My Site Was Hacked: How to Prevent WordPress Hacks


If you run a blog in the 20-teens then you could get hacked.

Dear Blogger was hacked just a week ago, meaning anyone visiting the site saw a 403 error page and we were de-indexed from Search. Let me say that again, we were removed from Google. Zero traffic and zero revenue for 1 week. I wrote this post because “getting hacked” is still a very misunderstood concept and to explain what I learned.

This will help you prevent a hack, or clean things up should it ever happen.

Who should be reading this

[Image: analytics flatline]

Imagine seeing your analytics flatline. Daily subscribers and sales too. Not pretty eh? Not going to happen to you, you say? Well, that’s what I thought.

So I’m writing this post to warn:

  • Niche bloggers
    Niche bloggers have a long checklist to become profitable, and it’s easy to forget security. And the sheer profitability of these blogs makes them ideal targets.
  • WordPress business website owners
    It’s becoming more and more common for WordPress business owners to start 10-20 WordPress sites and make a living out of it. More sites = more potential for a hack, which can then infiltrate all your sites.
  • Bloggers who blog full time
    Anyone who blogs full time needs to take precautions. And anyone who runs a lucrative blog can be crushed by a hack that leads to de-indexing. It’s average bloggers operating entirely alone who can suffer the most from a hack, because the world simply keeps moving and other bloggers will take your place almost instantly.

As I said it’s average solo bloggers – moms, dads, community managers – that can suffer the most from a hack so this post is for you. I’m here to help.

But before I talk about the two things you might not be doing – how can a hack really lead to being de-indexed aka taken out of Google Search and losing all your free traffic?

A hack often leads to de-indexing

Side note: thanks to Anya, an awesome blogger and subscriber, who first emailed me about our potential hack. I should have taken action then…

What is a hack? As Google puts it, a hack for website owners usually means a malicious third party has uploaded spammy content or malware to your site.

Example: Let’s say you have an awesome site about socks. You recommend the warmest, most athletic and always cutting-edge socks. Then one day, Google crawls your site and finds all sorts of links to some disreputable pharmaceutical company (spammy content was put on your site). Or worse, Google crawls your site and finds malware, which is prying at your passwords and can be pushed onto visitors’ computers.

Google will mark your site as “This site may be hacked” to protect both you and all your visitors.

Here’s a hacking help video from Google I’ve already watched thrice:

If your site goes unfixed for too long, it can be removed from Search entirely, the worst nightmare of any blogger.

What causes a website or blog hack?

[Image: update plugins]

Now that we know what a hacker wants to do once they get in – upload spammy content or upload malware – what makes your site vulnerable to a hack? Again, two things:

  1. Outdated plugins or versions of WordPress software
  2. Weak passwords

As trivial and simple as it sounds, these are the two most common ways a WordPress site is hacked. Think about all the sites you run. Are your plugins up to date? Are you running WordPress 4.0 now?

Plugins, when outdated, can be left with known vulnerabilities – basically holes that a hacker’s exploit script can use to target lots of sites at once. And weak passwords speak for themselves.

These causes are not mutually exclusive either. A hacker can enter through a plugin, obtain your password, and from there gain access to your hosting account (at GoDaddy, Bluehost, or HostGator, for example), and this is when it gets really serious.

Maybe it’s time to start taking the password meters more seriously? For me it is.

How to prevent a website hack

So, a hacker can use outdated plugins or core WordPress software combined with weak passwords to upload spammy content and malware to your site. Once they’re in, all hell breaks loose.

So, how can you ensure that your WordPress site or blog never gets hacked? Here are my suggestions:

  1. Spend at least one day each month updating all of your site content including plugins, versions of WordPress, eCommerce addons like WooCommerce and anything else you feel looks out of date.
  2. Purchase security software for WordPress (ask for recommendations)
  3. Develop a good relationship with your host

#1 alone will prevent roughly 95% of hacks, and as such I don’t recommend purchasing expensive software, especially if you have just started blogging.
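As an added example (not code from the original post), here is a small Python audit script for step #1 and for the “outdated plugins” cause described above: it reads the version header of each installed plugin the way WordPress reads it, compares it to a table of latest known versions, and flags anything outdated. The plugin names, versions and directory layout are constructed for the example; in practice the latest-version table would come from the wordpress.org plugin API or from `wp plugin list --update=available` on a site with WP-CLI installed. Versions are compared numerically, so 4.10 is correctly treated as newer than 4.9, which a plain string comparison gets wrong.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample plugins for this example. The header format is the real
# one WordPress reads ("Plugin Name:" and "Version:" lines in the main file's
# top comment); the plugin names and version numbers are made up.
SAMPLE_PLUGINS = {
    "contact-form-example/contact-form-example.php": (
        "<?php\n"
        "/*\n"
        "Plugin Name: Contact Form Example\n"
        "Version: 1.2.0\n"
        "*/\n"
    ),
    "gallery-example/gallery-example.php": (
        "<?php\n"
        "/**\n"
        " * Plugin Name: Gallery Example\n"
        " * Version: 3.0.1\n"
        " */\n"
    ),
    # A helper file with no plugin header; real plugins contain many of these.
    "gallery-example/helpers.php": "<?php\nfunction gallery_helper() {}\n",
}

# Hypothetical "latest known" versions. In a real check this table would be
# filled from the wordpress.org plugin API or `wp plugin list --update=available`.
LATEST_VERSIONS = {
    "Contact Form Example": "1.4.2",
    "Gallery Example": "3.0.1",
}

# Matches "Plugin Name: ..." / "Version: ..." whether or not the line starts
# with the " * " of a docblock comment.
HEADER_RE = re.compile(r"^[\s*]*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(text):
    """Extract 'Plugin Name' and 'Version' from a plugin file's header comment.

    Only the start of the file is scanned (WordPress itself reads just the
    first 8 KB) and only the first occurrence of each field counts.
    """
    fields = {}
    for key, value in HEADER_RE.findall(text[:8192]):
        fields.setdefault(key, value)
    return fields


def version_tuple(version):
    """'4.10' -> (4, 10), so 4.10 compares newer than 4.9; non-numeric parts become 0."""
    return tuple(int(part) if part.isdigit() else 0 for part in re.split(r"[.\-]", version))


def is_outdated(installed, latest):
    """True when the installed version is numerically older than the latest known one."""
    return version_tuple(installed) < version_tuple(latest)


def audit_plugins(plugins_dir, latest_versions):
    """Scan a wp-content/plugins-style directory; one report entry per plugin with a header."""
    report = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        header = parse_plugin_header(php_file.read_text(encoding="utf-8", errors="replace"))
        name = header.get("Plugin Name")
        if not name:
            continue  # not a plugin's main file, skip it
        installed = header.get("Version", "0")
        latest = latest_versions.get(name)
        report.append({
            "name": name,
            "installed": installed,
            "latest": latest,
            # Unknown plugins (no latest version on record) are not marked outdated,
            # but they are still listed so you notice them.
            "outdated": latest is not None and is_outdated(installed, latest),
        })
    return report


def build_sample_dir():
    """Write the constructed sample plugins into a temp directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="wp-plugins-"))
    for rel_path, content in SAMPLE_PLUGINS.items():
        target = root / rel_path
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


def run_sample():
    """Run the audit over the constructed sample directory."""
    return audit_plugins(build_sample_dir(), LATEST_VERSIONS)


if __name__ == "__main__":
    for entry in run_sample():
        status = "OUTDATED" if entry["outdated"] else "ok"
        print(f'{entry["name"]}: {entry["installed"]} (latest {entry["latest"]}) {status}')
```

To run it against a real install, call `audit_plugins("/path/to/wp-content/plugins", latest)` with a `latest` table you fetched yourself; any entry whose `"latest"` is `None` is a plugin you have no update source for, which is worth a look on its own.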

However, #3 is paramount. When this website was hacked, HostGator acted swiftly to bring in security admins and quarantine the site. The downside was a few days without revenue or new subscribers, but the upside is we’re all clear now, some 5 days later. You absolutely need to act quickly on these matters, and you need the assistance of a good host, or “hoster” as Google calls them, to clean up all the graffiti.

Building a good support team now will help you figure out how to fix a WordPress website or blog hack quickly when it actually happens. The final step will be to request a review from Google.

Are you at risk?

Getting hacked is not something you want to prolong, but it is something you need to address quickly, both on your end and with your readers. Having a quick strategy will help you fix a hacked site and get back to business asap. Here are the main takeaways:

  • Always update your plugins (and delete plugins and themes you don’t use for a faster site).
  • Update WordPress often
  • Delete plugins and themes you don’t use
  • Start building a support network with your host today, so they know who you are when you rush to them for help. This is crucial.
  • Use medium-strong passwords
  • And you should be okay

I’ll be sending a more personal, elaborate story of the hack at Dear Blogger to my email club so hop on if you’re curious on the deets!

Let me know any questions in the comments and I’m happy to explain further.



4 Responses to "My Site Was Hacked: How to Prevent WordPress Hacks"

  1. In my experience, to prevent getting hacked on WordPress it’s very important to keep everything updated. That means your WordPress themes, plugins, and the WordPress version. You can also pay a service to harden your website so you don’t get hacked. Many times there are vulnerabilities that you might not see. You can check your site on WP Scan to see if there is anything you might not be aware of. Thanks for the great information.

  2. This is a great list. Getting hacked is such a huge headache. I had to jump through hoops when my priority site was hacked (injected with some evil code) on a multiple-site hosting account, affecting all of them. I lost a few sites completely. I used SiteLock to get my most important site clean (very expensive) then paid them $59/mo (I think) to firewall it for me while I came up with something more affordable for the long term. Now I’m hosting it with WPEngine ($29/mo), but I still have several old sites collecting dust over on Bluehost that I need to go through and update things in.

    I love Bluehost’s tech support, but it’s strictly DIY with their guidance or affiliate partners. Does Hostgator clean a site *for* you?

    The security plug-ins I tried were too complicated and technical for me and I’m no techno-newbie, but maybe they’ve gotten easier to navigate.

    What I have also heard is that if you have a lot of customizations, use a child theme, and if you get hacked, all you have to do is re-install the parent theme and you don’t lose the customizations. Or, if you just use a WP theme as it comes, you only need to re-install the theme if it’s hacked. True? False? What do you know about that?

    I was looking at the new X Theme and it has so many options that I wondered if options stay put if you get hacked then just re-install the theme…

    1. Dear Michelle,

      Awesome comment!!

      Did you lose sites because they had to get wiped? Did you have to move from Bluehost for something more robust? It’s tough being a WordPress multi-site owner, sigh 🙂

      HostGator does clean for you as long as you ask nicely. Their security admins were even cooler than normal chat support.

      That’s correct on child themes. Smart move.

      X is awesome! Some folks hate it but I think it’s the future. I just built a financial services site on it. And I bet it has security features baked in.

      Again, awesome points here.

