Getting hacked is becoming a worse problem as technology advances, and it is a sad reality of running websites. Our own WordPress website has been hacked a few times over the years, so we know exactly how it feels and how stressful it can be, not to mention the impact on your business. Over the past few years, we have helped hundreds of users, including several well-known businesses, recover their hacked WordPress sites. In this article, we share how to fix your hacked WordPress site step by step.
Few Things to Know Before We Start
No matter which platform you're using (WordPress, Joomla, Drupal, etc.), any site can be hacked.
If your WordPress site is hacked, you can:
- Lose your search engine rankings
- Expose your readers to viruses
- Have visitors redirected to pornography websites
- Suffer damage to your reputation
- Worst of all, lose your entire site data
If you're a business, website security should be one of your top priorities, which is why it's mandatory to have a good WordPress hosting company.
The last and most important one is Sucuri, a robust web application firewall; we use their services on our own websites as well.
If you haven't been hacked yet, all the information above is great. If you're reading this article, though, it's probably too late to add some of the precautions mentioned above. So try to stay as calm as you can before you do anything.
Let’s look at the guide on how to fix your hacked WordPress site step by step.
Step 0 – Have a Professional Do it for You
If you're not familiar with code and servers, it's always better to have a professional do it, because security is a serious matter. Hackers hide their scripts in different locations, which allows them to come back again and again.
Although this article shows you how to find and remove them, you may still prefer to hire a specialist to clean your website.
Security experts charge between $100 and $250 per hour, which is not affordable for a small business or solo entrepreneur. However, our friends over at Sucuri offer malware and hack cleanup for $199 to TrendyPort readers, and the package also includes their firewall and monitoring service for a year.
This is not a promotion of Sucuri; it's an honest recommendation. We know the team at Sucuri personally and trust them because we work with them on our own websites. We appreciate and are thankful for what they do for us: we use Sucuri, and on a daily basis they block several thousand attacks on our website.
So use them if you're not tech-savvy, if you value your time, or if you just want peace of mind.
For all the DIY folks, please follow the instructions below to clean up your hacked WordPress site.
Step 1. Identify the Hack
You're under a lot of pressure while dealing with a website hack. Try to stay calm and write down everything you can about the hack.
Go through the checklist below:
- Can you log in to your WordPress admin panel?
- Is your WordPress site redirecting to another website?
- Is Google marking your website as insecure?
Keep simple notes while you talk to your hosting company and as you go through the steps below to fix your website, because they will help you.
You must also change your passwords before you start the cleanup, and again when you're done cleaning up the hack.
Step 2. Check with Your Hosting Company
Start by contacting your web host and following their instructions. They have experienced, helpful staff who deal with these kinds of situations on a daily basis, and they know their hosting environment, so they can guide you better.
Sometimes the hack affects more than just your site, especially if you're on shared hosting. Your host may also be able to give you additional information about the hack, such as how it originated, where the backdoor is hiding, etc. In our experience, HostGator and Siteground are both very helpful when something like this happens.
You may even get lucky, and the host might clean up the hack for you.
Step 3. Restore from Backup
The best way to restore the site is from backups of your WordPress site. You can restore from an earlier point when the site wasn't hacked. If you can do this, you're golden.
However, if you have a blog with daily content, you risk losing blog posts, new comments, etc. So weigh the pros and cons.
The worst case is that your website has been hacked for a long time or you don't have a backup. If you don't want to lose the content, you can remove the hack manually.
Step 4. Malware Scanning and Removal
More often than not, hackers use your inactive WordPress themes and plugins to hide their backdoors. So delete those inactive items in WordPress.
Most smart hackers upload a backdoor as the first thing, because it allows them to regain access even after you find and remove the exploited plugin. A backdoor is a method of bypassing normal authentication and gaining the ability to remotely access the server while remaining undetected.
After you finish that, scan your website for the hack. Install the following free plugins on your website: Sucuri WordPress Auditing
Once it is set up, the Sucuri scanner will show you the integrity status of all your core WordPress files, which shows you where the hack is hiding. The most common hiding places are the theme and plugin directories, the uploads directory, wp-config.php, the wp-includes directory, and the .htaccess file.
Next, run the Theme Authenticity Checker and review its results.
If the Theme Authenticity Checker finds any suspicious or malicious code in your themes, a details button will appear next to the theme, with a reference to the infected theme file.
There are two options for fixing the hack here: manually remove the code, or replace the file with the original file.
For example, if they changed your core WordPress files, re-upload brand new WordPress files from a fresh download to overwrite any affected files.
The same goes for your theme files. Download a fresh copy and overwrite the corrupted files with the new ones. Most importantly, do this only if you didn't make changes to your WordPress theme code; otherwise you may lose those changes.
Repeat this step for any affected plugins as well.
In some cases, hackers add extra files with names that resemble plugin file names and are easy to overlook, such as hell0.php, Adm1n.php, etc. So make sure your theme and plugin folders match the original ones.
For more details, see: how to find a backdoor in WordPress and remove it.
Keep repeating this step until the hack is gone.
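Checking that a theme or plugin folder matches the original, as described in this step, can be automated. The following Python script is an added example, not part of the original article or of any plugin mentioned in it: it hashes every file in a fresh download and in the installed copy, then lists added, modified, and missing files. The function names and the sample plugin files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def file_hashes(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_trees(fresh: Path, installed: Path) -> dict:
    """Report files added, modified, or missing relative to the fresh copy."""
    good, live = file_hashes(fresh), file_hashes(installed)
    return {
        "added": sorted(set(live) - set(good)),
        "modified": sorted(f for f in good.keys() & live.keys() if good[f] != live[f]),
        "missing": sorted(set(good) - set(live)),
    }


def build_demo(base: Path):
    """Constructed sample: a clean plugin copy and a tampered installed copy."""
    fresh, installed = base / "fresh" / "hello", base / "installed" / "hello"
    for root in (fresh, installed):
        (root / "inc").mkdir(parents=True)
        (root / "hello.php").write_text("<?php // plugin main file\n")
        (root / "inc" / "admin.php").write_text("<?php // admin screen\n")
    # Look-alike extra file and an altered original, as in the article's example.
    (installed / "hell0.php").write_text("<?php // look-alike extra file\n")
    (installed / "inc" / "admin.php").write_text("<?php // admin screen (altered)\n")
    return fresh, installed


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        return compare_trees(*build_demo(Path(tmp)))


if __name__ == "__main__":
    for kind, files in run_demo().items():
        print(f"{kind}: {files}")
```

On a real site, point `compare_trees` at an unpacked fresh download of the same version and at the live directory; files under "added" deserve the closest look.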
Step 5. Check User Permissions
Look carefully in the Users section of WordPress to make sure that only you and your trusted team members have administrator access to the site. If you find a suspicious user there, delete them quickly.
Step 6. Change your Secret Keys
Security keys are important and must be kept away from outsiders. Since version 3.1, WordPress generates a set of security keys that encrypt your passwords. But if someone has stolen your password and is using it, they will remain logged in to the site and can do whatever they like. To disable their cookies, you have to create a new set of secret keys: generate new security keys and add them to your wp-config.php file.
Step 7. Change your Passwords AGAIN
Change your password again, as you did in step 1. You should update your WordPress password, your cPanel/FTP/MySQL passwords, and basically anywhere else you used this password.
The password should be strong. For further details, read our article on the best way to manage passwords.
If you have a lot of users on your site, you may want to force a password reset for all of them.
Moving Forward – Hardening your WordPress site
Daily site backups are essential, because there is no better security than having a good backup solution in place.
Aside from that, there are more things you can do to better protect your site. They are in no particular order, and you should do as many as you can:
- Set Up a Website Firewall and Monitoring System - Sucuri is the most applicable and useful one because most of the time it blocks attacks before they reach your server.
- Switch to Managed WordPress Hosting - WPEngine and Pagely are the most recommended; managed WordPress hosts go to extra lengths to keep your sites secure.
- Disable Theme and Plugin Editors – It’s a best practice that puts up a barrier for hackers. Here’s how to disable file edit in WordPress.
- Limit Login Attempts in WordPress – This is an important practice; see how to limit login attempts in WordPress.
- Password Protect your Admin Directory – Add an additional layer of password protection to your WordPress admin area to help maintain security. See how to add Htpasswd to WordPress admin.
- Disable PHP Execution in certain directories – Adds an additional layer of security. Here’s how to disable PHP execution via .htaccess.
And whatever you do, always keep your WordPress core, plugins, and themes up to date!
Make sure you keep your site secure, because Google recently announced a change to its algorithm that impacts hacked sites with spam results.
We hope this guide helped you fix your hacked WordPress site. If you need further details and support, we strongly recommend hiring professional help such as Sucuri, or asking your hosting company for a solution.