Recently I had my first experience fixing a client’s hacked website. We were able to get it back, so it’s all good now – but what a headache when it happens to you!
So I thought I’d share what I’ve learned from the experience, so that hopefully you don’t have to deal with it.
How to prevent a hacked website
- The first rule of computing: backup, backup, backup. There are lots of ways to back up your site. Two of the most common are using a plugin such as UpdraftPlus or BackupBuddy, or setting up an automatic backup through your web host. Whichever you use, keep the backups somewhere other than the web server itself (a remote location such as cloud storage), so that an attacker who gets into the site can't delete the backups as well, and try restoring one once so you know it actually works before you need it.
- Remove all unused plugins. Hackers scan sites looking for plugins with known vulnerabilities or back doors, and a plugin that is merely deactivated is still on disk with its files still reachable over the web, so deactivating it is not enough: delete it. When they find a vulnerable one, they’re in causing havoc faster than you can blink.
- NEVER have a user called ‘admin’. ‘admin’ was the pre-filled username when installing a new WordPress site, and it is the first name any password-guessing attack tries, so keeping it hands the attacker half of the login. Pick a different name when you install the site. The WordPress dashboard does not let you rename a user later on, but you can create a new administrator account with a different name, then delete ‘admin’ and let WordPress reassign its posts to the new account. Don’t rely on the name being a secret, though: WordPress exposes author usernames in places such as author archive URLs, so every account still needs a strong, unique password.
- Install a security plugin. I’ve tried Sucuri and WordFence. Sucuri comes highly recommended as the best security plugin, not just for WordPress, but for many other platforms as well. WordFence is good too, and I find it’s easier to use.
- Keep your plugins, themes, and core WordPress installation up to date. Most updates close security holes that have already been published, which is exactly what the attackers’ scanners look for. Whenever you log in to the backend of your site, take a moment to click on the Updates icon in the top bar. This will show you everything that needs to be updated. It only takes a minute or two to install new versions of everything, and it could save you a huge headache later on.
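The checklist above as a script you can run on the server with WP-CLI. This is an added example, not code from the original post or from any of the plugins it mentions; it assumes WP-CLI’s `wp` command is installed and that you run the script from the WordPress root directory. The function names, the backup directory and the `siteowner` login are illustrative choices, not anything WordPress prescribes.

```shell
#!/bin/sh
# WordPress hardening checklist as a WP-CLI script.
# Added example, not code from the original post. Assumes `wp` (WP-CLI) is
# installed and that this runs from the WordPress root directory.
set -eu

# 1. Backup first, into a directory OUTSIDE the web root (the argument), so an
#    intruder who gets into the site cannot delete the backups as well.
backup_site() {
  dest=$1
  stamp=$(date +%Y%m%d-%H%M%S)
  mkdir -p "$dest"
  wp db export "$dest/db-$stamp.sql"
  tar -czf "$dest/wp-content-$stamp.tar.gz" wp-content
  cp wp-config.php "$dest/wp-config-$stamp.php"
  echo "$dest"
}

# 2. A deactivated plugin is still on disk and its files are still reachable
#    over the web, so delete every inactive plugin instead of leaving it there.
inactive_plugins() {
  wp plugin list --status=inactive --field=name
}

delete_inactive_plugins() {
  for p in $(inactive_plugins); do
    wp plugin delete "$p"
  done
}

# 3. Get rid of the 'admin' account. WordPress cannot rename a user from the
#    dashboard, so create a new administrator, then delete 'admin' and hand
#    its posts to the new account. Prints the new account's user ID.
replace_admin_user() {
  new_login=$1; email=$2; password=$3
  if ! wp user get admin --field=ID >/dev/null 2>&1; then
    echo "no user named admin, nothing to do" >&2
    return 0
  fi
  new_id=$(wp user create "$new_login" "$email" \
            --role=administrator --user_pass="$password" --porcelain)
  wp user delete admin --reassign="$new_id" --yes
  echo "$new_id"
}

# 4. Update core, plugins and themes; most updates close publicly known holes.
update_everything() {
  wp core update
  wp core update-db
  wp plugin update --all
  wp theme update --all
}

# 5. Confirm core files match the official release checksums; a modified or
#    extra file under wp-admin or wp-includes is a sign something is wrong.
check_core_integrity() {
  wp core verify-checksums
}

# Usage: sh harden.sh backup /var/backups/site
#        sh harden.sh replace-admin siteowner owner@example.com 'new strong password'
#        sh harden.sh harden
case "${1:-}" in
  backup)        backup_site "${2:?backup directory}" ;;
  replace-admin) replace_admin_user "${2:?new login}" "${3:?email}" "${4:?password}" ;;
  harden)        delete_inactive_plugins; update_everything; check_core_integrity ;;
  "")            ;;   # no subcommand: only define the functions
esac
```

Run the `backup` step first and the others afterwards; if `wp core verify-checksums` reports files that don’t match, treat that as a sign the site may already have been tampered with rather than something to fix by updating.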
If you do get hacked, here’s what to do:
Take note of everything you can think of – what page or pages you notice problems on, what exactly it’s doing to those pages, whether or not you can log in to the backend, and when you first noticed, because that decides which backup is safe to restore.
If you’re not tech-savvy enough to fix it yourself, find a professional who can do it for you – your web host can help with this, or whoever set up your website. Give them all the details – everything that you’ve noticed and written down.
Restore from backup. Go back to the most recent backup from before the hack took place and restore your site. You may lose some data, but that’s better than losing the whole site. Two caveats: a backup only helps if it predates the break-in (a faithfully backed-up infected site is still infected), and restoring does not close the hole the attacker came in through, so that still has to be found and fixed.
Reset ALL user passwords. You can never know for sure whether they took user data off your website, even if you know they didn’t get in through someone’s hacked user account. You can reset all user passwords at once with a plugin called Emergency Password Reset. Change the passwords that live outside WordPress too – the database password in wp-config.php and your hosting, FTP/SFTP and control-panel logins – since an intruder with access to the site’s files may have read them, and regenerate the security keys and salts in wp-config.php, which logs everyone out, including the intruder.
After you’ve got your site back, go back to the first list in this post and implement every item on it.
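The “reset all passwords” step done from the command line instead of with the Emergency Password Reset plugin, plus the two checks a practitioner would add after restoring: logging out every existing session and verifying that the restored files match the official releases. This is an added example, not code from the original post or from any plugin mentioned; it assumes WP-CLI’s `wp` command is installed and that you run it from the WordPress root. Database and hosting passwords have to be changed through your host and are not covered here.

```shell
#!/bin/sh
# Post-compromise credential rotation for a WordPress site, using WP-CLI.
# Added example, not code from the original post. Assumes `wp` (WP-CLI) is
# installed and that this runs from the WordPress root directory.
set -eu

# A fresh random password for each account. Owners set their own afterwards
# through "Lost your password?" on the login page.
random_password() {
  head -c 48 /dev/urandom | base64 | tr -d '/+=\n' | cut -c1-24
}

# Every account gets a new password AND all of its existing login sessions are
# destroyed. Changing the password alone does not log out an attacker who is
# already holding a valid session cookie. Prints the number of accounts done.
reset_all_users() {
  count=0
  for id in $(wp user list --field=ID); do
    wp user update "$id" --user_pass="$(random_password)" --skip-email
    wp user session destroy "$id" --all
    count=$((count + 1))
  done
  echo "$count"
}

# Regenerating the keys and salts in wp-config.php invalidates every cookie
# issued under the old values, site-wide, in one step.
rotate_salts() {
  wp config shuffle-salts
}

# After restoring, check core and plugin files against the official release
# checksums; anything reported was modified on the server and needs a look.
verify_files() {
  wp core verify-checksums
  wp plugin verify-checksums --all
}

# Usage: sh recover.sh rotate     (reset every password, kill sessions, new salts)
#        sh recover.sh verify     (compare files with the official releases)
case "${1:-}" in
  rotate)
    n=$(reset_all_users)
    echo "reset $n accounts"
    rotate_salts
    ;;
  verify) verify_files ;;
  "")     ;;   # no subcommand: only define the functions
esac
```

Run `rotate` only after the clean backup is in place; resetting passwords on a site that still contains the attacker’s back door just gives them a reason to use it again.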