10 Steps to do to recover hacked WordPress on shared hosting account
A few weeks ago, our shared hosting account on a famous hosting provider was compromised. The WordPress websites were attacked by a virus which corrupted files with malware. The virus was even able to penetrate more than one sites (being shared hosting, they all share one Linux user) and do a bit of a damage. Now we use a mix of WordPress and other open source programs for our contents but this article will help anyone using PHP.
Luckily, our Programmers were able to recover hacked WordPress website and we were back on track. This is also a part of our suite of services where we provide software advice & rescue or upgrade or finish pending work.
1. Change all passwords!
And I mean all passwords. These include your Cpanel passwords, FTP passwords, hosting password and go on. Also, store the passwords in a safe location (Google Drive) instead of a text file lying around. Always generate long strong passwords instead of trying to be clever and come up with your own passwords. At The Right Software, we love thebitmill.com to create long complex passwords.
2. Keep your computers clean (Duh!)
This is sort of over-used cliché but most of the time viruses do generate from the local computer where they can steal information like FTP or Database passwords and broadcast. So always keep an anti-virus program installed and regularly updated. Plus it will keep your computer from slowing down as well.
3. Never store FTP Passwords in FTP software
We all use FTP to upload files. It’s convenient, it’s fast and it doesn’t ask questions (like git :)). Here’s the catch though. In our convenience we save live passwords into FTP client like Filezilla or CuteFTP. This is a big no. These passwords are saved in flat files without any encryption and any resident malware will know the common paths to try and extract FTP passwords and use them to inject live site. Wherever possible, use FTPS (or FTPES) instead of FTP.
4. WordPress: Not all themes and plugins are created equal
We all look for bargain deals. Free WordPress plugins and themes make our eyes glint. But please remember, plugins downloaded from third party sources (other than wordpress.org) don’t go through a security and compliance review. Therefore, making them more susceptible to security breaches. Similar is a case with themes. So always keep your WordPress version, plugins and themes updated.
5. Apply steps devised by WordPress itself
WordPress itself provides a handy list of steps to make it hard to crack. Do follow them and apply all of them. Link given below.
6. Make regular backups online
Make regular backups of your online websites as shared hostings don’t provide this service except for last 24-48 hour backup and even that may already be tainted by the virus. So it’s better to keep your own backups. Hosting providers quarantine infected files so it’s better to not rely on them to bail you out. You can use UpdraftPlus plugin for creating backups.
7. When in doubt, wipe the server clean
With handy backups available and if you feel like the rot is too big, we advise you to clean up every domain account and start from zero with fresh passwords.
8. Never mix production and development environments
For small businesses, production and development machines are an extra cost. It’s better to deploy a one-time in-house server with a public IP than to use same hosting for live websites and showing client concepts.
9. SSH is your friend
Most shared hostings do provide SSH access so keep the file and folder access in check as outlined by WordPress itself. 644 for files and 755 for folders. Create and secure the private keys for SSH access and use them to your advantage.
10. Change Hosting
One option could be to switch to a more secure hosting with better reviews and check and balance mechanism. We provide a very short list of web hosting services that we can personally vouch for. You can view here list of trusted web hosting services.
Bonus: Save wp-config outside httpdocs
We found this handy discussion of why saving wp-config.php file outside your public html directory is perfectly fine and appreciated. You’ll need to make no changes to your WordPress installation and your FTP/Database credentials will not be printed on screen by any glitch.
This is not an exhaustive list but it will be a good start if your WordPress website gets hacked. You can add your bit in the comments below.
If you need help with recovering a hacked WordPress website, send us an email. We’ll be happy to do a quick review of the situation with you.