What To Do If Your WordPress Site Gets Hacked

With all the news of the Heartbleed bug and a soon-to-be client sending a frantic email about being hacked last week, I thought it might be a great idea to run down a little pre-hack checklist of things you can do before something bad happens, as well as what to do if you fall victim to the dark side of the internet.

This list only applies to self-hosted WordPress blogs, but it’s also good to know if you ever plan to go self-hosted in the future!


I get that being proactive isn’t everyone’s strong suit but this stuff will take you maybe 30 minutes, maybe only 25, so schedule a time today or tomorrow or this weekend to make sure that you run down this list. You won’t be sorry you carved out a few minutes to do this!

1. Check (and enhance) your password. To log in to your blog, do you use an easy-to-guess password? That’s the first place to start beefing things up. Go for at least 8 characters and a mixture of upper and lowercase letters, special characters ($%&, etc.) and numbers.

2. Update your plugins and WordPress core. When that little numbered circle pops up on your blog, it can often make you feel a little bit anxious. It’s not uncommon to wonder: “What if I click that button and the update breaks my blog?”

The thing is, those updates are, more often than not, security updates to plugins and WordPress that are fixing issues they’ve identified that can cause you to be vulnerable to a hack. Ignoring updates means you are leaving doors open to hackers that you can easily close.

If you feel scared every time you press the update button and as a result don’t update your blog properly, investigate automating this through services like Maintainn.com and WPCurve.

3. Have a backup strategy (the more automated the better). There are a number of plugins that will help you back up your blog, but there are 2 approaches that I have found work best for low-tech folks.

The first is the BackupBuddy plugin. This plugin is great if you spend the time to set it up properly for automated backups and offsite storage. The plugin can store your site’s backups in your Dropbox account, among others (their website has tutorials and video walk-throughs). BackupBuddy is $80 for a 2-site license renewed annually.

The next option is VaultPress. By the makers of WordPress, VaultPress is a service that backs up your blog either in real time or daily (depending on your plan) and all that is required of you is to sign up and install a plugin. The VaultPress service is $5/month or $55/year.
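If you would rather automate the backup yourself than rely on a plugin, here is an added example (not from this post, BackupBuddy or VaultPress) of a script that dumps the database using the credentials in wp-config.php, archives wp-content, and checksums the result. It assumes mysqldump, tar and sha256sum are installed; the wp_root and dest paths are whatever you pass in.

```bash
#!/usr/bin/env bash
# Added example: nightly WordPress backup (database dump + wp-content archive).
set -eu

# Read one define('KEY', 'value') entry from wp-config.php. Handles single or
# double quotes; values containing a quote character are not supported.
wp_config_value() {
    local config="$1" key="$2"
    sed -n -E "s/^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]${key}['\"][[:space:]]*,[[:space:]]*['\"]([^'\"]*)['\"].*/\1/p" "$config" | head -n 1
}

# Timestamped, site-specific name so successive backups never overwrite each other.
backup_name() {
    local site="$1" stamp="${2:-$(date -u +%Y%m%dT%H%M%SZ)}"
    printf '%s-%s' "$site" "$stamp"
}

# Dump the database (credentials read from wp-config.php) and archive
# wp-content plus wp-config.php into the destination directory.
wp_backup() {
    local wp_root="$1" dest="$2" cfg name
    cfg="$wp_root/wp-config.php"
    name=$(backup_name "$(basename "$wp_root")")
    mkdir -p "$dest"
    # Pass the password through MYSQL_PWD so it never shows up in `ps` output.
    MYSQL_PWD="$(wp_config_value "$cfg" DB_PASSWORD)" mysqldump \
        --single-transaction \
        -h "$(wp_config_value "$cfg" DB_HOST)" \
        -u "$(wp_config_value "$cfg" DB_USER)" \
        "$(wp_config_value "$cfg" DB_NAME)" > "$dest/$name.sql"
    gzip "$dest/$name.sql"
    tar -czf "$dest/$name-files.tar.gz" -C "$wp_root" wp-content wp-config.php
    # The archive contains wp-config.php (database credentials): owner-only access.
    chmod 600 "$dest/$name".*
    sha256sum "$dest/$name".* > "$dest/$name.sha256"
    echo "$dest/$name"
}
```

Run it from cron as, for example, `wp_backup /var/www/html /backups/blog`, then copy the resulting files offsite; the .sha256 file lets you confirm the copy is intact before you ever need to restore from it.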

4. Clean out unnecessary plugins. One of the most fun parts of a self-hosted blog is that you can install plugins and get all the cool bells and whistles. BUT too many plugins open too many doors into your blog and can cause a host of security issues. Review your plugin list and get rid of what isn’t necessary. Delete them, don’t just deactivate.

A bonus to removing unnecessary plugins is a faster running site too!

5. Add some security. My favorite security plugin is Wordfence. With a free and a premium version (free is fine for most blogs), Wordfence has a lot of features, ranging from alerting you when a plugin needs updating to locking out an attacker who is trying to brute-force their way into your site.

6. Know your logins, passwords and FTP credentials. If you do get hacked the folks cleaning it up need certain information to gain access to the infected files.

Having your blog information handy will cut down on your downtime immensely. Not to mention that when you’ve been hacked or defaced you’re so stressed out that you’re not always in the best frame of mind to calmly make phone calls or hunt this info down.

The information you need to know is your blog logins (username and password), your hosting company (username and password) as well as FTP credentials (hostname, username and password). If you need further explanation about how to find your FTP info, check out this post that has a handy blogging emergency printable and a full definition of what it means.

What To Do If You Get Hacked

Once you realize your blog has been hacked, I recommend contacting the experts.

With your information in hand from #6 above, contact Sucuri.net. (You can do a free scan on their homepage to check for any malicious code on your blog if you’re curious.)

Sucuri specializes in cleaning up malware and hacks and is usually pretty darn fast to boot. Their service will run you $90, but you get a full year of support for that price.

By following this simple guide you now have enhanced security on your site to prevent issues in the first place, a full blog backup to restore your site if something happens, plus a plan of action should your site ever get hacked. You’re all set except for the actual doing part of the list, and that is up to you!