Did your WordPress site get hacked? In this article, I will mention the essential things to do to fix your hacked WordPress site.
Identify and Fix a Hacked WordPress Site
Your WordPress site is hacked, and you do not know what to do next? Here are some of the things you should do:
- Take WordPress into maintenance mode.
- You can then export the post data from Tools > Export. Keep that backup on your desktop. Scan and manually check that XML file for any injected code.
- Notify your web host about this incident. Check the security logs on your web hosting account for the record of intrusion.
- Change the passwords of your hosting control panel, FTP, domain name, and email ID associated with these accounts.
- Change the passwords in wp-config.php and replace the authentication keys with a new set of keys.
- Remove the old themes and plugins from the setup.
- Install a new WordPress setup if there are too many fixes to the WordPress code.
- Check the file permissions on the webserver. Make sure that none of them are set to 777. Use the Sucuri plugin or WordFence to check the files on the webserver.
- Make sure other sites in the hosting account are not affected by doing a security audit of those accounts.
- Check for the malicious files in the hosting account.
- Do a fresh install if you find any security issues with WordPress.
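The file-permission check from the list above, written as a shell audit. This is an added example, not part of the original article; it also flags other world-writable modes such as 666, and the document-root argument and the 755/644 reset values are assumptions.

```shell
#!/bin/sh
# Added example: audit a WordPress tree for the 777 problem described above.
# Assumptions: the document root is passed as $1; 755 (directories) and
# 644 (files) are used as the reset values.

# Entries whose mode is exactly 777. Symlinks are skipped because they
# usually show 777 regardless of the target's real permissions.
find_777() {
    find "$1" \( -type f -o -type d \) -perm 0777 -print
}

# Generalisation: anything writable by "other" (777, 666, 757, ...).
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Report findings on stderr; return 1 if any exist so cron or CI can alert.
audit_permissions() {
    hits=$(find_world_writable "$1")
    [ -z "$hits" ] && return 0
    printf 'World-writable under %s:\n%s\n' "$1" "$hits" >&2
    return 1
}

# Reset only the offending entries, leaving everything else untouched.
fix_world_writable() {
    find "$1" -type d -perm -0002 -exec chmod 755 {} +
    find "$1" -type f -perm -0002 -exec chmod 644 {} +
}

# Run the audit when a path is given: sh audit.sh /path/to/wordpress
if [ -n "${1:-}" ]; then
    audit_permissions "$1"
fi
```

Review the audit output before calling `fix_world_writable`, since a world-writable upload directory on a hacked site is also a place to look for files that should not be there.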
How do I do maintenance on WordPress?
To put your WordPress site in maintenance mode, you have to install this plugin and (assuming you know how to activate it) follow these steps:
- Log in to the WordPress admin dashboard.
- Scroll to the “Settings -> WP Maintenance Mode” page in the left panel.
- In the “General Settings” section, switch the “Status” to “Activated.”
- Click the “Save Settings” button.
Look for a WordPress Maintenance Expert
You may be an expert WordPress user, but there are many things that you cannot do from your end unless you know what to fix and how to fix it. In such a case, it is better to ask for help from the hosting support team or an expert who knows how to fix things. We also provide WordPress Website Maintenance Services, so you can look at the service page by clicking the hyperlink.
When you contact them about fixing WordPress issues, be prepared to offer the following things:
- Keep your backup and download it to your local drive before you give access to your hosting account.
- Keep a backup of your server logs.
- Explain your problem to the hosting support.
- Point out the issue with the help of a screenshot or URL if possible. Ask them to explain the problem to you once they finish their fixes.
- You can always ask for help in official WordPress forums.
- Many WordPress security professionals can help you with fixed fees.
Hacked WordPress Security Checklist
Use this 9-Point WordPress Security Checklist to fix your hacked WordPress website. Keep your website safe and secure by prioritizing the tasks.
WordPress Security Setup Checklist
Keep your WordPress setup secure by executing these tasks:
- Install WordPress Backup Plugins.
- Install a login security plugin.
- Install the Security scan plugin.
- Remove unused themes and plugins.
- Perform basic WordPress setup hardening.
- Schedule automated website backups.
You can learn more here: How to secure a WordPress website.
WordPress Maintenance Checklist: Manually maintain your site in 8 steps
Once you set up the security measures for your WordPress site, it is crucial to maintain it regularly. Below are eight easy tasks to do if you want to manually maintain your WordPress site and keep it in the best shape:
- Perform security hardening with php.ini and .htaccess.
- Schedule backups.
- Remove unnecessary security plugins.
- Remove unused plugins and themes.
- Search for harmful files in the server logs.
- Check server logs for intrusion attacks.
- Check the security issues with the updated version of plugins.
- Check the issues with the WordPress update.
- Take a backup of MySQL, WordPress files, and other media files.
Website Information Checklist
Make sure you have this information stored securely. If you have more than one website, keep all this data in a spreadsheet stored on an encrypted drive or online service. If there is only one website, I recommend you print the login credentials and keep them somewhere safe.
- WordPress Logins
- Domain Registrar Login
- Hosting Account Login
- Email Logins & Settings
- FTP Login Information
- Google Accounts
- Backup service login