When it comes to WordPress, “hacked” is never a word you want to hear. Unfortunately, it happens more often than you think. According to Sucuri’s latest Hacked Website report, WordPress infections rose from 74% in 2016 Q3 to 83% in 2017.
You’re likely aware of the consequences: loss of search engine rankings, exposing site visitors to malware, a damaged reputation due to redirects to bad-neighbourhood sites or, worse, loss of all your site’s data.
So, suppose you find yourself in a worst-case scenario and your site or one of your client’s WordPress sites gets hacked. What do you do?
This infographic from Sucuri outlines the steps to follow to remove malware and fix a hacked WordPress site.
For a more in-depth version, read on as we walk you through the steps to follow to identify and clean a WordPress hack. We’ll also share some valuable tips on how to secure WordPress to prevent further attacks.
The first thing you need to do is to scan your website to find the hack.
There are lots of tools you can use to scan sites remotely and find malicious payloads and malware locations.
Sucuri’s free WordPress plugin is a great solution that helps to scan your site and find malicious payloads, malware locations, security issues, and blacklist status with major authorities.
If the site is found to be infected, you’ll get a warning message with further details, including payloads and blacklist warnings.
If the remote scanner can’t find a payload, don’t stop there. If you have the plugin installed, you can manually review the iFrames/Links/Scripts tab of the Malware scan to look for suspicious activity.
If you’re running multiple client sites on the same server, make sure to scan all of them using SiteCheck or whichever security tool you prefer.
Next, you’ll need to check and make sure that no core WordPress files have been modified in the wp-admin, wp-includes, and root folders.
A quick way to do this is to use the diff command in the terminal to compare your files against a clean copy of the same WordPress version. Another option is to manually check your files via SFTP. If you choose this option to check for malware, we’d recommend using FTPS/SFTP/SSH rather than an unencrypted FTP client.
If you discover that no core files have been modified, then you can move on to the next step.
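The diff check described above, written out as an added example (the editor’s, not the page’s or Sucuri’s): a shell function that compares a site’s wp-admin, wp-includes and root files against a clean copy of the same release, skipping wp-config.php and wp-content because they legitimately differ. The clean copy is assumed to be an unpacked release archive; the demo below runs on a small constructed fixture instead of a real install.

```shell
#!/bin/sh
# Compare a WordPress install against a clean copy of the same release.
# Prints "MODIFIED <path>" for core files whose content differs and
# "EXTRA <path>" for files that exist only in the site (a common place for
# dropped backdoors). wp-config.php and wp-content/ are skipped because
# they legitimately differ from the release archive.
compare_core_files() {
    clean_dir=$(cd "$1" && pwd)
    site_dir=$2
    (
        cd "$site_dir" || exit 1
        find . -type f ! -path './wp-content/*' ! -name wp-config.php | sort |
        while IFS= read -r f; do
            if [ ! -f "$clean_dir/$f" ]; then
                echo "EXTRA ${f#./}"
            elif ! cmp -s "$clean_dir/$f" "$f"; then
                echo "MODIFIED ${f#./}"
            fi
        done
    )
}

# Constructed fixture standing in for a real release and site: one core
# file altered, one file dropped next to core files, and a wp-config.php
# and an upload that differ legitimately and must not be reported.
build_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/clean/wp-includes" "$root/site/wp-includes" "$root/site/wp-content/uploads"
    echo '<?php // clean loader' > "$root/clean/wp-includes/load.php"
    echo '<?php // clean index' > "$root/clean/index.php"
    cp "$root/clean/index.php" "$root/site/index.php"
    echo '<?php // loader with an injected line' > "$root/site/wp-includes/load.php"
    echo '<?php // not part of any release' > "$root/site/wp-includes/wp-loader.php"
    echo '<?php // site-specific config' > "$root/site/wp-config.php"
    echo '<?php // user upload' > "$root/site/wp-content/uploads/x.php"
    echo "$root"
}

# Usage on a real site: compare_core_files /path/to/clean/wordpress /var/www/site
fixture=$(build_fixture)
compare_core_files "$fixture/clean" "$fixture/site"
rm -rf "$fixture"
```

Every EXTRA file is a candidate for removal and every MODIFIED file for replacement with the release copy, after you have read the difference with diff.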
Another way to find hacked files is to take a closer look at the new or recently modified files.
Here’s how you can manually check recently modified files:
$ find ./ -type f -mtime -15
Make a note of any files that have been recently modified as you’ll need them later in the process.
If you’re using terminal commands on Linux, here’s how you can check for recently modified files:
$ find /etc -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r
$ find /etc -printf '%TY-%Tm-%Td %TT %p\n' | sort -r
When a WordPress website gets hacked, it usually doesn’t take long for Google to blacklist it to prevent it from showing up in its search results and protect its users.
So the next step is to check and see if Google has issued any security warnings for your website.
Use Google’s Safe Browsing status tool to check the security status of your website.
All you need to do is enter your site URL and press Enter; Google will return further information about your site’s status, including information about malicious redirects, spam and downloads.
While this is a quick solution, a better one would be to sign up for Google Search Console. It’s free and you’ll get access to lots of useful reports and information about your site’s security and performance.
Now that you’ve managed to find the hacked files, it’s time to remove them and restore your WordPress website to a clean state.
If the malware is in your WordPress core files or plugins, you can fix it manually. However, make sure you don’t overwrite your wp-config.php file or wp-content folder.
If you have access to a recent backup that’s not infected, that can be very helpful as you can simply replace the infected files with the ones from your backup.
If you don’t have a recent backup, you’ll need to replace the hacked files with fresh copies.
Now, to manually remove a malware infection from your WordPress site files, follow these steps:
To remove a malware infection from your site database, you’ll need to use your database admin panel to connect to the database. There are lots of tools you can use for this, including Search-Replace-DB and Adminer.
Follow these steps to manually remove a malware infection from your database tables:
Take a look at your WordPress users list and immediately remove any suspicious or unfamiliar users. As a precaution, we suggest having only one admin user and limiting the rights or privileges of other users such as editors, authors and contributors.
Now, before you start removing any suspicious users, make sure to backup your website and database. Then simply go to your WordPress users list and delete any users you deem suspicious.
At the same time, if you believe one or more of your legitimate user accounts have been hacked, we recommend resetting their passwords. You can easily do that with the Sucuri plugin.
Hackers are smart. They almost always leave a way to get back into your website, just in case they get caught. This means you’ll need to find those backdoors and prevent them from coming back and hacking your WordPress site yet again.
Usually, backdoors are embedded in files that have similar names to WordPress core files. The difference is that they’re usually located in the wrong directories. Hackers can also inject backdoors into files like wp-config.php or directories like /uploads, /plugins and /themes.
Look for the following PHP functions to find backdoors:
Since it’s possible that these functions are used legitimately by plugins, make sure to back up the site and to test that it works properly after removing any of them.
Take your time with this step because if you don’t close all backdoors, your site can be reinfected very quickly.
As part of this, look into disabling xmlrpc.php as well. Read more about it on WPMU DEV.
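The function search described above, as an added example (the editor’s, not the page’s or Sucuri’s): a shell function that lists PHP files calling functions commonly used to hide or execute injected code. The page’s own function list is not reproduced here, so the names in the pattern are the editor’s choice, and the fixture files are constructed; a hit is a lead for manual review, not proof of a backdoor.

```shell
#!/bin/sh
# List PHP files under a directory that call functions often used to hide
# or execute injected code. Output is "<matching-lines> <path>", densest
# file first. The function names are the editor's own list (the page's
# list is not reproduced here); a hit is a lead for manual review, since
# plugins use several of these legitimately.
find_suspicious_php() {
    dir=$1
    # Word boundary on the left and an opening parenthesis on the right,
    # so "evaluate(" or a comment mentioning eval without a call do not match.
    pattern='(^|[^A-Za-z0-9_])(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13|create_function|system|exec|shell_exec|passthru|popen|proc_open)[[:space:]]*\('
    find "$dir" -type f -name '*.php' -exec grep -Ec "$pattern" /dev/null {} + |
        awk -F: '$NF > 0 { printf "%s %s\n", $NF, substr($0, 1, length($0) - length($NF) - 1) }' |
        sort -rn
}

# Constructed fixture: two files that should be flagged and a clean one.
# The encoded string is inert and just decodes to "hello".
build_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads" "$root/wp-content/plugins/demo"
    printf '<?php eval(base64_decode("aGVsbG8="));\n' > "$root/wp-content/uploads/wp-image.php"
    printf '<?php\n$x = gzinflate($y);\nsystem ($z);\n' > "$root/wp-content/plugins/demo/loader.php"
    printf '<?php\necho "clean";\n$s = evaluate($t);\n' > "$root/index.php"
    echo "$root"
}

# Usage on a real site: find_suspicious_php /var/www/site
fixture=$(build_fixture)
find_suspicious_php "$fixture"
rm -rf "$fixture"
```

Files under /uploads that contain any PHP at all deserve a look regardless of the count, since that directory should hold media, not code.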
If your WordPress site was blacklisted by Google, you’ll need to request a review after you’ve managed to remove all malware and clean up your site.
Here’s how you can do that:
To remove the blacklist warning, you’ll need to let Google know that you have completely cleared the infection. For that, you’ll need to create a Google Search Console account, if you’re not using one already. Then follow the steps in this guide to request a review from Google.
You should also submit review requests to other search engines and web spam authorities like Bing, Yandex and McAfee.
Fixing a hacked WordPress website takes time. You don’t want to go through this process every couple of months, do you?
So the next step is to enhance the security of your website to make sure this never happens again.
You know what’s one of the leading causes of infections? Out-of-date software.
So, if there’s one thing you need to take care of immediately, it’s updating everything: the CMS itself, plugins, themes, and any other extensions you’re using on your site.
To manually apply updates in WordPress, follow these steps:
Also, make it a habit to change passwords for all access points, including WordPress user accounts, FTP/SFTP, SSH, cPanel, and your database. Keep the number of admins to a minimum and limit users’ access to only the features they need to do their jobs.
As an extra security step, you can force active users to log off by resetting WordPress secret keys. This is important because if a hacker has a session cookie, they can retain access to a website even after a password is reset.
To generate new secret keys, follow these steps:
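The page’s own steps are not reproduced here; as an added example (the editor’s, not the page’s or Sucuri’s), here is the same rotation done by hand: a shell function that replaces the eight keys and salts in wp-config.php with fresh random values generated locally, keeps a backup of the old file, and is run below against a constructed wp-config.php with the stock placeholder values.

```shell
#!/bin/sh
# Replace the eight WordPress keys and salts in a wp-config.php with fresh
# 64-character random values generated locally from /dev/urandom. Cookies
# are signed with these values, so every existing login session stops
# validating. The previous file is kept as wp-config.php.bak.
WP_KEYS='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

new_secret() {
    # 48 random bytes -> 64 base64 characters, no '=' padding
    head -c 48 /dev/urandom | base64 | tr -d '\n'
}

rotate_salts() {
    cfg=$1
    cp "$cfg" "$cfg.bak"
    for k in $WP_KEYS; do
        s=$(new_secret)
        # base64 output never contains '|' or '&', so this sed is safe; the
        # quote before the name keeps AUTH_KEY from matching SECURE_AUTH_KEY
        sed "s|define( *'$k', *'[^']*' *);|define('$k', '$s');|" "$cfg" > "$cfg.tmp" &&
            mv "$cfg.tmp" "$cfg"
    done
}

# Return the current value of one key, for verifying the rotation.
get_secret() {
    sed -n "s|.*define( *'$1', *'\([^']*\)' *);.*|\1|p" "$2"
}

# Constructed wp-config.php with the stock placeholder values plus one
# unrelated define that must survive untouched.
build_fixture() {
    cfg=$(mktemp)
    for k in $WP_KEYS; do
        echo "define( '$k', 'put your unique phrase here' );" >> "$cfg"
    done
    echo "define( 'DB_NAME', 'wordpress' );" >> "$cfg"
    echo "$cfg"
}

# Usage on a real site: rotate_salts /var/www/site/wp-config.php
fixture=$(build_fixture)
rotate_salts "$fixture"
get_secret AUTH_KEY "$fixture"
rm -f "$fixture" "$fixture.bak"
```

Rotate the keys after the passwords have been changed, so that a stolen session cookie cannot outlive the password reset.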
To make sure all your plugins are fully functional and malware-free, we’d suggest reinstalling them. At the same time, if you have plugins that you no longer use or that are outdated or deactivated, we highly recommend removing them from your web server.
If you’re using Sucuri’s WordPress plugin, you can do that in a few simple steps:
To prevent any further attacks in the future, you’ll need to take some steps to reduce the entry points for attackers.
Here’s how you can harden WordPress using the Sucuri plugin:
Backups are critical to recovering your site after an attack. So make it a habit to backup your WordPress site to ensure you always have a safe copy in case of a malware infection.
Here are some tips to keep in mind:
You probably already know that a hacker only needs to infect one of your users’ computers to get access to your WordPress dashboard.
So ask your users to run a scan on their operating systems using a reputable antivirus program like Malwarebytes, Avast, Avira (free) or BitDefender, Kaspersky, F-Secure (paid).
Consider using a website firewall to protect your website. Why? Because it can:
No matter how secure your site or your clients’ websites are, there is always a chance that they may get hacked. Fortunately, you now have the information you need to not only spot potential security flaws and clean up your WordPress website but also to prevent a future breach.