What would you do if your WordPress website was hacked? Panic? Cry? Turn off the computer hoping it would go away?

In my experience, website security breaches are rare. Knowing how to identify a hacked site and what action to take is vital. There are common issues that make sites vulnerable, and easy things you can do to help prevent future attacks.

Signs of a hacked WordPress website

A defaced homepage

One hacking method is to replace the homepage so it looks nothing like your website. Whilst some hackers prefer to be anonymous, others like to announce it loud and clear!

Addition of bad links

Data injection hacks insert links to spam websites. These could appear anywhere on your site, and even be hidden. Unfortunately, deleting the links doesn’t guarantee that they won’t come back. The hacker has created a backdoor into WordPress to change files and the database. You will need to find this and block entry to stop this kind of attack.
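One way to spot injected links, including hidden ones, is to audit a page's HTML for links that leave your own domain. This is an added example, not code from this article; the `LinkAudit` class, the `audit` function, the host names and the sample page are all constructed for illustration, and the check only looks at inline styles.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that never have a closing tag, so they must not be pushed on the stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}
# Inline-style fragments commonly used to hide content from visitors.
HIDING = ("display:none", "visibility:hidden", "left:-", "text-indent:-", "font-size:0")

class LinkAudit(HTMLParser):
    """Collect every link to a host that is not yours, noting hidden ones."""

    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {host.lower() for host in own_hosts}
        self.stack = []      # one flag per open element: does it hide its content?
        self.findings = []   # (host, hidden) for each external link

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        style = (attrs.get("style") or "").replace(" ", "").lower()
        hides = any(marker in style for marker in HIDING)
        if tag == "a" and attrs.get("href"):
            host = (urlparse(attrs["href"]).hostname or "").lower()
            if host and host not in self.own_hosts:
                self.findings.append((host, hides or any(self.stack)))
        if tag not in VOID:
            self.stack.append(hides)

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

def audit(html, own_hosts):
    parser = LinkAudit(own_hosts)
    parser.feed(html)
    return parser.findings

# Constructed sample page: one ordinary outbound link and two hidden ones.
SAMPLE = """
<p>Read our <a href="/about">about page</a> or visit
<a href="https://partner.example/">our partner</a>.</p>
<div style="display: none"><a href="http://pills.invalid/buy">cheap</a></div>
<a href="https://casino.invalid/" style="position:absolute; left:-9999px">x</a>
"""

if __name__ == "__main__":
    for host, hidden in audit(SAMPLE, {"mysite.example"}):
        print(("HIDDEN  " if hidden else "visible ") + host)
```

Any hidden link is worth investigating, and visible links to hosts you don't recognise deserve a second look too.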

You can’t log in to the WordPress dashboard

If you can’t log in to your website, this is a sign of a deleted or amended user account. An easy way to check is to click the “Lost your password” link. If this fails, your account may not exist anymore.

It redirects to an unknown website

Redirecting visitors to another website is a sign of a potential hack. And chances are, it is a site they have no intention of visiting!

Changes to WordPress core files

Security plugins, such as Defender, will flag changes to core WordPress files. Hackers often edit these files with malicious code to disrupt websites.
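The idea behind this kind of check is to compare each file against a fingerprint recorded from a clean copy. The sketch below is an added example, not how Defender or any other plugin is actually implemented; the function names, the SHA-256 manifest and the tampered demo site are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash a file in chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def compare_to_manifest(root, manifest, ignore=("wp-content/",)):
    """Compare files under root with a known-good {relative path: hash} manifest.

    wp-content/ is ignored by default because it holds your own themes,
    plugins and uploads rather than core files.
    """
    report = {"modified": [], "missing": [], "unexpected": []}
    seen = set()
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel.startswith(tuple(ignore)):
                continue
            seen.add(rel)
            if rel not in manifest:
                report["unexpected"].append(rel)
            elif sha256_of(full) != manifest[rel]:
                report["modified"].append(rel)
    report["missing"] = [path for path in manifest if path not in seen]
    return {kind: sorted(paths) for kind, paths in report.items()}

def demo():
    """Constructed example: record a clean copy, tamper with it, then compare."""
    clean = {"index.php": b"<?php // clean front page\n",
             "wp-login.php": b"<?php // clean login page\n",
             "wp-includes/version.php": b"<?php // clean version file\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in clean.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as handle:
                handle.write(body)
        manifest = {rel: sha256_of(os.path.join(root, rel)) for rel in clean}
        with open(os.path.join(root, "index.php"), "ab") as handle:
            handle.write(b"// constructed stand-in for injected code\n")
        os.remove(os.path.join(root, "wp-login.php"))
        with open(os.path.join(root, "wp-includes/extra.php"), "wb") as handle:
            handle.write(b"<?php // file that was never part of the clean copy\n")
        return compare_to_manifest(root, manifest)
```

A file listed as unexpected inside a core folder matters as much as a modified one, since it was never part of the clean copy.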

Warnings from search engines

Search engines may display a warning message for hacked websites. Changes to sitemaps will affect the way they crawl sites and how they appear in search results.

Why do WordPress websites get hacked?

These are three of the most common reasons WordPress websites get hacked. They are also the easiest to deal with.

Software is out of date

The easiest way to keep your website safe is to use the latest version of the WordPress core software, alongside any themes and plugins.

Out of date software makes your site vulnerable to attacks.

Insecure passwords

Guessing someone’s login password is the easiest way for hackers to target a website. According to NordPass, the most commonly used password in 2022 was “password”! And it takes less than a second to crack it!!

Insecure code

Using themes and plugins from disreputable third parties could introduce bad code to your website. Use the free WordPress plugin and theme directories to source software. And be sure to check reviews and the reputation of the provider when using premium products.

What to do if your website is hacked

Stay calm

This sounds absurd, right?!! Stay calm! Someone is trying to undermine your business, for crying out loud!!

Take a few deep breaths, then gather some facts before moving forward.

  • What makes you suspect your site has been hacked?
  • Have you tried logging in?
  • Do you have a recent back-up stored somewhere safe & accessible?
  • Do you have the login details for your website hosting account?

Contact your trusted website professional

Explain what has happened and let them get to work. And relax, safe in the knowledge that an expert who understands your website is on the case.

If you don’t have someone to turn to, now would be a good time to get a website troubleshooter in your corner.

How to keep your WordPress website secure

Keep software up to date

Log in to the backend of your website once a week to check for theme and plugin updates. Subscribe to my WordPress update service for notifications about core software changes.

Use secure passwords

Make sure your login password…

  • Includes a mixture of upper- and lower-case letters, plus numbers and symbols.
  • Is long, between 15 and 50 characters.
  • Avoids using real words or phrases.
  • Doesn’t include personal information, such as your name, birthday, or address.
  • Is unique – don’t use it anywhere else.

I recommend storing them somewhere safe, like Google or Norton’s password managers. And using LastPass to generate long, strong phrases.
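The checklist above can be turned into a small checker and generator. This is an added example, not code from this article or from any of the password managers mentioned; the function names and the short `COMMON_WORDS` list are constructed for illustration. Uniqueness cannot be tested in code, so that rule stays with you.

```python
import secrets
import string

# Constructed sample list; a real check would use a much larger dictionary.
COMMON_WORDS = ("password", "welcome", "admin", "wordpress", "qwerty", "letmein")

def check_password(password, personal_info=(), words=COMMON_WORDS):
    """Return the checklist rules that this password breaks (empty list = pass)."""
    problems = []
    if not 15 <= len(password) <= 50:
        problems.append("length must be between 15 and 50 characters")
    classes = {
        "an upper-case letter": string.ascii_uppercase,
        "a lower-case letter": string.ascii_lowercase,
        "a number": string.digits,
        "a symbol": string.punctuation,
    }
    for label, alphabet in classes.items():
        if not any(ch in alphabet for ch in password):
            problems.append("missing " + label)
    lowered = password.lower()
    if any(word in lowered for word in words):
        problems.append("contains a common word")
    if any(item and item.lower() in lowered for item in personal_info):
        problems.append("contains personal information")
    return problems

def generate_password(length=20):
    """Draw random characters with the secrets module until every rule passes."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate

if __name__ == "__main__":
    print(check_password("password"))
    print(check_password("Jane1985!Jane1985!", personal_info=("Jane", "1985")))
    print(generate_password())
```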

Use reputable plugins and themes

When downloading plugins and themes from WordPress, check…

  • They are compatible with the latest version of the core software.
  • What star rating they have – 4 or more indicates a better plugin.
  • When they were last updated – if it’s been months, best to try something else.
  • How many support issues have been resolved in the last 2 months – suggesting an active developer.

Tidy up your website

Review your themes and plugins. Deactivate and remove any that are not in use.

Install a security plugin

A good security plugin will notify you of any suspicious activity on your site. I would recommend installing Defender, WordFence or Sucuri.

Use an SSL certificate

SSL certificates add an extra layer of security to your website. They keep sensitive data transferred between servers and web browsers secure and private. Google recommends that all websites use SSL to protect their users. Many hosting companies offer certificates for free via Let’s Encrypt.

And finally, good relationships with the person who built your website and the people hosting it are essential. These will be the people you turn to if the unthinkable happens.

If the security of your WordPress website is a concern or you want to better protect it, I’m happy to have a chat. Why not book a call or drop me an email?

Stay safe! And bookmark this article for future reference.

Image credit: Ivan Vranić on Unsplash