A website is often the result of a lot of labour which involves brainstorming and a lot of development hours. However, like any property in real life, a website needs to be well looked-after from a security viewpoint to protect WordPress from malicious attackers. Online security threats are constantly evolving and adapting to measures taken by webmasters.
Detecting If Your WordPress Website Has Been Hacked
As a WordPress website owner, you should always be on the lookout for any potential signs that point to a hacked website. For example, if your installation has been hacked, Google’s Chrome browser will flag any visitors that the website they are accessing has been subject to a phishing/malware attack.
Web hosting providers scan hosted websites on their servers on a frequent basis. If a scan alerts to a compromised website, the web host will usually take the site down altogether so that the infection does not spread to other websites stored on the same server. The site owner will get an email notifying them of the hack and the take down as a result. In this case, it is important that you have the latest backup ready at hand.
Hackers will often use compromised websites as part of a larger scheme of serving malware to internet users. Unsuspecting users will be served with “phishing links” which will direct them to web pages where the hacker will ask them for important information like credit card numbers, social security and so on. It is always a good idea to have a notice on your website which tells users about the information your website collects. Encourage users to contact you in case they notice some irregular behaviour.
Monitor your Website
Google’s Search Console (previously known as Google Webmaster Tools) is an effective way of keeping track of the security of your website. It is free and easy to setup, so if you have not already, set up the Search Console for your website immediately. It will notify you via email if Google detects malware or any compromising piece of code on your website.
A few best practices for detecting potential hacks are:
- Keep an eye on customer/visitor complaints
- Analyse your website traffic for any unusual spikes or drops in traffic
- Check the load times of your website regularly. If it shows non-routine behaviour, investigate the cause
- Scan the content on your website regularly for any suspect links and unauthorised changes
- See if your site is flagged as infected by Google’s Transparency Report
Source code scanners such as Wordfence are extremely effective at detecting a hack before it is noticed by either your customers, Google or any third party. They regularly scan the code of your website and compare it with a secure version of it. The source code scanner will even point out the infected pieces of code for you so that it is more convenient to diagnose the problem and remove it.
CloudFlare is a nice addition in the security toolkit. For small websites the basic version is completely free. It protects against denial of service attacks, shields your website’s IP and can speed up your website by caching it for you on their servers. So visitors would rarely touch your real site. Service like these are called CDNs or content delivery systems.
To make it harder for a hacker to break into your site you can add additional layers of security:
Non Technical Rules to Safeguard WordPress
- Choose long complicated passwords which cannot be guessed and keep them a secret.
- Don’t use public WiFi without trustworthy VPNs to login to WordPress. Hackers can spy your password if your connection is unencrypted.
- Don’t use public computers. There might be key loggers on them.
- Keep WordPress updated, even if the design should break. Then you need to fix it. A site that is not patched invites hackers.
- Give your admin password only to a developer whom you trust.
- Do backups regularly.
- Keep your Antivirus software update and run it daily.
- Logout after your work is done.
What to do after detecting the hack
If your WordPress website has been compromised, it is best not to panic as you can have it running as it was before the hack following some simple steps. The best way of website recovery is by using a recent backup. A good practice is to make backups regularly and store them on a cloud service such as Dropbox, Google Drive and such. This ensures that even if your web host has been infected, your backups will be clean and secure. If your website is constantly being updated with new content, it is best to take regular backups to ensure minimal loss of data.
A useful and free WordPress plugin for backing up your website is UpdraftPlus. UpdraftPlus can be configured to backup your website at intervals as small as 4 hours and send the backup files to your Dropbox. What’s more, it can store backups in the cloud, so even if your host is infected, your backups will be secure and you can simply redeploy them to have your website up and running. A few other backup plugins/services worth a look are:
- Backup Buddy (Premium WP backup plugin)
- Dropmysite (Paid website backup service)
- Backup & Restore Dropbox (free)
- All-in-One WP Migration Free Basic Version which is simple and easy to use but for each option you need to pay extra.
An additional step you can take in order to determine the source of infection is by running a free virus scan from one of these websites: