Why do WordPress  sites get hacked? I heard this question in a web forum, the person asking thinking it was a ‘dumb question’ but it’s really not. Anyone who runs a WordPress site needs to know 1) how to minimize the risk of a hack and 2) what to do to fix your site if it has been hacked. In this post, I’m only talking about sites running on wordpress.org, not wordpress.com.

This is not meant to be a comprehensive list of hack scenarios, but an exposé of hacks I’ve personally encountered. I’ll start with tips on how to keep it from happening in the first place.

Secure That Site

  1. The easiest way to hack isn’t so much a hack, but an exploitation of a default WordPress installation. There are two things that should be removed immediately after a fresh install: Hello Dolly, and the sample blog post. Hello Dolly has absolutely zero function. I don’t know about you, but I believe that anything that serves no practical purpose should be removed. The fewer plugins on your site, the better. The sample blog post may seem innocuous, but hackers will find it and leave a comment. That comment will include links to bit coin sites and/or pornography. WordPress started out as a blogging platform, and wordpress.com still is. Delete your sample post, and change your Discussions settings to disable ‘
  2. Never use “admin” as your administrator username. Hackers and bots will scan sites looking for this username and then guess passwords. I had a situation where it appeared that someone had been able to create their own admin account by guessing the admin account. With this new account, they created a handful of blog posts. Fortunately the blog posts were simply promoting bit coin trading; the hacker didn’t bother doing anything worse. I was able to delete that user account, and with it, all the content that user created (this is default behavior with WordPress. If you want to keep content a soon to be deleted user created, you have to assign it to another account.) We also removed the ‘admin’ user account. User names can’t be changed easily without a plugin to do so. The plugin is out of date, but it works, so delete it once you have changed the username. We were fortunate that the account showed up in the admin dashboard. I’ve had an occurrence where the sneaky hacked admin account only showed up in the database. After discovering the hack, I ran a virus scan on the server (some hosts offer this via the cpanel, others you need to ask.)
  3.  An additional way to secure your site from hackers is to change the login url. This will invalidate /wp-admin/ and /wp-login.php as places to log in, replaced with the URL of your choosing. iThemes security offers this feature. The only issue I’ve had with this option is that if you’re trying to share a link in the dashboard with another user, and that user isn’t logged in, the link won’t work. Just make sure they’re logged in first.
  4. Share server credentials on an as-needed basis. I had a client’s site get hacked soon after providing credentials to one of the owner’s partners, who was going to create another site for users in their country. I noticed the issue when I tried to log in; none of the admin pages were working. Nothing was off visually, otherwise. I discovered that there was an htaccess file inside of every single folder, containing malicious code. Do you know how many folders are in a WordPress installation with all the plugins? Hundreds. Even a search/replace function on the server was too arduous. Removing this manually wasn’t an option, and if it wasn’t completely removed, if found a way to replicate itself. Fortunately, I was able to install new versions of all the plugins and the theme and a new version of WordPress. That took care of the rogue htaccess!
  5. Update, update, update. Outdated plugins and themes, and WordPress installs, are susceptible to hackers. That’s why they’re updated! On rare occasion, an update will break your site. Make a backup, always, before updating. Download it somewhere accessible. Have access to your server. If you have a slow server, don’t update everything at once as it can overwhelm the server.
  6. Use a reliable host. I’ve had hacks occur on multiple hosting platforms, so it’s not always the hosts fault. At the minimum, they should offer backups and virus scans. Some hosts have an issue where if one site gets infected on shared hosting, then all the sites on that server get infected. Better hosts have ways to eliminate this issue.

Hack Cleanup

Usually hacks are discovered because your site isn’t behaving properly. Sometimes code is injected into the pages that is invisible, but contains hundreds of links to other websites at the bottom of your web page. This is typically removed manually from all the pages. If you have a very large site, you’d do well to have a backup system in place that you can restore to from before the hack took place. This can be tricky with ecommerce sites because you don’t want to lose the sales history contained in the database.

Another site I discovered the links weren’t working. It was using e-commerce, and somehow code was being injected wherever the letters “e” and “a” were together. That’s a lot of words! Fortunately the site wasn’t very large, and I was able to manually remove the malicious code. We also changed the login URL, updated all admin passwords, and simplified the e-commerce system (removed the payment system to a manual inquiry).

Hack fixing can take hours and hours. Typically I start by disabling all plugins from the server, to see if it’s just a plugin causing the issue. Another way to do this is installing the plugin Health Check, which gives an admin-only view of the site with specific plugins and themes disalbed/enabled. Simply moving the site to another server will only help if the server itself has been hacked. If you move infected files, your hack will still occur in your site’s new home!

Having a maintenance plan in place can save you time and money. My own plans start around $20/month. If your site gets hacked under Megabite’s watch, we’ll fix your site without any additional charge. If you don’t have a maintenance plan and your site gets hacked, and you hire us to fix it, you will be billed at an hourly rate.

Common Occurrence

Don’t be embarrassed by your site being hacked. It happens to the best of us, and in most cases, it’s not your fault. Being prepared by having a recent backup available can help a lot. Having good access to your server is also helpful, at least to provide to your webmaster. If your site has malicious code, Google might even block it from opening. That’s a big ‘ouch’.

If your site is hacked and you need some help, please reach out!

I hope you found this helpful. Again, it’s not an all inclusive list of how sites are hacked, but the preventative steps will guard against most kinds of hacks.