Fixing a Hacked WordPress Site

The WordPress content management system (CMS) has become one of the preferred methods for creating websites, particularly for those who want to create a site without needing to learn coding. WordPress is loved by fans around the world for its versatility and flexible customization options. But that same popularity has also made WordPress installations increasingly attractive targets for hackers looking to cause mischief and mayhem.

If your site is hacked, your customer data is in danger, and content can be vandalized or even destroyed. And every second your site is down costs you time, customers, and credibility. Whether you’re a seasoned webmaster or a WordPress neophyte, tackling a hacked site—and taking steps to help prevent future attacks—is critical to protecting your site and your business.

How WordPress Sites Get Hacked

While the main WordPress application is relatively resistant to hacking efforts, it’s important that it be kept up to date. Having an out-of-date WordPress installation is the number one vulnerability to hacking attacks.

The same plug-ins, themes, and other add-ons that make WordPress so flexible and powerful also leave it open to attack. Themes and extensions are both vulnerable to a variety of attacks.

  • Backdoor Attacks: Hackers can take advantage of poorly-coded themes and plugins, or an out-of-date WordPress installation, to gain access to your site. Backdoors are a serious threat to your site, because a hacker with access to the administration area of your site can not only damage your site, but push malicious code to your visitors.
  • Redirect Attacks: In a redirect attack, the hacker forcibly re-routes traffic from your site to a malicious one. Malicious sites can be full of questionable content, steal personal info, or install malware or viruses on visitors’ systems. Redirects are related to backdoor attacks in that many hackers will use custom software to scan WordPress sites for vulnerabilities, gain access, and set up the redirect.
  • Script Injections: This hack takes advantage of vulnerabilities in your site’s code that allow forms (e.g., the WordPress login form) to pull information directly from their associated database(s). Once installed, injected scripts often attempt to install software on a visitor’s own machine by spoofing, or pretending to be, a legitimate application. One of the most common schemes is a pop-up that says the user’s machine is infected and must be “scanned.”

Repairing A Hacked WordPress Site

Regardless of how your site has been compromised, once you discover the hack, your most important goals are to repair your site, remove the damage, and prevent it from happening again.

Fixing the Hack

The first thing you should do is take down your site for repairs. If you’re not familiar with the WordPress backend, be sure to consult your hosting provider for specific instructions on restoring your site on their systems.

In order to take your site offline but retain access to your content, you’ll need to access and change the passwords you (and WordPress) use to access your database files. These files store all your content (but not your media, themes, or plug-ins). You can generally access these passwords through your hosting control panel. Take careful note of the specific information (your user name, password, database name, host, and table prefix). All of this information is necessary to connect your database to your new WordPress installation.

Note: You’ll also need to update your wp-config.php file to reflect your password changes. If you’re not comfortable editing PHP files, contact your host, a WordPress developer, or WordPress itself for assistance.

Now it’s time to take down the site itself. This is most easily accomplished by renaming the directory where you’ve installed WordPress to something like “yoursite.old” (ask your host or IT staff for assistance if you’re not familiar with this process or comfortable doing so). Create a new folder with the same name as the folder you just renamed (e.g., “yoursite”).

Your site is now offline, and the old WordPress installation is isolated. This is a critical step, because if you leave the site up, another hacking attack could infiltrate your site through the same or even a different vulnerable point.

It’s also important to make sure the hack is limited to your site, and not the entire Web server. A repaired site on an infected server is a tempting target for future attacks. Be sure to speak with your hosting provider to get any and all information about potential hacks.

NOTE: This is most relevant if you have a shared hosting plan, since other sites likely share the same server and may be the source of the infection. Most Virtual Private Server (VPS) hosting accounts run in their own memory space, and dedicated hosting plans give you full control over your Web server, but it’s still wise to scan both your site and the server.

Once you’re ready to clean up your site:

  1. Let customers, employees, and anyone else with access to the site know about the hacking, and keep them posted with your progress during repairs. Putting up a plain text, placeholder homepage explaining your site is down for repairs will minimize confusion and let your visitors know you’re on top of the situation.
  2. Using FTP or a logging application, retrieve your site and server logs for info on how the hackers accessed your WordPress installation (if you don’t have access to your entire server’s logs, contact your hosting provider for more info).
  3. Back up your current installation on a separate drive or backup location. You may want to examine your files later to learn more about how the hack happened.
  4. Scan and clean your backed-up database and other content with malware and virus scanning software.
  5. Uninstall all your themes and plug-ins. These are the weak points in most WordPress installations, and you want to start with a clean slate.
  6. Install a fresh copy of WordPress in the new directory you created. You may need to uninstall the old version if you used your hosting provider’s one-click install application (Fantastico, Softaculous, etc.) before installing to the new directory.
  7. Review your existing database (which contains all your content) using phpMyAdmin or another database management tool, keeping an eye out for suspicious code, e.g., super-long strings of hex code or preg_replace("/.*/e". Your database is less likely to harbor malware or infections than your themes and plug-ins, but it pays to be thorough.
  8. Make sure your .htaccess file is intact, and make sure no other copies are present in your backup file.
  9. Connect your new WordPress installation with your existing database (this is how you will retrieve your content). Your hosting provider can walk you through this process, depending on whether or not your database was salvageable and where it is located on your Web server. You may need to upload it from your backup (once it’s passed muster and is known to be clean of infection).
  10. Set up a new administrator account, set it to inherit all permissions from the current administrator account, and then delete the current account.
  11. Adjust access permissions on your files and folders to the most restrictive level that still permits normal site use by visitors.
  12. Log into WordPress with the default theme. If your content appears, and the hack is absent, congratulations—you’re ready to customize your site once more.
  13. Download and reinstall your theme and plug-in files directly from the Admin Dashboard in WordPress. It is extremely important that you use only fresh copies, as the old ones may have had their code altered by hackers.
  14. Restore any media files by uploading your backup file of the old wordpress/uploads folder (again, making sure it contains no suspicious code or content). Hackers love to put rogue files in this directory, so if you don’t have a lot of images or other media, you may be better off re-uploading them from offline sources and scrapping the /uploads directory altogether.
  15. Disable any and all PHP files from executing in your /uploads folder, which is generally the only folder in most WordPress site installs that needs to be write-enabled from the browser. You can do this from your hosting control panel, and doing so will help prevent future shenanigans if hackers do place malicious code in that directory.
  16. Thoroughly document the incident, including all information you gathered from the logs, in order to create a reference for (and to help prevent) future incidents.
  17. Test your site. If your content, theme, and plug-ins are all working normally, you’re ready to go!
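
The file checks in steps 7, 8 and 14 can be run over the backup in one pass. The Python script below is an added example, not part of the original article: it flags the two strings step 7 names, extra .htaccess copies, and PHP files under an uploads directory. The hex-length thresholds, the extension lists and the sample tree in demo() are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

PHP_EXT = {".php", ".phtml", ".php5"}
TEXT_EXT = PHP_EXT | {".sql", ".js", ".html", ".htm"}
# "Super-long" is not quantified in the article; these thresholds are assumptions.
HEX_RUN = re.compile(rb"(?:\\x[0-9a-fA-F]{2}){40,}|[0-9a-fA-F]{200,}")
# preg_replace() with the /e modifier; \\? allows quotes escaped in a SQL dump.
PREG_E = re.compile(rb'preg_replace\s*\(\s*\\?(["\'])(.)[^"\']*?\2[a-zA-Z]*e[a-zA-Z]*\\?\1')

def scan_backup(root):
    """Return sorted (relative_path, reason) pairs that need manual review."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath, name)
            rel, ext = full.relative_to(root).as_posix(), full.suffix.lower()
            if name == ".htaccess" and rel != ".htaccess":      # step 8
                findings.append((rel, "extra .htaccess"))
            if "/uploads/" in "/" + rel and ext in PHP_EXT:     # step 14
                findings.append((rel, "PHP file in uploads"))
            if ext not in TEXT_EXT:
                continue
            data = full.read_bytes()
            if PREG_E.search(data):                             # step 7
                findings.append((rel, "preg_replace with /e modifier"))
            if HEX_RUN.search(data):                            # step 7
                findings.append((rel, "long hex string"))
    return sorted(findings)

def demo():
    sample = {  # constructed tree standing in for a backup, not real site files
        ".htaccess": b"# BEGIN WordPress\n",
        "db-dump.sql": b"INSERT INTO wp_posts VALUES ('" + b"4f" * 120 + b"');\n",
        "wp-content/uploads/2013/.htaccess": b"# constructed\n",
        "wp-content/uploads/2013/thumb.php": b'<?php preg_replace("/.*/e", $a, $b);\n',
        "wp-includes/pluggable.php": b'<?php $s = preg_replace("/\\s+/i", " ", $s);\n',
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in sample.items():
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(body)
        return scan_backup(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Each finding is a lead for manual review rather than proof of infection.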

If you’re not comfortable tackling all or any of the restoration process yourself, many hosting providers have on-demand assistance plans. You can also hire a professional WordPress management and restoration service to get you back on your virtual feet.

Protecting Your Site from Future Hacks

WordPress is very flexible and powerful, but it can also be a very complex environment to maintain, let alone repair. By taking a few basic precautions, you can help protect your WordPress site from hacker attacks.

  • Back up your data. Backing up your site can save the day when things go wrong, and bringing a hacked site back to life is infinitely easier if you don’t have to re-create lost content. Your hosting provider may offer backup services as a part of their hosting packages or as an add-on service. In addition, you’ll probably want to keep your own backups offline for extra peace of mind.
  • Take advantage of managed hosting. Not every webmaster has the time to become a WordPress guru, or needs to do so. Invest in a host that specializes in WordPress management, or add a third-party WordPress management service. It might seem pricey at first, but it’s most likely a bargain compared to the costs of having your site down, your content destroyed, or your customers’ sensitive information compromised.
  • Monitor your website and server. Even non-WordPress specialists generally offer monitoring tools and services in their hosting control panels. Using these tools helps you monitor site and server traffic. Many hosts also offer premium support plans and monitor traffic, track file and page changes, and keep your software and security updated.
  • Keep unnecessary files and user accounts to a minimum. Hackers are masters of manipulating forgotten files or accounts for their nefarious purposes. Whether it’s testing environments, extra databases, or test accounts for users, keep things neat and delete files when they’re no longer needed.
  • Tighten up your security. Set your server access to secure FTP (SFTP) or Secure Shell (SSH). Use a password generator to create strong passwords, and change them regularly. Limit administrator accounts and keep a tight rein on access permissions for all users.

Chances are, you’ve got enough on your plate just managing your site and running your business—you don’t need to add dealing with hackers to your list. When your site is compromised, every second you’re out of commission can cost you plenty. But by taking the time to keep your WordPress files, themes and plug-ins updated, and taking advantage of the wealth of management services at your disposal, you can keep hackers at arm’s length and your attention where it belongs—on your site.

You’ve Been Hacked

When recovering a website that’s been hacked it’s a good idea to check several resources to make sure you’ve not only fully recovered your site, but also found all suspicious code and files, and put in place safeguards to prevent a recurrence. We’ve provided our recommendations and suggestions on recovering your hacked website, but there are many other great resources out there you should also check out. Below you’ll find two of the best general guides for recovering a hacked WordPress site that we could find.

WordPress Codex: FAQ My Site Was Hacked

Identify a Hacked Site

A majority of website owners with hacked sites don’t realize their sites have been hacked. That seems crazy until you think about the fact that the most common hacks are simple redirects, backlink insertion, spamming, and other relatively low-profile activity. Simply visiting the home page might not immediately cause the hack to manifest itself, since many hacked sites haven’t been hijacked to the point that the hacks are painfully obvious. So how do you know if your site has been hacked? There are tools you can use to help confirm that your site is clean, or give you the heads-up if you have a problem to address.

Use a Plugin

Once you’ve cleaned up a hacked site it’s a good idea to find a plugin that will scan all WordPress files for compromises you may not have caught. One such plugin is called Wordfence. There are others on the market, and you should do some research before running this type of plugin since you’re giving it pretty advanced access to your website backend. The following guide to using Wordfence also includes a lot of great information about manual site cleaning methods you should go through before giving a site cleanup plugin a spin.

Wordfence Documentation: How to Clean a Hacked WordPress Site Using Wordfence

Close the Backdoor

Smart hackers, and we hate to admit that there is such a thing, will often leave a backdoor script that will let them back into a WordPress site after you’ve cleaned up, allowing them to wreak havoc all over again.

Finding the backdoor script and removing it is a critical step to completing the hack recovery process. But, how do you find the backdoor script? The script will often be disguised and named to look like it belongs, and may be buried in a completely random directory.
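
One way to find a script that is named to look like it belongs is to compare the isolated installation against a fresh download of WordPress. This Python example is added here and is not from the original article; it assumes both trees are the same WordPress release, and the file names and contents in demo() are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin/", "wp-includes/")

def tree_hashes(root):
    """Map each file's relative path (POSIX style) to its SHA-256 digest."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath, name)
            rel = full.relative_to(root).as_posix()
            hashes[rel] = hashlib.sha256(full.read_bytes()).hexdigest()
    return hashes

def diff_against_fresh(old_root, fresh_root):
    """Report core files in old_root that the fresh copy lacks or that differ."""
    old, fresh = tree_hashes(old_root), tree_hashes(fresh_root)
    report = {"added": [], "modified": []}
    for rel in sorted(old):
        # Core code is the top-level files plus wp-admin/ and wp-includes/;
        # wp-content/ legitimately differs per site and is reviewed separately.
        if "/" in rel and not rel.startswith(CORE_DIRS):
            continue
        if rel not in fresh:
            report["added"].append(rel)
        elif old[rel] != fresh[rel]:
            report["modified"].append(rel)
    return report

def demo():
    # Constructed miniature trees; file names and contents are placeholders.
    fresh = {"index.php": b"<?php // a\n", "wp-includes/load.php": b"<?php // b\n"}
    old = {**fresh,
           "wp-includes/load.php": b"<?php // b\n// altered line\n",
           "wp-includes/class-wp-cache-old.php": b"<?php // stand-in\n",
           "wp-content/themes/mytheme/style.css": b"body {}\n"}
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        for root, tree in ((a, old), (b, fresh)):
            for rel, body in tree.items():
                path = Path(root, rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_bytes(body)
        return diff_against_fresh(a, b)

if __name__ == "__main__":
    print(demo())
```

On a real site, expect wp-config.php and .htaccess under "added", since a fresh download contains neither; read those two by hand.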

Take It One Step At a Time

If your website is hacked there are many different things that may have gone wrong, each calling for a different response. Recovering a hacked website is not a “one-size-fits-all” proposition. That’s why it often makes sense to work through a site recovery process from the most likely and easily corrected scenarios to the more unlikely and challenging scenarios. The following guides will walk you through this type of process beginning with some general housecleaning.

SoloStream: Introduction & Housecleaning

If general housecleaning doesn’t take care of the issue the next step is to focus on your database.

SoloStream: Database Modification & WP Admin

With housecleaning complete, and your database intact, it’s time to find, install, and activate plugins that will help prevent a recurrence of your security nightmare.

SoloStream: Plugins to Make Your Life Easier

Secure Your WordPress Site

Once you’ve recovered a hacked website you will need no convincing of the importance of protecting your site from future compromises.

If your website is vital to your business, then it is critical to carefully and skillfully protect it from hacking and other attacks.

If you don’t have the time to harden your WordPress security, you may want to consider a website protection service such as Sucuri Security, which monitors for hacks and viruses and can fix hacked WordPress installs as well.

If you can’t afford 3rd party protection, there are many steps you can take to make your WordPress site more secure, and we’ve pulled together the best recommendations and tools on the web.
