Over the last few years, at Outsourcify we have helped quite a few people recover their hacked WordPress website after hackers left it wrecked with malware and redirects.
Sometimes it’s a straightforward procedure: a few files to delete, and the admin user password, which has usually been changed, needs to be reset. In other cases there’s more to it than was initially thought. A severe hack might have taken over the login page with a modified .htaccess file or some other PHP redirections to cover it up. In some cases, regardless of how frequently you delete the malware files, they are mysteriously reinstalled within seconds.
Why do WordPress websites get hacked?
It’s pretty much the same reason why computers running Windows get more viruses than Mac or Linux. Hackers tend to focus on writing viruses for and attacking the most used systems: it’s easier to target a Windows computer than to try to find the one Mac user out of every 100 Windows users. It’s no different with WordPress: almost 30% of the web runs on it, so it gets targeted more than Joomla or Drupal, which barely have a few percent each.
As a hacker whose objective is to divert search engine traffic to pharmaceutical or porn websites, or to send huge amounts of spam emails, you are better off spending your time analysing WordPress in every detail for a security breach than any other CMS.
It has nothing to do with WordPress itself or PHP, but since not all WordPress website owners make the security effort needed and leave themselves open to attacks, WordPress stays an easy target. Usually a hacked website has a lot to do with the fact that it was left unmaintained for too long.
How do you become a target?
Usually the main reason websites get hacked is obsolete software. WordPress is a software application that needs to be updated whenever a new version is available, as in many cases the upgrades are security upgrades. All plugins should also be updated frequently, as well as themes when third-party themes are used. It is also recommended to keep the server on which the website is hosted as up to date as possible, including its software: Apache or Nginx, PHP and MySQL in the case of a WordPress website.
Precisely because they are used so broadly and targeted so often, WordPress and PHP are also improved very often. Any security breach is quickly found, analysed and fixed through a security upgrade.
As a website owner, it’s important not to disregard these updates. If you would prefer not to do it yourself, it’s advised to have a web developer oversee them for you, most likely in the context of a monthly or yearly maintenance contract.
Proactive solutions are always the best: website maintenance is like car insurance, you should get it before you have an accident.
A couple of other things that you can do to help secure your WordPress website:
- Always use strong passwords (we recommend using the Password Generator tool in the profile page)
- Use a security plugin to limit login attempts and hide the admin and login pages
- Add some form of Captcha to login and contact forms
The iThemes Security plugin can help to manage most of the security needs of WordPress.
In the event that you would prefer not to set it up yourself, simply let us know and I’ll complete it for you!
Clean up a hacked WordPress website
It’s simply impractical to explain in one article how to clear the malware and its effects from a hacked WordPress website, as there are numerous ways to install malware or spam bots on a website. What I recommend is using services like Sucuri or the iThemes Security plugin to scan your website for malware as well as to add extra security.
Here are a couple of places where you could begin to clean:
- « uploads » folder
But the best solution in most cases is to make sure you have daily backups and simply overwrite the whole website with the latest backup: it’s the only safe way to make sure nothing’s left after a hack.
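As an added example (not Outsourcify’s code, and not a substitute for a scanner like Sucuri), here is a small POSIX shell triage helper for the two places mentioned above: it lists PHP-like files hiding in the « uploads » folder, lists files changed in the last few days, shows the site’s .htaccess so redirect rules can be checked, and writes an Apache 2.4 rule that blocks PHP execution under uploads. It assumes a standard WordPress layout under the directory passed as its argument; the sample site it builds is constructed for demonstration.

```shell
#!/bin/sh
# Added triage helper, not the article's or WordPress's own code. Assumes a
# standard WordPress layout under $1; the sample site below is constructed.

# Uploads should only hold media, so any PHP-like file there is suspect.
find_php_in_uploads() {
  find "$1/wp-content/uploads" -type f \
    \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) 2>/dev/null
}

# Files modified in the last $2 days, ignoring the cache directory.
recent_changes() {
  find "$1" -type f -mtime "-$2" ! -path '*/wp-content/cache/*' 2>/dev/null
}

# Apache 2.4 rule so that a file slipping into uploads cannot be executed.
harden_uploads() {
  cat > "$1/wp-content/uploads/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
}

# Constructed sample site so the helper can be tried stand-alone.
make_sample_site() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads/2023/05" "$d/wp-includes"
  printf 'GIF89a' > "$d/wp-content/uploads/2023/05/photo.gif"
  printf '<?php // constructed sample, not real malware\n' \
    > "$d/wp-content/uploads/2023/05/image.php"
  printf '<?php // untouched core file\n' > "$d/wp-includes/version.php"
  touch -t 202301010000 "$d/wp-includes/version.php"   # old mtime
  echo "$d"
}

report() {
  echo "== PHP files under uploads (should be none) =="; find_php_in_uploads "$1"
  echo "== Files changed in the last 7 days =="; recent_changes "$1" 7
  echo "== .htaccess at site root (look for redirect rules) =="
  if [ -f "$1/.htaccess" ]; then cat "$1/.htaccess"; fi
}

if [ "$#" -gt 0 ]; then report "$1"; fi
```

Run it as `sh triage.sh /path/to/wordpress`, or on the constructed site with `sh triage.sh "$(make_sample_site)"` after sourcing the file; anything it lists under uploads should be compared against the latest backup before deletion.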