When it comes to web security, housekeeping and maintenance are just as important as proper development. For WordPress, housekeeping should ideally be done at least once every three months.
Luckily, maintaining a WordPress website isn’t too hard.
- Make sure your plugins and themes are up to date.
- Make sure you use plugins that are actively maintained.
- Take proper backups of database and files.
- Remove plugins and themes that you do not use.
An old client of mine, whose name won’t be mentioned for obvious reasons, recently reached out to me when Google showed the warning message, “This site may be hacked”.
Here is what I did to revive the website and remove the warning.
- I started by making a full backup as I always do. Saved a local copy of the backup just in case.
- Made a screenshot of all the inactive plugins and deleted them.
- Deactivated and removed plugins that were no longer essential.
- Deactivated and removed duplicate plugins.
- Deleted default themes and themes that were not used.
- Updated WordPress to the latest version.
- Updated all plugins to the latest versions while testing for changes in the front end.
- Installed the Wordfence Security plugin and ran a scan to discover potentially infected files. The scan also revealed plugins that were no longer maintained.
- The scan revealed a malware infection in a couple of files. Removed it manually.
- Replaced the plugins that were no longer maintained with plugins that had an active development cycle.
- The site was hosted on Bluehost, and the client was paying quite a bit for shared hosting. I recommended that they move to DigitalOcean, which was cheaper and had better resources than their current plan.
- I set up the DigitalOcean server and moved the website to the new host.
- Hardened WordPress for maximum security.
- Installed a Let’s Encrypt SSL certificate and set up a cron job to auto-renew it every 90 days.
- Scanned the website for broken links and fixed any that were found.
- Set up browser caching.
Final Step – Removal Of ‘This Site May Be Hacked’ Warning.
This requires a manual review by someone at Google. I added the website to my Webmaster Tools account and requested a review, explaining the steps I took to clean up the install.
The review took about a week and the result was positive. Another happy client!
I recommend using something like https://wordpress.org/plugins/really-simple-ssl/ to save time. It basically converts all http calls to https such as stylesheets or blog images. Just plug and play for most installations. WordPress does not provide a way to bulk change the image path called within a post, so if it is a huge site, this plugin helps.
Hey Anand, thanks for the plugin recommendation!
Being a plugin minimalist, I do it with: https://interconnectit.com/products/search-and-replace-for-wordpress-databases/. Since it is a one time task, I do not mind it too much.
There is also a WordPress plugin that does similar stuff: https://wordpress.org/plugins/better-search-replace/