I host a bunch of websites. I love doing it because I’m in control of every aspect that goes on with them. I can monitor server load, I can make edits to my server to install new versions of PHP, or mem_cache, or whatever.
One thing that I’ve been harping on a lot is security. I have a plugin called Ninja Firewall on a few of my sites that monitors any file or DB change.
Now this never happened to me before but last night, around 11:30 (still awake, getting tired) I received 3 emails, back to back.
The first was Email Change, then New User Registration, then WordPress Login.
I know the user of the site personally so I KNOW that this is not normal behavior. Also, the name that was being registered was none other than…. trump (dot) clinton at usa dot com! HAHAHA
So I actually got to stop this hack while it was going on, I felt like a superhero, lol.
So here are some steps that I did to remove the hack, because I’m finally getting good at this 🙂
Step 1 – Clean WordPress
The first thing I did was delete everything except the
wp-content folder and the
This makes sure that any affected core files are gone! After I delete them, I unzip a fresh download of WordPress, and upload all the files except for wp-content.
MAKE SURE YOU UPLOAD THE SAME VERSION OF WORDPRESS OR SH*T WILL BREAK.
Now I have a fresh WP install.
Step 2 – Go Into WP-Content
I keep all my builds as simple as possible so I have a pretty good grasp on what should and should not be in my WP-Content folder. A great way to check would be to organize what’s in the WP-Content folder by edit date. Check to see if anything was edited recently, and if it was a file, determine if you actually need that file.
A lot of times, what ends up outside of the plugins or themes folder is backups, caching files, things like that. Verify the plugins on the site to make sure that those files are actually being used. Most of the time, if you delete one of these files and then log into WordPress, you’ll get a warning or error message in your dashboard, so don’t stress too much. Delete what you don’t need.
Step 3 – Remove What You Don’t Use
Give your site a quick audit. If you’re not using the 2015 theme, then remove it. Anything you know for a fact you’re not using, delete it. Plugins are a little trickier but do the date thing again. See what was edited recently and check to see if it’s active on the site. If it’s not, DELETE!
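The "sort by edit date" check from Steps 2 and 3, as an added example that is not from the original post: it lists files under wp-content modified in the last few days, newest first, and marks whether each one sits in plugins, themes, or somewhere else. The function names, the 7-day window and the sample tree are assumptions made for this illustration.

```python
import os
import tempfile
import time
from pathlib import Path

# Step 2 treats anything outside plugins/ and themes/ as worth a closer look.
EXPECTED_DIRS = {"plugins", "themes"}

def recent_changes(wp_content, days=7, now=None):
    """Files modified within `days`, newest first, as
    (mtime, relative_path, location); location is plugins/themes/other."""
    root = Path(wp_content)
    cutoff = (time.time() if now is None else now) - days * 86400
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                mtime = path.lstat().st_mtime
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if mtime < cutoff:
                continue
            rel = path.relative_to(root)
            top = rel.parts[0] if len(rel.parts) > 1 else ""
            hits.append((mtime, rel.as_posix(),
                         top if top in EXPECTED_DIRS else "other"))
    return sorted(hits, reverse=True)

def build_sample_tree(base, now):
    """Constructed sample wp-content tree; values are file ages in days."""
    ages = {"plugins/contact-form/form.php": 90,
            "themes/my-theme/functions.php": 1,
            "cache/page.html": 0.1,
            "backup-old.zip": 30}
    for rel, age in ages.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("sample")
        os.utime(p, (now - age * 86400,) * 2)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        now = time.time()
        build_sample_tree(tmp, now)
        for mtime, rel, loc in recent_changes(tmp, now=now):
            print(time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime)), f"[{loc}]", rel)
```

Modification times can be reset by whoever changed the file, so treat this as quick triage alongside the scan in Step 4 rather than proof that older files are clean.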
Step 4 – Do A Scan
I like to use the plugin Anti-Malware Security and Brute-Force Firewall. It’s very thorough, and it’s free so you can’t beat it. I don’t like using Sucuri or anything like that because to me, it’s always missing something. I’ve had some great luck with the other plugin though and was able to fix/quarantine hacked files.
Step 5 – Harden Your Install
For this, I will either use the iThemes Security Plugin, or my favorite which is currently SecuPress. Both are free, both will harden your website. Just follow the instructions when you install them and you should be good to go!
BONUS – Track Things
If you want to take an additional step, you can install a file monitor. I use NinjaFirewall (which is how I noticed all the things happening on the site). But you can use whatever you feel comfortable with. There are some site audit plugins out there that will email you when things happen on the website, so feel free to look into any of those.
ALWAYS BACK UP!
The worst-case scenario is you can’t fix it. Now what do you do? You can hire someone OR you can restore a clean backup. So make sure your sites are always backed up!
If you’re reading this thinking to yourself, “man I don’t want to deal with that crap,” then let us help you out. We don’t offer clean up services, but we do host websites, which we treat as if they are our own! Send your clients our way for hosting needs, we promise we’ll take care of them! (White Labeled too, so you can take all the credit.)