Hacked! Prevention & Recovery

If you own a website, the chances of being hacked are real. It happens to big companies as well as small, and most likely you’ve already been affected by a hack. As they say, there are two types of consumers: those who’ve been hacked and those who don’t know they’ve been hacked.

As a website owner, a hacked website means lost revenue and even worse, loss of customer trust. This article will help you know how to protect your site from hackers and if you do get hacked, critical steps you’ll need to take to recover.

How To Protect Your Site

  1. Keep your site updated. If you’ve read Proper Care & Feeding of your WordPress Website, you already know that many if not most updates are security related. Platforms (like WordPress), themes, and plugins all require continual updates in order to address newly discovered vulnerabilities and technical changes. Leaving outdated files on your site is like leaving the door wide open to eager hack attempts.
  2. Install security plugins, when possible. Free or low cost plugins like iThemes Security and Bulletproof Security offer affordable ways to tighten security on your website. There are several technical processes a senior level developer can implement to reduce your chances of a hack, but for many small businesses the cost of the developer may be prohibitive. Using a security plugin may help reduce the need for custom security work. Many hosting providers also offer additional security. It might seem pricey at first but most likely it’s a bargain compared to the costs of having your site down, content destroyed, customer information compromised, and repair services.
  3. Don’t use “admin” or other common usernames. Hackers try common usernames first when guessing their way into a site. Using a common username like “admin” is like putting up a neon arrow that says “Look Here!” pointing at the key entry points of your website.
  4. Rename the wp-content folder on WordPress sites. You’ll want to do this when the site is new, before you’ve uploaded any images that appear on posts or pages, otherwise it could break linked images stored inside the wp-content/uploads/ folder. Like the “admin” username, hackers look for common paths so changing the name of this folder will make access more difficult.
  5. Use strong passwords. I’ve lost track of how many sites we’ve worked on that were hacked due to simple passwords. Here are the rules to a complex, secure password:
    1. 8 characters or more
    2. use both lower and upper case letters
    3. use both numbers and special characters
    4. don’t use the same password for multiple sites
    5. don’t use words that can be found in a dictionary
  6. Remove unused plugins and inactive users. There’s really no point in leaving unnecessary paths into your website by keeping unused extensions or plugins installed or keeping users who no longer need to login to your website. Clutter is rarely a good idea and this applies to your website as well.
  7. Backup your site regularly. If your site does get hacked, restoration will be easier if you have an un-hacked version of your site on hand.
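The password rules in step 5 are easy to state but easy to get wrong in practice, so here is a small checker that applies them. This is an added example, not code from the article or from any plugin it mentions; the word list is a constructed stand-in for a real dictionary (or breached-password) file, the substitution table that undoes “leet” spellings is an assumption about how people weaken dictionary words, and rule 4 (no reuse across sites) is checked against a set of SHA-256 fingerprints of passwords the user has already used elsewhere, which the caller supplies.

```python
import hashlib
import string

# Constructed stand-in for a real word list; in practice load something like
# /usr/share/dict/words or a breached-password list (assumption, not from the article).
DICTIONARY_WORDS = {"password", "welcome", "admin", "summer", "letmein", "wordpress"}

# Common digit/symbol-for-letter substitutions are undone before the dictionary
# check, so "P@ssw0rd" is still recognised as the word "password" (assumed table).
LEET_TABLE = str.maketrans("0134$@!", "oleasai")


def fingerprint(password):
    """SHA-256 of the password; only used to remember which ones were used elsewhere."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def password_problems(password, dictionary=DICTIONARY_WORDS,
                      used_elsewhere=frozenset(), min_length=8):
    """Return the article's rules that the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < min_length:                                   # rule 1
        problems.append("shorter than %d characters" % min_length)
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):                                # rule 2
        problems.append("needs both lower and upper case letters")
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    if not (has_digit and has_special):                              # rule 3
        problems.append("needs both numbers and special characters")
    if fingerprint(password) in used_elsewhere:                      # rule 4
        problems.append("already used on another site")
    lowered = password.lower()
    normalized = lowered.translate(LEET_TABLE)
    for word in sorted(dictionary):                                  # rule 5
        # Reject whole words and words embedded inside the password.
        if len(word) >= 4 and (word in lowered or word in normalized):
            problems.append("contains dictionary word %r" % word)
            break
    return problems


def is_strong(password, **kwargs):
    """True when no rule is broken."""
    return not password_problems(password, **kwargs)


if __name__ == "__main__":
    reused = {fingerprint("Tr0ub4dor&3")}          # constructed: used on another site already
    for candidate in ["password1", "P@ssw0rd!", "Ab1!", "Tr0ub4dor&3"]:
        print("%-14s -> %s" % (candidate,
                               password_problems(candidate, used_elsewhere=reused) or "ok"))
```

The dictionary check deliberately runs on both the raw and the de-substituted spelling: “P@ssw0rd!” satisfies the length, case, number and symbol rules yet is still a dictionary word in disguise, which is exactly the kind of password an attacker’s word list covers first.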

What To Do If You’ve Been Hacked

Your next steps:

  1. Don’t panic. You’re not the first and you won’t be the last. Keep calm and start work on recovery.
  2. Call in your professional support team. You need strong technical expertise as well as someone who is familiar with your site, most likely your web developer or hosting provider. Web designers may not have the technical skills required to find and repair the problem; however, an experienced web developer should be able to help you. You’ll need to provide:
    1. WordPress (or other CMS) login
    2. web hosting login
    3. FTP/sFTP access credentials
    4. any backups you have
  3. Take your website offline. Your web host may have already done this but if not, you’ll want to move it to a secure folder while you assess and fix the website.
  4. Make sure the hack is limited to your site and not the entire web server. Your web host should be able to provide this information.
  5. Scan your local computer(s) for viruses and malware. Sometimes trojans or other infections can come from your local computer to your website. Be sure your anti-virus software is up-to-date, then run the scan.

Your web developer’s steps:

  1. Change your passwords for website logins, databases, FTP, etc.
  2. Download and inspect all of the hacked site files to determine how and when the website was hacked. This information is important to properly clean the site and fix it to prevent future hacks from the same hacker.
  3. Check all plugins or extensions to make sure they are up-to-date and do not have known vulnerabilities. If you’re using a plugin that is no longer updated or supported, consider ditching it for a better, supported plugin.
  4. Check any custom code for security flaws or vulnerabilities.
  5. Clean up the issues and put the site back online.
  6. Update your site to the newest version of your platform (WordPress), theme and plugins.
  7. Test that everything is working.
  8. Backup your new, clean website.
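Step 2 above, inspecting the downloaded files to work out how and when the site was changed, is much faster when you have the clean backup from the prevention list to compare against. The script below is an added example, not code from the article or from any product it names: it hashes every file in a backup copy and in the downloaded live copy, reports which files were added, removed or modified, and lists files whose modification time is later than a chosen point. The fixture it builds (file names, the tampered theme file and the dropped file under uploads, and the timestamps) is entirely constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

OLD_MTIME = 1_000_000_000   # constructed "last known clean" timestamp for fixture files
NEW_MTIME = 1_600_000_000   # constructed timestamp given to the tampered files


def hash_tree(root):
    """Map each file under root (path relative to root) to (sha256 hex digest, mtime)."""
    root = Path(root)
    tree = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            tree[path.relative_to(root).as_posix()] = (digest, path.stat().st_mtime)
    return tree


def compare_trees(clean_root, live_root):
    """Diff the downloaded live copy against the last clean backup by content hash."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    common = set(clean) & set(live)
    return {
        "added": sorted(set(live) - set(clean)),
        "removed": sorted(set(clean) - set(live)),
        "modified": sorted(p for p in common if clean[p][0] != live[p][0]),
    }


def files_changed_since(root, since_epoch):
    """Files whose mtime is later than since_epoch; a first clue to *when* it happened."""
    return sorted(p for p, (_, mtime) in hash_tree(root).items() if mtime > since_epoch)


def build_sample_site(base=None):
    """Constructed fixture: a clean backup plus a live copy with two tampered files."""
    base = Path(base or tempfile.mkdtemp(prefix="hacked-site-"))
    clean, live = base / "backup", base / "live"
    files = {  # constructed stand-ins for a WordPress install
        "index.php": "<?php require 'wp-blog-header.php';",
        "wp-config.php": "<?php define('DB_NAME', 'example');",
        "wp-content/uploads/2015/photo.jpg": "JPEGDATA",
        "wp-content/themes/mytheme/footer.php": "<?php wp_footer(); ?>",
    }
    for root in (clean, live):
        for rel, body in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
            os.utime(target, (OLD_MTIME, OLD_MTIME))
    # Simulate the compromise on the live copy only (both names are constructed):
    # one existing theme file edited, one new file dropped into the uploads folder.
    tampered = live / "wp-content/themes/mytheme/footer.php"
    tampered.write_text(files["wp-content/themes/mytheme/footer.php"]
                        + "\n<?php /* constructed marker standing in for injected code */ ?>")
    dropped = live / "wp-content/uploads/2015/cache.php"
    dropped.write_text("<?php /* constructed marker standing in for a dropped file */ ?>")
    for path in (tampered, dropped):
        os.utime(path, (NEW_MTIME, NEW_MTIME))
    return clean, live


if __name__ == "__main__":
    clean_dir, live_dir = build_sample_site()
    for kind, paths in compare_trees(clean_dir, live_dir).items():
        print("%-9s %s" % (kind + ":", ", ".join(paths) or "-"))
    print("changed after cutoff:", files_changed_since(live_dir, 1_500_000_000))
```

Treat the hash comparison as the authoritative result and the timestamp list only as a hint: whoever altered the files can also reset their modification times, whereas a changed hash cannot be hidden from a comparison against a backup taken before the incident.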

Taking the steps mentioned in the first part of this article will definitely reduce your chances of being hacked. While there is never a guarantee you cannot be hacked, you can certainly take steps to make sure you’re not easy prey. With regular monitoring and backups, if you do get hacked, the repair work will be easier and faster.