It’s a lovely day. You’re just going about your business and figure hey, I’m going to go visit my business website and admire its awesomeness.
You go to your website but instead of seeing your beautiful homepage, there’s a strange red screen showing in your Chrome browser that says “The site ahead contains malware.”
Now it’s time to lose your ever-loving mind!
Just kidding. Don’t do that.
Take a deep breath. It’s not irreparable.
Chances are good, though, that your website has been either hacked or infected with malware.
I realize your heart rate might have sped up reading that, but don’t panic and leap into your website to try to fix it without a plan. That’s the best way to make big mistakes.
Next week, I’ll be posting an article about how to determine if you have been hacked or infected with malware, but, for now, let’s assume that it’s clear to you your site has been compromised.
Fine, I won’t freak out. But what do I do?
If you have been working with a website developer you trust, or at least know one, now might be a good time to give them a shout and loop them in to support you.
I am going to give you a number of suggestions of things you can do right now, but having a professional in your back pocket definitely wouldn’t hurt.
Change Your Passwords
Before you do anything else, go right now and change your passwords on every account related to your website, including:
- Web Hosting
- Control Panel (this may be the same as your Web Hosting login)
- WordPress for any administrative users (e.g., your account, your developer’s account, your SEO specialist, etc.)
- Domain Name (sometimes you don’t need to do this, depending on the circumstances, but since we can’t know your unique situation from here, it’s just a good idea to do this one as well)
- Database User (this is similar to the domain, such that it may not be necessary but it’s better safe than sorry, and this can be done through your hosting control panel)
- FTP information (review all FTP accounts, remove ones that are no longer needed and change the passwords on ones used; you may want to have a developer support you on this if your response to this item was “FTP-wha?”)
If you use a service like VaultPress and you update your FTP info as outlined in the list above, it will have to be updated in VaultPress as well before you’ll be able to do any restoring.
Contact Your Website Hosting Provider
Now that you’ve changed your passwords, you need to submit a support ticket or call your web host. Ask them to check your logs to see if they see any suspicious activity. If there are any IPs that seem suspicious, it would be wise to block them, in case any of them are the culprit.
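If you or your developer can download the raw access log from your host, here is one way to do a first pass for the kind of suspicious activity mentioned above. This is an added example, not part of the original article or any host's tooling; the log lines are constructed samples, and the threshold and the two patterns checked (repeated login POSTs, PHP files served from the uploads folder) are assumptions you should tune for your site.

```python
import re
from collections import Counter

# Constructed sample in Apache/Nginx "combined" log format (not real traffic;
# the IP addresses come from reserved documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:02:20:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "curl/8.0"
198.51.100.23 - - [12/Mar/2024:02:21:55 +0000] "GET /wp-content/uploads/2024/03/cache.php?a=1 HTTP/1.1" 200 17 "-" "curl/8.0"
192.0.2.10 - - [12/Mar/2024:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2024:09:00:05 +0000] "GET /wp-content/uploads/2024/03/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2024:10:30:00 +0000] "GET /wp-content/uploads/old.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

# Captures: client IP, HTTP method, request path, status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")
UPLOADS_PHP = re.compile(r"^/wp-content/uploads/.*\.php$", re.IGNORECASE)

def suspicious_ips(log_text, login_threshold=3):
    """Return {ip: [reasons]} for IPs worth raising with your host."""
    login_posts = Counter()
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, status = m.groups()
        path_only = path.split("?", 1)[0]
        if method == "POST" and path_only in LOGIN_PATHS:
            login_posts[ip] += 1
        # The uploads folder should hold media, not PHP that actually runs.
        if status == "200" and UPLOADS_PHP.match(path_only):
            findings.setdefault(ip, set()).add("php-in-uploads")
    for ip, count in login_posts.items():
        if count >= login_threshold:  # assumed threshold, tune per site
            findings.setdefault(ip, set()).add("login-flood")
    return {ip: sorted(reasons) for ip, reasons in findings.items()}

if __name__ == "__main__":
    for ip, reasons in sorted(suspicious_ips(SAMPLE_LOG).items()):
        print(ip, ", ".join(reasons))
```

Treat the output as a list of addresses to ask your host about, not as proof of who broke in; a single successful login from your own address (like the third IP in the sample) is not flagged.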
Get the Infection Removed
Malware is the devil. It’s website cancer and you need to get rid of it, STAT. The absolute easiest and quickest way to do this is to use Sucuri.
Once you sign up with their service and provide them with the information they require, they will remove all malware and provide you with things you should do to follow up, like change passwords (which you’ve already done, right?).
Please, please, PLEASE, do not DIY this.
Cleaning up a hacked or infected website is technically advanced and something you really need to outsource to the pros.
The great thing about Sucuri is that you’ll pay your annual fee and they’ll clean it up, but then you’ll have the benefit of their services for a full year, including malware monitoring, alert and clean up.
Note that you will need the support of a developer to fully implement all of Sucuri’s features, such as their firewall, which will stave off another malware infection.
Once Sucuri confirms they’ve completely removed the malware from your site, you may discover that some (or all) of your data has been lost. This is when that website backup I’ve been preaching about forever comes in handy.
Hopefully you have VaultPress in place and can easily restore from a backup and be up and running immediately. If you haven’t already set up a third-party backup service, now is the time, because you don’t want to find yourself re-reading this blog when you need it and kicking yourself for not heeding this advice.
Upgrade Your WordPress Installation
There are a number of ways hackers can get into your website, but the most common cause is that a WordPress website hasn’t been updated, so a fix that would have prevented the hack or infection was never applied.
This is why updates are so important! But that’s a whole other blog.
So, make sure your WordPress updates are brought up to date. This includes your core, plugins and theme. Make sure any plugin or theme that has a license is not expired and if it is, renew it now so you can receive updates. Often licenses expire without anyone noticing, leaving you with an outdated version on your website, making it vulnerable.
Occasionally plugins purchased from third parties may end up being installed without ever being updated if you ignore emails from the plugin author indicating the plugin has been updated.
With some plugins, the only way to update them is manually (i.e. not through WordPress’s updates dashboard), so if you ignore update emails about those plugins, you may have outdated plugins and not even realize it.
Depending on how long it’s been since you last updated your WordPress, you may require a developer’s support to ensure that the updates don’t break your site.
This might be a good time to read my article Yes, You Could Be Hacked, to ensure you’re following other best practices to avoid being hacked.
Re-Submit to Search Console
Once the hacking or infection is fully resolved and your site is cleaned up, you may need to resubmit your website URL to Google.
This is usually only necessary if you received a notification from Google that your website was found to be infected. If you catch it before Google does (for instance, if you have malware monitoring on your website) and fix it immediately, this step likely isn’t needed.
But if you did get a notification from Google about having an infected website, don’t skip this step, as it’s important in order to let Google know that you’ve addressed the problem.
You can learn more about what Google’s Search Console does, here.
How to protect yourself in the future
Once the hack or infection is resolved, and your site has been resubmitted to Google, it’s time to do a review of your website to identify where your vulnerabilities were before your site was compromised, and where they are now, so you can put in steps to protect yourself in the future.
This would be a good time to get a WordPress Health Checkup for your website to help identify any possible security vulnerabilities.
Then, do the following:
- Run your WordPress updates regularly.
- Make sure your passwords are strong (here is Google’s advice on how to create a strong password)
- Check to see if you’re on a good quality hosting provider. Not sure? Be sure to grab a copy of my Ultimate Guide to Planning Your Next Website which includes a checklist of what to look for in your hosting provider.
- Periodically review your WordPress health: specifically review inactive/unused plugins and review your user list.
- Consider signing up proactively for Sucuri, or look into another security plugin like iThemes Security Pro. (Learn more about all of those options in Yes, You Could Be Hacked)
I know that sinking feeling you get in the pit of your stomach when you realize you’ve been hacked or infected, all too well.
My goal isn’t to scare you and tell you that you’re vulnerable to a website nightmare at this very second, but I’d be lying to you if I said it’s not worth checking over your website to ensure things are in tip top shape.
By making sure you know how to protect yourself and how to resolve issues should your website be compromised in the future, you will be prepared to quickly address a hacked or infected website, so that you can get back to doing the business that you love.