WordPress is the most popular Content Management System in the world, and a significant percentage of the sites on the Internet use it. That popularity is well-deserved, but it also makes WordPress an irresistible target for hackers who want to spread malware.
How to Tell if Your Site’s been Hacked
Sometimes it is obvious that your site has been hacked. Occasionally hackers will simply redirect the site to a different server, so that visitors to your domain end up at a site infected by malware, a site displaying advertising the hacker can profit from, or a porn site. But often hackers add malware or spam links to a site which they want to remain undetected for as long as possible. Having a hacked site can infect your visitors with malware, and it will almost certainly result in a huge hit to your SERP rankings, or even blocking by search engines, so it’s important to be vigilant. There are a number of tools available to webmasters to determine whether a site is vulnerable and whether it has been hacked.
The WP Security Scan extension won’t tell you whether your site has been hacked, but it will check for possible attack vectors and vulnerabilities, and offer suggestions for fixes. Of course, often the vulnerabilities will not be in WordPress itself, but in some other part of the software stack. The best way to ensure that there are no known exploits that hackers can use is to keep your software as up-to-date as possible.
Google’s Safe Browsing Diagnostic
Google has a service that enables webmasters to see whether they consider a site to be dangerous to visit. Copy the following URL into your browser address bar and replace the part following ‘?site=’ with your site’s URL.
Sucuri offers a free site scanning service that will catch major problems, and a paid for monitoring and cleanup service that can help if you are hacked.
Using these tools together can help you ensure that your site remains safe.
What Should You do If You’ve Been Hacked
Unless you are an experienced and expert developer or website administrator, cleaning a site with any level of confidence by yourself is almost impossible. Even if you think you have found all the malicious files and removed all the spam links, the files that make up WordPress itself may have been altered so that they reinfect a site after an attempted cleanup.
Contact your hosting provider and let them know you’ve been hacked. You might not be the only victim and the host provider’s sysadmins may already be taking action.
Securi, as mentioned above is an excellent tool, and it will attempt to auto-clean your WordPress installation. Should you choose not to use Securi, or hire a professional to clean your site, then the next best option is to delete the site and restore it from backups.
Hopefully, your site is hosted with a provider that offers a comprehensive backup service, in which case restoring the site to a previous version should be very simple. If not, we are going to assume that you have been making regular backups of your WordPress database.
Download a fresh install file from WordPress.org, to replace any files that may have been altered during the attack. Do not use the same passwords on the new install as you used on the hacked site.
After you have installed a fresh version of WordPress you can restore the WordPress database from a backup that you know to be clean.
Since you know that your site has been hacked once, and that there were vulnerabilities that malicious parties were able to exploit, if possible, it may be best to completely reinstall the server and restore from backups. At the least very scan the server with an anti-malware tool. If you are reasonably sure that the infection was limited to WordPress, then you should update all of your software to the most recent versions, to close vulnerabilities. If you’re using shared hosting your provider should take care of this for you.
If you haven’t been taking database backups, it may be possible that the WordPress database has not been breached, and that a fresh install of WordPress using the existing database is enough, but in that case be extra vigilant of alterations, follow the rest of the above advice, and start taking regular backups!
About Daniel Page — Daniel is the Director of Business Developement for ASEOhosting, a leading provider in SEO hosting and multiple IP hosting. Follow ASEOhosting on Twitter at @aseohosting.
I’ve been coding with WordPress for a long time now. All the way back to when there was a my-hacks.php file. Shortly thereafter WordPress introduced plugins and widgets. Over all these years I find myself going back to a few key WordPress concepts that make blogs really functional.
- Popularity of Posts – The plugin I use, and hack often, is Alex King’s popularity plugin. If you download it from wordpress.org, it works great, but if you really want to make some cool features, you are going to have to hack it.The popularity plugin displays the most popular posts based on time frame, or category in a list (<li>)by default. I’ve hacked it to get the the raw posts, so I can do my own formatting. You can see an example in my “hot list”.
- Related Content – Notice how I didn’t say related posts. Finding related content goes much deeper then posts or pages.Related content is a must to build loyal readers (repeat visitors). You have to guide your readers and help them find content THEY are interested in. Remember, most people will find your content from Google, so feed them some related content and grow your user base. Related posts are easy to get, you simple have to a fulltext index to your database. You can then match terms to keywords.
