Until now your site was working very well, without any problems, but suddenly it started to display ads to your visitors. You do not have a contract with an advertising agency, you wanted to offer your visitors a site without advertising and therefore you did not request this type of display on your website.
There are two main hypotheses that could explain these ads.
The first is the installation of an infected theme or plugin. Depending on where you or your web developer get your plugins and themes, a source may contain code that causes advertisements to appear on your website.
The second is an intrusion into your website, through a security flaw or a bad security setting of your site: several “gateways” exist to access a website if it is not sufficiently secured.
In the first case, where you or someone else has unintentionally introduced an infected theme or plugin on your site, the most efficient solution is to restore a previous full backup of your site. This will delete hacked files.
If you don’t want to restore your site, or if you don’t have a backup (or one that is too old), there is also the possibility to “clean” your website: delete (with FTP(s)) the infected plugin or theme, identify database elements to be deleted… but be careful, we do not recommend this method (unless there is no choice): it is indeed difficult and time-consuming to make sure you have removed all traces of undesirable elements from your website. We recommend that you contact an expert for this type of action who, in addition, can offer you an audit of your website to identify potential flaws.
Reminder: it is important to fetch and download each element of your website from reliable, legal, controlled and recognized sources: the official website to download WordPress https://wordpress.org/download/, the official repositories of the themes https://wordpress.org/themes/ and the plugins https://wordpress.org/plugins/.
In the second case, you need to perform the operation proposed in the first case, restoring your website, but above all you must find the origin of the flaw that allowed these advertisements to be set up.
Here are a few points to explore or secure:
- Have a secure hosting: if you decide to entrust your hosting to a provider, make sure that it is qualified to meet all the security constraints that a hosting must have. The provider will need to make sure that all measures have been taken and that the server is always up to date. The same applies to the database: accesses must be finely tuned so as not to risk unauthorized access with sometimes dramatic consequences (data theft, destruction of the database, etc.).
- Be up to date with WordPress: like your hosting, your WordPress installation must be up to date, as well as its different plugins and themes.
- Control access: limit the number of user accounts and grant only the necessary rights, check that your passwords are not too simple and change them if necessary.
- Have a strong backup strategy: several backups are recommended.
- Check the origin of the elements on your site: you may have bookmarked the site on which you have downloaded a plugin or a theme… you could then find the origin of your problem. Feel free, if you can, to check the code or call on the WordPress forums for experts who can give you their opinion on a particular plugin or theme. Favour items that are well rated (with real reviews), downloaded many times and regularly updated.
- Analyze your computer: even if you have all the necessary security on your website, if your computer is infected by a virus, you can give access to the administration of your website without even realizing it.
- For your hosting, make an inventory of activated services and their usefulness: do you use FTP instead of SFTP? Is it a good idea to log in to SSH?…
- Check the correct permissions setting for folders on your website: WordPress should be able to read and write to folders on your server, but it is dangerous to grant too many permissions. If you have a problem between WordPress and read/write access to a folder, ask beforehand for THE right permission to be given, without opening the folder too wide or to everyone.
- Secure sensitive WordPress files and folders: wp-admin, wp-includes, wp-config.php. Many tutorials exist to help you do this.
- Increase the security of your WordPress: by denying the modification of files, by changing the access to the administration and by customizing the name of the administrator account, by installing a recognized security plugin to help you in these settings…
- Get an event logging strategy: in order to know what’s going on on your server or WordPress: unauthorized access, who logged in, when…
- Regularly check the good health of your WordPress installation: server up to date? WordPress up to date? Plugins and themes up to date? No items added “silently” since the last check? Backups and integrity checks on them? Folders, files and database without unwanted items? Log analysis? … It is advisable to make a complete checklist to be reused regularly.
If you find a problem on any of these points above, you will need to take the appropriate steps to ensure that you do not run the risk of encountering problems again.
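Two points of the checklist above, folder permissions that are too wide and items added “silently” since the last check, can be automated. The script below is an added example, not part of the original article: the function names, the JSON baseline file and the sample path in the comment are assumptions made for illustration.

```python
import hashlib
import json
import os
import stat
import sys


def snapshot(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            if os.path.islink(path):
                continue  # do not follow links out of the site folder
            with open(path, "rb") as handle:
                digest = hashlib.sha256(handle.read()).hexdigest()
            digests[os.path.relpath(path, root)] = digest
    return digests


def compare(baseline, current):
    """Return (added, removed, modified) paths since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return added, removed, modified


def world_writable(root):
    """List files and folders that any account on the server can write to."""
    loose = []
    for folder, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(folder, name)
            if not os.path.islink(path) and os.stat(path).st_mode & stat.S_IWOTH:
                loose.append(os.path.relpath(path, root))
    return sorted(loose)


if __name__ == "__main__":
    # Hypothetical usage: python check_site.py /var/www/site baseline.json
    site, baseline_file = sys.argv[1], sys.argv[2]
    current = snapshot(site)
    if os.path.exists(baseline_file):
        with open(baseline_file) as handle:
            print("added, removed, modified:", compare(json.load(handle), current))
    else:
        with open(baseline_file, "w") as handle:
            json.dump(current, handle)  # first run: record the known-good state
    print("world-writable:", world_writable(site))
```

Keep the baseline file outside the website folder, and record a new one after each legitimate update, since updated plugins and themes are also reported as modified.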