This blog post is actually from my wicked-awesome WordPress for Small Business Owners course. If you dig it, you should sign up for the whole thing. It’s totally free!
If your website is already hacked…
You’re welcome to follow this guide and go through the steps to secure your website, but even for professionals, good hack cleanup is tough. It’s scary easy for a hack to leave a file behind and repopulate itself, even if you think you fixed everything. So if you know your WordPress site is already hacked, hit me up for a WordPress tune-up, with hack fix included.
I once watched every site on a server get hacked
The server had become a slave to the hack, sending out spam email without anyone even noticing. Before long, it had been blacklisted across the web. Every contact form on every site on that server was now useless. My coworkers and I began a hasty, panicky cleanup operation, with a promise we’d never let anything like it happen again.
What’s a WordPress hack look like?
Sometimes it looks like a hack. Other times, you won’t notice anything. So it’s best to be proactive. You can have the world’s most on-message marketing, eye-catching design and revolutionary functionality, but that doesn’t matter if your website is hacked. So let’s get WordPress updated!
Step 0: Take a Backup
You should have some kind of on-demand backup solution configured. Go ahead and take a backup. If things go south, we want to have somewhere we can quickly restore from.
Step 1: Update Everything
You ever see this update notice before? I bet. It’s bad. Time to get rid of it! Click over to the updates page and update everything you possibly can.
Many WordPress updates are released because of newly found security flaws. These security flaws give hackers a place to hijack your website, send spam right under your nose, and do any number of other unsavory things. So best to apply our updates.
People are often afraid to apply updates because they think their website will break. If I’m being 100% honest, this isn’t out of the question. However, WordPress is a platform built with do-it-yourselfers and non-tech folk in mind. Most updates to both plugins and WordPress core are specifically designed to be backwards-compatible.
Step 2: Check Your Work
Go ahead and bring up your website. Click around and make sure everything is still intact. If you know of specific functionality you need to be working, definitely check that. Things should look almost identical to before.
If you notice some things broken, it’s time to restore your backup.
Whether you restored or not, feel free to move on to step 3. It’ll be helpful in determining where things went wrong, if they did, and we’ll still get you updated before this is all said and done.
Step 3: Install WordFence Security
Now that we’re fairly certain we’re secure against new attacks, we’ll do some basic poking around to make sure your site wasn’t already compromised.
Go ahead and install the WordFence Security plugin just like you would any other plugin (Plugins → Add New).
Step 4: Configure WordFence
You should now have a notice at the top of your screen about configuring the firewall. If not, navigate to WordFence → Firewall. Click “Continue”, click the button to download a copy of your .htaccess file, and then “Continue” again.
WordFence should now be in “Learning” mode. It’s getting an idea of what regular traffic on your website looks like. In a week, it’ll kick into “Enabled” mode and start proactively blocking any malicious traffic.
Now navigate to WordFence → Options. At the bottom of this first section, there should be a box where you can add your email address to receive notifications about malicious activity, unusual login attempts, etc. Go ahead and add your email.
Now scroll down to the section marked “Scan Options”. There should be two unchecked boxes in this section sticking out like a sore thumb – “Scan theme files against repository versions for changes” and “Scan plugin files against repository versions for changes”. Go ahead and check both these buttons to let WordFence check your copies of plugins and themes against the originals, in case anyone has made changes.
Then click “Save Options”.
If you ever feel like you’re getting too many alerts, come back and scroll through this page to disable ones you don’t want.
Step 5: Run Your First Scan
This next part couldn’t be easier. Navigate to WordFence → Scan, and click the big button to start a scan!
When it’s all done, it’ll let you know of any problems found. Scroll down to find details about new issues.
On this site, you can see I ran the scan before updating all my plugins, so I have a warning about updating. Your warnings may vary, but WordFence will have suggestions for how to address them. Some may indicate your site was already hacked, in which case you can attempt cleanup yourself, or hire a professional.
What if Updates Broke My WordPress Site?
Altered Theme and Plugin Files
If you had to restore your site from a backup because updates broke your site, it’s possible WordFence will display issues about altered files in a plugin, theme, or maybe even WordPress core. Don’t worry, these probably aren’t a hack! It’s more likely that you, your developer, or someone else altered those files to get the functionality desired. That’s a big no-no, and it’s why your site broke.
If you run into this, the proper fix is probably beyond your pay grade. Reach out to a professional developer for WordPress customization assistance.
Other Errors from WordPress Updates
For everything else, it’s time to start debugging. If you want, you can certainly start this process yourself. First update WordPress by itself, and then see if the problem you encountered earlier reappears. Then update your theme and check again. Finally, start updating plugins one by one and checking after each to see which one is causing the issue.
Depending on the problem you encounter, it may be time to hire a WordPress developer. I strongly advise against simply not updating.
How’d it go?
WordPress security basics? Check WordFence will continue to scan your website for updates and protect you against potential attacks. Keep those plugins updated, too. I try to do this monthly. Couldn’t be easier, right?