How to Clean a Hacked WordPress Website
Bríain likes dogs and building websites. He's the perfect fit.
WordPress is the most widely used content management system on the internet. The most recent figures suggest that it now powers over 27% of websites globally. While this is great news for the WordPress community and for companies like Big Dog, who develop and support WordPress websites for a living, it also means that WordPress is one of the biggest targets for hackers worldwide.
If you have had your site hacked and want to know how you can get your website back online, the following tutorial will show you how.
Signs that your WordPress site has been hacked
Before we dive into the steps you need to take to clean your website of an infection, it is important to identify whether your site has actually been hacked or infected with malware. Here are a few things to look out for:
- Your site has been blacklisted by Google, Bing, etc
- Unusual images or content appearing on your site
- Pop-up windows suddenly appearing
- Pages displaying a blank white screen (500 error)
- Analytics data displaying unusual traffic/SEO content
- Your host has suspended your site due to hacking or malware
If you suspect that your site has been hacked you can run a free scan using the following tools:
- Web Inspector - scan a web page for phishing, malware, virus, trojan, blacklist and lots more
- Sucuri malware and security scanner - scan for malware, virus infection and whether your site has been blacklisted
- Unmask Parasites security check - will tell you whether your site has been hacked (also provided by Sucuri)
- VirusTotal - a comprehensive virus, malware, trojan and blacklist scanner
How did my site get hacked?
In order to be able to prevent your site from getting hacked in future, it is important to understand how a WordPress website is usually hacked. The following are considered to be the top reasons a site will be hacked or infected with a virus.
1. Incorrect File Permissions
Setting the correct file permissions on your WordPress website is vitally important for the security of your website. If you have not set up your file permissions correctly, you could be vulnerable to attackers modifying your code.
As a rule of thumb your site permissions should be set up as follows:
Check out this tutorial to learn more about setting WordPress file permissions correctly.
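One way to check an install for loose permissions from a shell, as an added example that is not part of the original article: it flags anything writable by every account on the server and a wp-config.php that other users can read. The function names and the sample tree are assumptions.

```shell
#!/bin/sh
# Added example: flag permission bits that let other accounts on the server
# change or read a WordPress install. These checks are assumptions made for
# illustration; they are not the permission list from the article.

# Files and directories that any local user can write to.
world_writable() { find "$1" \( -type f -o -type d \) -perm -0002 | sort; }

# Files and directories writable by the owning group (review on shared hosts).
group_writable() { find "$1" \( -type f -o -type d \) -perm -0020 | sort; }

# wp-config.php holds the database credentials; report it if others can read it.
config_exposed() { find "$1" -type f -name 'wp-config.php' -perm -0004 | sort; }

# Constructed sample install with one loose directory and a readable config.
build_perm_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads"
    : > "$root/index.php"
    : > "$root/wp-config.php"
    chmod 755 "$root" "$root/wp-content"
    chmod 777 "$root/wp-content/uploads"
    chmod 644 "$root/index.php" "$root/wp-config.php"
    echo "$root"
}
```

Call each function with the path of the WordPress root; an empty result means that check found nothing.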
2. Out of date WordPress, plugin or theme files
A common mistake that website owners make after launching their site is not keeping WordPress, plugins and themes up to date. It is considered best practice to have your WordPress version updated automatically and to frequently check your site for plugin and theme updates.
When a new version of WordPress is released, it is often due to a security patch being added after a potential exploit has been identified.
To update your version of WordPress you can follow these steps:
- Back up your site so that you can roll it back if any errors occur as a result of the update
- Log in to your WordPress admin area
- Select Dashboard > Updates
- If a new version is available: select Update Now
Check out this article for a more in-depth look at updating WordPress.
Updating your plugins is as important as updating WordPress itself. An out of date plugin can have potential security holes within the codebase. When a new version of WordPress is released it is common for plugin developers to release an update for their plugin to fix any issues related to the update.
The steps required for updating your plugins are very similar to updating the version of WordPress:
- Back up your site in case of issues caused by the plugin update
- Log in to the admin area
- Select Dashboard > Updates
- If updates are available: select the plugin(s) you wish to update
- Select Update Plugins
Note: It is recommended that you update each plugin individually so that you can test your site for errors before moving on to update the next plugin.
3. Insecure hosting environment
If your site is hosted within a hosting environment that does not employ strict security measures and frequent file scanning, it is possible that your site can become infected from another site within your shared hosting environment or that your file permissions will leave your site vulnerable to an exploit.
While WordPress is extremely easy to set up and use, implementing the best security protocols within the server environment requires considerable knowledge and technical expertise in the field of WordPress hosting, and not all hosting providers are focused solely on WordPress hosting. For example, our hosting partners at WP Engine provide automated security scans, daily backups, firewall protection and automated file permissions so that we can provide total security to our clients' website hosting environments.
4. Insecure admin or FTP/SFTP password
While it may seem obvious, there are still a lot of websites hacked due to users not having secure passwords for their admin and SFTP logins. If a hacker can guess your admin password they can potentially modify all of your theme files, add/remove plugins and make changes to your site content at will.
If a hacker can gain access to your codebase via FTP/SFTP they will be able to take your site offline completely, edit your website code, access your database and download all of your site files.
Check out last year's list of worst passwords for an indication of what not to use!
Here are some handy tools for generating strong passwords:
- Nexcess Secure Password Generator - automatically generates a strong password for you to copy and use
- Strong Password Generator - provides lots of options on what characters to include in the password
- Force Strong Passwords Plugin - this WordPress plugin will ensure users create a secure password
How to clean your infected WordPress website
Now that you have confirmed that your site has been hacked or infected with a virus it's time to remove the corrupted files and restore your site to its original state.
1. Install anti-virus
Before you start working on removing malicious code from your site, it is important that your computer is protected against any potential virus or malware contained in your site code before you download it. If you have not already got some form of anti-virus running on your computer, there are a lot of free versions out there for you to choose from.
Here are two examples:
2. Back up your site
If your hosting provider lets you create backups of your site code and database, that is the best place to take one before getting started. Many hosting providers do not offer this facility as standard, but you can achieve the same result with the help of a plugin or by doing it manually.
Backup option 1: Using a Plugin
There are lots of website backup plugins available in the official WordPress plugin directory to choose from. Here are some popular choices:
- Updraft - A free plugin that allows you to back up your site to a multitude of 3rd party storage providers (eg: Amazon S3, Dropbox, Google Drive, etc)
- Snapshot - A premium service provided as part of the WPMU Dev suite of plugins
- BackupBuddy - Another popular premium plugin
It is important that you also back up your WordPress database along with your site codebase.
Backup option 2: Doing it manually
In the event that you are unable to access your website admin area, or you prefer to do things yourself, you can create a backup of your site by downloading the source code using SFTP and creating a backup of your database via phpMyAdmin.
Check out these detailed instructions on how to create a backup of your website manually.
3. Cleaning your site
Now that all of the necessary steps have been taken to prepare for your website to be cleaned, there are two methods that can be used for cleaning.
Cleaning option 1: Using a Plugin
Using a plugin to detect and clean infected files within your WordPress website is by far the easiest method of virus removal. Here are some great plugins for cleaning up your site:
- WordFence - This security plugin will detect which files have been modified and allow you to remove or restore them as needed. There are free and premium versions available
- VaultPress - This plugin provides both backup and security for WordPress sites. It will also help you to remove your infected files if your site is compromised
- iThemes Security - Much like the previous plugin, this is both a backup and security solution that will allow you to clean your infected files (premium version only)
Cleaning option 2: Doing it manually
If you are unable to install a plugin then you will have to identify and clean out the infected files manually. The following are things to look out for when searching for compromised files within a WordPress install:
A WordPress website will typically have no HTML files within the codebase. If you run a search on your site files and find HTML files, they may have been put there by a 3rd party. Removing these files and running a scan on your site again using the security scanning tools listed above will help to identify if these files are related to the hack.
Recently Modified Files
Another indication of a compromised file is a more recently modified date than other files within the codebase. There are some files which are updated regularly, such as log files and files within a cache folder so the date modified might not always indicate that a file has been infected, but analysing newly updated files can be a good way to find the source of infection.
Search for text from hacked pages
If you see content on your website that was added by a hacker such as "hacked by" or "buy cheap.." you can search your codebase for that text. If the content has been added to the site code rather than the database, then you can identify the files that have potentially been hacked.
Search for commonly used hacking code
There are a number of methods that hackers will use to execute their code after compromising a WordPress site. By searching your code for the following strings you can identify potentially infected files:
Compare site backup to the hacked version
If you have a backup of your website you can compare the contents of files from the backup to the files within your hacked website to identify which files have been altered. This can be a very time-consuming process and should only be considered when all else fails.
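The manual checks above can be run from a shell against a downloaded copy of the site. The script below is an added example, not part of the original article; the function names, the sample tree and the `SUSPICIOUS` pattern list are assumptions, and the pattern list stands in for the article's own list of strings, which is not reproduced here.

```shell
#!/bin/sh
# Added example: triage helpers for a downloaded copy of a WordPress site.
# SUSPICIOUS is an assumed list of calls often seen in obfuscated PHP; it is
# not the article's list, and core and plugins use some of them legitimately.
SUSPICIOUS='(^|[^[:alnum:]_])(eval|base64_decode|gzinflate|str_rot13|shell_exec|passthru)[[:space:]]*\('

# HTML files, which the article says a WordPress codebase typically lacks.
find_html() { find "$1" -type f \( -name '*.html' -o -name '*.htm' \) | sort; }

# Files modified in the last $2 days, skipping cache folders and log files.
find_recent() {
    find "$1" -type f -mtime -"$2" ! -path '*/cache/*' ! -name '*.log' | sort
}

# Files containing text seen on the hacked pages (fixed string, any case).
find_text() { find "$1" -type f -exec grep -liF -- "$2" {} + | sort; }

# PHP files that call one of the assumed suspicious functions.
find_suspicious() {
    find "$1" -type f -name '*.php' -exec grep -lE -- "$SUSPICIOUS" {} + | sort
}

# Files that differ from, or exist on only one side of, a known-good backup.
diff_backup() { diff -rq "$1" "$2" | sort; }

# Constructed sample: a clean "backup" tree and a tampered "site" tree.
build_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/backup/wp-content/cache" "$root/site/wp-content/cache"
    printf '<?php echo doubleval("1.5");\n' > "$root/backup/index.php"
    printf '<?php // theme helpers\n' > "$root/backup/wp-content/functions.php"
    cp -R "$root/backup/." "$root/site/"
    printf '<?php eval(base64_decode($blob));\n' >> "$root/site/wp-content/functions.php"
    printf '<p>Hacked by example</p>\n' > "$root/site/wp-content/promo.html"
    printf 'cached\n' > "$root/site/wp-content/cache/page.tmp"
    touch -t 202001010000 "$root/site/index.php"
    echo "$root"
}

# Usage: pass the path of the site copy as the first argument to this script.
if [ -n "${1:-}" ]; then
    find_html "$1"; find_recent "$1" 7; find_suspicious "$1"
fi
```

Every hit is a lead to inspect by hand, not proof of infection: the word-boundary prefix in `SUSPICIOUS` keeps `doubleval(` from matching `eval(`, but legitimate uses of `base64_decode` will still be listed.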
How to test files for infection
If you identify any files that are potentially infected you can upload them to the VirusTotal website for free and they will automatically scan them and return the results.
- VirusTotal - Test potentially infected files for free
WordPress support and hosting from the experts
As you can see it takes a lot of experience, work and technical skill to clean a hacked WordPress site. At Big Dog, we specialise in WordPress hosting and support. If your site has been hacked or if you just don't want to have to worry about your WordPress site's security, then please contact us to discuss our WordPress Business Support plan.
We will migrate your site, clean any virus infection and provide you with super-fast hosting and bullet-proof security so that you can get back to growing your business.