How to Fix WordPress Problems and Get Your Site Back Online
Disclosure: Your support helps keep the site running! We earn a referral fee for some of the services we recommend on this page. Learn more
WordPress powers more of the internet than any other content management system (CMS).
Since it’s initial release in 2003, it has grown from a simple blogging application into a flexible platform that can used to create a content-rich website that incorporates a many different types of content and interactions.
In this guide we’ve pulled together the best tips and tutorials for intermediate and advanced WordPress users. We aren’t going to cover the basics like installing WordPress, selecting a theme, and the like. Instead, we’ve pulled the best resources we could find to help you with:
- Chapter 1: Site and Server Configuration
- Chapter 2: Moving with WordPress
- Chapter 3: Remove Hidden WordPress Theme Links
- Chapter 4: Fixing a Broken WordPress Site
- Chapter 5: Fixing a Hacked WordPress Site
- Chapter 6: Secure Your WordPress Site
- Chapter 7: Further Reading.
As one of the most popular pieces of software on the web, there are a lot of resources to choose from, but we’ve curated this list to represent only the best tutorials, guides, and articles.
If you’re trying to fix a specific issue, then you should just head straight to that section. But if you don’t have a fire to put out right now, we invite you to take your time and check out all of the resources we’ve pulled together.
Whether you’re a beginner or an experienced developer, you’re sure to find something you didn’t even know you were looking for.
Site and Server Configuration
These guides, tutorials, and articles cover topics that will help you optimize your WordPress site for best performance, and customize it specifically for your situation.
These aren’t beginner’s guides. These are intended for intermediate to advanced WordPress users and admins who want to move their WordPress site to the front of the pack.
Speed Up WordPress and Boost Performance
You have WordPress installed and you’re ready to start building your site. Not so fast. Before you go any further now is a great time to optimize your WordPress installation for speed and performance.
The tricks you’ll find in these articles aren’t being implemented by most WordPress websites. So if you do take the time to optimize your site, you’ll find you have a better performing website than most of the competition.
- Smashing Magazine: How To Speed Up Your WordPress Website
- InMotion Hosting: How to Optimize WordPress
The WordPress Codex also contains some great information to help optimize your site to better accommodate a rapidly growing audience.
How to Install WordPress Locally
The vast majority of web developers will agree: do your serious development work locally, and then push the completed work to the web server.
So how do you install WordPress locally? Well, first you’ll need to get a web server running on a local machine. Then you’ll need to install WordPress in a directory that the local web server recognizes.
We located resources that will help walk you through the process of installing WordPress on a Windows PC, Mac, and even on a USB thumb drive. So take your pick.
- WPMU DEV Blog: How to Install WordPress Locally for PC/Windows with XAMPP
- WordPress Codex: Installing WordPress Locally on Your Mac With MAMP
- iThemes: How to Install a WordPress Staging Site on a USB Drive
Update WordPress Manually
WordPress can be updated automatically using the built-in updater in the Admin Dashboard. However, if you ever find yourself in a situation where you need to update WordPress manually, it’s an available option.
It should go without saying that before you undertake this process you should create a complete backup of your website including all files and directories on the server as well as your database. With that complete backup in hand check out these resources that will walk you through the manual update process.
How to do A/B Split Testing
If you’re considering a few different page layouts, and want to test how visitors respond to each, A/B Split Testing can help you determine which page will give you the best results.
By feeding the different page designs to different visitors, and keeping score of what each visitor does, you can determine which design your visitors respond most to most positively.
You can set up A/B testing by implementing Google Analytics in your WordPress website. For full details and step-by-step instructions on how to conduct A/B Split Testing using WordPress and Google Analytics check out this tutorial.
- Stu Miller Blog: Simple A/B testing in WordPress with Google Analytics site experiments
Redirect Your 404 Page to Home
The dreaded 404 page. No one ever wants to see this page. The only way to do that is to eliminate all links that don’t point to a valid location.
In the real world, you will probably never completely eliminate a visitor landing on a 404 page when they access the website in ways you didn’t anticipate. So what can you do?
Well, for starters you can design your 404 page to be as friendly as possible. If you want to take it a step further, consider using .htaccess to redirect a visitor who lands at the 404 page back to the homepage. If you want to give this a try check out this guide.
Create a Simpler Login URL
If you’re building WordPress-powered websites for clients who aren’t familiar with WordPress you might consider giving them a logon address that’s easier to remember than /wp-admin or /wp-login.php. Thankfully, it’s actually pretty easy to change the login page URL.
You could use one of the free plugins available from WordPress.org that have been created for this purpose, or you could do it with a code hack. We found an article that will show how to do it by adding just one line of code to .htaccess.
