When WordPress is due for an update, it can be tempting to ignore it and continue to use the site as-is. Whether you’re nervous about navigating the newer version or you just don’t feel like going through the process, it’s important not to ignore WordPress updates — they serve to improve functionality and create a better user experience. Of course, updates can be complicated. That’s why we’ve created this guide on how to update WordPress safely.

Why Should I Update WordPress?

Before we examine how to safely update your WordPress site, let’s review why updates are important. By using the latest version of WordPress, you’ll enjoy the following advantages:

  • Increased protection: Outdated WordPress plug-ins, WordPress themes or WordPress core increase the likelihood of getting hacked.
  • Improved performance: Updating WordPress boosts speed and functionality. It also fixes bugs that might be interfering with the WordPress site performance.
  • New tools: If you’re not using the latest WordPress version, you won’t have access to the newest features and tools.

Installing updates is the best way to ensure you’re using the highest-quality version of the site. Now that you understand the benefits, here’s how you can safely update WordPress.

How to Update WordPress Safely?

If this is your first time updating WordPress, it might seem a bit difficult. However, over time, this process should get easier — you’ll soon become an expert at executing these updates. Here’s everything you need to know.

Secure Your Files

Before you update WordPress, take the time to complete a thorough backup. This way, if anything goes wrong during the update process, you can still access your files. A backup should include core WordPress files and parts of your WP content folder, such as the following:

  • Themes and plug-ins
  • Uploaded media and images
  • Data

In addition to performing a backup, it’s advisable to turn off caching before moving forward with the update. Put simply, a cache is a high-speed layer of data storage. While it’s helpful during your regular WordPress operations, this function can interfere with the update. You can easily turn it off through your plug-in menu.

Find the Automatic Update

When a new update is available, you’ll see a notification at the top of your screen. You can quickly begin the update by clicking the notification. However, some users might not see it. This could be because you minimized it or because the site is hiding it. If this is the case, don’t worry — you can still access the update by going to the WP admin dashboard.

Once you’ve opened your dashboard, you’ll see an “updates” menu. There should be an option to “update now” — just click this to start the process. During the update, you won’t be able to use WordPress for a few hours or so.

Conduct a Manual Update If Necessary

Usually, the automatic update is all you need to get the process started. However, in some cases, it may not work. While this can be frustrating, you can still take advantage of updates by carrying out the process manually. This requires the following steps:

  • Get a free File Transfer Protocol (FTP) software package
  • Download the most recent version of WordPress as a zip file
  • Upload your zip file to your FTP
  • After the upload is complete, you can find the update in your WP admin panel.

Although this process is more complex than conducting an automatic update, you’ll be able to enjoy all the perks of the new WordPress version once it’s done.

Update WordPress Themes

Updating the “themes” section of your WordPress website is a slightly different process. You can find the update in your “Appearance” menu — of course, before you click on it, make sure everything is backed up.

If you have any customized themes, or child themes, you’ll want to save them before the update. Most WordPress users base their themes on an original version, or parent theme. Start by noting all the differences between your theme and the parent theme. This should include the following:

  • Style
  • Functions
  • Files

Copy all these changes to a blank child theme, then go ahead and update the parent theme. Once it’s updated, you can copy the changes again and move them back to the parent theme. You can also turn caching back on at this time.

Make Sure Everything Is Working

Once the update is done, you’ll have a fully functional, high-quality version of WordPress on your hands. However, you should run a quick check just to make sure everything is working. There are two ways to do this:

  • Run a manual check
  • Use a visual regression tool

You can conduct a manual check by navigating through the site and testing features out on your own. Of course, this process is time-consuming, and there’s no guarantee you won’t miss something. Thus, it’s recommended to use an online visual regression tool that can check for you. Using online services can save time and effort while reducing the risk of making a mistake. For the best results, you should always rely on a high-quality resource like WP SitePlan.

artKenya’s Managed Web Hosting: Your Resource for Safe Updates – and so much more!

If you’re looking for WordPress management assistance, our team at artKenya is here to help. In addition to performing secure, regular updates, Managed Web Hosting includes the following services:

  • Daily data backups
  • Monitor uptime in real time
  • Consistent security scans
  • Page speed optimization
  • Monthly reports
  • Database optimization
  • Web hosting
  • Domain renewal
  • Content updates

We’re happy to customize our services to meet your needs. Enjoy safe updates by contacting us today!

When your WordPress website is hacked, a million things go through your mind. What did the hackers find, change and steal? Who else is in danger — are your employees, partners or customers at risk now too? And how did the hackers get into your site in the first place?

Before you can take the next steps, you have to stay calm. The truth is that hacks do happen, regardless of how well-protected you believe your site is. The good news is that this is a common occurrence and there are established to-dos to start tackling right away.

Also, sometimes websites go a little bonkers — it doesn’t mean you’ve been hacked. A misbehaving website, malfunctioning update or odd comment on a blog post are not surefire signs that your site’s been hacked. You’ll want to dig deeper to make sure you know what you’re dealing with before you try to solve the wrong problem.

How To Tell if Your WordPress Website has Actually Been Hacked

Here are the signs that you’re dealing with a bona fide hack — hopefully, you can say “no” to everything on this list. (And if not? We’ve got lots more help for you.)

  • You’re unable to log in to your WordPress website.
  • You’ve noticed a severe drop in traffic.
  • There are website changes that you haven’t made.
  • Your website is redirecting to a different site.
  • When anyone tries to access the website or even search for it in Google, a warning shows.
  • The server logs show unusual activity.
  • Your security plugin or hosting provider has notified you that there’s been a breach or unusual activity.

Let’s get into some of these a bit more.

Can’t Log In to Website

The most common reason why someone can’t access their website isn’t a hack — it’s because they forgot their password (or think they know it but actually don’t). Reset your password to see if that’s the problem.

Now, if you can’t reset your password, that could point to a potential hack. Hackers will often remove a user or change their password to keep them from accessing the site. If you’re not able to reset your password, it could be because someone removed your user account. Usernames that contain the following are particularly easy to hack:

  • Admin
  • Administrator
  • Root
  • Test

Also, if you are able to reset your password but you notice other red flags that we’ve listed, you could still be the victim of a hack, so read on.

Drop in Traffic

When a high-performing website stops seeing an influx of traffic for no known reason, it’s possible it’s been hacked. Redirected traffic, a degraded user experience or Google blacklisting your site can cause traffic to plummet.

Unrecognized Website Changes

Often, hackers will change your website in big and obvious or tiny and hard-to-catch ways. It could be as clear as the home page being overwhelmed by ads or the theme being totally different. Or, it could be as difficult to find as teeny links hidden in the footer. It’s also common for the added content to be of an illegal nature.

Often, this type of added, unexpected content doesn’t fit with the design scheme or take presentation into consideration. That means that there may be a black ad over a black part of the website, keeping a lot of it concealed.

You can also see if any pages have been added to your site by doing a Google search for site:yoursite.com (replacing yoursite.com with your actual URL). Skim through the results to see if there’s anything you don’t recognize.

Before you assume this is the work of a hacker, check with the rest of your team to find out if any admins or editors made the change. Even an outlandish change could have been a complete accident.

Website Redirects Somewhere Else

It’s common for hackers to add a script to your website that redirects visitors elsewhere, like a dating site or something untoward. You may not notice this yourself, as some hackers will only show the redirects to non-administrators, so it will look normal to you. But if you’re getting feedback from visitors that they’re being sent to another site, listen up.

Browser or Google Warnings

Yes, a browser warning that says your site’s been compromised could point to your WordPress being hacked … or it could mean that there’s code in a plugin or theme that has to be removed. There could also be a domain or SSL problem, which your host can probably help you figure out. The browser warning may provide you with some info that you can use to start troubleshooting the problem.

A Google warning is similar, though more straightforward – it’ll probably say, “This site may be hacked.” This can happen when a website sitemap is hacked, which impacts how Google crawls the site. Like with a browser warning, you have to take whatever info you’re given to start diagnosing the problem.

If you’re still hearing from users that your site is flagged, it could be that they’re getting a notice from their anti-virus product. Even if Google whitelists you again, you’ll have to follow the instructions for the anti-virus products to take you off their list of dangerous websites.

Unusual Activity in Server Logs

If you’re worried that you’ve been hacked, log in to your cPanel via your hosting provider. There are two types of logs to look at:

  • Access Logs: Who accessed your WordPress site and through which IP.
  • Error Logs: Errors that occurred when your WordPress system files were modified.

Look for any unusual activity. If you find IP addresses that shouldn’t have access to your site, block them.
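
One way to do the log review described above, as an added example that is not part of the original article: it parses access-log lines and flags IPs with repeated POSTs to the WordPress login endpoints, plus any PHP file served from the uploads directory. The Apache "combined" log format, the threshold, the two checks and the sample lines (documentation IP ranges) are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" access-log format, which cPanel hosts commonly use (assumption).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}   # WordPress login-capable endpoints
UPLOADS_PHP = re.compile(r"^/wp-content/uploads/.*\.php$", re.I)
LOGIN_POST_THRESHOLD = 5                          # assumed cut-off; tune per site

def review(lines, threshold=LOGIN_POST_THRESHOLD):
    """Return per-IP findings worth a closer look before blocking anything."""
    login_posts = Counter()
    uploads_php = defaultdict(set)
    unparsed = 0
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1          # keep count: truncated lines can hide activity
            continue
        path = m["path"].split("?", 1)[0]   # ignore the query string
        if m["method"] == "POST" and path in LOGIN_PATHS:
            login_posts[m["ip"]] += 1
        # Media uploads should never be executable PHP; a 200 means one was served.
        if UPLOADS_PHP.match(path) and m["status"] == "200":
            uploads_php[m["ip"]].add(path)
    return {
        "repeated_login_posts": {ip: n for ip, n in login_posts.items() if n >= threshold},
        "php_in_uploads": {ip: sorted(p) for ip, p in uploads_php.items()},
        "unparsed": unparsed,
    }

# Constructed sample lines (documentation IP ranges), not taken from a real site.
SAMPLE = [
    f'203.0.113.7 - - [12/May/2023:03:14:{s:02d} +0000] '
    f'"POST /wp-login.php HTTP/1.1" 200 4821 "-" "-"'
    for s in range(6)
] + [
    '198.51.100.20 - - [12/May/2023:09:02:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.20 - - [12/May/2023:09:02:15 +0000] "GET /wp-content/uploads/2023/05/photo.jpg HTTP/1.1" 200 88211 "-" "-"',
    '192.0.2.44 - - [12/May/2023:04:40:09 +0000] "GET /wp-content/uploads/2023/05/cache.php?x=1 HTTP/1.1" 200 17 "-" "-"',
    '-- log rotated --',
]

if __name__ == "__main__":
    for check, hits in review(SAMPLE).items():
        print(check, hits)
```

A single login POST, like the one from 198.51.100.20 in the sample, stays below the threshold, so a normal sign-in by an editor is not reported.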

Understanding Why and How WordPress Websites Get Hacked

There are a number of reasons why WordPress is hacked. The top three are:

  • Insecure Passwords: Every user of your site, along with your FTP and hosting accounts, needs a highly secure password.
  • Out-of-Date Software: Plugins, themes and your WordPress installation need to be updated regularly, whenever a new version is out. Without updates, you leave vulnerabilities for hackers to take advantage of.
  • Insecure Code: Low-quality WordPress plugins and themes can put your site at risk.

There are several savvy methods hackers use, and the techniques are improving all the time. As sites get safer, hackers get smarter and more creative. Here are just a few of the main routes that are taken to hack WordPress:

  • Backdoors: A backdoor hack bypasses all the traditional ways of getting into your site. The hacker may find a way in through hidden files or scripts.
  • Brute-Force Login Attempts: Automation is used to figure out your password and get into your site. The weaker the password, the easier it is to crack.
  • Cross-Site Scripting (XSS): This is a vulnerability that’s often found in plugins. Scripts are injected that let a hacker send malicious code to the user’s browser.
  • Denial of Service (DoS): If there’s a bug or error in the website code, the hacker can use it to overwhelm a site until it breaks.
  • Malicious Redirects: A backdoor is used to redirect your site.
  • Pharma Hacks: Rogue code is inserted into an out-of-date WordPress version.

10 Steps To Recover a WordPress Website That’s Been Hacked

If you’ve been hacked, do the following as soon as you can. Try to stay calm as you go through this list — panicking will only make it harder to work efficiently, and you could miss important steps along the way.

Put Your Site in Maintenance Mode

If you’re able to access your website and log in, put it in maintenance mode. You want to do this even if there’s nothing obvious that users will see when visiting your site. While you’re working on it, maintenance mode protects their devices and information and keeps it under wraps that you’re dealing with a hack.

Find Your Backup

You’re going to contact your hosting provider in the next step, but sometimes, when a host finds out you’ve been hacked, they delete the site immediately to prevent further problems. That’s why you need backups of your site and database first.

If your backups are stored on the same server as your website, they’re likely gone once you’ve been hacked. However, consider checking these spots in case you have one saved there as well:

  • Your Backup Plugin: If you use a backup plugin, there’s probably a backup stored in the provider’s cloud service.
  • Your Cloud Account: See if you’ve manually saved a website backup to your cloud service, like Dropbox or Google Drive.
  • The Hosting Provider: It’s possible that the hosting provider you use has a backup of your site that you can still access.

Contact Your Host

Depending on the type of hosting package you have, your provider may be able to take the reins and handle a hack for you. Early on, contact your host to (a) let them know your WordPress website has been hacked and (b) find out what help they offer. If you’re not able to gain any access to your site at all, you may need the host’s help to get anywhere.

Reset WordPress Passwords

You won’t know which password was hacked, so it’s safest to change all of them ASAP. While you’re at it, reset any and all passwords associated with your WordPress, like your database, host and SFTP passwords. Also, contact admin-level users right away and have them change their passwords as well. Moving forward, aim to change your WordPress login every couple of months or so.

Update Everything

Make sure your WordPress installation, plugins and themes are all up to date. Doing this early on means that you may patch a vulnerability that the hackers initially got through. If you wait too long to do this step, you could go through the trouble of fixing your site only to have it hacked again through the same outdated plugin or theme.

On top of updating your plugins and themes, do the following:

  • Deactivate and delete anything you don’t use.
  • Are you worried that one of them is from an unreliable vendor? Deactivate and delete it.
  • Remove and reinstall any that you think may be giving you trouble. Or, better yet, remove the plugin or theme and then replace it with something else from the official directory.
  • Check the support pages for the themes and plugins you have installed. There may be recent comments from people who are having the same issue.

If you want to delete plugins from your SFTP instead of the WordPress dashboard, you can. Make sure that you delete the entire directory for the plugin, not individual files. You’ll look for wp-content/plugins/[plugin name] and delete the entire directory and everything in it.

You can do the same for unused themes by going to wp-content/themes/[theme name]. Keep in mind that if you’re using a child theme, you probably have two directories to retain so that your theme stays intact.

Remove Unnecessary Admin Accounts

Check through all of the site’s admin accounts and get rid of any that you don’t recognize or that are no longer relevant. For those who still need access to your site but aren’t admins, change their access level. Also, it’s a good idea to check with admins to find out if they changed their account details before you delete an account that’s actually legitimate.

Remove Files That Shouldn’t Be There

You’ll probably need a security plugin for this step. Running a site scan should alert you to files that are there but shouldn’t be. We’ve rounded up the six best WordPress security plugins for your site.

Clean and Resubmit Your Sitemap

If your sitemap’s been hacked, it could have malicious links or foreign characters in it. Your SEO plugin should let you regenerate a fresh, clean sitemap. You’ll then have to submit that to Google via the Google Search Console. Let Google know that your site has to be crawled again.

This can take up to two weeks, so know that the search warning may not be cleared until then. To check if your site’s back in good standing, you can go to this URL: http://www.google.com/safebrowsing/diagnostic?site=http://yourwebsite.com/

Reinstall WordPress Core

When nothing else seems to work, the only way to repair your site when WordPress was hacked is to reinstall it entirely. You can do this through the admin dashboard or through your file manager.

Clean Out the Database

Lastly, clean out your database. Your security plugin should be able to tell you if the database was compromised, and it may also be able to clean it out and optimize it.

How To Prevent Getting Hacked in the Future

We know you never want to go through this again. Here’s what you can do to prevent your WordPress site from being hacked in the future.

Set Secure Passwords and Two-Factor Authentication

If you haven’t done this already — or if you did but you rushed because you were panicking — make sure that all of the passwords for your site are strong. Then, add two-factor authentication to your site, which will make it tougher for a hacker to create a false account.

Use a Security Plugin or Service

We’ve mentioned this so many times already that you’re bound to know by now that you need a security plugin for your site. The biggest benefit to this type of plugin is that it will alert you if there’s an issue so that you can take preventative steps before it gets out of hand.

Need even more protection? There are security services that will monitor your site for you and fix any issues that arise. And if you are hacked again in the future, they’ll handle all of the troubleshooting steps for you.

Keep Your Website Up to Date

Everything on your site should be up to date, from the WordPress version to any plugins and themes you have installed. Updates usually have security patches, so leaving them out of date means that hackers can easily find their way in. If you’re not in your site regularly to perform maintenance, use an auto-updater to handle it for you.

Use SSL On Your Website

SSL is standard with most hosting packages, and it adds another layer of security to your site. Check with your host to see if SSL is included. If it’s not, you can install a dedicated SSL plugin, or check if your security plugin includes it.

Use a Firewall

A firewall acts as a bouncer between your site and the rest of the world, blocking anything dangerous before it has the chance to cause a problem. You can use a security plugin or service, but first check with your host to see what type of firewall protection you already have.

Be Careful With What You Install

Only install plugins and themes that come from reputable sources — the official WordPress directory is your best bet. And even then, make sure that what you’re choosing has been tested with your version of WordPress. Avoid plugins and themes from third-party sites. If you must get one from somewhere other than the WordPress directory, research to find out if the vendor has a good reputation.

Clean Your WordPress Installation

Anything that’s hanging around that you don’t need anymore should be deleted, including:

  • Files that you no longer use
  • Plugins that are inactive or active but unused
  • Themes that are inactive that you won’t use again
  • Old WordPress installations
  • Unused databases

Old WordPress installations are especially vulnerable. Often, your backups are kept in a subdirectory of your site. So while your main website may be secure, a hacker can get in through those old installations.

Try to walk through this cleanup routine regularly, like every three months, to keep your website more protected against getting hacked.

Wrapping Up

When your WordPress website has been hacked, your site often isn’t available to your visitors, which could impact everything from your brand’s reputation to your income. Acting quickly and smartly is necessary to get your site back in working order. Then, the next most pressing matter is how to keep your site healthy and hack-free moving forward.

Luckily, many of the maintenance suggestions we’ve covered are no-brainers. You probably already know that stronger passwords and up-to-date plugins mean a healthier site, just to name a couple of best practices. By following the advice in this article, you have a better chance of fixing your WordPress site after it’s been hacked and avoiding the same headache in the future.

If your domain isn’t registered in the same account as your hosting or it’s registered elsewhere, use the following DNS records for your cPanel shared hosting account’s Web hosting and email.

NOTE: DNS changes can take up to 48 hours to take effect across the Internet.

Mandatory

Record Type | Host | Points to
A (Host) | @ | Your hosting account’s IP address. For more information, see Finding Your Hosting Account’s IP Address.
CNAME | www | @
CNAME | mail | @
MX (Mail Exchanger) | @ | mail.[your domain name], for example mail.coolexample.com. NOTE: Use MX Priority 0

You must delete any other MX (Mail Exchanger) entries in the DNS zone file for your email to work. The MX entry listed above should be the only MX entry.

If you have your cPanel site set up on a subdomain (e.g. cpanel.coolexample.com), replace each instance of “@” with your subdomain and use the domain name including the subdomain in the MX record.

If your domain is registered here, you can make these changes through your domain’s DNS manager. For more information, see Managing DNS for Your Domain Names.

Optional

You do not need to add all of these records to your zone file, but doing so will make certain functions work, such as Autodiscovery through Outlook.

Record Type | Host | Points to/Value
A (Host) | admin | Your hosting account’s IP address. For more information, see Finding Your Hosting Account’s IP Address.
CNAME | autoconfig | @
CNAME | autoconfig.admin | @
CNAME | autodiscover | @
CNAME | autodiscover.admin | @
CNAME | cpanel | @
CNAME | ftp | @
CNAME | mail | @
CNAME | webdisk | @
CNAME | webdisk.admin | @
CNAME | webmail | @
CNAME | whm | @
CNAME | www.admin | @
TXT | @ | v=spf1 a mx ptr include:secureserver.net ~all
TXT | admin | v=spf1 a mx ptr include:secureserver.net ~all

Record Type | Service | Protocol | Name | Priority | Weight | Port | Target
SRV | _autodiscover | _tcp | @ | 0 | 0 | 443 | cpanelemaildiscovery.cpanel.net
SRV | _autodiscover | _tcp | admin | 0 | 0 | 443 | cpanelemaildiscovery.cpanel.net

You can also remove the following DNS entries:

CNAMEs — email, imap, pop, and smtp