Fixing a Hacked WordPress Website
Dealing with a hacked site is stressful, so your first and foremost action is to remain calm. A clear head lets you tackle the problem methodically. Take your time and do NOT rush anything, even if it means you have to go through each file one by one; keeping calm is key.
The most important things you should look at are as follows:
- Are you able to log into your WordPress admin panel?
- Can you access the actual website frontend? If not, the first place to check is your .htaccess file, as many WordPress hacks affect this file first. Make sure there’s no harmful code in it. Better yet, go to the official WordPress site, copy the “Basic WP” code block and paste it into your own .htaccess file, then upload that file to your server and check whether your site loads. Alternatively, you can delete the .htaccess file and then go into your WordPress admin panel (if you have access) to SETTINGS > PERMALINKS > UPDATE, which will generate a new .htaccess file within your installation.
- Is your website redirecting to any websites it shouldn’t?
- Check all pages from a browser that isn’t your default. Browsers tend to cache files and pages which include redirects. If you find a page that’s redirecting, make a note of its URL for later when you start your cleanup process.
- Are all your internal links pointing to their correct pages, and are any external links going where they should?
- Always note the URL in the bottom left when hovering over a link before clicking it. If it’s a “Bitly” link, then copy the link and paste it into a Bitly URL checker.
- Check your website on Google listings and see if Google is marking your website as “insecure”.
- Change ALL passwords: WordPress, FTP and your admin panel if you’re on some sort of hosting where you have cPanel. If you have other users on your WordPress site (i.e. site admins and authors), lock their access down.
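One way to run the .htaccess check from the list above from a shell, as an added example that is not code from the original article. It assumes you have downloaded the file to your own machine; the clean sample is the stock "Basic WP" block from the WordPress documentation, and the tampered sample is constructed here purely to show what the check reports.

```shell
#!/bin/sh
# Audit a WordPress .htaccess: report anything outside the stock "# BEGIN/END WordPress" block
# and any directive that loads extra PHP or sends visitors to another host.
# Constructed example for this article; the tampered sample below is invented, not a real payload.
htaccess_audit() {
  file="$1"
  findings=0
  # 1. WordPress only writes between its markers; anything else was put there by a person or a script.
  extra=$(awk '/^# BEGIN WordPress/{inside=1;next} /^# END WordPress/{inside=0;next} !inside && NF' "$file")
  if [ -n "$extra" ]; then
    printf 'outside-block:\n%s\n' "$extra"
    findings=$((findings + 1))
  fi
  # 2. Directives that prepend/append PHP, map other extensions to PHP, or redirect to an absolute URL.
  hits=$(grep -n -i -E 'auto_(prepend|append)_file|AddHandler|AddType .*php|(RewriteRule|Redirect(Match)?) .*https?://' "$file" || true)
  if [ -n "$hits" ]; then
    printf 'suspicious:\n%s\n' "$hits"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]   # exit 0 only when the file looks like stock WordPress
}

# The stock "Basic WP" block from the WordPress documentation, written to a temp dir as a clean sample.
workdir=$(mktemp -d)
cat > "$workdir/clean.htaccess" <<'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF

# A constructed tampered copy: the same block plus two lines of the kind a cleanup should catch.
cp "$workdir/clean.htaccess" "$workdir/tampered.htaccess"
cat >> "$workdir/tampered.htaccess" <<'EOF'
php_value auto_prepend_file /tmp/example-not-real.php
RewriteRule ^(.*)$ http://example.invalid/$1 [R=302,L]
EOF

htaccess_audit "$workdir/clean.htaccess" && echo "clean.htaccess: stock WordPress only"
htaccess_audit "$workdir/tampered.htaccess" || echo "tampered.htaccess: review the lines above"
```

Anything reported as outside-block is not automatically malicious (hosts and caching plugins add their own sections), but every such line should be one you can explain.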
Speak to your hosting company
Any good hosting company will be very helpful with a hacked website and can offer a lot of advice for you, as well as take steps in recovery. Depending on your hosting package type, backups may have been taken so it could be as simple as a click of a button to revert your website to a stable “pre-hacked” state. Even if your host can’t offer you a backup to implement, all is not lost. The host company can give you information about how the hack originated and what steps to take to seal up the initial breach. Hosts like Hostgator are usually very helpful in our experience when it comes to a hacked site.
If you have any backups of your WordPress site from before the hack, then you’re right as rain and the hack will only set you back a little time. The downside of your own backups is any content that was added after the backup was taken: you risk losing posts, comments etc. that were added to your site after the backup date.
This is the most tedious of all processes and being calm is what’s needed the most. So long as you remain focused with a clear head, you will get through everything. Start by deleting non-essentials like old themes and plugins that aren’t being used or needed. This will reduce the number of files you need to sift through to locate all the infections.
There are many good scanning and cleaning plugins on the market, but these usually come with a price tag. Most offer a free version which has certain limitations, so you need to weigh up the value of your site, as well as your own personal time against the cost of what you’re willing to spend.
Our recommendations are as follows:
- WordFence (they offer a free version which uses a 30-day delayed threat database; premium members get real-time access to the threat database).
- Defender (by WPMUDEV). This is a fully fledged premium plugin, but WPMUDEV offer a 30-day free trial which gives you access to all their plugins and security software. No credit card or payment information is needed on registration, so this may be your best bet.
Install a clean copy of WordPress on your server, first making sure to back up your uploads folder to your local machine, as well as a copy of your wp-config.php file, as this holds your database access details (we will change these details later).
Once you’ve backed up your uploads folder, go ahead and replace all WordPress files and folders with the fresh copy you downloaded (this gives our scanning plugins a known-good baseline to compare against).
Once your scanning plugins are installed, go ahead and make sure that you install the latest version of whatever theme you are using (this reduces the number of files that need scanning, and the scanning plugin will pick up any files that aren’t part of the default theme directory).
Once you have done all of the above, you will be given recommendations on how to resolve the issues. Our experience of WPMU Defender was very good: you’re able to do a lot more within the backend and don’t need an advanced understanding of WordPress core files. Defender offers you the option to change your secret keys, nonces and salts (private keys which validate a user’s cookie for access to your site). So if your passwords were compromised, changing these keys in the wp-config.php file will log out all users previously using those keys, and only you can access your site via the new password you created in Step 1. If you want to generate your own keys, you can replace these in the wp-config.php file found in the root directory of your WordPress installation.
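If you prefer to rotate the keys and salts yourself rather than through a plugin, the following shell script does it in place. It is an added example for this article, not Defender’s or WordPress’s own code; it assumes /dev/urandom and the base64 utility are available, and the wp-config.php it operates on is constructed here in a temp dir.

```shell
#!/bin/sh
# Rotate the eight WordPress secret keys and salts in wp-config.php with fresh random values.
# Constructed example for this article, not Defender's or WordPress's own code; it assumes
# /dev/urandom and the base64 utility are available and that FILE is your wp-config.php.
WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

rotate_wp_salts() {
  file="$1"
  for key in $WP_KEYS; do
    # 48 random bytes as base64 gives 64 characters with no quotes, safe in a PHP single-quoted string.
    new=$(head -c 48 /dev/urandom | base64 | tr -d '\n')
    # Rewrite the whole define() line for this key; '|' as sed delimiter avoids clashing with base64 '/'.
    sed "s|^define( *'$key'.*|define( '$key', '$new' );|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  done
}

# Print the current value of one key, e.g. key_value wp-config.php AUTH_KEY
key_value() {
  sed -n "s|^define( *'$2', *'\([^']*\)'.*|\1|p" "$1"
}

# Number of keys still carrying the placeholder text from a fresh download; 0 after a successful rotation.
placeholder_count() {
  grep -c "put your unique phrase here" "$1" || true
}

# Constructed wp-config.php in a temp dir, in the shape of a freshly downloaded file.
workdir=$(mktemp -d)
cfg="$workdir/wp-config.php"
{
  printf "<?php\ndefine( 'DB_NAME', 'example_db' );\n"
  for key in $WP_KEYS; do printf "define( '%s', 'put your unique phrase here' );\n" "$key"; done
  printf "\$table_prefix = 'wp_';\n"
} > "$cfg"

echo "placeholders before: $(placeholder_count "$cfg")"
rotate_wp_salts "$cfg"
echo "placeholders after:  $(placeholder_count "$cfg")"
```

Every existing login cookie becomes invalid the moment the new file is uploaded, so expect to sign in again yourself.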
Change Access to Database
If you have FTP access, and access to your database, then you can change the password for your database too, and then change this password in your wp-config.php file. Basically, if it has a password, it needs changing. And we don’t mean changing a password from Admin1234 to aDmiN_1234. If you want your site to be secure, then make sure your passwords are too. We suggest using a password manager that generates a very long and highly secure password for every website you visit and have access to. We recommend something like LastPass for this.
You need to weigh up the pros and cons of expenditure vs. the value of your own personal time and the value of your entire website. There are many professionals who will offer to clean and fix your website for anywhere between £50-£100 per hour, and can usually do it in anything from 1-5 hours; depending on the severity of the hack. If you’re not comfortable doing any of the above yourself, then the most cost-effective solution would be to have a professional do it for you.
Go through everything again to make sure you didn’t miss any steps:
- Check htaccess file for anything out of the ordinary
- Check the wp-includes and wp-content/uploads folders for non-core WordPress files. (At no point should your uploads folder EVER contain a .php file.)
- Download the latest version of WordPress and replace your installation (make a note of your database access details from your wp-config.php, and BACK UP YOUR UPLOADS FOLDER). This is optional but highly recommended.
- Make sure you have generated new security keys for your wp-config.php file if you don’t install a fresh copy of WordPress.
- Remove any users in wordpress you don’t recognize.
- Check your website listings as well as all pages and any links they go to.
- Delete EVERY non-essential plugin as well as unused themes.
- Update all plugins and your theme prior to scanning.
- Install a security plugin and run a scan.
- Change ALL passwords, including ALL users’ passwords and the database access password.
- Delete all pages and posts you don’t recognize or that seem to be “blank”; these usually hide scripts. (Sometimes the hack generates pages which are hidden in the admin backend, so you can’t see them.) We suggest using Sucuri (paid version) for this, as it can scan and detect most if not all threats within your database.
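The two file checks in the list above (PHP under uploads, and non-core files in wp-includes) can be done from a shell against a fresh WordPress download. This is an added example, not code from the original article; SITE is a local copy of your site root, CLEAN is a freshly unpacked WordPress, and both trees are constructed here in a temp dir with the problems planted deliberately.

```shell
#!/bin/sh
# Post-cleanup file audit for a WordPress tree: PHP files under uploads, and files in wp-includes
# that a freshly downloaded copy does not have (or has with different contents).
# Constructed example for this article; SITE is your downloaded site root, CLEAN a fresh WordPress unpack.
php_in_uploads() {
  # Uploads should hold media only; any PHP-executable extension there is a finding.
  find "$1/wp-content/uploads" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) 2>/dev/null
}

core_drift() {
  # Compare wp-includes against the clean copy: files added, files changed, core files missing.
  site="$1"; clean="$2"
  diff -rq "$clean/wp-includes" "$site/wp-includes" 2>/dev/null | awk -v site="$site" '
    $1 == "Only" && index($3, site) == 1 { sub(/:$/, "", $3); print "added: " $3 "/" $4 }
    $1 == "Only" && index($3, site) != 1 { sub(/:$/, "", $3); print "missing: " $3 "/" $4 }
    $1 == "Files" && $NF == "differ"     { print "modified: " $4 }'
}

# Constructed sample trees in a temp dir: a "clean" unpack and a "site" with four problems planted.
workdir=$(mktemp -d)
clean="$workdir/clean"; site="$workdir/site"
mkdir -p "$clean/wp-includes" "$site/wp-includes" "$site/wp-content/uploads/2024/01"
printf '<?php // core file\n' > "$clean/wp-includes/version.php"
printf '<?php // core file\n' > "$clean/wp-includes/plugin.php"
printf '<?php // core file\n' > "$clean/wp-includes/load.php"             # absent from the site below
cp "$clean/wp-includes/version.php" "$site/wp-includes/version.php"   # untouched core file
printf '<?php // constructed: altered core file\n' > "$site/wp-includes/plugin.php"
printf '<?php // constructed: file that is not part of core\n' > "$site/wp-includes/extra.php"
printf 'GIF89a' > "$site/wp-content/uploads/2024/01/photo.gif"             # media: fine
printf '<?php // constructed: PHP has no business here\n' > "$site/wp-content/uploads/2024/01/cache.php"

echo "PHP under uploads:"; php_in_uploads "$site"
echo "wp-includes drift:"; core_drift "$site" "$clean"
```

The same diff works for wp-admin and for a theme directory against its fresh download; only wp-content/uploads and wp-config.php are expected to differ from a clean install.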
At the end of the day, prevention is better than cure. This is merely a guide on how to recover your hacked website. Please read our Article on Best Practices to Prevent a Hacked WordPress Site.
Hackers use tricks of their own to minimize detection, like only showing a hacked website to users who aren’t logged in. Even when you think you’ve cleaned your site and may have got everything, open your website in a different browser or incognito and go through the whole site again from the front-end. If your site is truly clean, then you won’t see anything wrong in both a logged in state or logged out state.