As we mentioned, you can also change your login URL with a plugin. One popular plugin that does that, and a heck of a lot more, is Better WP Security. This guide will walk you through setting up this plugin and customizing your login URL.
Moving with WordPress
Whether you want to move a local WordPress website to a web server, convert a Tumblr blog to WordPress, or migrate an existing WordPress website from one host to another there’s a guide for that, and we’ve found it. If you have a situation that calls for moving to WordPress, read on.
Move From Anywhere to WordPress
This article is long, detailed, and covers the steps necessary to transition any website from another platform to WordPress. Also, it’s from WPMU DEV, so you already know it’s going to be great.
The WordPress Codex also provides basic instructions on importing content from a wide variety of platforms to WordPress and is worth checking out.
Move From WordPress.com to WordPress.org
WordPress.com is a great free way to learn the ropes of using WordPress. However, if you ever want to go big you’re going to have to move from the confines of a hosted WordPress.com blog to a full-blown self-hosted WordPress website on your own domain.
Thankfully, migrating from WordPress.com to WordPress.org is pretty straightforward, and there are lots of useful resources to ease the transition. Check out the links below for two of the best guides to help you ramp up quickly.
- WordPress.com Tools: Moving to a Self-Hosted WordPress Site
- Bluehost Web Hosting Help: Migrating an Existing WordPres.com Blog
Move WordPress to a New Server
Sometimes it’s just time to move on. If that’s the way you feel about your hosting provider, and you’ve already picked your new hosting partner, it’s possible to move your site to your new hosting account without having to rebuild your site.
The WordPress Codex has a helpful tutorial to guide you through this process.
Move Between a Web Server and a Local Server
Most developers agree: you should do your development heavy-lifting in a local environment, and then push updates to the web server once they’re ready for public consumption.
However, if you’ve never moved files, directories, and database tables from a local environment to a web server and then back again it can be a little daunting. We found guides that will walk you through the process using either a plugin or the old-fashioned manual method.
- WPMU DEV Blog: The Quick and Easy Guide to Migrating a Local WordPress Installation to a Live Site
- Smashing Magazine: Uploading A WordPress Website From A Local To A Remote Installation
Move to a New Domain Without Hurting SEO
If you’ve decided to move your website to a new domain it’s important to think through any SEO impacts.
While any move to a new domain will hurt SEO rankings in the short term, you can avoid long term damage, and minimize the length of the short term damage, by implementing the proper redirects and notifying search engines appropriately.
If you’re ready to make the move, this guide is for you.
Move From Joomla to WordPress
Joomla! is another popular content management system that lots of developers love. There are even many flexible developers who will use either Joomla! or WordPress (or another CMS such as Drupal) depending on the specific requirements of a given project.
Other than post a 140-character #rant to Twitter, what should you do when you start a project with Joomla! and then later decide it’s really better suited to WordPress? Move it.
There is a plugin available specifically for this purpose and we found a guide that will walk you through the migration process.
Move From Blogger to WordPress
Blogger is another free blog platform that many WordPress users get started with. However, when it’s time to get serious about your blogging career, a Blogger site just isn’t going to cut it. If you want to switch from Blogger to a self-hosted WordPress site it can be done.
Importing data from Blogger is the easy part. In addition, you’ll want to be sure properly set-up permalinks, set-up redirects from your old Blogger site to your new WordPress site, redirect Blogger feeds to your new WordPress site, and lastly make sure you bring all of your media files with you.
If you think you could use some help with the process let this tutorial be your guide.
Move From Tumblr to WordPress
If you’re blogging on Tumblr and you want to switch to your own self-hosted WordPress site the built-in Import function can help. Importing your posts from Tumblr, and pointing your old Tumblr blog toward your new domain can be a little tricky.
Thankfully this tutorial will walk you through the process. If your run into trouble read through the comments below the article, quite a few relevant questions have been asked and answered.
Remove Hidden WordPress Theme Links
The popularity WordPress enjoys makes it a tempting target for hackers and other ne’er-do-wells of the Internet. WordPress themes from unreliable or untested sources can contain hidden links and malicious code.
These nasty surprises can be built right into the theme, or added to your site by hackers who “inject” them with fake media files (eg, image files concealing malicious code), modifications to your .php files, and other dirty tricks.
These links are almost always invisible to both you and the visitors to your site. They can be hidden using CSS, disguised in code, or camouflaged with text the same color as the page background.
The damage can be large. These links can redirect your visitors to inappropriate sites, run malicious code, or even gather and send protected info (like your customer’s online activity or financial information)to hackers.
