Designed by Newt Labs

Infographic Transcript

Unknown to many, thousands of websites are being hacked on a daily basis. This is both mind boggling and alarming, especially for website owners who have little to no knowledge about data security and recovery.

WordPress, as the most popular CMS in the market today, is the most vulnerable to vicious hacker attacks.

Last year, it was reported that at least 15,769 WordPress websites had been compromised, many of which were backdoored, giving hackers a means to load malicious payloads, target visitors, and use these websites for further attacks. So if you’re running your website on WordPress, it’s important that you know what to do in case the worst should happen.

In this infographic, we present a comprehensive guide that will help you clean up your hacked WordPress website effectively and secure it against further attacks.

Fixing a hacked website may take some hours to finish. If you’re not tech-savvy, or just unsure if you can deal with code and servers by yourself, it’s better to leave this job to your WordPress support team.

Top Reasons for WordPress Hacking

Incorrect File Permissions

Improper file permissions could make your website vulnerable to hackers. For security purposes, your site permissions should generally be set to the following:

(Infographic panel: WordPress Incorrect File Permissions)
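The panel that listed the recommended modes did not survive the transcript. The script below is an added example (not part of the infographic) that audits a WordPress tree against the modes usually recommended for it: directories 755, files 644, and wp-config.php readable only by the site owner (600). Those values are an assumption taken from common WordPress hardening advice, not from the missing panel. The sample tree it builds under a temporary directory is constructed so the script runs offline; point the functions at a real install path instead.

```shell
#!/bin/sh
# Added example: audit and (optionally) reset file modes in a WordPress tree.
# Assumed recommendation: directories 755, files 644, wp-config.php 600.

# Constructed sample tree with a few deliberately wrong modes.
make_sample_site() {
  site=$(mktemp -d)
  mkdir -p "$site/wp-content/uploads" "$site/wp-content/plugins/demo"
  printf '<?php\n' > "$site/index.php"
  printf '<?php // DB credentials live here\n' > "$site/wp-config.php"
  printf '<?php\n' > "$site/wp-content/plugins/demo/helper.php"
  chmod 755 "$site" "$site/wp-content" "$site/wp-content/plugins" \
            "$site/wp-content/plugins/demo"
  chmod 777 "$site/wp-content/uploads"                  # world-writable directory
  chmod 644 "$site/index.php"
  chmod 644 "$site/wp-config.php"                       # readable by everyone on the host
  chmod 777 "$site/wp-content/plugins/demo/helper.php"  # world-writable file
  printf '%s\n' "$site"
}

# List directories whose mode is not 755 and regular files whose mode is not 644.
# wp-config.php is excluded here because it gets its own, stricter check.
find_bad_perms() {
  dir=$1
  find "$dir" -type d ! -perm 755 -print
  find "$dir" -type f ! -perm 644 ! -name wp-config.php -print
}

# wp-config.php holds the database password: flag it if group or others can read it.
check_wp_config() {
  find "$1" -maxdepth 1 -name wp-config.php \( -perm -004 -o -perm -040 \) -print
}

# Remediation. Run only after reviewing the audit output: some hosts rely on
# a different owner/group layout, and uploads directories may need group write.
fix_perms() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  chmod 600 "$1/wp-config.php"
}

# Demo on the constructed tree.
demo=$(make_sample_site)
echo "== unexpected modes under $demo =="
find_bad_perms "$demo"
echo "== wp-config.php readable by group/others =="
check_wp_config "$demo"
fix_perms "$demo"
echo "== after fix_perms (should be empty) =="
find_bad_perms "$demo"
check_wp_config "$demo"
rm -rf "$demo"
```

The audit functions only print paths; nothing is changed until you call fix_perms, so you can review what the hack (or a careless install) left world-writable before resetting anything.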

Outdated WordPress, Plugins, Theme Files

Keeping WordPress, plugins and theme versions up to date will lessen the chance of your site getting hacked.

To Update WordPress:

  1. Backup your site so that you can roll it back if any errors occur as a result of the update
  2. Login to your WordPress admin area
  3. Select Dashboard – Updates
  4. If a new version is available: select Update Now

To Update Your Plugins:

  1. Backup your site in case an error occurs as a result of the update
  2. Login to the admin area
  3. Select Dashboard – Updates
  4. Select the plugins you wish to update
  5. Select – Update Plugins

Insecure Hosting Environment

If your website is on a shared hosting environment and your hosting provider does not employ strict security measures and regular file scanning, your site is more vulnerable to hackers.

Insecure Admin or FTP/SFTP Password

This simply means the user is not using secure passwords for their admin and SFTP logins. If the hacker can easily crack your password, they can potentially modify all your theme files, add or remove plugins, and deface your website.

Signs of a Hacked WordPress Website

  • Your Security plugin sends you a warning about your compromised website
  • Unable to login to your WordPress admin panel
  • Your WordPress website redirects to another, often undesirable, website
  • Your website displays malicious links, images, and content
  • Google has blacklisted your website
  • Analytics displaying unusual traffic spikes
  • Recent modifications on your core files
  • Your web host takes your site offline
  • New files that should not exist on your WordPress installation or on your server

When several of these symptoms appear on your WordPress website, it confirms that your site has been compromised.

IMPORTANT: BACKUP YOUR FILES!

Before you start cleaning your hacked website, you must ensure that your hosting provider has backups of your site’s code and database. If your hosting provider does not provide this type of facility, you can still achieve this by doing it manually or through a plugin.

IDENTIFY THE EXTENT OF THE HACK

Examining the extent of the hack is essential, as it will help you fix the hack from the right starting point.

To make it simpler we’ve divided this guide into two sections: if you can still access your website, and if you have no access at all to the WordPress Dashboard.

A. If You Can Still Log in With Your Account:

The following are steps that you should follow if your site got hacked but you can still access your WordPress dashboard.

1. Change Your Password

The fastest way to stop anyone from illegally accessing your website is to change your password immediately. This applies to all other users with admin rights as well. If they’re unavailable for the moment, you can change their passwords inside the Users menu and send the new passwords to them afterwards.

2. Scan for Malware

Before you run a malware scan, you must first remove all inactive themes and plugins from your site, since this is often where hackers hide backdoors that let them access your site without normal authentication.

After that, you can use a malware scanner plugin such as Sucuri to scan all your WordPress core files for integrity.

3. Replace Hacked Files with Original Files

If the malware scan found malicious code in any of the files on your website, delete these files and replace them with the original versions. The simplest way to do this is to re-install WordPress from inside the dashboard. The same applies to your theme and plugin files.

4. Check User Permissions

If your site has multiple administrative users with varying rights, then you should review your user permissions and check whether there is anything suspicious in what they can and can’t do on your website. You should also check whether there is an administrator user that you don’t recognize.

5. Change Salts

Salts refer to the secret keys that protect important information, such as the login data stored in cookies. If a hacker stole your password and is still logged into your website, they will remain logged in after you change it, because their cookies are still valid.

Change your salts by generating new security keys and adding them to your wp-config.php file afterwards.
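Rotating the keys by hand means replacing the eight define() lines in wp-config.php. The script below is an added example, not part of the infographic: it generates eight fresh 64-character keys locally (WordPress’ own generator at https://api.wordpress.org/secret-key/1.1/salt/ produces the same kind of block, but this version needs no network access), swaps them into a copy of wp-config.php, and keeps a .bak of the old file. The sample wp-config.php it builds is constructed for the demo; pass the real path to rotate_salts instead.

```shell
#!/bin/sh
# Added example: rotate the WordPress authentication keys and salts in wp-config.php.
# Changing them invalidates every existing login cookie, including the attacker's.

# A random 64-character alphanumeric key (no shell or sed metacharacters).
gen_key() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 64
}

# Emit the eight define() lines WordPress expects, each with a fresh key.
new_salt_block() {
  for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
           AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
    printf "define('%s', '%s');\n" "$k" "$(gen_key)"
  done
}

# Replace the existing key/salt lines in a wp-config.php. The old file is kept
# as wp-config.php.bak; the new block is written where the first old line was.
rotate_salts() {
  cfg=$1
  cp "$cfg" "$cfg.bak"
  awk -v block="$(new_salt_block)" '
    /^define\(.(AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|NONCE_KEY|AUTH_SALT|SECURE_AUTH_SALT|LOGGED_IN_SALT|NONCE_SALT)./ {
      if (!done) { print block; done = 1 }
      next
    }
    { print }
  ' "$cfg.bak" > "$cfg"
}

# Constructed sample config, still carrying the stock placeholder phrases.
make_sample_config() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
EOF
  printf '%s\n' "$f"
}

# Demo on the constructed config.
demo=$(make_sample_config)
rotate_salts "$demo"
echo "== rotated $demo =="
cat "$demo"
rm -f "$demo" "$demo.bak"
```

Because the keys are restricted to letters and digits, they can never break the PHP string literal or the awk pattern; the .bak copy is there so a typo in the real file can be rolled back before the site is reloaded.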

6. Change Your Password Again

Once you have changed your Salts, you need to change your password again for the following areas:

(Infographic panel: Changing WordPress Password)

7. Reinforce Your Security

Aside from recovering your website, another goal of fixing it is to make sure that it will not be hacked again in the future, or at least to make it harder for hackers to crack your website.

Here are a few tips to reinforce your security:

  • Keep your WordPress, themes, and plugins updated
  • Use reliable web hosting
  • Use strong and unpredictable passwords
  • Limit login attempts
  • Install a security plugin
  • Install a website firewall and monitoring system
  • Run regular scans on your WordPress website
  • Schedule regular backups
  • Delete outdated WordPress installations on your server
  • Have a WordPress support team to help secure and monitor your website 24/7

8. Rebuild Your Site

Now that you have cleaned up and secured your website, the next thing that you should do is to roll back everything that was lost during recovery. This includes your theme customizations, blog posts, videos, and other content that may have vanished because of the hack.


B. If You Can’t Access the WordPress Dashboard

1. Use phpMyAdmin to Reset the Password

If you can’t log in to your website, the hacker might have changed the password of your admin account. Fortunately, you can reset the password inside your database via the database admin tool phpMyAdmin.

You can also try going to the login screen and clicking the “Lost your password?” link. It will take you to the password-reset page where you can enter your username or email address to reset the password.

2. Find Corrupted Files

Even without access to your admin account, you can still recover your website by finding the corrupted files on your server and replacing them with the original versions. If you are unable to install a plugin to detect and clean corrupted files, then you will have to do it manually.

Here are things to look out for when searching for compromised files within the WordPress install:

HTML Files

Typically, a WordPress website has no HTML files stored in its install. If you find one, delete it, as the hackers may have put it there.

Recently Modified Files

To find recently modified files, you can navigate to the directory and use the find command: find . -mtime -5 -ls

The above command lists [-ls] all the files whose modification time [-mtime] falls within the last five days [-5]. However, some files are updated regularly, such as log files, so a recent modification date doesn’t necessarily mean that a file has been infected.

Find Text from Hacked Pages

If the hacker has added the text “hacked by” or “buy cheap”, you can search your codebase for that text. If the text has been added to the site’s code, you can easily identify the files that have been compromised.

Search for Commonly Used Hacking Code

You can search the following strings to find potentially infected files on your server:

  • iframe
  • eval
  • exe
  • isadmin
  • base64
  • inure
  • base64_decode
  • gzuncompress

Compare Site to the Hacked Version

If you have a backup of your website, you can compare its files to the files in your hacked website to identify which files have been affected.
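The four checks described above (stray HTML files, recently modified files, suspicious strings, and a diff against a known-good backup) fit in one small script. The version below is an added example, not the infographic’s own, for a server you can reach over SSH; it builds a constructed sample tree and a clean copy of it so it runs offline. The grep patterns are the ones the guide lists; note that WordPress core itself ships readme.html and legitimately calls functions like base64_decode, so every hit is a lead to review, not proof of infection.

```shell
#!/bin/sh
# Added example: triage helpers for locating compromised files in a WordPress tree.

# 1. HTML files: core keeps pages in the database, so .html files are worth a look
#    (readme.html in the site root is a normal exception).
find_html() {
  find "$1" -type f \( -name '*.html' -o -name '*.htm' \) -print
}

# 2. Files modified in the last N days (default 5). Logs and caches churn daily,
#    so treat this as a shortlist, not a verdict.
find_recent() {
  find "$1" -type f -mtime "-${2:-5}" -print
}

# 3. Files containing defacement text or the functions obfuscated payloads lean on.
grep_suspicious() {
  grep -rlE 'hacked by|buy cheap|eval\(|base64_decode|gzuncompress|<iframe' "$1"
}

# 4. Names and contents that differ between a clean backup and the live tree.
compare_to_backup() {
  diff -rq "$1" "$2"
}

# Constructed sample: one untouched core file (dated 2018) and three fresh files,
# two of which are the kind of thing a hack leaves behind.
make_sample_tree() {
  site=$(mktemp -d)
  mkdir -p "$site/wp-content/uploads/2019" "$site/wp-includes"
  printf '<?php\n// normal core file\n' > "$site/wp-includes/functions.php"
  printf '<?php eval(base64_decode("aGVsbG8="));\n' > "$site/wp-content/uploads/2019/cache.php"
  printf '<html><body>hacked by someone</body></html>\n' > "$site/wp-content/uploads/2019/index.html"
  printf 'ok\n' > "$site/wp-content/debug.log"
  touch -t 201801010000 "$site/wp-includes/functions.php"
  printf '%s\n' "$site"
}

# A "backup" is simply the same tree without the planted files.
make_clean_backup() {
  bak=$(mktemp -d)
  cp -R "$1/." "$bak/"
  rm -f "$bak/wp-content/uploads/2019/cache.php" "$bak/wp-content/uploads/2019/index.html"
  printf '%s\n' "$bak"
}

# Demo run on the constructed tree.
demo=$(make_sample_tree)
backup=$(make_clean_backup "$demo")
echo "== html files ==";         find_html "$demo"
echo "== modified < 5 days ==";  find_recent "$demo" 5
echo "== suspicious strings =="; grep_suspicious "$demo"
echo "== differs from backup =="; compare_to_backup "$backup" "$demo" || true
rm -rf "$demo" "$backup"
```

Run the functions against the live install path; the recently-modified list and the grep hits overlap on the files that matter (here cache.php), while debug.log shows up in the first list only, which is exactly the false positive the guide warns about.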

3. Replace Corrupted Files

Once you have located the corrupted files, delete or replace them with the clean version. To do this, you will need to have FTP access that will allow you to access and modify your files on your server.

4. Run Malware Scans

Once you’re done replacing all the compromised files, run the malware scan once again to ensure that no corrupted files or malicious code are left.

5. Reinforce and Rebuild

After you’ve cleaned up the mess, you can take the steps mentioned earlier to increase your website security and recover anything that has been lost during the process.

  • Review permissions
  • Change passwords
  • Replace salts inside wp-config.php
  • Rebuild website

Having your website hacked is one of the most horrible things you’ll experience in your online pursuits. It can cost you money, your customers, or even your business if not fixed immediately.

If the instructions above are too much for you to handle, make sure to get help from professionals, especially if your website plays a major role in your business.
