It’s often said that prevention is better than the cure. That being said, what do you do if the worst happens and your WordPress site gets hacked?
Unfortunately, this is an issue that’s becoming more prevalent, according to Securi Security’s data through the first quarter of 2018.
First, let’s look at the prevention steps. A WordPress site routinely handles thousands of malicious attempts to break into the admin backend. That’s why it’s very important to not use easy-to-guess passwords. It’s also recommended to use a different password on your site than you use on other sites.
If you use the same username and password on every website and one of those sites gets exploited, a hacker potentially has access to anything he can find out about you. Assuming that you stick with WordPress’s machine-generated passwords, you should also install a good firewall and log-checking plugin. One of our favorites is Wordfence. If the site receives too many attempts to login from one IP address, Wordfence will actively block that IP in a firewall from further attempts.
The next best thing you can do is consistently back up your site. These should be occurring automatically and retained, containing your database and your file system. WordPress plugins are routinely updated by their authors, so even if your site hasn’t had its contents updated, running plugin updates can change multiple files over a few days.
In the event of an issue, you can restore your WordPress to a known, working copy — but only if you have one. It’s very important when you’re looking at a hosting provider to know what its backup-retention policy is, if it even has one.
At Thinker, we perform daily backups for a week and then store a complete backup every month. It’s possible to restore a backup from any of those. Once we determine when the site was infected, we can restore the appropriate backup. These backups need to be stored in a separate, secured machine. This is important so an exploit can’t erase or corrupt the backups.
Cleaning a WordPress site is a lot easier if you know what happened. Keeping logs of the intrusion is critical for an expert to return your site to what it should be. Knowing what your host does with your server logs is vitally important should you find yourself in a position of needing to go through them.
Some VPS servers will set as little as one day of logs in their default settings; some don’t keep any. Logs can generate huge amounts of data very quickly, and having the ability to search through those logs is indispensable.
Again, Wordfence is a useful plugin to help cleanup. It has the ability to scan your site for malware and repair or remove any infected files. However, this is only useful once you’ve worked out how the exploit happened.
Once you have plugged the hole, cleanup can begin. All plugins should also be updated. Wordfence will also alert you to any abandoned plugins, which may need to be replaced or disabled. Once repaired, scan your site again to check that those exploits haven’t been replaced by other malicious code in your site.
If a Wordfence scan keeps producing the same malware, if you don’t have good backups you can restore, or you can’t work out from your logs how the intrusion occurred, it’s time to call in the experts. At Thinker, we have a good track record of cleaning infected sites.