Whatever their source, these links are definitely bad news. Hidden links and malicious code can:
- Grind your site to a halt. Whether they’re designed to pull traffic elsewhere, simply redirect your users, or execute bad code, hidden links consume bandwidth and other resources. This can slow down or even crash your site – and every minute your site is down or compromised is a minute you’re losing credibility and customers.
- Hurt your marketing, destroy your credibility, and knock your site down in search engine results. Hidden links can get you in deep trouble with Google AdSense, as Google forbids the use of any hidden content on sites that use AdSense.If you’ve got a bunch of hidden backlinks, Google can shut down your AdSense account altogether. And since almost all hidden links lead to spam-laden or malicious sites, your ranking on search engines like Google and Yahoo! can take a serious hit when they crawl your site.
- Take your visitors on unwanted journeys. Hidden links can redirect visitors to your site to sites full of malware, “scareware” sites (i.e., malware that claims the viewer’s computer is infected and must be “scanned”), and other intentionally harmful sites.
- Give hackers control of your site and access to sensitive info. Using hidden links and other malicious code, hackers can take control of your entire site, install malware, or even steal account histories, financial information, and more.
Identifying and Removing Suspicious Content
If you’re using a free theme from a site other than WordPress.org, or believe your existing theme might contain hidden links, it’s critical that you give your whole theme (and all your site files) a once-over.
- Make a backup of your site and all your content. The most important step is to preserve your information and content. If something goes wrong during the repair process, you’ll be able to restore your content (if not your theme files) using your backup.
- Search your code manually. If you’re comfortable with code and know how to identify suspicious content, a few passes through your site files is a good way to start the process. Keep an eye out for links to unrelated sites and content, suspicious media files (including any you didn’t add yourself), and .php, database, and .htaccess files that are not associated with your theme’s original files.A direct comparison between the original theme files and the versions on your system can help you quickly identify bad files. Download a fresh copy of the theme from the provider, then download your site files. Compare each file side by side, using a text editor.
If you find links and code that don’t match, or if your site contains suspicious files not present in the original theme, you may have been hacked.
Remember, though, that some free themes come with these hidden links already embedded, so it pays to check out anything that’s out of the ordinary.
When you check your .php files, be sure to pay extra-close attention to the header and footer of the files, as many times hidden links are embedded in these locations (and may even be labeled as “DO NOT REMOVE” by the enterprising hacker).
If you do a line-by-line search, start with your index.php file. Pay special attention to unfamiliar .php files; you may also find bad code in legitimate .php files like sidebar.php. Carefully note the location of each suspicious item.
- Use WordPress-approved tools. If you’re not comfortable with manually searching your code on your own, several plug-ins and utilities are available to help you track down unwanted links and code.One of the most popular is Exploit Scanner, a free WordPress plug-in that searches all the files on your site, including the post and comment tables of your database files, in order to ferret out hidden links and suspicious code.
It doesn’t remove anything you find (that task is left up to you), but it gives novices an edge in identifying code and links that don’t belong in a healthy WordPress site.
Another popular tool is the Theme Authority Checker (TAC) plug-in. This free utility scans the source files of every theme you have installed for malicious code and static links.
You still have to remove anything it finds, but the utility makes this vastly easier by identifying the offending theme file, the specific line of code that’s suspicious, and a brief snippet to help you find it fast.
- Clean out the junk links and code. After identifying all the suspicious content, you can remove by navigating to the suspect files in your FTP application, downloading them, and then editing each one with a text editor such as WordPad or Notepad.Once they’re clean, re-upload them and test them to make sure they work. If the malicious links are infecting your databases, you can use a tool like phpMyAdmin to open and update your database files.
- Secure your site. Once you’ve removed any hidden links or malware code, be sure to tighten up the security on your site to help reduce and prevent future problems.
- Keep your WordPress install up-to-date. Outdated WordPress installs are an electronic welcome mat to hackers.
- Delete any unnecessary files (databases, media files, .php files, etc.) to reduce the chance hackers will use them to infiltrate your site.
- Adjust your file access permissions to the highest level that still allows for normal site function, and delete any unneeded administrator accounts.
- Password-protect all your folders and databases containing sensitive information. For most WordPress themes, only the /uploads folder is editable by users; if you don’t intend to allow users to submit images or other content, secure this folder as well.
- Use strong passwords, and change all your passwords -hosting account, FTP, WordPress admin, and user – regularly.
- Consider using only themes from approved WordPress providers, eg, WordPress.org.
NOTE: While scanning tools are incredibly helpful in identifying suspect code and links, always make sure you have a back-up of your site. and only remove code from your site that you’re absolutely sure doesn’t need to be there.
It’s clearly important to remove malicious code from your site, but remember that removing essential code can damage or even break your site completely.
If you’re unsure about a change to one of your files, seek help from your hosting provider, the WordPress community, or an experienced WordPress developer before deleting something forever.
