Nowadays, WordPress websites are notoriously lacking whenever it comes to privacy and security, and they are often the target of a WordPress hack. Be it because of the developer’s insufficient security measurements or the utilization of one of the bunch of plugins available (of which the security can’t be guaranteed).
With WordPress running on one to five websites on the Internet, it’s no surprise that they’re a target for both script-kiddies and experienced hackers alike. In 2013 around 90k WordPress websites were hijacked for utilization in a botnet. They’re a popular target for the trojan and malware.
This is why we have taken our time to detail some scenarios that could be taken to address the usual security holes or malpractices present in millions of WordPress websites and could help prevent a WordPress website hack.
Preventing WordPress hacks
Why is preventing WordPress hacks much more effortless than recovering from the damage?
The tiniest prevention is worth a ton of cure. This is not truer in regards to WordPress website hacks. WordPress websites are compromised just not by sophisticated and expert hackers however by bots only written to exploit known and essay vulnerabilities. These vulnerabilities are outdated plugins, weak passwords, obsolete themes, and low-quality web hosting.
When a website is hacked, the following resources could be affected:
- Files on the server, such as your theme files, could be modified.
- Files could be uploaded to the server, which could be containing PHP backdoors or malicious code.
- Code could be injected inside your WordPress database.
- Tremendous pages and post could be published containing spam code and malicious content.
- Your website could be redirected to the malware sites.
- Users with administrative privileges could be inserted into your database.
Having your website hacked could be a HUGE mess to fix. It could genuinely take hours and days to recover, and your SEO could take a massive hit if Google chooses to blacklist your website.
Luckily, preventing hacks is pretty easy, though it does need diligence.
10 Tips for Preventing WordPress Hacks
1 – Keep WordPress plugins, themes, and core up to date
It isn’t enough to login once a month or less to update. Exploits would occur within days or hours on vast numbers of websites as soon as they’re published. Our forgotten website that we didn’t update was exploited within a couple of hours of the Gravity Forms vulnerability being announced. You should update as soon as possible when there is an update.
For plugins that do not have front-facing functionality, you could utilize the Shield WordPress Security plugin to perform auto-updates for you. If you have multiple websites, then check out this post on on-site management plugins.
2 – Strong passwords
You must get a password tracking plugin or a tool like 1Password to track all of your passwords. You could no longer utilize the same password on all internet accounts and get away with it. You could not utilize your dog’s name or brand name, or special soft drink. You require long, complicated, unmemorable passwords.
We had two clients call us a couple of days ago because their Instagram, Gmail, or AppleID was hacked due to utilizing a weak password on every account and device. It’s pretty easy to utilize a password hacking program to discover what a password is. Our clients utilized passwords in both matters, which could be guessed by a password detection tool under one second!
You should test the strength of your existing passwords. And then, provide some serious thoughts to utilizing 1Password and make passwords that are complex, long, and obscure, and you have to change them frequently. With the help of 1Password, you have to remember one complex password.
3 – Keep your server clean
Delete unused versions of WordPress on the server. It is easy to forget these versions exist. Unused WordPress plugins, files, themes, etc., even if they’re not being utilized, not active, not even associated with your install, could be exploited easily. Delete delete delete. Run the tight ship.
4 – Protect your computer and home network
Run virus scans each time, especially if you are running Windows. Be careful of the websites you visit. You could inadvertently provide your WordPress login away only by a keystroke tracking Trojan that would steal your passwords as you type them on the keyboard.
Protecting the computer is often about not visiting sites that are distributing malware. However, even known websites, such as friend’s cooking blog, can be hacked. So, it should be best if you had some protection wherever you surf on the web.
For Windows:
- Avast! And Avira is both the best anti-virus applications.
- Be sure Windows Firewall is active.
For Mac OS:
- Scanning software is not needed, but Avira is the best option because it recognizes malware patterns with trojan and malware signatures.
- Turn on the Firewall in the Security & Privacy (System Settings). In the Firewall, check the box to Allow Stealth Mode. This will permit your computer to not be visible on the individual networks.
5 – Check your themes and plugins for the continued support
Do not utilize themes and plugins that are no longer available or maintained by the developers. If any plugin or theme has not been updated in a year or more, you must replace it. This could be a massive problem with themes. Tons of developers fly by night and do not stick around for more than a couple of months to support their plugins and themes.
