Website Hacked: a reader asks…
I have a WordPress-powered website; it’s a simple blog without a lot of fancy plugins. I don’t use it much anymore, but recently noticed that I can’t log into the control panel anymore. I think I might have been hacked, although the site looks ok and I don’t see anything strange-looking on the pages. What should I do?
One of the most important things you can do with your WordPress website (other than posting articles) is to keep it up-to-date. Just a few weeks ago, a major vulnerability in WordPress was disclosed, and any site that hadn’t applied the fix was easy to hack. To their credit, the WordPress developers issued an update quickly, but many people who run WordPress-powered websites don’t update them, either automatically or manually. Consequently, once details of the vulnerability were shared within the hacker community, millions of websites got hacked.
Later I’ll go over the relatively simple tasks you need to do to keep your WordPress website safe, but for now let’s look at what you can do to fix the problem. First, you can contact your web hosting provider and request their help. Most hosting providers give you their own control panel where you can do things like access the website files directly (using FTP, or preferably SFTP, which doesn’t send your password across the Internet in the clear), and even kick off a WordPress update. Each provider does things a little differently, so you need to explore their support options.
The second thing you should do is change the password for your web hosting account. Be sure to make it something that’s not easily guessable. I suggest 20 or more unrelated characters. You can create a mnemonic to make it easier to remember, or better yet use a password manager (like my favorite, LastPass). Since you can no longer log into WordPress itself, also reset the WordPress administrator password (your hosting provider can do this for you, or use the “Lost your password?” link if you still control the e-mail address on the account), and once you’re back in, check the Users list for any account you didn’t create.
The third thing you can do is contract with a 3rd party to clean your website. I like Sucuri.net, but they’re not cheap: they charge $199/year to both clean and protect your website. You can also contract with your favorite tech support folks (like PosiTek.net!). For example, I maintain a developer account with Sucuri.net and can add websites for much less than the cost of a standalone account.
You’ll have to give Sucuri FTP credentials so they can go in and inspect your website files, quarantine infected files and replace them with clean versions. Create a separate account for them rather than handing over your own, and change or delete it once the cleanup is done. Sucuri’s service includes a real-time scanner that helps protect your site from future hacks. You can even display a logo on your site showing that it’s protected (see the Sucuri logo at the bottom of our website).
You can try to do this yourself, but I’ll warn you, it’s not for someone who isn’t very familiar with how WordPress works, how your hosting provider works, and how to conduct a cleaning operation: every core, plugin and theme file has to be compared against a known-good copy, anything that doesn’t match replaced, and anything that shouldn’t be there at all removed.
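To show what “comparing files against a known-good copy” actually involves, here is an added example that is not part of the original post or of Sucuri’s tooling. WordPress publishes MD5 checksums for every core file of each release, and WP-CLI’s `wp core verify-checksums` compares an install against them; the script below implements the same comparison offline against a small constructed manifest and sample install (the file names, contents and the “wp-tmp.php” drop-in are all made up for the demonstration), reporting modified core files, missing core files, and files sitting in wp-admin or wp-includes that the manifest doesn’t know about.

```python
"""Offline integrity check of a WordPress install against a checksum manifest.

Added example, not code from the original post. The manifest format
({relative_path: md5}) mirrors what wordpress.org publishes per release;
the sample site built here is constructed so the script runs without
network access.
"""
import hashlib
import os
import tempfile

# WordPress core places no user content in these directories, so any file
# here that the manifest doesn't list is suspect (a common backdoor location).
CORE_ONLY_DIRS = ("wp-admin", "wp-includes")


def md5_of(path):
    """MD5 of a file, read in chunks so large files don't load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_install(root, manifest):
    """Compare the tree under `root` with `manifest` ({rel_path: md5}).

    Returns {"modified": [...], "missing": [...], "unexpected": [...]},
    each list sorted by relative path.
    """
    modified, missing, unexpected = [], [], []
    for rel, expected in sorted(manifest.items()):
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            missing.append(rel)
        elif md5_of(path) != expected:
            modified.append(rel)
    for core_dir in CORE_ONLY_DIRS:
        for dirpath, _, filenames in os.walk(os.path.join(root, core_dir)):
            for name in filenames:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                rel = rel.replace(os.sep, "/")
                if rel not in manifest:
                    unexpected.append(rel)
    return {"modified": modified, "missing": missing,
            "unexpected": sorted(unexpected)}


def build_sample_site():
    """Constructed sample install: one tampered core file, one missing core
    file and one dropped-in PHP file. Returns (root_dir, manifest)."""
    root = tempfile.mkdtemp(prefix="wp-check-")
    clean = {  # hypothetical "known-good" contents, not real WordPress files
        "index.php": b"<?php require './wp-blog-header.php';\n",
        "wp-includes/version.php": b"<?php $wp_version = '0.0-sample';\n",
        "wp-includes/pluggable.php": b"<?php // pluggable functions\n",
        "wp-admin/admin.php": b"<?php // admin bootstrap\n",
    }
    manifest = {rel: hashlib.md5(data).hexdigest() for rel, data in clean.items()}
    for rel, data in clean.items():
        if rel == "wp-admin/admin.php":
            continue  # simulate a core file that has been deleted
        if rel == "wp-includes/pluggable.php":
            data += b"eval($_POST['c']);\n"  # simulate injected code
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    # A file that is not part of core at all, dropped into wp-includes.
    with open(os.path.join(root, "wp-includes", "wp-tmp.php"), "wb") as f:
        f.write(b"<?php // not a WordPress file\n")
    return root, manifest


if __name__ == "__main__":
    site_root, site_manifest = build_sample_site()
    for kind, files in verify_install(site_root, site_manifest).items():
        print(f"{kind}: {files}")
```

On a real install you would fetch the manifest for the exact version in wp-includes/version.php and run the comparison over the whole tree; plugins and themes need the same treatment against their own known-good copies, and wp-content/uploads deserves a separate look for PHP files, since nothing executable belongs there.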
If your website isn’t a money-maker, you may be tempted to forgo spending time and money on it, but as you’ve discovered, the threats to websites are real and they are increasing. So it makes sense to do what you can. Once you’ve enjoyed (sic) the pain of having to clean up a hacked website, you can take some low or no-cost steps to prevent future hacks. Here’s what I recommend:
First, perform routine maintenance to keep your site up-to-date. I suggest that at least weekly, you log into your WordPress control panel and check for updates – both to WordPress itself, and to any installed plugins and themes you have. Take a backup before you start, so a bad update can be rolled back. Rather than try to update everything at once, I suggest doing it in stages:
- Update any themes you have installed (in addition, uninstall any themes you’re not using)
- Update any plugins you have installed (in addition, uninstall any plugins you don’t need)
- Update WordPress
Second, you want to make sure your site is well-secured from hackers and also backed up. I suggest you add two plugins:
- iThemes Security: there is a free version at https://wordpress.org/plugins/better-wp-security/, but I recommend the Pro version (get it at https://ithemes.com/security/ for $80/year).
- BackupBuddy: Also from iThemes.com and also $80/year, get it at https://ithemes.com/purchase/backupbuddy/. If you’re determined to not spend any money, you can use one of these free plugins: https://wordpress.org/plugins/backup/ or https://wordpress.org/plugins/blogvault-real-time-backup/
Once you have secured your website with the plugin, and have scheduled routine backups of your website, the only remaining things to do are a) download backups to your computer on a regular basis (as part of your maintenance tasks), because a backup that lives only on the hacked server can be tampered with or lost along with it, and b) make sure you know how to restore a website from a backup. BackupBuddy has extensive documentation at https://ithemes.com/codex/page/BackupBuddy and you should familiarize yourself with the procedure to save yourself time in the event of a disaster.
Lastly, you may want to consider your choice of a webhosting provider. Most of the low-cost providers give you shared storage space and their tech support is pretty abysmal. Of the low-cost providers, I’ve found Bluehost.com to be in the top-tier, especially for support. But even if your site isn’t a money-maker, small businesses and non-profits may be well-served by going with a better class of webhosting providers. One of my favorites is wpengine.com. They’re not cheap, but you’ll get a significantly better level of service and support, well worth the money imo.