Facts & myths about securing WordPress

Written on 7 Jan 2024

There are many WordPress users, even website developers, and hosting companies who are not aware of the following:

Fact: Restoring an old backup is NOT a permanent solution for a hacked website

To many this seems like a solution, because they assume the infected files have been removed from the server. They are then surprised when the signs of the hack reappear within 1-7 days. How is that possible?

Often only the file responsible for sending spam or transmitting data is removed, while the vulnerability that let it in still exists. That vulnerability can be an outdated version of WordPress, a theme, or a plugin.

What to do

After restoring the backup, you cannot sit back; that’s when the real work begins!

  1. Update/replace all plugins
  2. Update/replace WordPress
  3. Check for theme updates
  4. Secure the website
  5. Secure the server
  6. Change database and user passwords

Fact: Updating plugins does not solve the hack

When you click “update” in your WordPress plugin area, only the plugin’s own files are overwritten (at the time of writing); the plugin folder as a whole is not replaced.

In short, files that the hack dropped into the plugin folder are not removed and stay behind.
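The check a practitioner wants after an update or restore is a comparison of the installed plugin folder against a known-clean copy of the same version, so that files the update left untouched show up. The following is an added example and not code from the original post or from WordPress itself; it builds a constructed clean copy and a constructed tampered install in a temporary directory, and the plugin name and file names are assumptions. For plugins hosted on wordpress.org, WP-CLI’s `wp plugin verify-checksums` performs the same kind of comparison against the official checksums.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_manifest(clean_dir: Path) -> dict[str, str]:
    """Hash every file of a known-clean plugin copy, keyed by relative path."""
    return {
        str(p.relative_to(clean_dir)): sha256_of(p)
        for p in clean_dir.rglob("*")
        if p.is_file()
    }


def audit_plugin_dir(installed_dir: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare an installed plugin folder with the manifest of a clean copy.

    Returns three sorted lists of relative paths:
      extra    - files on the server that the clean copy does not have
                 (exactly what a plugin update leaves untouched)
      modified - files whose contents differ from the clean copy
      missing  - files the clean copy has but the server lacks
    """
    installed = {
        str(p.relative_to(installed_dir)): sha256_of(p)
        for p in installed_dir.rglob("*")
        if p.is_file()
    }
    extra = sorted(set(installed) - set(manifest))
    missing = sorted(set(manifest) - set(installed))
    modified = sorted(
        rel for rel in set(installed) & set(manifest) if installed[rel] != manifest[rel]
    )
    return {"extra": extra, "modified": modified, "missing": missing}


def demo() -> dict[str, list[str]]:
    """Build a constructed clean copy and a constructed tampered install, then audit."""
    with tempfile.TemporaryDirectory() as tmp:
        # Assumed plugin name and layout; nothing here is a real plugin.
        clean = Path(tmp) / "clean" / "example-plugin"
        installed = Path(tmp) / "wp-content" / "plugins" / "example-plugin"
        for root in (clean, installed):
            (root / "includes").mkdir(parents=True)
            (root / "example-plugin.php").write_text("<?php // plugin bootstrap\n")
            (root / "includes" / "helpers.php").write_text("<?php // helpers\n")
        # Constructed tampering: one dropped extra file and one altered original.
        (installed / "includes" / "extra-file.php").write_text("<?php // not part of the plugin\n")
        (installed / "example-plugin.php").write_text("<?php // plugin bootstrap\n// appended line\n")
        return audit_plugin_dir(installed, build_manifest(clean))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Running the script reports the dropped file under `extra` and the altered bootstrap under `modified`. On a real site, point `build_manifest` at a freshly downloaded copy of the exact plugin version and `audit_plugin_dir` at the folder under `wp-content/plugins`; anything in `extra` is precisely what an ordinary plugin update would have left in place.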

Myth: Once secured, always secured

If only that were true. No matter how well you secure the website now, the plugins you use are constantly probed by many hackers for exploitable bugs. If they find a vulnerability that bypasses WordPress’s own checks, no security measure can stop them, simply because a plugin runs with the same rights as WordPress itself and may write files to the folders it is meant to use.

Myth: There is a known or hired hacker personally targeting my site

No, in 99% of cases no one is specifically targeting your website, unless you are Porsche, Nike, or royalty.

The attacks come from automated programs that try thousands of WordPress sites and get into those that are not properly secured or not up to date.

So, why was my WordPress website hacked?

Someone wrote a script a while ago that searches for WordPress websites and plants advertisements through known vulnerabilities.

Fact: A hacker can manipulate the website regardless of server security measures

The hacker doesn’t need to upload or modify files on the server to hack the website.

Even if your entire server is locked down so that every file is read-only…

The hacker can send commands to the existing files through vulnerable forms (XSS) or the address bar of your website. That way they can add data to the database, leaving your site open or inserting unwanted texts & links into your pages.
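Because the database is reachable through the application even when the file system is read-only, the database itself has to be part of any post-incident check. Below is an added example that is not part of the original post; it audits a constructed, in-memory copy of the two tables this kind of tampering usually lands in, `wp_options` and `wp_posts`, using sqlite3 so it runs offline. The sample rows, the expected site URL and the expected plugin list are all assumptions; against a real site the same queries run on the MySQL database.

```python
import re
import sqlite3

# Constructed sample rows. Post 2 carries a hidden spam link and post 3 an
# injected script tag; the options rows are clean.
SAMPLE_OPTIONS = [
    ("siteurl", "https://example.com"),
    ("home", "https://example.com"),
    ("active_plugins", 'a:1:{i:0;s:33:"example-plugin/example-plugin.php";}'),
]
SAMPLE_POSTS = [
    (1, "Welcome", "<p>Hello world, this is a normal post.</p>"),
    (2, "About", '<p>About us.</p><div style="display:none"><a href="https://spam.example">cheap pills</a></div>'),
    (3, "Contact", '<p>Call us.</p><script src="https://cdn.example/x.js"></script>'),
]

# Assumed known-good values for this site.
EXPECTED_HOME = "https://example.com"
EXPECTED_PLUGINS = {"example-plugin/example-plugin.php"}

# Content patterns that do not belong in an ordinary post body.
INJECTION_PATTERNS = {
    "script tag": re.compile(r"<script\b", re.I),
    "iframe tag": re.compile(r"<iframe\b", re.I),
    "hidden link": re.compile(r"display\s*:\s*none[^>]*>\s*<a\b", re.I),
}


def load_sample_db() -> sqlite3.Connection:
    """Create the constructed tables in memory, mirroring the WordPress columns used here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_options (option_name TEXT PRIMARY KEY, option_value TEXT)")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT)")
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)", SAMPLE_OPTIONS)
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", SAMPLE_POSTS)
    return conn


def active_plugins(serialized: str) -> set[str]:
    """Pull the plugin paths out of WordPress's PHP-serialized active_plugins array."""
    return set(re.findall(r's:\d+:"([^"]+)"', serialized))


def audit_database(conn, expected_home, expected_plugins) -> list[tuple[str, str, str]]:
    """Return (table, key, reason) for every row that looks tampered with."""
    findings = []
    options = dict(conn.execute("SELECT option_name, option_value FROM wp_options"))
    # A changed siteurl/home is a common way to redirect the whole site.
    for name in ("siteurl", "home"):
        if options.get(name) != expected_home:
            findings.append(("wp_options", name, f"points to {options.get(name)!r}"))
    # A plugin activated through the database that nobody installed on purpose.
    unexpected = active_plugins(options.get("active_plugins", "")) - set(expected_plugins)
    for plugin in sorted(unexpected):
        findings.append(("wp_options", "active_plugins", f"unexpected plugin {plugin}"))
    # Unwanted texts, links and scripts written into post content.
    for post_id, title, content in conn.execute("SELECT ID, post_title, post_content FROM wp_posts"):
        for label, pattern in INJECTION_PATTERNS.items():
            if pattern.search(content):
                findings.append(("wp_posts", str(post_id), f"{label} in '{title}'"))
    return findings


if __name__ == "__main__":
    for table, key, reason in audit_database(load_sample_db(), EXPECTED_HOME, EXPECTED_PLUGINS):
        print(f"{table}[{key}]: {reason}")
```

The patterns are deliberately narrow so the output stays readable; widen them to the spam you actually see in `wp_posts`, and extend the options check to `template`, `stylesheet` and anything else the site depends on.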

Myth: A more expensive hosting provider guarantees a safer website

You can compare it to a Ferrari dealer: no matter how well the car is built and maintained, they have no control over how you drive it and cannot prevent accidents or theft.

Myth: Paid premium plugins are safer than free plugins

We regularly come across cases where paid plugins have been hacked. These plugins are widely used and promoted on many websites, so they reach a large audience.

Also, creators of paid plugins are often just as busy as, if not busier than, hobbyists who write plugins, which means security updates may be delayed.

Myth: More registered members mean a higher risk of being hacked

Each additional member is an extra row in the database, but members with the subscriber, author, or editor role have specific rights and limitations that keep them away from plugins and settings.

Most articles are written by Mathieu Scholtes, the owner of WPBeveiligen. Want to stay up to date with the latest WordPress news? WordPress tips? WordPress offers?
Then connect on LinkedIn!

Do you have a question? A tip or a thought? Share it!
