When it comes to WordPress, “hacked” is never a word you want to hear. Unfortunately, it happens more often than you think. According to Sucuri’s latest Hacked Website report, WordPress infections rose from 74% in 2016 Q3 to 83% in 2017.
You’re likely aware of the consequences: loss of search engine rankings, exposing site visitors to viruses, damaged reputation due to redirects to bad neighbourhood sites or worse, loss of the entire site data.
So, suppose you find yourself in a worst-case scenario and your site or one of your client’s WordPress sites gets hacked. What do you do?
This infographic from Sucuri outlines the steps to follow to remove malware and fix a hacked WordPress site.
For a more in-depth version, read on as we walk you through the steps to follow to identify and clean a WordPress hack. We’ll also share some valuable tips on how to secure WordPress to prevent further attacks.
Step 1: Identify the hack
1.1 Scan your website
The first thing you need to do is to scan your website to find the hack.
There are lots of tools you can use to scan sites remotely and find malicious payloads and malware locations.
Sucuri’s free WordPress plugin is a great solution that helps to scan your site and find malicious payloads, malware locations, security issues, and blacklist status with major authorities.
If the site is found to be infected, you’ll get a warning message with further details, including payloads and blacklist warnings.
If the remote scanner can’ find a payload, don’t stop there. If you have the plugin installed, you can manually review the iFrames/Links/Scripts tab of the Malware scan to look for suspicious activity.
If you’re running multiple client sites on the same server, make sure to scan all of them using SiteCheck or whichever security tool you prefer.
1.2 Review core file integrity
Next, you’ll need to check and make sure that no core WordPress files have been modified in the wp-admin, wp-includes, and root folders.
A quick way to do this is to use the
diff command in terminal. Another option is to manually check your files via SFTP. If you choose this option to check for malware, we’d recommend using FTPS/SFTP/SSH rather than unencrypted FTP client.
If you discover that no core files have been modified, then you can move on to the next step.
1.3 Review new or recently modified files
Another way to find hacked files is to take a closer look at the new or recently modified files.
Here’s how you can manually check recently modified files:
- Log into your server using an FTP client or SSH terminal.
- If you’re using SFTP, review the last modified date column for all files on the server.
- If you’re using SSH, you can get access to all the files that have been modified in the last 15 days by using this command:
$ find ./ -type f -mtime -15
Make a note of any files that have been recently modified as you’ll need them later in the process.
If you’re using terminal commands on Linux, here’s how you can check for recently modified files:
- Type in your terminal:
$ find /etc -type f -printf '%TY-%Tm-%Td %TT %pn' | sort -r .
- To see directory files, type in your terminal:
$ find /etc -printf '%TY-%Tm-%Td %TT %pn' | sort -r .
- Unfamiliar changes in the last 7-30 days may be suspicious so make sure to review them.
1.4 Check diagnostic pages
When a WordPress website gets hacked, it usually doesn’t take long for Google to blacklist it to prevent it from showing up in its search results and protect its users.
So the next step is to check and see if Google has issued any security warnings for your website.
Use Google’s Safe Browsing status tool to check the security status of your website.
All you need to do is to enter your site URL, click enter and Google will return further information about your site’s status, including information about malicious redirects, spam and downloads.
While this is a quick solution, a better one would be to sign up for Google Search Console. It’s free and you’ll get access to lots of useful reports and information about your site’s security and performance.
Step 2: Remove the hack
Now that you’ve managed to find the hacked files, it’s time to remove them and restore your WordPress website to a clean state.
2.1 Remove or clean hacked files
If the malware is in your WordPress core files or plugins, you can fix it manually. However, make sure you don’t overwrite your wp-config.php file or wp-content folder.
If you have access to a recent backup that’s not infected, that can be very helpful as you can simply replace the infected files with the ones from your backup.
If you don’t have a recent backup, you’ll need to replace the hacked files with fresh copies.
Now, to manually remove a malware infection from your WordPress site files, follow these steps:
- Log into your server via SFTP or SSH.
- Before you make any changes, create a backup of the website.
- Make a list with recently changed files.
- Double-check the date they were modified with the user who changed them.
- Restore suspicious files with copies from the official WordPress repository.
- Open any custom files (not in the official repository) with a text editor.
- Remove any suspicious code from those custom files.
- Test to make sure that your website is fully functional after you’ve made the changes.
2.2 Clean hacked database tables
To remove a malware infection from your site database, you’ll need to use your database admin panel to connect to the database. There are lots of tools you can use for this, including Search-Replace-DB and Adminer.
Follow these steps to manually remove a malware infection from your database tables:
- Log into your database admin panel.
- Before you make any changes, make sure to create a backup of the database.
- Search for suspicious content (i.e., spammy keywords, links).
- Open the table that contains suspicious content.
- Manually remove any suspicious content.
- Test to check that your website works properly after you’ve made the changes.
- Remove any database access tools you may have uploaded.
2.3 Secure all user accounts
Take a look at your WordPress users list and immediately remove any suspicious or unfamiliar users. As a precaution, we suggest having only one admin user and limiting the rights or privileges of other users such as editors, authors, contributors, users.
