First things first, no content management system (CMS) is immune to compromise. WordPress, with its unparalleled popularity and a dominant global market share of about 60%, is one of the most targeted platforms across the board. Whereas the WordPress core itself is relatively well hardened thanks to regular security patches, third-party code such as plugins and themes often turns out to be low-hanging fruit.
A website hack typically entails long-term adverse consequences and can be extremely tedious to recover from. In addition to sanitizing the code, webmasters may have to plunge headlong into rebuilding the reputation of their projects from scratch.
With that said, it’s best to err on the side of caution and follow safe practices to avoid the worst-case scenario. Using strong passwords, limiting user privileges, maintaining site backups, scrutinizing third-party code before installing it, and keeping the WordPress engine up to date should do the trick. But what if a hack has already taken place? Let’s go over the red flags and the ways to remediate the damage.
WordPress hacked: the symptoms to watch out for
The CMS and its components are prone to garden-variety technical glitches over time, so you should learn to distinguish those from a compromise. The following anomalies should give you a heads-up in this regard:
- You are having issues logging in.
- Your site’s content has been modified without your awareness.
- Web browsers are displaying security warnings when you and other users try to visit the site.
- Search engines have blacklisted your site. In this case, users will be alerted to potential danger once they click on the site’s entry in search results.
- Anti-malware applications are flagging your site as unsafe.
- The site is redirecting to another resource.
- Your WordPress security plugin keeps notifying you of a possible breach.
- Your hosting provider has sent you an email about suspicious activity on your website. Even worse, it may suspend your account altogether.
If you have noticed any of the above oddities, you need to take immediate action. This brings us to the checklist of what should be done to recover from a hack.
How to handle the aftermath of a WordPress hack?
Before you proceed, here’s a pro tip: stay calm. Sober thinking is half the battle because you’ll need to make important decisions to succeed. So, put panic aside and get down to remedying your hacked WordPress website.
Step 1: Reset your passwords
Since it’s nearly impossible to figure out which password the attacker has used to infiltrate your site, be sure to reset all of them. In addition to changing the password for your WordPress dashboard, you should reset access credentials for the database, the Secure File Transfer Protocol (SFTP) setup, and your account with the hosting provider. Ascertain that the other admin users change their passwords as well.
Step 2: Turn on maintenance mode
Make sure your visitors don’t suspect a hack, as that is bad for your reputation. A good way to cloak what’s going on is to make it look like the site is undergoing regular maintenance. This mode can be turned on via the admin panel, with the caveat that the compromise may have locked you out of it. If you can’t enable it straight away, do so as soon as you have reset your password and signed in.
Step 3: Run a malware scan
Many WordPress breaches involve backdoors that allow malefactors to circumvent authentication and stealthily do their dirty job. This way, crooks can maintain surreptitious access for weeks or even months without your awareness. Also, the so-called “pharma hacks” rely on exploits to inject harmful code into WordPress installations that haven’t been updated for a while.
You can pinpoint such loopholes by scanning your site for known vulnerabilities and obfuscated malware. Do your homework and find an effective WP security plugin to dot the i’s and cross the t’s in this context. As soon as the tool has identified sketchy code, use its automatic cleanup feature to purge it. Many plugins will additionally advise on eliminating weak links in the configuration of your website that may have allowed the hack to occur in the first place.
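To illustrate the kind of heuristics a malware scan applies, here is an added example (not code from the article or from any particular security plugin) that walks a WordPress directory tree and flags PHP files containing common obfuscation markers, plus any PHP file planted under wp-content/uploads. The indicator names, the sample site it builds in a temporary directory, and the planted payloads are all constructed for the demonstration.

```python
import os
import re
import tempfile

# Heuristics typical of obfuscated PHP backdoors; hits are leads to review by hand, not proof.
SUSPICIOUS_PATTERNS = {
    "eval-of-decoded-payload": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "dynamic-function-call": re.compile(
        r"(?:create_function|assert)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)", re.I),
    "long-base64-literal": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}

def scan_file(path):
    """Return the list of indicator names matched in one file (empty if clean)."""
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            text = fh.read()
    except OSError:
        return []
    hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]
    # WordPress never writes executable code to uploads, so a PHP file there is a red flag by itself.
    norm = path.replace(os.sep, "/")
    if "/wp-content/uploads/" in norm and norm.endswith(".php"):
        hits.append("php-in-uploads")
    return hits

def scan_tree(root):
    """Map each suspicious file (relative to root, with / separators) to its indicators."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith((".php", ".phtml", ".inc")):
                path = os.path.join(dirpath, name)
                hits = scan_file(path)
                if hits:
                    findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings

def demo():
    """Build a constructed mini site (one clean file, two planted backdoors) and scan it."""
    files = {
        "wp-content/plugins/hello/hello.php": "<?php\nfunction hello() { return 'clean'; }\n",
        "wp-content/uploads/2024/image.php": "<?php eval(base64_decode($_POST['x'])); ?>",
        "wp-content/themes/sample-theme/functions.php":
            "<?php\n$p = '" + "A" * 240 + "';\neval(gzinflate(base64_decode($p)));\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in files.items():
            full = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_tree(tmp)

if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, "->", ", ".join(hits))
```

Point scan_tree at a real document root to review its findings; remember that heuristics of this kind also match some legitimate minified or packaged code, so every hit still needs a human look.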
Step 4: Update third-party site components
Once you have regained access and removed malicious code, head to the “Updates” section in your admin dashboard and apply all pending updates for your plugins and themes. This is a critical measure because your further efforts may be futile unless you patch the vulnerability in a third-party component that continues to expose your site to easy compromise.
Step 5: Remove dubious plugins and themes
In case you are in doubt about the security of a specific plugin or theme, you would be better off uninstalling it. This is particularly relevant for free items you downloaded from outside the official WordPress directories.
Step 6: Audit the list of users and their privileges
Scrutinize the list of admin accounts that have permission to access different areas of your WordPress site. If you spot users that don’t belong there, remove them without a second thought. A good long-term tactic in this regard is to follow the principle of least privilege: when adding new users, assign roles that don’t go beyond the scope of their intended activities on your website. Making everyone an administrator or an editor is a slippery slope.
Step 7: Tidy up your sitemap
If an attacker gives your sitemap.xml file a dodgy overhaul, search engines will probably notice the abnormality, and this is the primary reason for blacklisting on search providers’ end. If you have run into such a predicament, you need to inspect the sitemap and rectify everything that’s out of place. A reliable SEO plugin should do the trick in a hassle-free way.
Your next move is to let search services know that you’re in the clear. Go to the Google Search Console and resubmit the sitemap. When the web search giant re-crawls your site and sees that it’s safe to visit, the blacklisting issue should be fixed.
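As an added example of the sitemap inspection described above (not code from the article), the script below parses a sitemap and flags entries that point to a foreign host, use plain http, contain spam terms typical of a pharma hack, or are not among the URLs your site actually publishes. The sample sitemap, the example.com host, the spam term list, and the allowlist of known URLs are all constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SITEMAP_NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"

# Constructed sitemap: three legitimate entries followed by two injected ones.
SAMPLE_SITEMAP = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/</loc></url>
  <url><loc>https://example.com/about/</loc></url>
  <url><loc>https://example.com/blog/hello-world/</loc></url>
  <url><loc>https://example.com/cheap-viagra-online/</loc></url>
  <url><loc>http://spam.example.net/casino-bonus/</loc></url>
</urlset>
"""

# Constructed allowlist: the URLs the CMS genuinely publishes (e.g. exported from the admin panel).
KNOWN_URLS = {
    "https://example.com/",
    "https://example.com/about/",
    "https://example.com/blog/hello-world/",
}

# Constructed list of terms that commonly show up in injected spam pages.
SPAM_TERMS = ("viagra", "cialis", "casino", "payday", "replica")

def audit_sitemap(xml_text, site_host, known_urls):
    """Return {url: [reasons]} for every <loc> entry that looks injected."""
    root = ET.fromstring(xml_text)
    findings = {}
    for loc in root.iter(SITEMAP_NS + "loc"):
        url = (loc.text or "").strip()
        parsed = urlparse(url)
        reasons = []
        if parsed.hostname != site_host:
            reasons.append("foreign host")
        if parsed.scheme != "https":
            reasons.append("not https")
        if any(term in url.lower() for term in SPAM_TERMS):
            reasons.append("spam keyword")
        if url not in known_urls:
            reasons.append("not a published URL")
        if reasons:
            findings[url] = reasons
    return findings

if __name__ == "__main__":
    for url, why in audit_sitemap(SAMPLE_SITEMAP, "example.com", KNOWN_URLS).items():
        print(url, "->", "; ".join(why))
```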
Step 8: Restore from a backup, if any
If you have been vigilant enough to back up your WordPress website regularly, then recovering from a hack is going to be trivial. The mantra about the importance of this approach has solid reasoning behind it. Restoring from a point before the compromise is so much easier than assessing a huge amount of code and cleaning out the database, sitemap, and third-party components manually.
They say prevention is the best cure. If you find this phrase vanilla, the right time to change your mind is now. If your WordPress site is hacked, things can get out of hand and the recovery is always a bumpy road. You can steer clear of the quandary by adhering to a few recommendations.
Here’s a summary of them:
- Keep your WordPress installation up to date.
- Use plugins and themes from reputable vendors only.
- Remove third-party components you aren’t using.
- Install a WordPress security plugin.
- Use strong passwords throughout your personal WordPress ecosystem.
- Maintain backups.
- Use a trusted hosting provider.
WordPress is an awesome CMS, but it’s not flawless in terms of security. Therefore, you should safeguard your website proactively and have a plan B that will help you get back on track after a compromise.
David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs Privacy-PC.com and MacSecurity.net projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.