Step one: Breathe. Remembering to stay calm is the most important step to take when you suspect a hack! The reality of owning a website is that you invariably open yourself up on a daily basis to the possibility of a hacker, thief, or other garden variety day-ruiner breaking in and running amok.
Here are some tips for helping you protect your site and remaining calm in the event you have to deal with a hacked WordPress site.
An Ounce of Prevention
Before jumping in, let’s go over an important note on preparedness and prevention. You have car insurance, don’t you? Your site needs the same kind of protection. We recommend regularly backing up your website files and database and storing the zip files somewhere other than your server (Dropbox, external hard drive, etc). You can set this up to run automatically using either of the following options.
First option (recommended): select a hosting provider that includes managed backups as part of your service agreement. We are partial to WP Engine.
Second option (for the diy contingency): use a plugin such as BackWPup and set up the automated backup schedule yourself. Remember to make sure the resulting zip files are stored somewhere other than your server. In the event of a website hack, any files on your server are at great risk of being compromised. This includes backup zip files. You also need to periodically check to make sure the automated process is running without issue (remember, diy = do it yourself). Add some quarterly reminders to your calendar, then rest easy knowing you have a plan in place should your website ever come under attack.
Pro tip: use the Sucuri plugin to automatically scan for malware. The notifications can be a little complex to setup at first. But the end result of having an arsenal of anti-malware tools including an automatic email in the event of brute force attack or admin password change is well worth the effort.
Hindsight is 20/20
If you are reading this, it might be too late (hope you’re remembering to breathe). Hopefully, you had some sort of backup strategy already in place. In this case, restore from your backup, change your password, and then you are ready to rock n roll!
If not, keep breathing and act as quickly as you can. First, immediately change your WordPress password and make sure no new WordPress user accounts have been created.
Use Sucuri or other similar (free) plugins to scan for the hacks. These will tell you your site’s status as well as identify where the hack is hiding. An additional quick tip is to scan for any WordPress themes or plugins that are currently inactive, most likely hackers will use these to gain backdoor access to your website. See if you can delete these as a first step toward minimizing the severity of the hack.
Next, run through this helpful checklist (source: WpBeginner.com)
- Can you login to your WordPress admin panel?
- Is your WordPress site redirecting to another website?
- Does your WordPress site contain illegitimate links?
- Is Google marking your website as insecure?
Afterward, check in with your hosting company and share what you were able to find out with them. Many have very helpful help tools to guide you through the tough waters. They may even help you get your site get up and running again (sans infected files).
If they can’t (or won’t) help you, then consider reaching out to your ‘web person.’ There’s no guarantee they’ll be able to restore the site, especially if you don’t have backups on hand. However, if you nor your hosting company can fix the hack, the next step is to call in the big guns.
Pro Tip: delete any themes or plugins not in use. Update plugins and themes as soon as an update is available (after backing up the site first). Failure to keep your plugin roster in proper check leads to the backdoor access points referenced above.
Pro Tip: when shopping for a hosting plan, do some research and don’t automatically go for the lowest priced option. It’s way better to find out a company won’t help you in the event your site is hacked upfront than in that horrible moment you realize your site has been compromised. In keeping with the theme of this post, an ounce of prevention is worth a pound of care.