When you buy a plugin or theme, look for a plugin or theme with current support requests which have been answered and solved on time, recent and frequent updates, and good star ratings.
Not all top-selling plugins and themes are the ideal themes or plugins, but they’re more likely to have updates and ongoing support. Read the comments for the high quality of response and tone. Look for enthusiasm, helpfulness, thoroughness, good articulation, quick response, and a positive attitude.
Premium themes often come bundled with third-party plugins. The theme developer might or might not offer timely updates for these bundled pre-installed plugins. For example, the Revolution Slider, a best-animated slider, which comes bundled with hundreds of themes on The ThemeForest.
A word about Revolution Slider
Besides that, The Revolution Slider had a significant security vulnerability in 2014. But, theme developers who packed it with their themes didn’t necessarily update the plugin when they have updated their themes.
As a result, tons of themes on The ThemeForest distributed a massively insecure plugin for months even after the vulnerability was discovered. Besides that, this vulnerability leads to the hundreds of thousands of sites being hacked and directing traffic to malicious websites.
The major upshot of all of this is just if you buy a premium theme that comes bundled with the premium plugins, like Layer Slider, Revolution Slider, Visual Composer, or others. You have to purchase these plugins SEPARATELY, so you could be notified of updates to plugins significantly and do not depend on a theme or plugin developer to keep you protected.
6 – Run a WordPress security plugin
We highly suggested the MalCare plugin by the makers of BlogVault. They’ve both a paid and free version. We love the most about their plugin because there are no customized options, which could be super confusing with any other security plugins.
All the malware scanning takes place on the cloud servers, so there isn’t any effect on your website’s performance. It runs a robust firewall and brute-force protection.
The premium version of the MalCare is not expensive, just $99/year, which is a bargain compared to other identical services. It should be best if you tried it out to know the full potential of this powerful plugin and let us know how it works for your website in the comments below.
We also like Shield WordPress Security by the iControlWP. We have utilized Wordfence in the past, and it continuously made errors in the error logs on multiple websites.
Other famous plugins out there could easily break your website or have you focused on “the security” measures, which do nothing for security when missing out on essential things like login protection.
7 – Install an SSL certificate on your site
SSL certificate will encrypt your and users’ data to your website transfer by the website, such as submitting contact-forms or utilizing login in web pages. Otherwise, your data is transferred like a postcard inside the form of mail, meaning everyone who’s looking could read it like plain text.
Having SSL integrated on your website permits you to login security (by HTTPS) while traveling. Many hosts provide this useful service for free, and you could utilize this Simple SSL plugin to force your entire content to use HTTPS.
8 – Do not log in on public WiFi networks
Suppose you are logged into your website on a public WiFi or a public distributed network. In that case, you’re essentially providing your login credentials away to everyone else on the same network who may be running a packet sniffing script.
If you haven’t integrated an SSL certificate on your website (that encrypts your password and username on the network), then utilize a Virtual Private Network (VPN) service so you can encrypt your traffic on the same network. Utilize this even if you have an SSL certificate on the website, as it is good to stay in a VPN on any public network.
9 – Backup your website
While backups aren’t always all that useful in recovering from a Website hack, they’re still essential for the complete recovery, particularly when it comes to the damage of your database, where all your website content is stored.
10 – Consider a better web hosting
Hosting companies like SiteGround, Kinsta, WP Engine, and Flywheel have your back on the subject of privacy and security. They routinely do security scans and would clean your hacked website for free, though we have known a lot of people to be hacked on these services as well, and it could take a lot of days to get unhacked or not at all.
We would still suggest running the MalCare plugin because hosts aren’t malware experts. We have been hosting most of our sites lately with the SiteDistrict. Their performance and security are pretty excellent in terms of website speed (right up there with the Kinsta), and their customer support is proactive and hands-on.
Steps to fix your hacked WordPress website
Step 1 – Analyze the issue
Step 2 – Backup your entire website
Step 3 – Install Security and Debugging plugin
Step 4 – Fix any specific errors
Step 5 – Delete WordPress
- Manual Deletion
- CPanel Uninstall
- Manual Delete Database
Step 6 -Check FTP Accounts and Delete unauthorized and unusable accounts
Step 7 – Update all plugins and themes
Step 8 – Delete unused themes and plugins
Step 9 – Change your usernames and passwords
Step 10 – Confirm with your hosting company for any malware detection on the website or database
Step 11 – Backup the clean copies of your website once all hacked files has been trashed
Step 12 – Reinstall WordPress
Step 13 – Restore your website with the previous Backup without malicious files
Step 14 – Rescan your website
Step 15 – You should take preventative measures to keep the hacker from attacking again
Let’s Begin,
Check the Severity of Attacks
The hacked WordPress site fix operation step is to check to see if you could log in to your admin panel. If you’re unable, then the severity is pretty high, and you might need professionals to help save your time and do a thorough cleanup.
