What to Do When Your WordPress Site is Attacked

By Michael Kaulkin, filed under WordPress

Have you ever had your hosting account suspended without warning by your hosting company because your WordPress site had been compromised by malicious code? It happens a lot, and it’s not fun. And usually, by the time this happens, Google has figured it out and started throwing up red flags to your users cautioning them that your site is dangerous — a major setback for whatever SEO you’ve built up over the years.

Over many years of building and maintaining WordPress sites, mostly on cheap shared hosting accounts, I have frequently found myself in the position of having my account suspended or even threatened with termination because of some spambot or other malicious code buried among my WordPress or plugin files thanks to who-knows-what exact vulnerability.  So far, I have yet to experience one of these hosting companies making any effort to help me isolate the problem.

Most of the big, popular hosting companies are big and popular because they offer extremely inexpensive access to shared hosting environments that are configured to serve the widest variety of possible needs.  Many of them are fine companies that serve their customers well; others less so. Without getting into too many technical details, the problem is that WordPress has special needs around security and performance, and the ideal WordPress hosting environment is configured in ways that could limit its usefulness for non-WordPress purposes.  The big hosts serve the lowest common denominator, and your WordPress site is in need of more attention and care.

Unfortunately, WordPress is not a perfect solution, particularly around security, which is something the developers struggle with every day. This, combined with its popularity, makes WordPress a tantalizing target for hackers, who are constantly figuring out ways to sneak hidden PHP files into WordPress sites to run spambots and serve other malicious purposes.

A Solution for Chronic Malware Attacks

Over the past two years or so, a handful of hosts have cropped up who aim to address this problem by only hosting WordPress sites.  This enables them to tighten down their configurations so as to mitigate the vulnerabilities in WordPress that hackers exploit. They typically do not allow the hosting of non-WordPress sites and they’re also a bit more expensive.

[Image: Secure WordPress Hosting, Lightning Base]

The one I use now exclusively, and always recommend to clients, is Lightning Base. For one thing it is the least expensive, at least as of the time I was shopping around, and while you might think that service would be at a lower standard, it is in fact some of the best service and support I’ve experienced anywhere in or out of the web hosting industry. Lightning Base is run by a pleasant and patient fellow named Chris, who, in my experience, personally handles support requests, and very quickly.

I find it interesting that, over a period of many years, I had this experience of malware attacks on my own sites and clients’ sites countless times, but since moving dozens of client sites, and finally my own, to Lightning Base, it has not occurred once (knock on wood). I won’t say “never,” but I think Lightning Base and presumably their competitors (see Pagely, WPEngine and a number of others) in this space of Managed WordPress Hosting have this figured out for the time being, and I’m happy to pay a little more for the peace of mind.

What If I Don’t Want to Switch Hosts?

Well, I don’t blame you.  The process is no picnic. But, measured against the time one spends fighting this stuff on the big hosts plus the likelihood that it won’t be the last time, it seems worth it.

There are a handful of basic steps you need to follow if your site is compromised.  (If your host suspends your account, they should at least send you these instructions.) Unfortunately, it’s a bit of a project. Here are some basic measures you should take:

Change all of your passwords, including WordPress admin and FTP/cPanel

Hackers got into your stuff somehow, and it’s most likely through a “brute force” password guessing attack.  Change your passwords to the most unintelligible nonsense you can come up with. Consider using a password maintenance service like LastPass. Their browser extensions will give you the option to auto-generate a secure password on the fly.

Check your WordPress Users

You need to make sure there are no admin users there that you don’t know about.  One hacker tactic involves creating an admin user that lets them run amok over your site and do whatever they want. You can look at the Users list right within the Dashboard, but to be really certain it’s clean, you have to look directly at the wp_users table in the database, which can be accessed easily if you have a cPanel setup on your hosting account. I’ve had this happen to me. They added a user with admin privileges with nothing in the “date created” field, which caused it not to show up among Users in the WordPress dashboard.  Dastardly.

Reinstall Everything

Yeah, this is the fun part. You basically have to reinstall WordPress, your theme and all of your plugins. The problem is that the malicious code that’s compromising your site is scattered among the deep file structures of your site including themes, plugins and uploads, as well as WordPress core files. It is a good idea to delete any themes in the wp-content/themes directory that are not being used and pay close attention to what plugins are in use at any given time.

Scan the Bejeebus Out of Everything

Normally I’m against indiscriminately installing plugins left and right, but if you’re not going to switch to Lightning Base, then you should install a security plugin. There are a number of good ones. Personally, I’m pretty happy with Wordfence, which has a pretty good malware scanner and firewall features. For a deeper scan there’s also the Exploit Scanner plugin. Running these scans will hopefully alert you to anything that you missed in the process, and whether there’s anything of concern in the database (which would not be addressed by reinstalling WordPress).
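As an added example, not code from the original post, here is a small POSIX shell script that covers the reinstall and scan steps above: it compares the live wp-admin/ and wp-includes/ trees against a clean copy of the same WordPress version (assumed to have been extracted to a second directory) and lists any PHP file under wp-content/uploads, where PHP should never live. The sample tree it builds is constructed for illustration only.

```shell
# Added example: triage a live WordPress tree against a clean copy.
# Report core files that differ from the clean copy (MODIFIED), files that
# exist only in the live tree (EXTRA), and PHP files under uploads (UPLOAD_PHP).
# Usage: wp_triage <live_dir> <clean_dir>
wp_triage() {
  live="$1"; clean="$2"
  {
    (cd "$live" && find wp-admin wp-includes -type f) | while IFS= read -r rel; do
      if [ ! -f "$clean/$rel" ]; then
        echo "EXTRA $rel"
      elif ! cmp -s "$live/$rel" "$clean/$rel"; then
        echo "MODIFIED $rel"
      fi
    done
    # Anything executable as PHP under uploads is suspect by definition.
    (cd "$live" && find wp-content/uploads -type f -iname '*.php*') \
      | sed 's/^/UPLOAD_PHP /'
  } | sort
}

# Constructed sample: a clean copy plus a live copy with one tampered core file,
# one dropped-in core file and one PHP file hiding in uploads.
make_sample() {
  root=$(mktemp -d)
  mkdir -p "$root/clean/wp-includes" "$root/clean/wp-admin"
  mkdir -p "$root/live/wp-includes" "$root/live/wp-admin" \
           "$root/live/wp-content/uploads/2020"
  echo '<?php // clean load.php (constructed)' > "$root/clean/wp-includes/load.php"
  echo '<?php // clean admin index (constructed)' > "$root/clean/wp-admin/index.php"
  cp "$root/clean/wp-admin/index.php" "$root/live/wp-admin/index.php"
  echo '<?php // tampered load.php (constructed)' > "$root/live/wp-includes/load.php"
  echo '<?php // file not in clean copy (constructed)' > "$root/live/wp-includes/cache-helper.php"
  echo '<?php // PHP hiding in uploads (constructed)' > "$root/live/wp-content/uploads/2020/image.php"
  echo "$root"
}

# Stand-alone run against the constructed sample.
root=$(make_sample)
wp_triage "$root/live" "$root/clean"
rm -rf "$root"
```

Review the MODIFIED and EXTRA entries before reinstalling; on hosts that provide WP-CLI, `wp core verify-checksums` performs the same core comparison against the checksums published by WordPress.org.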

What If Google is Still Flagging My Site?

The best way to proceed is to link your site to Google Webmaster Tools through the Search Console there.  There is a form you can fill out there to request a rescan and reevaluation of your site.  In my experience they get to it within a few days, but a word of warning: They don’t always approve it the first time, and you have to go through all of the above again.

If you’re running one or more WordPress sites, save yourself a lot of trouble and think about switching to a managed WordPress host like Lightning Base. If you need help with that, or any of the steps described above, get in touch. We deal with this stuff all the time!

Michael Kaulkin
Michael Kaulkin has been building, managing and maintaining web sites since 1998, with a focus on WordPress since 2005. He founded Oakland, California-based Cantus Firmus LLC in 2010 to provide WordPress web development and consulting services to businesses and non-profits of all sizes.
