What to do if your WordPress site got hacked

Sooner or later you are going to experience that something is not right with your WordPress site, If your WordPress site has not had a security problem, you are either a new site owner or you’re not aware of what is happening to your site.

One morning you find yourself locked out of your website because someone else has gained control of your site, or you get emails from friends that wonder why your site is promoting pharmaceuticals. Please do not be naive to think this will not happen to my site, anything can be hacked, it does not matter what content management system you use. If you are on the internet it can be hacked.

What should you do to recover from a hack, first do you backup your site regularly – if not start today that will help you bring your site back quicker, keep details of your server and how to connect to your server with user logins FTP, SSH, etc. If you can afford it, have a staging host which is a mirror copy of your main website.

When your site has been hacked you need to take a few steps.

Don’t panic – there are stories of website owners who “panic” and deleted everything on their server, only to realize that they also deleted all of their backups or others that re-image the server and realized they did not have backups.

1. Get in contact with your web hosting company – your hosting company should have dedicated staff/resources to chase down and fix any hacks that may be occurring on their servers.
2. If you do not know what to do, contact a WordPress security professional to help you out of your situation – It can be expensive to hire a professional to clean up your hacked WordPress site, it’s worthwhile as it eliminates downtime and they will clean up out malicious code.
3. Change ALL passwords – It’s always a good idea to change your passwords whenever something out of the ordinary or unexplainable happens. Passwords are the #1 method of security protection and in any case, where something happens you should automatically think about changing your passwords. There are a number of solutions that may help you manage and rapidly change passwords like Dashlane. The changing of passwords isn’t just changing your WordPress user account password, it entails going through and changing all of the following passwords:
   1. change your web hosting account password (how you log in to your web host control panel)
   2. change your WordPress user account passwords
   3. change your FTP account passwords
   4. change your SSH account passwords
   5. change your domain registrar password that controls your domain name attached to your WordPress site
   6. change your email address password that is connected to your site
   7. consider changing your MySQL passwords
4.  Change the SALT keys in the wp-config.php file – The SALT keys once changed, will automatically log out anyone in your site and will require users to re-login. This is a helpful step because if there is someone in your WordPress admin area that shouldn’t be there, this will log that user out of the WordPress site and require them to attempt a new login. Since the passwords were already changed, the user will be unable to use old “acquired” passwords.
5. The simplest way to restore is to simply wipe the site and restore from an unaffected backup. I normally install WordPress from scratch with the latest version, then I install the plugins and theme that I used from the original files, the only items I restore from backups are the databases and the upload folder.  You could restore your backup then to update all plugins, themes, and WordPress core before continuing.
6. Check All File/Folder Permissions, Open Ports & Users on Site for Anything Not Set Up Correctly – You would need to login to your server to check the permissions. Go to the Users section of your WordPress Admin Dashboard to make sure there aren’t any user accounts (especially Administrator accounts) that are on your site that shouldn’t be on the site. Remove any old accounts that don’t need to be used on the site anymore.
7. After you’ve have restored and checked the file/folder permissions change the passwords for your WordPress User accounts AGAIN just to verify that during your restoration and fixing period someone wasn’t able to gain access to an account to watch what you were attempting to fix.
8. Change the SALT keys again to force everyone to log out of the site for the last time. It probably is a good practice to periodically change the SALT keys in your wp-config.php file.
9. Now that you have a restored site with all of your fixes in place, it is now time to make a new fresh WordPress backup and take a much-deserved break.
10. Restricting MySql user privileges – under normal WordPress operations, posting blog posts, uploading media files, posting comments, creating new WordPress users and installing WordPress plugins, the MySQL database user only needs data read and data write privileges to the MySQL database.

If you have experience with a hacked WordPress site. Please share your experiences in the comments.