A hacked WordPress site is something pretty normal these days. Is your website hacked?! Don’t panic. Let me show you how to fix it.
This is a two-part series on WordPress security. In this first post, I’ll go over the process of FINDING & FIXING a redirection malware in a WordPress site. In Part 2, I’ll describe how to set up a protection strategy, covering all the hardening applied on my website to PREVENT hacking attacks.
- MY WORDPRESS SITE IS REDIRECTING TO SPAMMY SITE!
- CONFIRM THAT YOUR WEBSITE HAS BEEN HACKED
- THE SHORT WAY TO FIX A HACKED WORDPRESS SITE
- THE LONG WAY TO FIX A HACK: FIND IT AND REMOVE IT
- QUARANTINE YOUR WEBSITE
- BACKUP YOUR WEBSITE
- CHANGE YOUR PASSWORDS
- FINDING THE HACK (SIMPLE ANALYSIS)
- FINDING THE HACK – DEEP ANALYSIS
- ANALYZE RECENT CHANGES IN CODE FILES
- CHECK AUTHENTICITY OF WORDPRESS CORE FILES
- ANALYZE ACTIVITY IN YOUR ACCESS LOGS
- CHECK AUTHENTICITY OF YOUR THEME FILES
- CHECK AUTHENTICITY OF YOUR PLUGINS FILES
- CHECK AUTHENTICITY OF THE DATABASE
- THE HACK! BUSTED!
- REMOVE THE HACK
- TEST YOUR SITE. CONFIRM IT’S OK NOW.
- BACKUP YOUR WEBSITE
- POST-HACK ACTIONS
- PUT YOUR WEBSITE ONLINE
- PREVENTING HACKS. HARDENING YOUR WEBSITE SECURITY.
- FINAL WORDS
- We’re going to use free tools plus manual techniques.
- Your hack might not be the same that I describe here, but the steps taken in this guide are useful for finding any malware in a hacked WordPress site.
- The process is pretty technical, but even if you’re not a techie, this guide will help you to understand the big picture and get closer to the problem before you pay for some professional service or tool.
MY WORDPRESS SITE IS REDIRECTING TO SPAMMY SITE!
Days ago, I opened my website and I was redirected to a spammy .biz domain, which then displayed the typical popups, messages and ads of malicious websites.
CONFIRM THAT YOUR WEBSITE HAS BEEN HACKED
Browse your site on different devices (computers, smartphones) to confirm that the problem is in the website and not just in your computer. Sometimes it’s our computer that has been hacked, so our browser might be redirecting because of local viruses or malicious browser extensions. If your website has the same behavior in all devices, your site is compromised.
Why is your WordPress site hacked? Because there are hackers and there are vulnerable sites.
A hacked WordPress site does something it is not supposed to do because there’s some malicious code that is not supposed to be there.
THE SHORT WAY TO FIX A HACKED WORDPRESS SITE
The quickest way to “fix” a hacked website is to restore a healthy backup.
The problem with backups is that many website owners don’t have any when they are first hacked, so maybe this is not an option for you. Even if you have backups, it’s a good idea to find out what happened, so you can patch your security breach. If your “healthy” backup has the same security issues, you’ll be hacked again.
THE LONG WAY TO FIX A HACK: FIND IT AND REMOVE IT
If you don’t have a backup or you just want to find out how the malware got in your website, follow this process to detect the malicious code and fix your website.
QUARANTINE YOUR WEBSITE
Take your hacked website offline. Your visitors and Google must be prevented from following the malicious redirection.
In my case, the hacked WordPress site is hosted with Bluehost, which includes a default “Coming soon” mode available on my site. If you’re with Bluehost, go to WordPress Admin > Settings > General. Look for “BlueHost Coming Soon” section. Check the “Enable” option. Click Save. After this, your website will display a coming soon page instead of the infested site.
If you don’t have this option on your admin area, you can use a “Coming soon” plugin.
BACKUP YOUR WEBSITE
Whether you use a plugin-powered solution or do it manually, back up your hacked WordPress site at this point (files and database). If you break something in the process of fixing, you can go back to this point and start over.
For backups, I personally use the UpdraftPlus plugin.
CHANGE YOUR PASSWORDS
The first thing to do on a hacked WordPress site is to change all your passwords. Even though we don’t know much about the hack yet, many times the attack happens because somebody got a username and password to access your site. You must interrupt this unauthorized access by resetting all passwords.
- Change the password of all users on your site. Use strong passwords. If your site has just a few users, you can do this manually; or you can use a plugin like Sucuri Security to bulk reset users’ passwords.
- Change your hosting account passwords (cPanel, FTP).
- Change your server’s email accounts password. This may be a bit paranoid, but I did it anyways.
- Change your database server’s password. Update wp-config.php with the new password.
FINDING THE HACK (SIMPLE ANALYSIS)
A hack is nothing more than some malicious code added to your website’s files and/or database. We need to find those lines of code. To find the hack, let’s move from general, simple analyses to deeper examination of your website’s components, taking note of anything that looks suspicious.
In my case, I found the malware by analyzing my server’s Access Logs. Depending on the complexity of the hack, you’ll go through more or less analyses on your hacked WordPress site.
For every potential fix that you perform during this process, you must test the site to see if the hack is gone and to confirm that you didn’t break something authentic. If you test and the hack is still there, restore what you changed and move to the next step.
Let the hunting begin!
LOOK FOR SOME CLUE OF THE MALWARE IN YOUR PAGE
Your hacked WordPress site is executing malicious code: redirecting, sending emails, displaying ads. Start by looking for some clue of this behavior in your page’s code.
In the case of a redirection to a spammy site, see if you can find the URL of that site in your source code. On Chrome browser, press Ctrl + U to open the source code in a new tab, or press F12 to open the Developer Tools. In either case, then press Ctrl + F to find text. Type some fragment of the URL you’re being redirected to (e.g., domain.biz). Chrome will highlight any text that matches. Doing this, I found a malicious line of code in my website.
Now, we need to find out where this script is coming from. Which component in your website is putting this code there?
LOOK FOR OBVIOUS MALWARE IN YOUR WORDPRESS INSTALLATION
Before you go deep into your investigation, review some usual places for malware, looking for very obvious stuff. Maybe you’re lucky and the attack was a simple one to find and fix. If you don’t find anything by simple analysis, continue to deeper analyses.
Sometimes the attacker will create a user on your hacked WordPress site. Browse to WP admin > Users. Check that you don’t have weird users there. If your site is a membership site with a lot of users, this might be difficult to do. But if your site has only a few users, any suspicious account will be easy to spot.
You can also use plugins like Exploit Scanner to discover any hidden user with admin privileges.
Remove any user that you’re sure is not supposed to be there.
Theme files hacked?
Another common attack is to modify your theme’s files. Inspect these files on your hacked WordPress site. Browse to WP admin > Appearance > Editor. There you can see a list of your theme’s files. If you don’t see this Editor option, maybe you have it disabled in your wp-config.php (define('DISALLOW_FILE_EDIT', true)). In this case you can alternatively open these files via FTP. They are in your theme’s folder: /wp-content/themes/[yourtheme].
Check header.php, footer.php, index.php, 404.php, looking for any obvious malicious code. This might not be easy depending on the amount of code in your files, but remember, we’re just looking for any obvious attack before we go into a deeper analysis. If you don’t know or you don’t see anything, it’s OK. We’ll check these files later in a more effective way.
If you do see malicious code, remove it. Save the file. Test the site and check if the hack is gone and if the site works properly. Roll back this change if the hack is still there.
Browse to WP Admin > Plugins. Review your installed plugins, looking for any unknown/suspicious plugin.
If you see any plugin that you didn’t install yourself or that you don’t know, deactivate it. Test and check if the hack is gone and if the site works properly. Roll back this change if the hack is still there.
.htaccess file OK?
Open the /.htaccess file in your site’s root directory. Check if there’s some malicious code there. Look for any redirection rule. If your hacked WordPress site is redirecting, inspect this file in detail.
Search for ‘http’ to get all redirect rules that may include malicious redirects. Also, search for “HTTP_USER_AGENT”, as some malicious redirects only redirect based on user agent.
If you see any suspicious rule, delete it. Test the site and check if the hack is gone and if the site works properly. Roll back this change if the hack is still there.
Open /index.php file in your site’s root directory and see if there’s some malicious code there. If you see any suspicious code, delete it. Test the site and check if the hack is gone and if the site works properly.
Open /wp-config.php in your site’s root directory file and see if there’s some malicious code there. If you see any suspicious code, delete it. Test the site and check if the hack is gone and if the site works properly.
PHP files in your uploads directory?
A hacked WordPress site might have been infected by scripts uploaded to this vulnerable, writable folder. There shouldn’t be any PHP files in your /wp-content/uploads directory. Review .php files in your uploads directory.
Note: even though it’s not a good practice to put .php files in this directory, some authentic plugins or themes might do so, therefore if you delete any suspicious file here, make sure that you test your site to confirm you’re not deleting a valid file and that you didn’t break something.
FINDING THE HACK – DEEP ANALYSIS
At this point, maybe you have found something obvious and you have removed the hack with the steps of Simple Analysis. In my case, I didn’t find anything, so I moved to deeper analyses.
Your hacked WordPress site comprises a lot of code files and a database where the malware can hide.
You can look for suspicious code in your site from different angles. Any of the following methods can get you to the hack, depending on your specific malware.
ANALYZE RECENT CHANGES IN CODE FILES
Let’s say you find that your site is hacked today, but you’re pretty sure that it was OK one week ago, so the attack took place during the last week. Analyzing recent changes to your files, you can find a recent hack.
In my case, Bluehost required me to call them and verify my account to open SSH access, so I paused this analysis for later, then I found the hack by other means so I never got to do this.
Note that if you have had some malware in your website for a long time, this approach won’t give you any clue of it. This is why you should perform manual AUTHENTICITY CHECKS for your whole WordPress installation (core files, theme files, plugin files, other files, and database).
CHECK AUTHENTICITY OF WORDPRESS CORE FILES
Let’s rule out malware in your core WordPress installation.
Install and activate Sucuri Security plugin on your hacked WordPress site. Now you’ll see a “Sucuri Security” menu item on your WP Admin.
Activate Sucuri diff tool by going to WP Admin > Sucuri Security > Settings. Click the Scanner tab. In section “WordPress Integrity Diff Utility”, click Enable.
Now go to WP Admin > Sucuri Security. In section “WordPress Integrity”, the plugin will tell you if there are modifications to your WordPress core files.
- Modified files (purple flag). This is a strong indicator of malware. There shouldn’t be any modification to WordPress core files. Click on the file name to see the modifications.
- Added files (green flag). Maybe you have log files or .htaccess files which are OK. Or maybe you see other weird files.
- Missing files (red flag). This might be an error on your installation. You’re missing a core WordPress file and you should restore it.
As a general rule, you should only see added files (green flags), if any, and you should confirm that each of these files is legit. Delete any added files which you’re sure are neither authentic nor required in your website.
If you have modified files (purple flags) or missing files (red flags), download a copy of the modified files (in case you want to analyze them further), and reinstall WordPress (WP Admin > Dashboard > Updates). This will restore original WordPress files.
ANALYZE ACTIVITY IN YOUR ACCESS LOGS
By analyzing your web server’s logs, you can find suspicious activity. When it comes to a hacked WordPress site, the attack starts with malicious HTTP requests. Let’s check these logs using a log viewer tool.
Download your server’s logs from the last 30 days.
Somewhere in your hosting control panel, you have the option to see your server’s access logs.
If you’re with Bluehost, login to your user account. Browse your cpanel (https://my.bluehost.com/cgi/cpanel). Scroll to the “Statistics” section and click “Access Logs” (if you’re with another hosting provider, find out where you can access your server logs).
Scroll down to “Archived Raw Logs” section, where you’ll see a list of monthly log packages (.gz or .zip files containing your domain’s name and month in the filename). Click the most recent log package to download it.
Open logs with log viewer tool.
- Download the Apache Log Viewer tool. It’s FREE.
- Once it is downloaded, click the executable to install the tool.
- Once installed, open Apache Log Viewer.
- Go to File menu > Add Access Log. Select the extracted log file that you downloaded from your server.
- When prompted for log format to use, select Combined. Click OK.
- Now you have your server logs ready to be analyzed.
Exclude your trusted IPs to narrow down the search.
You’re looking for unknown suspicious requests to your hacked WordPress site. To ease your analysis, exclude trusted requests from your IPs. In my case, I normally browse my site from three different IPs which are fixed. You can use a service like What is my IP to quickly find out your current IP.
- In the Filter bar, IP Address field, type your trusted IPs separated by semicolons. Example: 22.214.171.124; 10.11.12.13.
- In Type of Filter (dropdown list to the left of the IP field), select Exclude.
- Click Apply filters so that requests from your trusted IPs are not displayed anymore.
Include only successful POST calls
Filter by POST requests with response status equal to 200 (success). These are requests which sent data to our server. The malware was injected into your hacked WordPress site through some of these requests.
Find suspicious requests: No referer calls
From this point on, we’re trying to discover uncommon requests. This task is more art than science. There isn’t an exact formula to identify suspicious requests, but we can use common sense to spot potential issues.
Requests with blank referer are not supposed to happen in the normal functioning of our websites. These are requests made from outside the website. Take note of these requests. In my case, I found two external calls to wp-comments.php.
POST /wp-comments-post.php HTTP/1.1 200 Portugal
POST /wp-comments-post.php HTTP/1.1 200 Poland
These seemed like failed attacks on my site’s comment system. I didn’t have any spammy comment, so I didn’t analyze these further.
Find suspicious requests: Weird calls
We don’t know exactly what we’re looking for. We should search for requests which look different from the bulk, identifying potential red flags to investigate.
Click the Request column header to sort by request. This way you’ll see groups of similar requests.
Identify most common patterns and use them as a reference of “good requests”. As a norm, a lot of “similar” requests on different dates indicate normal activity on your website. Let’s treat these requests as normal patterns so we can focus on requests that differ. For example, I had a lot of requests with these patterns:
- POST /wp-cron.php?doing_wp_cron=XYZ;
- POST /wp-admin/admin-ajax.php HTTP/1.1;
Treating these calls as normal, I would analyze any other calls, looking for those that look suspicious.
I had 4 calls to POST /wp-admin/admin-ajax.php?action=thim_update_theme_mods.
These requests were weird. As per the action’s name, it seemed like some configuration being applied to my theme. This is not me updating something via backend because my IPs are not listed here. And the frontend has no business calling this. Suspicious!
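The filtering steps above (exclude trusted IPs, keep successful POSTs, note blank referers, surface requests that differ from the bulk) can also be scripted. This is an added Python example, not part of the original post; the log lines are constructed, example.com and the IPs are placeholders, and the rare_threshold cut-off is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache Combined Log Format:
# ip ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def request_key(target):
    """Group requests by path plus the admin-ajax 'action', ignoring volatile
    query values such as doing_wp_cron=<timestamp>."""
    parts = urlsplit(target)
    action = parse_qs(parts.query).get("action", [""])[0]
    return parts.path + (f"?action={action}" if action else "")


def triage(lines, trusted_ips, rare_threshold=4):
    """Return request groups worth a manual look, rarest first."""
    groups = {}
    for e in parse(lines):
        if e["ip"] in trusted_ips:                          # exclude your own IPs
            continue
        if e["method"] != "POST" or e["status"] != "200":   # successful POSTs only
            continue
        g = groups.setdefault(request_key(e["target"]),
                              {"count": 0, "ips": set(), "no_referer": 0})
        g["count"] += 1
        g["ips"].add(e["ip"])
        if e["referer"] in ("", "-"):
            g["no_referer"] += 1

    findings = []
    for key, g in groups.items():
        reasons = []
        if g["no_referer"]:
            reasons.append("blank referer")
        if g["count"] <= rare_threshold:                    # differs from the bulk
            reasons.append("rare request")
        if reasons:
            findings.append({"request": key, "reasons": reasons, **g})
    return sorted(findings, key=lambda f: f["count"])


def _line(ip, method, target, status, referer="-"):
    """Build one constructed Combined-format line for the demo."""
    return (f'{ip} - - [12/Mar/2019:08:00:00 +0000] "{method} {target} HTTP/1.1" '
            f'{status} 512 "{referer}" "Mozilla/5.0"')


SITE = "https://example.com/"   # placeholder site
TRUSTED = {"10.11.12.13"}       # your own fixed IPs
AJAX = "/wp-admin/admin-ajax.php"
SAMPLE_LOG = (                  # constructed log lines, not real traffic
    [_line("203.0.113.10", "POST", f"/wp-cron.php?doing_wp_cron={n}", 200, SITE)
     for n in range(8)]
    + [_line("198.51.100.7", "POST", AJAX, 200, SITE)] * 6
    + [_line("192.0.2.44", "POST", AJAX + "?action=thim_update_theme_mods", 200, SITE)] * 4
    + [_line("192.0.2.91", "POST", "/wp-comments-post.php", 200)]
    + [_line("10.11.12.13", "POST", AJAX + "?action=heartbeat", 200, SITE)]
    + [_line("192.0.2.44", "GET", "/", 200), _line("192.0.2.44", "POST", "/xmlrpc.php", 403)]
)

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, TRUSTED):
        print(f["count"], f["request"], sorted(f["ips"]), f["reasons"])
```

Access logs record only the request line, so an admin-ajax action sent in the POST body will not appear in the grouping key; the action is visible here because it was passed in the query string.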
Investigate suspicious requests
Now analyze those suspicious requests to your hacked WordPress site.
In my case: POST /wp-admin/admin-ajax.php?action=thim_update_theme_mods
What does this call do? Is this the hack? Maybe…
- Download a copy of your website.
- Search your files for the suspicious action and see if something around it is wrong. In my case, I searched “thim_update_theme_mods” in all my website’s code files. For text search, I personally use Visual Studio IDE which I have already installed on my computer, but you can use any tool that searches in file contents.
- Once you have located the code, verify if it’s original or if it has something weird. The best way to do this is to compare the code file with its original counterpart. If you’re on Windows, you can use WinMerge tool to compare files easily.
- If the file is modified, analyze the change and see if that’s the hack. Restore the original file. Test the site to see if it’s good now.
- If the file is original, the code isn’t hacked, but go further in your analysis of what that action is doing, because it might be writing malicious code in your database. Remember, you’re investigating weird requests from unknown IPs, so don’t discard them too soon even if the code is OK.
- In my case, after some research on this action “thim_update_theme_mods”, I learned that it updates my theme’s customizations. These customizations are written in the database into the ‘wp_options’ table, where each installed theme has its own record with key ‘theme_mods_[mytheme]’.
- My theme’s customizations are also editable via backend under Appearance > Customize menu, so I could inspect each customization value.
This was the hack in my case. I still went through other analysis looking for anything else, but the redirection on my website was caused by this injected theme customization.
CHECK AUTHENTICITY OF YOUR THEME FILES
Even though there are plugins like “Theme Authenticity Checker”, they don’t really check the authenticity of your files. What they do is search for common malware code and report it to you, so you can look at it. The problem with these scanners is that you get a lot of false positives because there is always legit code that looks like malware.
Therefore, rather than using scanner plugins, it is far more effective to manually compare your theme files against the original theme files. The same way Sucuri compares your WordPress core files against the original version from WordPress.org, you can manually compare your theme installation against the original package.
Validate theme files on your hacked WordPress site:
- Download your website’s theme folder via FTP.
- Download an original copy of your theme. If it’s a free theme, go ahead and download it from WordPress.org. If it’s a premium theme, proceed to your buyer account and download the same version of the theme that you have installed.
- Install WinMerge or another file comparison tool.
- Compare both folders: your current website’s theme folder with the original theme folder.
- See if there are differences. If you haven’t done any customizations to your theme’s code, and if you’re comparing the same versions, there shouldn’t be any differences.
- If some difference is found, go ahead and analyze what it is and why it is there.
Note: if you find the hack by some of the other analyses and you want to skip this one, you can just reinstall your theme to make sure it’s clean.
CHECK AUTHENTICITY OF YOUR PLUGINS FILES
You should manually check your plugin files for malware by comparing your installed plugins with their original version.
This might be a cumbersome task, since you need each plugin’s original copy – the exact version that you’re using. If you have a clean backup, use the plugins folder there.
To compare your plugins’ files with the original version, follow the same procedure to compare files as when comparing theme files.
Note: if you find the malware by some of the other analyses and you want to skip this one, you can just reinstall your plugins to make sure they are clean.
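The folder comparison described for theme files and reused here for plugin files can be done by hashing both trees and sorting the results into the same modified / added / missing groups that the core integrity check reports. This is an added Python example, not code from the original post; the function names and the demo files are hypothetical and constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions treated as text: CRLF is folded to LF before hashing so that an
# FTP transfer in ASCII mode does not make every file look modified.
TEXT_SUFFIXES = {".php", ".js", ".css", ".html", ".txt", ".json", ".xml"}


def file_digest(path, normalize_eol=True):
    """SHA-256 of a file, optionally ignoring CRLF/LF differences in text files."""
    data = Path(path).read_bytes()
    if normalize_eol and Path(path).suffix.lower() in TEXT_SUFFIXES:
        data = data.replace(b"\r\n", b"\n")
    return hashlib.sha256(data).hexdigest()


def snapshot(root, normalize_eol=True):
    """Map each file's path (relative to root) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p, normalize_eol)
            for p in root.rglob("*") if p.is_file()}


def compare_trees(installed, original, normalize_eol=True):
    """Classify files as modified, added (only on the site) or
    missing (only in the original package)."""
    inst = snapshot(installed, normalize_eol)
    orig = snapshot(original, normalize_eol)
    return {
        "modified": sorted(f for f in inst.keys() & orig.keys() if inst[f] != orig[f]),
        "added": sorted(inst.keys() - orig.keys()),
        "missing": sorted(orig.keys() - inst.keys()),
    }


def build_demo(base):
    """Create two small constructed theme folders under base and return their paths."""
    files = {
        "header.php": b"<?php // header\n?>\n",
        "footer.php": b"<?php // footer\n?>\n",
        "functions.php": b"<?php // theme setup\n",
        "style.css": b"body { margin: 0; }\n",
    }
    original, installed = Path(base, "original"), Path(base, "installed")
    for root in (original, installed):
        (root / "inc").mkdir(parents=True)
        for name, data in files.items():
            (root / name).write_bytes(data)
    # Same content with CRLF line endings: a transfer artifact, not a change.
    (installed / "header.php").write_bytes(files["header.php"].replace(b"\n", b"\r\n"))
    # Appended line: a real modification that needs review.
    (installed / "footer.php").write_bytes(
        files["footer.php"] + b"<?php /* unexpected extra line */ ?>\n")
    # One file that exists only on the site, and one that is missing from it.
    (installed / "inc" / "cache.php").write_bytes(b"<?php // not in the package\n")
    (installed / "functions.php").unlink()
    return installed, original


def run_demo(normalize_eol=True):
    """Compare the two constructed folders and return the classification."""
    with tempfile.TemporaryDirectory() as tmp:
        installed, original = build_demo(tmp)
        return compare_trees(installed, original, normalize_eol)


if __name__ == "__main__":
    print(run_demo())
```

Point compare_trees at the downloaded site folder and the unpacked original package of the same version; every entry it lists still needs the manual review described above.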
CHECK AUTHENTICITY OF OTHER FILES
We checked the authenticity of WordPress core files using Sucuri plugin. We manually checked the authenticity of our theme and plugins comparing them with original packages. But your hacked WordPress site has more files for which we don’t have original counterparts to compare with.
To complete your analysis you should manually review those “loose files”. You can use Sucuri scanning feature for a first quick review, plus further manual inspection by you.
Scan with Sucuri
Go to your WP Admin > Sucuri Security menu. Check if the plugin reports some issue with some file(s). If everything looks good, this is still no guarantee that we have no problems. Scanner plugins might overlook a lot of things, especially if you’re using the FREE version.
Check your files manually
Inspect PHP files in your /wp-content/uploads/ folder. If you have a previous healthy backup, compare your current uploads folder with the one backed up, looking for weird differences. If you don’t have a backup, you can search for .php files in that folder and inspect them manually.
I like to download the folders from the server and open them with some IDE like Visual Studio or JetBrains PhpStorm, where I can easily search for any filename pattern. In this case, search for *.php files.
In theory, there shouldn’t be any PHP file in your uploads folder. However, some legit plugins might put some there. Hence, carefully inspect any code file you find and mark it as legit or malware. There’s no bullet-proof signal of malware or authenticity; you simply go through the code looking for obfuscated code and determine if it’s good or not.
After you finish cleaning the uploads folder, repeat the process for any subfolder in /wp-content distinct from plugins, theme and uploads.
CHECK AUTHENTICITY OF THE DATABASE
Most scanner plugins and manual analyses focus on files, but malware can be hidden in the database as well. Some plugins like Exploit Scanner can search for malicious code in posts and comments, but the database is much more than that. My hacked WordPress site had the malware in the database, injected in my theme’s options (wp_options table), where scanner plugins don’t look.
If I had manually checked my database for malware in the first place, I would have found the hack sooner.
Let’s scan the database the same way plugins scan files, that is, searching for common signs of malware:
- Log in to your hosting cPanel.
- Open phpMyAdmin to see your databases. Look for phpMyAdmin tool and click it.
- Once inside the phpMyAdmin page, expand the databases tree on the left and click the database that your site uses. Make sure you open the correct database by checking the database name in your wp-config.php file (define('DB_NAME', '[db_name]');).
- Download your database: click the Export tab. Then click the Go button to download a copy of your database to your local machine.
- Open the downloaded database script (.sql file) with some tool that can search text in the file. Again, Visual Studio IDE, JetBrains PhpStorm or any other tool of your preference.
- If you find some matches, investigate those entries (what table it is, which component writes there), and use your judgment to see if it’s malware or not. Typically, there shouldn’t be any of these statements in your database, so any match is a strong indicator of malicious code.
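One way to run this search over the exported .sql file and see which table, and for options rows which option name, each match belongs to. This is an added Python example, not from the original post; the indicator patterns are an assumed starting set, and the sample dump, the option name theme_mods_mytheme and the URLs in it are constructed for illustration.

```python
import re

# Assumed starting set of indicators for this example; extend it to suit your site.
INDICATORS = {
    "script tag": re.compile(r"<script\b", re.I),
    "eval call": re.compile(r"\beval\s*\(", re.I),
    "base64_decode": re.compile(r"base64_decode\s*\(", re.I),
    "fromCharCode": re.compile(r"String\.fromCharCode", re.I),
}
# phpMyAdmin exports write "INSERT INTO `table` (...) VALUES" and then one row per line.
INSERT_RE = re.compile(r"^INSERT INTO `(?P<table>[^`]+)`")
# First two columns of an options row: (option_id, 'option_name', ...
OPTION_ROW_RE = re.compile(r"^\(\d+, '(?P<name>(?:[^'\\]|\\.)*)'")


def scan_dump(sql_text):
    """Return one finding per dump line that matches an indicator,
    tagged with the table of the most recent INSERT statement."""
    findings, table = [], None
    for lineno, line in enumerate(sql_text.splitlines(), 1):
        m = INSERT_RE.match(line)
        if m:
            table = m.group("table")
        matched = [name for name, rx in INDICATORS.items() if rx.search(line)]
        if not matched:
            continue
        row = None
        if table and table.endswith("options"):   # wp_options, whatever the prefix
            row = OPTION_ROW_RE.match(line)
        findings.append({
            "line": lineno,
            "table": table,
            "option": row.group("name") if row else None,
            "indicators": matched,
            "excerpt": line[:120],
        })
    return findings


# Constructed dump fragment: one injected theme setting and one legitimate embed.
SAMPLE_DUMP = r"""INSERT INTO `wp_options` (`option_id`, `option_name`, `option_value`, `autoload`) VALUES
(1, 'siteurl', 'https://example.com', 'yes'),
(2, 'blogname', 'My Blog', 'yes'),
(151, 'theme_mods_mytheme', 'a:1:{s:16:\"google_analytics\";s:54:\"<script src=\"https://malicious.invalid/r.js\"></script>\";}', 'yes');
INSERT INTO `wp_posts` (`ID`, `post_title`, `post_content`) VALUES
(10, 'Hello', 'Plain paragraph text.'),
(11, 'Video', '<p>Embed</p><script src=\"https://player.example.com/embed.js\"></script>');
"""

if __name__ == "__main__":
    for hit in scan_dump(SAMPLE_DUMP):
        print(hit["line"], hit["table"], hit["option"], hit["indicators"])
```

The second hit in the sample is a script a post author could have embedded on purpose, which is why each match needs the judgment call described in the last step.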
THE HACK! BUSTED!
The hack was this value in one of my theme’s customization settings:
That code was being loaded by my theme and it was written to my page’s Head element. At runtime, the code translated into the following line of code, the one that I was seeing in my page’s code.
And that line of code loads an external script which is ultimately responsible for the redirection.
REMOVE THE HACK
To FIX your hacked WordPress site, you need to remove the malicious code and to patch the security breach that allowed it to get there.
- Remove the malicious code from your files or database. In my case, I could edit the infested theme’s customization setting via backend under WP Admin > Appearance > General > Utilities. The malware was set in the Google Analytics setting. So I deleted that value and saved the changes.
- Patch the security breach. The malware got there because of a vulnerability in my current theme version, which had this sensitive customization action unprotected, so anyone who knew the proper action and parameters could update that value in my database. After updating the theme, this vulnerability is gone.
TEST YOUR SITE. CONFIRM IT’S OK NOW.
Now let’s test our website in different environments to confirm that it’s working OK for everybody: desktop users, mobile users, Google Bot. The reason to do this is that some malware only targets certain types of visitors, so maybe we don’t see any problem on desktop but the malware is there for mobile users or for Google Bot.
Clear your server cache
If you’re logged in to your WordPress site, you’ll see the Admin Bar at the top of your pages. From there, clear your WordPress cache under Admin Bar > Caching > Purge All. Also, clear any other cache you have in place, for example the W3 Total Cache plugin cache, under Admin Bar > Performance > Purge All Caches.
On Chrome browser, type “chrome://settings/siteData” into the address bar and hit Enter. This takes you to the cookies page. Type your domain in the “search cookies” box to see your site’s cookies. Then click the bin icon beside your domain name to delete all your site’s local data. This action will log you out from WordPress. It’s important to do this because the malware might have written stuff in your cookies.
Test the site as anonymous desktop user
Reload your website. Confirm that the malicious code is gone from your page’s code. Confirm that it doesn’t redirect anymore.
Test as a mobile user
On Chrome, open an incognito tab (Ctrl + Shift + N). Press F12 to open the Developer Tools. Click the Network tab. Click the three-dot icon in the upper right corner, and select More Tools > Network Conditions. This will open a Network Conditions tab on the bottom. In the User Agent section, uncheck “Select automatically”, then expand the list of user agents and select some Android or Safari user agent. Load your site. Confirm that it doesn’t redirect.
Test as Google Bot
Follow the same steps as in the previous step, but this time select Google Bot as the user agent. Load your site. Confirm that it doesn’t redirect. This testing is important because some malware might target Google Bot’s visits only.
BACKUP YOUR WEBSITE
At this point, back up your site so you have a clean copy of your website.
Nice! We’ve detected the malware, we removed it from our site and we confirmed that the site is OK now. Now let’s take some post-hack actions to finalize the cleaning process.
Sucuri plugin has a nice set of recommended actions after fixing our website.
Go to WP Admin > Sucuri Security > Settings.
Go to the Post-Hack tab.
Update Secret Keys
Click Generate New Security Keys. This will generate new keys and write them in the wp-config.php file. This will terminate any open user session. After updating the secret keys, log in to your site again.
Return to WP Admin > Sucuri Security > Settings > Post-Hack tab.
Reset User Passwords
This option can generate a new password for every user on your site and notify them via email. If the hacker is in possession of some account, this is a good idea. Even if you changed all your passwords when starting the fixing process, do it again at this point.
In my case, there isn’t any user other than me, so this was a no-brainer. If your website has a lot of users, you should consider that changing their passwords will force them to set a new one. Select those users whose password you want to reset, and click the Submit button. If you selected your own user, you must log in again after this.
Reinstall all your FREE plugins
Sucuri can reinstall all your FREE plugins. This is the best way to make sure that your plugins are clean. As Sucuri warns in the “Reset Installed Plugins” section, this procedure can break some plugins depending on how they’ve been written, which is why you must have a backup ready to restore before doing any post-hack actions.
Before reinstalling, make a list of your Premium and Semi-Premium plugins (semi-premium are those plugins with a free core plus paid addons). Select only those plugins which are completely FREE. Click Submit. Wait until all plugins are reinstalled. You’ll know it’s finished when you see no more “Loading” labels in the version column.
Reinstall PREMIUM and SEMI-PREMIUM plugins
Go over your paid plugins (those completely paid and those with paid addons) and update them following the instructions of each plugin provider. In my case, I had UpdraftPlus as a semi-premium (paid addons) and several premium plugins that came with my premium theme. I reinstalled all of them, one by one.
Reinstall your theme
This is the best way to make sure your theme is clean. If your theme has some update available, update it. If not, reinstall it by deleting it and installing it again.
PUT YOUR WEBSITE ONLINE
If you used the Coming soon feature on Bluehost hosting, go there and disable it so your site opens normally again. If you used some coming soon plugin, disable the suspension using that plugin’s settings.
PREVENTING HACKS. HARDENING YOUR WEBSITE SECURITY.
In this post, we went over the process of FINDING and FIXING a hack in a WordPress site. We were REACTING to an attack, mainly because the site was not set up to PREVENT attacks. In Post 2 of this WordPress security series, let’s put in place some protection to secure our website, so our online business doesn’t stop because of this kind of thing.
I spent many hours fixing the site, with the blog offline to avoid black-listings. However, I’m glad that the attack happened on that particular website because it doesn’t have much traffic or sales yet. This was an opportunity to learn early on about this security business and prepare my site to PREVENT future attacks. The security aspect is something highly overlooked in online business courses and you must put the pieces together by yourself when it comes to WordPress security.