You know I've been on a mission to help rid ourselves of all the problems we see with sites being defaced, hack'd, crack'd, and pillaged. Frankly, if you have a WordPress blog that hasn't been upgraded to the latest version (currently 2.5.1), it's not a matter of IF but a matter of WHEN you can expect to see it attacked.

Luckily, I'm not the only one who has been noticing the ever-increasing problem, and lucky for all of us, there are now some steps you can take to help defend your sites from these kinds of attacks. Below I'll list the various actions you can take (or point to resources) - some are preventive measures, and some are after-the-fact cleanup steps. Either way, you need to have as much information at hand as possible to effectively deal with this problem. (Note that although some of these steps are specifically for WordPress, some can be used elsewhere. I'll note that as we go along).

Preventive Steps

  • Install the Login Lockdown WordPress plugin. This will prevent brute force attempts at grabbing your admin password. (WordPress only)
  • Install the WordPress Database Backup plugin. You can set this plugin to automatically backup your blog's database every night and email it to you, so you never have to remember to backup. This is essential for being able to revert back to a known-good state. Once installed, test it, and make sure you get a good backup right now. (WordPress only)
  • Backup your site's files now while you know they are clean. You can grab a backup from CPanel if your host uses that, or you can just FTP all the files down. In the comments below, Paige points to a nice post showing how to automate the CPanel backup here.
  • Install the WordPress Automatic Upgrade plugin. It makes upgrading WordPress blindingly easy, and the easier that step is, the more likely it is that you will actually DO it. (more info on the plugin here). Once installed, use it! (if you aren't already running the latest version, that is) (WordPress only)

After The Fact

  • Even though this tool detects problems after the fact, you need to sign up for SERPGuard NOW. This is a brand new tool that Nick Wilsdon has graciously created for us all, and it's an essential tool in this fight. (more info on the service here, here, here, and here). Basically, what SERPGuard does, is monitor Google's malware and phishing blacklists, and alerts you if your sites are on them. This happens frequently when your site is attacked, and the sooner you find out about it, the better. Google does list this information in the Webmaster Tools, but if you aren't using WMT, or you just don't regularly visit it, you won't know that you've been hit. (Google claims to email webmasters, but I've seen people get hit and never get an email). SERPGuard definnitely lets you know, and there are various ways to be informed (email and RSS). This won't prevent an attack, but it will warn you QUICKLY if you've been attacked. (For all sites, not just WordPress).
  • Once you know you've been attacked, it's time for the cleanup process. Smackdown has a comprehensive post about cleaning your hacked WordPress blog, so I'll just link to it here. Obviously, I hope you never have to use that post, but if you need it, it will be a lifesaver for you. (WordPress only)
  • Finally, if Google has kicked you out of the SERPs (and they probably have), you can request reinclusion and explain what happened, and that you've cleaned everything up. You'll need to do this via the Webmaster Central, however, so you'll have to sign up there if you haven't already. (ADDED LATER FROM COMMENTS BELOW: You can also get your site reviewed through StopBadware.org . This can be useful if you do not want to create a GWC account for the site. However this will likely be a slower process than Google, who is looking to get a 24hr turnaround on requests.) (For all sites, not just WordPress)

Google has also blogged about this subject, so if you want to see their advice, you can get that here and here. (For all sites, not just WordPress)

If you take the proactive steps to protect your blog, you may never need the "after the fact" steps, but keep them handy - just in case. They'll help prevent your blood pressure from exploding when you're trying to figure what the heck to do.

Final note: The first person who complains about the inappropriate use of the term "hacker" instead of the more appropriate term "cracker" gets a virtual SLAP from me. Even Google uses the term "hacker" in their posts above, so I figure it's ok for me to do so as well.

About the Author: Donna Fontenot

Donna Fontenot, aka DazzlinDonna, is an Internet Entrepreneur and SEO, who has long utilized search engine optimization and affiliate marketing to create a successful online business. Her goal as an ebusiness coach is to help others make a living online from the comfort of their homes (and in their pajamas). Her motto is "You'll never shine if you don't glow."

Related Posts

Related Articles

View All

  • How AI Is Changing the Way We Get Things Done

    The way we interact with computers to complete tasks has evolved dramatically. We’ve moved from writing complex code, to clicking [...]

    Wisam Abdulaziz
    Wisam AbdulazizMay 5, 2025

  • Why Self-Hosted WordPress Is Still the Best CMS for SEO, Speed, and User Experience

    Reliable. Scalable. Trusted. The Proven Leader in Website Platforms. There’s no shortage of content management systems vying for your [...]

    John Medina
    John MedinaApr 30, 2025

  • Two Decades of Google Ads: How the Platform Has Evolved Since 2003

    When Google first launched its advertising platform in 2000, few could have predicted how deeply it would shape the [...]

    Joanne Quipp
    Joanne QuippApr 29, 2025

  • 8 Ways to Optimize Your Digital Marketing Without Reducing Your Budget

    In today’s fast-paced and uncertain economic conditions, both large and small businesses often face difficult decisions about their marketing budgets.  [...]

    Brian Tatarnic
    Brian TatarnicApr 14, 2025