Plenty of WordPress websites get hacked every day. And, be under no illusion, yours could be next. Especially if you don’t take security seriously. But, let's be honest here for a second: many website owners overlook having a security and recovery strategy in place because it doesn't strictly relate to business goals. Yet, when they get caught off guard, panic mode strikes and that's the moment they look for (quick) fixes for their compromised website.

That's a common approach to security, but it's completely wrong. If you want to improve your WordPress website's security, it's mainly a game of preventing "bad things" from happening.

So, what do you do if you happen to be the latest victim of a hack? Here are some tips to significantly lower the chance of losing control of your website after it's been hacked, all supported by a security expert's professional expertise.

Restore from a clean backup

You might have noticed this in other situations: backups of your website are vital assets you can't afford not to have. So, before your website is hacked, the most important action you need to take is to ensure you're backing up all that you need, namely:

  • WordPress core files (the actual WordPress software)
  • Your plugins
  • Your theme, which often also include parent theme and child theme
  • Your Database

Then, when you find out your website's been hacked, all you would have to do is restore the backup in a few clicks. In one fell swoop, you will have removed the hack and get the website back up and running.

That would be the easiest, most frictionless scenario to revert your WordPress website to its non-compromised instance. But that almost never occurs: things are usually way more complicated than this. What’s more restoring the backup is nothing more than a first step, you are only restoring a website that is vulnerable to attack and proven as such.
But even worse, your backup may only appear to be clean, in many cases, hackers break into a site and leave backdoors sometime before doing anything like adding links to their favorite Russian porn sites in your footer. And in this case, each time you restore a backup it won’t be long before they are letting themselves back in through the back-door. As WordPress developer and Codeable expert, Liam Bailey explains:

In some cases the hack's actually already been there and it's not been noticed. So, even though you've got backups for two weeks and you put this backup back in place, you've still actually got malware on your site, or what they call 'backdoors'.

If that's your case, you need to restrict site access before starting cleaning. Liam recommends a 3-step process for this:

  1. Block the site off so that it's only accessible on your computer's IP address
  2. Have every user with access change their passwords, this includes passwords to the WordPress site and your FTP password for the server
  3. Scan the site to ensure you're removing all the backdoors

Cleaning up backdoors

Wait a minute: what are backdoors? How do they affect your website?

Explains Liam:

Backdoors are like files with executable code in them that doesn't actually show you the executable code. Usually, it's base64-encoded or otherwise obfuscated (hidden) so they'll hide what they're doing.

Now things get a bit technical here, that's why working with a security expert is the most common choice.

To find backdoors you might want to use a maintenance plugin such as Wordfence which will show some malicious files. As you find them, you should not only delete them but also take a snippet of each and everyone. Now that you have a collection of how some of those malicious files hideously populating your website "look like", you have an opportunity to search for others featuring similar strings.

Technically, the process it's usually performed via SSH leveraging the grep command, which allows the user to search for a given text in your files content. This will highlight files with malicious codes as well as completely new files or code strings that have been created by the hackers. Liam explains:

The good thing about ssh and grep is once you know what you are looking for you can find and delete all malicious files on the server in one fell swoop, although a dry run is advisable.

The same principle as grep (namely regular expression or pattern matching) can be used to clean up the database too.

Re-think about your hosting provider

In case you don't have a recent backup of your website, it won't be possible to get things back the way they used to be after a hack. And this is where a good hosting provider with a good backup system and security in place excels.

Says Liam:

I think WP Engine's got a really good system because that does a complete snapshot of the entire install. So it's really giving you a complete coverage backup, which is good.

If your current hosting provider doesn't have this kind of system, you can either back up the files manually or use a plugin like Updraftplus, which gets the job done really well for the average site. But if your site has a lot of pictures, be careful as updraft can eat up a lot of resources with sites with lots of large images, in some extreme cases it can cause server faults.

Having a good and reliable backup system is just one thing you should evaluate your current hosting provider on. And it's no secret that cheap hosts not only have slower server stacks but also lack further tools and resources that might be critical in the event of a hacked site.

Re-thinking why you've opted for a cheap hosting solution, instead of a more professional one, usually makes you realize you made your decision solely based on your possibility to save on costs. If you add in how much trouble, the time needed and the overall stress of not knowing when things will be back to normal, I'm sure you no longer think of that choice as a smart one for your business.

Wrapping up

If your WordPress site's been hacked, it's never an easy and quick fix. It all gravitates around how secure you've built (or grown) your own ecosystem: your website, your users and their passwords, your plugins, and themes. The better you are at keeping all these secure and updated, the lower the chances for your website to be breached.

But the real key element you can't live without is a clean backup, your only chance to revert things back to normal as fast and close to the latest version of your website as possible. Without a good backup, there are no guarantees that you can restore the website as it was before.

Considering how costly a hack can be for your business, it's important that you don't leave anything to chance. Make sure you have a reliable backup system in place (or have a hosting provider do that for you), so you know you can always get back on track whenever your site is comprised. And get back to sleeping tight.


Liam Bailey is the developer behind Webby Scots with over 500 successfully delivered projects for clients through Codeable. An expert in many areas of WordPress, Liam also studies and specializes in website security. Liam has helped many happy clients improve their WordPress sites including also working in-house at Codeable before returning to freelance and help more clients from all over the world.

WordPress Security Checklist DownloadQuality: The Codeable Differene