Why WordPress Security Matters
No matter how well protected you think your WordPress site is, there is always a chance that it will be hacked at some point in time. What you can do in this regard is reduce the risk of this happening by beefing up your WordPress security. It doesn’t even have to be a WordPress site. Any site can be hacked, no matter which CMS it is running under – WordPress, Drupal, Joomla or any other. Security should be your top priority, especially when you are maintaining a business website.
The hack itself, apart from exposing you and your readers to viruses, affects your website’s ranking and its reputation.
You can also be hacked on shared hosting when another site on the same server is compromised. That is why you should consider managed WordPress hosting if you can afford it.
Determine the Nature of the Hack
When your website is hacked, you’re usually under stress. This is exactly the time to stay calm and collect your thoughts.
Try to determine whether you can still access the admin panel and whether your WordPress site is redirecting to another site. If that isn’t the case, find out whether the site has any illegitimate links or whether Google has marked it as insecure.
Whatever the case, consider changing all your passwords before you start cleaning up your site.
Contact Your Hosting Provider
If you are using the services of SiteGround, HostGator or GoDaddy, chances are they will be able to help you in such situations. They know their hosting environment well enough to assist you with the kind of problems you are experiencing with your site. Contacting your hosting provider should be one of the first things you do when you are in doubt about whether your site has been hacked. They can often pinpoint the nature of the hack and even deal with it.
Use a Backup to Restore Your Site
I cannot stress enough how important it is to have a backup of your WordPress site. You should regularly make backups of both your content and your database. If the content of your site is updated daily, consider scheduling daily backups, otherwise you risk losing the most recent information you posted on the site.
If you haven’t stored any backups of your site somewhere but you’re still determined to preserve the existing content, you are left with the option to manually remove the hack.
Scanning and Removal of Malware
Consider removing all WordPress themes and plugins you’re not using on your site. Even when inactive, some of those pose a security risk, apart from taking up space on your server. It is often within themes and plugins that hackers hide their backdoors, which they later use to gain remote access to a site while remaining undetected.
The next step is to scan your website. Sucuri has a free malware and security scan service. They also offer to clean up your website and strengthen its protection, although you’re required to pay for it.
If you want more from Sucuri at no additional cost, I suggest you try their Sucuri Security – Auditing, Malware Scanner and Security Hardening plugin. Apart from providing the scanning feature mentioned above, the plugin also boosts your WordPress security through a range of free features. You will need to spend some time configuring this plugin to work with your site but I believe it will be worth your effort. What is more, the plugin is well-maintained, frequently updated and includes documentation on how to set it up properly.
Both the free scanner on the Sucuri website and the free plugin will let you know about the integrity of your WordPress installation and where the hack is hiding.
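To show what an integrity check does in principle, here is an added example (not Sucuri's code and not part of the original article) that compares a live site directory against a known-clean copy, such as a restored backup, and reports modified, added and missing files plus any PHP files inside the uploads folder. The function names and the sample file tree are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            with open(os.path.join(root, rel), "rb") as fh:
                digests[rel.replace(os.sep, "/")] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_to_clean_copy(live_root, clean_root):
    """Report how the live site differs from a known-clean copy (e.g. a backup)."""
    live, clean = hash_tree(live_root), hash_tree(clean_root)
    return {
        "modified": sorted(p for p in live if p in clean and live[p] != clean[p]),
        "added": sorted(p for p in live if p not in clean),
        "missing": sorted(p for p in clean if p not in live),
        # Uploads should hold media only; PHP files there need a manual look.
        "php_in_uploads": sorted(p for p in live if p.startswith("wp-content/uploads/")
                                 and p.lower().endswith(".php")),
    }


def demo():
    """Run the comparison on a small constructed site tree (not real data)."""
    clean = {"wp-login.php": "core", "wp-content/themes/t/functions.php": "theme",
             "wp-content/uploads/2020/logo.png": "image"}
    live = {"wp-content/themes/t/functions.php": "theme, altered",
            "wp-content/uploads/2020/logo.png": "image",
            "wp-content/uploads/2020/cache.php": "unexpected"}
    with tempfile.TemporaryDirectory() as tmp:
        for side, files in (("clean", clean), ("live", live)):
            for rel, text in files.items():
                path = os.path.join(tmp, side, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "w") as fh:
                    fh.write(text)
        return compare_to_clean_copy(os.path.join(tmp, "live"), os.path.join(tmp, "clean"))


if __name__ == "__main__":
    print(demo())
```

On a real site, point compare_to_clean_copy at the live document root and at an unpacked backup taken before the compromise; files listed as modified or added are the ones to review by hand.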
Change of Passwords
As we already mentioned, you should also change the passwords. This includes the passwords of all users, the WordPress database passwords, the cPanel password and your FTP password.
Don’t forget to also examine user permissions and ensure that only trusted people have the administrative role assigned to their accounts.
Improve Your WordPress Site’s Security
While the aforementioned Sucuri plugin provides good security for your site, it is by no means a substitute for a good backup solution.
My personal choice for a backup plugin is UpdraftPlus Backup and Restoration. It allows you to schedule backups and keep them both on your server and on Dropbox.
Having backups both on my server and Dropbox, together with the backups my hosting provider maintains of my website, makes me feel more comfortable and secure. While most people are fond of BackupBuddy from iThemes, I prefer to stick with UpdraftPlus. Besides, it is free.
Now that you have a backup solution in place, it is time to consider a good security and firewall plugin. Most people prefer to use Wordfence Security and yes, it could be the best WordPress security plugin there is, but I’m just as comfortable using All In One WP Security & Firewall.
The plugin has a range of functionalities for protecting your WordPress-based site, some of which you can guess from the screenshot above, and you can go through the complete list of features through the link above. One of my favorite features is the option to rename the WP login URL, which helps prevent brute-force attacks against your website. Brute force is usually the method most hackers use to guess your password and username, by “bombarding” your login page with software.
Always be mindful that Google has already introduced an update to its algorithm that takes into account whether your site has been hacked. Take the necessary steps to ensure it is not so!
If the steps on WordPress security outlined above haven’t helped you fix your hacked WordPress site, consider hiring a professional to do this job for you. Alternatively, consider paying for Sucuri support. I’m sure their staff is professional and will help you deal with whatever issues you may be experiencing with your WordPress installation.