Sailors like to make the statement that if you meet other sailors who say they’ve never run aground, they either have not been sailing for very long or they are lying. A similar saying can be used for web site owners and developers. If your WordPress site has never had security problems, you are either a new site owner—or lying.
The reality of WordPress website ownership is that sooner or later you are going to experience something “wrong” with your site. You may wake up one morning and find a bunch of emails from friends who are wondering why your blog is now the #1 promoter of Viagra and other pharmaceuticals. You may find yourself locked out of your website because someone else has gained control of it. It is important to understand that any site that is on the internet can be hacked, whatever content management system it runs, or none at all.
What should you do when your site has been hacked?
#1 WordPress Security Tip
1. Remain Calm
Since we already know that websites can be hacked, we can make preparations for this situation.
- Having quality backups ready and accessible at any time, stored somewhere other than the web server itself, so that a compromise or a wipe of the server cannot take them with it.
- Having more than ONE way to access your web server. (FTP, SSH, contact with hosting company, etc)
- A staging site that mirrors the live site, so you can test a fix or a restored backup before touching the live site.
If you are looking at this list and don’t have at least two of these three preparations in place, I recommend you first take care of making backups and then learn the different ways to connect to your server.
It’s important to remain calm because in stressful times, like having your website hacked, people tend to do ill-advised things. There are stories of someone who “freaked out” because they thought their site was hacked and deleted everything on their server, only to realize that they had also deleted all of their backups. Or the person who wiped an entire site and reinstalled a brand new server, when it turned out they only needed to replace a semicolon in one of their files.
#2 WordPress Security Tip
2. Make Contact with Your Hosting Company
One of the best things you can do when something goes wrong (a hack or the site operating unusually) is to get in contact with your web hosting company. There is a good chance they are already aware of the situation. If they are unaware when you contact them and it turns out to be a malicious hack, they will be grateful that you were able to point them in the right direction as soon as possible.
Your hosting company should have dedicated staff/resources to chase down and fix any hacks that may be occurring on their servers. It is in their best interest as a company to keep their servers running in the best possible condition. There are times when quickly contacting a hosting company can set everything in motion to fix an issue without you having to do anything.
#3 WordPress Security Tip
3. Consider Contacting a Professional
Internet security is a huge field and there are many companies that dedicate their entire existence to security. Professionals will normally be more up-to-speed with the knowledge needed and things that are happening around the world and the internet. While hiring a security professional to clean up your hacked WordPress site might be expensive, it might be worth it if it eliminates downtime and allows you to stop pulling your hair out.
We recommend checking out Sucuri, our trusted partner for WordPress hack repair.
#4 WordPress Security Tip
4. Change ALL passwords
It’s always a good idea to change your passwords whenever something out of the ordinary or unexplainable happens. The changing of passwords isn’t just changing your WordPress user account password, it entails going through and changing all of the following passwords:
- change your web hosting account password (how you login to your web host control panel)
- change your WordPress user account passwords
- change your FTP account passwords
- change your SSH account passwords
- change your domain registrar password that controls your domain name attached to your WordPress site
- change your email address password that is connected to your site
- consider changing your MySQL password (if you do, update DB_PASSWORD in wp-config.php at the same time, or the site will lose its database connection)
Passwords are the first line of defense, and whenever something unexplained happens on your site, changing them should be an automatic reflex. A password manager such as Dashlane, LastPass, or 1Password makes it practical to give each of the accounts above its own unique password and to rotate them all quickly. (Note: I highly recommend Dashlane to manage your passwords.)
#5 WordPress Security Tip
5. Change the SALT keys in the wp-config.php file
There is a block of code in your WordPress wp-config.php file, the eight authentication keys and salts (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their matching _SALT values), that should be changed after you have changed all your passwords.
WordPress signs every login cookie with these keys, so once they are changed every existing cookie becomes invalid: all users are logged out and have to log in again. This is a helpful step because if there is someone in your WordPress admin area who shouldn’t be there, it throws that user out of the site and forces them to attempt a new login. Since the passwords were already changed, that user will be unable to use old “acquired” passwords. The order matters: change the keys before the passwords and the intruder simply logs back in with the password they already have.
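Here is what that block looks like and how to rotate it without touching anything else in wp-config.php. This is an added example written for this article, not code from iThemes or from WordPress itself; it assumes the standard define( 'NAME', 'value' ); layout of wp-config.php and works on a constructed sample file. The same script is what you would run a second time at step 9.

```python
"""Rotate the eight WordPress authentication keys and salts in wp-config.php.

Added example, not code from iThemes or from WordPress itself. WordPress
signs every login cookie with these constants, so replacing all eight
invalidates every existing session at once, which is the mechanism behind
step 5 (and step 9, where the same rotation is run a second time).
"""
from __future__ import annotations

import re
import secrets
import shutil
import sys

# The eight constant names WordPress reads from wp-config.php.
SALT_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Printable characters that are safe inside a single-quoted PHP string:
# the single quote and the backslash are deliberately left out.
ALPHABET = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
            "!@#$%^&*()-_ []{}<>~`+=,.;:/?|")

# Matches one  define( 'NAME', 'value' );  line and captures its parts.
DEFINE_RE = re.compile(
    r"^(\s*define\(\s*'(?P<name>[A-Z_]+)'\s*,\s*')(?P<value>[^']*)('\s*\);.*)$",
    re.MULTILINE,
)

# Constructed fragment of a wp-config.php, shaped like the real file.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp' );
define( 'DB_PASSWORD', 'example-db-password' );

/**#@+
 * Authentication unique keys and salts.
 */
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );

$table_prefix = 'wp_';
"""


def generate_salt(length: int = 64) -> str:
    """Return a 64-character key drawn from the CSPRNG-backed secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_salts(config_text: str) -> tuple[str, dict[str, str]]:
    """Replace the value of every key/salt define; return (new text, new values).

    Every other define (DB_NAME, DB_PASSWORD, ...) passes through untouched,
    and a file that lacks any of the eight constants is rejected rather than
    half-rotated, because a partial rotation leaves some cookie types valid.
    """
    new_values: dict[str, str] = {}

    def repl(match: re.Match) -> str:
        name = match.group("name")
        if name not in SALT_NAMES:
            return match.group(0)
        new_values[name] = generate_salt()
        return f"{match.group(1)}{new_values[name]}{match.group(4)}"

    new_text = DEFINE_RE.sub(repl, config_text)
    missing = sorted(set(SALT_NAMES) - new_values.keys())
    if missing:
        raise ValueError(f"wp-config.php is missing defines for: {missing}")
    return new_text, new_values


if __name__ == "__main__":
    if len(sys.argv) < 2:                      # no path given: demonstrate on the sample
        print(rotate_salts(SAMPLE_WP_CONFIG)[0])
    else:                                      # rewrite a real wp-config.php in place
        path = sys.argv[1]
        shutil.copy2(path, path + ".bak")      # keeps the old keys; delete it once the site works
        with open(path, encoding="utf-8") as fh:
            rotated, _ = rotate_salts(fh.read())
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(rotated)
```

Run it with the path to your wp-config.php after step 4 is done; the .bak copy still contains the old keys, so remove it as soon as you have confirmed you can log in again.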
#6 WordPress Security Tip
6. Restore Site from Backup
Sometimes hunting down rogue scripts, code snippets, or malicious files is so much of a hassle that it becomes easier to simply wipe the site and restore from an unaffected backup. This is where BackupBuddy comes to the rescue to make sure you are never far away from a recent backup. The backup has to predate the break-in, though: a backup taken after the compromise restores the attacker’s files right along with yours.
Don’t forget that as soon as you restore an un-hacked backup, you need to update all plugins, themes, and WordPress core before continuing. You don’t want to restore a backup only to have it hacked 15 minutes later because you left a vulnerable plugin in place.
#7 WordPress Security Tip
7. Check All File/Folder Permissions, Open Ports & Users on Site for Anything Not Set Up Correctly
Using a tool like BackupBuddy or iThemes Security will provide you with an easy method of verifying that all the file and folder permissions are set correctly on your server, along with suggestions for modifications if they are needed. The usual WordPress baseline is 755 for directories and 644 for files, with wp-config.php locked down further (640 or 600) because it holds your database password and the keys and salts; anything world-writable is a red flag.
Most WordPress sites only have a few user accounts on the site so this next suggestion is fairly easy. Remember to visit the Users section of your WordPress Admin Dashboard to make sure there aren’t any user accounts (especially Administrator accounts) that are on your site that shouldn’t be on the site. Remove any old accounts that don’t need to be used on the site anymore.
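As an added example (not the iThemes Security or BackupBuddy code), the following Python script checks a WordPress directory tree against that permissions baseline and then lists the administrator accounts straight from the database, which is the same data the Users screen shows you. The directory tree and the SQLite database are constructed for the example; a real site holds these tables in MySQL under the table prefix set in wp-config.php.

```python
"""Audit WordPress file permissions and administrator accounts.

Added example, not code from iThemes Security or BackupBuddy. It checks a
directory tree against the usual WordPress baseline (directories 755, files
644, wp-config.php no wider than 640) and lists every account holding the
administrator role by reading the usermeta table. The directory tree and
the SQLite database built below are constructed for the example; a real
site keeps these tables in MySQL.
"""
from __future__ import annotations

import os
import sqlite3
import stat
import tempfile

DIR_MODE, FILE_MODE, CONFIG_MAX_MODE = 0o755, 0o644, 0o640


def audit_permissions(root: str) -> list[tuple[str, str]]:
    """Return (path relative to root, problem) for every entry off the baseline."""
    findings: list[tuple[str, str]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue                     # a symlink's own mode bits mean nothing
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(full, root)
            if stat.S_ISDIR(st.st_mode):
                if mode != DIR_MODE:
                    findings.append((rel, f"directory mode {mode:o}, expected {DIR_MODE:o}"))
            elif name == "wp-config.php":
                if mode & ~CONFIG_MAX_MODE:  # any bit beyond rw-r----- is too open
                    findings.append((rel, f"wp-config.php mode {mode:o}, expected {CONFIG_MAX_MODE:o} or tighter"))
            elif mode != FILE_MODE:
                findings.append((rel, f"file mode {mode:o}, expected {FILE_MODE:o}"))
    return sorted(findings)


def list_administrators(conn: sqlite3.Connection, prefix: str = "wp_") -> list[str]:
    """Return every login whose capabilities meta grants the administrator role.

    WordPress stores roles as a PHP-serialized array under the meta key
    '<prefix>capabilities', e.g. a:1:{s:13:"administrator";b:1;}.
    """
    rows = conn.execute(
        f"SELECT u.user_login, m.meta_value FROM {prefix}users u "
        f"JOIN {prefix}usermeta m ON m.user_id = u.ID WHERE m.meta_key = ?",
        (prefix + "capabilities",),
    ).fetchall()
    # Only a role flagged true counts; ...;b:0; would be a revoked role.
    return sorted(login for login, caps in rows
                  if 's:13:"administrator";b:1;' in caps)


def build_sample_tree() -> str:
    """Constructed install with one world-writable directory and a loose wp-config.php."""
    root = tempfile.mkdtemp()
    layout = {                               # relative path -> mode to set
        "wp-config.php": 0o644,
        "wp-content": 0o755,
        "wp-content/plugins": 0o777,
        "wp-content/plugins/hello.php": 0o644,
        "wp-content/uploads": 0o755,
        "wp-content/uploads/photo.jpg": 0o644,
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        if "." in os.path.basename(rel):
            open(full, "w").close()
        else:
            os.mkdir(full)
        os.chmod(full, mode)
    return root


def build_sample_db() -> sqlite3.Connection:
    """Constructed wp_users/wp_usermeta: the owner, an editor and a suspicious extra admin."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES (1, 'owner',      '2014-01-02 10:00:00');
        INSERT INTO wp_users VALUES (2, 'editor',     '2014-03-09 08:30:00');
        INSERT INTO wp_users VALUES (3, 'wp-support', '2016-05-11 03:14:07');
        INSERT INTO wp_usermeta VALUES (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_usermeta VALUES (2, 2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}');
        INSERT INTO wp_usermeta VALUES (3, 3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return conn


if __name__ == "__main__":
    for path, problem in audit_permissions(build_sample_tree()):
        print(f"{path}: {problem}")
    print("administrators:", ", ".join(list_administrators(build_sample_db())))
```

On the constructed data the audit flags the 644 wp-config.php and the 777 plugins directory, and the administrator list contains both the owner and the "wp-support" account that nobody remembers creating; on a real site, point audit_permissions at the document root and run the same SELECT against MySQL with your site's table prefix.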
#8 WordPress Security Tip
8. Once Site is Back to Functioning Correctly, Change Passwords Again
After you’ve done all the above tasks, don’t forget to change the passwords for your WordPress user accounts AGAIN, in case someone was able to get into an account during the restoration and clean-up period and watch what you were fixing.
#9 WordPress Security Tip
9. Change the SALT keys again in the wp-config.php file
Now change the SALT keys again to force everyone to log out of the site for the last time. It probably is a good practice to periodically change the SALT keys in your wp-config.php file. iThemes Security has a built-in tool that will change your SALT keys with a click of a button.
#10 WordPress Security Tip
10. Make a New Backup
Now that you have a restored site with all of your fixes in place, it is now time to make a new fresh WordPress backup and take a much deserved break.
More WordPress Security Reading
- How to Protect Your Site Using Proven WordPress Security Solutions
- Best Settings for iThemes Security Pro Checklist
- Online Security Tips for WordPress Site Owners [Infographic]
- Introduction to Two Factor Authentication
What do you do when your WordPress website gets hacked? Share your experiences in the comments.
Get iThemes Security Pro Now
Secure your WordPress site now with iThemes Security Pro, the best WordPress security plugin.