Discovering your website has been hacked is a truly harrowing situation for some. Some businesses rely solely on their website as a source of income; if their website goes down, the consequences can be dire.
WordPress websites, just like any website published online, can unfortunately be hacked. It’s our job to put preventative measures in place to stop this happening to our own websites.
A website hack can sometimes be quite obvious: your website has been shut down, you can’t access your dashboard, or strange code is displaying where it shouldn’t. But other times it can be hidden and very hard to spot.
We had a client recently whose contact forms had been hacked. Long story short, the hacker was using their forms and server to send out thousands of spam emails to various users. As you can imagine, you don’t see these emails going out, so it can be very hard to spot when it’s happening.
What to do when you find the hack
First things first, contact your hosting provider. In most cases, your website host will shut down your website themselves if they find malicious code. Most websites are hosted on a shared server, so any hosting provider worth their salt will disable your website so other websites on the server won’t be affected.
Next, if you can still access your website’s WordPress dashboard, we always advise adding a Google CAPTCHA to all of your forms. They’re free to use, and a great step in preventing your contact forms being hijacked and used to send spam emails.
Then, install one of WordPress’ many security plugins, such as iThemes Security or Wordfence, and run a scan of your website. Make sure to check whether any core WordPress files have been changed recently; these are the files to which malicious code is most commonly added.
Lastly, run through your list of admin accounts. Scan for any new or suspicious-looking accounts and remove them. Usually whenever a website has been hacked, an admin account will have had its password changed, so make sure to change the passwords for all current accounts.
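For the core-file check described above, here is an added example (not part of the original article or of any security plugin) that lists files under wp-admin, wp-includes and the site root that were modified in the last few days. The function name, the seven-day default and the choice of directories are assumptions made for illustration.

```python
import sys
import time
from pathlib import Path

# Directories that hold WordPress core code. wp-content (themes, plugins,
# uploads) changes legitimately and is left out of this first pass.
CORE_DIRS = ("wp-admin", "wp-includes")


def recently_changed_core_files(wp_root, days=7, now=None):
    """Return (relative_path, age_in_days) for core files modified within `days`.

    Covers every file under wp-admin/ and wp-includes/ plus the PHP files in
    the site root (index.php, wp-login.php, wp-config.php and so on).
    Results are sorted newest first.
    """
    root = Path(wp_root)
    now = time.time() if now is None else now
    cutoff = now - days * 86400

    # Root-level PHP files first, then everything inside the core directories.
    candidates = [p for p in root.glob("*.php") if p.is_file()]
    for name in CORE_DIRS:
        base = root / name
        if base.is_dir():
            candidates.extend(p for p in base.rglob("*") if p.is_file())

    hits = []
    for path in candidates:
        mtime = path.stat().st_mtime
        if mtime >= cutoff:
            age = round((now - mtime) / 86400, 1)
            hits.append((path.relative_to(root).as_posix(), age))
    return sorted(hits, key=lambda item: item[1])


if __name__ == "__main__":
    # Usage: python check_core.py /path/to/wordpress
    site = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, age in recently_changed_core_files(site):
        print(f"{age:>6} days ago  {rel}")
```

Modification times can be reset by whoever changed a file, so an empty result is not proof of a clean site; WP-CLI's `wp core verify-checksums` compares core files against the official checksums instead.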
How to prevent your website being hacked
The old saying “Once bitten, twice shy” comes to mind here. If you’ve ever experienced your website being hacked, you sure as hell won’t want it to happen again.
1. Make sure you use a security plugin
As mentioned previously, it’s hugely important to have some sort of security plugin running in the background of your WordPress website. These plugins will block any suspicious attempts to access your dashboard, as well as notify you of any core file changes.
2. Use strong passwords
This one sounds like a no-brainer, but the number of times a client has given me access to their website and they’re using a basic password that’s along the lines of their business name or personal name is crazy. A good strong password is always recommended.
3. Update, update and update some more
This one might not be as obvious as the above, but keeping your plugins and WordPress versions up to date is a great measure in securing your website. As hard as website developers are working to build great plugins, there are equally talented hackers inventing ways of manipulating them and adding malicious code.
It’s important to remember that sometimes an update can break a website if it hasn’t been tested correctly. To be safe, take a full backup of your website and update each plugin one at a time, then browse your website to make sure it’s still working as expected.
4. Always, and we mean ALWAYS, back up your website
We’ve seen this happen before: entire websites deleted. Completely gone. Years of hard work and financial investment wiped away overnight.
This is catastrophic to any business, and it can be easily avoided simply by taking a regular full backup of your website every few days or weeks.
What if you can’t access your website at all?
If none of the steps above are helpful, it’s probably time to call in a professional website developer to take a look at your website. Sometimes the underlying issue can be harder to fix than expected; the hacker may have made changes in the database or added some hidden code somewhere on the server.
In these cases, it’s best to call in the big guns to help get your website back online.