Now, before you start removing any suspicious users, make sure to backup your website and database. Then simply go to your WordPress users list and delete any users you deem suspicious.
At the same time, if you believe one or more of your legitimate user accounts have been hacked, we recommend resetting their passwords. You can easily do that with the Sucuri plugin.
2.4 Remove hidden backdoors
Hackers are smart. They almost always leave a way to get back into your website, just in case they get caught. This means you’ll need to find those backdoors and prevent them from coming back and hacking your WordPress site yet again.
Usually, backdoors are embedded in files that have similar names to WordPress core files. The difference is that they’re usually located in wrong directories. Hackers can also inject backdoors into files like wp-config.php or directories like /uploads, /plugins and /themes.
Look for the following PHP functions to find backdoors:
- preg_replace (with /e/)
Since it’s possible that these functions are used legitimately by plugins, make sure to backup the site and to test that its works properly after removing any of the functions.
Take your time with this step because if you don’t close all backdoors, your site can be reinfected very quickly.
As part of this, look into disabling xmlrpc.php as well. Read more about it on WPMU DEV.
2.5 Remove malware warnings
If your WordPress site was blacklisted by Google, you’ll need to request a review after you’ve managed to remove all malware and clean up your site.
Here’s how you can do that:
To remove the blacklist warning, you’ll need to let Google know that you have completely cleared the infection. For that, you’ll need to create a Google Search Console account, if you’re not using one already. Then follow the steps in this guide to request a review from Google.
You should also fill in review requests for other search engines and web spam authorities like Bing, Yandex and McAfee.
Step 3: Post-hack
Fixing a hacked WordPress website takes time. You don’t want to go through this process every couple of months, do you?
So the next step is to enhance the security of your website to make sure this never happens again.
3.1 Update and reset configuration settings
You know what’s one of the leading causes of infections? Out-of-date software.
So, if there’s one thing you need to take care of immediately, that’s to update everything from CMS version, plugins, themes, and any other extensions you’re using on your site.
To manually apply updates in WordPress, follow these steps:
- Log into your server via SFTP or SSH.
- Always backup your website and database before making an update.
- Manually remove the wp-admin and wp-includes directories.
- Replace wp-admin and wp-includes using copies from the official WordPress repository.
- Manually remove and replace plugins and themes with copies from official sources.
- Log into WordPress as an admin and click Dashboard > Updates.
- Apply any missing updates.
- Go to your website to make sure it works properly.
Also, make it a habit to change passwords for all access points, including for WordPress user accounts, FTP/SFTP, SSH, cPanel, and your database. Keep the number of admins to a minimum and limit users’ access to only the features they require to do the job they need.
As an extra security step, you can force active users to log off by resetting WordPress secret keys. This is important because if a hacker has a session cookie, they can retain access to a website even after a password is reset.
To generate new secret keys, follow these steps:
- Open the WordPress wp-config.php file.
- Add a value of 60+ unique characters for each key and salt.
- You can use a secret key generator.
- Save the wp-config.php file.
To make sure all your plugins are fully functional and malware-free, we’d suggest reinstalling them. At the same time, if you have plugins that you no longer use or are outdated or deactivated, we highly recommend you to remove them from your web server.
If you’re using Sucuri’s WordPress plugin, you can do that in a few simple steps:
- Log into WordPress as an admin and go to Sucuri Security > Post-Hack.
- Go to the Reset Plugins tab.
- Select the plugins you want to reset (it is recommended to select them all).
- Click Process selected items.
3.2 Enhance WordPress security
To prevent any further attacks in the future, you’ll need to take some steps to reduce the entry points for attackers.
Here’s how you can harden WordPress using the Sucuri plugin:
- Log into WordPress as an admin and go to Sucuri Security > Hardening.
- Review the options to understand what they do.
- Click the Harden button to apply recommendations.
3.3 Create backups
Backups are critical to recovering your site after an attack. So make it a habit to backup your WordPress site to ensure you always have a safe copy in case of a malware infection.
Here are some tips to keep in mind:
- Never store backups on your server. Instead, always store them in an off-site location.
- Go with a backup solution that automatically backs up your site at a frequency that suits your needs.
- Your backup strategy should include redundancy, meaning backups of your backups.
- Test the restore process to make sure your website works properly.
3.4 Scan your computer
You probably already know that a hacker only needs to infect one of your user’s computers to get access to your WordPress dashboard.
So ask your users to run a scan on their operating systems using a reputable antivirus program like Malwarebytes, Avast, Avira (free) or BitDefender, Kaspersky, F-Secure (paid).
3.5 Use a website firewall
Consider using a website firewall to protect your website. Why? Because it can:
- Help to prevent a future hack since it can detect and stop known hacking tactics.
- Patch holes in your website software even if you haven’t updated certain plugins or themes.
- Prevent anyone from accessing your wp-admin or wp-login page.
- Block all types of DDoS attacks
- Offer to cache to speed up your website. And, as you know, site speed is an important factor not only for visitors but also for search engines.
No matter how secure your site or your clients’ websites are, there is always a chance that they may get hacked. Fortunately, you now have the information you need to not only spot potential security flaws and clean up your WordPress website but also to prevent a future breach.