Home / Blog / A safer website

How to Survive Your WordPress Website Being Hacked

As a company who specialises in WordPress web design, we have seen a large increase in the number of people coming to us in need of help after their WordPress website has been hacked. WordPress is an amazing Content Management System (CMS) and is now powering over 30% of websites on the Internet. With this growing popularity so too comes a bigger appeal to hackers. WordPress is used so widely and has such an involved community of designers and developers creating themes and plugins. Because of this the number of ways for someone to ‘get into’ your website is greatly increased.

But why would they hack my website?

You might view yourself as a business with little or no useful information stored online to actually be of any interest to even warrant someone hacking you. A lot of hacking websites is not about targeting your business specifically. It is more to do with your site being an easy target and the process of finding an easy way in requiring only minimal effort on the part of the attacker.

Hackers have created automated bots which scour the web in search of known vulnerabilities in websites, plugins, themes, scripts, etc. If these bots find something of interest they report back to their owner who may then decide to break your website. Creating nasty search bots with instructions to focus on WordPress flaws makes sense to a hacker since, based on the number of sites running on WordPress, there is a high chance of them finding something they can use.

Steps to take if you’ve been hacked

prevent security issues wordpress website hacked

Redirect site visitors to a temporary landing page

People visiting your website who see a warning stating it may be dangerous to visit or announcing it has been hacked (a lot of hackers like to post a message telling people who hacked the site), empty blank screen, etc. will not be good for business. Your online brand reputation may be damaged or it could be as simple as people looking for your contact details to give you a sale and they can’t get in touch and assume you have gone out of business.

A quick fix for this is to create a temporary landing page on a different server. By changing your website’s DNS A record you can point all site visitors to this temp site so at least you provide the basic information to them, and they also know you haven’t gone out of business.

Hosting packages are available by the month so you can just pay for one month and put up a single page stating your website is currently being worked on and provide people with your contact details.

Change your passwords

One of the first things you should do is change the locks to the doors. If you fixed your website but someone still had the passwords to login they could decide to hack you again and again whenever they feel like it. At a minimum the following passwords should be changed:

FTP access
Hosting control panel
SQL database
WordPress user accounts
WordPress keys

Make a backup of the entire site root

Having a full backup of your site and database will mean at least if you make any major mistakes when trying to repair things you can at least get back to where you started. Make sure you backup the following:

All files and folders in the root of the site (themes, plugins, uploads, etc.)
XML export of content via WordPress admin Dashboard > Tools > Export
Export of SQL database via PHPmyadmin
Note the site settings such as permalinks, admin usernames and emails, reading settings, menus, etc.

Deactivate all plugins

Out of date plugins are a common way for attackers to gain access. Even plugins that are not active are still open to attack. Ideally, your site should use the minimum amount of plugins to do the job. If a plugin is deactivated, and not going to be used again, it should be deleted.

Make sure the plugins that are active are actually being used. We’ve seen e-commerce plugins installed on websites that are not selling anything online. These plugins generate code on the fronted a website. Hackers may see this code and think a site might store credit card information from e-commerce transactions.

Write down or take a screenshot of all plugins installed and their active/inactive states. The WordPress database holds your plugin settings so you can delete the plugins and reinstall them fresh later on.

Inform hosting company of your WordPress website was hacked

Be warned your hosting company may delete your files to prevent others systems/accounts getting infected. Which is why you made the full backup already right?

Ask them to confirm there is no breach or issue directly on your web server. A server breach is normally something outside of a website owners control and would have to be addressed by the hosting company directly.

If there is a server breach then you will have 2 options:

Wait until the hosting company resolves the issue and gives you the all clear.
Move to a different server. If you followed the first step in this post and created a temporary landing page with a new hosting package, you could create the site on that server.