Themes are an incredibly useful and powerful way to create a successful website, but they can also open you up to attack. Use only reputable and safe theme files, keep your WordPress install up to date, and make sure all your content is secure and password-protected.
Doing so can help you keep your website running smoothly on the inside and hackers – and their nasty surprises – on the outside.
Fixing a Broken WordPress Site
Fix Maintenance Mode Message After Updating
When WordPress updates, a maintenance files is created and displayed for visitors who happen to land on your site during the few seconds WordPress is in the process of updating.
If something goes wrong it’s possible for this message to stick around rather than being deleted as it should have been. If this happens to you, fixing it is pretty simple,and the WordPress Codex can tell you how.
Fix Posts Returning 404 Error
One of the main reasons for using a CMS like WordPress is that it automatically organizes your content, adds new links, and creates customizable URLs or permalinks for every piece of content.
One of the bad things about a CMS like WordPress is that if something goes haywire in your permalink naming protocol virtually every page of your website could become inaccessible.
Finding and fixing a permalink error in WordPress can be confusing and frustrating if you don’t understand how permalinks work or if you’ve never faced the issue before. If you find yourself seeing the dreaded 404 error page when you try to view posts and pages check out this tutorial.
Fix a Broken Database Connection
If you ever have reason to tinker with your website’s database settings, you might see a message the next time you visit your site telling you that there has been an error establishing a database connection.
If you haven’t dealt with database errors before it can a bit jarring to realize how quickly all of your content can be “lost”.
The good news is that if the issue is just a broken database connection, you actually haven’t lost anything at all, just lost track of it.
To fix the connection and find your data try out one of these guides. They will walk you through the process of identifying the issue and reestablishing a database connection.
- InMotion Hosting: “Error Establishing a Database Connection”
- WordPress Codex: Error Establishing Database Connection
- Elegant Themes: How To Fix “Error Establishing A Database Connection” In WordPress
Fix Internal Server Error
Internal server errors can be tricky to fix because a variety of configuration errors can cause an internal server error to crop up. So fixing this error begins with troubleshooting to identify the actual cause of the error.
Potential culprits include corruption of the .htaccess file, PHP memory limit issues, plugin issues, corrupted WordPress core files, or other server issues your hosting provider will need to help out with.
If you’re getting internal server error messages check out this tutorial, follow the recommended potential fixes, and if all else fails get in touch with your hosting provider.
- WordPress Codex: Internal Server Error
- InMotion Hosting: Fixing the 500 Internal Server Error with WordPress
Fix Immediate Updates
Caching issues tend to be the culprit when you have a WordPress site that isn’t updating immediately after you add new content. There are a few different potential caching entities that could be involved: your browser, a caching WordPress plugin, and any caching that a content delivery network might be doing to speed up website delivery.
Figuring out caching issues with your CDN is beyond the scope of a WordPress tutorial, and will vary depending on the CDN you’re using. However, fixing browser and plugin issues that delay website updates is something a WordPress Codex tutorial can help with.
Fix Fatal Error
If you’re hosting your WordPress site on a shared server, as is the case for the vast majority of WordPress sites, then at some point you’re going to run into certain limitations your hosting provider has put in place to protect against abuse of server resources by shared hosting customers.
One of those potential limitations is maximum PHP execution time. Thankfully, you can increase the allowable execution time either manually using .htaccess, or with a plugin.
Fix Email Issues
There are a couple of reasons you might be sending emails from your WordPress site. Maybe you have a contact form that emails submissions to your email address. Or maybe you’re using WordPress to send emails to blog subscribers.
In any event, if you’re having trouble with emails not sending as they should you should check out this tutorial to troubleshoot the issue and find a fix.
Fix a Recurring Logout Issues
If you’ve ever found yourself in the frustrating position of being unable to log into WordPress you know that it can be a very frustrating issue.
The problem is that there are many potential causes of login issues, and the issue is compounded by the fact that you probably can’t login to your Admin account to troubleshoot the issue.
So what do you do in a situation where you can’t login to the Admin area at all? How do you fix the settings in that instance? Just follow the steps in this tutorial.
Unlock the Admin Area if You Get Locked Out
One of the most frustrating situations you can encounter is the inability to even access the WordPress admin login page. How can you fix configuration issues when you can’t even login?
The answer is: you find and fix the issues manually using your hosting account control panel or FTP software. There are a variety of reasons that you might not be able to reach your Admin login area, and if that’s where you find yourself check out this helpful guide.
Fix Too Many Redirects Issue
If you inadvertently create a situation where two pages are redirecting back and forth between each other you’ll see an error message telling you the browser is caught in a redirect loop.
