How to fix a hacked WordPress site

How to fix a hacked website

If your WordPress site has been hacked, don’t panic! Just like everything else IT-related, solving this is simply a matter of following the right steps. The following guide will help you to fix your hacked WordPress website.

About WordPress Hacks

It’s important to keep in mind that most WordPress hacks are not targeted: it’s highly unlikely that you’ve been specifically targeted and attacked. The more likely scenario is that some large botnet (often thousands of computers under one person or hacking group’s control) has an automated tool that scans for vulnerabilities in WordPress sites and attempts to exploit them in an automated manner.

Why do they do this? A few possible reasons:

  • For further replication (spreading) by using your website to also infect other websites.
  • To send massive quantities of spam from your website’s server
  • To set up a phishing site, such as an imitation of a bank’s website to try to lure people into giving these hackers their bank login credentials.
  • To obtain a list of email addresses to add to their spam databases (from your WordPress users — particularly with subscription or eCommerce sites)

While it’s possible they’re hunting for credit card data, it’s highly unlikely since nearly all (if not all) eCommerce solutions using WordPress tend to use credit card processors that do not store the credit card details in your WordPress database. Hackers know this and tend to avoid bothering attempting to automatically gather this type of data.

If you’re not comfortable completing this 6-step repair process, that’s totally understandable. We’ve got a “we’ll fix it for you” service that ranges from $79 – $149 CAD depending on the extent of the hack. We’ll even tailor the price based on how much of the repairs you’ve completed yourself, so feel free to get started and have us take over part way; just make sure that you tell us everything that you have done already. Get in touch with us to find out more!

1. Disable Site to Protect its Reputation

If you’re not able to attend to this issue immediately, it is imperative that you disable your site in Plesk now. As indicated above, many hacks actively attempt to spread copies of themselves or attack others, and you will want to shut this down right away until you’re able to get to the repairs.

It can sometimes be difficult to tell if the hack is actively attacking others. In the event that it is, and you don’t stop that behaviour immediately, you can damage your website’s reputation for weeks or even months. Search engines (like Google) and antivirus software like TrendMicro and McAfee will then block your website, causing a massive drop in visitors and potentially a drop in search engine rankings as well. This is very bad, and is exactly why you should not allow your site to continue operating until the hack is cleaned.

2. Take a Backup

Always start by backing up your website using your favourite method. Why do you want to back up if it’s going to include the hacked files? Since you’ll be manually (and automatically, using tools like WordFence) adjusting and removing files, it’s important to have a backup of everything just in case you need to restore a file or two.

Make sure that when you create the backup, you label it clearly as ‘hacked’ so you don’t restore it in the future, thinking it’s an OK restore point. Or simply delete the backup when you’re confident the site is working well.

3. Repair Website Admin Access

The first step is to see if you can access the front end of the site, and the WordPress admin with your usual credentials. If not, find out what’s preventing access. The following are a couple of potential scenarios that might prevent you from accessing your website admin. If you *can* access your admin, you can skip this step.

Got a White Screen of Death?

This is the name for what happens when you attempt to access your website or website admin and get purely a white screen with nothing on it, rather than your homepage or admin login page. The white screen of death occurs when there’s actually an underlying error occurring, but it’s only being logged, not shown on screen. This is actually good behaviour, despite how it might seem right now, as many plugins and themes will log warnings and notices that you don’t want visible to your users. However, when it’s a critical error, you don’t get anything on screen: hence the white screen!

Check out our article on repairing the white screen of death to learn how to fix this, then come on back here to continue cleaning up the hack.

A hack we saw recently tampered with the core WordPress file index.php by adding an “include” line to include another file. Unfortunately (or fortunately) the file it was trying to include was missing, causing an error. The error log indicated something along the lines of “unable to find file”. Therefore removing the ‘include’ line from index.php fixed the issue and brought the website back online. That said, it did not clear up the entire hack, so make sure you don’t fix this one thing and say “I’m done!”; there’s likely much more to it.

Once you fix that problem, try visiting the site and/or logging in to the admin again. If you’re still not able to access the homepage or login page after fixing the error found in the logs, you’ve probably simply encountered another, different error. Often it will take repeating this process a few times, adjusting different files each time based on the error provided in the logs, before you’re able to regain full access.

Password Not Working?

If your admin password isn’t working, the hacker (or more likely the automated hacking tool) changed the admin password. The next step is therefore to reset your admin password! Here’s how to reset your WordPress admin password to regain access.

4. WordPress Admin Measures

  1. WordFence Malware Scans: Install WordFence and run a scan. WordFence might not always be the best at preventing an attack, but it can be decent at helping to clean one up.
  2. Administrator Passwords: Change all WordPress ‘administrator’ user passwords to secure values. This means at least 20 characters and randomly generated is preferred. If you’re asking “how will I ever remember those?” then you probably aren’t using a password manager like LastPass, and you absolutely should be. Do not gloss over this; weak passwords are probably the number one reason sites are hacked.
  3. Update all plugins and themes: If you have commercial plugins and themes that do not update using the built in WordPress updater (that’s no good) be sure to update them manually, then set a recurring task for yourself to update them every month and ask the developer for auto-update functionality! If you don’t want the extra work of manually updating, then change the theme or plugin to one that automatically updates.
  4. Visual Inspection: Look through the pages in the WordPress admin to see if you spot anything amiss. Look for themes and plugins that might have been uploaded unexpectedly. Look for things that you don’t remember existing previously; they may give you a clue as to where the vulnerability lies or what was changed by the hack. If, for example, you see odd behaviour from a particular plugin, be aggressive and delete the plugin entirely, then reinstall a fresh copy from Plugins > Add New. This ensures that if the plugin files were also infected, they will be replaced by clean files.

5. Reset Core Files

First, download a fresh copy of WordPress to your computer and extract it, if your system didn’t do this automatically. Then log in to Plesk and navigate to “Files”, OR connect via FTP to get a live file listing of your website. (The Plesk file manager is easier unless you’re already familiar with using FTP.)

Option A: Visual Inspection / Spot the Difference

Compare the live file listing either via FTP or in the Plesk file manager with what you see from the freshly downloaded WordPress file set on your computer. (These files will look like wp-config.php, wp-settings.php, etc).

Note that you don’t need to open the files; we’re just checking to see if there’s any extra files that the hack might have put in place that don’t need to be there.

If you spot anything different, download it to your computer* (in the event it’s not actually malicious, you’ll have a copy saved that you can restore) and delete it from the server. Repeat this until you’re confident that the WordPress install doesn’t have any non-essential extraneous files.

Option B: File Replacement (Quicker)

An extremely effective tactic is to simply delete every file and folder that starts with “wp-” except wp-config.php and wp-content. Be sure not to delete those two as they contain a good chunk of what makes your site look and work as it does. Once you’ve removed the wp-* files, upload the fresh copies from your downloaded WordPress fileset. Make sure you upload all of them and that you do not overwrite wp-content nor wp-config.php!

Doing this ensures that if any core WordPress files were infected, they sure won’t be any longer.

It’s then recommended to repeat this process with each plugin folder found in wp-content/plugins/ and each theme folder found in wp-content/themes (note: you likely won’t find a fresh copy for *every* theme). Just make sure you take a backup first, in case you need to restore them. If your developer has done their job right, any customizations they’ve implemented are in child themes and therefore will not be affected by a core theme update or a plugin update.

Once you’ve done this with WordPress core files and each plugin and theme folder, things get a bit trickier. We can’t simply replace the rest of the files with fresh copies as there are no fresh copies: what’s left is the unique content and design elements that make up your site!
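Option A can be automated instead of eyeballed. The script below is an added example, not the article’s own tooling: it compares a fresh WordPress extract against the live tree and prints only the files that exist on the server but not in the fresh set, skipping wp-content and wp-config.php because those are site-specific. The two directory paths are hypothetical arguments, and the demo trees are constructed for illustration.

```shell
# Added example (not the article's own script): list files that exist on the
# live site but not in a fresh WordPress extract (Option A, automated).
# wp-content and wp-config.php are site-specific, so they are skipped here.
# Paths are hypothetical arguments: extra_files FRESH_DIR LIVE_DIR
extra_files() {
    fresh="$1"; live="$2"
    tmp_fresh=$(mktemp); tmp_live=$(mktemp)
    # LC_ALL=C keeps sort and comm on the same byte-wise collation
    (cd "$fresh" && find . -type f | LC_ALL=C sort) > "$tmp_fresh"
    (cd "$live" && find . -type f \
        ! -path './wp-content/*' ! -path './wp-config.php' | LC_ALL=C sort) > "$tmp_live"
    # comm -13: lines only in the second list, i.e. present on the server only
    LC_ALL=C comm -13 "$tmp_fresh" "$tmp_live"
    rm -f "$tmp_fresh" "$tmp_live"
}

# Constructed demo trees (not real site data): a fresh extract and a "live"
# copy carrying one extra file inside wp-admin and one inside uploads.
build_demo_site() {
    base="$1"
    mkdir -p "$base/fresh/wp-admin" "$base/live/wp-admin" "$base/live/wp-content/uploads"
    for f in index.php wp-settings.php wp-admin/admin.php; do
        : > "$base/fresh/$f"; : > "$base/live/$f"
    done
    : > "$base/live/wp-config.php"            # legitimate, site-specific
    : > "$base/live/wp-admin/x1.php"          # not in the fresh extract
    : > "$base/live/wp-content/uploads/a.php" # skipped here; see the uploads check later
}
```

Anything the script prints is a candidate for the download-then-delete treatment described above; it says nothing about files that were modified in place, which is what Option B handles.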

Manual File Checks

The best you can do from here is manually look through the rest of the wp-content folders to see if you spot anything that shouldn’t be there. Here are some tips:

  1. wp-content/uploads should contain only folders, images and documents. You should not find any .php files or .js files or any other types of code files in there, except perhaps raw HTML.
  2. If you or your developer made use of a child theme under wp-content/themes/<child_theme_name> when creating your site, you’ll need to (or your developer will need to) inspect each of the files within the child theme folder to see if there’s any malicious code inserted into them.

As a quick, non-conclusive version of this: most hacks tend to inject code at the top or bottom of files, so 99% of the time it’ll be safe to simply check the beginning and end of each file in the child theme.

*In all cases of hacked websites that we’ve seen, you do not need to be worried about the hack files infecting your computer. These infected files nearly always need to be run on a web server to be effective at doing anything. That said, be sure not to double click / run them just in case!

Have a VPS with shell access?

The following is a search for a few common strings that can be found in hacked files to help narrow things down a bit. Be careful with these as some of them *could* occur in legit code. Run it from the site’s document root: -E enables the alternation, the single quotes and the backslash stop the shell from expanding $s20, and -l prints only the file names rather than the (often very long) matching lines.

grep -rlE '\$s20=strtoupper|return base64_decode' .

Another approach is to look for files modified on the date of the hack. You’ll need to have already identified hacked files and noted their last modified date for this to work. Replace DateOfAttackYYYY-MM-DD and DateAfterAttackYYYY-MM-DD (the day after the hack) in that exact format with the correct Year-Month-Day values (-newermt requires GNU find, which is what Linux servers ship):

find wp-content -type f -name "*.php" -newermt DateOfAttackYYYY-MM-DD ! -newermt DateAfterAttackYYYY-MM-DD
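The two manual file checks above (no code files in uploads; injected code usually sits at the top or bottom of a file) and the grep can be combined into a single pass over wp-content. This is an added example, not the article’s own script: the directory path is a hypothetical argument, and the demo wp-content tree it builds is constructed for illustration.

```shell
# Added example (not the article's own script): one pass over wp-content that
# (a) flags code files under uploads, which should hold only media/documents,
# and (b) greps the first and last lines of every .php file for the strings
# the article searches for, since injected code is usually prepended or
# appended. Directory path is a hypothetical argument; demo files are constructed.
scan_wp_content() {
    dir="$1"
    # (a) anything the web server would execute does not belong in uploads
    find "$dir/uploads" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.js' \) \
        2>/dev/null | sed 's/^/uploads-code: /'
    # (b) head/tail only: fast but non-conclusive, as the article notes
    find "$dir" -type f -name '*.php' | while read -r f; do
        if { head -n 5 "$f"; tail -n 5 "$f"; } |
           grep -qE '\$s20=strtoupper|return base64_decode'; then
            echo "suspicious-code: $f"
        fi
    done
}

# Constructed demo wp-content tree (not real site data)
build_demo_content() {
    d="$1"
    mkdir -p "$d/uploads/2019/06" "$d/themes/child"
    : > "$d/uploads/2019/06/photo.jpg"                         # fine
    echo '<?php echo "dropper";' > "$d/uploads/2019/06/up.php"  # code in uploads
    printf '<?php\n// clean child theme file\nget_header();\n' > "$d/themes/child/header.php"
    # one injected line at the top of an otherwise normal theme file
    printf '<?php return base64_decode("Zm9v");\nget_footer();\n' > "$d/themes/child/footer.php"
}
```

Treat every “suspicious-code” hit as something to open and read, not to delete blindly; a legitimate plugin can contain the same string.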

6. Final Maintenance

Now that you’ve cleaned up the hack:

  1. Change the security keys in wp-config.php to force all logged-in sessions to terminate.
  2. Reset your FTP password in Plesk, just in case.
  3. Change your database password. Start by changing it in your control panel. Here’s how to do so in Plesk. Then once you’ve got your new database password, you need to inform WordPress of the change by updating it in wp-config.php.
  4. Delete any plugins that allow easy direct-file access from WordPress, like the “wp-file-uploader” plugin which we’ve seen used in many hacks.
  5. Follow the steps here to harden your WordPress installation. If you stay on top of everything described in that article, it will prevent your site from being hacked again.
  6. Ask your WordPress web host to do a malware scan for any additional infected files you might have missed. If you’re hosted with Websavers, you can review our weekly malware scans in Plesk! Simply log in to Plesk, under the default Websites & Domains tab, look for Imunify360 in the upper right corner and click on it to review all detected malware.
  7. Be sure to make a backup of your now freshly cleaned site!
  8. Check common website blacklists to ensure you didn’t wind up caught in one of them. If you did, follow their instructions to get yourself removed. See the “Be Mindful of Website Blacklists” section on the WordPress Hacked FAQ here for more details.
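Step 1 of this list, rotating the security keys, can be scripted. The function below is an added example, not the article’s or WordPress’s own code: it rewrites the eight define() lines for the keys and salts with fresh random values so every existing login cookie becomes invalid. It assumes GNU sed and /dev/urandom (a Linux server), takes the config path as a hypothetical argument, and the demo wp-config.php is constructed.

```shell
# Added example (not the article's own script): rotate the eight WordPress
# security keys and salts in wp-config.php, which ends every logged-in session.
# Assumes GNU sed (-i) and a Linux /dev/urandom. Config path is a hypothetical
# argument; a .bak copy is kept so the change can be reverted.
rotate_wp_salts() {
    cfg="$1"
    cp "$cfg" "$cfg.bak"
    for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
               AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        # 48 random bytes -> 64 base64 characters; none of them are sed
        # metacharacters or quotes, so they drop straight into the PHP string
        new=$(head -c 48 /dev/urandom | base64 | tr -d '\n')
        # rewrite the define() for this key regardless of its current value
        sed -i "s|define( *'$key', *'[^']*' *);|define('$key', '$new');|" "$cfg"
        # a current value containing a single quote will not match; flag it
        grep -qF "'$new'" "$cfg" || echo "warning: $key not rewritten in $cfg" >&2
    done
}

# Constructed demo config (not a real site): the stock placeholder values
# plus one unrelated define that must survive untouched
write_demo_config() {
    cfg="$1"
    echo "define( 'DB_NAME', 'wp_demo' );" > "$cfg"
    for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
               AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        echo "define( '$key',  'put your unique phrase here' );" >> "$cfg"
    done
}
```

Run it once against the real wp-config.php and then log in again yourself; everyone else, including whoever planted the hack, is logged out.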


Jordan Schelew

Jordan has been working with computers, security, and network systems since the 90s and is a managing partner at Websavers Inc. As a founder of the company, he's been in the web tech space for over 15 years.

About Websavers

Websavers provides web services like Canadian WordPress Hosting and VPS Hosting to customers all over the globe, from hometown Halifax, CA to Auckland, NZ.

If this article helped you, our web services surely will as well! We might just be the perfect fit for you.

4 Comments

  1. raley on June 20, 2019 at 6:50 am

    Thanks for sharing useful information!! I am really impressed to see that you have provided such interesting information about WordPress.
    I was struggling with the same issue for the last 3 days and finally solved it. Anyway, can you suggest a better option to get cheap Linux hosting other than redserverhost.com?
    Thank you once again!!

  2. Themepi on September 8, 2017 at 1:44 pm

    Nice step-by-step instructions. But it is really complex for new users. Some coding skill is also required to understand the malicious code.

    • Jordan Schelew on September 8, 2017 at 3:09 pm

      Thanks! Yes this is true. I’ve provided as many rules of thumb as I can which should help to make it straightforward to identify most hacks without extensive coding knowledge. That said, if the hack is more invasive than most, it’ll always be necessary / recommended to pay a professional to do the job. These instructions *will* however work quite well for a good majority of hacks!
