How did this happen?
As WordPress is now used by 43% of the known internet, hackers like to try to infiltrate WordPress sites. A hack can come in a variety of ways. Very often the entry point of a hack is simply an out of date version of WordPress. Other common entry points are poorly coded or out of date plugins or themes. One reason we encourage limited plugin use is to limit exposure to hacks.
Because non-updated, older versions are easier to hack, we encourage always staying up to date. It is also possible that your site, FTP, or web host control panel login username/password was compromised and an attacker was able to log in with your credentials. Strong passwords are a must these days.
If you really want to understand how your site site could have been hacked and get some detailed options for preventing them going forward, here is some night-time reading that gives a very thorough explanation of all possible WordPress vulnerabilities.
Once a site is hacked, it is very common for the active theme to be compromised. So if your site is running ProPhoto, be aware that the ProPhoto theme files may have very well been compromised. However, this doesn’t mean that the hack got in through ProPhoto itself. In fact, in our entire existence, we have never found a hack that got into a site due to a vulnerability in ProPhoto.
What do I do now?
Begin by informing your web host!! They should know if their systems have been compromised, especially in the event that a more advanced hack has taken place which may require your content to be loaded onto a different uninfected server computer. They may also be able to restore your site to a time before the hack took place.
While being hacked is annoying and frustrating, there is rarely any information lost (meaning your posts, comments, etc), and it can almost always be cleaned out and your blog restored to normal. WordPress has a pretty thorough guide for what to do in case of a hack, that includes helpful reference links for more detailed information. Sucuri has an even more detailed guide for what to do if you suspect malware. The limited steps below are what we feel is important to highlight.
- Update your passwords everywhere. Do this before working with your site, so further hacks can be prevented. Change every password related to that hosting account, including the password for every WordPress site on your server, your FTP password, your webhosting account password, your database password and passwords to any other applications in that hosting account.
- Update your security keys in your wp-config.php file after changing your password. Don’t forget to this step so that no one can remain cookied into your site. Use this key generator to generate unique, random keys.
- Restore your site from a backup. This is the quickest way to remove a hack. Since the host can often quickly do that, ask them first. If they can’t do it, and you have good backups, go for it! If you need help, wpbeginner.com has a pretty good guide. When you finish, change your passwords and secret keys again.
(much) Less ideal method
If you don’t go the backup restoration route or don’t have a good backup, you’ll need to root out the hack manually. Again, the WordPress guide has some helpful links for doing this, but we’ll add a few thoughts.
- Manually replace the WordPress core files and the ProPhoto theme files. Rest assured that this is safe to do and does not change the content or look of your site. This only replaces core files, not saved information. Below are the relevant guides for that.
Manual WordPress Upgrade
Manual ProPhoto Update
- Delete and re-uploaded your plugins from backed up copies or from the plugin repository. If you don’t need it, though, don’t re-upload.
- Delete every theme except for your newly updated ProPhoto theme files in the “Appearance” > “Themes” or the themes folder on your server .
- Delete unused WordPress installations off your server entirely. It’s common for folks to have installed WordPress installations they never used and of which they are not aware. These can languish in an out of date state and become a security liability.
- Look for strange files on your server or strange code in php files or .htaccess files. This is the hard part but with the previous 4 steps there are new much fewer places where the hack could be hiding.
- If you have other web applications in your hosting account (like a Flash template site, or shopping cart application), you should contact their support as well and make sure that those files are clean.
- Update you password and secret keys again when the hack is removed.
If the hack or malware remains or keeps returning, you will want to get help from your web hosting company or someone who deals with hacks at a professional level. We recommend contacting a company called “NetCrafted.” We have been working with NetCrafted for several years now and have received nothing but positive feedback regarding their services. You can check out their malware removal services page or email them directly.
Should I install a security plugins?
Possibly! Security plugins provide you with a host of protection, scanning and reporting options. If you don’t know how to manually implement some of the security suggestions you’ve seen from WordPress or other guides, these plugins are a way to get those done in one place.
What about Google?
Of course Google also has some great advice on what you can do on your own, including how to get off their blacklist and have your site reconsidered after you clean your site.