There are a couple of potential causes of a redirect loop. To troubleshoot the issue and fix the problem check out these guides.
Fix the Image Upload Issue
If you aren’t able to upload media files it’s probably a case of incorrect permissions. This is an unusual problem to face, and tends to crop up on shared servers with potentially incorrect configuration settings.
If you do have this problem the fix is to adjust directory permissions to the correct settings.
You will also want to think through how the problem occurred in the first place which may call for changing all of your WordPress website and hosting account passwords, and potentially consider a new web host. For help fixing file permission issues check out this tutorial.
Fix the White Screen of Death
The white screen of death is just that: a white screen where your website should be.
This issue is one of the more challenging issues to fix since it can be caused by a variety of technical issues – most having to do with PHP memory limits and database issues. To get your site back on track check out these resources.
- WordPress Codex: The White Screen of Death
- Bluehost Web Hosting Help: WordPress White Screen of Death
Fixing a Hacked WordPress Site
The WordPress content management system (CMS) has become one of the preferred methods for creating websites, particularly for those who want to create a site without needing to learn coding.
WordPress is loved by fans around the world for its versatility and flexible customization options. But that same popularity has also made WordPress installations increasingly attractive targets for hackers looking to cause mischief and mayhem.
If your site is hacked, your customer data is in danger, and content can be vandalized or even destroyed. And every second your site is down costs you time, customers, and credibility.
Whether you’re a seasoned webmaster or a WordPress neophyte, tackling a hacked site — and taking steps to help prevent future attacks — is critical to protecting your site and your business.
How WordPress Sites Get Hacked
While the main WordPress application is relatively resistant to hacking efforts, it’s important that it be kept up to date. Having an out of date WordPress installation is the number one vulnerability to hacking attacks.
The same plug-ins, themes, and other add-ons that make WordPress so flexible and powerful also leave it open to attack. Themes and extensions are both vulnerable to a variety of attacks.
- Backdoor Attacks: Hackers can take advantage of poorly-coded themes and plugins, or an out-of-date WordPress installation, to gain access to your site. Backdoors are a serious threat to your site, because a hacker with access to the administration area of your site can not only damage your site, but push malicious code to your visitors.
- Redirect Attacks: In a redirect attack, the hacker forcibly re-routes traffic from your site to a malicious one. Malicious sites can be full of questionable content, steal personal info, or install malware or viruses on visitors’ systems.Redirects are related to backdoor attacks in that many hackers will use custom software to scan WordPress sites for vulnerabilities, gains access, and sets up the redirect.
- Script Injections: This hack takes advantage of vulnerabilities in your site’s code that allow forms (eg, the WordPress login form) to pull information directly from their associated database(s).Once installed, they often attempt to install software on a visitor’s own machine by spoofing or pretending to be a legitimate application. One of the most common schemes is a pop-up that says the user’s machine is infected and must be “scanned.”
Take an in-depth look at how hackers infiltrate WordPress sites:
Repairing A Hacked WordPress Site
Regardless of how your site has been compromised, once you discover the hack, your most important goals are to repair your site, remove the damage, and to prevent it from happening again.
Fixing the Hack
The first thing you should do is take down your site for repairs. If you’re not familiar with the WordPress backend, be sure to consult your hosting provider for specific instructions on restoring your site on their systems.
In order to take your site offline but retain access to your content, you’ll need to access and change the passwords you (and WordPress) use to access your database files. These files store all your content (but not your media, themes, or plug-ins).
You can generally access these passwords through your hosting control panel. Take careful note of the specific information (your username, password, database name, host, and table prefix).
All of this information is necessary to connect your database to your new WordPress installation.
NOTE: you’ll also need to update your wp-config.php file to reflect your password changes. If you’re not comfortable editing PHP files, contact your host, a WordPress developer, or WordPress itself for assistance.
Now it’s time to take down the site itself. This is most easily accomplished by renaming the directory where you’ve installed WordPress to something like “yoursite.old” (ask your host or IT staff for assistance if you’re not familiar with this process or comfortable doing so).
Create a new folder with the same name as the folder you just renamed (eg, “yoursite”).
Your site is now offline, and the old WordPress installation is isolated. This is a critical step because if you leave the site up, another hacking attack could infiltrate your site through the same or even a different vulnerable point.
It’s also important to make sure the hack is limited to your site, and not the entire Web server. A repaired site on an infected server is a tempting target for future attacks. Be sure to speak with your hosting provider to get any and all information about potential hacks.
NOTE: this is most relevant if you have a shared hosting plan, since other sites likely share the same server and may be the source of the infection.
Most Virtual Private Server (VPS) hosting accounts run in their own memory space, and dedicated hosting plans give you full control over your Web server, but it’s still wise to scan both your site and the server.
