your WordPress site from a backup. Obviously, this will be a restore point taken before the hack which may mean you could lose some new content. If you don’t have a backup—you really should have a backup!—things are going to be trickier, especially if you want to preserve your content. You’ll have to manually remove the hack, so you may want to go the pro route here.
If you decide you want to attempt this yourself, you’re going to need to scan your WordPress site for any malware. The most obvious places to check are inactive or outdated plugins and themes, especially plugins and themes that didn’t come from a reputable source. Often times, hackers will place backdoors in these site add-ons. The scan will check your WordPress core files to find with the hack is hiding. Once the core files are checked, the scan will check themes and plugins.
Once you find the hack, you have two options. You can either remove it or simply replace the file where you found it.
Next, you want to make sure your user permissions weren’t changed, and that you, and only those you trust, have administrator access. From there you’ll want to change your secret keys and finally change your password again.
Now your site is up and running again and you have the tools to make sure it won’t happen again.