Ouch, my Wordpress site got hacked...

- April 28, 2015

For not the first time, we have recently been working with a customer whose site got hacked. Searching on their name got back results like this from their own site.


When someone searches for you and they see results which have various medications in the titles in between your real results, it can do real damage. In this case the estimate from the customer was a 33% drop in sales in the 30 days after the hack. Quite astonishing, even for a business which relies on a constant stream of new customers.

So what happened? 

Simple answer is that the site is based on Wordpress and hadn't been kept up to date. However, there have been quite a few situations in the last couple of years where even an up-to-date Wordpress install has been compromised through a plugin or other exploit. And a new one yesterday.

This all sounds a bit scary. Should I stop using Wordpress?

The real answer to that is: "it depends on your budget and how much you have to lose". Wordpress is a great way to deliver a relatively complex (and extensible) set of functionality onto the web on a low budget. Its popularity makes it a big target for the bad guys. Its extensibility with plugins is amazing for adding functionality, but for each plugin you add you (normally for free) you open up your site to a potential security hole. Should you stop using it? There is no real answer to this question: especially as there are some very big and popular sites using Wordpress...

That's not an answer!

Nope. Stopping something means doing something else. In many cases the cost of putting in place another solution will be more than running a Wordpress site properly. As far as I know, there isn't another solution out there for most 'small business' situations which will be cheaper to implement than fixing and running properly a Wordpress site. When I say 'small business', I actually mean simple online business: showing information, taking in forms. If you are doing something more complicated, there are probably better paths forward, but again it does depend on the budget.

What to do with a hacked Wordpress site?

This is not an exhaustive list, you can find those elsewhere (not least, here), but a results-driven one:
  1. Find someone you can trust to get it fixed. If your current web-shop/designer/IT guy can't give a straight answer to why you are calling them about a hack (ie why they haven't seen it) and tell you what they will do within 12 hours, look elsewhere.
  2. Time is essential. Google (et al.) don't reindex every day, so each day you are showing 'v i a g r a' in the results counts. Sooner it it fixed, the sooner those results will disappear. 
  3. Analytics and Webmaster Tools - If you weren't looking at them before, do so now. Even if you have an external company managing your site, you need to own these and get the alerts.
  4. Remove all users who are not needed. Change all user passwords and make it clear people need to use new safe unique passwords. Change all passwords on hosting, servers and admin accounts. Assume all of them are public and compromised.
  5. Remove all unused plugins. Look at all used plugins to make sure they are being updated - replace if not.
  6. A simple clean-up on a hacked site might not be enough. Any compromised install of Wordpress may be at future risk. There are hundreds or thousands of files in there. All it takes is one bit of bad code and the bad guys may be able to get back in.

Moving on, what to do?

Even if you have an external provider, make sure you have someone in your organisation who is looking out for problems on the website. That means they are looking at the search results, Google Analytics (traffic, referrals), Webmaster Tools and generally what is happening to the site.

Get someone internally or externally to be responsible for the website. This is not just looking for hacks, but also making sure indexation is happening, performance is there and there are not broken links all over the place (among 100 other things).

For most businesses, a website is there to generate business. In some cases - like the one at the start of this post - the red light only starts flashing when something goes seriously wrong. In others, they just wonder why they don't generate more new business from their site (until they realise that 30% of their visitors can't use the site on a phone).

A working, attractive web presence is hard to get right. It's not impossible and doesn't always have to be stupidly expensive.

If you need a hand - Expat Audience can help ;)  - contact us

Read More