Once you’re ready to clean up your site:
- Let customers, employees, and anyone else with access to the site know about the hacking, and keep them posted with your progress during repairs. Putting up a plain text, placeholder homepage explaining your site is down for repairs will minimize confusion and let your visitors know you’re on top of the situation.
- Using FTP or a logging application, retrieve your site and server logs for info on how the hackers accessed your WordPress installation (if you don’t have access to your entire server’s logs, contact your hosting provider for more info).
- Back up your current installation on a separate drive or backup location. You may want to examine your files later to learn more about how the hack happened.
- Scan and clean your backed-up database and other content with malware and virus scanning software.
- Uninstall all your themes and plug-ins. These are the weak points in most WordPress installations, and you want to start with a clean slate.
- Install a fresh copy of WordPress in the new directory you created. You may need to uninstall the old version if you used your hosting provider’s one-click install application (Fantastico, Softaculous, etc.) before installing to the new directory.
- Review your existing database (which contains all your content) using PHPMyAdmin or another database management tool, keeping an eye out for suspicious code, eg, super-long strings of hex code or “preg_replace(“/.*/e”. Your database is less likely to harbor malware or infections than your themes and plug-ins, but it pays to be thorough.
- Make sure your .htaccess file is intact, and make sure no other copies are present in your backup file.
- Connect your new WordPress installation with your existing database (this is how you will retrieve your content). Your hosting provider can walk you through this process, depending on whether or not your database was salvageable and where it is located on your Web server. You may need to upload it from your backup (once it’s passed muster and is known to be clean of infection).
- Set up a new administrator account, set it to inherit all permissions from the current administrator account, and then delete the current account.
- Adjust access permissions on your files and folders to the highest level that still permits normal site use by visitors.
- Log into WordPress with the default theme. If your content appears, and the hack is absent, congratulations — you’re ready to customize your site once more.
- Download and reinstall your theme and plug-in files directly from the Admin Dashboard in WordPress. It is extremely important that you use only fresh copies, as the old ones may have had their code altered by hackers.
- Restore any media files by uploading your backup file of the old wordpress/uploads folder (again, making sure it contains no suspicious code or content. Hackers love to put rogue files in this directory, so if you don’t have a lot of images or other media, you may be better off re-uploading them from offline sources and scrapping the /uploads directory altogether.)
- Disable any and all PHP files from executing in your /uploads folder, which is generally the only folder in most WordPress site installs that needs to be write-enabled from the browser. You can do this from your hosting control panel, and doing so will help prevent future shenanigans if hackers do place malicious code in that directory.
- Thoroughly document the incident, including all information you gathered from the logs, in order to create a reference for (and to help prevent) future incidents.
- Test your site. If your content, theme, and plug-ins are all working normally, you’re ready to go!
If you’re not comfortable tackling all or any of the restoration process yourself, many hosting providers have on-demand assistance plans. You can also hire a professional WordPress management and restoration service to get you back on your virtual feet.
Protecting Your Site from Future Hacks
WordPress is very flexible and powerful, but it can also be a very complex environment to maintain, let alone repair. By taking a few basic precautions, you can help protect your WordPress site from hacker attacks.
- Back up your data. Backing up your site can save the day when things go wrong, and bringing a hacked site back to life is infinitely easier if you don’t have to re-create lost content.Your hosting provider may offer backup services as a part of their hosting packages or as an add-on service. In addition, you’ll probably want to keep your own backups offline for extra peace of mind.
- Take advantage of managed hosting. Not every webmaster has the time to become a WordPress guru, or needs to do so. Invest in a host that specializes in WordPress management, or add a third-party WordPress management service.It might seem pricey at first, but it’s most likely a bargain compared to the costs of having your site down, your content destroyed, or your customers’ sensitive information compromised.
- Monitor your website and server. Even non-WordPress specialists generally offer monitoring tools and services in their hosting control panels.Using these tools helps you monitor site and server traffic. Many hosts also offer premium support plans and monitor traffic, track file and page changes, and keep your software and security updated.
- Keep unnecessary files and user accounts to a minimum. Hackers are masters of manipulating forgotten files or accounts for their nefarious purposes.Whether it’s testing environments, extra databases, or test accounts for users, keep things neat and delete files when they’re no longer needed.
- Tighten up your security. Set your server access to secure FTP (SFTP) or Secure Shell (SSH). Use a password generator to create strong passwords, and change them regularly. Limit administrator accounts and keep a tight reign on access permissions for all users.
Chances are, you’ve got enough on your plate just managing your site and running your business — you don’t need to add dealing with hackers to your list. When your site is compromised, every second you’re out of commission can cost you plenty.
