This article is for you if you are unlucky to have had your website hacked. We will walk you through of what to do if your WordPress website got hacked.
A hacked and non-functional website is a nightmare and is the greatest fear for every administrator and business owner. No matter how hard you try to keep your website secure, unfortunately there is no way to fully protect your website and make it 100% secure. The problem may occur due to a fault in the work of some other person, for example your other administrators or your hosting company. If you want to know what steps to take if your website is down due to an attack then keep reading.
Is my website really hacked?
There are many symptoms that indicate that your website has been hacked. The most obvious one is a changed homepage with a message that the website has been hacked. Some other symptoms of a hacked website include:
– You received a warning from your hosting provider that your website is spreading malicious traffic and SPAM;
– Search engines put your website on the blacklist;
– Your antivirus on the local computer marks your website as dangerous;
– You see users in the admin dashboard (and/or administrator users) that you did not create;
– Your website redirects traffic to other websites or links;
– Your customers complain that their private data (credit card numbers) were misused;
– Any other symptom that makes it difficult or impossible for your website to work properly
If you’ve noticed any of above symptoms and think your website has been hacked, below we’ll show you some steps to take that will best help you get your website up and running again.
1. Document recent changes
This is one of the most important steps in the process of recovering your website. You must document all the changes that you have observed on your website, which make you think that your website has been hacked. You should also document how the problem appears and manifests itself on your website. It is very important to document if you have installed any plugins, themes or made any modifications. Maybe a plugin or theme that you recently installed on your website caused a problem.
Making notes of any changes you make to your website is very important so that you can track the progress of your website recovery. If you do not do the recovery yourself, but use the services of third parties, then the documentation will be of crucial importance for the successful elimination of the problem.
2. Scan your website
The next step is to scan your website. If you can still access your admin dashboard, then install a security plugin that will scan your website for malicious code. Our recommendation is to install Sucuri or Wordfence security plugins. I think these are the two best plugins in their category.
If you do not have access to the admin panel and cannot install one of these plugins, then you can use an online scanner (crawler). One of the most famous is Sitecheck. This tool will check your website for malware, check if your website is blacklisted, and give you some guidance on how to improve the security of your website.
3. Scan your PC
One of the most common ways hackers get credentials from administrators is by stealing credentials from their computers. Maybe a keylogger, trojan or any other malicious software is installed on your PC that will steal your credentials and send them to the attacker. In this way, an attacker can gain access to your admin dashboard, FTP account or any other part of your website and thus make any changes, write malicious code or simply delete everything.
There are many excellent and free antivirus tools for all operating systems. Before installing any of them, check the ratings and user reviews. Do a full scan of your computer and delete all detected threats if there are any.
4. Talk with your hosting provider about the problem
It is very common that one website that is infected can infect and endanger other websites on the same hosting server. Therefore, you need to inform your hosting provider about the problem you have. They may have detected the problem before you and are working to fix it. As we have written before, many excellent hosting providers like Bluehost have a virus/malware scanner as part of their services.
If you use a shared hosting account, then your website shares a public IP address with other websites on your hosting server. This can be very dangerous. If any website with which you share a public IP is infected, search engines will block the disputed IP address and thus your website will be blacklisted. This is one of the reasons why you should use verified hosting providers that work proactively and have implemented multiple levels of protection against all types of attacks.
5. Change the password for wp-admin, cPanel, MySQL and FTP access
A very important step is to change the password for all the accounts we mentioned in the title. This way you will be sure that the attacker no longer has access if they ever accessed using your credentials. Do not forget to change the password for all users who have access to the specified areas.
Do not use simple passwords, names, dates of birth and words easy to guess. We recommend that you use one of the many online password generators that will create generic passwords that are impossible to guess.
Another great thing you can do is implement two-factor authentication. If an attacker gets the credentials of one of your administrators sometime in the future, he will have to have physical access to admin`s mobile phone or e-mail in order to log in. It is not an easy task and it is likely that the attacker will give up his intentions.
6. Force password reset for all users
You are probably still not sure how your website was attacked. Maybe the reason is that the attacker found out the credentials of one of your users. That’s why you need to force all users to change their password. You will do this task very easily using some of the plugins for that purpose, and one of the best and most famous is Emergency Password Reset.
After installing this great and free plugin, simply click “Reset all passwords” and you’re done. All users will receive a password reset link which they will use to set new passwords for their accounts.
7. Create a backup and download your website
Even though your site is probably infected with some malicious code, you should make a backup and download it to your PC so you can easily find which files are infected and to eliminate the problem. Check with your hosting provider if they do daily and weekly website backups. Many premium providers such as Bluehost and Siteground offer periodic website backups.
If your hosting provider does not have a backup of your website, then you can use one of the many backup plugins like UpdraftPlus WordPress Backup plugin. This plugin will make a full backup of your website and your database.
8. Look for suspicious files and inspect the core WordPress files
After you have made sure that you have a complete website backup, download it and extract it to your PC.
Make sure all the files are there. Be sure to check the .htaccess and wp-config.php files for suspicious code. Install a new installation of WordPress on your hosting account. Install all the plugins you had, but never upload files from backup because they can be infected. It is also important to check if there are any hidden .js files inside the backup that can be used to execute malicious code.
9. Install security plugins
In order to protect yourself from attacks in the future, it is recommended that you install some of the security plugins. Our recommendation is Sucuri, an excellent security plugin that is used by more than 800,000 websites worldwide and provides an excellent level of protection. It offers options for malware scanning, sending various security notifications, detects if your website ends up on the blacklist and many more useful options. Since it is a free plugin, you should definitely have it in your collection.
One of the best ways to protect your WordPress website is to hide the fact that you are using a WordPress CMS. This is not a difficult task at all if you use the Hide My WP plugin.
This great plugin will hide the fact that you are using a WordPress CMS. Within this plugin you can change the folder names for plugins and themes, you can completely change the link structure and hide the wp-admin and login page. A potential attacker will give up because they simply won’t know how to find vulnerabilities on your website. The HMWP plugin is used by more than 30,000 satisfied users, has excellent user reviews, and that’s one of the reasons why you should try it.
Conclusion on what t0 do if your WordPress website got hacked
In previous articles we wrote about how to protect your WordPress websites from different types of attacks. We also wrote about the best tools to keep your website secure. However, since there is no 100% protection, every administrator may have his website attacked and become temporarily inoperative. That’s why today we decided to write what to do if your WordPress website got hacked. We hope this article will help you to get your website back up and running very quickly.