
How to cope with a WordPress hack

You only start thinking about security once yours has been compromised.

It’s like locking the fridge door after someone has already stolen all your creme eggs.

A while back I discovered my website had been hacked.

I noticed this when my Domain Authority rank suddenly dropped from a healthy 52 to a rather depressing 34.

All my hard work had gone down the toilet. My pages (cached by Google) were peppered with sentences like ‘Buy amoxicillin online’ and ‘Cheap Prozac without prescription’, destroying my carefully orchestrated keyword saturation.

How do I know if my site has been hacked?

If you’re reading this and wondering if your site has been hacked, let me reassure you that generally you’ll know.

I highly recommend setting your site up in Google Webmaster Tools. Google will watch your site for problems and report any it finds back to you.

However, while Google Webmaster Tools is great at telling you about the problem, it is also very good at telling your customers: this is what causes the warning boxes to pop up in your browser when visiting a site. So be sure to fix the problem fast!

Here’s a nifty little tool that can check your site for signs of a hack, or try this one from Sucuri.

Understanding the hack

The hack was one that only appears to Google’s bots (spiders), so the site looked ‘normal’ to my customers, but as far as Google’s organic search was concerned, my site was no longer about ‘SEO copywriting’, or even ‘Sydney copywriter’.

Worse still, my 2nd and 3rd place rankings suddenly dropped out completely and I lost a whole day trying to sort it all out.
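
The cloaking described above can be checked from outside: request the same page twice, once with a normal browser User-Agent and once identifying as Googlebot, strip the HTML and compare the words that come back. The script below is an added example, not code from the original post; the two HTML pages and the spam watch-list are constructed for the demo, and the `fetch` helper is only used when you pass your own site’s URL on the command line.

```python
"""Detect cloaked spam: text served to a search-engine crawler but not to a browser."""
import re
import urllib.request

# Constructed sample pages (not fetched from any real site): the same article as a
# visitor sees it, and as served when the request looks like it comes from Googlebot.
VISITOR_HTML = """<html><body>
<h1>SEO copywriting by a Sydney copywriter</h1>
<p>Tips for writing pages that rank well.</p>
</body></html>"""

CRAWLER_HTML = """<html><body>
<h1>SEO copywriting by a Sydney copywriter</h1>
<p>Tips for writing pages that rank well.</p>
<div style="display:none">Buy amoxicillin online. Cheap Prozac without prescription.</div>
</body></html>"""

# Constructed watch-list of phrases that have no business on a copywriting site.
SPAM_TERMS = ("amoxicillin", "prozac", "without prescription", "viagra", "casino")

TAG_RE = re.compile(r"<[^>]+>")


def visible_text(html: str) -> str:
    """Strip tags and normalise whitespace so two pages can be compared as plain text."""
    return " ".join(TAG_RE.sub(" ", html).split()).lower()


def word_set(text: str) -> set:
    return set(re.findall(r"[a-z0-9']+", text))


def find_cloaked_terms(visitor_html: str, crawler_html: str, terms=SPAM_TERMS) -> dict:
    """Return {"spam_terms": [...], "extra_words": [...]}.

    spam_terms  - watch-list phrases present in the crawler view but absent from the visitor view
    extra_words - every word the crawler view has that the visitor view lacks (catches spam
                  that is not on the watch-list yet)
    """
    v_text, c_text = visible_text(visitor_html), visible_text(crawler_html)
    spam = [t for t in terms if t in c_text and t not in v_text]
    extra = sorted(word_set(c_text) - word_set(v_text))
    return {"spam_terms": spam, "extra_words": extra}


def fetch(url: str, user_agent: str, timeout: int = 15) -> str:
    """Fetch a URL presenting the given User-Agent (only used against a live site you own)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(resp.headers.get_content_charset() or "utf-8", "replace")


GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/120.0"

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:  # python cloak_check.py https://your-site.example/
        url = sys.argv[1]
        report = find_cloaked_terms(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA))
    else:
        report = find_cloaked_terms(VISITOR_HTML, CRAWLER_HTML)
    print("suspicious phrases only the crawler sees:", report["spam_terms"])
    print("words only the crawler sees:", report["extra_words"])
```

One caveat: some injected code decides who gets the spam by the visitor’s IP address or reverse DNS rather than the User-Agent header, in which case this check comes back clean. The Fetch as Google feature in Webmaster Tools (which the post recommends setting up) shows the page as Google actually retrieved it, and Google’s cached copy of the page, which is how the author spotted the problem, is another view worth checking.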

My WordPress hack prevention tips

So, to save you suffering the same fate, here are some recommendations to make your site safe (or as safe as it can be) when using WordPress.

  1. Choose a strong password: mix upper- and lower-case letters, digits and other characters. Make it memorable and unique.
  2. Uncheck the ‘Anyone can register’ box under Settings > General.
  3. Limit the number of users on your website to the bare minimum.
  4. Keep your WordPress installation up to date.
  5. Choose only 4-star plugins: The more well known a plugin is, the more likely it is to be safe (you hope).
  6. Keep all plugins up to date: Old software can be troublesome.
  7. Delete any plugins you are no longer using. (See above).
  8. Consider downloading some security plugins. I now use:
    • Paranoid, which notifies me every time something happens to one of my files (so I know if someone, other than me, is fiddling with it).
    • AskApache Password Protect, which does lots of clever security stuff.
  9. Do all the things recommended in this Security article.
  10. Make sure you have a solid backup set up – I currently use BackupBuddy.

2014 update: Since writing this post I’ve discovered the Wordfence security plugin, which totally rocks.
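
The file-change notification that the Paranoid plugin provides (tip 8) comes down to keeping a hash of every file in the install and comparing against it on a schedule. The script below is an added example, not the plugin’s code or the author’s: `snapshot` hashes a WordPress tree, `compare` reports what was added, removed or modified, and `demo()` builds a small constructed WordPress-like tree in a temporary directory to show the report. The command-line mode takes your real install path and a baseline file.

```python
"""Baseline-and-compare file integrity check for a WordPress tree: the idea behind
file-change notification plugins, reduced to a script you can run from cron."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, skip_dirs=("wp-content/cache",)) -> dict:
    """Map every file under root (path relative to root) to its SHA-256.
    Directories named in skip_dirs are ignored because they change legitimately all the time;
    everything else in a WordPress tree should only change when you update it."""
    root = Path(root)
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        if rel_dir in skip_dirs:
            dirnames[:] = []  # do not descend into this directory
            continue
        for name in filenames:
            p = Path(dirpath) / name
            result[p.relative_to(root).as_posix()] = hash_file(p)
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Files added, removed or modified since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed example: a tiny WordPress-like tree, a baseline, then one change of each kind."""
    root = Path(tempfile.mkdtemp())
    plugins = root / "wp-content" / "plugins"
    plugins.mkdir(parents=True)
    (root / "wp-config.php").write_text("<?php define('DB_NAME', 'example');\n")
    (plugins / "index.php").write_text("<?php // Silence is golden.\n")
    baseline = snapshot(root)
    (plugins / "index.php").write_text("<?php // contents changed after the baseline\n")  # modified
    (plugins / "dropped.php").write_text("<?php // file that was not there before\n")   # added
    (root / "wp-config.php").unlink()                                                   # removed
    return compare(baseline, snapshot(root))


if __name__ == "__main__":
    import sys

    if len(sys.argv) != 3:
        print("usage: wp_integrity.py /path/to/wordpress baseline.json  (first run writes the baseline)")
        sys.exit(1)
    wp_root, baseline_path = sys.argv[1], Path(sys.argv[2])
    now = snapshot(wp_root)
    if not baseline_path.exists():
        baseline_path.write_text(json.dumps(now, indent=1, sort_keys=True))
        print(f"baseline written: {len(now)} files")
    else:
        for kind, files in compare(json.loads(baseline_path.read_text()), now).items():
            for f in files:
                print(f"{kind.upper():9}{f}")
```

Keep the baseline file outside the web root (someone who can write into the site can otherwise rewrite the baseline too), run the script from cron and have it mail you any output, and take a fresh baseline straight after each legitimate WordPress or plugin update so the next run only reports changes you did not make.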

My WordPress hack survival tips

If the worst should happen, then try your hardest not to get your knickers well and truly in a twist.

Instead, keep calm and follow this 7-step guide:

  1. Run a virus check on your desktop/laptop. (I used ClamXav.com for Macs.)
  2. Change your WordPress password.
  3. Change your FTP password.*
  4. Change your database password.*
  5. Read this support article from WordPress.
  6. Read this article from Sucuri.
  7. If all else fails, contact these guys Sucuri.net who will fix your site for approx A$100. (You might have to wait a few hours as they’re based in the US.)

Dealing with the aftermath

When your site is clean and secure again then follow these simple steps:

  1. Change your WordPress password again
  2. Change your FTP password again.*
  3. Change your database password and update your wp-config.php file with the new password*.
  4. Run another virus check on your desktop/laptop, just in case.
  5. If you’re not running the latest version of WordPress, install it now.
  6. Update all your plugins.

*If you’re not sure how to do this, speak to your hosting company or developer.

My site seems to be all better now, and I’ve learnt a lot about how security works and what to look out for.

So thanks Mr Hacker/Virus-making GIT, this was a great learning experience.

Over to you

If anyone has any other security tips I’d love to hear them. Please share below.

Want to have a chat?

If you need a Copywriter, SEO Consultant or Information Architect, then please contact me.


  • Remember, just because you’ve downloaded Paranoid, doesn’t mean they’re not out to hack you! So glad you’re all clean again. :)

  • Via Twitter: Do Back-ups of your database however frequent it may need.

  • C. Andrimitious

    Thank you for this article. I recently got a virus on my website and went into panic mode. I googled WordPress hack and your article came up. Some really useful advice. Thanks, C. Andrimitious.

  • Dan Rippon

    Hi Kate,
    Just adding to what Caleb said above – I’d highly recommend a full backup of everything once you know your site is clean, followed by regular updated backups every week or month (dependent on blogging frequency). Personally I use BackupBuddy and although it costs a bit, I can’t recommend it enough. (It’s also pretty handy for doing site migrations if you’re a dev!)

    • Hi Dan, Thanks for the recommendation. Here’s the URL for anyone who’s interested. http://pluginbuddy.com/purchase/backupbuddy/ At time of writing $45 for two sites. (Why don’t they have a one site option?). So not cheap but a lot cheaper than losing your site altogether! Thanks for commenting Dan.

  • Pingback: 6 shitty things that happened to my business (and the lessons I learned) | Kate Toon

  • Have you checked out http://vaultpress.com/? It might be handy for a site of your size (SEO position) and value.

  • One of the biggest things I see as to why people’s WP sites get hacked is failing to change the file permissions on the files, and in particular the wp-config.php file. If it can be read by visitors, then a WP site can be hacked. There are two ways you can stop people accessing the config files: one is file permissions, so only the server and PHP can access it, which stops outside sources (I usually use 0644, which can be done via FTP); the other is via the .htaccess file. Your web host should be able to do both of these if you can’t (I know you prob can Kate, I just put it here so others are aware).
    This can be put into your .htaccess:
    # Block Access to .ini, .db, .sql, .htaccess Files
    # The <FilesMatch> container is required: on their own, the three directives below deny the whole site.
    <FilesMatch "\.(ini|db|sql|htaccess)$">
      # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" in place of the Order/Deny lines
      Order allow,deny
      Deny from all
      Satisfy All
    </FilesMatch>
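
The comment above keeps web visitors away from wp-config.php with .htaccess, but the file’s Unix permissions decide who else on the server can read it: a mode of 0644 leaves it readable by every other account on a shared host, and the database password sits in that file. The check below is an added example, not part of the post or its comments; it reports wp-config.php modes that leave the credentials readable or writable by other users, and `demo()` exercises it on a constructed temporary file with a placeholder password.

```python
"""Check the Unix permissions on wp-config.php, the file holding the database credentials."""
import os
import stat
import tempfile


def check_wp_config(path: str) -> list:
    """Return a list of findings about the file's mode; an empty list means nothing to report."""
    perm = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if perm & stat.S_IWOTH:
        findings.append(f"world-writable ({perm:04o}): any account on the host can rewrite it")
    elif perm & stat.S_IWGRP:
        findings.append(f"group-writable ({perm:04o}): other members of the group can rewrite it")
    if perm & stat.S_IROTH:
        findings.append(f"world-readable ({perm:04o}): other accounts on a shared host can read the DB password")
    return findings


def demo() -> dict:
    """Constructed example: the same file checked at three commonly seen modes."""
    results = {}
    with tempfile.NamedTemporaryFile("w", suffix="-wp-config.php", delete=False) as f:
        # constructed placeholder, not a real credential
        f.write("<?php define('DB_PASSWORD', 'placeholder-not-a-real-password');\n")
        path = f.name
    try:
        for mode in (0o666, 0o644, 0o600):
            os.chmod(path, mode)
            results[f"{mode:04o}"] = check_wp_config(path)
    finally:
        os.unlink(path)
    return results


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:  # python wp_config_perms.py /path/to/wordpress/wp-config.php
        target = sys.argv[1]
        for line in check_wp_config(target) or ["no permission problems found"]:
            print(f"{target}: {line}")
    else:
        for mode, findings in demo().items():
            print(mode, findings or ["ok"])
```

Run it as the account that owns the site. Where PHP runs as that same user, a mode of 0400 or 0440 (or 0600 if you edit the file in place) is enough for WordPress to work, and the WordPress hardening guide points to those values; if PHP runs as a separate web-server user, the file needs to be readable by that user’s group rather than by everyone, and your host can tell you which group that is.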
