Your WordPress website was hacked? Don’t fear, recovery is possible.
Usually a client contacts me in a state of panic because something horrible has happened, like this…
Yup, it’s likely his/her website has been hacked.
As I begin an investigation, one of the first things I do is to check what Google knows. When I see this message in the Google search results page, my heart shrivels with anxiety:
Can there be any digital marketing punishment worse than having every Google Search Engine Result Page (SERP) link to your website show an ugly “This site may harm your computer”?
How can it be fixed? Let me tell you a recent tale of woe…
Usually a client has only one infected website. This particular one had 4, all on the same host, which began to trigger web browser “malware” warnings, and the Google SERP was showing “This site may harm your computer” within every organic link.
*sigh* There are words, but I choose not to use them in polite company.
It took a lot of time: backing up 12 GB of files & databases, cleaning up 12,000+ mysterious files, changing all passwords for hosting/WordPress/MySQL/FTP/etc., changing WP salts, updating all themes/plugins, deleting unnecessary themes/plugins, deleting unnecessary user accounts, and switching to a better security hardening plugin (with nearly every possible setting enabled). Then I tried new site scans looking for anything I missed. When confident, I submitted each website to be reviewed by Google using the Google Search Console. Instructions said it might take up to 72 hours for review. Fortunately each was reviewed and approved in less than 24 hours. Whew!
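A post-cleanup check in the spirit of the scans mentioned above, as an added example that is not the author's own tooling: it flags PHP files under wp-content/uploads, world-writable paths, and salts still set to the wp-config-sample.php placeholder text. It assumes a standard WordPress layout and that the uploads directory should hold only media; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit a cleaned WordPress tree before asking Google for a review.
# Assumptions: wp-config.php sits in the site root, media lives in wp-content/uploads.

# PHP files under uploads: that directory normally holds media, not code.
php_in_uploads() {
    [ -d "$1/wp-content/uploads" ] || return 0
    find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' \) | sort
}

# Files or directories that any local user can write to.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 | sort
}

# Count of salt/key lines still carrying the wp-config-sample.php placeholder.
default_salts() {
    if [ -f "$1/wp-config.php" ]; then
        grep -c 'put your unique phrase here' "$1/wp-config.php" || true
    else
        echo 0
    fi
}

# Print every finding; return 0 only when the tree passes all three checks.
audit_wp() {
    root=$1
    rc=0
    php=$(php_in_uploads "$root")
    ww=$(world_writable "$root")
    salts=$(default_salts "$root")
    if [ -n "$php" ]; then printf 'PHP files under uploads:\n%s\n' "$php"; rc=1; fi
    if [ -n "$ww" ]; then printf 'World-writable paths:\n%s\n' "$ww"; rc=1; fi
    if [ "$salts" -gt 0 ]; then
        printf 'wp-config.php: %s placeholder salt line(s)\n' "$salts"
        rc=1
    fi
    return "$rc"
}

# Usage: sh audit.sh /path/to/site
if [ "$#" -gt 0 ]; then audit_wp "$1"; fi
```

A clean result only means these three checks passed; it does not replace a full malware scan.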
Why did this happen? What can I do?
There are numerous hows and whys behind a website getting hacked. This video by Google is a good reference.
I have no idea how many people have noodled around in that client’s server and WordPress accounts over the years, so I’m not surprised that there could’ve been exploitable opportunities. Website security is not compatible with a “set-it-and-forget-it” mentality.
Did you ever read Zen and the Art of Motorcycle Maintenance? It contains various lessons on how being proactive at fixing leaks or motorcycles can prevent bigger hassles down the road. Basically, a bit of preventative maintenance helps you enjoy more time on the road, rather than being stuck on the side of the road.
I take a lot of extra steps to protect my servers and client websites. Nothing is perfect, but I do my best so we don’t make it easy for something horrible to go wrong. I’m fortunate to report our hosting has never been compromised due to our lack of vigilance. But clients with their own hosting and lack of experience can unwittingly make things insecure.
For Pete’s sake, will you use a strong password already!
The worst ongoing offense I witness is regarding passwords. You are asking for trouble by:
Having short, simple passwords.
Using the same password everywhere (because it’s easier).
Emailing your login credentials to various people. (Please, at least break it up into 2 separate messages. Perhaps use SMS.)
There are some very useful free and low-fee security plugins for WordPress that can block many exploit methods (e.g., code injections, readable folders, writable files, login page attacks, various types of probing). Check them out, read the reviews, install one and follow the instructions to lock down your website. Be mindful that installing several might be counter-productive, since they can conflict with one another.
What’s secure today may no longer be secure tomorrow. As web browsers get updated with new features, vulnerabilities may be exposed in older web technologies. So…
Roland Reinhart is a Digital Marketing Consultant in NJ specializing in digital marketing for your business/organization. Contact Roland about Website Design, Search Engine Optimization, PPC Advertising, Email Marketing, Video and more. Call (908) 344-5688.