SuccessCREEations, Inc.

Guiding Your Business to Increased Income through Effective New Media Systems Online


How to Protect Your WordPress Site From Hackers

July 21, 2010 by Chris 9 Comments

It’s a nightmare scenario. You go to your website only to find a nasty message from a hacker bragging about hacking your site. And nothing else. As far as you can tell your content is gone and you can’t even find a way to log into your WordPress dashboard.

Would your business survive your website being shut down, even temporarily?

It Happens

That’s exactly the situation that my friend Viveka Von Rosen found herself in recently.

Fortunately we were able to help her out, rescue (most of) her files and get her back up and running relatively quickly. But that isn’t always the case.

Turns out Viveka could have done some things to better protect herself. Fortunately she learned her lesson well and she’s in much better shape today than she was before the attack.

Have You Really Been Hacked?

A lot of times people come to me saying, “My site’s been hacked,” when it really hasn’t. With WordPress sometimes plugin conflicts can cause issues that seem to the user like a hacker has messed with something. This is most common when upgrading to a new version of WordPress if a plugin hasn’t been made compatible with the new version yet.

While that can cause your site to crash, it’s not caused by hackers.

Not only that, but most of the sites I’ve seen that have been hacked weren’t just taken down by them. Most of the malicious hacks I’ve seen involved injecting some code into the site, usually with the end goal to redirect site traffic to some other website.

The Symptoms

Without going into the gory details, Viveka’s case was a little different. Her site actually showed an all-white screen with an error message along the lines of a plugin conflict, and the hacker just wanted to crash her site. Turns out he was into stealing something else.

When I did some troubleshooting I was able to get her site back up and running in fairly short order. In Viveka’s words:

I must add here, that it only took Chris 45 minutes to decipher and fix what was a rather sophisticated hack!

While I’d never promise to be able to recover a hacked site that quickly, I do have a good track record recovering hacked WordPress sites.

Here are some things you can do to minimize the chances you’ll end up getting hacked and maximize the chances to fully recover quickly should your site crash (for whatever reason).

1. Use Strong Passwords.

I honestly think this was Viveka’s biggest mistake. Again in her words,

This is what got me – I just used numbers and letters and the password was – well – kinda obvious.

Make your passwords not only hard to guess, but make them more difficult for sophisticated hackers to break as well. Randomly mix in special characters (found on the number keys with the shift button) as well as numbers and upper and lower case letters. Here’s what Wikipedia says about password strength.

Both WordPress and cPanel will tell you how strong your password is. Stronger passwords offer better protection.

Stronger passwords are also harder to type in. That’s why I use 1Password to manage my passwords on my Macs. I can use really strong passwords and I don’t have to remember them or type them in. 1Password will auto fill web forms for me. It’s the best of both worlds: good security and user friendly.

2. Keep Your WordPress Updated.

One of the most common reasons WordPress websites get hacked is that their owners don’t keep their software up to date. Older versions of WordPress can have known security weaknesses, and these weaknesses are fixed by newer releases of the software.

But if you don’t update your software, you leave yourself exposed.

This also holds true with plugins and themes. Besides, the newer versions of WordPress make keeping everything up to date remarkably easy. There’s not much of an excuse to keep you from updating things.

3. Back Up Regularly and Often.

A good backup can cover for a ton of other issues by making it possible to revert back to how things were before your site crashed. When it comes to WordPress you need to back up your

  • Database
  • Theme Files
  • Plugins
  • Media Uploads

There are several different ways to handle backups and I’ll cover some of those in a future post.

But the point is back up early and back up often!
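
The four items listed above can be captured with a small script. This is an added example, not the author's own backup method; it assumes a standard wp-content layout, GNU tar and sha256sum, MySQL credentials in ~/.my.cnf, and a hypothetical WP_DB_NAME variable naming the site's database.

```shell
#!/usr/bin/env bash
# Added example: back up the four parts of a WordPress site listed above.
# Assumptions: standard wp-content layout, GNU tar and sha256sum, and MySQL
# credentials in ~/.my.cnf so no password appears on the command line.
# WP_DB_NAME is a hypothetical variable naming the site's database.

wp_backup() {
    wp_root=$1
    dest=$2                      # keep this outside the web root
    content="$wp_root/wp-content"
    out="$dest/wp-backup-$(date +%Y%m%d-%H%M%S)"

    [ -d "$content" ] || { echo "no wp-content under $wp_root" >&2; return 1; }
    mkdir -p "$out" && chmod 700 "$out" || return 1   # dump holds user hashes

    # Theme files, plugins and media uploads: one archive each.
    for part in themes plugins uploads; do
        if [ -d "$content/$part" ]; then
            tar -czf "$out/$part.tar.gz" -C "$content" "$part" || return 1
        else
            echo "warning: $content/$part not found, skipped" >&2
        fi
    done

    # Database: dumped only when a name is given and mysqldump is installed.
    if [ -n "${WP_DB_NAME:-}" ] && command -v mysqldump >/dev/null 2>&1; then
        mysqldump --single-transaction --result-file="$out/database.sql" \
            "$WP_DB_NAME" && gzip "$out/database.sql" || return 1
    else
        echo "warning: database NOT dumped (set WP_DB_NAME)" >&2
    fi

    # Record checksums so the copy can be checked before a restore.
    (cd "$out" && sha256sum *.gz > SHA256SUMS) || return 1
    echo "$out"
}

# Succeeds only if every archive still matches its recorded checksum.
wp_backup_verify() {
    (cd "$1" && sha256sum -c SHA256SUMS >/dev/null 2>&1)
}

# Usage: ./wp-backup.sh /var/www/site /home/me/backups   (example paths)
if [ "$#" -ge 2 ]; then
    wp_backup "$1" "$2" && wp_backup_verify "$out"
fi
```

Run the verify step again before restoring: a backup taken after the site was compromised, or an archive altered since, is not a known-good copy.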

Bottom Line

I don’t believe any site is completely “hack proof.” A determined hacker with enough resources can break into most anything. Just watch an episode of NCIS! ;)

But if you do these three things you will greatly reduce your risk of being hacked and make it much easier to recover if you do run into a problem.


Filed Under: Tips Tagged With: Hacked, Security, Viveka Von Rosen, WordPress

Comments

  1. Frederick Ding says:
    July 21, 2010 at 6:51 pm

    You’ve written quite an informative post. Personally, I love NCIS too.

    Are there any plugins you’d recommend for automating the backup process?

    • Chris says:
      July 22, 2010 at 7:20 am

      Heya Frederick! That’s a great question and there are some good ways to automate backing up your WordPress site. As I mentioned above I’m putting together another post about backups because it is such an important topic. I’ll leave a reply here when that post goes live in the next few days.

    • Positive Life says:
      November 8, 2010 at 3:00 pm

      I wish I had read this post before my blog had got hacked. One mistake which I had done was that I had not updated my blog. Anyways, I have learnt the hard way.

  2. alantanblog says:
    July 24, 2010 at 11:32 am

    I suggest changing the password every month.

  3. Tim says:
    August 17, 2010 at 7:48 pm

    I would do it a bit longer

  4. vTravels says:
    September 4, 2010 at 7:57 pm

    Thanks a lot Chris for putting much stress on security. I don’t think any online business can survive if the website is shut down. Strong password and its frequency of change can be a great help for securing any kind of website. I still remember once my ftp password was stolen by a kind of virus and it was continuously altering the html content of web pages. It was basically a dll file stored on the local computer where ftp client was installed. I am looking for your advice on protecting the websites from this kind of issues.

  5. Jon Thomas@Designer Furniture says:
    September 21, 2010 at 5:16 pm

    Keeping a backup copy on MS Word is the best policy. Been doing this for class and for work forever.

  6. Alex says:
    September 21, 2011 at 2:04 pm

    Nice post, just a quick question. If you can help I’d really appreciate it!

    I work really hard on my website to keep it on the first 2 pages of any search related to what I do, but today this guy from abyaraimoveisbr.com just literally copied everything from my site, my pics, my analytics code, my live chat script and hosted it for his benefit!

    Was just wondering if there’s a way to prevent content from being downloaded.


Trackbacks

  1. 3 Easy Ways to Back Up Your WordPress Site says:
    July 29, 2010 at 6:43 am

    [...] In the first case, Viveka Von Rosen’s site was attacked by a hacker. I wrote about that last week when I explained how to protect WordPress from hackers. [...]


Copyright © 2012 · Delicious Theme (heavily) customized by SuccessCREEations, Inc. on the Genesis Theme Framework · WordPress · Log in