Usually a client contacts me in a state of panic because something horrible has happened, like this…
Yup, it’s likely his/her website might have been hacked.
As I begin an investigation, one of the first things I do is to check what Google knows. When I see this message in the Google search results page, my heart shrivels with anxiety:
Can there be any digital marketing punishment worse than having every Google Search Engine Result Page (SERP) link to your website show an ugly “This site may harm your computer”?
How can it be fixed? Let me tell you a recent tale of woe…
Usually a client only has one infected website. This particular one had 4, all on the same host, that began to trigger web browser “malware” warnings and the Google SERP was showing “This site may harm your computer” within every organic link.
*sigh* There are words, but I choose not to use them in polite company.
It was a lot of time backing up 12 GB of files & databases, cleaning up 12,000+ mysterious files, changing all passwords for hosting/WordPress/MySQL/FTP/etc., changed WP salts, updated all themes/plugins, deleted unnecessary themes/plugins, deleted unnecessary user accounts, switched to a better security hardening plugin (enabled nearly every possible setting). Then I tried new site scans looking for anything I missed. When confident, I submitted each website to be reviewed by Google using the Google Search Console. Instructions said it might take up to 72 hours for review. Fortunately each was reviewed and approved in less than 24 hours. Whew!
Why did this happen? What can I do?
There are numerous hows and whys explaining why your website would be hacked. This video by Google is a good reference.
PREVENTION = Passwords + patching + monitoring + backups
I have no idea how many people have noodled around in that client’s server and WordPress accounts over the years, so I’m not surprised that there could’ve been exploitable opportunities. Website security is not compatible with a “set-it-and-forget-it” mentality.
Did you ever read Zen and the Art of Motorcycle Maintenance? It contains various lessons on how being proactive at fixing leaks or motorcycles can prevent bigger hassles down the road. Basically, a bit of preventative maintenance helps you enjoy more time on the road, rather than being stuck on the side of the road.
I take a lot of extra steps to protect my servers and client websites. Nothing is perfect, but I do my best so we don’t make it easy for something horrible to go wrong. I’m fortunate to report our hosting has never been compromised due to our lack of vigilance. But clients with their own hosting and lack of experience can unwillingly make things insecure.
For Pete’s sake, will you use a strong password already!
The worst ongoing offense I witness is regarding passwords. You are asking for trouble by:
- Having short, simple passwords.
- Using the same password everywhere (because it’s easier).
- Emailing your login credentials to various people. (Please, at least break it up into 2 separate messages. Perhaps use SMS.)
How to fix? Just do the opposite of the above. Here are some more password security tips.
Lock it down tight
There are some very useful free and low-fee security plugins for WordPress that can block many exploit methods. (i.e., code injections, readable folders, writable files, login page attacks, various types of probing, etc.) Check them out, read the reviews, install one and follow the instructions to lock down your website. Be mindful that installing several might be counter-productive in case they create conflicts among themselves.
What’s secure today may no longer be secure tomorrow. As web browsers get updated with new features, vulnerabilities may be exposed in older web technologies. So…
- Patch your Content Management System – WordPress
- Patch your theme
- Delete unnecessary themes
- Patch your plugins
- Deactivate rarely used plugins
- Delete unnecessary plugins
- Change your WordPress salts
Yes, it is a hassle.
Here are some Google resources that may be of help to you:
Website health monitoring tools
Utilizing a variety of good monitoring tools can help you respond quickly when something is afoot.
- Daily malware scans.
- Ping your website from random locations.
- Google Search Console
In the event of a hacked website, the easiest road to recovery is to delete everything and reinstall the last clean backup of your database and files. In order to do that you need to:
- Have a dependable backup utility.
- Make complete backups frequently.
- Store several recent copies elsewhere — not on the infected hosting server.
So what’s it going to be?
Put some proactive energy into web maintenance? Or be ready to freak out?