In my 15 years as a webmaster, I've dealt with my fair share of hacked websites. And let me tell you – it's never fun finding your site defaced or used for malicious purposes.
The good news is, with the right approach, you can clean up the hack, secure your site, and get back to business surprisingly quickly in many cases. In this comprehensive guide, I'll share the steps I've used to successfully fix hacked WordPress sites over the years.
Contents
- Understand Why Site Security Matters
- Identifying Different Types of Hacks
- Step 1: Restore From a Clean Backup (If You Have One)
- Step 2: Scan for Malware and Remove Affected Files
- Step 3: Audit Users and Revoke Suspicious Access
- Step 4: Generate New Security Keys and Salts
- Step 5: Update Plugins, Themes and WordPress Core
- Hardening Your Security Going Forward
- When To Call In The Professionals
- Conclusion
Understand Why Site Security Matters
With over 30 million WordPress websites online, it's by far the most used CMS in the world. Unfortunately, this popularity also makes it a prime target for hackers:
- Web application firewall provider Sucuri blocks over 850,000 malicious attacks on WordPress sites every day.
- Leading security plugin Wordfence reports that over 40% of WordPress websites have experienced a security attack at some point.
Failing to fix hacks and secure your site can lead to continuing attacks, blacklisting by search engines, and even complete site failure or deletion in worst cases.
So it's absolutely critical that you take site security seriously and know how to properly deal with any hacks or infections that occur.
Identifying Different Types of Hacks
The first step is to identify precisely what kind of hack you're dealing with. Over the years, I've seen just about every trick in the book. Here are some of the most common ones:
Redirect Hacks
These nefarious hacks redirect your site to some other domain, often associated with malicious activity or inappropriate content. The redirection is achieved by:
- Altering your .htaccess file
- Changing key settings in wp-config.php
- Injecting malicious scripts in core WordPress files
Visitors get frustrated by the redirect, and it also tanks your site's reputation with search engines.
Injected Spam and Malware
Hackers will often inject spam links, irrelevant keywords, or outright malware into your site content. For example:
<p>Thanks for reading my blog. By the way, you should really check out
<a href="http://sketchymalwaresite.com">this great offer</a> and buy yourself an iPad!</p>
They sneak these into legitimate posts and pages to try and spread them to real site visitors. Google picks up on this quickly and may flag or blacklist your whole site.
Backdoors
One of the worst hacks is when attackers install a backdoor like a web shell script. This allows remote access to key functions like:
- File manager
- Database manager
- Command execution
- Operating system access
It's like handing the keys to your site over to the hackers! This is why cleanup can be so involved.
Defaced Site
Sometimes hackers just want to vandalize your site and leave graffiti, offensive images, and messages on your home page or internal pages. It's more a nuisance attack than one focused on distribution or monetization.
SEO Hacks
Finally, hackers may manipulate content on your site solely to game search engines for better rankings: stuffing in keywords, generating thin pages optimized for specific terms, and so on.
Take some time to analyze your site and identify which symptoms you're dealing with. The more details you can gather, the better.
Using Scanner Plugins to Detect Issues
Tools like Wordfence and Sucuri provide scoped scans to detect malware and vulnerabilities:
Run comprehensive scans to identify any core file changes, malware in the DB, suspicious code in plugin/themes, etc. The plugins will generate detailed reports pointing out problems.
This information will prove invaluable as you work to clean up files and database content later. Make sure you use scanners designed for WordPress sites.
Step 1: Restore From a Clean Backup (If You Have One)
Restoring a clean backup is without question the easiest way to undo a hack. If you use a service like BlogVault or BackupBuddy, you should have regular backups available to restore from a date before the infection occurred.
Your hosting provider may also keep daily or weekly backups that you can use. For example, SiteGround offers complimentary restores for account holders.
Things to weigh when considering a backup restore:
- Any new legitimate content or changes made after the backup date will be lost.
- Database malware will be eliminated.
- Files will revert to their clean pre-infected state.
If your site doesn't update frequently, a restore may be the perfect solution. But if you publish content regularly, you risk losing a lot.
Step 2: Scan for Malware and Remove Affected Files
If restoring a full backup isn't practical for your site, you'll need to manually find and remove infected files. This process can be tedious but it works if you're thorough.
- Use security scanners like Sucuri or Wordfence to comprehensively scan your install. Identify any specific files or paths reported.
- Delete any hacked plugin and theme files. You can then reinstall clean versions from the original sources like WordPress.org.
- For affected core WordPress files, download a brand new copy of WordPress and replace each hacked file with its clean counterpart.
- Aggressively look for strange or unknown files that may be backdoors. The wp-content and wp-includes folders are common places to check. Delete anything that looks unfamiliar.
- If on a VPS or dedicated server, check root directories for malware. The hackers may have moved beyond your site's folders to embed themselves at the system level. Anything suspicious should be removed.
- You can run database queries to systematically identify and remove malicious links and other spammy content injections. Or do a complete DB reset/reinstall if that capability exists.
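As an added example (my own script, not from the original post and not from any of the scanner vendors named above), here is a small Python tool that automates two of the checks in this step: flagging PHP files that carry common obfuscation indicators or that sit inside the uploads folder, and querying wp_posts for links pointing at domains you don't own. The sample site tree and the in-memory wp_posts table are constructed for the demo; the indicator list, the uploads-only rule and the example.com allowlist are my assumptions, not WordPress facts. Hits are leads to inspect by hand, not verdicts.

```python
import re
import sqlite3
import tempfile
from pathlib import Path

# Illustrative indicators seen in obfuscated PHP droppers and web shells (assumed
# list). Treat a hit as a lead to inspect by hand, not as proof the file is malicious.
SUSPICIOUS_PHP_PATTERNS = {
    "eval of a base64-decoded payload": re.compile(rb"eval\s*\(\s*base64_decode\s*\("),
    "eval of a gzinflated payload": re.compile(rb"eval\s*\(\s*gzinflate\s*\("),
    "shell command built from request input": re.compile(
        rb"(?:system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)"
    ),
}

# An uploads directory should hold media only, so any .php in it deserves a look.
NO_PHP_DIRS = ("wp-content/uploads",)


def scan_php_files(root):
    """Walk `root` and return [(relative_path, reason)] for PHP files worth inspecting."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        if any(rel.startswith(d + "/") for d in NO_PHP_DIRS):
            findings.append((rel, "PHP file inside an uploads directory"))
            continue
        data = path.read_bytes()
        for reason, pattern in SUSPICIOUS_PHP_PATTERNS.items():
            if pattern.search(data):
                findings.append((rel, reason))
                break  # one reason per file is enough for a worklist
    return findings


# Hostname of an absolute URL in the href/src of an anchor, iframe or script tag.
LINK_RE = re.compile(
    r"""<(?:a|iframe|script)\b[^>]*?(?:href|src)\s*=\s*["']?https?://([^/"'\s>]+)""", re.I
)


def find_injected_links(conn, allowed_domains):
    """Return [(post_id, domain)] for post content linking outside `allowed_domains`.

    The SQL pre-filters rows that contain an absolute URL; host extraction is done
    in Python because it is awkward to express with MySQL/SQLite string functions.
    """
    allowed = {d.lower() for d in allowed_domains}
    rows = conn.execute(
        "SELECT ID, post_content FROM wp_posts "
        "WHERE post_content LIKE '%http://%' OR post_content LIKE '%https://%'"
    ).fetchall()
    return [
        (post_id, domain.lower())
        for post_id, content in rows
        for domain in LINK_RE.findall(content)
        if domain.lower() not in allowed
    ]


def build_sample_site():
    """Constructed sample tree (not a real site): a clean plugin file, a file with an
    eval(base64_decode(...)) indicator, and a stray .php inside uploads."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    (root / "wp-content/plugins/hello").mkdir(parents=True)
    (root / "wp-content/uploads/2024").mkdir(parents=True)
    (root / "wp-content/plugins/hello/hello.php").write_text("<?php echo 'hello'; ?>")
    (root / "wp-content/plugins/hello/cache.php").write_text("<?php eval(base64_decode($p)); ?>")
    (root / "wp-content/uploads/2024/image.php").write_text("<?php // should not exist ?>")
    return root


def build_sample_db():
    """Constructed in-memory stand-in for the wp_posts table (only the columns used here)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_content TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?)", [
        (1, '<p>See <a href="https://example.com/about">our about page</a>.</p>'),
        (2, '<p>Thanks for reading.</p><a href="http://sketchymalwaresite.com/offer">this great offer</a>'),
        (3, "<p>Plain text, no links.</p>"),
    ])
    return conn


if __name__ == "__main__":
    for rel, reason in scan_php_files(build_sample_site()):
        print(f"{rel}: {reason}")
    for post_id, domain in find_injected_links(build_sample_db(), ["example.com"]):
        print(f"post {post_id} links to {domain}")
```

Against a live site you would point scan_php_files at the web root and run the same SELECT (with your table prefix) through a MySQL connection instead of sqlite3; review every hit before deleting anything, since a plugin can legitimately use base64 or link to a partner domain.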
Running through these steps methodically will eventually eliminate all infections if done thoroughly. Be patient and keep scanning and cleaning until your site is declared malware-free by your chosen tools.
Professional Cleanup Services
For persistent or highly complex infections, professional site recovery services may be your best bet. Companies like Sucuri, CodeGuard, and SiteLock specialize in WordPress site restoration.
They have experienced analysts and an arsenal of proprietary tools to clean even the most stubborn malware. Pricing is generally in the $200 to $500 range depending on the severity.
While not cheap, they can save you countless hours of struggle and provide peace of mind. Your site's reputation is at stake so professional help is advisable for some cases.
Step 3: Audit Users and Revoke Suspicious Access
Once a hacker gains access to your site, one of the first things they'll do is create an administrator level account so they can maintain access.
You need to remove any unauthorized users:
- In your WordPress dashboard, go to Users > All Users and carefully inspect this list for any suspicious or unknown accounts.
- Look for subtle changes to usernames or email addresses of existing users as well. Hackers hope you'll overlook minor changes.
- Delete any users you know shouldn't have admin or editor access.
- Change all passwords including your main WordPress admin password, cPanel/FTP password, database password, etc. Make them long and extremely complex. Consider using a password manager.
If there are a lot of user accounts on your site that are suspect, force a password reset on all users which revokes access across the board. You can do this with plugins like WP Force Password Reset.
Also implement measures to limit login attempts to prevent future brute force attacks. Plugins like All In One WP Security & Firewall offer this capability.
Step 4: Generate New Security Keys and Salts
An important way hackers maintain access is by stealing your security keys and salts stored in wp-config.php. These allow them to bypass normal authentication.
You can block this mechanism by resetting all keys and salts in wp-config.php. Follow WordPress' official guide on generating new keys and update the file accordingly.
For ongoing protection, use a plugin like iThemes Security that automatically rotates keys and salts on a scheduled basis, keeping hackers in the dark.
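Here is an added example of doing the rotation yourself, as a Python script of my own (not the official WordPress generator and not the iThemes plugin). It rewrites the eight define() lines WordPress actually reads (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, NONCE_SALT) with fresh 64-character random values, and appends any that are missing. The sample wp-config.php is constructed for the demo; the character set is my assumption (anything printable that needs no escaping inside a single-quoted PHP string).

```python
import re
import secrets
import string

# The eight secrets WordPress reads from wp-config.php.
WP_SECRET_NAMES = [
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
]

# Assumption: printable characters that are safe inside a single-quoted PHP
# string without escaping, so no single quote and no backslash.
SAFE_CHARS = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation if c not in "'\\"
)

# Matches both define('NAME', 'value'); and the spaced define( 'NAME', 'value' ); form.
DEFINE_RE = re.compile(r"define\(\s*'(?P<name>[A-Z_]+)'\s*,\s*'(?P<value>[^']*)'\s*\);")

STOP_MARKER = "/* That's all, stop editing!"


def new_secret(length=64):
    """One cryptographically random secret, 64 characters long like the official ones."""
    return "".join(secrets.choice(SAFE_CHARS) for _ in range(length))


def rotate_salts(config_text):
    """Return (new_config_text, {name: new_value}) with all eight secrets replaced.

    Secrets missing from the file are inserted before the stop-editing marker
    (or appended at the end if the marker is absent). Other define() lines,
    such as DB_NAME, are left untouched.
    """
    new_values = {name: new_secret() for name in WP_SECRET_NAMES}
    seen = set()

    def _sub(match):
        name = match.group("name")
        if name not in new_values:
            return match.group(0)
        seen.add(name)
        return f"define( '{name}', '{new_values[name]}' );"

    text = DEFINE_RE.sub(_sub, config_text)
    missing = [n for n in WP_SECRET_NAMES if n not in seen]
    if missing:
        block = "".join(f"define( '{n}', '{new_values[n]}' );\n" for n in missing)
        idx = text.find(STOP_MARKER)
        text = text[:idx] + block + text[idx:] if idx != -1 else text.rstrip("\n") + "\n" + block
    return text, new_values


def extract_secrets(config_text):
    """Read the current secret values back out of a config (handy to verify a rotation)."""
    return {
        m["name"]: m["value"] for m in DEFINE_RE.finditer(config_text) if m["name"] in WP_SECRET_NAMES
    }


# Constructed sample config, not a real site's file: stock placeholders, NONCE_SALT missing.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    rotated, _ = rotate_salts(SAMPLE_CONFIG)
    print(rotated)
```

Rotating the keys invalidates every existing login cookie, including yours, which is exactly the point: anyone holding a session minted with the old values is logged out. Back up wp-config.php before writing the result over it.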
Step 5: Update Plugins, Themes and WordPress Core
Outdated software contains vulnerabilities that hackers exploit. Once you've cleaned up the hack, you need to:
- Update WordPress to the very latest version.
- Update all plugins to current versions. Avoid abandoned plugins.
- Install an updated premium theme known for good security. The free themes in WP's repository tend to be less secure.
The WordPress Updates section makes this quick and painless. Just click "update" on anything available to patch potential holes.
Hardening Your Security Going Forward
Cleaning up the current hack is important, but preventing the next one is even more crucial. Here are concrete steps you need to take:
Firewall
A cloud firewall monitors traffic to your site and blocks malicious requests. Wordfence, Sucuri, and Cloudflare all provide firewall solutions for WordPress.
The firewall rules proactively halt common hack attempts like SQL injections, malware uploads, DDOS attacks, and more. This takes pressure off your site itself.
Limit Login Attempts
Plugins like All In One WP Security & Firewall let you specify a maximum number of failed login attempts before further attempts are blocked at the IP level.
This significantly reduces the risk of brute force attacks that try to guess weak passwords. Limit to 3-5 failed attempts.
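To show what such a plugin is reacting to, here is an added example of my own (not from the original post or from any plugin) that spots the same pattern in an ordinary web server access log: repeated POSTs to wp-login.php that come back with HTTP 200 (WordPress re-renders the form on a failed login) rather than the 302 redirect it issues after a successful one. The log lines are constructed with RFC 5737 documentation addresses; the threshold of 5 follows the 3-5 range suggested above.

```python
import re
from collections import Counter

# Apache/Nginx "combined" log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def failed_logins_per_ip(log_lines):
    """Count, per client IP, POSTs to wp-login.php answered with HTTP 200.

    A failed login re-renders the form with a 200; a successful one answers 302,
    so the 200s are the failures. Query strings (e.g. redirect_to=...) are ignored.
    """
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line, skip it
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path.endswith("/wp-login.php") and m["status"] == "200":
            counts[m["ip"]] += 1
    return counts


def flag_brute_force(log_lines, max_failures=5):
    """Return {ip: failures} for clients that reached `max_failures` failed logins."""
    return {ip: n for ip, n in failed_logins_per_ip(log_lines).items() if n >= max_failures}


def _line(ip, sec, method, path, status):
    """Build one constructed combined-format log line for the demo."""
    return f'{ip} - - [10/Jan/2024:10:00:{sec:02d} +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample log: one client hammering the login form, one normal login,
# one client that viewed the form and failed once, and one junk line.
SAMPLE_LOG = (
    [_line("203.0.113.7", s, "POST", "/wp-login.php", 200) for s in range(6)]
    + [
        _line("198.51.100.4", 10, "POST", "/wp-login.php", 200),
        _line("198.51.100.4", 11, "POST", "/wp-login.php", 302),
        _line("198.51.100.4", 12, "GET", "/wp-admin/", 200),
        _line("192.0.2.9", 20, "GET", "/wp-login.php", 200),
        _line("192.0.2.9", 21, "POST", "/wp-login.php?redirect_to=%2Fwp-admin%2F", 200),
        "this line is not in combined format",
    ]
)

if __name__ == "__main__":
    for ip, n in flag_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins")
```

Running this over a day of logs tells you whether the brute-force plugin is actually needed and which addresses it would have stopped; a firewall rule or the plugin's own block list is the place to act on the result.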
Disable File Editors
Many hackers access site files directly via built-in theme and plugin editors like Theme Editor, Plugin Editor, etc. Disable these file editors completely to close that hack vector.
Password Protect wp-admin
Add an extra password specifically for the WordPress login and admin pages. Plugins like HttpAuth make this simple.
Having to enter 2 passwords frustrates hackers and adds extra security if they do get your main password.
Disable PHP Execution
Ask your host whether you can disable PHP execution in key folders like /wp-admin and /wp-includes via .htaccess. This limits damage if hackers do gain access.
Backup Regularly
Even with the most hardcore security in place, attacks can happen. So have frequent, automated backups via a dedicated plugin or offsite service. This lets you quickly restore if disaster strikes.
When To Call In The Professionals
Following this guide carefully should allow you to clean up and secure most hacked sites. However, if you still can't fully restore things, enlisting professional help is advisable.
Companies like Sucuri, SiteLock, and CodeGuard employ full-time malware analysts. For several hundred dollars, they'll do the heavy lifting to debug and clean infections that are beyond the average site owner.
The cost may be worth it for the peace of mind of knowing your site is malware free and protected against repeat attacks. Just be sure to implement the proper security advised in this guide.
Conclusion
Recovering from a hacked site doesn't need to be a catastrophic experience if you keep a level head and follow the right process. Start by identifying how you've been compromised, then eliminate infections, close vulnerabilities and implement firewalls and other security best practices.
While it's tempting to ignore hacks, prompt action gives you the highest probability of restoring your site and avoiding repeat attacks. Let me know if you have any other tips for cleaning up hacked WordPress installs! I have plenty more I can share from real-world experience. Stay vigilant friends.