However, If you could still access the admin panel, you could move forward to the operation’s next step. We highly suggest you change your website passwords before you begin the thorough cleanup.
Google Site Checker
With Google’s safe browsing tech, you could quickly check whether a site is a potential danger as a user. Another choice is Health check, which is available in the Google console through the Health menu item.
Once Google has already identified any malicious file or program on the site you visit, you must have received a “This site may be hacked” warning, which would disappear once the website is fixed
WordPress Scanning and Removal
There are tons of scanners on the website that could discover and remove any trojan and malware from a site. After the scan, you would overview the issues encountered, such as unauthorized changes or possible spamming to the web page.
Users can apply plugins with helpful functionalities such as last access, post-list verification, and various security notifications. Besides that, Hackers often hide their backdoor inside plugins and themes in WordPress websites.
You must look at your website and delete any disabled plugins and themes. You could learn more about the WordPress Backdoor hack. Once you’ve deleted the theme and plugins, you must rescan your website to get an updated list of problems.
The most basic places are WordPress plugin and WordPress themes directories, wp-config.php, wp-includes directories, wp-content upload directories, and .htaccess files.
You should run your site through the Theme Authenticity Checker, linked here. Theme authenticity checker would show details key right next to the theme concerning any infected file. It would also show you the corrupted and malicious code that it discovers.
Restore your WordPress site from the Backup
If possible, you must restore your website to the earlier point, when it wasn’t hacked. You could access the steps to take Backup and entirely restore WordPress manually here. If you’re capable of restoring your website, there is a good chance that you will have your website back up and running pretty soon.
The downside could still be that you might risk losing your blog posts published after taking back up, new comments, etc. you even might want to manually trash the hack, depending on the measurement of the hacked amount of content and time you have.
WordPress security plugin
There are many security plugins of WordPress for protection against the trojan and malware and rootkits. When we are talking about the malware in WordPress, you must pay special attention.
Update / Remove unused plugins and themes
You must update all themes and plugins. By the way, although you could have some plugins on your website, and every one of them provides you unique functionality, it doesn’t make any sense to have some themes installed.
Delete all the themes you do not utilize and keep the active theme you’re working with updated. This is how we could update plugins and themes. To provide you an overview of the whole operation, we have divided it into a few steps:
- Download your theme with the latest version.
- Unzip that File to access that updated theme.
- Then Go to the panel and Activate maintenance mode.
- Connect with your hosting using FTP.
- Rename your theme directory with any familiar name: themename-OLD.
- Upload that previously downloaded updated theme directory.
- Check the version of the active theme.
- Check everything (pages, functions, CSS, and JS)works correctly.
- Delete that old theme directory (themename-OLD).
Keep following
Do an entire cleanup on your WordPress website and trash all unused themes and plugins. Hackers often search for the disabled and outdated plugins (including official WordPress plugins) and themes and utilize them to gain access to your computer device or upload any malicious files to harm your server.
So one way to keep your website secure is to always update your themes and plugins that way, you know most hackers look for dormant plugins that don’t get updated in a while, and they could sometimes hack inside those. Keeping all your plugins updated is a way to help protect the website.
The number of themes you should ensure that you do not have any additional theme files lying around in your Cpanel/file manager is not utilizing. So it’s the best idea to delete out all the other unused themes because you could utilize one theme at a time for your site anyways, so now these are all updated.
It helps keep your site a little bit faster because it trashes, you know, all the useless stuff and files that could slow down your site. It is just additional space. It is taking up. So by just removing plugins that are disabled. You are also helping speed up the website a little bit.
By deleting themes and plugins that you stopped utilizing (and probably didn’t update) a long while ago, you anyhow deduct the risk and make your site a little bit more secure.
Manual control
One more way to find and repair a hacked website is to review it manually. Files of the type .php, .htaccess, and multimedia files are pretty viral among many hackers. We recommend searching for any existing directories according to the base64 encodings.
