Hacking is often done in a way designed NOT to draw attention to the breach. Its often drawn to your attention by Google throwing up warnings to visitors, or by your hosting company blocking access to your website and giving you an ultimatum to clean up the problem within 24 hours, or else…
Don’t panic, because that won’t help! Usually, the hacking efforts I’ve seen relate to exploits of inherent security weaknesses in;
- File or directory permissions, allowing concealment of phishing (most often bank fraud) code in a sub-directory
- Cracking Cpanel or WordPress Admin accounts
The first indication may be;
- An email from Fraudwatch requesting you delete the offending content
- A warning from your hosting company that the site is compromised and in danger of being shut down
- A tip from a friend or client that Google is displaying malware or virus warnings about your website
It is rarer to have an overt, immediately obvious hacking occur. Its mostly an out-of-sight, deeply planted problem that the hacker hopes won’t be discovered for weeks or months. Dealing with the problem is usually a straightforward process, as per the next section.
WordPress Hacking Recovery
In the unfortunate event that your website is hacked and you need fast help, contact me for prompt assistance. I have extensive experience in WordPress website recovery after hacking attacks, regardless of whether the problem is a;
- Blackhole Exploit
- Account takeover
- Admin password compromise
- Phishing attack
- Link injection
- Malware infection
- Virus infection
- Permissions exploit
This usually consumes a couple of hours effort because I will go through and;
- – Check if http://sitecheck.sucuri.net/scanner/ identifies any phishing/virus/malware files
- – Secure the Hosting & FTP accounts by changing passwords
- – Secure WordPress by changing Admin ID and passwords
- – Secure WordPress database by changing DB User ID and Password
- – Replace all core WordPress files
- – Remove / quarantine any suspicious files & directories
- – Install Wordfence; run a scan on all files, configure lockdown settings,
- – Apply User ID & Password restrictions
- – Apply a range of preventive measures to minimise further issues
The goal is to first disinfect the site and then prevent future intrusions.
In the even that you need to get off slow or insecure hosting, I provide website hosting relocation services.
WordPress Hacking Cleanup
Usually, the fastest way to deal with a known breach of WordPress is to Restore the site to its status before the hacking occurred and then harden it – that’s if you do actually have backups… If not…
- Run the Sucuri Scanner (https://sitecheck.sucuri.net/) to try and identify what if any malware has been uploaded and where its hiding…
- Install and configure Wordfence to scan for core files, plugins, themes, images and files outside WordPress and run the scan
- Use the Fix all fixable items and the Delete all deletable items to clean the site
- Use the 1-click update in WordPress Dashboard / Updates to overwrite all core files that may have been compromised
- Where a plugin is implicated. delete the plugin directory, and then upload a new copy
- Where a Theme is implicated, copy your old files across to replace the compromised files
- Install Malcare for a 2nd opinion from outsite the site
Follow that up by viewing the sites files in your Control Panel file manager or an FTP application such as Smart FTP, and look for;
- Files and directories that were altered or uploaded and don’t belong.
- Inappropriate file permissions – e.g. directories should usually NEVER be set to 777 permissions, as this gives access to anyone to do anything… The correct directory permissions for most hosting accounts is 755.
- Unexpected items in /uploads/ or /backups/ directories.
- File Modified dates that don’t match up with any edits, uploads or changes you’ve made
Reconfigure Wordfress Security to;
- Scan files outside your WordPress installation
- Scan images, binary, and other files as if they were executable
- Enable HIGH SENSITIVITY scanning (may give false positives)
Use more than one online scanning service to examine your website. These all have strengths in different areas, and one may identify issues that another might not spot. Try VirusTotal – scan the Home page URL and get a quick report from multiple sources
The overriding goal is:
- Deleting the compromised files and replacing them with the correct versions
- Ensuring secure permissions across directories and files
That must be followed by immediately by:
- Changing the WordPress admin password
- Changing the Cpanel / Plesk / Hsphere admin password
- Changing the FTP access password
- Deleting any “extra” User or FTP accounts that may have been added to provide easy future access for the hackers
Core File Compromises
If the /wp-config.php has been altered in any way, it is wise to reset the WordPress Database User Account password, and add the new password into the /wp-config.php file. This can be done through the Admin Control Panel access to MySQL Database management. In the case of Cpanel its very easy to change the MySQL password.
WordPress Security Implementation
Securing your WordPress business site is a mission-critical risk management strategy. I am able to;
- Install the most appropriate WordPress website security application/s
- Configure the site to give you the best possible protection from hacking attempts
- Enforce strong passwords
- Block illicit brute force login attempts
- Block access from troublesome geographic regions (China,Russia etc)
- Secure the Admin access
Attacks are primarily initiated in Russia, Poland, Germany and India. Generally speaking, its easy to minimise the potential threat by an hour of proactive efforts! Bearing in mind that often, attackers use a VPN to fake their location…
As always – an ounce of prevention is better than a pound of cure!
How to Secure WP
Several basic items need to be addressed as part of securing your WordPress installation.
#1 – A Secure WordPress User ID
The default User ID is “admin” and you should NEVER use that on your site. If you do, it immediately means 50% of the “site access” details are known – Mr Hacker only needs the password now..
A secure User ID contains a minimum of 10 characters containing a mix of upper and lower case with including numeric and special character variations e.g.; #The_Boss#
In addition, you should then assign a User Account “nickname” that gives no clue as to the real Admin User ID (should you use the account to publish any pages or posts.
For example, if the Admin User ID was “#The_Boss#” then using “Admin” as the nickname may prove to be an effective element of confusion… In addition to that, Wordfence allows you to immediately block anyone trying to log in with any specified user names…
#2 – Secure Passwords
Most people foolishly use a password related to their life in some guessable way. Phone numbers, wife’s name, child’s name, dog’s name etc… A little bit of research, a bit of trial and error on the part of a smart hacker or competitor and your site is wide-open!
A secure Password contains a minimum of 10-12 characters containing a mix of upper and lower case with including numeric and special character variations e.g.; #4X~bEwr$5$F
There are several websites specialising in secure password generation…
Always USE one of them if you are short of inspiration!
WordPress Security Plugins
A properly implemented WordPress security plugin will divert the majority of hacker’s efforts – specifically the bot-based ones! In the less likely event that a human-authored attack is made, it is easy to have basic but robust barriers in place that increase the probability of the hacker giving up and going in search of softer target. Time is money…
Wordfence or Block Bad Queries with Limit Login Attempts are my preferred security plugins because both are robust and reliable, easy to configure and cover the most important areas of vulnerability. I also add plugins to;
- Block XML-RPC
- Block REST API
Comment Spam & Bad Links
These contribute negatively to your website’s online profile, and consequently have a negative impact on rankings. Eliminate this easily;
- Don’t allow user registration unless its necessary!
- Don’t allow comments OR trackbacks on pages!
- Close comments on posts after 2 – 4 weeks!
- Don’t allow trackbacks on posts!
Installing and configuring WP Zero Spam is not at all difficult and it effectively screens out the worst of the comment spam garbage!
Maintaining WP Core Files & Plugins
It is crucial that you install WordPress and plugin upgrades in a timely fashion. Whenever a security breach or exploit occurs, fixes are quickly put in place. However, word of the exploit vulnerability quickly circulates amongst the hacking community, and fresh targets are sought.
Use the “Auto-enable updates” setting in WordPress / Plugins to ensure timely updates are done automatically!
Wordfence security scans also ensures you are notified immediately WordPress or plugin upgrades are released AND is polugins re obsolete and/or abandoned, or removed from the WP repository.
WP Technical Support services are at your disposal, all you have to do is ask!