First, let me start out by giving a big F U to hackers. Damn it, they suck. They have made my life (and the lives of many programmers, web developers, etc.) incredibly difficult throughout my career. Ok, whew, I feel better. Second, there are a lot of ways to hack into a website. I realize that there are a lot of ways to secure a site, from better hosting to needing a security expert. The following are the steps that I used in a particular instance after a hacking. I hope that it helps if you have just been hacked.
Now, my client had built the site himself, and hadn’t thought too much about security. I mean, why would he? It didn’t handle credit cards or take visitors’ personal information. The site was only supposed to have 4 pages. My client also never used an analytics program, never signed up for Google’s Search Console (formerly called Webmaster Tools), and was completely unaware that this problem existed before he received the email. In Google search results, the site had been flagged with a notice saying “This website may be hacked.” Yeah, again bad news. So, to fix this problem, here are the steps that I followed.
Sign up for Google Search Console
Since Google had already flagged the site, I figured that there could be some extra information in Google’s Search Console. Signing up is easy if you haven’t already, and you can get some great info about your site there. As described in a previous post, you can also submit a sitemap through Search Console to help Google crawl the pages on your site that you want Google to see. Anyway, there were messages there for my client’s site stating that it might have been hacked, along with steps to follow to help clean up the site. Another thing that you can do is type “site:http://example.com” (obviously inserting your own domain) into Google and see all of the pages of your site that Google has indexed. This can also help out in other areas, since it shows exactly what Google sees on your site. I used both of these methods to find out just how bad the problem was. It wasn’t pretty.
The version of WordPress that my client was using was quite outdated. The great programmers behind WordPress are pretty quick to patch holes in the security of the software. I believe that one of the ways that the hackers may have gained entrance is through an old bug or a hole that had since been patched. Always make sure to keep your WordPress site updated along with any plugins that you are using. Always make sure to make a backup copy of the site before upgrading anything, just to be safe.
Yes, it sucks, but you have to change your password. Yeah, I know that it will be hard to remember a new password that isn’t your dog’s name and the year that you were born. I get it. But, just like any time that your email may get broken into, you really need to change your passwords. There are great password management apps and software out there that will manage the passwords and remember them for you. So go ahead and use a randomly generated 18-character password that uses numbers, symbols, and upper and lowercase letters.
One of the plugins that I discovered through helping return the website to normal is a security plugin called Wordfence. There is a free version and a premium version available, but the free version had what I needed in the short term. This plugin will scan your website and compare the WordPress files on your server to the files from WordPress itself. If something is different, then it could be a sign that it was altered by hackers. It also monitors all traffic to the site and shows, in real time, each visitor’s IP address and country, what page they are trying to access and when it happened. You can also see all attempts to log in to your admin section. This part was actually quite terrifying as there were several attempts from Russia and Ukraine every few seconds. Through Wordfence, there are ways to permanently block users by their IP address, although it can be easy for them to keep trying through other IP addresses. The plugin can even email you when too many failed attempts are made to log in, just to keep you updated (or frightened).
To make it even more difficult for hackers to log in to the admin section, I found a premium plugin called Hide My WP which can make your WordPress site appear as though it isn’t a WordPress site. The look of your website won’t change, but there are several tell-tale signs that a site is using WordPress, and hackers can zero in on those. One feature that I love is that you can hide the WordPress login page and turn it from mysite.com/wp-login.php to mysite.com/wp-login.php?somethingelse=1234. It’s going to be pretty difficult for a hacker to guess that page, and if they do, it is easy for you to change it to something else.
Deleting and repairing hacked files
Doing a “site:” search, as I described above, will let you see the pages that Google sees. This can show you the additional pages that are being generated through your website by the hacker’s code. What the hackers did on my client’s site was create a new file titled wp-update.php. They could then generate a ton of pages, each with unique content, by adding “?page=” followed by a string of characters, which then referenced a bunch of files that were hidden in fake plugins. Once I removed the wp-update.php file (which I double-checked first to make sure it wasn’t a core WordPress file) along with the fake plugins, the pages couldn’t be produced any longer. Using the Wordfence plugin will help you find the files that don’t belong or have changed when they shouldn’t have. You will need to do a little bit of work to find some of the pages (like the wp-update.php file), but it is worth the work to secure your site.
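The two checks described above, comparing the files on the server with what a WordPress release ships and confirming that a file such as wp-update.php is not a core file, can be done with a checksum manifest. This is an added example, not Wordfence's code or part of the original post; it assumes a manifest that maps each core file's relative path to its MD5 for the installed version, and the function names and stand-in files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")  # trees owned entirely by core
LOCAL_OK = {"wp-config.php"}             # site-specific, never in a manifest


def audit_core(site_root, manifest):
    """Return sorted (modified, missing, unexpected) relative paths."""
    root = Path(site_root)
    modified, missing = [], []
    for rel, expected in manifest.items():
        if rel.startswith("wp-content/"):
            continue  # bundled themes/plugins get updated or removed
        target = root / rel
        if not target.is_file():
            missing.append(rel)
        elif hashlib.md5(target.read_bytes()).hexdigest() != expected:
            modified.append(rel)
    # Files in the web root (*.php) or a core tree that the manifest lacks.
    found = list(root.glob("*.php"))
    for d in CORE_DIRS:
        if (root / d).is_dir():
            found += [p for p in (root / d).rglob("*") if p.is_file()]
    rels = {p.relative_to(root).as_posix() for p in found}
    unexpected = rels - set(manifest) - LOCAL_OK
    return sorted(modified), sorted(missing), sorted(unexpected)


def constructed_demo():
    # Constructed stand-in files and manifest, not real WordPress content.
    clean = {"wp-login.php": b"<?php // a", "wp-includes/version.php": b"<?php // b"}
    manifest = {rel: hashlib.md5(data).hexdigest() for rel, data in clean.items()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-login.php").write_bytes(clean["wp-login.php"])
        (root / "wp-includes/version.php").write_bytes(b"<?php // b + injected")
        (root / "wp-update.php").write_bytes(b"<?php // dropped file")
        (root / "wp-config.php").write_bytes(b"<?php // local settings")
        return audit_core(root, manifest)


if __name__ == "__main__":
    print(constructed_demo())
```

The plugin and theme directories under wp-content are outside this check and need a separate review. On a server with WP-CLI installed, `wp core verify-checksums` performs a comparable check of core files against the checksums published by WordPress.org.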
After these changes, Google only took a few days to remove the “This website may be hacked” notice after I submitted a form through Search Console asking them to take another look at the site. I had to describe the steps that I took to remove any hacked files when submitting the form. I continue to monitor the site to make sure that there aren’t any new unwanted entries to the admin section, and so far, so good. If you have any other steps that you have used in the past or if you have other plugins that you recommend, please leave them in the comments. If you need help with your website, SEO, or any other digital marketing services, feel free to drop us a line. If you are a hacker, sorry about the whole F U thing from before. I wasn’t hugged enough as a child, or something. Let’s be friends, ok?
Langdon Siggelkow (rhymes with Giggle Show) is the Founder and Mayor of BuzzTown. A website designer and developer since 1996, Langdon has no problem typing this in the third person so that it seems like someone else is saying great things about him. He was a working Stand Up Comedian for several years and wants to add humor to discussions on creative inbound marketing strategies. Langdon has spoken at several events about using Social Media, Inbound Marketing, and creative ways to be memorable.