WordPress is a great software system for your website. It scales well for a personal or business website and is even in use by very heavily trafficked sites. WordPress is very popular too, but like any popular code it is also a favorite target of hackers and malware. How popular? 74.6 Million Sites Depend on WordPress.
If your personal website has been hacked, don’t panic. This happens. Most of the websites I have administered over time have been hacked at one point or another. It doesn’t mean you failed (or I failed); it means there is some work to do, first to fix your website and then to harden it against future hacking. Keep in mind that this is an ongoing process, and I recommend putting a one-hour event on your calendar every month. You will want to come back to your website each month to verify updates and settings and to run a malware scan. Also consider applying what’s in my article before you get hacked.
Briefly here are the steps you’re going to take:
- Identify the hack (usually malicious or modified files among your website files on the web server)
- Clean up the hack (typically deleting the malicious files and then re-installing WordPress)
- Harden the computer you use to manage your WordPress website
- Harden your WordPress website (this means adding active protection to the site as well as changing settings)
- Set up two-factor authentication for both the backend and frontend of the website
- Make a backup of your website
Step 1 – Find the Hack
You need to know how bad the hack is. There are several online scanning tools that will produce a report you can use to clean up your hacked site yourself. Below is the one I have used most often.
Step 2 – Clean up the Mess
You can use the information in the scan results to clean up your site yourself, or you can pay the service to try to do it for you. Once the site is clean you’ll want to harden it to prevent future hacking. You will also want to make sure any computer you use to administer your website is clean.
Some useful tips for cleaning up the hacking:
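The scan report tells you what looks suspicious; the checks below are what you then do on the server itself. As an added example (not code from the original article, and not any scanning service's tooling), here is a POSIX shell script that builds a small constructed WordPress-like directory, records a manifest of known-good file hashes, simulates a compromise, and then runs the three checks that find most file-based hacks: files that differ from or are absent from the clean manifest, files modified recently, and PHP that uses classic webshell idioms or sits under wp-content/uploads. Everything in it, including the file names, the injected payload and the pattern list, is constructed for the demonstration; on a real site the manifest comes from a fresh copy of the same WordPress version, and flagged files are moved to a quarantine directory rather than deleted so you keep evidence before you reinstall.

```shell
#!/bin/sh
# Added example (not from the original article): triage a WordPress tree for a
# file-based hack. The fixture, manifest, payload and pattern list below are all
# constructed for the demonstration.

# SHA-256 of one file (coreutils sha256sum, or shasum on BSD/macOS).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Record "path<TAB>sha256" for every file under DIR into MANIFEST.
# On a real site, DIR is a fresh download of the same WordPress version.
make_manifest() {
    dir=$1; manifest=$2
    : > "$manifest"
    (cd "$dir" && find . -type f | LC_ALL=C sort) | while read -r f; do
        printf '%s\t%s\n' "$f" "$(hash_file "$dir/$f")" >> "$manifest"
    done
}

# Report files whose hash differs from MANIFEST (MODIFIED) or that MANIFEST
# does not list at all (ADDED). Deleted files are not reported here.
verify_manifest() {
    dir=$1; manifest=$2
    (cd "$dir" && find . -type f | LC_ALL=C sort) | while read -r f; do
        expected=$(awk -F'\t' -v p="$f" '$1 == p { print $2 }' "$manifest")
        actual=$(hash_file "$dir/$f")
        if [ -z "$expected" ]; then
            echo "ADDED    $f"
        elif [ "$expected" != "$actual" ]; then
            echo "MODIFIED $f"
        fi
    done
}

# Files changed within the last DAYS days; compare against when you last updated.
find_recent() {
    (cd "$1" && find . -type f -mtime "-$2" | LC_ALL=C sort)
}

# PHP files using classic webshell idioms: eval() over an obfuscated blob, or a
# shell function fed straight from request input. Hits are leads, not proof.
scan_suspicious_php() {
    pat='eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\('
    pat="$pat|(system|shell_exec|passthru|exec|popen)[[:space:]]*\([[:space:]]*\\\$_(GET|POST|REQUEST|COOKIE)"
    (cd "$1" && grep -rIlE --include='*.php' "$pat" . | LC_ALL=C sort)
}

# wp-content/uploads should hold media only; any PHP there is a red flag.
php_in_uploads() {
    (cd "$1" && find ./wp-content/uploads -type f -name '*.php' 2>/dev/null | LC_ALL=C sort)
}

# Move a flagged file out of the web root instead of deleting it, so the
# evidence survives the reinstall.
quarantine() {
    dir=$1; f=$2; qdir=$3
    mkdir -p "$qdir/$(dirname "$f")"
    mv "$dir/$f" "$qdir/$f"
}

# --- constructed fixture: a tiny "clean" install, then a simulated compromise ---
SITE=$(mktemp -d)
MANIFEST="$SITE.manifest"
mkdir -p "$SITE/wp-includes" "$SITE/wp-content/uploads/2024"
printf '<?php\nfunction wp_version() { return "6.0"; }\n' > "$SITE/wp-includes/version.php"
printf '<?php\nrequire __DIR__ . "/wp-includes/version.php";\n' > "$SITE/index.php"
printf 'not really a jpeg\n' > "$SITE/wp-content/uploads/2024/photo.jpg"
find "$SITE" -type f -exec touch -t 202401010000 {} +   # the clean install is "old"
make_manifest "$SITE" "$MANIFEST"

# Simulated compromise: a backdoor appended to a core file (the payload decodes
# to: echo "pwned";) and a command-execution dropper hidden among the uploads.
printf '<?php eval(base64_decode("ZWNobyAicHduZWQiOw==")); ?>\n' >> "$SITE/index.php"
printf '<?php if (isset($_POST["c"])) { system($_POST["c"]); } ?>\n' > "$SITE/wp-content/uploads/2024/.cache.php"

echo "== differs from clean manifest =="; verify_manifest "$SITE" "$MANIFEST"
echo "== modified in the last 7 days =="; find_recent "$SITE" 7
echo "== suspicious PHP =="; scan_suspicious_php "$SITE"
echo "== PHP under uploads =="; php_in_uploads "$SITE"
```

Run it with `sh` and read the four reports; on a real site point the functions at your web root and a manifest built from a clean download. The pattern list is a starting heuristic, not a signature set: legitimate plugins also call base64_decode, so treat hits as files to read by hand. For WordPress core files, WP-CLI’s `wp core verify-checksums` does the same manifest comparison against the checksums WordPress.org publishes (a real WP-CLI command, not something the article mentions); the manifest functions here apply the same idea to any tree you have a clean copy of, including plugins and themes.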
Step 3 – Clean and Protect Your Computer
You should install and run protection on your computer, as malware on an administrator’s computer is often how malicious code gets onto your website. There are several free and paid options. You can always start with a free one, but I recommend switching to a paid subscription at some point, as these typically offer additional protections not included in the free versions. Make sure your web browsers (Safari, Firefox, Chrome) are all up to date, as they have some built-in protections.
Step 4 – Set up Your Defenses
Tips for preventing another hack going forward:
- All-in-One WP Security Plugin (I run this plugin on many WordPress sites and it takes care of the things listed in the articles below)
- 12 Ways to Secure Your WordPress Site You’ve Probably Overlooked
- Hardening WordPress
- 20 Simple Tricks to Secure Your WordPress Website
I realized after making this list that I could write an entire guide on configuring just the All-in-One WP Security plugin. So I will have to do that, because there are a lot of choices and, although they are explained well, there are still other factors to consider that should guide you through the process.
Step 5 – Make it Harder to Login
You want to add two-factor authentication to your WordPress website. This step can seem a little painful at first, until you get used to it. Two-factor authentication means that logging in to your website requires more than just a password (aka passphrase). I find that the best systems are the ones tied to your smartphone through an app: rather than re-typing codes, you only need to authorize the login on your phone. Keep in mind that two-factor authentication protects the login itself, not a vulnerable plugin or theme, so it complements the updates and hardening in the earlier steps rather than replacing them.