What to do if Your WordPress Site is Hacked

Websites are being hacked more often every day.

Not only do you owe it to yourself to take every precaution you can to keep the hackers out, you owe it to your customers, friends and everyone who visits your sites.

It’s your responsibility to the web as a whole, not just protection for yourself.

I’ve had malware dumped on my computer when visiting a compromised site. It took me an age to clean it up and, however good that site was, I wouldn’t dream of visiting it again unless I knew the owner, and completely trusted that it had been cleaned up.

Not only that, the search engines know when your site has been compromised and they immediately remove it from their indices, thereby stopping your search engine traffic dead in its tracks.

The first rule of protection

So the first rule in protecting yourself is to ensure you always have a clean version of your site fully backed up.

I carry the last two full site backups (for every site) on my computer, and every other backup ever done is on my external storage.

At a minimum I do a full site backup once a week, and a database backup after every article is published. If I make any changes to the sites, other than new or updated articles, I do an additional full site backup.

If you’re not familiar with the options for backing up WordPress, there are more details here.

To fail to back up is to ask for trouble.

How do I know my site has been compromised?

Many times it will be obvious, because your site will be defaced, you’ll get a warning from your Internet security application when you view it in your browser, or it will re-direct visitors to another site. But a lot of times it won’t be.

On this site I have iThemes Security Pro installed.

iThemes Security Pro scans this site every day for malware, SQL injections, cross-site scripting (XSS) and viruses. It also scans all outgoing links from this site to see if any of them lead to compromised sites.

But there’s another way to check your sites: visit your own sites each day.

If your site has been compromised your browser will alert you with a big red box and lots of exclamation marks.

And, of course, you can set up a Google Search Console account and check the Malware link each day.

So what do I do if my site has been compromised?

If you have a good backup routine the answer is simple:

Delete your entire site and database. Then re-install it from the most recent clean backup, and you’ll know which one that is as long as you’ve been checking your sites each day.

If you’re using BackupBuddy you just need to create a new database, upload the backup file and importbuddy.php to the server, navigate to it in your browser (yourdomain.com/importbuddy.php) and follow the on-screen instructions.

More details here.

That’s both the quickest method of cleaning up your site (you can be up and running again in an hour or so) and the most thorough.

This site contains over 2,000 files. Going through that lot to find the ones that have been compromised and cleaning them individually is just not practical.

Deleting everything and re-installing it is the quickest and surest way of cleaning everything up.

If you’ve not been doing regular backups the best way to restore your site is to ask your hosting provider to restore it from their most recent backup.

They should be doing regular backups as part of their service, and it would be worth finding out what their backup schedule is.

The difficulty with this option is that you can’t be sure whether the last backup they did was of the clean site – especially if you’re not checking your sites each day.

A third option is to install a clean copy of WordPress, link it to your database and then upload the latest version of the wp-content folder to restore your media, themes and plugins.

More details here.

If you don’t have that option then you’re left with trying to hunt down the corrupted files and cleaning them individually – and for that you will probably need a professional service such as Sucuri.

There are others, of course, and a Google search for something like ‘clean up a hacked website’ will bring you some results to check out.

Finally, once your site is clean again, you should ask Google to review it, because it will almost certainly have been flagged as compromised. You can do that through your Google Search Console account.

How do I prevent my site from being compromised again?

The first step is to change all your login details

Log in to your re-installed WordPress site and create a new user with administrator privileges, giving it a different user name and password from what you used before. You can use letters, numbers and symbols for your username, just as you can for your password.

Log out and check that the new login works OK, and then delete the user you previously logged in as.

Be sure to go to your profile and change the Nickname to something different from your Username. If you don’t, your username will be publicly visible on all your posts.

Change your cPanel and FTP passwords

Some hosting providers use the same password for cPanel access and FTP. While this is not ideal, it does at least mean you only need to change one password.

If you have separate logins for your hosting control panel and FTP accounts, be sure to change the passwords on both.

Switch from using FTP to SFTP

FileZilla handles SFTP as well as it does FTP, so if your current FTP client doesn’t do SFTP then switch to FileZilla.

Check your computer for malware

If you have keyloggers or other malware on your computer it could be passing your FTP (and every other) login details back to miscreants. Malwarebytes is a great solution for this.

Ensure all your software applications are up to date

Check that any forms you’re using on your site are running on the latest version of their software. Opt in forms and contact forms both offer ways in for hackers, and the form providers should (and generally do) release updates as soon as vulnerabilities are discovered.

Of course, it goes without saying that all software applications, meaning themes, plugins, WordPress core, shopping cart applications and anything else, should always be kept fully updated.

Check and correct your file and folder permissions

The iThemes Security Pro plugin is a good and easy way to do that.
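If you have shell access, the same check can be scripted. The following is an added example, not from the original post or the plugin: it assumes the commonly recommended baseline of 755 for directories, 644 for files and no looser than 640 for wp-config.php, and its function names and sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

# Assumed baseline: directories 755, files 644, wp-config.php no looser than 640.
DIR_MAX, FILE_MAX, CONFIG_MAX = 0o755, 0o644, 0o640

def audit_permissions(root):
    """List (relative_path, current_mode, suggested_mode) for entries looser than the baseline."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode is not meaningful
            mode = stat.S_IMODE(st.st_mode)
            if stat.S_ISDIR(st.st_mode):
                limit = DIR_MAX
            else:
                limit = CONFIG_MAX if name == "wp-config.php" else FILE_MAX
            if mode & ~limit:  # a bit is set that the baseline does not allow
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, mode, mode & limit))
    return sorted(findings)

def fix_permissions(root, findings):
    """Apply the suggested mode to every finding from audit_permissions()."""
    for rel, _mode, suggested in findings:
        os.chmod(os.path.join(root, *rel.split("/")), suggested)

def demo():
    """Audit a tiny constructed tree (not real site data), fix it, then audit again."""
    dirs = {"wp-content": 0o755, "wp-content/uploads": 0o777}
    files = {"index.php": 0o644, "wp-config.php": 0o644, "wp-content/uploads/a.jpg": 0o666}
    with tempfile.TemporaryDirectory() as root:
        for rel in dirs:
            os.makedirs(os.path.join(root, rel), exist_ok=True)
        for rel in files:
            open(os.path.join(root, rel), "wb").close()
        for rel, mode in {**dirs, **files}.items():
            os.chmod(os.path.join(root, rel), mode)
        before = audit_permissions(root)
        fix_permissions(root, before)
        return before, audit_permissions(root)

if __name__ == "__main__":
    for rel, mode, suggested in demo()[0]:
        print(f"{rel}: {mode:o} -> {suggested:o}")
```

Run audit_permissions() on its own first and read the findings before calling fix_permissions(), since some hosts need group-writable directories for uploads to work.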

Further reading

I’ve written a detailed post on how to set up a disaster recovery plan (it’s on my WordPress Security Basics site).

Stay safe!

Cheers,

Martin Malden

Owner – WealthyDragon

Website owner: Martin has been working online since 2006 and focuses on two areas: 1) affiliate marketing and 2) designing and building websites based on WordPress. He has his own WordPress agency, and serves clients in Hong Kong, Australia and the UK.


  • Lydia Sep 13, 2011 @ 17:31

    Martin,

    Great general “heads up” article, although I have been following your security tips series for my WP blogs. The best I’ve seen and easy to follow. Although I have some points to finish I feel a lot more protected from hackers. Thanks a bunch.

    • Martin Sep 13, 2011 @ 20:06

      Hi Lydia,

      Thanks – glad you’re feeling more protected 🙂

      Do remember, though, that no one can ever guarantee you won’t be hacked.

      All we can do is make it as hard as possible, but if someone is determined to get in they will, so be sure to get that backup routine going!

      Cheers,

      Martin.

  • juice Sep 22, 2011 @ 13:53

    Thanks for the post, but I have to tell you, I have SiteLock on my site too, and it has utterly failed to decode, alert or stop an ongoing hack to my site that continually adds users to my WP admin/dashboard and then publishes spam content from my site as blog posts. My site is down now and a mess. Can’t get rid of the backdoors or code. I have no faith in their services now.

    • Martin Sep 22, 2011 @ 14:44

      Hi Juice,

      I’m really sorry to hear that – I can very well understand how angry that makes you.

      I would say, though, that SiteLock doesn’t claim to protect your site – only to scan it and let you know when there’s some bad stuff on there.

      Getting rid of the backdoors and nonsense code is a painstaking task, for sure. But if you don’t have a clean backup to restore then there’s not much else you can do other than to find the malicious code and clean it.

      As a first step I’d definitely delete all the user accounts on your site and set up just one new one for yourself with Administrator privileges. Then change your FTP and cPanel passwords (if you’re with a cPanel host) and switch to using SFTP. Also check and clean your local machine in case they’ve installed readers on it to pick up your login details.

      Once you’ve stopped them creating new user accounts you’ll have a stable situation and you can then set about looking for the malicious code.

      One plugin that may help is WordPress Exploit Scanner. It’s designed to scan your site for suspicious code. It doesn’t actually clean the code – you will need to do that. But at least it may help you to find it.

      It may also help to install WP-Security-Scan, which is now maintained by Website Defender. You can register your site with Website Defender and they will also scan it and highlight malicious code. Again, they won’t clean it – you have to do that, but at least it will tell you where it is.

      Again – I’m really sorry to hear of the troubles you’ve had and I hope you’re able to get it sorted out soon.

      Cheers,

      Martin.

  • Anders Vinther May 31, 2012 @ 5:27

    This is a great list of things to do to secure your WordPress site…

    I recently had some security problems with my WordPress sites, and ended up doing a lot of research into securing WordPress sites…

    I have now written up my experiences in a comprehensive checklist which can be downloaded for free on my site.

    My checklist has a few more items and detailed steps for how to get the job done.

    Hopefully it can help other people securing their WordPress sites…

    • Martin May 31, 2012 @ 7:03

      Thanks Anders,

      Cheers.