But by taking the time to keep your WordPress files, themes and plug-ins updated, and taking advantage of the wealth of management services at your disposal, you can keep hackers at arm’s length and your attention where it belongs — on your site.
You’ve Been Hacked
When recovering a website that’s been hacked it’s a good idea to check several resources to make sure you’ve not only fully recovered your site, but also found all suspicious code and files, and put in place safeguards to prevent a recurrence.
We’ve provided our recommendations and suggestions on recovering your hacked website, but there are many other great resources out there you should also check out.
Below you’ll find two of the best general guides for recovering a hacked WordPress site that we could find.
Identify a Hacked Site
A majority of websites owners with hacked sites don’t realize their sites have been hacked. That seems crazy until you think about the fact that the most common hacks are simple redirects, backlink insertion, spamming, and other relatively low profile activity.
Simply visiting the home page might not immediately cause the hack to manifest itself since many hacked sites haven’t been hijacked to the point that the hacks are painfully obvious. So how do you know if your site has been hacked? There are tools you can use to help confirm that your site is clean, or give you the heads-up if you have a problem to address.
To find some of the best tools check out this article.
Use a Plugin
Once you’ve cleaned up a hacked site it’s a good idea to find a plugin that will scan all WordPress files for compromises you may not have caught.
One such plugin is called Wordfence. There are others on the market, and you should do some research before running this type of plugin since you’re giving it pretty advanced access to your website backend.
The following guide to using Wordfence also includes a lot of great information about manual site cleaning methods you should go through before giving a site cleanup plugin a spin.
Close the Backdoor
Smart hackers, and we hate to admit that there is such a thing, will often leave a backdoor script that will let them back into a WordPress site after you’ve cleaned up allowing them to wreak havoc all over again.
Finding the backdoor script and removing it is a critical step to completing the hack recovery process. But, how do you find the backdoor script? The script will often be disguised and named to look like it belongs, and may be buried in a completely random directory.
We found this guide to cleaning up a hacked site that includes information about closing and removing backdoors in step 3. Check out this article, and head to step 3 for details.
Take It One Step At a Time
If your website is hacked there are many different things that may have gone wrong, each calling for a different response.
Recovering a hacked website is not a “one-size-fits-all” proposition. That’s why it often makes sense to work through a site recovery process from the most likely and easily corrected scenarios to the more unlikely and challenging scenarios.
The following guides will walk you through this type of process beginning with some general housecleaning.
If general housecleaning doesn’t take care of the issue the next step is to focus on your database.
With housecleaning complete, and your database intact, it’s time to find, install, and activate plugins that will help prevent a recurrence of your security nightmare.
Secure Your WordPress Site
Once you’ve recovered a hacked website you will need no convincing of the importance of protecting your site from future compromises.
If your website is vital to your business, then it is critical to carefully and skillfully protect it from hacking and other attacks.
If you don’t have the time to harden your WordPress security, you may want to consider a website protection service such as Surcuri Security — which monitors for hacks and viruses, and can fix hacked WordPress installs, as well.
If you can’t afford 3rd party protection, there are many steps you can take to make your WordPress site more secure, and we’ve pulled together the best recommendations and tools on the web.
Three Tips to Protect Your Site
Matt Cutts heads up the web spam team at Google. So when he makes recommendations about securing your website it’s a good idea to listen to what he has to say.
This post is a little dated, but the recommendations are still a good place to start. Check out Matt’s top three recommendations for securing your WordPress website.
Top Ten Security Tactics
If you want to cover a lot of ground quickly, and get a good view of the sorts of things you can do to make your WordPress site more secure, you should look into a qualified list of recommendations for improving security.
This type of list will give you a sense of the sorts of things you should think about doing, and provide instructions for carrying them out. Here’s one solid list of strategies to get your security thinking headed in the right direction.
Protect Against Unauthorized Admin Access
One of the most important steps for securing your WordPress site is to protect the login page. There are several ways to do this, and you should consider them all before deciding on a course of action.
We’ve pulled together several resources that walk through different ways to better protect your login screen.
The first option on the list is to use a plugin to limit the number of times someone can attempt to login to your site. Implementing this plugin will pretty effectively block all brute force attack attempts to decipher your admin password.
Another step that can be taken in conjunction with many other strategies is to password protect your login screen either through your hosting account control panel, or by using the .htaccess method.
If you really want to earn bonus points for securing your WordPress login page you can implement a two-step login procedure that incorporates Google’s Authenticator. In order to do this, you’re going to tie login to an authentication procedure on your smartphone.
The end result will be that anyone who tries to log-in to your site will have to get by two forms of authentication, one of which must be completed on your phone. As a result, unless someone steals your phone prior to attempting to hack your site, getting past both of these authentication steps will be near impossible.
