You may have recently seen this message on one of your WordPress sites:
The plugin xyz has been deactivated due to an error: The plugin does not have a valid header.
What does that mean and why did it happen?
All plugins deactivated means you were hacked
I know that’s not what you wanted to hear, but that’s what happened. You can verify the hack by using an FTP program to access the files of your site (or use your cPanel File Manager) and view the contents of any PHP file. At the beginning of the file you will normally see one of the following codes:
<?php $qnedbrboae =
Or something similar to one of those. You will know it’s strange because every PHP file in your entire system has this at the beginning of it.
There are also normally extra files added to your WordPress installation, such as options.php. The date these extra files were added to the site is normally the date that your site was hacked.
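A read-only check for the prefix described above, as an added example (not code from the original article): it walks a copy of the WordPress directory, flags PHP files that open with an assignment like the sample, and reports the most common modification date among them as a hint for when the change happened. The regular expression, the function names `scan`, `likely_hack_date` and `demo`, and the sample files are all assumptions constructed for illustration.

```python
import os
import re
import tempfile
import time
from collections import Counter

# Heuristic (assumption): like the page's sample, an infected file opens with
# "<?php $<long lowercase name> =" before any comment or ordinary code.
PREFIX = re.compile(rb"\A\s*<\?php\s+\$[a-z]{8,}\s*=")

def scan(root):
    """Return (flagged, total): flagged maps path -> modification date."""
    flagged, total = {}, 0
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            total += 1
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(256)  # the prefix sits at the very start
            except OSError:
                continue  # unreadable file: skip it, do not abort the scan
            if PREFIX.match(head):
                mtime = time.localtime(os.path.getmtime(path))
                flagged[path] = time.strftime("%Y-%m-%d", mtime)
    return flagged, total

def likely_hack_date(flagged):
    """Most common modification date among flagged files, or None."""
    return Counter(flagged.values()).most_common(1)[0][0] if flagged else None

def demo():
    """Build a constructed three-file tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed sample files, not real malware
            "clean.php": b"<?php\n/**\n * Plugin Name: Example\n */\n",
            "hit.php": b"<?php $qnedbrboae = 'constructed';\n?><?php\n/* x */\n",
            "options.php": b"<?php $zxkqpwvbtm = 'constructed';\n",
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        flagged, total = scan(root)
        names = sorted(os.path.basename(p) for p in flagged)
        return names, total, likely_hack_date(flagged)

if __name__ == "__main__":
    print(demo())
```

On a site hit by this hack nearly every PHP file is flagged; a handful of hits may simply be legitimate code that happens to start with an assignment.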
Why did they all get deactivated?
They were deactivated because all that strange code at the beginning of the file interferes with how WordPress reads plugin files.
As for how your site was hacked, it’s almost always weak passwords on the site and easy-to-discover administrator usernames. Just because you’ve changed the administrator username from “admin” to something else doesn’t mean a hacker can’t discover the username easily.
How does someone find my administrator username?
There are normally two ways:
- Your sitemap.xml tells them: many sitemap generation plugins will show all authors with their usernames as part of the sitemap. If you are using the Yoast SEO plugin, you can go to SEO > XML Sitemaps > User sitemap and mark “Disable author/user sitemap” to help prevent others from finding your username.
- Your blog posts tell them: On many themes, the name of the person who wrote the article is displayed. If you haven’t set your preferred display name (by going to Users > Your Profile and setting “Display name publicly as” to something that is not your username), then you may be advertising your username. Other times, your theme won’t display the information to visitors, but it is available by reading the HTML (which is what bots sent by hackers read). To change your theme’s display of this, you may need a child theme with some custom coding to remove the issue.
Now what do I do?
Ok, so I’m hacked, now how do I fix my site and reactivate all of my WordPress plugins?
- Get your website cleaned up, properly.
- Get your database checked and cleaned if needed.
- Get your site secured.
- Keep your site maintained.
1. Get your website cleaned up
Unless you are a developer and quite familiar with WordPress core files, get a professional. You need to have your entire WordPress installation cleaned and checked. This is not a small undertaking, and it needs to be done correctly and thoroughly or the hack will just come back, and worse the second time.
Need to get started? Click here to download the “Help my site was hacked, can you fix it” questionnaire >
2. Get your database checked
This hack is normally a file only hack, but not always. So your WordPress database needs to be checked for any issues and cleaned if needed.
3. Get your site secured
Now that your site & database are clean, you need to add security to your site to prevent this type of attack in the future. This needs to be done immediately after cleaning before your site can get attacked by anyone else.
Some of the items on the checklist for securing your site are:
- Get a quality WordPress security plugin like iThemes Security.
- Change all your passwords.
- Verify everything on your site is up to date.
- Install a firewall if possible.
4. Keep your site maintained
Security patches and feature updates are released very regularly, and these updates need to be installed to keep your site secure. You also need to have regular security checks of your website to make sure that everything is working as intended.
Why should you have your site professionally maintained?
Hosting companies are responsible for providing servers to host your website on, support for those servers and tools for those servers. That’s it. Hosts are not responsible for keeping your website secure or functioning properly.
That’s YOUR job as the site owner. In fact, some people who have had their site hacked found out that by “letting a hacker in” they violated the hosting terms of service. They were dropped by their hosting company. This left them with no website at all.
If you are reading this and haven’t been hacked, congrats! Now please make sure that you have your site secured & maintained by a professional. If you have been hacked, click here to download the “Help my site was hacked, can you fix it” questionnaire >