Your client has a hacked WordPress site. It's finally happened. You've read about it happening to other businesses, but thought, "It won't happen to my clients." Their websites don’t get enough traffic; they are kept up-to-date enough, etc. Somehow, it still happened. It's OK! The first thing you need to do is not panic. Usually, a hacked WordPress site can be fixed in a few steps. First, however, you should understand the consequences of a hacked WordPress site. It's important to first note that the term 'hack' has come to mean a few different things when referring to websites. If your client has been hacked, it means there is:
possible unauthorized access to your site because of a vulnerability somewhere in WordPress, a plugin, or theme.
This could mean that someone has broken into your client’s website and stolen valuable information: names, email address, and passwords for example. Another common consequence of a hacked site is sending spam to people via email or through unauthorized ads because of unwanted code injected into the site. Either way there are a few things you should consider:
- Will my client lose any content?
- Will my client lose any customizations?
- Was any of my client’s information stolen?
The last question will be the toughest to answer. In most cases, it's not likely your client’s information was stolen. Don't take this lightly though - especially if they run an e-commerce site. If the site is hacked, it's important to notify any users, tell them what happened, and help them take necessary steps to make sure their data is as safe as possible. As for the first two questions, one sure fire way to protect your clients from any loss is with thorough and regular backups (which we’ll talk about a little later in this article). However, whether they lost data or not, you should follow the following steps to clean up the site.
Fixing a Hacked WordPress Site
Take a backup of the site.Even though the site is hacked, you don’t want to risk losing data or important files. If the site can’t be fixed with the following steps, there are services that can scrub these files.
Download the enabled theme, custom plugins, and any other custom code.After downloading, you should clean them, including the /uploads/ folder. This means you need to look through every file for code that shouldn’t be there, as well as remove any files that shouldn’t be there.
Delete all other WordPress files and reinstall everything.This is pretty much everything that’s not in the /wp-content/ folder, as well as any stock themes and plugins. This is done because if any of those files are compromised, they don’t need to be checked; they can be replaced with clean versions. It also ensures that WordPress is on the latest version, which inherently has security fixes.
Upload the /wp-content/ folder back into WordPress.You’ll need to restore the site by logging in and re-activating plugins and themes.
Do a site scan 1-2 hours later.I used a tool by Securi. If the site is still not clean, then there are more serious problems at play. Contact web host your for further assistance.
Fortify the site.You should use a plugin like iThemes Security.
Bring the site back online.If the website had been taken down because of the hack, now is the time to contact the host and ask them to make the clean site live.
As a WordPress web developer, I’ve had to take these steps for clients a few times. If we’re lucky, I have backups of the custom theme and plugins I developed for them, allowing me to restore the site with no content or customizations lost. However, other clients have lost content and theme customizations that were made through the theme editor and stored in the database. Fortunately you can prevent this for your clients with following tips.
Prevent a Hacked WordPress Site
No one wants to be faced with the issues, work, and cost of recovering from a hacked website. While no one can guarantee a website will never get hacked, there are a few things you can do to dramatically decrease your clients’ chances.
Keep WordPress, themes, and plugins updated.Make sure automatic updates are on for WordPress Core and login every few days to make sure themes and plugins are up to date. Most developers are good about security and bug fixes; making sure the site is completely up-to-date will lower your clients’ chances of vulnerability.
Remove unused themes and plugins.If there are themes or plugins that are disabled and *not in use* at all, clear them out. This will reduce the amount of code you need to update. If you're not sure, ask your developer or someone else who might know the answer.
Install a security plugin like iThemes Security.Plugins like this will automate a few good security practices, make recommendations, and scan the site. Think of them as an antivirus for the website.
Take regular backups.Services like VaultPress and BackupBuddy will take full backups of the files and database so that even if the worst happens, you can rollback to the last known clean state.
Finally, you should also take advantage of services your hosting company offers. Many hosts will take backups and make sure your site is running in tip-top shape, as well as notify you when something is amiss. In upcoming articles, we will take a look at how Liquid Web's services can help prevent and mitigate a hacked website. Want WordPress without the hassle? Check out WordPress Without Limits, a managed WordPress solution, with one-click staging, one-click backup restoration, automatic updates, automatic backups, and free SSL.