My WordPress site has been hacked a few times over the years. Actually I have many WordPress websites and big tip for any would be Affiliate Marketers and make money online entrepreneurs out there would be… DON’T HAVE TOO MANY WEBSITES!
CREATE ONE SERIOUS BUSINESS AND BE AWESOME!!!
Scanning, securing and fixing hacked WordPress blogs can be a time consuming job, and if you have them all on one server, like a Hostgator shared account… If one gets hacked… they all begin to fall. And if Hostgator don’t like what’s happening, they will shut down all your websites until you get the problem sorted.
So… Seeing as you probably found this post because YOUR WordPress site got hacked and now you are desperate to fix it?
Let me give you a quick list of MUST DO’S for any wordpress website I build, that will not only fix your problem, they will prevent your WordPress blog from getting hacked again! In fact… I now do this is as part of the initial setup of any WordPress site I create, specially for clients!
WordPress Website Clean Up and Defense:
PLEASE NOTE: I will refer to Godaddy for Domain management and HostGator’s Cpanel, seeing as that is the combination I prefer!
- MAINTENANCE & TRACKING
Create a Google Doc Spreadsheet of your servers and domains to help this become a regular maintenance.
My columns are…
- Server IP/Name
- Domain Name
- Database name (available from the config file)
- Visits/m (from the quick Cpanel drop down)
- Addon (this helps me track expired domains that need deleting as they can get hacked even though they ain’t live on the web)
- WordPress Version (or use a date for when you last updated WordPress)
- Comment Control (For notes like; Comment spam attack, no spam, math sum in place, 30 day comments closed, using FB comments. etc)
- Anti-Malware plug-in last run date (see below)
- Last Malware infection date
- HostGator Alerts (for tracking which sites keep causing HG concern)
- Security Plug-in Running? (see below)
- Update plug-ins and deleted old plug-ins (Date you last did this)
- Deleted themes not in use. (Yes these can get hacked when not being used!!!)
- External Sitecheck #1 – http://sitecheck.sucuri.net/scanner/
- External Sitecheck #2 – http://siteinspector.comodo.com/
- Google Webmaster Tools – Submit your site and check the health and control the frequency that the bots ping your site with.
- Bing – See above (Bot visits can cause HostGator – or your host – to shut down you site on Shared accounts.)
- Google health status – “This site may be compromised.” warnings etc
- Database Backup – Date of last Backup or weekly if you have software doing this for you (see below)
- Files Backup – Zip and download the Domain Folder (files) from Cpanel or use FireFTP
- KEEP WORDPRESS UPDATED
Yes.. I realise this can be an issue if your site relies heavily on plug-ins that are not getting updated regularly or in time… So, if you are serious about your website, always check the update logs of plug-ins you install and better still pay for them, ensuring that you get decent support and updates!
- COMMENT SPAM
This can be a real issue, with so many people desperate for links and even stupidly wasting time forcibly creating their own links’ rather than spending that time creating AWESOME content. I once had a WordPress site, that even with secure settings and comments closed was getting thousands of pending comments per day!
- Use Disqus for comments or/and Akismet for spam management.
- Consider turning off comments or making the settings less automatic. WP / Settings / Discussion (settings)
- Consider closing comments after a few weeks or months
- Consider switching to a Facebook comment plug-in, People are less likely to Spam when it can be traced to their personal FB account and you get some a little viral traffic from people who comment and let it be seen that they did, on their FB page.
- Install a simple Maths Sum plug-in like – Math Comment Spam Protection
- Any WordPress comment spam plug-in can slow your website down and most are not necessary if you are using the correct settings under WordPress / Settings / Discussion
- UNCHECK – Attempt to notify any blogs linked to from the article
- UNCHECK – Allow link notifications from other blogs (pingbacks and trackbacks)
- CHECK – Allow people to post comments on new articles
- CHECK – Comment author must fill out name and e-mail
- UNCHECK – Users must be registered and logged in to comment
- CHECK – Automatically close comments on articles older than 360 days
- CHECK – Enable threaded (nested) comments 5 levels deep
- CHECK – E-mail me whenever: Anyone posts a comment
- CHECK – E-mail me whenever: A comment is held for moderation
- OPTIONAL – Before a comment appears: An administrator must always approve the comment
- OPTIONAL – Before a comment appears: Comment author must have a previously approved comment
- Hold a comment in the queue if it contains 1 or more links.
