Attacks on websites happen all the time. It is easy for criminals to look for vulnerabilities in your website’s code and to try to gain access to a control panel. A quick look at the stats for your website will almost certainly show a large number of hits on files such as wp-login.php and xmlrpc.php from lots of different IP addresses – even if your website doesn’t run WordPress. Most of these requests are malicious.
It is usually obvious when your website has been compromised. Often, hacked websites redirect users to a dodgy website or show malicious content. Sometimes, though, compromised websites are more difficult to spot. For instance, if an attacker manages to install a crypto-miner you might only notice that your website is very slow.
Please always contact us if you notice anything suspicious on your website. Even if you think that it is probably nothing, do contact us. We got the knowledge, tools, skills and expertise to quickly check your website. If it turns out that there are no issues then everybody is happy, and if something is wrong then we can try to fix the issue.
Most hacks happen because of one of two reason: out of date software or weak passwords.
To start with the former, any complicated code contains bugs, and bugs can potentially be exploited. And, there is no shortage of criminals trying to exploit bugs. As said, attacks on websites happen all the time. It is therefore important to keep software up to date and to not run software that is no longer maintained.
WordPress is a good example. The content management system is widely used, and the code base is large and complex. That makes it an attractive target for attackers. To keep a WordPress website secure it is vital that you apply updates. Old versions of WordPress have known vulnerabilities that can easily be exploited. Similarly, make sure that any plugins and themes you use are still actively developed and up to date.
As an aside, it is of course not just WordPress that is vulnerable. The same is true for any website that uses a server-side scripting language and/or a database.
A second common reason for hacks are weak passwords. Or, to be more precise, weak login credentials. Don’t use admin as the username for an administrator account, and make sure you use a long, random and complex password. Also, use two factor authentication. It is slightly inconvenient, but it will make your website much more secure.
In most cases a hacked website has modified and/or new files. For instance, in the case of WordPress hacks the index.php and wp-settings.php files are often executable (which they should not be) and they often include a decoded
@include statement. There are typically also files that are not part of the WordPress install, while other files are hidden scripts. It can be difficult to find all the infected files, in particular if the hack is relatively unknown.
In most cases we can find out when a website was hacked and restore the site from one of our backups (we take nightly backups which are retained for seven days). In other cases it may be necessary to manually reinstall the core WordPress files. The latter is not ideal, as the attack might well have spread to for instance the uploads directory. That directory can’t be deleted and reinstalled, as it contains images and other files you have uploaded.
Of course, the WordPress core files, plugins and themes also need to be updated. And, if the hack was caused by a plugin or theme that is no longer maintained then the plugin or theme needs to be disabled. In addition, it is good practice to reset all the logins, including the database password.
Speaking of the database, it is also worth checking if there are any unusual WordPress users – and in particular users with administrator privileges. You can do this via the WordPress dashboard (under Users).
Backups are a real life-saver. As mentioned, we got daily backups for the last seven days. In most cases, we can use our backups to restore your site. However, if your website was hacked more than seven days ago then there isn’t much we can do. This is one of the reasons why we recommend making regular backups via cPanel.
Alternatively, you can also make automatic backups via Softaculous or a WordPress plugin. The downside of that approach is that backups are typically stored on your hosting account. The backups can use a lot of disk space, in particular if your website includes lots of images and/or videos, so you may run into disk space issues.
If your website runs WordPress then you can also use security plugins such as Securi or Wordfence. Other than that the above-mentioned advice applies: keep your code up to date and use strong login credentials, including two factor authentication.