The last correspondence a web designer wants to get is an email from a client telling you their site has been hacked. The client knows immediately because the hosting company freezes the website and notifies them. The notice gets forwarded to you, and you now spring into action. First: calm the client down. Second: tell them not to pay huge sums for a fix!
The hosting company, Bluehost in this case, has a professional relationship with Site Lock. Site Lock immediately offered an expensive and unnecessary contract that would cost at least $50 per month. Not only that, they called the client numerous times to talk them into it, even though I had already discussed my solution with both Site Lock and the client. This is not only disappointing but bad for Bluehost’s ongoing business relationships with designers and developers.
After dealing with this annoyance, I looked at the server and immediately saw a recently created folder with suspicious PHP files in it. I deleted these files first and then, with the help of my developer Pat, replaced the site folders with the known-good copies from a backup taken two weeks before the hack. (Always back up your site at least once a month!) Next, all I had to do was chat with Bluehost and ask them to run a virus check. Everything was clean, and the site was up and running soon after.
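The server triage described above, written out as an added shell example (not code from the original post or from Bluehost): it lists recently modified PHP files, flags PHP files in the uploads folder where WordPress never puts code, and compares the live tree against the backup. The site root and backup paths are assumptions passed as arguments.

```shell
#!/bin/sh
# Added example: defender-side triage for a WordPress install.
# Assumes POSIX sh with find(1) and cmp(1); paths are caller-supplied.

# PHP files modified within the last N days (default 14). On a site that
# has not been edited recently these are the first files to inspect.
# Caveat: an intruder can reset timestamps, so treat this as a hint only.
recent_php_files() {
  site_root="$1"; days="${2:-14}"
  find "$site_root" -type f -name '*.php' -mtime "-$days" | sort
}

# wp-content/uploads holds media only; any PHP file there is suspicious.
php_in_uploads() {
  site_root="$1"
  find "$site_root/wp-content/uploads" -type f -name '*.php' 2>/dev/null | sort
}

# Compare live PHP files with the backup taken before the hack:
#   "new <path>"     exists live but not in the backup (likely dropped)
#   "changed <path>" exists in both but the content differs (likely modified)
diff_against_backup() {
  live="$1"; backup="$2"
  ( cd "$live" && find . -type f -name '*.php' ) | sort | while IFS= read -r f; do
    if [ ! -e "$backup/$f" ]; then
      printf 'new %s\n' "$f"
    elif ! cmp -s "$backup/$f" "$live/$f"; then
      printf 'changed %s\n' "$f"
    fi
  done
}

# Usage: sh triage.sh /path/to/live-site /path/to/backup
if [ -n "${1:-}" ]; then
  echo "== PHP files changed in the last 14 days"; recent_php_files "$1"
  echo "== PHP files under wp-content/uploads";   php_in_uploads "$1"
  [ -n "${2:-}" ] && { echo "== differences from backup"; diff_against_backup "$1" "$2"; }
fi
```

Anything the comparison reports as new or changed is what to delete or restore from the backup before asking the host to rescan.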
After a hack, it’s imperative that you reset all the passwords, both on the server side and in WordPress. In this case, the client’s password to the site was not secure enough. These days, you need at least 12 characters. Most people, including myself, resist using the complicated combinations of characters that password generators produce. One way around this is to use a password keeper such as LastPass, which fills in your password for you automatically.
Another idea gaining attention is to use a long phrase that you can remember, such as hanselandgretalleftbreadcrumbsonatrailandwererescuedbythehunter. You will still have to use a unique phrase for each login.
In addition to backing up your site to the cloud, maintain your software (WordPress, theme, plugins) by updating it every week. Remove any unwanted or spam comments. Check your Wordfence or Sucuri plugin. Ask your hosting company to enable https:// on your website. (See my post on this for more information.) If you don’t have the time or patience for these preventive measures, ask your consultant to do them for you for a reasonable fee.
Use safe practices when working on your computer at a coffee shop or other public place. Never store passwords in a file on your desktop; use a password keeper instead. Also, don’t click any suspicious links sent by email, especially when invited to “unsubscribe”. That link could lead you to a nightmare in the form of lost time, frustration and fees.