- USE THE BLACKLIST – The following Google Doc link will give you my current list of anti-spam keywords
- ANTI-MALEWARE SCANS
The best and easiest WordPress plug-in I have found to keep a check on malware is GOTMLS’ – Anti-Malware (Get Off Malicious Scripts)
IMPORTANT: You don’t have to donate to use it, even though it prompts a lot.
REALLY IMPORTANT: You DO NOT have to install it on every WordPress site hosted on the same shared account… If you install a WordPress on your root domain, the domain name your created your HostGator account with, Anti-Malware will then scan all the ADDON domains (AKA folders on that account) very very useful!
*This plug-in will find and repair most wordpress hacks.
- HOSTGATOR ALERTS
Pay a lot of attention to your server alerts, bandwidth logs and error logs.
If you receive a warning from your Hosting Company, ask lots of extra questions as to which domains are affected or causing problems, and get specific reasons and solutions from support staff, rather than the copy and paste answers. If your WordPress website gets hacked it can cause some serious drains on the server you share with other customers and most Hosting Companies will often shut all your websites down without warning.
- SECURE WORDPRESS FROM HACKERS
The basic install procedure of WordPress and Cpanel programs (like Fantastico) create a ‘common ground’ footprint that hackers and hacking software will use to find your WordPress blog and hack its weaknesses. This security breach occurs because they/it know where to look for; your files, your database and table names, and even your default admin user name.
Better WP Security will handle many of those fixes, plus many more, until you learn how to install and secure your WordPress site manually.
*This anti-hack plugin is essential!!!
- DELETE OLD & UPDATE ACTIVE PLUGINS
Old and even unused plug-ins can be an entry point for hackers. If your plug-in has not been updated for a while you should consider looking for something else or try doing without it. Plug-ins create a heap a lag and loading issues on your website and can also be a drain on the server. You may also want to install a caching plug-in (like WP Super Cache) to speed up your website and reduce server load, just be aware that this may cause daily emails if you have the “email me when changes are made to my site” feature of “Better WP Security”.
- DELETE UNUSED THEMES
You only need your active theme. Old and unused themes can become entry point towards your WordPress site being hacked. Delete them!
- EXTERNAL SITE CHECKS
- The first check I do regularly is a Manual one. Simply go to your homepage in FireFox and press CNTRL-F to bring up the search bar. Enter the start of some spam words like VIAG to see if your website has any hidden code sending links back to seedy websites. This will often be the result of wordpress theme hack and the hacker installing an additional PHP file in your includes folder and then calling that up from either your header php file, footer php file, or main home page file. Manually look through your code and check/view any php files that get referenced to… Cpanel is probably the best way to view and edit these files manually. When you find something fishy, delete the reference code and also the nasty php file (after backing up, of course).
- Check to see if Google is displaying any snippet warnings when your Google search your main keyword.
Once clean your site needs to be submitted for review.
- Scan your WordPress site at – http://sitecheck.sucuri.net/scanner/
- Scan your website via – http://siteinspector.comodo.com/
- Check your Google Webmaster Warnings and Health Reports – regularly!!!
- CONTROL THE BOT CRAWLS
These can often put heavy loads on your server.
- Submit your sites to Google Webmaster Tools and Bing
- Slow down the crawl speed
- Note this does not slow down how often they visit just how fast they work when they arrive.
You may also want to block some bots using a Robot.txt or/and your .htaccess file
- BACKUP, BACKUP and BACKUP
Every WordPress website owner needs to adopt a good backup system, so that your can restore your website to a healthy version if it gets severely hacked and you are having trouble cleaning it!
My WordPress ‘double’ backup system:
- Hostgator’s Cpanel backup software to download the Database
- Better WP Security also has an automatic option that can send your database zipped up and to your Gmail account for storage
- FILES and IMAGES
- Zip the main file folder via Cpanel’s file manager and download
- Download (synch) the files to an external hard drive via FireFTP for FireFox or any FTP Software.
If your WordPress site has been hacked, my heart goes out to you, it is a horrible feeling. Just stay relaxed, you can fix it. Just work through all of the options above and your site will come out all the stronger for it!