WordPress Security: How to Check if your Website is Clean
WordPress is a hugely popular content management system (CMS) and it powers nearly 30% of the world’s websites. Unfortunately the sheer volume of websites also makes WordPress an attractive target for hackers. Their goals range from sheer boredom to monetary gain, e.g. by promoting their own products (usually pharmaceuticals or adult content) or redirecting a website to their own website.
This can of course lead to loss of income for business owners and loss of customer trust. It is usually very difficult to unhack a website as the hacks are quite complex these days and often involve code back doors which allow hackers to get back in even if you think you have cleaned it all up. If a website has been hacked, it often has to be wiped as it is frequently impossible to clean it up. Ideally you would have a clean backup from before the hacking occurred, but if this is not the case, the website may have to be rebuilt from scratch.
WordPress itself is a robust and secure software, but it does need to be updated regularly to keep it secure. The same goes for the plugins that are used to add functionality to the website.
These days hacked websites are not always obvious as hackers become smarter at concealing their hacks to increase the time a hacked website is live on the internet. The hacks may be so well hidden that you might not notice them for months. Here are some examples that I have seen over the last few years:
- On some websites hackers had left the website intact but somehow created hundreds of additional, hidden pages on the domain. The additional pages promoted pharmaceuticals that they were trying to sell.
- One website looked completely fine on desktop but had adult content showing in the mobile view
- The home page of some websites looked fine but certain sub pages showed hacked content
- On one website only one particular page and the website logo at the top linked to an external website promoting Viagra
Sometimes the first you know of your website is being hacked is because Google shows a message below your website link saying “this website may have been hacked”. Not a good look! By then your website will already be blacklisted by Google.
This also means that any clean backups may be several months old by the time you realize what is happening, so you would lose any newer content when the hacked website is deleted and the backup is restored.
There are several ways to keep an eye on your website and make sure you find out quickly if it does get hacked. A combination of methods is usually best:
- Install a security plugin such as WordFence. Set it up to run regular malware scans and alert you if anything fishy goes on.
- Register your website with Google Search Console. This can also pick up on malware and alert you if Google believes that your website was hacked.
- You can also use this tool (by Google) to check whether any website has been listed as compromised: https://transparencyreport.google.com/safe-browsing/search
- Check your website regularly and have a bit of a click around to make sure everything looks ok visually.
If we have built your website in the last year or two then we would have usually set up WordFence on it already, and we also always submit websites to Google Search Console so we would receive alerts from them.
Of course this is all great to know but really by the time you find out your website was hacked, the horse has already bolted! So what can you do to prevent hacking in the first place? Click here to read my tips: “How to Outsmart Website Hackers and Keep Your WordPress Website Secure”