Hi. So, today I want to talk to you about what to do if your blog gets hacked. When I say ‘if’, what I really mean is ‘when’, because honestly, it’s going to happen. It happens so, so often, and I feel like I really need to share some advice on this topic. In the last few weeks, I’ve worked pretty much solidly to clean up and restore at least three hacked websites and I’m noticing a worryingly similar pattern. Be warned, this is a long (but important) read.
Security. Or lack thereof. Actually, not even just that, a lack of maintenance, which is something that really needs addressing to help keep us all safer online.
But first, a disclaimer. I’m no expert on these things, but I have learned a lot about keeping websites secure over the last few years. I’m also very lucky to have a web developer expert pal to run things past when it goes too far west for me to keep up with. So in short, I’ve spent a lot of time in the front and back end of WordPress over the last five years or so, and I’ve seen this happen multiple times.
I really wanted to title this post ‘why the fuck aren’t you taking your WordPress security seriously enough?’ but then I realised that probably wasn’t very SEO-friendly. I also realised that actually, it wasn’t very fair of me either.
I forget sometimes that not everyone thinks about this stuff as much as I do. I also forget that most bloggers and website owners don’t actually know a great deal about their own websites and that I only do through learning the hard way. That sounds twatty of me probably, but it’s true.
Why Does This Matter?
The reason I’m writing this is not to put out some kind of thinly-veiled advertorial of my services (although, you know, please hire me). No, I’m writing it because there are some great bloggers out there who are simply considering pulling the plug on their work because they’re being targeted by hackers so often.
That’s not right. It is a hard thing to get your head around, and to be fair, not every blogger actually wants to. But if you have a website, I’m afraid that’s not really an option. You have to get better at this stuff if you want to keep control of your hard work.
More importantly, allowing your blog or website to become susceptible to hackers because of your own ignorance around security is really dangerous. You might think that sounds harsh but think about it like this. You may have the contact details of hundreds of subscribers logged in your website. They’ve given you consent to process their data via GDPR. If a hacker gets in and steals all of that information for their own uses without your knowledge…who do you think is to blame for that?
Yep. You are, and that’s just the tip of the iceberg of risk here, my friends.
So today I’m going to share some advice on what to do if your blog gets hacked, and what you need to know to stop it from happening again. Buckle up, because this is going to be jam-packed with some hard truths. I apologise if any of this comes across a bit patronising, but I’ve worked with a lot of bloggers who, understandably, really do struggle with this side of things. Hopefully, this post will help empower people to get more proactive about their WordPress security.
What To Do If Your Blog Gets Hacked
First things first – how do you know if your blog has actually been hacked? Well, a good indicator is usually that your readers start noticing pop-ups or links taking them off to third-party sites. Sometimes it could be a pop-up that looks like ‘allow notifications’, sometimes it could be a redirect to a completely different page altogether. Put it this way, if there are strange things happening in your website that you didn’t put there yourself, then chances are you’ve been hacked.
If you suspect a hacking, the first thing you should do is reach out to someone you know who can investigate it for you. Not tooting my own horn here, but if you’re concerned about this at all, drop me a message and I can have a quick look for you.
If you’d rather do it yourself, then a good place to start is with a basic site check from an external scanner such as Sucuri. You can run your website through this tool at https://sitecheck.sucuri.net/ and you’ll get an instant answer as to if and how badly you’ve been hacked.
It’s Not Looking Good
Ok, you’ve ascertained that your site is compromised, now what?
Now I want you to grab a strong coffee and bear with me. Your website isn’t beyond repair (hopefully), but before we start you need to take a good look at some things. First on your to-do list is to make a backup. If you have a backup plugin installed, use it now and keep that file on your computer. If you don’t, you should be able to get one from within your hosting control panel. If you’re still not sure, ask your host.
You might not need a backup plugin if your host has regular backups enabled within the control panel, so if in doubt, ask them. Usually, you’ll be able to tell by accessing your control panel and looking for something like ‘database backups’, ‘file rollback tool’ or ‘directory backups’, but if you’ve never done that or have no idea how, the best thing to do is reach out to someone who can help you.
The next thing is to check on your updates icon. If you look up in the top left corner of your WordPress dashboard, you’ll see the updates icon. Be honest, how many do you have pending?
I cannot, cannot stress enough how important it is that you keep on top of these updates. Nine times out of ten, hackers find their way into your blog via an out-of-date plugin or theme. Think about your whole website like this and hopefully, it will start to make sense.
Your website is a car. Bear with me. The parts of your car are as follows:
- Database – this is your car’s engine, without it, your car won’t work at all
- Files (posts and photos etc) – these are all of your car’s interior, they look smart and make up the inside of your car – without them your car will work, but it’ll look and feel a bit shit
- Themes – these are your car’s body/exterior, they make your car look all slick and shiny but they need to be kept clean and free of chips, dents and bird shit (see where I’m going here?)
- Plugins – these are your car’s tyres, they help your car to run smoothly, but if you don’t maintain them regularly, they get punctures in them. Then, if you keep driving on knackered tyres, a whole load of unwanted crap gets sucked up into the inside…and eventually, they burst and your car grinds to a halt.
It is VITAL that you maintain your car’s body, tyres and interior at the very minimum. It’s absolutely fine if you don’t want to touch the engine, you’re better off leaving that to an expert anyway, but those three things you need to keep on top of.
How To Keep Your Car Working Properly
This is honestly a piece of piss and it amazes me that people forget to do it so often. Every time you log in, check for updates. If you see the update arrows in the top left corner, update immediately. Always, always, always prioritise plugin and theme updates. It’s so important and is one simple way to keep attackers out.
Next, you need to review your choice of themes. Not all themes are as secure and safe as you might think. I’ll probably get some shit for saying this, but I would never buy an externally made, third-party theme. By this I mean ones you can buy outside of WordPress, i.e. off Etsy or from another website. The reason for this? Lack of updates. Lack of security testing.
Not All Themes Are Equal
When a theme is uploaded to the WordPress repository, it has to go through a rigorous set of tests before WordPress will allow it to be released into use. The themes you can download from the WordPress library have all had to meet the required security standards before being declared fit for use. A third party or external theme does not. Another thing about using pre-bought or external themes is that once you’ve uploaded and unzipped it, that’s usually it.
External themes don’t tend to come with additional updates. As time goes on, your theme’s quality and security naturally deteriorate, because it was sold as-is at the point of purchase, without additional support for updates. You’re essentially driving a car with paintwork that might look shiny and slick for the first few months, but after a year, two years, or longer, the chips are starting to show and the bird shit is seeping into the cracks.
WordPress themes are updated as frequently as their developer releases new versions. You can always be sure that your car’s paintwork looks shiny if it’s being regularly cleaned up and improved by the person who sold you the car in the first place. That’s what you get with a guaranteed WordPress theme, one that has come through WordPress itself. Please don’t buy external themes. They might look pretty but in the long run, they’re going to cause you a ton of grief, especially as the hackers start to spot chinks in your paintwork.
Remove Anything That Hasn’t Been Updated In The Last Few Months
By now you’re hopefully getting an idea of why regular maintenance is so important when it comes to preventing blog hacks. But, we’ve already crossed into hacker territory, so let’s start with some fixes.
Go into your ‘Plugins’ tab and look at how many you’ve actually got. When were they last updated? If you’re not sure, you can click on the ‘view details’ option and it’ll tell you on the popup screen when they were last updated by their developer. Anything that hasn’t been updated in the last year, bin. I don’t care if it’s something you think you can’t live without. Bin it. You can always find a more up to date replacement.
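If you’d rather not click ‘view details’ on every plugin one by one, the same ‘when did the developer last touch this?’ check can be scripted. The example below is added here and isn’t from the original post or from WordPress itself: it asks the wordpress.org plugin information API for each plugin slug and flags anything whose last release is older than a year (or that has been pulled from the directory altogether). The `last_updated` field and its date layout are an assumption about that API’s response, and the `CONSTRUCTED_RESPONSES` dictionary is made-up sample data so the script runs offline.

```python
"""Flag installed WordPress plugins that haven't had a release in over a year."""
import json
import urllib.request
from datetime import datetime, timezone

# Real wordpress.org endpoint; the shape of its JSON reply is assumed, not taken from the post.
API_URL = ("https://api.wordpress.org/plugins/info/1.2/"
           "?action=plugin_information&request[slug]={slug}")


def fetch_plugin_info(slug):
    """Live lookup (needs network). Swapped for a fake in offline use."""
    with urllib.request.urlopen(API_URL.format(slug=slug), timeout=10) as resp:
        return json.load(resp)


def parse_last_updated(value):
    """Assumed format: 'YYYY-MM-DD 8:15pm GMT'. Only the date part is used."""
    return datetime.strptime(value[:10], "%Y-%m-%d").replace(tzinfo=timezone.utc)


def stale_plugins(slugs, fetch=fetch_plugin_info, max_age_days=365, now=None):
    """Return [(slug, last_updated_date, age_days)] for plugins past max_age_days.

    A plugin with no last_updated field (closed or removed from the directory)
    is reported with None values: if the author has walked away, so should you.
    """
    now = now or datetime.now(timezone.utc)
    stale = []
    for slug in slugs:
        info = fetch(slug)
        if "last_updated" not in info:
            stale.append((slug, None, None))
            continue
        updated = parse_last_updated(info["last_updated"])
        age = (now - updated).days
        if age > max_age_days:
            stale.append((slug, updated.date().isoformat(), age))
    return stale


# Constructed sample replies standing in for the live API.
CONSTRUCTED_RESPONSES = {
    "fresh-plugin": {"last_updated": "2024-05-01 8:15pm GMT"},
    "dusty-plugin": {"last_updated": "2021-02-10 3:00am GMT"},
    "closed-plugin": {"error": "Plugin not found."},
}


def fake_fetch(slug):
    return CONSTRUCTED_RESPONSES[slug]


def demo():
    """Run the check against the constructed data as of a fixed date."""
    as_of = datetime(2024, 6, 1, tzinfo=timezone.utc)
    return stale_plugins(list(CONSTRUCTED_RESPONSES), fetch=fake_fetch, now=as_of)


if __name__ == "__main__":
    for slug, updated, age in demo():
        print(f"{slug}: last updated {updated}, {age} days ago -> bin it")
```

To run it for real, replace the slug list with the folder names under `wp-content/plugins` and drop the `fetch=` argument so the live lookup is used.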
Would you keep driving a car with punctured tyres?
The same goes for themes; anything you aren’t actually using on your live site needs to be deleted. If you leave them in, they’ll become susceptible to hackers. Keep your blog lightweight and up to date at all times.
Get Rid Of All Your Spam Comments
They’re like a breadcrumb trail for hackers. If you leave them in your ‘spam’ section but never actually delete them, they’re still there, waving a big old ‘come and get this sucker over here’ flag to the hackers who look for vulnerable targets. If you’re not sure whether or not a comment is spam, make sure you’re using a decent, up to date spam detection service (not necessarily Akismet) to keep it all cleared out.
If you have to go through and check them all manually, that’s what you have to do. You need to clean everything, thoroughly.
Check Your Uploads
One of the places that hackers like to put their malware code is in the uploads folder of your website. One way to check if they’ve done this is to look in your media library, and check what’s in the ‘description’ or ‘caption’ boxes. If they’re empty, that’s good, if not, well…we’ve got some work to do.
The same goes for your posts. This might be trickier to spot, especially if you’re a blogger who likes to use Classic Editor. Personally, I can’t stand it, but each to their own. For this, you might need to check via the ‘source code’ option in Classic Editor, or by checking the post in the text editor rather than the visual composer. If you can see some dodgy-looking scripts at the bottom of your posts that you didn’t put there, you can expect it to be in every post and page you’ve got.
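Two of the tells described above can be checked with a script rather than by eye: PHP files sitting in `wp-content/uploads` (a folder that should only ever hold images and documents), and `<script>` or `<iframe>` tags in post content that are inline or pull from a domain that isn’t yours. This is an added example, not code from the post or from WordPress; the list of executable extensions is my assumption, and the uploads tree and post HTML it scans are constructed in the script so it runs offline.

```python
"""Spot executable files in the uploads folder and off-site scripts in post content."""
import os
import re
import tempfile
from urllib.parse import urlparse

# Assumed list of extensions a PHP handler might execute; anything matching
# (including double extensions like image.php.jpg) has no business under uploads.
EXECUTABLE_RE = re.compile(r"\.(php\d?|phtml|phar|pht)(\.|$)", re.IGNORECASE)

TAG_RE = re.compile(r"<(script|iframe)\b([^>]*)>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def find_executable_uploads(uploads_root):
    """Relative paths of files under uploads whose name looks executable."""
    hits = []
    for dirpath, _dirs, files in os.walk(uploads_root):
        for name in files:
            if EXECUTABLE_RE.search(name):
                hits.append(os.path.relpath(os.path.join(dirpath, name), uploads_root))
    return sorted(hits)


def find_injected_tags(post_html, site_host):
    """(tag, src) for script/iframe tags that are inline or load from another host.

    Off-site tags aren't automatically malicious (embeds exist), but a post you
    didn't put them in is exactly the sign the text above describes.
    """
    findings = []
    for m in TAG_RE.finditer(post_html):
        tag, attrs = m.group(1).lower(), m.group(2)
        src = SRC_RE.search(attrs)
        if src is None:
            findings.append((tag, None))          # inline script: a normal post needs none
            continue
        host = urlparse(src.group(1)).hostname or ""
        if host and host != site_host:            # relative paths are same-site, skip them
            findings.append((tag, src.group(1)))
    return findings


def build_constructed_uploads():
    """Create a throwaway uploads tree with two clean images and two planted files."""
    root = tempfile.mkdtemp(prefix="uploads-")
    layout = {
        "2024/03/holiday.jpg": b"\xff\xd8\xff",                 # JPEG magic bytes
        "2024/03/holiday-150x150.jpg": b"\xff\xd8\xff",         # WordPress thumbnail
        "2024/05/wp-cache.php": b"<?php // constructed placeholder, not a payload\n",
        "2024/05/image.php.jpg": b"GIF89a",                     # double-extension trick
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


# Constructed post body: one legitimate same-site script, two that shouldn't be there.
CONSTRUCTED_POST = """<p>We went to the soft play centre again.</p>
<img src="https://myblog.example/wp-content/uploads/2024/03/holiday.jpg">
<script src="https://myblog.example/wp-includes/js/embed.js"></script>
<script src="//cdn.example.invalid/track.js"></script>
<script>/* constructed: inline code the blogger never wrote */</script>
"""


def demo():
    root = build_constructed_uploads()
    return {
        "uploads": find_executable_uploads(root),
        "post": find_injected_tags(CONSTRUCTED_POST, "myblog.example"),
    }


if __name__ == "__main__":
    for section, hits in demo().items():
        print(section, hits)
```

On a real site, point `find_executable_uploads` at your actual `wp-content/uploads` directory and feed `find_injected_tags` the `post_content` of each post exported from the database; anything it lists is something to look at before you decide what to delete.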
From here, you might start to think this is going to be a fucking mountain to climb, and you’d be right. However, it is fixable, so don’t panic. Your best bet is to get someone who knows what they’re doing to help you, but there are some steps you can take to make things better from here.
Install/Run Your Security Plugins
If you don’t have these enabled, then do so. Now. Install and activate Wordfence as a matter of priority and run a site scan. It will pick up any malicious files straight away and give you options to repair or delete them. Go through each of these slowly and carefully and make sure you don’t delete anything that you actually need. Again, if you are unsure, ask for help.
Next, you need to locate that backup you made earlier. Check it’s still there. Yes, it’s got all the hacked files in it, but if anything goes tits up while you’re trying to fix things, at least you have a point to restore things from.
Run the scan and configure the Wordfence firewall. Make sure you read all the documentation on Wordfence’s firewall and blocking settings to make sure you tighten everything up as best you can. When you’ve finished doing that I want you to go to your ‘Users’ tab and delete anybody and everybody except for your own administrator account.
Change Your Passwords FFS
I cannot tell you how many times I’ve helped people out with their websites and their passwords have been so basic that it’s frightening. For the love of God, use strong passwords. Encrypt yourself, protect your life. It’s SO much safer to have a gobbledygook password than anything ‘memorable’. You’re also going to need to add 2FA to your login page when you’re done, but you can do that via Wordfence’s login settings once we’re all finished.
I’m really not trying to be a dick here, but this stuff is really important and so often overlooked. I’m going to take a quick detour into why this matters at this point, just to reiterate why I get so stressed about it.
Let’s say you’re a parenting blogger. You regularly blog about your family life. You talk about your kids a lot. You have photos of your kids on your website. You share updates on their birthdays, you talk about soft play centres in your local area. How hard do you really think it’s going to be for someone to crack your blog if your password consists of ‘child 1’s name + birthdate, child 2’s name + birthdate’? Or ‘all our initials put together + my birth year’? Honestly, you’ve got to get smarter here.
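Here’s what ‘get smarter’ looks like in practice. The script below is an added example, not something from the post or from Wordfence: it generates a proper gobbledygook password from the operating system’s random source, and it checks a password you already use against the kind of details a stranger could lift straight off a family blog (names, initials, birthdates). The profile it tests with is made up, and the list of ‘fragments’ it builds from a birthdate is my own assumption about how people tend to mash those details together.

```python
"""Generate a random password, and check an existing one against public family details."""
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"


def generate_password(length=24):
    """Random password from the OS CSPRNG. Keep it in a password manager, not your head."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def personal_fragments(profile):
    """Lower-cased tokens readable off a blog: names, initials, years and day/month combos."""
    names = profile.get("names", [])
    frags = {n.lower() for n in names}
    for date in profile.get("birthdates", []):        # 'YYYY-MM-DD'
        y, m, d = date.split("-")
        frags.update({y, y[2:], d + m, m + d, d + m + y, d + m + y[2:]})
    initials = "".join(n[0] for n in names).lower()
    if len(initials) > 1:
        frags.add(initials)
    return frags


def guessability_report(password, profile, min_length=16):
    """Reasons the password is weak; an empty list means it passed these checks."""
    reasons = []
    low = password.lower()
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    for frag in sorted(personal_fragments(profile), key=len, reverse=True):
        if len(frag) >= 2 and frag in low:
            reasons.append(f"contains public detail '{frag}'")
    if re.fullmatch(r"[A-Za-z]+\d*[!?.]*", password):
        reasons.append("a word followed by digits is the first shape guessing tools try")
    return reasons


# Constructed profile: the sort of thing a parenting blog makes public.
CONSTRUCTED_PROFILE = {
    "names": ["Olivia", "Jack", "Sam"],
    "birthdates": ["2014-06-03", "2016-11-20"],
}


if __name__ == "__main__":
    print("suggested:", generate_password())
    for candidate in ["Olivia2014Jack2016", "Summer2024!", "Xq7!vP2#mLw9@rTz&4bN"]:
        print(candidate, "->", guessability_report(candidate, CONSTRUCTED_PROFILE) or "ok")
```

The check is deliberately one-sided: passing it doesn’t make a password strong, it only means it isn’t built from things you’ve already published. The generated one is what you should actually be using, with 2FA on top.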
Now I want you to imagine your lovely parenting blog has been infiltrated by someone who’s somehow managed to crack said password. Just like not all themes are equal, not all hackers are equal.
Some like to put spam code in. Some like to put third-party links in. Some link to prescription medications, some link to pet products. Some like to browse your photo collections. Some like to put porn links in your photo collections. Your photo collections with your fucking KIDS in them.
Now, do you see why you need to wake up and take this stuff much, much more seriously?
But What Could They Possibly Want With My Little Old Blog?
See above. See ALL of the above. These people want your information. They want the details of the people you work with, your site visitors, your fucking photo collection. They want to compromise your visitors’ data privacy and make you liable for a bollocking as per GDPR. They want access to your passwords, your carefully cultivated imagery, the content you’ve worked so hard to create.
Mostly, they want to hide really bad, often illegal shit right under your nose. Right on the photos of your babies.
Are you paying attention now?
Ok good. Main things to remember here:
- Don’t panic
- If in doubt, reach out to someone who you trust to help you
- Ask your host, but be aware that not all of them will be able to help you with this – they’re hosts, not security providers
- Back up your stuff as soon as you can
- Delete any old themes and plugins you’re not using
- Do another backup
- Don’t panic
Time To Take Stock
We’re going to continue this in the next post (because this one’s gone on a bit) but if nothing more, go and check your updates list. Right now. Stay tuned for part two of what to do if your blog gets hacked in the next few days. I’ll be sharing some next steps for how to fix some of the problems and which plugins will help safeguard you in the future. Let me know your thoughts in the comments or over on Twitter.
I also want to apologise a bit if any of this has made me seem like a judgemental bitch. I totally understand that this stuff might not have ever crossed some people’s minds. But the thing is, as much as I value the work, I don’t want to be locating and deleting dark web porn links on the photos of your children in the first place. I want us all to get smarter and work harder to stamp these fucking bastards out in the first place. That’s why I get on my high horse about this stuff – because it really does matter.
Anyway, please make sure you take an hour to really look at your website’s security at some point before I write part two. And for Christ’s sake, go and change all your passwords.