How to fix a hacked WordPress site

If your WordPress site has been hacked, don’t panic! Just like everything else IT-related, solving this is simply a matter of following the right steps. The following guide will help you to fix your hacked WordPress website.

If you’re not comfortable completing these repairs, that’s totally understandable. We’ve got a “we’ll fix it for you” service that ranges from $79 – $149 CAD depending on the extent of the hack. We’ll even tailor the price based on how much of the repairs you’ve completed yourself, so feel free to get started and have us take over part way — just make sure that you tell us everything that you have done already. Get in touch with us to find out more!

About WordPress Hacks

It’s important to keep in mind that most WordPress hacks are not targeted: it’s highly unlikely that you’ve been specifically targeted and attacked. The more likely scenario is that some large botnet (often thousands of computers under one person or hacking group’s control) has an automated tool that scans for vulnerabilities in WordPress sites and attempts to exploit them in an automated manner.

Why do they do this? A few possible reasons:

  • For further replication, by using your website to also infect other websites.
  • To send massive quantities of spam from your website’s server.
  • To set up a phishing site, such as an imitation of your bank’s website, to try to lure people into giving these hackers their bank login credentials.
  • To obtain a list of email addresses to add to their spam databases (from your WordPress users — particularly with subscription or eCommerce sites).

While it’s possible they’re hunting for credit card data, it’s highly unlikely since nearly all (if not all) eCommerce solutions using WordPress tend to use credit card processors that do not store the credit card details in your WordPress database. Hackers know this and tend to avoid bothering attempting to automatically gather this type of data.

Disable Site?

If you’re not able to attend to this issue immediately, it is imperative that you disable your site in Plesk now. As indicated above, if your site is spamming or running a phishing site, you want to shut this down right away until you’re able to get to the repairs.

Backup

Always start by backing up your website using your favourite method. Why do you want to back up if it’s going to include the hacked files? Since you’ll be manually (and automatically, using tools like WordFence) adjusting and removing files, it’s important to have a backup of everything just in case you need to restore a file or two.

Make sure that when you create the backup, you label it clearly as ‘hacked’ so you don’t restore it in the future, thinking it’s an OK restore point. OR simply delete the backup when you’re confident the site is working well.

Access or Not?

The first step is to see if you can access the front end of the site and the WordPress admin with your usual credentials. If not, find out what’s preventing access.

White Screen of Death?

The white screen of death occurs when there’s actually an error occurring, but it’s only being logged, not shown on screen. This is actually good behaviour, despite how it might seem right now, as many plugins and themes will log warnings and notices that you don’t want visible to your users. However, when it’s a critical error, you don’t get anything on screen: hence the white screen!

So how do you find out what the error is? Check the error log! Often the error log will show you exactly what file is causing the problem, so you can open the file and see what’s wrong.

For example, a hack we saw recently adjusted index.php and added an “include” line to include another file; however, that file was missing. The error log indicated something along the lines of “unable to find file”. Therefore removing the ‘include’ line from index.php fixed the issue and brought the website back online. That said, it did not clear up the entire hack, so make sure you don’t fix this one thing and say “I’m done!” — there’s likely much more to it.

Once you fix that problem, try visiting the site and/or logging in to the admin again and see if there’s still an issue. Often it will take repeating this process a few times, adjusting different files each time based on the error provided in the logs, before you’re able to regain full access.

Password Not Working?

If your admin password isn’t working, the hacker (or more likely the automated hacking tool) changed the admin password. The next step is thus to reset your admin password! Here’s a guide to help make that happen.

In the WordPress Admin

  1. Install WordFence and run a scan. WordFence might not always be the best at preventing an attack, but it can be decent at helping to clean one up.
  2. Change all WordPress ‘administrator’ user passwords to secure values. This means at least 20 characters and randomly generated is preferred. If you’re asking “how will I ever remember those?” then you probably aren’t using a password manager like LastPass, and you absolutely should be.
  3. Update all plugins and themes. If you have commercial plugins and themes that do not update using the built-in WordPress updater (that’s no good), be sure to update them manually, then set a recurring task for yourself to update them every month and ask the developer for auto-update functionality! If you don’t want the extra work of manually updating, then change the theme or plugin to one that automatically updates.

Visual Inspection

Look through the pages in the WordPress admin to see if you spot anything amiss. Look for themes and plugins that might have been uploaded unexpectedly. Look for things that you don’t remember existing previously; they may give you a clue as to where the vulnerability lies or what was changed by the hack.

If, for example, you see odd behaviour from a particular plugin, be aggressive and delete the plugin entirely, then reinstall a fresh copy from Plugins > Add New. This ensures that if the plugin files were also infected, they will be replaced by clean files.

Visual File Scan / Replacement

Download a fresh copy of WordPress to your computer and extract it, if your system didn’t do this automatically. Access the Plesk File Manager or connect via FTP to get a live file listing of your website. Compare the live file listing with what you see from the freshly downloaded WordPress fileset on your computer.

If you spot anything different, download it to your computer* (in the event it’s not actually malicious, you’ll have saved a copy) and delete it from the server. Repeat this until you’re confident that the WordPress install doesn’t have any non-essential extraneous files.

Another great tactic with the raw files is to simply delete every wp-* file and folder except wp-config.php and wp-content (these are the only ones that are normally modified) and upload the fresh copies of all that you deleted from your downloaded WordPress fileset. This ensures that if any core WordPress files were infected, they won’t be any longer.

You can do this with all plugins (in wp-content/plugins) and themes (in wp-content/themes) as well, as long as you or your developer haven’t modified any core theme files. If your developer has done their job right, any customizations they’ve implemented are in child themes and therefore will not be affected by a core theme update.

As mentioned above, make sure you download a copy of your theme files before replacing them. This way, if you do end up removing customized files that you need, you can restore them easily.

Warning for those using child themes: those customized files in the child theme could also be infected, so you will need to analyze their code line by line, or have your developer do so, to ensure they are clean. As a non-conclusive ‘quick’ version of this: most hacks tend to inject code at the top or bottom of files, so 99% of the time it’ll be safe to simply check the beginning and end of each file in the child theme.

*In all cases of hacked websites that we’ve seen, you do not need to be worried about the hack files infecting your computer. These infected files nearly always need to be run on a web server to be effective at doing anything. That said, be sure not to double-click or run them, just in case!
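The file comparison described in this section, as an added example that is not part of the original article: a small Python script that hashes every file in a fresh WordPress download and in a copy of the live site (skipping wp-config.php and wp-content, the two locations the steps above say are normally modified) and lists the extra, modified and missing core files. The demo trees it builds are constructed sample data, not real sites.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Only wp-config.php and wp-content/ normally differ from a fresh download (per the article).
SKIP = {"wp-config.php", "wp-content"}


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def _listing(root: Path) -> dict:
    """Map relative path -> SHA-256 for every file under root, minus SKIP."""
    files = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        if rel_dir == Path("."):  # prune skipped entries at the top level only
            dirnames[:] = [d for d in dirnames if d not in SKIP]
            filenames = [f for f in filenames if f not in SKIP]
        for name in filenames:
            files[(rel_dir / name).as_posix()] = _sha256(Path(dirpath) / name)
    return files


def compare_trees(clean_root, live_root) -> dict:
    """Return live-only ('extra'), changed ('modified') and absent ('missing') core files."""
    clean, live = _listing(Path(clean_root)), _listing(Path(live_root))
    return {
        "extra": sorted(p for p in live if p not in clean),
        "modified": sorted(p for p in live if p in clean and live[p] != clean[p]),
        "missing": sorted(p for p in clean if p not in live),
    }


def build_demo_trees():
    """Constructed sample trees: the live copy gains wp-admin/css.php, has an
    include line added to index.php (as in the article's example), and lacks wp-login.php."""
    base = Path(tempfile.mkdtemp())
    clean, live = base / "clean", base / "live"
    for root in (clean, live):
        (root / "wp-admin").mkdir(parents=True)
        (root / "wp-content").mkdir()
        (root / "wp-admin" / "admin.php").write_text("<?php // admin\n")
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (root / "wp-config.php").write_text(f"<?php // {root.name} config\n")
        (root / "wp-content" / "style.css").write_text(f"/* {root.name} theme */\n")
    (clean / "wp-login.php").write_text("<?php // login\n")
    (live / "index.php").write_text("<?php include 'x.php'; require 'wp-blog-header.php';\n")
    (live / "wp-admin" / "css.php").write_text("<?php // unexpected file\n")
    return clean, live
```

Point compare_trees at the extracted download and an FTP mirror of the live site; anything listed under 'extra' is a candidate for the download-then-delete step above, and 'modified' core files are the ones to replace from the fresh fileset.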

Additional Maintenance

Now that you’ve cleaned up the hack:

  1. Change the security keys in wp-config.php to force all logged in sessions to terminate.
  2. Reset your FTP password in Plesk, just in case.
  3. Change your database password. Start by changing it in your control panel. Here’s how to do so in Plesk. Then once you’ve got your new database password, you need to inform WordPress of the change by updating it in wp-config.php.
  4. Delete any plugins that allow easy direct-file access from WordPress, like the “wp-file-uploader” plugin which we’ve seen used in many hacks in 2016.
  5. Follow the steps here to harden your WordPress installation; if you stay on top of everything described in that article, it will prevent your site from being hacked again.
  6. Ask your WordPress web host (hopefully us!) to do an antivirus scan for any additional infected files you might have missed. It should be a pretty quick process for them to do a scan and return the results for you.
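The two wp-config.php edits in steps 1 and 3, as an added example that is not from the article: a Python helper that rewrites the eight WordPress key/salt defines with fresh random values (which invalidates every logged-in session) and writes the new DB_PASSWORD. The sample config is constructed; the helper assumes the standard define('NAME', 'value'); lines that wp-config.php ships with.

```python
import re
import secrets
import string

# The eight authentication keys and salts WordPress reads from wp-config.php.
WP_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
           "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Quotes and backslash are excluded so a value can never break out of the PHP string.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.<>?/|~"

# Constructed sample config (the placeholder text is what WordPress ships with).
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wp_site' );
define( 'DB_PASSWORD', 'old-password' );
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""


def random_value(length: int = 64) -> str:
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def set_define(config: str, name: str, value: str) -> str:
    """Replace the value in define('NAME', '...'); raise if NAME is absent."""
    pattern = re.compile(r"""(define\(\s*(['"])%s\2\s*,\s*)(['"]).*?\3(\s*\)\s*;)"""
                         % re.escape(name))
    if not pattern.search(config):
        raise ValueError(f"{name} is not defined in this wp-config.php")
    return pattern.sub(lambda m: f"{m.group(1)}'{value}'{m.group(4)}", config, count=1)


def get_define(config: str, name: str):
    """Return the current string value of define('NAME', ...), or None."""
    m = re.search(r"""define\(\s*['"]%s['"]\s*,\s*(['"])(.*?)\1\s*\)\s*;""" % re.escape(name), config)
    return m.group(2) if m else None


def rotate_config(config: str, new_db_password=None) -> str:
    """Give every key/salt a fresh value and, when supplied, set the new database password."""
    for key in WP_KEYS:
        config = set_define(config, key, random_value())
    if new_db_password is not None:
        config = set_define(config, "DB_PASSWORD", new_db_password)
    return config
```

Read the real wp-config.php into a string, pass it through rotate_config with the password you already set in Plesk, and write the result back; keep the file's permissions unchanged.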

All Cleaned Up?

Be sure to make a backup!

Check common website blacklists to ensure you didn’t wind up caught in one of them. If you did, follow their instructions to get yourself removed. See the “Be Mindful of Website Blacklists” section on the WordPress Hacked FAQ here for more details.

Jordan is a computer, security, and network systems expert and a lover of all things web and tech. Jordan consults with project management for software companies. Jordan is a founder and managing partner at Websavers Inc.
