Earlier this year, a WordPress security breach affecting tens of thousands of websites around the world was uncovered. WordPress developers reacted quickly, creating a patch and distributing it to WordPress hosting companies and developers. Their quick action prevented widespread damage, but things could have been worse.
The hack was based on a backdoor vulnerability discovered by hackers. The problem was not necessarily with WordPress itself; it was the result of poorly designed plugins that have not been updated to include the latest security fixes.
Our WordPress blog posts usually deal with tips and tricks that you can use to make your site better. Today’s post is a bit different. We first want to give you some concrete ways you can tell that your WordPress site might have been hacked. This is something every WordPress user should know given the fact that the CMS is the most used on the internet.
In the second part of the article, we’ll give you some suggestions you can implement to protect your site and avoid being hacked.
Has my Site Been Hacked?
The first thing to keep in mind that continuing to operate a hacked website could compromise the privacy and security of your visitors. That could lead to litigation. If there’s any chance your site has been compromised, the best thing to do is shut it down until you get things figured out.
Here are five ways to tell your WordPress site may have been hacked:
1. Your Host Has Disabled Your Site
One of the first things web hosting providers do if they suspect hacking is disable the site in question. You may try to visit your site only to get a ‘page not found’ error. In such a case, log on to your hosting account, open the file manager in cPanel (or whatever control panel your web host company utilizes) and check to see that all your pages are still there. If your web host has disabled your site, you should notice that your index page has been renamed.
2. Your Website Has Been Blacklisted
Search engines like Google, Yahoo! And Bing don’t want to risk the security of their users, so they blacklist any sites they suspect of being hacked. You’ll know your site has been blacklisted if you search for it on your favourite search engine, click on the link, and then get some sort of message warning you the page is not safe.
3. Your Site Started Doing Strange Things
Another sign that your site has been hacked is that it starts doing strange things. An extreme example would be a pop-up ad every time you click on one of your recent blog posts. Unless you created an ad campaign utilizing pop-ups, this is a sure sign you’ve been hacked. Other strange behaviours include things such as sending out unsolicited e-mails and generating strange comments that cannot be tracked to a particular user.
4. Your E-Mail Has Been Flagged
If you send e-mail through your hosting company’s servers rather than your own ISP provider, you’ll want to watch for e-mails being frequently bounced back. Frequent bounce-backs could be a sign that other servers have flagged your e-mail as spam. This could be an indication that hackers have taken control and are using your site to send out hundreds of thousands of e-mails.
5. You Notice Unauthorized Users
Lastly, you may suddenly realize that your site has unauthorized users engaging in unauthorized behaviour. This is a guarantee your site has been hacked. If you notice any users you know were not authorized by you or your representatives, shut your site down and get it fixed.
How to Prevent Backdoor Hacks of Your Site
While web hosting companies and developers do their best to keep WordPress and its plugins secure, things do slip by. Therefore, it’s in your best interests to do everything you can to prevent backdoor hacks of your site. Here are some suggestions for protecting your site:
1. Use Only Updated Plugins
Plugin developers who truly care about security keep up with security issues and offer regular updates coinciding with official WordPress releases. Their plugins are the only ones you should use on your site. Never install a plugin that hasn’t been maintained for the last six months or longer. Such plugins are too much of a risk.
2. Use Approved Plugins (Managed WordPress)
If your WordPress site is hosted by a company providing managed WordPress hosting, it’s quite likely that they have a list of approved plugins that have been tested for reliability and security. If possible, use those approved plugins over those your web hosting company has not approved. This will not eliminate the risk of backdoor security breaches entirely, but it will reduce them substantially.
3. Invest in Encryption
One of the easiest and most cost-effective ways to substantially boost the security of your site is to invest in secure socket layer (SSL) security. Most web hosting companies will add encryption and create a certificate for your site for either a one-time fee for a low annual fee. Secure and encrypted sites can be easily identified by looking for the ‘https’ prefix in the web address.
4. Pay Attention to WordPress Security Alerts
WordPress developers issue security alerts after receiving notification of a breach. Sometimes those alerts go only to web hosting companies and developers, other times they are released to the public. Keep an eye out for such alerts by paying attention to technology news. Generic services like Google News and most of the major news networks are useful resources for information. If an alert is issued, contact your web hosting company’s support department to find out what you can do to protect your site.
There is no such thing as a 100% secure content management system. So rather than banging your head against the wall looking for one, familiarize yourself with what it takes to keep your WordPress site secure. Then take the steps necessary to do just that. You’ll be glad you did.