These kinds of infected files could be easily identified. If you find malware on a site, you would require to clean your computer device thoroughly of malicious files and programs and, after that, change their logins to access FTP., even after that.
The infected pages require to be removed or cleaned. The CMS should be reinstalled. However, The new installation eliminates the significant problems. But, while the above choice could help you find trojans and malware and repair your hacked WordPress website, there isn’t any guarantee of success.
The constant evolution of a cyber-attack makes the IT protection landscape unstable.
Disable file editing
As you know, WordPress comes with a built-in file editor that permits you to modify PHP files. While this functionality is beneficial, it could do a ton of damage as well. If the attacker gains access to the admin panel, they’ll look for the File Manager instead of that File Editor.
Some users prefer to disable this function completely. It could be disabled by just modifying the “wp-config.php” file and adding the following line of code:
define( ‘DISALLOW_FILE_EDIT’, true );
That’s all you have to do to deactivate file editing inside WordPress. IMPORTANT: If you want to re-activate this function, utilize your hosting provider’s File Manager or FTP client and delete this code from the “wp-config.php” file.
Reinstall everything
You would require to reinstall the themes, plugins, and WordPress itself right after backing up everything. When you extract the content from your “wp-content” directory, only utilize the picture files that you’ve archived.
It’s quite risky to download PHP or Java files because they could be compromised without your single knowledge. Afterward, perform a full virus scan of the computer device to ensure that there is nothing more to worry about.
Replacing damaged or infected files
Removing malicious code from all infected files is possible by removing damaged files or replacing those files with new generic files. We’re going to carry out the following operation in the following order, in an organized sense and without leaving any steps so that no trace of the trojan r malware remains:
- Replace the site’s files of WordPress with the files downloaded directly from the official WordPress website
- Replace the directories of all those plugins with the files downloaded in the .zip format files from the WordPress repository
- Replace those theme files with the theme files, which could be downloaded from the official store and source.
- Instead of doing file replacement, it’s suggested deleting and then pasting the newly downloaded files to make sure proper cleaning.
Once this is complete, it’s possible that our site is already less or more secure and that we could access it in a standard way using the web browser. You should keep in mind that if you’ve made essential modifications to the plugin code or the theme code concerning the originals downloaded from the official stores or sources, you’re going to lose them, and you should do them again.
Check All User Permissions and Role from WordPress Admin
Do your diligence on offering access to the right users in your team for the WordPress site. You might check the users’ section of WordPress to limit access to your site.
Download the latest version of WordPress
It’s essential to install the latest WordPress version to make sure to get off to a good beginning. You should also download the last versions of the plugins because the hacker might have introduced scripts inside your plugins.
Disable Cookies from WordPress Admin
Suppose you ensured that the cookies are disabled moving forward to prevent any further hacking. When a user logins utilizing the permissions, they will remain logged in until the cookies expire. It would help if you first made a new collection of secret keys. You require to make a new security key. You should add this newly made key to your “wp-config.php” file.
Rescan website
WP Hacked Help center is the ideal way to rescan your WordPress-based sites for website blacklist, malware, defects, injected SPAM, and malicious code online. In no time, they’ll scan and offer results, whether your site has any sort of infection or not. It’s one of the ideal scanners to discover viruses, malware, or malicious code present inside your Wp core files, theme, or plugins.
Change Your Passwords One More Time
You require to update your password of the WordPress, FTP / cPanel / MySQL password, and every place that you may have utilized this password for max security. It would help if you ensured that all users who have access to the site had changed their passwords. We hope this informative guide helped you fix the hacked WordPress site or yours.
Backup the clean copies of website files
We’re going to utilize FileZilla for this example. Once you have cleaned the WordPress site from the trojan or malware and any malicious code or virus, follow these steps:
- Access your FTP Accounts in CPanel to find out the credentials you require to set FileZilla. If you’ve forgotten or did not set a password, then click Change account password and change your password.
- Go to File, then Site Manager, then New Site. Fill in the username, password, and hostname fields with the details you gathered earlier. However, leave the rest of the configurations as is. Once complete, press Connect.
- When a connection successfully establishes, then you could right-click on the “public_html” directory on your website to Download it.
- While if you wait for WordPress files to get downloaded, you could make a backup of the database using the phpMyAdmin database system. Also, FileZilla would notify you after the completion of the file transfer, so do not worry!
