So, Your WordPress-Based Site Has Been Hacked, Now What?
A while ago our WordPress-based website was hacked and code was inserted into the core WordPress and theme files. The code was meant to redirect visitors to a malware site, but even this was broken and it just killed our site instead.
Although we are a small business, we try to organize ourselves like the big boys in our approach to technology where it makes sense to do so. We may not have a security monitoring center and a team of system administrators running backups, but we take the underlying principles and apply them to our needs.
Our site was offline while we recovered and in a few hours we were back online again with no damage done. We were reasonably prepared for such an eventuality and since this incident we have documented our recovery process to reduce the time and simplify the process.
Unfortunately it is a fact of life that certain visitors to your site have malicious intent and the flexibility and richness of modern web platforms give hackers many options to exploit.
What to do if you have been hacked?
There is loads of advice on Google, but basically perform the following steps. Some might call this overkill, but we prefer to replace everything with a clean configuration.
- Do not panic. Very important, this one.
- Restore your WordPress root directory from a clean backup. This will replace all compromised files and configuration settings.
- Restore your WordPress database from a clean backup.
- Change the FTP password for your site.
- Change your WordPress database password. Remember to update wp-config with the new password.
- Change all user account passwords in WordPress.
- Make yourself a cup of tea and relax
This will hopefully return your site to how it was pre-hack. Obviously there is no magic here, just common sense and backups. Back up as frequently as you need to; we do it daily. A scripted backup job takes care of the WordPress files, themes, media and plugins, and we use a neat WordPress plugin called 'WP DB Backup' to run a scheduled daily backup and send us the result.
What else can be done to prevent it happening again?
Again, Google is your friend, but some obvious tips include:
- Make sure you run the latest versions of WordPress and any plugins
- Use strong passwords
- Use some of the exploit scanner plugins to test your configuration
- Disable or remove any plugins not required
- Make sure file permissions are correct
- BACKUP! – We use wget in mirror mode:
  wget -m "ftp://host.com"
  Keep your login credentials in a .netrc file for easy scripting.
- Like a good boy scout, "Be Prepared"
It makes sense to test your recovery process, and doing this on another machine or domain means you will always have a development instance of your website for testing new plugins and the like before deploying to your production site. We are also testing a health check routine that alerts us if any key files are modified on the web server and allows us to effect a controlled repair.
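A health check of the kind mentioned above can be built from a checksum manifest taken right after a clean restore. The script below is an added example, not our own routine or any plugin's code; the function names, the sample file names and the reliance on GNU sha256sum, sort and xargs are assumptions.

```shell
#!/bin/sh
# Added example: health check that reports changed files in a WordPress tree.
# Assumes GNU coreutils/findutils (sha256sum, sort -z, xargs -0 -r).

# hash_tree DIR: print "<sha256>  ./path" for every file under DIR, sorted by path.
hash_tree() {
    (cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum)
}

# make_baseline DIR MANIFEST: record the known-good state (run after a clean restore).
make_baseline() { hash_tree "$1" > "$2"; }

# check_baseline DIR MANIFEST: print ADDED/MODIFIED/REMOVED lines.
# Returns 0 if the tree matches the manifest, 1 if anything changed, 2 on error.
check_baseline() {
    [ -d "$1" ] || return 2
    current=$(mktemp) || return 2
    hash_tree "$1" > "$current"
    report=$(awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { base[path] = hash; next }
        { seen[path] = 1
          if (!(path in base))         print "ADDED    " path
          else if (base[path] != hash) print "MODIFIED " path }
        END { for (p in base) if (!(p in seen)) print "REMOVED  " p }
    ' "$2" "$current" | sort)
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# demo: constructed sample tree that is tampered with after the baseline is taken.
demo() {
    site=$(mktemp -d) && manifest=$(mktemp) || return 2
    mkdir -p "$site/wp-content/themes/example"
    echo '<?php // constructed core file' > "$site/index.php"
    echo '<?php // constructed theme file' > "$site/wp-content/themes/example/header.php"
    make_baseline "$site" "$manifest"
    echo '// constructed: injected line' >> "$site/wp-content/themes/example/header.php"
    echo '<?php // constructed: unexpected file' > "$site/wp-content/x.php"
    rm "$site/index.php"
    demo_rc=0; check_baseline "$site" "$manifest" || demo_rc=$?
    rm -rf "$site" "$manifest"
    return "$demo_rc"
}

# Run the constructed demo only when asked: sh healthcheck.sh demo
if [ "${1:-}" = "demo" ]; then demo; fi
```

Keep the manifest outside the web root, ideally on another machine, because anyone who can modify the site files could also rewrite a manifest stored beside them.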