Unknown to many, thousands of websites are hacked every day. This is both mind-boggling and alarming, especially for website owners who have little or no knowledge of data security and recovery.
WordPress, as the most popular CMS on the market today, is also the most heavily targeted: a single vulnerable plugin or theme can be exploited across a huge number of sites at once.
Last year, it was reported that at least 15,769 WordPress websites had been compromised, many of them backdoored, giving attackers a way to load malicious payloads, target visitors, and use the sites as a base for further attacks. So if you are running your website on WordPress, it is important to know what to do if the worst happens.
In this infographic, we present a comprehensive guide that will help you clean up your hacked WordPress website effectively and secure it against further attacks.
Fixing a hacked website can take several hours. If you are not tech-savvy, or unsure whether you can deal with code and servers by yourself, it is better to leave this job to your WordPress support team.
Top Reasons for WordPress Hacking
Incorrect File Permissions
Improper file permissions can make your website vulnerable, because any account or process on the server that can write to your files can plant a backdoor. For security purposes, your site's permissions should generally follow the standard WordPress recommendation: 755 for directories, 644 for files, and a tighter 600 (or 440, depending on which user the web server runs as) on wp-config.php, which holds your database credentials. Nothing under the web root should be world-writable (777).
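As an added example (not part of the original guide), the following shell functions audit a WordPress tree for permissions an attacker can exploit and then apply the 755/644/600 baseline. The root path is whatever you pass in; the numbers are the WordPress hardening recommendation, not values taken from this page.

```shell
#!/bin/sh
# Added example, not from the original guide. Audit and fix permissions in a
# WordPress install. Assumed baseline (the WordPress hardening recommendation):
# directories 755, regular files 644, wp-config.php 600. The root path is
# supplied by the caller.

# Print every entry that is world-writable, plus a wp-config.php that group or
# others can read. Prints nothing when the tree matches the baseline.
wp_perm_audit() {
  root="$1"
  # -perm -o+w: the "other" write bit is set, so any user on the box can modify it.
  find "$root" -perm -o+w -print
  # wp-config.php holds the database credentials and the salts; on shared
  # hosting a readable copy hands them to every other account on the server.
  if [ -f "$root/wp-config.php" ]; then
    find "$root/wp-config.php" \( -perm -g+r -o -perm -o+r \) -print
  fi
}

# Apply the baseline. Directories and files are handled with one chmod per
# batch ({} +), so this is fast even on a large uploads folder.
wp_perm_fix() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then
    chmod 600 "$root/wp-config.php"
  fi
}

# Typical use: review the audit output first, then fix and re-audit.
#   wp_perm_audit /var/www/html
#   wp_perm_fix   /var/www/html && wp_perm_audit /var/www/html
```

One caveat: 600 on wp-config.php only works when PHP runs as the user that owns the file. On hosts where the web server runs as a different user, use 640 (or 440) with the web server's group instead, and expect wp-content/uploads to need group write if PHP runs as a different user than your FTP/SFTP account.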
Outdated WordPress, Plugins, Theme Files
Keeping WordPress, plugins and theme versions up to date will lessen the chance of your site getting hacked.
To Update WordPress:
- Back up your site so that you can roll it back if the update causes errors
- Log in to your WordPress admin area
- Select Dashboard – Updates
- If a new version is available, select Update Now
To Update Your Plugins:
- Back up your site in case the update causes errors
- Log in to the admin area
- Select Dashboard – Updates
- Select the plugins you wish to update
- Select Update Plugins
Themes are updated from the same Dashboard – Updates screen in the same way.
Insecure Hosting Environment
If your website is on a shared hosting environment and your hosting provider does not employ strict security measures, account isolation and regular file scanning, your site is more exposed: a compromise of any neighbouring account on the same server can spread to yours.
Insecure Admin or FTP/SFTP Password
This refers to weak, reused or guessable passwords on your WordPress admin and FTP/SFTP logins. Automated attackers try common passwords against the WordPress login page around the clock; if they can crack yours, they can modify all your theme files, add or remove plugins, and deface your website.
Signs of a Hacked WordPress Website
- Your security plugin warns you that your website has been compromised
- You are unable to log in to your WordPress admin panel
- Your WordPress website redirects visitors to another, often undesirable, website
- Your website displays malicious links, images, or content you did not add
- Google has blacklisted your website
- Analytics show unusual traffic spikes
- Your core files show recent modifications you did not make
- Your web host takes your site offline
- New files appear that should not exist in your WordPress installation or on your server
Any one of these symptoms is reason to investigate; if several appear together, it is almost certain that your site has been compromised.
IMPORTANT: BACKUP YOUR FILES!
Before you start cleaning your hacked website, take a complete backup of the site's code and database in its current state, even though it is compromised: it is your record of what the attacker changed, and your fallback if the clean-up goes wrong. Also check whether your hosting provider keeps older backups from before the hack, because those give you a known-clean copy to compare against and restore from. If your host offers no backup facility, back up manually or through a plugin.
IDENTIFY THE EXTENT OF THE HACK
Examining the extent of the hack is essential, as it tells you where to start the fix.
To keep things simple, this guide is divided into two sections: what to do if you can still log in to the WordPress dashboard, and what to do if you have no dashboard access at all.
A. If You Can Still Log in With Your Account:
The following are steps that you should follow if your site got hacked but you can still access your WordPress dashboard.
1. Change Your Password
The fastest way to stop anyone from illegally accessing your website is to change your password immediately. The same applies to every other user with admin rights. If they are unavailable for the moment, change their passwords yourself from the Users menu and pass the new passwords on afterwards through a secure channel.
2. Scan for Malware
Before you run a malware scan, first delete all inactive themes and plugins, as this is often where attackers hide backdoors that let them back in without going through normal authentication.
Then use a malware scanner plugin such as Sucuri to check your WordPress core files for integrity against the official release.
3. Replace Hacked Files with Original Files
If the malware scan finds malicious code in any file, delete the file and replace it with the original version. The simplest way to do this for core files is to re-install WordPress from Dashboard – Updates, which overwrites every core file with a fresh copy from WordPress.org. Plugins and third-party themes are not touched by that re-install, so delete them and re-download fresh copies from the official directories or the vendor rather than keeping the infected versions.
4. Check User Permissions
If your site has several users with administrative or other elevated roles, review their permissions and look for anything suspicious in what they can and cannot do on your website. Also check for any administrator account you do not recognize; attackers routinely create one to keep access after the original hole is closed, and it should be deleted.
5. Change Salts
The salts are secret keys in wp-config.php that WordPress uses to sign the cookies that keep users logged in. If an attacker stole a password and is still logged into your website, they may hold valid login cookies for accounts you have not yet reset; regenerating the salts invalidates every existing login cookie on the site at once, the attacker's included.
Change your salts by generating a fresh set of all eight keys (the WordPress.org secret-key service at https://api.wordpress.org/secret-key/1.1/salt/ produces one) and pasting them over the existing AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and matching *_SALT definitions in your wp-config.php. Every user is logged out immediately.
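As an added example (not code from the original guide), this shell function rotates all eight keys and salts in place from the command line, using the constant names WordPress itself defines. The path to wp-config.php is whatever you pass in; random values come from /dev/urandom rather than the WordPress.org service.

```shell
#!/bin/sh
# Added example, not from the original guide. Rotate the eight WordPress keys
# and salts in wp-config.php so that every existing login cookie stops working.
# The constant names are the ones WordPress defines; the path to wp-config.php
# is supplied by the caller. Needs /dev/urandom (any Linux, BSD or macOS).

WP_SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 random characters from [A-Za-z0-9]. Restricting the alphabet keeps quotes,
# backslashes and sed delimiters out of the value, so it can be dropped into a
# PHP single-quoted string without escaping.
wp_random_salt() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 64
}

# wp_rotate_salts PATH_TO_WP_CONFIG
# Rewrites each existing define('KEY', '...') line with a fresh value, keeps the
# old file as wp-config.php.bak, and prints how many keys were rotated. A key
# that is not defined at all is left alone: add it by hand above the
# "stop editing" line, since a define() after the final require_once runs too late.
wp_rotate_salts() {
  cfg="$1"
  cp "$cfg" "$cfg.bak"
  count=0
  for key in $WP_SALT_KEYS; do
    if grep -q "^[[:space:]]*define([[:space:]]*['\"]$key['\"]" "$cfg"; then
      new=$(wp_random_salt)
      # sed -i.tmp works with both GNU and BSD sed; the .tmp copy is removed.
      sed -i.tmp "s|^[[:space:]]*define([[:space:]]*['\"]$key['\"].*|define( '$key', '$new' );|" "$cfg"
      rm -f "$cfg.tmp"
      count=$((count + 1))
    fi
  done
  echo "$count"
}

# wp_salt_value PATH_TO_WP_CONFIG KEY: print the value currently defined for KEY.
wp_salt_value() {
  sed -n "s|^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\(.*\)['\"][[:space:]]*);.*|\1|p" "$1"
}

# Typical use: wp_rotate_salts /var/www/html/wp-config.php
```

Run it once, confirm the output is 8, then log in again yourself; everyone else's session, including the attacker's, is gone. Remove the .bak copy once you have verified the site loads, so the old keys do not linger on disk.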
6. Change Your Password Again
Once you have changed your salts, change your passwords once more for every credential that touches the site: the WordPress admin accounts, and the FTP/SFTP and hosting logins mentioned earlier. The first set may have been captured while the attacker still had access.
7. Reinforce Your Security
Aside from recovering your website, the other goal is to make sure it will not be hacked again, or at least to make it much harder for attackers to get back in.
Here are a few tips to reinforce your security:
- Keep your WordPress, themes, and plugins updated
- Use reliable web hosting
- Use strong and unpredictable passwords
- Limit login attempts
- Install a security plugin
- Install a website firewall and monitoring system
- Run regular scans on your WordPress website
- Schedule regular backups
- Delete outdated WordPress installations on your server
- Have a WordPress support team to help secure and monitor your website 24/7
8. Rebuild Your Site
Now that you have cleaned up and secured your website, restore everything that was lost during recovery: theme customizations, blog posts, videos, and other content that vanished because of the hack or was removed during the clean-up. Take this content from a backup made before the compromise where possible, and inspect anything you restore from the hacked copy.
B: If You Can’t Access the WordPress Dashboard
1. Use phpMyAdmin to Reset the Password
If you cannot log in, the attacker may have changed the password on your admin account. Fortunately, you can reset it directly in the database through your host's phpMyAdmin tool: open the wp_users table (the prefix may differ on your install), find your account by its user_login, and set user_pass to the MD5 hash of a new password. WordPress accepts the MD5 value and rehashes it with its own algorithm on your next login. While you are in that table, look for administrator accounts you did not create.
You can also try the “Lost your password?” link on the login screen, which takes you to a page where you enter your username or email address to receive a reset link. This only helps if the attacker has not changed the email address on the account, so check the user_email column in phpMyAdmin as well.
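As an added example (not part of the original guide), this shell function builds the reset statement for pasting into phpMyAdmin's SQL tab or piping into the mysql client. The table and column names (wp_users, user_pass, user_login) are WordPress's real schema; the prefix and login are whatever you pass in, and the MD5 shortcut relies on WordPress upgrading the hash on the next login.

```shell
#!/bin/sh
# Added example, not from the original guide. Build the SQL statement that
# resets a WordPress user's password directly in the database. WordPress still
# accepts a plain MD5 hash in user_pass and replaces it with its normal hash the
# first time the user logs in, which is what makes this short statement work.
# Assumptions: the table prefix (wp_ by default) and the login are caller-supplied.

# MD5 of a string, on Linux (md5sum) or macOS (md5).
wp_md5() {
  if command -v md5sum >/dev/null 2>&1; then
    printf '%s' "$1" | md5sum | cut -d' ' -f1
  else
    printf '%s' "$1" | md5 -q
  fi
}

# wp_reset_password_sql PREFIX LOGIN NEW_PASSWORD
# Refuses an empty login or one containing a quote or backslash, so a crafted
# username cannot turn the generated statement into SQL injection.
wp_reset_password_sql() {
  prefix="$1"; login="$2"; newpass="$3"
  case "$login" in
    ""|*\'*|*\\*) return 1 ;;
  esac
  hash=$(wp_md5 "$newpass")
  printf "UPDATE %susers SET user_pass = '%s' WHERE user_login = '%s';\n" \
    "$prefix" "$hash" "$login"
}

# Typical use, feeding the statement straight to the database:
#   wp_reset_password_sql wp_ admin 'a-long-random-passphrase' | mysql -u DBUSER -p DBNAME
```

Use a long, random passphrase; the MD5 form is only a stop-gap until WordPress rehashes it at your next login. Resetting the password does not log the attacker out of an existing session, so follow it with the salt rotation described in section A.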
2. Find Corrupted Files
Even without access to your admin account, you can still recover your website by finding the tampered files on your server and replacing them with the original versions. If you are unable to install a plugin to detect and clean them, you will have to do it manually.
Here are things to look out for when searching for compromised files within the WordPress install:
A WordPress site serves its pages from the database; it does not normally store standalone HTML files in the web root or under wp-content/uploads (the core ships only readme.html at the top level). An unexpected .html file in those places is a classic spot for attackers to drop phishing or spam pages, so inspect it and delete it if you did not create it.
Recently Modified Files
To find recently modified files, change into the WordPress directory and use the find command:
find . -mtime -5 -ls
This lists (-ls) every file whose modification time (-mtime) falls within the last five days (-5). Some files are updated regularly by normal operation, such as logs and caches, so a recent modification date does not by itself mean a file is infected; treat the list as a starting point.
Find Text from Hacked Pages
If the hacker has added the text “hacked by” or “buy cheap”, you can search your codebase for that text. If the text has been added to the site’s code, you can easily identify the files that have been compromised.
Search for Commonly Used Hacking Code
Search your server for the following strings, which are PHP functions heavily used by obfuscated malware and web shells: base64_decode, eval, gzinflate, gzuncompress, str_rot13, shell_exec, system, passthru, and create_function. Legitimate plugins use some of these too, so each hit needs a look rather than an automatic delete.
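As an added example (not code from the original guide), the following shell functions run the three hunts just described over a WordPress tree: recently modified files, PHP files calling functions favoured by obfuscated malware, and code or HTML in places a clean install never has them. The root path and day count are whatever you pass in, and the pattern list is a commonly used set of indicators, not anything the page prescribes.

```shell
#!/bin/sh
# Added example, not from the original guide. Three manual hunts over a
# WordPress tree for files worth inspecting. The root path and day count are
# caller-supplied; every hit is a lead for a human to check, not proof.

# PHP functions that web shells and packed payloads lean on. Real plugins use
# some of these too (base64_decode in particular), so expect false positives.
# The leading group stops "system" matching inside "filesystem".
WP_SUSPECT_RE='(^|[^A-Za-z0-9_])(base64_decode|eval|gzinflate|gzuncompress|str_rot13|shell_exec|passthru|system|assert|create_function)[[:space:]]*\('

# wp_recent_files ROOT [DAYS]: files modified within the last DAYS days (default 5).
wp_recent_files() {
  find "$1" -type f -mtime "-${2:-5}" -print
}

# wp_grep_suspects ROOT: PHP files containing any suspect call, one path per line.
# "|| true" because grep -l exits non-zero when a batch has no matches.
wp_grep_suspects() {
  find "$1" -type f -name '*.php' -exec grep -lE "$WP_SUSPECT_RE" {} + || true
}

# wp_odd_files ROOT: PHP or HTML under wp-content/uploads (WordPress never writes
# code there, attackers do because the directory must be writable), and HTML
# files in the web root other than readme.html.
wp_odd_files() {
  if [ -d "$1/wp-content/uploads" ]; then
    find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.html' \) -print
  fi
  find "$1" -maxdepth 1 -type f -name '*.html' ! -name readme.html -print
}

# Typical use, after cd to the site root:
#   wp_recent_files . 5 | sort
#   wp_grep_suspects .
#   wp_odd_files .
```

Read the grep hits in context before deleting anything: a one-line file of `eval(base64_decode(...))` is a backdoor, while the same call inside a well-known plugin's library may be normal. Anything found under uploads that ends in .php can be removed without hesitation.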
Compare Site to the Hacked Version
If you have a backup of your website from before the hack, compare its files to those on the hacked site to identify which files were modified, added or removed.
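As an added example (not part of the original guide), this shell function performs that comparison by hashing every file in both trees and classifying the differences, which is more reliable than eyeballing directory listings. Both paths are whatever you pass in; it needs sha256sum (Linux) or shasum (macOS).

```shell
#!/bin/sh
# Added example, not from the original guide. Compare a live (possibly hacked)
# WordPress tree with a backup taken before the hack by hashing every file, and
# report what differs. Both paths are supplied by the caller.

# SHA-256 of one file, on Linux (sha256sum) or macOS (shasum).
wp_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# wp_manifest ROOT: one line per file, "<sha256> <path relative to ROOT>".
wp_manifest() {
  ( cd "$1" && find . -type f -print | sort | while IFS= read -r f; do
      printf '%s %s\n' "$(wp_sha256 "$f")" "$f"
    done )
}

# wp_compare_to_backup BACKUP_ROOT LIVE_ROOT
# Prints "MODIFIED path" (content differs), "ADDED path" (only in the live tree,
# the usual sign of a dropped backdoor) and "MISSING path" (only in the backup).
# awk keys on the path, taken as everything after the first space so file names
# with spaces survive.
wp_compare_to_backup() {
  bm=$(mktemp); lm=$(mktemp)
  wp_manifest "$1" > "$bm"
  wp_manifest "$2" > "$lm"
  awk '
    { h = $1; p = substr($0, length(h) + 2) }
    FILENAME == ARGV[1] { backup[p] = h; next }
    !(p in backup)      { print "ADDED " p; next }
    backup[p] != h      { print "MODIFIED " p }
    { delete backup[p] }
    END { for (p in backup) print "MISSING " p }
  ' "$bm" "$lm" | sort
  rm -f "$bm" "$lm"
}

# Typical use (paths are illustrative):
#   wp_compare_to_backup /backups/site-before-hack /var/www/html
```

Expect noise from legitimate activity since the backup was taken (uploaded media, cache files, plugin updates); the MODIFIED entries inside wp-admin, wp-includes and plugin code are the ones to read first, and every ADDED .php file needs an explanation.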
3. Replace Corrupted Files
Once you have located the tampered files, delete them or replace them with clean versions. You will need FTP/SFTP (or SSH) access to modify the files on your server.
4. Run Malware Scans
Once you have replaced all the compromised files, run the malware scan again to ensure that no tampered files or malicious code remain.
5. Reinforce and Rebuild
After you’ve cleaned up the mess, you can take the steps mentioned earlier to increase your website security and recover anything that has been lost during the process.
- Review permissions
- Change passwords
- Replace the salts inside wp-config.php
- Rebuild website
Having your website hacked is one of the worst things you can experience in your online pursuits. It can cost you money, customers, or even your business if it is not fixed quickly.
If the instructions above are too much for you to handle, make sure to get help of the professionals, especially if your website plays a major role in your business.