Has your WordPress-hosted website been hacked despite all your security measures? Sadly, the hard reality of the digital age is that, despite all the technology and WordPress security features, no WordPress website is completely safe from being hacked by professional hackers.
But did you know that, as a website owner, you can take steps to determine whether your site has indeed been hacked and to fix or clean a hacked WordPress site? Let us see how!
Signs of Hacked WordPress Site
There are several signs, both visible and subtle, which you can use to confirm whether your WordPress site has been hacked and compromised. Some of the common signs of a hacked WordPress site include:
- A sudden drop or spike in the website traffic, as indicated by Google Analytics reports.
- Injection of data or bad links into your website (for example, in your website footer), commonly done through the creation of a backdoor on the WordPress website.
- Defacing of the website homepage, which is the most visible sign. However, homepage defacing may be avoided if the hackers want to remain undetected for a longer duration.
- Inability to log in to your WordPress account as the admin, which suggests that your WordPress admin account may have been deleted by the hacker.
- Creation of spam user accounts on the WordPress site, including those with admin user rights.
- Addition of unknown files and scripts on your web server folder (commonly in the wp-content folder).
- Slow or unresponsive website caused by an overload of HTTP requests sent to your web server.
- Inability to send or receive emails using WordPress, generally caused by the hacking of the WordPress mail server.
- Addition of unscheduled tasks to your web server by the hacker.
- The traffic to your website being redirected to another URL address.
- Browser warning about security risks when the user tries to access a compromised or hacked website, due to the detection of suspicious code or scripts running on the site.
What Steps Should Be Followed to Fix a Hacked WordPress Site?
Listed below are the steps you need to follow to fix your compromised website:
1. Identify the Type of Hack
This can be done by using scanning tools, which can locate malicious code. Additionally, check for any vulnerabilities in the WordPress core files, located in the wp-admin, wp-includes, and other root folders.
You can also use the diagnostic tools in Google’s Transparency Report, which can indicate the current security status of your website.
2. Remove the Hack
Once you have identified the location of the malware files, you can compare them with a recent backup version of the data to see what has changed. Removing the hack typically comprises:
- Cleaning the Hacked WordPress Files: You can perform a manual fix on any core infected files such as the wp-config.php file or the wp-content folder. Other infected custom files can be cleaned either using a backup file or a freshly downloaded copy.
- Cleaning the Hacked Database Tables: This is required to remove any malware from your database tables. You can also use database search to locate any of the typical malicious PHP functions such as eval, base64_decode, or preg_replace.
- Removing Backdoors: Another method that hackers use to gain illegal entry into your website is backdoor PHP functions that are injected into files such as wp-config.php and into directories such as /themes, /plugins/, or /uploads. Common PHP functions such as base64, eval, exec, and preg_replace are used both for backdoors and legitimately by most WordPress plugins. Hence, backdoors must be cleaned properly, both to avoid breaking the site and to avoid any reinfection of the website.
Fixing and restoring your website can be achieved by any of the following methods, which are discussed in detail in the following sections:
- Manual Clean-ups
- Use of WordPress Security Solutions
- Website Backup Restore
Manual Clean-ups
A hacked WordPress website can be manually cleaned using either of the following options:
- Manual replacement of all infected files with new WordPress files (available through download), or replacement of all the WordPress files (including the infected ones) with the downloaded files.
- Manual replacement of the infected files with the downloaded copy.
A primary indicator of a hacked website is the presence of malicious code wrapped in an eval(base64_decode(...)) call in the wp-config.php file. Most hackers add and hide their malicious code within this construct, which makes it difficult to tell apart from the normal code.
Alternatively, hackers can hide the malicious code in other vulnerable PHP functions such as file and preg_replace. Overall, manual clean-ups are challenging to implement, as they involve identifying the malicious hacker code, which can be inserted in different code combinations and patterns.
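A scanner for the patterns described above and in the backdoor-removal step, added here as an example and not code from MalCare or WordPress; the rule names and the sample site tree are constructed. It matches the eval(base64_decode(...)) combination and the preg_replace /e modifier rather than bare function names, since plugins call those functions legitimately, and it reports files for review instead of deleting them.

```python
import re
import tempfile
from pathlib import Path

# Heuristics for the constructs named in the text; rule names are this example's own.
RULES = {
    "eval-of-base64": re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I),
    # The /e modifier makes preg_replace run the replacement as PHP (PHP < 7).
    "preg_replace-e": re.compile(
        rb"preg_replace\s*\(\s*(['\"])(.).*?\2[a-zA-Z]*e[a-zA-Z]*\1", re.I),
}
PHP_SUFFIXES = {".php", ".phtml", ".php5"}

def scan(wp_root):
    """Return sorted (relative_path, rule) findings for manual review."""
    root = Path(wp_root)
    findings = set()
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in PHP_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        # Media uploads should never contain executable PHP.
        if rel.startswith("wp-content/uploads/"):
            findings.add((rel, "php-in-uploads"))
        data = path.read_bytes()
        for name, rx in RULES.items():
            if rx.search(data):
                findings.add((rel, name))
    return sorted(findings)

def build_sample_site(base):
    """Constructed sample tree: two benign files and three that should be flagged."""
    files = {
        "wp-config.php": b"<?php define('DB_NAME', 'wp'); eval(base64_decode($payload));",
        "wp-content/plugins/gallery/img.php": b"<?php $raw = base64_decode($thumb);",
        "wp-content/themes/t/functions.php": b"<?php $t = preg_replace('/\\s+/', ' ', $t);",
        "wp-content/themes/t/footer.php": b"<?php preg_replace(\"/.*/e\", $code, '');",
        "wp-content/uploads/2019/01/logo.php": b"<?php echo 1;",
    }
    for rel, body in files.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        for rel, rule in scan(tmp):
            print(f"{rule:16} {rel}")
```

The benign plugin and theme files in the sample use base64_decode and preg_replace on their own and are not reported, which is why the rules look for combinations instead of function names.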
WordPress Security Solutions
If you do not have the technical know-how to implement a manual clean-up, it is best to apply a practical WordPress security solution. Additionally, most professional hackers hide their malicious scripts in different folder locations of WordPress, which enable repeated hacking and are difficult to scan and remove.
WordPress security solutions such as MalCare and SecuPress implement security best practices such as blocking PHP execution in untrusted folders and changing the security keys. Most of the available security solutions fix the hacked website by performing the following steps:
- Scanning to determine the location of the malware and the infected files. Popular WordPress plugins such as Sucuri WordPress Auditing indicate the security status of your core WordPress files, along with showing the location of hacked files.
- Cleaning to fix and clean the located malware. While WordPress security solutions such as MalCare offer auto-cleaning facilities, Theme Authenticity Checker (or TAC) checks for any malicious code in the installed themes and offers two modes of implementing the fix: either manual removal of the infected code or replacement of the infected file with the original clean file.
Restoring Your WordPress Website from A Backup
This is among the fastest methods of getting your hacked WordPress site back to running mode. This method can be implemented only if you have taken regular backups of your site and if the backups themselves have not been hacked. However, if your website has daily content changes and user comments, restoring your website using the backup method can make you lose valuable data.
Another limitation of the backup restore method is that it does not remove any new infected files or folders that the hackers have added to enable them to compromise the website repeatedly.
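The comparison against a backup or freshly downloaded copy mentioned in step 2, together with the limitation just described, can be checked with a hash-based diff; this is an added example, not code from the original post, and the function names and sample trees are constructed. It assumes the reference copy is trusted and matches the WordPress version running on the site.

```python
import hashlib
import tempfile
from pathlib import Path

def file_hashes(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_to_reference(site_root, reference_root):
    """Classify live files against a trusted copy (backup or fresh download)."""
    site, ref = file_hashes(site_root), file_hashes(reference_root)
    return {
        # Same path, different content: candidate for replacement.
        "modified": sorted(p for p in site.keys() & ref.keys() if site[p] != ref[p]),
        # Only on the live site: survives a restore that merely overwrites files.
        "added": sorted(site.keys() - ref.keys()),
        # Only in the reference: deleted or renamed on the live site.
        "missing": sorted(ref.keys() - site.keys()),
    }

def write_tree(base, files):
    """Write a {relative_path: bytes} mapping under base."""
    for rel, body in files.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)

def build_sample(base):
    """Constructed trees: reference/ is the trusted copy, site/ the live one."""
    clean = {
        "wp-includes/version.php": b"<?php $wp_version = 'x.y';",
        "wp-includes/load.php": b"<?php // loader",
        "wp-admin/index.php": b"<?php // dashboard",
    }
    live = dict(clean)
    live["wp-includes/load.php"] = b"<?php // loader\ninclude 'class-wp-cache2.php';"
    live["wp-includes/class-wp-cache2.php"] = b"<?php // planted file"
    del live["wp-admin/index.php"]
    write_tree(Path(base) / "reference", clean)
    write_tree(Path(base) / "site", live)
    return Path(base) / "site", Path(base) / "reference"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        site, ref = build_sample(tmp)
        for kind, paths in compare_to_reference(site, ref).items():
            print(kind, paths)
```

Files listed under "added" are the ones a restore leaves behind, so they need to be reviewed and removed separately.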
Fixing the Vulnerability of Your WordPress Website
Along with repairing and restoring your hacked website, it is equally vital to fix the security flaws of the site that caused the hacking in the first place. Most hackers can exploit the security-related loopholes even after the compromised website has been cleaned and restored. Listed below are the points to remember to remove the security loopholes in your WordPress site:
- Use the latest updates on all software on your WordPress site, as most vulnerabilities arise due to outdated versions of software tools.
- Update all the installed WordPress plugins and themes. As the majority of WordPress hacks occur due to vulnerabilities in third-party plugins and themes, it is important to report any vulnerability to the plugin development team, who can develop and release a security patch. If you are not using certain plugins, remove them from your site.
- Additional steps include checking the user permissions for the WordPress admin rights, disabling user cookies on the WordPress admin to prevent future hacks, and updating your WordPress account password.
- Harden the WordPress site using a variety of software tools to reduce the points of entry for hackers. Apply the suggestions made by WordPress on how to harden your website. Alternatively, you can use WordPress security solutions such as MalCare, which offers auto-site hardening features.
- Install a WordPress firewall plugin to provide protection for your website and lower the possibility of a future hack.
With the increasing number of websites being hacked or compromised, website owners must learn to stay calm and complete the entire process of website cleaning and restoration to prevent another security lapse in the future. If you have any questions on a hacked WordPress site, comment below.
Disclaimer: This is a guest post by MalCare. The opinions and ideas expressed herein are the author’s own, and in no way reflect Cloudways’ position.
Passionate about technology, entrepreneurship, and marketing, Mansoor Ahmed Khan has been in computing ever since he learned how to type on a keyboard. His daily life is rocked by his family, projects, and his screen. Probably in this order, he likes to be convinced at least.