Why did my WordPress website get hacked or injected with malware?
In most circumstances, you have one or more of the following:
- An out-of-date WordPress core installation, and/or
- Out-of-date WordPress themes, and/or
- Out-of-date WordPress plugins, and/or
- A weak control panel password, and/or
- A weak FTP or MySQL account password, and/or
- Malware on your desktop computer that captures your login credentials (username/password)
Are there any symptoms of being hacked?
These are some common symptoms of a website that has been hacked (or injected with malware):
- You receive a number of bounced-back emails that you did not send, or
- Website traffic usage is suspiciously high, or
- The WordPress admin panel contains a suspicious (admin) user, or
- There are unknown or suspicious files in your website folder, or
- File last-modified timestamps are out of sync (files changed at times when you made no changes), or
- A third party notifies you, or
- Your site is blocked by Google Safe Browsing, Microsoft SmartScreen filter, etc.
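Two of the file-based symptoms above (unknown files, out-of-sync modification times) can be checked from the command line. The script below is an added example, not RecoverWP.com's tooling; it builds a constructed WordPress-like tree with one planted PHP file under wp-content/uploads, then runs the two checks against it. Paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example (not RecoverWP.com's own code): check a WordPress document
# root for executable files hiding under wp-content/uploads (which should
# hold media only) and for files modified more recently than your last
# known change. Demonstrated here on a constructed directory tree.

# Build a constructed site tree: backdated legitimate files plus one planted PHP file.
make_sample_site() {
  root="$1"
  mkdir -p "$root/wp-content/uploads/2023" "$root/wp-content/themes/demo"
  printf '<?php // core front controller\n' > "$root/index.php"
  printf 'body{}\n' > "$root/wp-content/themes/demo/style.css"
  printf 'JFIF' > "$root/wp-content/uploads/2023/photo.jpg"
  printf '<?php // constructed planted file\n' > "$root/wp-content/uploads/2023/wp-cache.php"
  # Backdate the legitimate files (absolute -t format works on GNU and BSD touch)
  touch -t 202001010000 "$root/index.php" "$root/wp-content/themes/demo/style.css" \
    "$root/wp-content/uploads/2023/photo.jpg"
}

# Symptom: unknown files. Print PHP-like files found under uploads/.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \)
}

# Symptom: modification times out of sync. Print files changed in the last N days.
modified_within_days() {
  find "$1" -type f -mtime "-$2"
}

# Report both checks; return 1 if anything was found so a cron job can alert on it.
scan_site() {
  root="$1"; days="${2:-7}"; findings=0
  for f in $(php_in_uploads "$root"); do
    echo "SUSPICIOUS: executable file under uploads: $f"; findings=$((findings + 1))
  done
  for f in $(modified_within_days "$root" "$days"); do
    echo "RECENT: modified in last $days days: $f"; findings=$((findings + 1))
  done
  echo "findings: $findings"
  [ "$findings" -eq 0 ]
}

# Demo on the constructed tree; in practice point scan_site at your real document root.
site="$(mktemp -d)"
make_sample_site "$site"
scan_site "$site" 7 || echo "review the files listed above"
rm -rf "$site"
```

On a live site, run the modification check with a day count matching your last known update so that legitimate changes do not drown out the unexpected ones.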
Am I being targeted?
For small business websites, in most circumstances, you are not specifically targeted.
Hackers use automated vulnerability scanners to find vulnerable websites, upload malware (e.g. a file manager or backdoor) to them, and then carry out malicious activities (e.g. for financial gain).
What are the impacts of a hacked WordPress site?
- It embarrasses your business and damages its reputation,
- It harms your website's search engine ranking,
- It uses your website and legitimate mail server to send spam (harming your IP and domain reputation),
- It uses your hosting space to distribute malware under your domain,
- It redirects your website visitors to malicious URLs (and may even silently install malware on visitors' computers),
- It uses your website to participate in DDoS attacks (i.e. your site becomes part of a botnet),
- It uses your hosting space to host phishing pages (e.g. a fake bank login) under your domain (this can be grounds for cancelling your domain registration).
What can I do to minimize the chance of being hacked in future?
You should consider the following:
- Ensure your desktop is secure (e.g. free of viruses, Trojans and other malware)
- Always update your WordPress installation (core, themes, and plugins)
- Remove inactive themes (keep only the active theme)
- Remove unnecessary plugins
- Ensure themes and plugins are up to date (avoid plugins that have not received updates for a long time, e.g. over 2 years)
- Ensure you have regular backups (website files + database) stored in a safe place (e.g. a remote backup location)
- Ensure the backup can actually be restored
You may also consider the following:
- Disable direct file editing inside the WordPress admin panel
- Install an SSL certificate to encrypt the connection between your desktop and the web server (protecting your admin password during login)
- Lock down the WordPress admin panel login (or enable two-factor authentication)
RecoverWP.com is managed by web hosting professionals, who have been working on web hosting, WordPress website, security and vulnerabilities area since 2003.