If you have a static IP address you can also limit WordPress login privileges to your specific IP address. This is a very effective way of drastically limiting access to your login page but requires that you have a static IP address – and if you aren’t sure, it’s pretty unlikely you have one.
If you want a comprehensive list of tips and tricks for locking down your WordPress login screen check out this article. It covers everything we’ve talked about so far and adds a few more options to think about.
Principle of Least Privilege
This resource isn’t WordPress-specific, but is something you should read and allow to form the way you think of security. The principle of least privilege is a guideline security professionals use when determining the level of access to assign to users, files, directories, and applications.
In short, the principle of least privilege is that users, files, and directories should operate under the most restrictive privileges that don’t significantly impede their ability to function as required.
In other words, users should only have access to the parts of your site they are supposed to have access to, and once they don’t need that access anymore their profiles should be deleted.
By the same token, files and directories should have the most restrictive permissions possible that don’t prevent your site from working correctly.
So read up on the principle of least privilege and keep it in mind every time you’re dealing with a question of privileges, and be careful to implement this best practice.
Who better to learn from than the developer? If you want an extensive and in-depth technical guide to hardening every portion of your WordPress installation then check out this guide from the WordPress Codex. This guide isn’t for the faint of heart, or those looking for a quick fix.
It’s an in depth procedure to really take control of your website’s security. Getting through this guide will take time, effort, and dedication, but it will be worth it if it prevents your site from getting hacked.
Control PHP Execution
One common tactic hackers implement is to embed an executable script in a directory where it would not commonly reside. So one way to circumvent this hacking approach is to disable PHP execution within that directory. Step by step instructions in three, two, one.
If you’ve followed along every step of the way we’ve really covered a lot of ground. If you find yourself still wanting to dig deeper and keep going, and you aren’t sure where to go from here, we can help with that.
Here are our recommendations for further reading to keep your WordPress installation secure, and to get it back up and running if the worst should ever happen to you.
The WordPress Codex is an online manual for all things WordPress. Containing information for users at every level, and covering virtually every corner of the WordPress environment, the Codex should be one of your first stops when you run into a challenge with your WordPress website.
The Codex front page is as good a place to start as any. From this point you can head in whatever direction makes the most sense for where you are today.
The Codex includes some great WordPress lessons. These lessons are accessible for beginners, but also get into some more advanced topics such as theme development and the WordPress Loop.
If you want a cheat sheet on some of the most common WordPress errors check out this site. Several of the site breaking issues covered in this resource guide are covered on this page – as a matter of fact we’ve already linked to this page more than once.
WPMU DEV Blog
The WPMU DEV Blog stakes claim to the title “most read WordPress resource on the web”. We have no way of confirming or denying that their claim is true, we just know their blog is awesome.
ManageWP offers a WordPress management console to help you manage multiple WordPress websites more effectively. As you can imagine, with a product like that, they are WordPress experts, and their blog is a great source of information and tutorials.
Smashing Magazine is an online magazine for web designers and developers, and they’ve got an extensive database of WordPress resources.
If you like your resources in printed paperback or ebook format there are even more great options to consider.
Below you’ll find some of the best books on topics such as getting started with WordPress, moving into WordPress theme and plugin development, using WordPress as a web application framework, and using WordPress for full-fledged web developers.
- WordPress To Go: How To Build A WordPress Website On Your Own Domain, From Scratch, Even If You Are A Complete Beginner by Sarah McHarry. Available in Paperback and for Kindle.An introductory text that will walk you through all of the steps of creating a WordPress website including securing hosting, getting WordPress installed, and creating your website.
- WordPress 4.x Complete by Karol Król. Available in Paperback and for Kindle.A detailed introduction to WordPress that covers a lot more than the basics. If you are new to WordPress, but want to learn about theme and plugin development, this is the text for you.
- WordPress For Dummies by Lisa Sabin-Wilson. Available in Paperback and for Kindle.A popular WordPress guide that has sold over 100,000 copies in its various versions. A great text for beginners who want to learn the ins-and-outs of creating websites with WordPress without glossing over the details.
- WordPress Web Application Development, Second Edition by Rakhitha Nimesh Ratnayake. Available in Paperback and for Kindle.WordPress is a remarkably capable application. When you’re ready to step beyond building websites, and move into building full-fledged web applications built on a WordPress core this text will help you get there.
- Professional WordPress: Design and Development by Brad Williams, David Damstra, and Hal Stern. Available in Paperback and for Kindle.
One of the few texts designed to target WordPress developers. If you’re a WordPress developer looking for a book to teach you how to fully exploit the complete functionality of WordPress this book is a great place to start.