Top 10 checklist post WordPress Hack
So you have had the unpleasant experience of a WordPress Hack!
No doubt you do not want to go through this again, so let's go through the ten things you need to do, as a minimum, to protect yourself against further hacks.
1. Backup your website
If you hadn't backed up your website before you were hacked, we bet you wish you had! With a good backup you could simply have restored a clean copy and rolled your website back. So the first and most important step is to arrange regular backups of both the files and the database. WordPress out of the box does not provide scheduled backups, and most likely neither does your hosting provider (check what yours keeps, and for how long). Keep several generations, and keep them somewhere other than the web server: a single backup taken after the break-in contains the attacker's backdoor along with everything else.
To do this you will most likely need a plugin. There are a number of plugins that will do this for you; here are a few (not an exhaustive list) to consider, some paid and some free:
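If your host gives you shell access, you do not need a plugin at all. The script below is an added example (it is not from the original post and is not one of the plugins referred to above): a small bash script that does both halves of a WordPress backup, the file tree and the database, so it can be run from cron and its output copied off the server. It assumes the site lives in a directory that contains wp-config.php, reads the database credentials from that file, and needs mysqldump and gzip on the PATH; the web root and destination directory are the two arguments, and all function names are ours.

```bash
#!/usr/bin/env bash
# Added example: minimal WordPress backup (files + database) for cron.
# Assumes: $1 = web root containing wp-config.php, $2 = backup directory
# (ideally on another disk or host), mysqldump and gzip on the PATH.
set -eu

# Read one DB_* constant from wp-config.php. Handles both spellings that
# WordPress has shipped: define('DB_NAME','x') and define( 'DB_NAME', 'x' ).
wp_config_value() {
  local webroot=$1 name=$2
  sed -n "s/^[[:space:]]*define([[:space:]]*'$name',[[:space:]]*'\([^']*\)'[[:space:]]*);.*/\1/p" \
    "$webroot/wp-config.php"
}

# DB_HOST may be plain ("localhost"), host:port, or empty. Split it the way
# mysqldump wants it. (A unix-socket form "host:/path" is left untouched.)
db_host_name() {
  case $1 in
    '')        echo localhost ;;
    *:[0-9]*)  printf '%s\n' "${1%%:*}" ;;
    *)         printf '%s\n' "$1" ;;
  esac
}
db_host_port() {
  case $1 in
    *:[0-9]*)  printf '%s\n' "${1##*:}" ;;
    *)         echo 3306 ;;
  esac
}

# Archive the whole tree: core, plugins, themes, uploads and wp-config.php.
# Prints the archive path so the caller can check it.
backup_files() {
  local webroot=$1 dest=$2 stamp=$3
  local out="$dest/files-$stamp.tar.gz"
  tar -C "$(dirname "$webroot")" -czf "$out" "$(basename "$webroot")"
  echo "$out"
}

# Dump the database with the same credentials WordPress uses. The password
# goes through MYSQL_PWD rather than -p so it does not show up in `ps`.
backup_db() {
  local webroot=$1 dest=$2 stamp=$3
  local name user pass host out="$dest/db-$stamp.sql"
  name=$(wp_config_value "$webroot" DB_NAME)
  user=$(wp_config_value "$webroot" DB_USER)
  pass=$(wp_config_value "$webroot" DB_PASSWORD)
  host=$(wp_config_value "$webroot" DB_HOST)
  if [ -z "$name" ] || [ -z "$user" ]; then
    echo "could not read DB settings from $webroot/wp-config.php" >&2
    return 1
  fi
  # Write to a file first, not a pipe, so a failed dump cannot leave a
  # valid-looking but empty .gz behind.
  MYSQL_PWD="$pass" mysqldump --single-transaction \
    --host="$(db_host_name "$host")" --port="$(db_host_port "$host")" \
    --user="$user" "$name" > "$out"
  gzip -f "$out"
  echo "$out.gz"
}

# Run both halves, then drop archives older than KEEP_DAYS (default 30).
backup_site() {
  local webroot=$1 dest=$2 stamp
  stamp=$(date +%Y%m%d-%H%M%S)
  mkdir -p "$dest"
  backup_files "$webroot" "$dest" "$stamp"
  backup_db "$webroot" "$dest" "$stamp"
  find "$dest" -type f \( -name 'files-*.tar.gz' -o -name 'db-*.sql.gz' \) \
    -mtime +"${KEEP_DAYS:-30}" -exec rm -f {} +
}

# Usage (e.g. from a nightly cron entry):
#   ./wp-backup.sh /var/www/example.com /var/backups/example.com
if [ $# -eq 2 ]; then
  backup_site "$1" "$2"
fi
```

Point the destination at a directory outside the web root (a backup archive inside it is downloadable by anyone who guesses the name), and sync that directory to another machine or object storage so a second compromise of the server cannot delete your only copies.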
2. Update your website
One of the primary causes of a WordPress hack is attackers getting in through out-of-date WordPress core files, plugins and themes with known vulnerabilities.
- Update WordPress core to the latest version
- Update all plugins and themes
- Remove unused plugins and themes (a deactivated plugin's files are still on the server and can still be exploited)
3. Change your passwords and username
So the hacker has been on your website and infected it with malware and other nasties. You have had that removed and your site is up and running again; don't just sit there and let them back in. They got in through a vulnerability, a leftover backdoor or by guessing your passwords in a brute-force attack, so leaving your passwords unchanged just lets them straight back in, and any password they could have read while they had access (wp-config.php holds the database one in clear text) must be treated as stolen.
Use strong passwords
What is a strong password? Use a long one (length matters more than clever substitutions), and use a password generator to create it. There is no way you will be able to remember it (if you can, it is probably not strong enough), so store it in a password manager such as LastPass. Use a different password for every account: reusing one means a single leak unlocks everything.
So you will need to change passwords for the following:
- Change all administrator passwords within WordPress, and while you are in the user list, look for accounts you did not create and delete them
- Change FTP, SFTP, SSH and cPanel passwords, and switch from FTP to SFTP if your host offers it, since FTP sends your password in clear text
- Change your database password using phpMyAdmin or cPanel, then put the new password into the DB_PASSWORD setting in wp-config.php, or the site will lose its database connection
Do not use 'admin' as a username; change it if you have. WordPress does not let you edit a username from the dashboard, so either create a new administrator with a different name, log in as that user and delete the old 'admin' account (attributing its posts to the new user when prompted), or rename it directly in the wp_users table.
4. Virus Check your PC or Mac
Another very common reason a website gets infected again is the computer you manage it from. You receive emails every day, and if your laptop is not filtering out malware and you then log in to your WordPress site, or have the FTP password saved in your FTP client, the malware can capture those credentials. You can see the problem.
If you already have antivirus software on your local computer, run a full malware scan. If you don't have any, install some straight away. Most antivirus apps are paid, but there are a number of good ones you can use:
5. Shared Servers and Cross Contamination
Here's a big one. If your website is on a shared server, cross-contamination from other sites can be a big problem. You may have had the malware removed, have your site back up and running, and have followed all the recommendations from the company that cleaned it up, but a few days after the clean-up, just when you thought you were protected, BANG, it happens again.
What is Cross Contamination and a Shared Server?
A shared server hosts many customers' websites on the same machine, usually behind the same IP address. Cross-contamination happens when those sites are not properly isolated from each other: if the sites run as the same system user, or your files and directories are writable by everyone, malware on a neighbouring site (or on another, less hardened site in your own hosting account) can write straight back into your freshly cleaned WordPress files. Sharing an IP address is not the problem in itself; shared file-system access is.
Quick initial solution: ask your host whether each site runs as its own user with its files locked down, and if they cannot isolate you, move to a host or a VPS that can. At the same time check the permissions on your own site: no file or directory in the web root should be world-writable.
Hardening up your WordPress installation after a hack
6. Invalidate existing cookies
To invalidate every existing login cookie, and so force all users (including the attacker, if they still hold a valid session) to log in again, replace the authentication keys and salts in wp-config.php with new random strings:
7. Re-Install Plugins
Just to be sure your existing plugins have no remaining infections or open backdoors, delete each plugin and reinstall a fresh copy of the latest version from wordpress.org (or the vendor) rather than relying on the update button: a tampered plugin that is already at the latest version will not be touched by a normal update. Do the same for your active theme.
8. Information Leaks
Don't give the hackers any clues.
Hide the WordPress version. Delete the readme.html file in the root of your installation, and license.txt too, since both identify the release. WordPress also prints its version in a generator tag in the head of every page; removing that is a one-line change in your theme's functions.php. Remember this only hides the version: it does not stop an attacker who simply tries known vulnerable paths, so it is no substitute for updating.
9. Plugin & Theme Editor
If your pesky hacker does manage to get into your WordPress dashboard, what better place to cause havoc than the Plugin and Theme editor, where they can edit PHP files directly from the browser and plant a backdoor without ever touching FTP.
So make sure it is disabled, by setting the DISALLOW_FILE_EDIT constant to true in wp-config.php. If you need the editor for any reason, enable it again and remember to disable it when you have finished.
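Sections 3, 6 and 9 all come down to editing wp-config.php: a new DB_PASSWORD, eight fresh keys and salts, and DISALLOW_FILE_EDIT. Here is an added example (our code, not from the original post or from WordPress) of a bash helper that makes those three edits in place. It assumes the file follows the stock wp-config-sample.php layout, with define( 'NAME', 'value' ); lines and the "That's all, stop editing!" marker, which is where any constant that does not exist yet is inserted; the eight key and salt constant names are the ones WordPress reads, but every function name is ours.

```bash
#!/usr/bin/env bash
# Added example: harden wp-config.php after a clean-up. Assumes the file
# follows the stock wp-config-sample.php layout (define( 'X', 'y' ); lines
# and the "stop editing" marker). Helper names are ours, not WordPress's.
set -eu

# The eight constants WordPress mixes into its cookie and nonce hashes.
# Changing any of them invalidates every existing login cookie.
WP_SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 base64 characters from the kernel RNG; no quotes or backslashes,
# so the result is safe inside a single-quoted PHP string.
random_secret() {
  head -c 48 /dev/urandom | base64 | tr -d '\n='
}

# Read the value of define( 'NAME', ... ), quoted ('abc') or bare (true).
# The first expression handles quoted values, the second bare ones.
wpconfig_get() {
  local file=$1 name=$2
  sed -n \
    -e "s/^[[:space:]]*define([[:space:]]*'$name',[[:space:]]*'\([^']*\)'[[:space:]]*);.*/\1/p" \
    -e "s/^[[:space:]]*define([[:space:]]*'$name',[[:space:]]*\([^'[:space:]][^[:space:]]*\)[[:space:]]*);.*/\1/p" \
    "$file"
}

# Set define( 'NAME', ... ): rewrite the existing line if there is one,
# otherwise insert a new line just before the "stop editing" marker so the
# constant is defined before wp-settings.php loads. $4 = raw keeps the value
# unquoted (for booleans); anything else is single-quoted.
wpconfig_set() {
  local file=$1 name=$2 value=$3 raw=${4:-} line
  case $value in
    *"'"*|*\\*) echo "refusing value with quote or backslash for $name" >&2; return 1 ;;
  esac
  if [ "$raw" = raw ]; then
    line="define( '$name', $value );"
  else
    line="define( '$name', '$value' );"
  fi
  if grep -q "^[[:space:]]*define([[:space:]]*'$name'," "$file"; then
    awk -v q="'" -v name="$name" -v repl="$line" '
      $0 ~ ("^[ \t]*define\\( *" q name q ",") { print repl; next }
      { print }' "$file" > "$file.tmp"
  else
    awk -v repl="$line" '
      /stop editing/ && !done { print repl; done = 1 }
      { print }
      END { if (!done) exit 1 }' "$file" > "$file.tmp" \
      || { rm -f "$file.tmp"; echo "no stop-editing marker in $file" >&2; return 1; }
  fi
  mv "$file.tmp" "$file"
}

# Section 6: new random keys and salts (logs everyone out).
rotate_salts() {
  local file=$1 key
  for key in $WP_SALT_KEYS; do
    wpconfig_set "$file" "$key" "$(random_secret)"
  done
}

# Section 9: turn off the in-browser plugin/theme editor.
disable_file_edit() { wpconfig_set "$1" DISALLOW_FILE_EDIT true raw; }

# Section 3: tell WordPress the database password you changed in cPanel.
set_db_password() { wpconfig_set "$1" DB_PASSWORD "$2"; }

# Take your backup (section 1) first. Then, after changing the password in
# cPanel/phpMyAdmin:
#   ./harden-wp-config.sh /var/www/example.com/wp-config.php 'new-db-password'
harden_wp_config() {
  local file=$1 dbpass=$2
  set_db_password "$file" "$dbpass"
  rotate_salts "$file"
  disable_file_edit "$file"
}

if [ $# -eq 2 ]; then
  harden_wp_config "$1" "$2"
fi
```

Do not leave a copy of the old wp-config.php next to the new one: a file such as wp-config.php.bak is served as plain text by most web servers and hands out the database password to anyone who asks for it.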
10. Keep a clean shop
One of the many reasons hackers get in is old, out-of-date files left lying around on the server: old copies of the site, test installs, backup archives and database dumps sitting in the web root where anyone can download them. Make sure any subdomains or development sites are deleted or cleaned up, and remember that any subdomain you keep needs to be secured and hardened too; a forgotten dev copy is usually the weakest door into your hosting account.
Well, there we have it: what to do after a WordPress hack. Whilst not exhaustive, it will certainly put off the casual hacker. I'm sure people will have many other ideas, but we consider these a pretty good start to securing your WordPress website and deterring an easy WordPress hack!
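The checks in sections 5, 8 and 10 (world-writable files, version-revealing files, and leftover archives and dumps) are easy to script, and the classic backdoor location, a PHP file under wp-content/uploads, belongs in the same sweep. The audit below is an added example written for this page (not from the original post or from WordPress); it assumes the stock layout with wp-content/uploads under the web root, takes the web root as its argument, and prints one tab-separated "category, path" line per finding. The function names and categories are ours.

```bash
#!/usr/bin/env bash
# Added example: audit a WordPress web root for the leftovers and permission
# problems described in sections 5, 8 and 10. Assumes a stock layout
# (wp-content/uploads under the root). Helper names are ours.
set -eu

# Files or directories any user on the box can write to. On a shared host
# that is exactly how a neighbouring compromised account reaches you.
find_world_writable() {
  find "$1" \( -type f -o -type d \) -perm -0002 \
    | while IFS= read -r p; do printf 'world-writable\t%s\n' "$p"; done
}

# PHP in the uploads tree is never legitimate. It is the classic place for
# a dropped backdoor because that directory must be writable by the web server.
find_php_in_uploads() {
  [ -d "$1/wp-content/uploads" ] || return 0
  find "$1/wp-content/uploads" -type f \
    \( -name '*.php' -o -name '*.php[0-9]' -o -name '*.phtml' -o -name '*.phar' \) \
    | while IFS= read -r p; do printf 'php-in-uploads\t%s\n' "$p"; done
}

# Leftover archives, database dumps and editor backups are both a foothold
# (old vulnerable code) and an information leak (dumps are downloadable).
find_leftovers() {
  find "$1" -type f \( -name '*.zip' -o -name '*.tar' -o -name '*.tar.gz' \
    -o -name '*.tgz' -o -name '*.sql' -o -name '*.sql.gz' -o -name '*.bak' \
    -o -name '*.old' -o -name '*~' \) \
    | while IFS= read -r p; do printf 'leftover\t%s\n' "$p"; done
}

# Files in the root that announce the exact WordPress release (section 8).
find_version_leaks() {
  local f
  for f in readme.html license.txt; do
    if [ -f "$1/$f" ]; then printf 'version-leak\t%s\n' "$1/$f"; fi
  done
}

# Run every check; the output is empty on a clean tree.
audit_webroot() {
  find_world_writable "$1"
  find_php_in_uploads "$1"
  find_leftovers "$1"
  find_version_leaks "$1"
}

# Usage: ./wp-audit.sh /var/www/example.com
if [ $# -eq 1 ]; then
  audit_webroot "$1"
fi
```

Run it against every site and subdomain in the account, not just the one that was hacked. Anything it lists under leftover or version-leak can simply be deleted; a php-in-uploads hit should be treated as a live backdoor and kept for examination before removal; a world-writable directory wants chmod o-w and a question to your host about why it was possible.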