- Categories – WordPress is nothing more then a way to organize your content, hence the term CMS (Content Management System). 80% of my traffic from Google comes from a relation to WordPress categories. Either trying to display top level categories without children, or trying to build a top menu/submenu navigation menu.Working with categories in WordPress can be pretty frustrating. I wish there was better information. Luckily there are a lot of help from the WordPress Community.
- Images – Magazine themes are the most popular style of theme on the Internet. It’s all about the cool graphics and images to get reader to click on posts. Content sliders and featured content sections with large graphics can be a pain to manually update, which is why you need to learn how to manipulate the images from your posts.
There you have it. If you want to be a WordPress hacker and make killer websites, you gotta have a good working knowledge of those four topics. Thanks for reading my post, and as always, don’t be scared to ask me for help.
This guest post was written by Matt Dunlap who blogs about website development.
Twitter is all the rage these days and it doesn’t seem like it will be going anywhere any time soon. With that said, it often surprises me that many WordPress blog owners don’t offer a convenient way for their readers to retweet their content. Anyone can grab a Twitter WordPress plugin to tweet their new content as it is published, but what about your older content?
Rather than passing up all that potential traffic, I’ve found that offering a link somewhere within your post (optimally at the bottom of each post) is a great way to help your readers and incoming search engine traffic to promote your content for you. When people find great content they like to share it with others, so why not make it easy for them?
Not only is adding a “Tweet This!” link a great choice, but it is really easy to do. Chances are if you do a search on Google for code to use you’ll find something like the following:
<a href="http://twitter.com/home?status=Currently reading <?php the_permalink(); ?>" title="Click to send this page to Twitter!" target="_blank">Tweet This!</a>
This code works just fine, but is not the most optimal solution in my opinion. Depending on the permalink structure your WordPress blog uses, combined with the length of your domain name, it may be difficult to fit the link into a 140 character tweet. It also doesn’t leave room for the person to add their own comments to the tweet.
As a proposed solution, I recommend using some WordPress code like the following:
<a href="http://twitter.com/home?status=RT @HackWordPress <?php the_title ();?> <?php echo get_settings('home'); ?>/?p=<?php the_ID(); ?>">Tweet This</a>
This code will automatically insert the “RT” and your Twitter account name (the above example uses our Twitter account, @HackWordPress) then use the ID form of your post with the tweet. When people click the link in the tweet, they will then be redirected to the actual post using your blog’s selected permalink structure, making a convenient and typically short URL.
Have you integrated Twitter into your WordPress blog? Share your strategies in the comments!
While most sites don’t need incredibly deep page navigation there are situations that justify a hierarchy beyond the typical 2 – 3 levels. Unfortunately that can be cumbersome for top navigation drop-downs (more than 1 level of drop down is too much IMHO) so another solution needs to be found. I ran into just such a situation for a client and while I”m also not a fan of left hand navigation it was the decision of the client to utilize it in conjunction with their top navigation, and in retrospect it made sense for them. To keep things easily navigable we also implemented breadcrumbs (which is a good practice anyway).
The mission was to display sub-pages of the current page you are on in the left nav and once you hit the bottom of the hierarchy to show pages which are parallel to that page within the same branch of the hierarchy.
After some digging and experimentation I came up with the following which executes perfectly in only a few lines of code.
$children = wp_list_pages("title_li=&child_of=".$post->ID."&echo=0&depth=1");
if ($children == "")
$children = wp_list_pages("title_li=&child_of=".$post->post_parent."&echo=0&depth=1");
<?php echo $children; ?>
<?php endif; ?>
Of course you style to taste…
That’s it! Used in conjunction with a standard WordPress top-navigation and breadcrumbs you can easily display page sensitive multi-level navigation for your super-complex multi-level site!
While I was away over the weekend, it appears that a large number of bloggers who use WordPress have been hacked and a lot of damage has been done. It seems this problem has shown up for a large number of people, including some very high profile bloggers. Among them was Robert Scoble, whose blog was among those websites which were hacked. Damages on Scoble’s site included porn information being placed in old posts, 2 entire months of content being deleted, and more. Of course the porn then led to his blog being completely banned from Google! Scoble is not the only one having these problems, however, and even lesser known bloggers have been attacked. You can read more in this WordPress support forum thread.
If you are wondering what the one thing all of these WordPress sites have in common, the problem is they were all using old versions of WordPress. As someone that owns and operates well over 100 WordPress installations, I certainly understand the pain it can be to upgrade to the latest version of WordPress every time a new release happens, but I hope this goes to show why it is so important to take the time to upgrade all of your WordPress installations be using the most recent version of WordPress.