In the last few months, I have unintentionally branched into a new area of service: fixing hacked WordPress blogs.
Honestly, I’d much rather spend my time doing search engine optimization, marketing, or coding new themes, but when I get a panicked email from a hack victim, I understand that getting their blog up and running again is (naturally) their number-one priority.
This post explains why WordPress blogs get hacked and how to keep it from happening to you.
How bloggers discover they’ve been hacked
Many times the hackers are pretty slick, and you might not even know you’ve been hacked until you start to lose traffic or see a weird error. I had a few blogs hacked about a year ago and it took me a while to notice because I wasn’t regularly monitoring my traffic.
Some symptoms I’ve seen (on my own blogs or on my clients’ blogs):
- Delisting, a dramatic drop in rank, or a “caution” page from Google. You’ll usually find out about this a while after the hack, either when you search for yourself on Google, or (if you usually get a lot of traffic from Google) when you notice your traffic go down. Sometimes you’ll get an email from Google that alerts you to the situation.
- Strange links in your posts that just “appeared.” You’ll usually only spot these if you go back and edit an existing post, so many bloggers don’t notice these right away, either.
- Weird blog behavior, like blank pages or “secret” pages that only show up if you try to go to a page that doesn’t exist. Not all of this points to being hacked (for instance, an outdated plugin can cause a blank page), but it’s often the first clue that something’s wrong.
Why isn’t it easier to spot? The hackers purposely hide most of the evidence from you, and intentionally set it up so that search engines (like Google) see the new “content” they’ve added, but regular visitors (including you) do not. That makes it harder to catch the hack right away and makes it more likely the hackers will accomplish their goals.
What’s in it for the hackers
Most of the hacks I’ve seen have one goal: promoting spam sites. No doubt there are some purely malicious hackers who simply enjoy damaging blogs, but most seem to use hacking as a means to an end.
When they hack your blog, the most common thing they do is put in links to other sites, often porn, pharma, or other lucrative targets that are presumably paying for the effort. Why? Because when your site (presumably a respectable blog that Google knows is not a spam site) links to their site, they get a little boost with Google.
Google knows this happens and actively tries to stop it, but until they recognize that the linked sites are spam, those sites get some benefit. Google usually catches on pretty quickly, though, and when they do, your blog gets penalized right along with the spam sites it’s linking to.
This doesn’t bother the hackers much, because they’re already automatically hacking the next unsuspecting blog (and they sure as heck don’t care that their gain is your loss).
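The cloaking and link-injection tricks described above (content shown to search engines but not to visitors, and links buried in hidden markup) can be checked for from the blog owner's side by fetching the same page twice, once with a normal browser User-Agent and once with a search-engine crawler User-Agent, and comparing the links each version contains. The following is an added example, not code from the original post; it assumes the two fetches have already been done and uses two constructed HTML snippets in their place.

```python
from html.parser import HTMLParser
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}  # never closed; keep off the stack

def _is_hidden(attrs):
    """True if an element's inline style hides it from human visitors."""
    style = (dict(attrs).get("style") or "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style

class LinkCollector(HTMLParser):
    """Map each href on a page to whether it sits inside a CSS-hidden element."""
    def __init__(self):
        super().__init__()
        self.links = {}
        self._stack = []  # (tag, hidden) for every currently open element

    def handle_starttag(self, tag, attrs):
        hidden = _is_hidden(attrs) or any(h for _, h in self._stack)
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links[href] = self.links.get(href, False) or hidden
        if tag not in VOID_TAGS:
            self._stack.append((tag, hidden))

    def handle_endtag(self, tag):
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break

def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links

def suspicious_links(browser_html, crawler_html):
    """Return {href: reason} for links a human visitor would not normally see."""
    browser, crawler = extract_links(browser_html), extract_links(crawler_html)
    findings = {}
    for href in set(browser) | set(crawler):
        if href not in browser:
            findings[href] = "cloaked: served only to the crawler user-agent"
        elif browser[href] or crawler.get(href, False):
            findings[href] = "hidden: inside a display:none or visibility:hidden element"
    return findings

# Constructed sample pages standing in for the browser and crawler fetches of one URL.
BROWSER_VIEW = ('<p>Tomato tips. <a href="https://example.org/tools">tools</a></p>'
                '<div style="display: none"><a href="http://pharma.example/buy">pills</a></div>')
CRAWLER_VIEW = BROWSER_VIEW + '<p><a href="http://casino.example/">casino</a></p>'
```

Running `suspicious_links(BROWSER_VIEW, CRAWLER_VIEW)` flags the hidden pharma link and the crawler-only casino link while leaving the ordinary tools link alone; a legitimate link that happens to be styled with `display:none` (a collapsed menu, say) will also be reported, so treat the output as a list to review rather than proof of a hack.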
How they hack your blog
By far, the number one cause of hacked WordPress blogs is not having the most recent version installed. WordPress is software, and like any software, the people who wrote it try their best to make it as secure as they can, but occasionally there’s a bug. Sometimes these bugs, if not fixed, can allow hackers into the software.
With desktop software, like Windows or Photoshop or Firefox or Word, when a bug is discovered, the software company creates an update that fixes the bug and the software asks you to upgrade. This is the purpose of services like Windows Update—to make sure you have the latest version of the software, and all known bugs are fixed.
With software like WordPress that’s installed on a web host, it’s a little more complicated. Just like desktop software, when a bug is discovered, an update is created and the software prompts you to upgrade. However, the actual process of upgrading involves downloading and uploading files, backing up your database, and other tasks that non-techies find intimidating. So many bloggers just don’t upgrade.
Though the bloggers often assume that they’re only missing out on new features when they don’t upgrade, the much more important fact is that they’re also leaving known security flaws wide open for hackers. Just like Windows, you only get the protection of the update if you install it. That’s why it’s so important to always have the latest updates (both with Windows and WordPress and any other software you use).
How you can avoid getting hacked
After that last section, this will be obvious, but it bears repeating: always install WordPress security upgrades.
How do you know if you need to upgrade? Log into your WordPress blog’s admin panel and go to the very bottom. It will have a version number, something that looks like 2.3.1 or 2.5 or 2.5.1 (or some other number—but it will follow the basic pattern).
If the number is lower than 2.3 (for instance, 2.2 or 2.2.3 or 2.0.1), you definitely need to upgrade.
If it’s 2.3 or higher, you’ll see a line near the top of your WordPress admin panel that notifies you when it’s time to upgrade:
That’s a good clue that it’s time to upgrade.
What if you don’t want to do the upgrade?
This is the root problem for many bloggers. They don’t have the time or the technical skills (or the time to learn the technical skills) to do their own upgrades, so upgrades don’t get done.
Trust me when I tell you that it’s almost always more expensive to fix a hacked blog than to keep up on upgrades, even if you have to pay someone to do it.
And that’s the answer: if you don’t want to do them yourself, pay someone to keep your blog up to date. We offer upgrades as a monthly subscription service, or you can talk to the person who set your blog up for you, or you can hire someone on oDesk or Elance when you need an upgrade. No matter which route you take, the temporary relief of ignoring the upgrade is not worth the much bigger headache of dealing with a hacked blog.
A few other precautions
While out-of-date versions of WordPress are far and away the primary cause of hacks, there are also some other things you can do to help protect yourself and recover in the event of a hack.
If you’re a DIY-type, check out this excellent list of WordPress security tips. These are additional things you can do to secure your blog (we do them by default on blogs we set up).
Having good backups on hand (of both your files and your database) can make it less painful to restore your blog to its former glory if you do get hacked.
Another precaution you should take is to create some “standard” email addresses for your site. When Google detects that your site may have been hacked, they usually try to contact you at the following email addresses:
- contact@yourdomain.com
- info@yourdomain.com
- support@yourdomain.com
- webmaster@yourdomain.com
If you don’t have at least one of these set up, you’ll probably be the last one to know if you do get hacked. This won’t prevent a hack, but it will give you a good shot at fixing things before too much damage is done.
If you need more details on any of the above, leave a comment; I’m considering covering these topics in future posts.
What if you’ve already been hacked?
Because there are different types of hacks and different levels of blogger expertise, there’s no one-size-fits-all fix. Usually it involves upgrading, digging into the files, and searching for any remaining hack code. Honestly, it can be tricky if you aren’t a WordPress code buff (because you don’t know what “normal” looks like).
Your best bet is to get a pro to do an upgrade and once-over. If you don’t want to pay, and you’re feeling adventurous, a much-cited post called “Has Your WordPress Been Hacked Recently?” is a good place to start. When you are confident that the hack has been undone, you can request reconsideration of your blog from Google as a first step in getting it back to normal.
What else?
I hope this post has helped you understand a little more about blog hacks and how to prevent them. I know there is a lot of ground to cover here, and I’ve just scratched the surface, so please share your questions, experiences, and tips in the comments!
This is stellar advice! Thanks so much!