Online Security for Beginners – How to Fix a Hacked WordPress Website
14 Dec, 2017
The Internet is a wonderful place to share ideas, learn new things, and communicate with people around the world but unfortunately, some troublemakers like to cause problems. It’s sad to say it but if you run a website, there’s a good chance someone may eventually try to hack it.
It can be stressful when your site goes down as it has a big impact on your business and your ability to connect with your audience. WordPress, Drupal, Joomla… it doesn’t matter what platform you use. Any site can be hacked. This can cause you to lose search engine rankings, expose your visitors to viruses, damage your reputation due to redirects to unsavoury sites, or worst of all, cause you to lose all the data on your site. Luckily, there are ways to recover.
Before we go into the step by step process of how to restore your hacked WordPress site, let’s look at the ways you can protect yourself first.
A Little Protection Goes a Long Way
Before we start, here are a few things you can do to help prevent your WordPress website from being hacked in the first place:
- Use a good WordPress Hosting company. OMG can help with that but if you’re doing it on your own, here are a few of the best ones.
- If you can afford it, it’s definitely worth using managed WordPress hosting. Yes, it’s more expensive but it’s also secure and allows you to focus more on creating great content.
- Have a solid backup solution for your WordPress site. BackupBuddy is one of the most popular and longest running options.
- Finally, use a strong web app firewall to protect your site. Often hosting sites will offer this. It’s definitely worth it.
If you haven’t been hacked, odds are you’re already doing one or more of these but since you’re reading an article on how to fix things, we’re going to assume you need some help. Let’s look at how to repair your hacked WordPress site.
Plan A – Have a Professional Take Care of it for You
If you’re serious enough about what you’re doing to build a website for it, then you should also take your page’s security seriously as well. And unless you’re up to speed with servers and code, odds are you’re better off letting a professional protect your site.
If a hacker targets your webpage, they can hide scripts in its coding that allow them to come back again and again. We’ll show you how to clear some of those out but again, unless you totally know what you’re doing, you might not get them all. Having a security pro handle it means you’ll have peace of mind knowing they’ve cleaned out any and all malicious scripts.
Plan B – Fix a WordPress Hack Yourself
Maybe you can’t afford a security professional or perhaps you just prefer to take care of things on your own. Either way, here’s a step by step tutorial on how to deal with a hack:
Step 1. Identify the Hack
Once you realize you’ve been hacked, there are a few things you can do right off the hop. The first is to remain calm! Next, run through this checklist:
- Can you login to your WordPress admin panel?
- Is your WordPress site redirecting to another website?
- Does your WordPress site contain illegitimate links?
- Is Google marking your website as insecure?
It’s also crucial to change your passwords before you start cleaning things up. We’ll do that one more time at the end of this too.
Step 2. Check with your Hosting Company
Most decent hosting providers are extremely helpful when you get hacked. They deal with this kind of stuff all the time and since they know the hosting environment through and through, they’ll be able to lead you through the repair process. Start off by contacting them and listening to their instructions. They might even be able to fix the hack for you!
Step 3. Restore from your Backup
One of the most important rules when it comes to doing anything on the computer is back things up! If you’ve already backed up your WordPress site, you might be able to restore it from an earlier version before the hack occurred. If so, you should be set.
The drawback to this is that you run the risk of losing blog posts, new comments, etc… basically anything that was done between the backup and the hack will be lost. If you don’t have a backup or don’t want to risk losing content, you can try to remove the hack manually.
Step 4. Malware Scanning and Removal
First, go through your site and delete any inactive WordPress themes and plugins. This is often where hackers hide their way in so removing those essentially shuts the door to them.
Next, install the Theme Authenticity Checker (or TAC). This is a free plugin that searches the source files of your installed themes to look for malicious code. If it finds any, it’ll show you exactly where it is so you can remove it. This is what that looks like:
Now you can do one of two things: manually remove the code or replace that file with the original file.
By replacing the files, you’re essentially overwriting any corrupted ones with fresh WordPress files. One thing to remember is that if you made any changes to your WordPress theme code, you’ll end up losing those customizations.
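As an added example (not part of the original post and not the TAC plugin’s own rules), here is a small Python scanner that does the same kind of job: it walks a theme or plugin directory and flags lines that match a few obfuscation patterns commonly seen in injected PHP. The signatures are an illustrative assumption, and the sample functions.php is constructed.

```python
import re
from pathlib import Path

# Signatures for obfuscation commonly found in injected PHP. These rules are
# an assumption for illustration, not TAC's own rule set.
SUSPICIOUS = {
    "eval of decoded string": re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "request variable called as a function": re.compile(
        r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\("),
    "long base64 blob": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}

def scan_text(text, name="<string>"):
    """Return (name, line_no, rule) for every line matching a signature."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SUSPICIOUS.items():
            if pattern.search(line):
                hits.append((name, line_no, rule))
    return hits

def scan_tree(root):
    """Scan every .php file under root, e.g. wp-content/themes or wp-content/plugins."""
    hits = []
    for path in sorted(Path(root).rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits.extend(scan_text(text, str(path)))
    return hits

# Constructed sample: a theme's functions.php with one injected line (line 4).
SAMPLE_FUNCTIONS_PHP = """<?php
add_action('wp_enqueue_scripts', 'mytheme_scripts');
function mytheme_scripts() { wp_enqueue_style('main', get_stylesheet_uri()); }
eval(base64_decode($x));  // injected: decodes and runs hidden code
"""

if __name__ == "__main__":
    for name, line_no, rule in scan_text(SAMPLE_FUNCTIONS_PHP, "functions.php"):
        print(f"{name}:{line_no}: {rule}")
```

A hit is a reason to look at the file, not proof of a hack; compare the flagged file against a fresh copy of the theme or plugin before deleting anything.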
Step 5. Check Your User Permissions
This one is easy. Open up the users section of WordPress and double-check the users listed there. If you see someone who isn’t you or someone else you’ve made a site admin, delete them.
Step 6. Change Your Secret Keys
WordPress generates a set of secret keys to encrypt your passwords. This is great but if a hacker stole your password and is still logged in, they’ll remain logged in after all this because their cookies are still valid. To disable those, you need to generate a new set of secret keys and add them to your wp-config.php file.
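As an added example (not from the original post), this Python snippet rotates all eight keys and salts in a wp-config.php file: it generates fresh random values from a CSPRNG, rewrites each existing define() line, and appends any key that was missing so every session cookie signed with the old values becomes invalid. The key names are the ones WordPress uses; the sample config fragment is constructed.

```python
import re
import secrets
import string

# The eight keys WordPress expects in wp-config.php.
SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Characters that are safe inside a single-quoted PHP string (no ' or \).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>?,.;:|~"

def new_salt(length=64):
    """Random salt from a CSPRNG (the secrets module)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def rotate_salts(config_text):
    """Replace every key's define() with a fresh value; append keys that are missing."""
    out = config_text
    for key in SALT_KEYS:
        pattern = re.compile(r"define\(\s*'" + key + r"'\s*,\s*'[^']*'\s*\);")
        line = f"define('{key}', '{new_salt()}');"
        # A callable replacement stops re from interpreting '\' or '$' in the value.
        out, count = pattern.subn(lambda _m, line=line: line, out)
        if count == 0:
            out += "\n" + line
    return out

def defined_salts(config_text):
    """Map each define()'d constant name to its value."""
    return dict(re.findall(r"define\(\s*'(\w+)'\s*,\s*'([^']*)'\s*\);", config_text))

# Constructed sample wp-config.php fragment: stock placeholders, NONCE_SALT missing.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    print(rotate_salts(SAMPLE_CONFIG))
```

If you would rather not script it, WordPress.org publishes a generator at https://api.wordpress.org/secret-key/1.1/salt/ whose output you paste over the old lines, and WP-CLI’s `wp config shuffle-salts` does the same on the server.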
Step 7. Change Your Passwords AGAIN
Yeah, yeah, we did this in step one. Now we’re doing it again! Change your password for WordPress, cPanel/FTP/MySQL, email… basically anywhere you used that password needs to be updated. And make sure you use a strong one! None of that “1234” or “password” stuff. Here’s a good resource on how to create a strong password.
If there are multiple admins for your site, have all of them change their passwords too.
Securing Your WordPress Site Against Future Attacks
There. Everything should be back to normal and you can go back to running your site as usual! After all that, I’m sure you’re taking security a little more seriously now, right? If there’s one thing you do going forward, please, please, PLEASE get a good backup solution for yourself. You need something that’ll back your site up daily. Another great tip is make sure your themes and plugins are always up to date. And remember that checklist from the beginning of the article? Try a few of those and see what a difference it makes.
We really hope this has helped you get your WordPress site back online. If you’re still struggling or have decided you’d rather let an expert make your site more secure, get in touch with OMG today! We promise we’ll deliver a site that is not only secure, it’ll wow your audience as well!
Liked this blog post? We don’t have to part ways just yet! Sign up for our monthly newsletter that is totally spam-free and 100% awesome. You can expect links to our favourite (and most valuable!) blog posts, tips about tech, Google, and other things, plus the latest news we want to share with YOU, our favourite person ever.