It’s all fun and games until you notice something is wrong with your website. The symptoms could be one of the following:
- You get a “This site can’t be reached” message when entering your URL
- Random pop-ups appear on random pages while you are navigating your site.
- Random files and folders suddenly appear in your web folder
- Random new user accounts have been created
- Your WordPress Admin account has been removed
- Files you do not recognise have been uploaded to your FTP account
- When you Google your site, the result says: “The site may be hacked”
There could be other signs that your WordPress site has been hacked, but those are the most common ones.
Reasons why you have been hacked
While it could be done by someone who has access to your WordPress backend or your hosting control panel (like a disgruntled ex-developer), there are other reasons why your website is vulnerable to attack.
- You have a weak & easy to guess password
- Your plugins and theme files are outdated
- You are using nulled plugins and themes
- You never set up security solutions on your WordPress installation
What should I do if I’m hacked?
If your hosting provides scheduled backups, you can contact them to revert to the last working version of your website. If you don’t have backups, you may find a web design company who can recover your website. This is done manually and can be technically challenging, depending on the size of your website.
Here are my 5 rituals for ensuring a secure website:
1) Strong username and password
What passwords and condoms have in common:
- You don’t reuse it
- You don’t share it with others
- You don’t use the same one as the others
- If you’re in doubt, change it
Stop using ‘admin’ as your admin username, silly. Pick a username that is not common and that nobody could guess from looking at your Instagram or Twitter handles. Your username shouldn’t have anything to do with your personal information.
The same goes for your password. Use uppercase letters, lowercase letters and various other characters to strengthen your password. I also recommend that you regularly change your password, especially if you have shared it with freelancers or anyone you hired to make changes before.
If your site has a lot of outdated plugins, there could be security holes where hackers can break into your system. Therefore, it is important that you keep your plugins and WordPress updated. Updated plugins improve the load time too. Keep auditing your plugin list and remove any redundant plugins.
I recommend using Siteground as a hosting provider and I have used them for our clients for many years. They have daily backups and 99.99% uptime on their servers. Prices are very reasonable and their control panel is user-friendly and easy to use. Their support is effective and competent. Based on my experience, in some cases, they will help in restoring your site if it gets hacked.
4) Install Wordfence
Wordfence is one of the most downloaded security plugins for WordPress. It has a number of smart features to protect your website from common hacker attacks. Wordfence is easy to use, so you do not have to be a rocket scientist to use it. Installing Wordfence will significantly increase your website security.
Some of the features that I like include:
- Perform a virus scan of your entire site and get a report.
- Block IP addresses and countries from accessing your website
- You receive an email every time a user logs in to your website. Here you can see the user’s IP, hostname, location and username.
- Built-in firewall to protect your site from unwanted traffic.
I cannot emphasise this one enough. You might purchase the best theme and plugins, hire the best web developers and use the best hosting solutions, but if you don’t schedule backups for your site, all your investments will go down the drain once your site has been hacked.
There are lots of backup solutions out there, but I really like UpdraftPlus because it’s simple and just works in most cases.
None of these rituals is very technical, because I want everyone to be able to understand and perform the security checks themselves. However, there are some advanced solutions that you can perform. E.g. you can limit write permissions on files and folders so the wrong people cannot get in and overwrite your files.
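One way to carry out the write-permission tightening mentioned above, as an added example that is not part of the original post. The modes used (755 for directories, 644 for files, 600 for wp-config.php), the function names and the sample tree are assumptions chosen for illustration; your host may need different values.

```shell
#!/usr/bin/env bash
# Added example: audit and tighten write permissions in a WordPress tree.
# Modes 755/644/600 are assumed defaults; adjust them to your host's setup.

# Print files and directories that group or others can write to.
find_loose() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print | sort
}

# Directories 755, files 644, wp-config.php 600 (it holds DB credentials).
harden_tree() {
    local root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then chmod 600 "$root/wp-config.php"; fi
}

# Constructed sample tree (not a real site) so the script runs offline.
make_sample() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    echo '<?php' > "$d/wp-config.php"
    echo '<?php' > "$d/wp-content/uploads/x.php"
    chmod 777 "$d/wp-content/uploads"
    chmod 666 "$d/wp-config.php" "$d/wp-content/uploads/x.php"
    echo "$d"
}

# Usage: script [path] [fix]. With no path, run a demo on the sample tree.
root="${1:-}"; fix="${2:-}"; sample=""
if [ -z "$root" ]; then root=$(make_sample); fix="fix"; sample="$root"; fi
echo "Writable by group/others under $root:"
find_loose "$root"
if [ "$fix" = "fix" ]; then
    harden_tree "$root" && echo "Still loose after hardening: $(find_loose "$root" | wc -l)"
fi
if [ -n "$sample" ]; then rm -rf "$sample"; fi
```

Mode 600 on wp-config.php only works when PHP runs as the file's owner; if your web server runs as a different user, the file needs to stay readable by that user.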
Remember to keep your plugins and theme updated. Outdated files may have security holes, making your site vulnerable to attack.