How to Recognize and Repair a Hacked WordPress Website

A broken or hacked WordPress website has to be an online business owner’s worst nightmare come true. Watching your revenue plummet because of missed or frustrated visitors is bad enough. But if your infected site spreads malware or discloses personal information, your credibility could take a devastating hit. Some businesses never recover.

How can you recognize a hacked website? What distinguishes a malicious attack from an administrator’s backend bumbling? There are several key differences, and we explore them here.

Broken Websites

What are the symptoms of your WordPress site’s disorder? Is it an error message? A wacky redirect? The dreaded “white screen of death”?

In any case, your first thought is probably “OMG, my site’s been hacked!”

More likely, though, it was unknowingly broken by another administrator.

BTW, that’s one more reason to limit the number of persons with admin access to your site. Allowing just anybody to mess with your website’s backend is a sure-fire invitation to disaster.

Limit access to your website’s sensitive administrative functions to trusted personnel experienced with WordPress. Monitor security, backups, and updates yourself, or allow modifications by well-qualified professionals only.

Most of the common WordPress errors are easily fixed if you can access your site’s admin dashboard. Otherwise, you will need to communicate with your broken website using an FTP/SFTP client program.

Here’s what to do about the three most common WordPress errors.

White Screen of Death

It’s as if your site has ceased to exist! Where your snazzy design and compelling content once lived, there’s now literally NOTHING. A blank screen with no information. Why, and what to do?

This usually happens when a plugin or theme compatibility issue causes an error in the PHP code or the database.

If you have access to the admin dashboard, immediately deactivate all your plugins. Then reactivate them individually so you can determine which one is causing the problem. You’ll then need to deactivate, remove, and replace that plugin with a better solution.

No plugin issues? Check your site’s theme for concerns, especially if you learn that someone else has recently activated an update. Just reactivate the default WordPress theme instead to verify that it’s your theme that’s at fault. Again, you’ll want to remove it and use a different theme.

If the theme’s directory is missing or has been renamed, you’ll see an error message on the site’s front end. If you can log in to the dashboard, switch themes.

Quite frankly, though, you will probably not be able to access your admin dashboard in any of these scenarios. In that case, use an FTP/SFTP client to reach the appropriate directory (wp-content/plugins or wp-content/themes) and rename the suspected folder.

Once the suspected folder/directory is disabled, you can follow up with the suggestions above.

Internal Server Error

You’re trying to log in but instead get an onscreen “Internal Server Error” message. There could be any number of reasons for this, including a corrupted .htaccess file. In that case, simply rename it “.htaccess-old” and reload the site. Resetting your permalinks will generate a new .htaccess file, and the old one can be deleted.

Again, plugin/theme incompatibility could be at fault. Deactivate your plugins or reactivate the default theme as above.

You’ll need to increase PHP memory if you don’t have enough. Although there are several methods for handling this, I’ve been successful by adding the following line to the wp-config.php file using a code editor: define('WP_MEMORY_LIMIT', '256M'); (or whatever number you need the new limit to be).

If corrupted wp-admin or wp-includes folders are the cause of your site’s issues, re-upload the appropriate file from a fresh WordPress install.

Error Establishing Database Connection

The onscreen message “Error establishing a database connection” is usually caused by a problem with your wp-config.php file. Use your FTP/SFTP client to confirm that the database name, username, password and host are all correct.

Also, check with your web host. It could be that their server is down, or your database is suffering a quota overage.

Or they might confirm the unimaginable: Your site was disabled due to infection.

Recognize a Hacked WordPress Website

Most likely, a hacker won’t announce their presence. They don’t want you to know they’re using your compromised website as a Trojan Horse to redirect your users to spam sites, secretly steal their credentials and private information, or other nefarious activity.

So how can you tell that your site’s been hacked?

Most browsers will display a warning page to deter users from accessing the site. You’ll also need to be on top of your website’s usual traffic and analytics to help determine if your site’s been compromised.

A change in traffic patterns could signal that your visitors are being redirected elsewhere. If your site seems unusually slow or is often unresponsive, you could be suffering brute force attacks. Suspicious user accounts are another clue to unauthorized activity on your site.

So despite your best efforts, a malicious actor has somehow gained entry to your site and hacked it up.

First of all, don’t panic! Your content can likely be salvaged. And taking the following action steps will substantially increase your chances of recovery.

Repair a Hacked WordPress Website

Take a deep breath and dive right in.

Start with an incident report documenting all the issues you’re experiencing and every step you take to repair it. Don’t neglect to include the results of each action.

Then use Sucuri’s SiteCheck, a free website scanner, to check for known malware, blacklisting status, website errors, and out-of-date software. Also run a virus check on your computer to be sure it wasn’t compromised in the attack on your website.

Next, check in with your web host. If you’re sharing space with other websites, you may not be the only one affected. Your provider can let you know what’s going on if that’s the case.

Before going any further, reset all your passwords and enable two-factor authentication. Use a trustworthy security plugin like Wordfence or Google Authenticator from the WordPress repository. In addition to your wp-admin, be sure to generate new strong passwords for FTP/SFTP, cPanel, and MySQL.

Then, if you can, reinstall a recent backup. This is probably the first and best choice in any hacking scenario. If you have content that will be lost, though, you may prefer to remove the hack manually.

In either case, delete unused/inactive plugins/themes, and disable any plugins you hope to continue using.

Locate the hack via malware scan if it hasn’t already been detected. It will generally be found in your theme/plugin directories, uploads directory, wp-config.php, wp-includes, or .htaccess file. Also check index.php, header.php, footer.php and functions.php for malicious code.

Go ahead and replace the corrupted files with the original theme/plugin or WordPress core file (except wp-content, where your content resides). Delete any suspicious users you found, or update all user permissions as needed.
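
One way to find which core files need replacing, as an added example that is not part of the original article: it hashes a downloaded copy of the site and a fresh WordPress download of the same version, then lists core files that differ, are missing, or do not exist in a fresh install. The directory arguments and function names are assumptions.

```python
import hashlib
from pathlib import Path

# Directories that should match a fresh download exactly.
# wp-content is skipped: it holds your own themes, plugins and uploads.
CORE_DIRS = ("wp-admin", "wp-includes")
# wp-config.php is site-specific, so review it by hand instead.
SKIP_TOP_LEVEL = {"wp-config.php"}


def sha256_of(path):
    """Hash a file in chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def core_files(root):
    """Map relative path -> SHA-256 for core files under root."""
    root = Path(root)
    found = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        in_core_dir = rel.parts[0] in CORE_DIRS
        is_root_file = len(rel.parts) == 1 and rel.name not in SKIP_TOP_LEVEL
        if in_core_dir or is_root_file:
            found[rel.as_posix()] = sha256_of(path)
    return found


def compare_core(site_dir, fresh_dir):
    """Compare the site copy against a fresh install of the same version."""
    site, fresh = core_files(site_dir), core_files(fresh_dir)
    return {
        # Same path, different content: replace from the fresh copy.
        "modified": sorted(p for p in site if p in fresh and site[p] != fresh[p]),
        # Not shipped with WordPress (includes .htaccess): inspect each one.
        "unexpected": sorted(p for p in site if p not in fresh),
        "missing": sorted(p for p in fresh if p not in site),
    }


if __name__ == "__main__":
    import sys
    for kind, paths in compare_core(sys.argv[1], sys.argv[2]).items():
        for p in paths:
            print(f"{kind}: {p}")
```

Run it against copies pulled down over SFTP rather than on the live server, and record the output in your incident report.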

Now that your site is clean, change all those passwords yet again! This protection is especially vital moving forward. And, most importantly, implement additional security measures to prevent future attacks.

Request a Google site review to clear your site’s good name and remove any red flags that were set up to discourage visitors from using it.

Check out the WordPress support forums for more details and answers to specific questions that weren’t addressed here.

Conclusion

According to Google, compromised passwords, missing security updates, and insecure themes/plugins are among the top ways sites get hacked. So monitor your website’s security, use strong passwords and change them frequently, and only install reputable plugins and themes to help harden your website.

Has your website ever been hacked? How did you handle it? Let us know in the comments below!

7 Signs You Need a Website Redesign

Website redesign: Do you really need it? The look and “feel” of your website can certainly have an effect on how many visitors you attract and how they interact with your site. Slow, dowdy websites turn visitors away. That means your bottom line takes a hit.

Your website is your digital calling card. These days, it’s your most important business asset. Keeping it fresh and attractive is more than an exercise in keeping up with the Joneses, though. It’s an opportunity to rebrand and refocus your business. Or showcase new products and services. Or appeal to a new clientele.

Have you refreshed your site lately? You should review it with a critical eye every so often to make sure it’s still interesting to your audience and keeping up with current design trends. Not to be trendy, but to stay relevant to your target market and generate new visitors.

Outdated sites have more problems than simply looking obsolete. Let’s take a look at seven signs it’s time for a website redesign.

It looks dated.

Old-school websites look uncared for and are not visually appealing. Adding new content is not enough if the site is not engaging. Show web surfers a beautifully designed site with a modern layout and interesting visuals. You’ll probably notice visitors spending more time rather than quickly clicking away.

It’s dysfunctional/not user-friendly.

Poorly designed sites make it difficult for people to find the information they seek. They might click around for a few minutes before leaving the site in frustration. Direct your users with easy-to-locate navigation and they will likely stay longer.

It’s too slow.

Current recommendations call for webpage load times of 3 seconds in this short-attention-span age. If you can’t quickly catch a visitor’s attention, they’ll probably move on to another faster-loading competitor. Your refreshed website won’t keep them waiting.

It’s not responsive or mobile-friendly.

Unless your site is optimized for various screen sizes, it can be difficult to understand or browse effectively. Visitors view your site on everything from tiny mobile screens to humungous TV-sized monitors. Be sure they can use your redesigned website effectively no matter the screen size.

It’s a security risk or has been hacked.

Another problem with old-fashioned websites is they can be easily compromised. If you’re not keeping up with theme and plugin updates, your site is a definite security risk. Keeping your website updated is one of the best ways to deter hackers.

Your business has changed focus.

What started out as one thing has led to another and another. You’ve totally revamped your product line or have developed new services. You no longer cater to the same market, or you want to attract a different clientele. Announce your new direction with a refreshed website to attract new visitors and impress your regulars.

To update marketing strategies.

If you’re still using outdated marketing techniques, you’ll soon find yourself left behind in this digital era. Upgrade your business model using the latest approaches and a redesigned website to promote your new direction.

Closing thoughts.

How often should you undertake a website redesign? If you have any of these issues, it’s time to get started. Don’t think in terms of years or months, though, because the website you recently launched might already be stale.

Check for tell-tale signs that your site is not performing at its best. Is your traffic down? Have your sales declined? A website redesign might be just the thing to help get you back on track.

VAWW Online is being redesigned using Divi from Elegant Themes. If you’d like more information on our website design and maintenance services, click here to start the conversation.

WordPress Website Security: Best Practices 2018

It’s true that WordPress website security is a concern. Because the content management system of choice is so commonly used, it’s much more attractive to malicious actors and therefore more vulnerable to attack.

A 2016 study showed that of more than 11,000 infected websites analyzed, 75% were on the WordPress platform. Over 50% of those websites were out of date.

It has also been reported that 73% of WordPress sites are vulnerable to attack.

But if you’ve bought into the hype that WordPress is inherently insecure, then you’re missing out on all the great things WordPress has to offer, for no good reason.

You can easily put a range of simple enhancements to your website security in place that will ease your mind while keeping your site safer.

Don’t let security concerns keep you from enjoying the flexibility and power of WordPress

WordPress sites do get hacked, but the fact is that they are no more dangerous than other PHP-based websites. And WordPress is by no means the security risk some people would have you believe.

The problem is that WordPress is open source, which means that anyone can read the code — even the bad guys who spend all their time looking for vulnerabilities they can exploit.

Couple that with the enormous popularity of WordPress, and it’s easy to see why you hear about hacks on a regular basis.

But that doesn’t mean WordPress is unsafe. Your site’s chances of being attacked are substantially minimized when you implement just a few security best practices.

Good Website Security Practices Help Protect Your Site

Every time you drive a car your risk of having an accident is increased, but that doesn’t mean you don’t drive. You simply take steps to reduce your risk instead. WordPress is no different.

With a few security measures in place, your danger of being hacked is nearly non-existent.

To start:

  • Choose a secure hosting environment.
  • Keep your site and its themes and plugins up to date.
  • Use strong passwords and change them often.
  • Limit login attempts.
  • Add two-factor authentication.

Be Smart About Your Hosting

Unlimited domains! Infinite space! Limitless bandwidth! And all for around $8 per month. You’ve probably seen the claims and may even have a hosting account with one of these companies.

Here’s the problem. This type of shared hosting is inexpensive only because they overload their servers with thousands of websites.

Just as close proximity in crowded classrooms allows human viruses to quickly spread, the close proximity of websites on a shared server means one infected site is a risk to all the others.

Choose a host that allows you to isolate each site on its own cPanel, rather than looking for the least expensive (and possibly riskiest) hosting option. Doing so will greatly improve the security of your website.

Keep Your Site Up to Date

This is by far the biggest hazard when it comes to security. New vulnerabilities are discovered in WordPress and its plugins and themes on a regular basis, so if your site is out of date, it is at risk.

Most hacked sites are running old versions that are not optimized for protection against vulnerabilities, and are therefore more easily compromised.

Hackers actively search for outdated websites they can attack, so make it a point to keep your site up to date. That includes plugins, themes, and the WordPress software itself.

The WordPress security team regularly releases security patches and core updates to counteract weaknesses, continually strengthening the overall stability and safety of the platform.

Use Strong Passwords

Second only to out-of-date installations when it comes to inviting hackers, weak passwords are regularly exploited with a technique called a “brute force” attack.

Simply put, a hacker sets a computer program (or “bot”) to repeatedly attempt to log in to your site using thousands of the most commonly used passwords and what are known as “dictionary” words.

This type of vulnerability can be easily avoided just by choosing good passwords. Ideally, your passwords should:

  • be longer than 12 characters
  • never be used for more than one site
  • contain upper and lower case letters, numbers and symbols
  • never be stored in plain text on your computer
  • never be sent by email
  • be changed often

Also, consider using a password manager such as LastPass to generate and securely store good, strong passwords. You’ll never have to worry about remembering your passwords, and you’ll greatly reduce your risk of being hacked.

Limit Login Attempts

It goes without saying that you should never use easy usernames like “admin” that are the first choice of malicious bots attempting a brute force attack on your site.

Another good defense is to limit the number of login attempts allowed before a visitor is locked out. This is easily done with the use of any number of available security plugins.
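
To see whether your site is drawing the repeated login attempts described above, you can count them in your web server's access log. The following is an added example, not part of the original article or of any plugin: it flags addresses that POST to wp-login.php more than a set number of times within one minute. The "combined" log format, the thresholds, the function names and the sample lines (constructed, using documentation IP addresses) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _line(ip, hhmmss, method, path, status):
    """Build one constructed log line in Apache/Nginx combined format."""
    return (f'{ip} - - [12/Mar/2018:{hhmmss} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 3412 "-" "-"')


# Constructed sample: eight rapid login POSTs from one address,
# two widely spaced POSTs and one page view from another.
SAMPLE_LOG = (
    [_line("203.0.113.7", f"10:00:{s:02d}", "POST", "/wp-login.php", 200)
     for s in range(0, 40, 5)]
    + [_line("198.51.100.20", "10:01:00", "POST", "/wp-login.php", 200),
       _line("198.51.100.20", "10:09:30", "POST", "/wp-login.php", 302),
       _line("198.51.100.20", "10:09:31", "GET", "/wp-admin/", 200)]
)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
)


def flag_login_floods(lines, max_attempts=5, window=timedelta(minutes=1)):
    """Return {ip: peak login POSTs seen inside one window} for IPs over the limit.

    Lines are assumed to be in chronological order, as access logs are.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?")[0] != "/wp-login.php":
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        attempts = recent[m["ip"]]
        attempts.append(when)
        while when - attempts[0] > window:   # drop attempts older than the window
            attempts.popleft()
        if len(attempts) > max_attempts:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(attempts))
    return peaks


if __name__ == "__main__":
    for ip, count in flag_login_floods(SAMPLE_LOG).items():
        print(f"{ip}: {count} login attempts within one minute")
```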

Add Two-Factor Authentication

Requiring users to authenticate their credentials a second time prevents nefarious programs from entering your site in the event that your username and password are compromised in a brute force attack.

In addition to something the visitor knows (username and password), this system calls for identity to be proven again by something ONLY that visitor has. This is commonly a dynamic passcode generated specifically for the visitor to input before continuing to enter your website.

Again, this is easily implemented using one of many excellent website security plugins available at the WordPress repository.

Conclusion

In the end, the safety and security of your site and its data is entirely up to you. Keep your software up to date, use good passwords, and choose a secure hosting environment, and you’ll be well ahead of the curve.

And while this is by no means a comprehensive article covering every aspect, these actionable tips can ensure that your WordPress website security is, if not impenetrable, at least so difficult to hack that it’s simply not worth the try.

Do you have favorite plugins or processes to help protect your website? Let us know in the comments below!