Truly securing your website requires that you consider and address all three components of a complete security strategy — protection, detection and recovery. The best protection and detection strategies can still be foiled so you need to be prepared with a plan to get your site back up and running if it’s been knocked down.
In Part 3 of our 3 part series we’ll review some common best practices for website recovery.
Create Regular Backups
Creating regular WordPress backups is the most important thing you can do to secure the health of your website. Backups give you peace of mind and will save you in catastrophic situations when your site gets hacked.
Depending on who your site is hosted with, you may have access to some sophisticated backup options through a cPanel or similar backend. Your hosting company may be making periodic backups of your site but to have real control over your data and be able to respond quickly to attacks or site problems, you’ll want to monitor your own backups.
A sound backup strategy should include keeping a set of regularly-timed snapshots of your entire WordPress installation (including WordPress core files and your database) in a trusted location. There are several free and paid backup plugins for WordPress, and most of them are easy to use. One popular backup plugin is Updraft Plus. The free version is very a full-featured and easy to configure tool that allows you to back up your entire WP installation: database, themes, plugins, uploads, and (if you choose) the Core Files as well. Backups can be scheduled as well as created on-demand and saved to a cloud storage location like Google Drive or Dropbox (more options available with the Premium version). Restoring any backup can be accomplished with just a few clicks.
Recover Your Website
Security is serious and if you’re not comfortable dealing with code, FTP, servers, etc. then it’s almost always better to have a professional handle your website recovery.
Change Your Passwords
It’s crucial that you change your passwords before you start your site recovery. Change all passwords related to the site: FTP, SFTP, cPanel, Plesk, WordPress admin, database password, etc. They may likely be compromised, and you do not want to be reinfected – attackers can continue to disrupt your site by reusing your compromised passwords. Most think long, complicated passwords are overrated, hard to create or hard to remember and will opt for something simple and much shorter than recommended; a fact hackers know and take advantage of. Good strong passwords comprised of letters, numbers, and any other valid characters will go a long way to protect your site. The more characters there are in your passwords, the longer it takes brute force algorithms to crack them.
Assess Your Situation
The more information you can gather about your website hack prior to clean up the better armed you will be. Below are a few key items to review in order to assess what has been targeted on your site.
Contact Your Hosting Company
Check with your web host and provide them with any information you uncover while trying to identify the hack. Most reputable hosting providers are very helpful in these situations. They have experienced staff who regularly deal with sites that have been compromised. Your provider knows their hosting environment better than anyone and can often guide you through your hack cleanup and site recovery. They may even be able to actually do the restore for you.
Restore Your Site from Backup
If restoring from a backup, make sure you have a clean copy. You don’t want to reinstall the malware that took your site down. If you have a blog with daily content, you risk losing posts, new comments, content shares, etc. In this case you’ll need to weigh the pros and cons of a full restore from backup and may need to consider identifying only the affected files and replacing them with clean ones.
Perform Malware Scanning and Removal
Look at your WordPress site and delete any inactive WordPress themes and plugins. This is often where hackers hide their backdoor. Backdoor refers to a method of bypassing normal authentication and gaining remote server access while remaining undetected. Most smart hackers upload the backdoor as their first step. This allows them to regain access even after you find and remove the exploited plugin(s).
Once you have removed inactive modules, scan your website for any signs of malware. It is recommended that you install a free plugin on your website, Sucuri WordPress Auditing. After this is set up the Sucuri scanner will tell you the integrity status of all your core WordPress files and show you where the hack is hiding.
Check Users and Permissions
Look in the “Users” section of your WordPress admin and make sure you and only legitimate team members have administrator access to your site. If you see suspicious usernames, ones you did not create, etc., delete them immediately.
Change Your Secret Keys
As of version 3.1, WordPress generates a set of security keys which encrypt passwords. If a user stole your password and they logged into the site, then they will remain logged in as long as their cookies are valid. To disable cookies and log an invalid user out of your site you must create a new set of secret keys. New keys need to be added to your wp‑config.php file.
Change Your Passwords AGAIN
You changed your passwords at the start of this process. Now do it again and follow the same strong password rules.
Fundamentally, security is not about perfectly secure systems. That ideal may be impractical or impossible to find and/or maintain. We all want to believe we can eliminate security risk with our website, but we simply can’t. What security is though, is risk reduction, not risk elimination. It all boils down to implementing the appropriate security controls, within reason, which reduce the risk of your site becoming a target and subsequently getting hacked.