While WordPress is a relatively secure platform, it can still be hacked. In fact, out of the 11,000 hacked websites Sucuri analyzed in 2016, 75 percent of them were running WordPress.
If your WordPress site has been hacked, fear not. By following these tips you can fortify your site and kick wannabe hackers to the kerb.
And provided you act quickly, your WordPress site’s SEO traffic—and even its reputation—can recover within 24 hours.
Here’s what you need to do.
Tip #1: Kick Out the Malware
The first step towards getting your site back into Google’s top SERPs is to make sure it isn’t harbouring hidden malware – malicious code the hacker has inserted into your site. If you don’t, all your repair efforts will be wasted. Worse still, you could end up infecting the computer of anyone who visits your website.
And while you’re at it, get rid of any spam, installed content or other suspect material you find.
Tip #2: Add Your WordPress Site to Google Search Console
Next, make sure you’ve entered your website into the Google Search Console (GSC). It will reveal your site’s overall status, and help you understand which URLs on your site are being affected by the hack. You can even use it to take down your site’s blacklisting.
Of course, you should already have GSC set up for your site as it can help enormously. But it can be especially useful when your site has been hacked. For example, it can send you a warning email when the message “This site may harm your computer” appears in Google’s search results — a sure sign your site has been hacked. Just make sure the email address it gets sent to is one you monitor regularly.
You’ll need to go through a submission process to assure Google your site has been fixed and you’ve removed all malicious code. They will then remove the message from their search results.
Tip #3: Request a Malware Review
Google can review your WordPress site for malware and unwanted software. It’s a simple process, and it’s definitely effective. Navigate to the Google Search Console “Security Issues” report and request a review.
Tip #4: Download These Plugins
Once you’ve started recovering your website’s rankings, you should download a couple of plugins that are conducive to long-term security. Check out:
These plugins can secure your website from all angles, and give you complete control over unwanted visitors, admin permissions and keyword tampering.
However, try to minimize the number of plugins on your site. The fewer you have, the less chance there is of your site’s security being compromised.
Another option is to use a combination of Cloudflare (which hides your site’s actual IP address, making it harder for hackers to find) and a secure host such as WP Engine.
The post-hacking pick-up process is a long one. But it’s not impossible to overcome.
Tip #5: Find Out How You Were Hacked
If you’re dealing with a WordPress website hack, you need to understand how you’re being hacked. Narrow down the options, and look for inconsistencies. Ask yourself:
Is my WordPress site being directed to another website?
Does my WordPress site have any illegitimate links?
Has Google marked my website as Insecure?
These factors all play a major role. Once you’ve answered each question, contact your hosting company. If your weak point was a plugin, remove it and protect your site from that vulnerability.
Tip #6: Clean up your Index
If your site has been infected with irrelevant pages, they can dilute your content and affect your rankings. Google may not recognise the hack, and take them into account when ranking your content. And if that content weakens your original content authority, your rankings will suffer.
These pages usually contain links that divert traffic away from your site. And it can be difficult to understand why your rankings are dropping if they’re still being indexed.
To fix the problem, you need to isolate and manually remove the URLs from your index. Fortunately, it’s easy to do. Just go to Search Console, and under the Google Index section select ‘Remove URLs’.
And once they’re gone, you’ll need to monitor any crawl errors and re-submit your site maps.
Example of a Government site that has been hacked and cached by Google.
Tip #7: Move to a Secure Host
Your blog’s first line of defence begins with strong security from a robust hosting provider. That’s why we recommend WP Engine. It has exceptional security, and won’t let you install plugins that could compromise the security of your site.
Tip #8: Protect Other Avenues of Entry
If you’re using shared hosting, your other websites may have also been affected. So talk to your provider, and see if they can identify any backdoors that may have led to your website being hacked. They may even be able to set up an additional login step that hides the real login page.
And don’t forget to change your passwords.
Tip #9: Consider Restoring your WordPress Site
Always keep backups of your WordPress site so you have the option of restoring it if necessary. If your WordPress blog is updated daily, you may have lost a lot of blog posts, comments and other content. If that’s the case, you may need to consider restoring it from a recent backup.
Even if you haven’t lost much content, it may still be worth restoring an earlier version to ensure your site isn’t harbouring unwanted content, visitors or other material.
You may also want to invest in an online security scanner, which can identify any WordPress files that have been compromised.
If you’d rather do it yourself, check these files on your WordPress site:
You should also check your uploads and wp-includes directories.
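One way to run the do-it-yourself check on the wp-includes and uploads directories, as an added example that is not from the original article: it compares wp-includes against known-good hashes and flags any executable script sitting under uploads, where only media belongs. The function names and the manifest format (relative path mapped to an MD5 digest taken from a clean copy of the same WordPress version) are assumptions, and the sample site is constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions a PHP host may execute; none belong under uploads.
EXEC_EXTS = {".php", ".phtml", ".php5", ".phar"}

def audit_site(root, known_good):
    """known_good: relative path -> MD5 hex digest from a clean copy (assumed format)."""
    root = Path(root)
    found = {"modified": [], "missing": [], "unexpected": [], "script_in_uploads": []}
    seen = set()
    for f in sorted(p for p in (root / "wp-includes").rglob("*") if p.is_file()):
        rel = f.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in known_good:
            found["unexpected"].append(rel)   # file the clean copy never shipped
        elif hashlib.md5(f.read_bytes()).hexdigest() != known_good[rel]:
            found["modified"].append(rel)     # core file whose contents changed
    found["missing"] = sorted(p for p in known_good
                              if p.startswith("wp-includes/") and p not in seen)
    for f in sorted((root / "wp-content" / "uploads").rglob("*")):
        if f.is_file() and f.suffix.lower() in EXEC_EXTS:
            found["script_in_uploads"].append(f.relative_to(root).as_posix())
    return found

def build_demo_site(root):
    """Constructed sample tree (not real WordPress files); returns its clean manifest."""
    root = Path(root)
    clean = {"wp-includes/version.php": b"<?php // version\n",
             "wp-includes/functions.php": b"<?php // core functions\n",
             "wp-includes/load.php": b"<?php // loader\n"}
    for rel, data in clean.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    manifest = {rel: hashlib.md5(data).hexdigest() for rel, data in clean.items()}
    # Simulate what an incident leaves behind: altered, deleted and added files.
    (root / "wp-includes/functions.php").write_bytes(b"<?php // altered\n")
    (root / "wp-includes/load.php").unlink()
    (root / "wp-includes/wp-tmp.php").write_bytes(b"<?php // not in manifest\n")
    uploads = root / "wp-content/uploads/2017/05"
    uploads.mkdir(parents=True)
    (uploads / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    (uploads / "thumb.PHP").write_bytes(b"<?php // script where only media belongs\n")
    return manifest

def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        return audit_site(tmp, build_demo_site(tmp))
```

Against a real site, call audit_site with the site root and a manifest built from a fresh download of the same WordPress version; anything it reports is a candidate for replacement from that clean copy.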
Replace any compromised files, and if necessary reinstall the WordPress core files. But be careful. And stay up to date with WordPress’ new features, updates, bug fixes and news.
Chances are you’ve put a lot of work into both the design and the content of your website. So make sure you protect it by following these tips.
But always remember that if the worst comes to worst and your site is hacked, it’s not the end of the world. And with a bit of hard work you can recover your site and your Google rankings.