In the last seven days I’ve helped a total of ten clients get their hacked WordPress site back online after hackers made a mess with malware and other redirects.
In some cases it’s a simple process … Just run Sucuri’s Website Malware Removal tool through the site and it will clean it up.
However, in other cases there’s a bit more to it than that!
For example, I had one that was so badly hacked they had hijacked the login page which required over taking the wp-admin directory with a custom .htaccess file and some other .php files carefully hidden.
As another example, there was one site that no matter how often you deleted the malware files, they were magically reinstalled with in seconds, and they were everywhere!
Why does this happen?
Usually it has nothing to do with you, your business, or your website. Unless you pissed off your developer!
Hackers just want to take over your hosting and website to redirect search engine traffic to their pharmaceutical sites and porn sites.
In some cases they are also hoping to hijack your SMTP relay server to send massive amounts of spam emails.
Don’t take it personal. Chance are, you were just an easy target.
What makes you an easy target?
Hackers pray on WordPress users…Not because WordPress is a bad application, but because not all users follow good security measures and leave themselves open to attack.
The quickest ways to get hacked…
- Outdated Software (WordPress, Plugins, and Themes)
This is the #1 reason you have a hacked WordPress site!
WordPress is a software application. Do you know of any software that doesn’t have updates? Don’t neglect these updates, it is your responsibility as the site owner to manage your WordPress, plugins and theme updates. If you don’t want to do it, find a good developer who can manage them for you!
- Weak WP Admin User Credentials
If you’re using an easy username and password so that you don’t have to strain yourself to remember it, it’s going to be easy to hack. Use a tool like 1Password to secure your logins and have one click logins to your accounts.
Some things to avoid when setting your user names and passwords.
- domain name
- your name (easily found on published post)
As for passwords I recommend using the Password Generator tool in the profile section.
A couple other thing you can do to help secure your login page.
- Use the Limit Login Attempts Plugin
- Add some form of Captcha
- Hide admin and login page
- Activate Two-Step Authentication
The iThemes Security plugin does offer support for these four things and a bunch more great stuff too!
If you don’t want to get this all setup yourself, just let me know and I’ll get it done for you!
Cleaning up after hackers :-/
It’s just not possible to write an article that will show you how to clear the malware and redirects from a hacked WordPress site, there are too many different possibilities.
These are a few places you could start:
- bb_press (plugin not to be confused with bbpress)
What I recommend is using a solution like Sucuri’s full service (follow this guide here) or iThemes Security to not only scan your site for malware but to provide additional firewalls and protections most hosting providers DO NOT provide!
GoDaddy sells a product called SiteLock, which I’ve used, and it does clean the malware, most of the time. But if you’re going to spend the money, get Sucuri or iThemes Security, you’ll have much better results.
Hands off solution for a hacked WordPress site…
Many of my clients depend on me because they’re not tech savvy and don’t know how to manage their sites and/or issues. Others realize that their time is too valuable to waist trying to unhack their website.
Preventative solutions are always the best. We don’t buy Auto Insurance and Health Insurance because we want to get into an accident or be hospitalized, we do it just incase, it’s pease of mind!
The choice is yours, a few dollars now, or hours of your time and life shortening stress later, get started here!