My WordPress has been hacked – what do I do now?

WordPress is the most widely used tool in the world for building websites, with thousands of themes (templates) and plugins (add-ons) that extend its functionality and appearance. That popularity also makes WordPress a frequent target for attackers, who scan the web for poorly protected sites to take over. If your site has been hacked, take a breath – this is a common situation, and there is a clear path back to a clean, secure site. This guide explains the immediate steps to take and the most common ways attackers get in.

First steps if your site has been compromised

If you suspect or have confirmed an intrusion, the priority is to stop the malicious code from running and causing further harm – to your site, your visitors, and your sender reputation if the attacker is using your site to send spam.

  1. Take the site offline temporarily. Putting up a maintenance page, or restricting access via .htaccess, prevents the malicious code from running while you clean up.
  2. Change all relevant passwords. This includes your WordPress administrator account, FTP accounts, the MySQL database password, and your Loopia Customer Zone (kundzon) login.
  3. Contact Loopia support at support@loopia.com if you need assistance. Our team can help you assess the situation and provide guidance.
  4. Clean the site. The most reliable approach is to reinstall the WordPress core files, replace plugins and themes with fresh copies from official sources, and inspect the wp-content/uploads folder for files that do not belong (such as unexpected .php files).

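Steps 1 and 4 above, as an added shell example (not Loopia's own tooling): one function writes a temporary lockdown .htaccess, one lists files in wp-content/uploads that should never be there, and one compares the live install against a fresh WordPress download of the same version so that modified or dropped-in core files stand out. It assumes an Apache host that honours .htaccess with the 2.4 "Require" syntax, shell access with find and diff, and that you have unpacked a clean copy of WordPress somewhere on the account; the IP address and directory names are placeholders.

```shell
#!/bin/sh
# Added example (not Loopia's code). Assumes: Apache 2.4 .htaccess support,
# a shell with find/diff, and a fresh WordPress unpacked for comparison.

# Step 1: restrict the whole site to one IP while you clean up.
# $1 = document root of the site, $2 = the only address allowed in
# (the default is a constructed placeholder from the documentation range).
write_lockdown_htaccess() {
    docroot="$1"
    admin_ip="${2:-203.0.113.10}"   # placeholder, replace with your own IP
    # keep the original so it can be restored once the site is clean
    [ -f "$docroot/.htaccess" ] && cp "$docroot/.htaccess" "$docroot/.htaccess.bak"
    cat > "$docroot/.htaccess" <<EOF
# Temporary lockdown while the site is being cleaned
Require ip $admin_ip
ErrorDocument 403 "Site under maintenance"
EOF
}

# Step 4a: the uploads folder should hold only media. Any PHP file there
# (including double-extension names such as photo.jpg.php) or a stray
# .htaccess that could re-enable script execution is worth a close look.
# $1 = path to wp-content/uploads. Prints one suspicious path per line.
find_executable_uploads() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \
        -o -iname '*.phar' -o -iname '.htaccess' \) 2>/dev/null | sort
}

# Step 4b: compare the live install with a clean copy of the same version.
# Site-specific parts (wp-content, wp-config.php, .htaccess) are skipped.
# Every "differ" line is a core file that was changed; every "Only in <live>"
# line is a file the attacker may have added. Both are candidates for
# replacement with the fresh copy. $1 = live install, $2 = fresh copy.
diff_core_files() {
    diff -rq -x wp-content -x wp-config.php -x .htaccess "$2" "$1" || true
}

# Typical use on the host (paths are placeholders):
#   write_lockdown_htaccess /home/example/public_html 203.0.113.10
#   find_executable_uploads /home/example/public_html/wp-content/uploads
#   diff_core_files /home/example/public_html /home/example/wordpress-clean
```

Run the uploads scan and the core comparison before deleting anything, and keep the output: it tells you which files to replace and gives support a concrete list to work from. Restore .htaccess from the .bak copy only after the cleanup is finished.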
How attackers usually get in

The security company Wordfence conducted a survey in 2016 of around a thousand site owners whose WordPress sites had been compromised. The findings line up closely with what we see on Loopia: almost every intrusion comes down to one of a small number of causes, and each one can be prevented with relatively simple steps. See how to keep your WordPress site secure for a full checklist.

Security holes in plugins

Vulnerabilities in plugins are the most common cause of compromise, accounting for more than half of all intrusions in the Wordfence survey. You can reduce this risk dramatically with two habits:

  • Always keep your plugins updated to the latest version.
  • Do not use plugins that are no longer maintained. Check the WordPress plugin directory to see when a plugin was last updated – if it has not seen a release in a year or more, look for an actively maintained alternative.

Brute-force attacks

Brute-force attacks – where an attacker repeatedly guesses passwords until one works – accounted for over 15% of intrusions. You can protect yourself by:

  • Using a long, unique password for your WordPress administrator account.
  • Installing a security plugin (such as Wordfence or Limit Login Attempts Reloaded) that locks out attackers after a few failed attempts.
  • Enabling two-factor authentication where possible.

Security holes in WordPress core and themes

Just as with plugins, it is essential to keep WordPress itself and any installed themes up to date. Together, outdated core and theme files account for a significant share of compromises. WordPress applies minor security updates automatically, but major updates and theme updates usually need to be applied manually from the dashboard.

Preventing the next intrusion

Once your site is clean, lock it down so the same thing does not happen again. Update everything, remove plugins and themes you do not use, set strong unique passwords, and consider installing a security plugin. See how to keep your WordPress site secure for the full set of recommendations.
