It’s one of the worst things to encounter for anyone who owns a website. When a website gets hacked and has a virus or malware put onto it, a billion and one questions will naturally rush into your mind. Have they got my login details? What have they put onto my website? Have I found everything they put onto my website? Will Google and other search engines penalize the website due to the security flaw a hacker exposed? Have I lost money? Will any data be lost and, most importantly, is it recoverable?
After experiencing such a dilemma, here are some tips to help you get your website back up to scratch if you ever suffer a website attack.
#1 Backups should be Proactive, not Reactive
The first thing you should think about doing, if you are not doing it already, is making backups of your website. This will allow you to revert to a virus- and malware-free version of your website, so that your website is recoverable.
#2 Find the Problem
The first step is to see if your website has been hacked or not. There will be many clues that can suggest this:
- Extra code in your template files
- Links appearing on your website
- Adverts appearing on your website that you did not authorize
- Warnings from Google and other websites when loading your website
- Any abnormal changes to any part of your website, or the dashboard of your website
- Content that is missing, or content that you did not add
#3 Call in Help
Even if you have found the source of an attack and know how to fix it (delete the code, etc.), it is always best to get expert advice and help from people who do this for a living. For me, I went to Wordfence, since they provide a market-leading security plugin for WordPress websites, as well as great support when under attack. By doing this, you will have complete faith that the attack has been completely neutralized.
#4 Patch Security Flaws
This is extremely important. You might find that you have security flaws in your website. But the problem with an attack isn’t recovering your website; that is relatively straightforward. The problem lies in finding out where the attacker went to exploit a security vulnerability. For a WordPress website, there are a few areas that could cause security flaws, so it is a good idea to do the following when your website is back up and running as normal:
- Change every password associated with your website. This will include:
  - Standard WordPress login details.
  - FTP and SFTP login details.
  - Hosting login details.
  - Social media login details.
- Update every plugin to the latest version.
- Remove any plugin that has not been updated for a few months or more. This suggests the plugin has been abandoned, increasing the risk of a security flaw in the future.
- Enable two-factor authentication for every account associated with your website, so that it is required anytime you log in.