How to fix a hacked WordPress website

We can all agree that getting your website hacked is not something you wish for.

A hacked website can have a detrimental effect on many aspects of your business:

  • You can lose your new and existing customers’ trust;
  • You can lose your search engine rankings;
  • You can lose valuable data;

And, unfortunately, now you have to find a way to fix the damages caused by the hack.

But we’ve got your back!

Today, we will share all the necessary steps and actions you need to take in order to fix a hacked WordPress site.

But before that, keep one thing in mind – unless your site is hosted on a managed WordPress platform, its security is your responsibility. In order to better protect yourself, check our guide on how to secure your WordPress website.

First things first – determine the nature of the hack


Before we get down to fixing the hack, it’s important to know its type. The more you know about the problem, the faster you will be able to pinpoint its root cause.

Please go through the checklist below:

  • Is my website forwarding my visitors to another one?
  • Does my website look different?
  • Are there any links to illicit content-displaying websites?
  • Does my browser warn me that my website is not secure?
  • Can I log into my WordPress admin panel?

These questions will help you determine the type of hack and will point you in the right direction so you can get everything back to normal.

They can also help you determine the severity of the situation – if you are locked out of the admin panel, it may be more difficult for you to fix everything.

Contact your hosting provider


Most people have zero experience dealing with a hacked website. And that’s normal. After all, it’s not something that happens every day.

But if it does happen to you, having to deal with it all on your own can be a bit scary.

Except you are not alone.

And do you know who has tons of experience dealing with this exact problem?

That’s right, your hosting provider does.

Fortunately or not, regular web hosting providers have to deal with hacked WordPress websites almost every day, which is why their technicians have a lot of experience.

So, get in touch with your host as soon as possible and provide them with as many details as you can.

Depending on the hosting provider and the level of support they are offering, they will either give you precise advice on how to proceed or will do all the work on your behalf.

If you have a backup, use it


The fastest and easiest way to recover from a hack is to simply restore an older, pre-hack version of your website.

However, this approach requires that you have one very important thing – a recent backup.

Today, a lot of hosting providers are offering daily backups. However, very few hosts can GUARANTEE that they will have a backup available whenever you ask them.

If you don’t trust us, check out your hosting provider’s ToS.

As we have stated before, it’s vital to keep your own backups, even if it’s just for redundancy purposes.

Another thing to keep in mind – if you revert to an older version, you will lose all the updates that you have made after the last backup. While this could be acceptable for a personal blog, for a news site or a busy online store, this might mean losing the most recent stories or information about the latest orders.

Did it take you some time to detect the hack? Well, in this case, the available backups may now also be corrupt.

So, unfortunately, restoring a backup isn’t always the best option.

Seek out and remove the hack’s root cause


Even if you use a backup to restore your website, the root cause of the hack will most likely remain unaddressed. So, it’s imperative to set out and find it in order to protect your site from further harm.

In some cases, the hosting provider will help you solve the problem. This will immensely speed up the whole process.

That said, you may have to do it on your own. And here are some tools that can help you:

Each one of these tools will scan your website files and will inform you if any suspicious code has been found.

However, none of them will automatically remove the code – that is left to you.

Why?

Because many exploits use legitimate-looking PHP functions, such as the eval() function.

Automatic removal of such ‘false positives’ can hamper the functionality of the site without actually removing the malicious code itself.

A good way to deal with code that is reported as suspicious or malicious would be to simply replace the file that contains it with the original one, be that a plugin file, a theme file or even a WordPress core file.

You could also consult with your hosting provider in order to find out if a given code snippet is malicious or not. They will most likely be able to identify the most common hacking attacks at first sight.
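To illustrate why these scanners report rather than remove, here is an added example (not taken from any of the tools mentioned) that lists every line calling a commonly flagged PHP function. The pattern list, function names and sample files are assumptions constructed for the illustration.

```python
import re
import tempfile
from pathlib import Path

# PHP constructs that scanners commonly flag; all of them also occur in legitimate code.
SUSPICIOUS = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13|assert)\s*\(")

def report_suspicious(root):
    """Return (relative path, line number, function names, line text) for each hit.

    Nothing is deleted or rewritten: every hit needs a human decision.
    """
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), start=1):
            names = sorted(set(SUSPICIOUS.findall(line)))
            if names:
                rel = path.relative_to(root).as_posix()
                hits.append((rel, lineno, names, line.strip()))
    return hits

def build_sample_site(root):
    """Constructed sample files: one legitimate use of eval(), one injected line."""
    root = Path(root)
    (root / "wp-content/plugins/forms").mkdir(parents=True)
    (root / "wp-content/uploads").mkdir(parents=True)
    (root / "wp-content/plugins/forms/calc.php").write_text(
        "<?php\n// evaluates an admin-defined formula\n"
        "$result = eval('return ' . $formula . ';');\n")
    (root / "wp-content/uploads/cache.php").write_text(
        "<?php eval(base64_decode($_POST['d']));\n")
    (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        for rel, lineno, names, line in report_suspicious(tmp):
            print(f"{rel}:{lineno}: {', '.join(names)}: {line}")
```

Both sample files are reported, and only a person reading the two lines can tell that the plugin's eval() is intended while the other is not.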

A few things to keep in mind:

Remote scanners like the popular Sucuri Scanner will only look for files that are linked to other sites. If you have a file that is not linked anywhere, remote scanners will simply ignore it.

Another thing – don’t install a file integrity monitoring tool right AFTER your site has been hacked.

These tools compare files for differences and are only useful if you have them installed beforehand.

Again, why?

Well, because when they scan your files for the first time, they assume that they are in an optimal state, i.e. that there are no problems with them. After that, each subsequent scan will compare the current file state to the previous, ‘optimal’ one for differences.

And if you scan your files right after a hack attack, but before you have cleaned your website, the scanner will consider the hacked files to be in ‘optimal’ condition, which is hardly the case.
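The baseline problem described above, as an added example that is not part of any specific monitoring tool: the same comparison is run once against a clean reference copy (for instance the original files you would use as replacements) and once against a baseline taken from the already-hacked site. All function names and file contents are constructed for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each file's relative path to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff(baseline, current):
    """Return files modified, added and missing relative to the baseline snapshot."""
    return {
        "modified": sorted(f for f in baseline
                           if f in current and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "missing": sorted(f for f in baseline if f not in current),
    }

def write_tree(root, files):
    """Create the given {relative path: content} files under root."""
    for rel, body in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)

# Constructed sample trees: a clean reference copy and the live, tampered site.
CLEAN = {"index.php": "<?php require 'wp-blog-header.php';\n",
         "wp-includes/version.php": "<?php $wp_version = 'x.y';\n"}
HACKED = {"index.php": "<?php /* injected */ require 'wp-blog-header.php';\n",
          "wp-includes/version.php": "<?php $wp_version = 'x.y';\n",
          "wp-includes/cache.php": "<?php /* unknown file */\n"}

def demo():
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        write_tree(clean, CLEAN)
        write_tree(live, HACKED)
        # Baseline from a trusted copy: the tampering shows up.
        trusted = diff(snapshot(clean), snapshot(live))
        # Baseline taken after the hack: the tampered state is treated as 'optimal'.
        poisoned = diff(snapshot(live), snapshot(live))
    return trusted, poisoned

if __name__ == "__main__":
    for label, result in zip(("trusted baseline", "post-hack baseline"), demo()):
        print(label, result)
```

With the trusted baseline the modified index.php and the extra file are listed; with the post-hack baseline the report is empty even though the site is still compromised.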

Check for new “admin” users


This is quite quick.

All you have to do is log into your WordPress admin panel, go to the Users section and see if there are any other users with admin privileges besides yourself.

If you notice a new admin user about whom you know absolutely nothing – delete them.

It’s time for a new password


We hate setting new passwords as much as the next man, but in this case, it’s quite necessary.

And when we say ‘new passwords’, we mean ‘passwords’ – the plural form of the word. This means your MySQL password, your FTP password, your email password(s), the password to your hosting account itself, etc.

You will have to update pretty much every password that was in any way associated with that hosting account.

You will also have to ask the other users who sign in (if there are any) to update their passwords.

This is where password managers can come in handy.

They often allow you to generate random passwords. Plus, you can configure your password manager to automatically remember them.

Conduct a blacklist check


If your site has been hacked for some time, it may have been blacklisted by the popular web browsers.

If so, this will affect all your visitors – they will be warned that your site is unsafe every time they try to access it.

So, once you have cleaned your website, check out the following webmaster portals:

and add your website there, if it isn’t there already.

Once you have logged into your account, apply for the removal of the blacklist entry. The removal process can take up to 24 hours, so be patient.

Scan your local machine


Even though the hack itself has probably happened due to a software exploit on your website, it’s always better to be safe than sorry.

There are plenty of virus and malware scanners for every OS out there.

Grab one and let it check your computer for any infections.

If you are using multiple computers to access your website, you should scan them as well.

The same applies if there are other users with admin privileges – they should also scan their machines.

 


