If you run a popular blog or any other site on WordPress, chances are it could get hacked. Fixing a hacked WordPress site can be quite stressful. A hack not only affects your Google rank but also impacts your business and readership. In this article I am going to share a step-by-step guide to fixing your hacked WordPress site.
Before We Begin
It doesn’t matter which platform you are using. Whether it is WordPress, Joomla, Drupal or something else, any site can be hacked! If your website is a business then security should be your top priority. That’s why you should always use managed WordPress hosting and make sure you always have a good WordPress backup solution. Last but not least, have a robust web application firewall like Sucuri. You can see the symptoms of the hacked WordPress site
All of the above is great as long as your website has not been hacked. But if your WordPress site is already hacked, most of the above information does not apply in your case.
Let’s look at the step by step guide on how to fix your hacked WordPress site.
Steps to Fix your Hacked WordPress site
Basically there are three steps to fix your hacked WordPress site. First you identify the hack, then you remove the hack, and then you fix the issue that caused your WordPress site to be hacked. Let’s dig into these three steps.
1. Identify Hack
If your WordPress site has been hacked, the first thing you should do is install a security plugin like Sucuri. It can help you identify which areas need to be cleaned.
After installing the plugin, scan your site to find malicious payloads and malware locations. To scan WordPress for hacks using the Sucuri plugin, follow the steps given below:
- Log into WordPress as an admin and go to Sucuri Security > Malware Scan
- Click Scan Website
If you are hosting multiple websites on the same server, I recommend scanning them all. Cross-site contamination is one of the leading causes of reinfection. I recommend that every website owner isolate their hosting and web accounts.
Check the integrity of your core WordPress files. Most of the core WordPress files should never be modified. If the integrity of your core WordPress files has been compromised, use the backup to reinstall them. If you don’t know how to perform these actions manually, you should hire a professional to perform these tasks for you.
You can also review the list of recent user logins to check whether passwords have been stolen or new users have been created.
2. Remove Hack
Now that you have identified malware locations and compromised users, you can remove malware from WordPress and restore your website to a clean state. The best way to identify hacked files is by comparing the current state of the site with an old and clean backup. If a backup is available, you can use it to compare the two versions and identify what has been modified.
If the infection is in your core files you can easily fix it manually. Follow the steps given below:
- Log in to your server via SFTP or SSH
- Create a backup of the site before making changes
- Identify recently changed files
- Confirm the date of changes with the user who changed them.
- Restore suspicious files with copies from the official WordPress repository.
- Open any custom or premium files (not in the official repository) with the text editor.
- Remove any suspicious code from the custom files.
- Test to verify the site is still operational after changes.
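The core-file integrity check and the backup comparison described above can be done by content hash rather than by eye. This is an added example, not part of the original article; the function names `hash_tree`, `compare_trees` and `make_demo_trees` and the sample trees are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: diff a live WordPress tree against a clean reference copy
# (an old backup or a fresh official download) by SHA-256 content hash.

# hash_tree DIR -> "<sha256>  ./relative/path" for every regular file
hash_tree() (
    cd "$1" || exit 1
    find . -type f -exec sha256sum {} +
)

# compare_trees CLEAN LIVE -> "<ADDED|MODIFIED|MISSING> <path>", sorted
compare_trees() (
    clean_list=$(mktemp); live_list=$(mktemp)
    hash_tree "$1" > "$clean_list"
    hash_tree "$2" > "$live_list"
    awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }  # keeps spaces in paths
        FILENAME == ARGV[1] { clean[path] = hash; next }
        !(path in clean)    { print "ADDED", path; next }
        { seen[path] = 1; if (clean[path] != hash) print "MODIFIED", path }
        END { for (p in clean) if (!(p in seen)) print "MISSING", p }
    ' "$clean_list" "$live_list" | LC_ALL=C sort
    rm -f "$clean_list" "$live_list"
)

# Constructed sample trees: placeholder files, not real WordPress code.
make_demo_trees() (
    mkdir -p "$1/clean/wp-includes" "$1/live/wp-includes" "$1/live/wp-content/uploads"
    echo '<?php // front controller' > "$1/clean/index.php"
    echo '<?php // version info'     > "$1/clean/wp-includes/version.php"
    echo '<?php // loader'           > "$1/clean/wp-includes/load.php"
    cp "$1/clean/wp-includes/version.php" "$1/live/wp-includes/version.php"
    echo '<?php // loader + injected line' > "$1/live/wp-includes/load.php"
    echo '<?php // core-like name, wrong directory' > "$1/live/wp-content/uploads/wp-load.php"
)

demo=$(mktemp -d)
make_demo_trees "$demo"
compare_trees "$demo/clean" "$demo/live"
rm -rf "$demo"
```

When the reference is a fresh official download, entries such as wp-config.php and uploaded media show up as ADDED and are expected. The entries to review first are MODIFIED core files and ADDED .php files in directories that should not contain code.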
To remove the infection from your site’s database, follow the steps given below:
- Log into your database admin panel.
- Make a backup of the database before making changes.
- Search for suspicious content (e.g. spammy keywords, links).
- Open the table that contains suspicious content.
- Manually remove suspicious content.
- Test to verify the site is still operational after changes.
- Remove any database access tools you may have uploaded.
Beginners can also use the payload information provided by the malware scanner. Intermediate users can also look for common malicious PHP functions, such as eval, base64_decode, gzinflate, preg_replace etc.
If you notice any unfamiliar WordPress users, remove them so the hackers no longer have access. I recommend having only one admin user and setting other user roles to the least amount of privilege needed (e.g. Contributor, Author, Editor etc).
To manually remove suspicious users from WordPress:
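A search for the PHP functions listed above can be scripted so that every file in the tree is triaged the same way. This is an added example, not part of the original article; `scan_php`, `make_php_samples`, the HIGH/REVIEW labels and the sample files are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: triage PHP files by the functions the article lists.
# Hits are leads for manual review; clean plugins call preg_replace too.

# scan_php DIR -> "<HIGH|REVIEW> <path> <function@line>..." per flagged file.
# HIGH: eval shares a file with a decoder (base64_decode or gzinflate).
scan_php() (
    cd "$1" || exit 1
    find . -type f -name '*.php' -exec awk '
        function report(   level) {
            if (hits == "") return
            level = (ev && dec) ? "HIGH" : "REVIEW"
            print level, file hits
        }
        FNR == 1 { report(); file = FILENAME; hits = ""; ev = dec = 0 }
        {
            line = tolower($0)      # PHP function names are case-insensitive
            while (match(line, /(eval|base64_decode|gzinflate|preg_replace)[ \t]*\(/)) {
                name = substr(line, RSTART, RLENGTH)
                sub(/[ \t]*\($/, "", name)
                prev = (RSTART > 1) ? substr(line, RSTART - 1, 1) : ""
                if (prev !~ /[A-Za-z0-9_]/) {   # ignore names like medieval(
                    hits = hits " " name "@" FNR
                    if (name == "eval") ev = 1
                    if (name ~ /^(base64_decode|gzinflate)$/) dec = 1
                }
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END { report() }
    ' {} + | LC_ALL=C sort
)

# Constructed sample tree: inert placeholder files, not real malware.
make_php_samples() (
    mkdir -p "$1/wp-content/uploads" "$1/wp-content/plugins/forms" "$1/wp-includes"
    printf '%s\n' '<?php' 'eval(gzinflate(base64_decode("CONSTRUCTED")));' \
        > "$1/wp-content/uploads/wp-load.php"
    printf '%s\n' '<?php' '$slug = preg_replace("/[^a-z]/", "", $name);' \
        > "$1/wp-content/plugins/forms/clean.php"
    printf '%s\n' '<?php' 'function retrieval($x) { return medieval($x); }' \
        > "$1/wp-includes/history.php"
)

demo=$(mktemp -d)
make_php_samples "$demo"
scan_php "$demo"
rm -rf "$demo"
```

The scan matches text, so a function name inside a comment or string is reported as well; open each flagged file before changing it.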
- Backup your site and database before proceeding
- Log into WordPress as an admin and click Users
- Find the suspicious new user account.
- Hover over the suspicious user and click Delete.
If you believe any of your user accounts is compromised, you can reset its password. Hackers generally leave a backdoor behind so they can get back into your site. Backdoors are often found in files named similarly to WordPress core files but located in the wrong directories. Backdoors commonly include the following PHP functions
It is critical that all backdoors are closed to successfully clean a WordPress hack, otherwise your site will be reinfected quickly.
Removing the hack is not the final step. You will have to fix the issues that caused WordPress to be hacked in the first place. You will have to take essential steps in order to enhance the performance of your WordPress site.
Out-of-date software is one of the leading causes of infections. This includes your CMS version, plugins, themes and any other extension types. Potentially compromised credentials should also be reset to ensure you are not infected. To manually apply updates in WordPress, follow the steps below:
- Log into your server via SFTP or SSH.
- Backup your website and database (especially customized content).
- Manually remove the wp-admin and wp-includes directories.
- Replace wp-admin and wp-includes using copies from the official WordPress repository.
- Manually remove and replace plugins and themes with copies from official sources.
- Log into WordPress as an admin and click Dashboard > Updates.
- Apply any missing updates.
- Open your website to verify it is operational.
It is critical that you change passwords for all access points. This includes WordPress user accounts, FTP/SFTP, SSH, cPanel and your database.
That’s all for today. Stay tuned for the next tutorial.