I'd always believed that, much like email scams and credit card fraud, having your website hacked is the sort of thing that happens to other people, but never to you. After all, I'd never be so foolish as to allow tricksters to get the better of me! Unfortunately, I fell foul of this fallacy last Friday.
Upon visiting my website I discovered nasty looking warning signs plastered all over the home page and in my WordPress admin screen. Thinking it was probably a plugin playing up, I logged into my WordPress theme's support forum to get some answers.
Unfortunately, the issue wasn't so innocent or simple to solve.
In super quick time, I got a response from my theme's creator, Andon, with the words every website owner dreads: 'Matt, I think your website has been hacked'. Not exactly the best news to receive last thing on a Friday.
Thankfully, Andon also gave me some salient advice on something every WordPress owner needs to know, and how to protect against it: in July and early August a security vulnerability was discovered in the TimThumb script used in some WordPress themes and plugins.
So if you haven't updated your theme in a while, you could be at risk, and should follow these steps to lock down your WordPress website:
- Take a deep breath and try not to panic. Rushing through these steps could create an even bigger mess if you get them wrong
- Back up all your WordPress files and database (you can download your database with this plugin)
- Update your WordPress installation and theme to the latest versions. If you have a premium theme, its authors should have put out a security update. If it's a theme you've created yourself, it might be worth getting it checked over by a WordPress expert (feel free to post your details in the comments, if you are one)
- Check whether any new users you don't recognise have been added (as I discovered to my horror) and delete them post-haste
- Change your passwords if you haven't done so in a while
- Even after changing your passwords, hackers can still log in if you haven't invalidated their cookies. You can do this by adding new WordPress security keys to your wp-config.php file
- Install the WordPress Firewall 2 and AntiVirus plugins for an extra line of defence
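To illustrate the security-key step, here is an added example (my own, not from the original post or from WordPress itself) that audits a wp-config.php for keys that are missing or still on the sample placeholder, and rewrites all eight with fresh random values so that every existing login cookie is invalidated. The wp-config.php fragment it runs on is constructed for the example.

```python
import re
import secrets

# The eight keys/salts WordPress reads from wp-config.php (names from wp-config-sample.php).
SALT_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"   # value shipped in wp-config-sample.php
STOP_MARKER = "/* That's all, stop editing!"  # defines must sit above this line
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\);")

def audit_salts(config_text):
    """Names of keys/salts that are missing, still the sample placeholder, or too short."""
    found = dict(DEFINE_RE.findall(config_text))
    return [n for n in SALT_NAMES
            if n not in found or found[n] == PLACEHOLDER or len(found[n]) < 32]

def rotate_salts(config_text):
    """Give all eight keys/salts fresh random values, inserting any that are absent.
    New salts invalidate every cookie issued under the old ones, so sessions an intruder
    already holds stop working, which a password change alone does not achieve."""
    fresh = {n: secrets.token_urlsafe(48) for n in SALT_NAMES}  # 64 url-safe chars, no quotes

    def replace(m):  # rewrite salt defines only; DB_NAME and friends are left as they are
        name = m.group(1)
        return "define('%s', '%s');" % (name, fresh[name]) if name in fresh else m.group(0)

    rewritten = DEFINE_RE.sub(replace, config_text)
    present = {n for n, _ in DEFINE_RE.findall(config_text)}
    missing = "".join("define('%s', '%s');\n" % (n, fresh[n])
                      for n in SALT_NAMES if n not in present)
    if missing and STOP_MARKER in rewritten:   # keep new defines above the wp-settings include
        rewritten = rewritten.replace(STOP_MARKER, missing + STOP_MARKER, 1)
    elif missing:
        rewritten += "\n" + missing
    return rewritten

# Constructed sample: two keys still on the placeholder, NONCE_SALT missing entirely.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'Zq9!kLm2#pXv8$wTb4&nRc6*yHd1(jFs3)gAe5-uIo7+');
define('NONCE_KEY',        'Xw3@bNv7%tQk1^mLp9&cRz5*yJh2(dGf4)sAe8-uIo6+');
define('AUTH_SALT',        'Pl4$kMn8#qWe2@rTy6%uIo0^aSd1&fGh3*jKl5(zXc7)');
define('SECURE_AUTH_SALT', 'Mn7^bVc3%xZl9*kJh1&gFd5(sAp0)oIu2@yTr4#eWq8!');
define('LOGGED_IN_SALT',   'Qa2!wSx4@edC6#rfV8$tgB0%yhN1^ujM3&ik9*ol5(p7)');

/* That's all, stop editing! Happy blogging. */
require_once(ABSPATH . 'wp-settings.php');
"""
```

Run `audit_salts` on your real wp-config.php before and after `rotate_salts`; the first call lists what is weak, the second should return an empty list.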
Thankfully, the hackers didn't do much damage (as far as I can tell), and I was still able to log in and rescue the site from their clutches.
There are still some ugly warning messages all over my admin panel, and for some reason three portfolio posts were sent to subscribers yesterday(?). But other than that, I think I got away lightly.
Otherwise I might not be writing to you now.