Graphic Artists Guild


What To Do If You Think Your Client’s WordPress Site’s Been Hacked

by Bud Kraus

The frantic email, text, or call always comes at a bad time. Your client thinks their site’s been hacked. What are you going to do?

Step 1:

Take a deep breath — even if you’ve done this before — and then head straight to the Sucuri Site Scanner, put your web address into the box, and hit the “Scan Website” button. Let the smart Sucuri people analyze your site. They’ll let you know if there is a problem and if so, its likely cause.

If you get a result like this, then it’s “Houston, we have a problem.”

In this case, the site is being blacklisted by search engines and other sites because, in all likelihood, it has been compromised. Further investigation may turn up any or all of these issues:


  1. Brute Force Attack: Repeated password guessing that ends in an illegal entry into your WordPress Admin.
  2. File Inclusion Exploits: A method to compromise your wp-config.php, a mission-critical file in every WordPress site (it holds the database credentials and security keys).
  3. MySQL Injection: Damage to or destruction of a database where data is maliciously added or removed.
  4. Cross-site Scripting (XSS): Malicious script served through your pages, presenting a danger to your site’s users.
  5. Malware: Malicious code that has been planted on your site and is being used from it.

How you resolve the problem(s) depends upon the nature of the problem, your skills and/or the co-operation you will get from the web hosting company. You may also need to hire an outside service, like Sucuri, to clean up the mess. They may recommend the use of a firewall for the site.

But wait — there’s a step before Step 1.

“An ounce of prevention is worth a pound of cure” is not just a trite expression. In the business of keeping WordPress sites safer, it’s true. At minimum, keeping WordPress software up-to-date is a must. Understanding how versions work with any WordPress software is easy, so keep this in mind:

  1. If an update’s version number has two parts, like 4.9, it’s a major update. New features will be introduced, along with bug fixes and security patches.
  2. If an update’s version number has three parts, like 4.9.1, no new features will be introduced. Three-digit updates include only bug fixes and security patches.

WordPress software comes in three types, all of which need to be kept current:

  1. WordPress Core Updates: Major (two-digit) updates are usually available two or three times per year. Three-digit updates occur on a more regular basis. Most web hosts will automatically do three-digit updates for you. The two-digit update is something you usually need to do on your own.
  2. Theme Updates: Theme developers occasionally update their software. This may occur when WordPress itself is updated, but not necessarily; the two- and three-digit system applies for these updates as well. If you change your theme’s coding, always make sure to create a Child Theme. That way, your customizations will not be lost when your theme is updated.
  3. Plugin Updates: These can occur on a very regular basis. Again, you’ll know what kind of update it is by noting if it’s two or three digits. Good plugin developers frequently update their plugins.

Keeping Track Of The Updates

If you regularly log into a WordPress site, it’s easy to tell what needs to be updated. If not, I recommend using the WP Updates Notifier plugin. You will get an email that lets you know if WordPress, your theme, or any plugins need to be updated. Ignore that email at your own peril! (Note: If you manage many sites, consider using ManageWP, which lets you update software on all of them from one control panel.)
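As an added example (not part of Bud’s article), here is a small script that applies his two-part/three-part version rule to the list of pending updates on a site. It assumes the JSON output shapes of two real WP-CLI commands, `wp core check-update --format=json` and `wp plugin list --format=json --fields=name,status,update,version,update_version`; the sample data embedded below is constructed, not captured from a real site.

```python
"""Classify pending WordPress updates as major or security/maintenance."""
import json


def update_kind(version: str) -> str:
    """The article's rule: 'x.y' is a major release (new features),
    'x.y.z' is a maintenance release carrying only bug and security fixes."""
    parts = version.split(".")
    if len(parts) == 2:
        return "major"
    if len(parts) == 3:
        return "security/maintenance"
    return "unknown"


def pending_updates(core_updates: list, plugins: list) -> list:
    """One row per item with an update available, maintenance releases first
    (they are the ones hosts usually auto-apply and the ones to apply first)."""
    rows = []
    for u in core_updates:
        rows.append({"item": "WordPress core", "installed": None,
                     "available": u["version"], "kind": update_kind(u["version"])})
    for p in plugins:
        if p.get("update") == "available" and p.get("update_version"):
            rows.append({"item": p["name"], "installed": p["version"],
                         "available": p["update_version"],
                         "kind": update_kind(p["update_version"])})
    rows.sort(key=lambda r: r["kind"] != "security/maintenance")
    return rows


# Constructed sample output; field names follow WP-CLI, values are made up.
CORE_SAMPLE = json.dumps([{"version": "4.9.1", "update_type": "minor"}])
PLUGIN_SAMPLE = json.dumps([
    {"name": "akismet", "status": "active", "update": "available",
     "version": "4.0", "update_version": "4.0.1"},
    {"name": "hello", "status": "inactive", "update": "none",
     "version": "1.7", "update_version": None},
    {"name": "some-gallery", "status": "active", "update": "available",
     "version": "2.8", "update_version": "3.0"},
])

if __name__ == "__main__":
    for row in pending_updates(json.loads(CORE_SAMPLE), json.loads(PLUGIN_SAMPLE)):
        print(f"{row['item']:<16} {row['installed'] or '-':<6} -> "
              f"{row['available']:<6} {row['kind']}")
```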

Security Is A Shared Responsibility

Keeping software up to date is just part of the precautions you need to take to keep a site safe and in good working order. The web host also has a role to play. Have they added SSL to your domain? (You can request this, and it’s free in most cases.) Are they running current versions of server software, such as PHP 7.0? Is the site on a shared hosting plan? If so, that’s not nearly as secure as a Virtual Private Server.

In your contract with a client it should be clearly stipulated that you are to be held harmless and without liability if a site were to go down for any reason beyond your control. This includes sites you currently work on or maintain, as well as sites you no longer have responsibility for. In all cases, consult an attorney to help protect yourself from legal liability.

Bud Kraus has been teaching the fundamentals of web design to thousands of students at Pratt Institute, the Fashion Institute of Technology and to his private students for 20 years.

Besides teaching, Bud works with individuals and small businesses developing their WordPress sites.

His free WordPress A To Z Series is for beginners or anyone who needs a refresher course. Get access to all his videos at https://joyofwp.com/courses/free-tutorials-course-to-learn-wordpress/.

Questions? Email Bud at bud@joyofwp.com