Remove files

You should already have a full site backup as a zipped file and a copy of the sites SQL database. If you are staying with your current web hosting service then you should remove all files in the root of the original WordPress installation. The only items required when migrating a WordPress website is the wp-content folder and the SQL database, so everything else can be deleted. Do bear in mind that hackers could have placed the malicious code inside any file in the wp-content folder too. In an ideal world you would delete every single item on the site and start fresh, but that may not be feasible for most sites.

If you are unsure about deleting files I’d recommend you talk to a WordPress expert who knows what should or should not be in a functioning website.

Download a fresh copy of WordPress

Having a standard and unedited copy of the WordPress system also allows comparison of files and folder structures with your current site, which helps spot anomalies or anything that shouldn’t be there or has been changed.

A fresh WordPress installation

Creating a brand new WordPress install is much safer than trying to filter through the previously compromised version. It doesn’t make a difference if you have a one-click install (provided by a lot of hosting control panels) or you install WordPress manually. The main thing here is to use as few files from the previous site as possible to minimise potential infection again.

Once the new CMS is done the next thing is to import the original content, images and settings. From the original site backup you can import the following:

XML content file via Dashboard > Tools > Import > install WordPress importer. Be warned that we have found malicious code in XML files generated by hacked WordPress website.
Site theme via FTP to siteroot/wp-content/themes/.
Uploads folders via FTP to siteroot/wp-content/uploads/. The uploads folder is where WordPress stores all media files uploaded to the site.
Edit settings to match the records you made from the original site

WordPress does not detect when you add files to the Uploads folder manually via FTP. Luckily there’s a great plugin to tackle this called Add from Server.

Test everything is working

Time to test your site for any issues carried over by running a security scan on your website looking for anything suspicious.

Since there are new ways to hack websites being discovered daily, it is safe to assume that online web security scanning services will not always catch every single potential issue on your website.

Next, navigate through the website and check all images, content, links, pages, etc. are working as expected.

How to prevent future website issues

steps to prevent wordpress website hacked

Offsite and ongoing backups

A WordPress website backup service is like having an insurance policy for your website should the worst happen. Having a solid backup plan in place for your website will save a lot of hassle but more importantly, it will minimise the downtime of your website the next time something goes wrong.

Hosting companies are not immune to being hacked either, so your website backup should be stored in a different psychical location than your website files are.

Keep WordPress core and plugins up to date

Nearly every single WordPress system or plugin update includes some sort of security or bug fix. Not being up to date leaves you open to attack and provides an invitation to those seeking easy targets. Carrying out a monthly WordPress update should be part of your stay safe plan.

Improve your security online

Letting CloudFlare manage your sites DNS is a good first step. CloudFlare acts as a middleman between visitors and your website, stopping visitors it views as potential threats. You can also configure CloudFlare to block specific IP addresses or even entire countries.

A correctly installed and configured website firewall can prevent a lot of attackers from even getting to land on your website.

Managed WordPress Update & Security Service

We offer WordPress website care plans which cover everything your WordPress website needs including backups, updates, security scanning and hosting. The goal of this service is to help prevent your WordPress website being hacked. For more information or help getting your WordPress website back online, you can contact us on 012544000 or [email protected]

All blogs

Cookie	Duration	Description
connect.sid	1 month	This cookie is used for authentication and for secure log-in. It registers the log-in information.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_8NTFJV7H0T	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_29337709_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
ajs_anonymous_id	1 year	This cookie is set by Segment to count the number of people who visit a certain site by tracking if they have visited before.
ajs_group_id	never	This cookie is set by Segment to track visitor usage and events within the website.
ajs_user_id	never	This cookie is set by Segment to help track visitor usage, events, target marketing, and also measure application performance and stability.
brwsr	2 years	This cookie is set by the provider Impact Radius. This cookie is used for affiliate marketing.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.

Cookie	Duration	Description
debug	never	No description available.
loglevel	never	No description available.
loom_anon_comment	session	No description available.
loom_referral_video	session	No description
mkjs_group_id	never	No description available.
mkjs_user_id	never	No description available.

Cookie	Duration	Description
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.