I was recently asked to assist a new client in restoring their hacked website. The client is a small alternative medicine practice with a self-hosted WordPress installation that seemed to suddenly have developed a mind of its own. Banner ads appeared without warning, content was replaced by political rants, and sometimes the site wouldn’t even load. It was a nightmare for the client.
A quick review of the files showed two problems. First, the WordPress install had not been updated in two years. In WordPress time two years is forever, and it definitely left the site open to known vulnerabilities. Although only five plugins were used, none of them had been updated in two years either. However, the out-of-date software wasn't how the attacker got in; the theme was.
About a month prior to noticing the hacked site, the client had asked an employee who claimed to be WordPress savvy to update the site. She had found a free theme somewhere (she couldn’t remember where), installed it, made a few content changes to the site and then didn’t check back until a patient advised that the site was hacked around a month later.
There are a number of problems at work here; problems that I see quite a bit with small businesses and, frankly, I’m guilty of some of them as well.
Check your WordPress site at least weekly.
Once a week load up your site just like a customer would. Look at a couple of pages and verify everything looks fine. You don't need to look at every page, but if you have a store on your site check that the store is working properly, for example that pages load and you can add things to the cart. Next, log in as an admin and check for updates. Updates appear in the top toolbar:
You can see here that I have two updates on my site. Now, I have a backup that runs weekly and had just run, so I didn’t run another before updating. Assuming you have backups (see below), just click on the link and it will take you to a page where you can run your updates.
Back up your site at least monthly, preferably more often.
With a backup, if something happens your site can be back up and running in an hour. Without a backup you may lose all of your content! Case in point: I’ve had four former clients who chose to save money by having their friend/teenager/employee/volunteer who “knew about WordPress” move their WordPress website to another host. The sites were moved and…they didn’t work! The person moving the site in each case hadn’t realized that all of the content is stored in a database. Since they’d cancelled their former hosting, everything was lost. In one case it was ten years of daily blog posts!
I run weekly backups of both the database and site files because I don't post as often as I should. If I posted daily, I would run daily backups of my database and monthly backups of my site files. Why monthly? Because site files don't change very often. I also run a backup before installing new plugins or updating plugins. I only keep two backups. That way if my last backup was bad I have another I can fall back on. Keep at least one copy somewhere other than the web server itself: a backup sitting next to the hacked files can be altered or deleted by whoever altered the site.
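Here is a cron-friendly script that follows the schedule described above: dump the database, archive the site files, and keep only the two newest of each. It is an added example, not code from the original post. It assumes (hypothetically) that WordPress lives in WP_ROOT, that backups go to BACKUP_DIR, and that the database credentials are read out of wp-config.php so they are never copied into a second file.

```shell
#!/bin/sh
# Added example: weekly WordPress backup with two-copy retention.
# Assumptions (hypothetical): WP_ROOT is the WordPress install, BACKUP_DIR holds
# the backups, and database credentials are read from wp-config.php.
set -eu

WP_ROOT="${WP_ROOT:-/var/www/html}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/wordpress}"
KEEP="${KEEP:-2}"   # the current backup plus one to fall back on if the latest is bad

wp_config_value() {
    # $1 = path to wp-config.php, $2 = constant name, e.g. DB_NAME.
    # Matches  define( 'DB_NAME', 'value' );  with either quote style and optional spaces.
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

backup_db() {
    # $1 = timestamp. The password is passed through MYSQL_PWD rather than -p so it
    # does not show up in `ps` output. DB_HOST is passed as-is; a host:port or
    # socket value in wp-config.php would need to be split first.
    cfg="$WP_ROOT/wp-config.php"
    out="$BACKUP_DIR/db-$1.sql"
    MYSQL_PWD="$(wp_config_value "$cfg" DB_PASSWORD)" \
    mysqldump --single-transaction \
        -h "$(wp_config_value "$cfg" DB_HOST)" \
        -u "$(wp_config_value "$cfg" DB_USER)" \
        "$(wp_config_value "$cfg" DB_NAME)" > "$out"
    gzip -f "$out"   # becomes db-<stamp>.sql.gz; a failed dump aborts before this under set -e
}

backup_files() {
    # $1 = timestamp. Archive the whole install, wp-config.php included, minus the page cache.
    tar -czf "$BACKUP_DIR/files-$1.tar.gz" --exclude='wp-content/cache' \
        -C "$(dirname "$WP_ROOT")" "$(basename "$WP_ROOT")"
}

prune_backups() {
    # $1 = db or files. Timestamps are YYYYmmdd-HHMMSS, so sorting by name sorts by date;
    # everything after the KEEP newest is deleted.
    ls -1 "$BACKUP_DIR"/"$1"-* 2>/dev/null | sort -r | tail -n +"$((KEEP + 1))" |
    while read -r old; do rm -f "$old"; done
}

main() {
    mkdir -p "$BACKUP_DIR"
    chmod 700 "$BACKUP_DIR"   # the dump contains every user's password hash
    stamp="$(date +%Y%m%d-%H%M%S)"
    backup_db "$stamp"
    backup_files "$stamp"
    prune_backups db
    prune_backups files
}

# Run only when executed as wp-backup.sh (hypothetical name); sourcing the file just defines the functions.
case "${0##*/}" in wp-backup.sh) main "$@" ;; esac
```

Schedule it from cron (for example `0 3 * * 0 /usr/local/bin/wp-backup.sh` for 3 a.m. every Sunday) and add an rsync or scp step afterwards so the newest archive also lands somewhere the web server cannot write to.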
In this case the client did have a backup from about a year previous. Since they didn’t make many content changes, I was able to use it to fix their site.
“Free” WordPress themes may not be free.
Use extreme caution in downloading free themes, even from otherwise reputable places like Themeforest. While Themeforest vets paid themes, I've heard of problems with some of their free themes. The only free themes I recommend using are ones from WordPress.org. They are closely examined before being listed and should be free from malicious code or other nastiness, though a review catches deliberately planted code, not every vulnerability found later, so they still need updating like everything else.
Like everything “free” you get what you pay for. My client ended up paying around $750 for me to restore their site. (I actually gave them a discount since they were referred by a friend.) This included the initial troubleshooting, attempting to clean the database (before the client realized they had an old backup), re-installing a fresh installation with the old backup, and changing all passwords, including ones for their hosting and FTP accounts. Additionally they virtually disappeared from search engines because for a month their site was seen as spam. If they had just purchased a paid theme they would have spent $29 – $150.
WordPress is not hands-free.
The main take-away is that WordPress is easy to add content to, but it isn't hands-free. Someone needs to be checking your site on a regular basis, both front-end and admin side. Run updates when they appear and make sure regular backups are occurring. Most important, don't rely on free themes unless you can read code and are willing to look at every theme file to ensure it isn't harboring malicious code. The usual tells are obfuscated PHP, long base64 strings handed to eval(), and footer or header code that injects links or ads you never wrote.
If you can’t spare time for this yourself, many WordPress professionals offer service contracts that cover backups, updates and site checks for less than $50 a month. I charge $500/yr for this service, which also includes a file change notification plugin. Every time the files on your WordPress installation change I review the report to make sure the changes are legitimate (updates, page changes, or new blog posts) and not malicious (hacked files).
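The file change report described above can be produced without a plugin. The following is an added example, not the plugin the author uses and not code from the original post: it hashes every file in the install, saves that as a baseline, and on each later run prints which files were added, modified or removed. It assumes (hypothetically) that the site lives in WP_ROOT and that the baseline is stored in BASELINE outside the web root, so a compromised site cannot quietly rewrite its own baseline.

```shell
#!/bin/sh
# Added example: hash-manifest file change check for a WordPress install.
# Assumptions (hypothetical): WP_ROOT is the site, BASELINE is a manifest kept
# outside the web root and written right after a clean install or a reviewed update.
set -eu

WP_ROOT="${WP_ROOT:-/var/www/html}"
BASELINE="${BASELINE:-/var/lib/wp-integrity/baseline.sha256}"

hash_tree() {
    # $1 = site root. One "hash  ./path" line per file, sorted by path.
    # Uploads and the page cache change during normal use and are skipped; everything
    # else (core, plugins, themes, wp-config.php) is hashed. Paths containing
    # whitespace are not handled; WordPress itself ships none.
    (cd "$1" && find . -type f \
        ! -path './wp-content/uploads/*' ! -path './wp-content/cache/*' \
        -exec sha256sum {} + | sort -k 2)
}

compare_manifests() {
    # $1 = baseline manifest, $2 = current manifest.
    # Prints one ADDED / MODIFIED / REMOVED line per difference, sorted.
    awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
         { if (!($2 in base)) print "ADDED    " $2; else if (base[$2] != $1) print "MODIFIED " $2; seen[$2] = 1 }
         END { for (p in base) if (!(p in seen)) print "REMOVED  " p }' "$1" "$2" | sort
}

check_tree() {
    # $1 = site root, $2 = baseline. Prints the change report and returns 1 when
    # anything differs; cron mails output by default, so a clean run sends nothing.
    current="$(mktemp)"
    hash_tree "$1" > "$current"
    report="$(compare_manifests "$2" "$current")"
    rm -f "$current"
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Usage (hypothetical script name wp-integrity.sh):
#   wp-integrity.sh init    write a fresh baseline after a clean install or a reviewed update
#   wp-integrity.sh check   compare the live tree against it
case "${0##*/}:${1:-}" in
    wp-integrity.sh:init)  mkdir -p "$(dirname "$BASELINE")"; hash_tree "$WP_ROOT" > "$BASELINE" ;;
    wp-integrity.sh:check) check_tree "$WP_ROOT" "$BASELINE" ;;
esac
```

Run `init` once after a clean install and again after every update you have reviewed, then run `check` from cron daily. Legitimate updates show up as a batch of MODIFIED core or plugin files; a lone new .php file under wp-content, or a modified index.php when nothing was updated, is what the report is there to catch.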