So your WordPress site is hacked. This is too common an occurrence these days. First we’ll review a couple of steps you can take to make sure your WordPress site reduces the chances of being hacked if it hasn’t been.
WordPress Security Plugins and Procedures
How to Avoiding Being Hacked
WordPress has high vulnerability of being hacked due to it being open source and there’s no real security in a basic WordPress install besides a login. Most bots that are trying to hack your site will do so by searching for possible usernames, starting with “admin”.
To avoid this as much as possible without being a server administrator or a techy person, there’s a few things you can do to vastly reduce the possibility of someone you don’t want getting into your site. These steps should take you less than an hour to complete and can save you days or hundreds or possibly thousands of dollars depending on the depth of the security breach on your site.
- Install a strong security plugin. Wordfence and Ninja Firewall are both great plugins. We’ve used Wordfence and created the rules to automatically lockout any IP address that has tried logging in unsuccessfully more than 10 times.
- Install a malware scanning plugin. Anti-Malware and Brute-Force Security by ELI has worked great and provides an intensive scan to help identify any code that could be malicious.
- Update your username. Yes, this is important. Do not use the “admin” login – or your site/business name. Use something with at leas an upper and lowercase letter and at least 8 characters long. And once you do this, delete the “admin” user altogether.
- Update your password. You’ve heard this many times, but following the rules of using upper and lowercase letters, numbers, and at least one special character helps keep malicious attacks away when they’ve found out your username.
Is Your WordPress Site Hacked?
An easy way to see if your WordPress site has been hacked is to go to Google.com and do a search on “site:yoursitename.com”. This will tell you what pages Google has indexed for your website. If you see pages that are in a foreign language, have items dealing with pharmaceuticals, fashion, or even porn, you should keep reading this article.
Also, if you rank for your brand name, do a Google search on your brand to see the search results. If you see one of the following, it’s time to get your site cleaned up and secured.
Another way to checking if your site has been hacked is to login to your Google Search Console account. In the “Manual Actions” report, you’ll see something like this if your site has been compromised.
Fixing a Hacked WordPress Site
We have fixed a lot of these lately. Depending on the size of the site and the depth of the hack itself, it can take anywhere from a few hours to a few days to remove the holes in the site security and to update all items needing addressed before submitting to Google Search Console for a site review. Even after all proper steps have been taken, it can take weeks or longer for the bad results to stop showing in Google search results.
Here’s the steps we’ve taken to help clean up WordPress sites and get them back to normal. It generally takes a programmer and someone with SEO knowledge and tools to perform these actions.
- Remove any SQL injected code and increase security at server level.
- Install and run a malware scan plugin. Yup – same as we mentioned above.
- Ensure a good Firewall Plugin is properly configured. See above for examples.
- Do a full backlink profile and disavow using majestic.com or another backlink tool.
- Create a disavow link list file for Google Search Console & Bing Webmaster Tools. Remember to disavow at the domain level – not the page level.
- Submit the site for review in Google Search Console.
- Make sure all username/passwords are very tough – longer than 12 characters, uppercase/lowercase/numbers/special characters. The harder the better. If there is an admin that is named “admin” or “business name” remove and create something that is tougher to break.
- Do a “site:example.com” in Google and grab all links that aren’t your site, but were injected. In Google Search Console, create a removal request for each page from the Google search index.
- Check the Users and Managers in your Google Search Console to ensure there’s nobody who was able to gain access improperly who has changed the sitemap.
- Create and resubmit your xml sitemap & robots.txt file to Google & Bing Search Console. If you don’t already, upload the free version of the Yoast WordPress SEO plugin to easily configure your Webmaster Tools and create these files for proper submittal.
- And finally, request a review of your website from Google Search Console. You’ll need to tell them the steps you took to remove the hack, so keep a list of the items you completed handy to copy/paste these into the form field when you need to.
After taking these steps, it usually takes about 4-8 weeks or longer for the site to be showing the right pages in Google search results. We’ve gotten lucky and heard back from Google within a few days in some cases. Still, we needed to wait for the site(s) to be fully crawled and re-indexed and cached by Google, which took a couple of months.
If this seems overwhelming and time consuming, you’re not wrong. The best course of action is being proactive so you’re not in this position. If you’ve fallen victim to this issue, my team and I would be happy to help you get back on the right track.