Last year I wrote a post about how to keep your website safe. It’s a good place to start, but what do you do when your website is hacked or under attack? Over the past year, I have seen a huge increase in attempted malicious logins to the sites I host. One site was under attack and registered over a million failed logins in the few hours before I was able to block access. Since then, I have made a few changes to my hosting. Let’s go back over my suggestions from the post last year.
- Choose strong passwords
- Choose a reputable host
- Keep backups of your site
- Keep everything updated
- Delete unused plugins and themes
- Use a good security plugin
- Don’t panic
- Pay someone knowledgeable to do it for you
Now for the changes I’ve made. I use WordPress for most of the sites I host, so the suggestions center around securing WordPress. I’ve worked with my host to increase the security. If you have a good host, they will help configure the server to resist most attacks. I’ve also switched all my sites to the iThemes Security plugin. It has great advanced features that help me lock out unwanted logins to the site. And finally, for the sites that are under attack, I’ve started using Cloudflare, which serves as a free Firewall preventing malicious logins. Even with all these precautions, there is still a chance your site will get hacked. So what do you do? Remember from above, don’t panic. Here are your options.
Option 1: Fix it Yourself
I’ve been able to fix a few hacked websites over the years. The first step for me is contacting the web host to get their help. My host has been helpful in working with me to find the point of entry for the hack. Once you know that, you can choose how to proceed. For the sites I worked on, it was because of outdated themes, plugins, and WordPress versions. Remember even an inactive plugin or theme can be the point of entry for an attack.
If you have a good backup, and you know exactly when the site is compromised. I recommend doing a full delete and restore. By deleting all files and databases, you ensure that you remove the infected files. This is scary, because you have to know your backup can be trusted. If you are unsure how to do this, then you can get the help of a web designer or web developer. For most people though, I would simply recommend hiring an expert to handle this for you.
Option 2: Pay to Get if Fixed
WordFence is a company that makes another good security plugin for WordPress. They have just introduced a flat-rate website cleaning service. For $179, they will clean your site and give you access to their premium security plugin for one year. I think this is a great deal and I will be using and recommending this to people when their sites are hacked.
Another long-term security company is Sucuri. They have a cleaning service for $299 that will again protect your site for the next 12 months. This is another good solution.
Once you go through this, you will quickly realize that prevention is much cheaper than fixing a site after it has been infected or hacked. Keep good backups, take precautions, and don’t panic when the inevitable happens.