Late last week I got a number of emails from people around the ’webs complaining that I was spamming their blogs, which gave me the horrified, sinking feeling that I hadn’t actually eradicated all the hacked files. So once again I backed everything up and performed a complete reinstall of WordPress, my theme, and all my plugins. By now I’m a pro at that, so it actually didn’t take too long. But when threatening messages kept coming in telling me to stop spamming, I realized it was time to call in the professionals.
I remembered that one of the 7,000 pages I’d read recently on cleaning up a hacked WordPress site offered to help if your site cleanup was beyond your abilities. I scoured through my browser history and found Michael VanDeMar’s Smackdown blog. For a modest fee and 1–2 hours of work, he will go through your WordPress site and remove anything suspicious, restoring it to the natural, pristine site that God intended it to be in. I emailed him, sent him my passwords, and now, less than 24 hours later, my site has been given the all clear. I’d actually gotten rid of everything except a couple of backdoors that were redirecting certain visitors to pharmacy sites and displaying false information in Google searches. The form spamming that was happening was apparently coming from outside my site and merely directing people here.
If you’re experiencing something similar, I highly recommend Michael as a cleaner. But, if you are running a WordPress site and aren’t having any issues, don’t let it get to this point! I can’t tell you how many hours I spent reading articles on cleaning WordPress hacks and reinstalling files, cleaning code and installing security measures. From my experience, I strongly suggest the following, at the very least:
- Change your username: Don’t use the default “admin” username. In fact, it’s recommended you don’t have any users in the first user slot at all. And make your username hard to guess—don’t use “john” if your name is John. Use something with random capital letters, numbers and symbols, like “j0n@tHan,” or even better, something totally unrelated to your name.
- Use strong passwords, everywhere: For your WordPress login, your FTP directory, your hosting login, and your SQL database. All of these are potentially vulnerable. I’d also recommend installing the Google Authenticator plugin, which makes you enter not only your username and password to log in to your dashboard, but also a six-digit code that’s sent to your smartphone.
- Keep everything updated: WordPress, your plugins and themes, everything. Most of the updates are for security, and hackers look for old versions of WordPress because they’re much easier to break into. It’s also good to delete any unused themes and plugins so there are fewer places for hackers to hide their wares.
- Install WordPress security plugins: I recommend Better WP Security, MVIS Security Center, and Wordfence. They all do something different, but they all help you harden your WordPress install, recommend ways to make your site more secure, and scan for potential intrusions and suspicious behavior. I now get an email every time someone logs into my WordPress admin page, and I’m tracking all other login attempts and locking out anyone who tries too many times without success.
- Back up your site regularly: If you start now, before you get hacked, you’ll have an easy way to return the site to its clean state.
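As an added example (not the author’s code and not part of any plugin named above), here is a small Python scanner for the kind of dropped PHP backdoor described earlier: it flags obfuscated `eval` calls, redirects that depend on the visitor’s User-Agent (how “only certain visitors” end up at a pharmacy site), and any PHP file sitting in the uploads directory. The two-file sample install it scans is constructed inline; signature names, thresholds and the placeholder URL are assumptions for the demo.

```python
import os
import re
import tempfile

# Heuristic signatures for injected PHP. A hit means "inspect this file",
# not "this file is malicious"; legitimate plugins occasionally trip them.
SIGNATURES = {
    "obfuscated eval": re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    # a redirect decided by the visitor's User-Agent: the classic
    # "only some visitors get sent to the pharmacy site" cloaking backdoor
    "cloaked redirect": re.compile(
        r"HTTP_USER_AGENT[\s\S]{0,200}?header\s*\(\s*['\"]Location:", re.I),
}
UPLOADS = os.path.join("wp-content", "uploads")  # should hold media only

def scan_file(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]

def scan_tree(root):
    """Walk a WordPress install; return {relative path: [sorted finding names]}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            hits = scan_file(full)
            if rel.startswith(UPLOADS):  # PHP has no business in uploads/
                hits.append("php in uploads directory")
            if hits:
                findings[rel] = sorted(hits)
    return findings

def build_demo_tree():
    """Constructed sample install: one clean core file, one dropped backdoor."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    os.makedirs(os.path.join(root, UPLOADS))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php\nrequire __DIR__ . '/wp-blog-header.php';\n")
    with open(os.path.join(root, UPLOADS, "cache.php"), "w") as fh:  # constructed
        fh.write("<?php\n"
                 "if (stripos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') === false) {\n"
                 "    header('Location: http://placeholder.invalid/');\n}\n"
                 "eval(base64_decode('PLACEHOLDER'));\n")
    return root

if __name__ == "__main__":
    for rel, hits in scan_tree(build_demo_tree()).items():
        print(rel, "->", ", ".join(hits))
```

Point `scan_tree` at a real document root to get a list of files to read by hand; treat every hit as a lead, not a verdict, and compare against a clean backup before deleting anything.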
Is WordPress too vulnerable to attacks? If you don’t take any security precautions, yes. But if you follow some basic steps to harden your installation, use strong passwords (and usernames), back up, update, and keep an eye out for suspicious activity, you’ll probably be fine. Unfortunately, there’s no way to 100% guarantee you won’t get hacked, but the harder you make it for undesirables to get in, the more likely it is they’ll give up and move to the next site.