How to Clean a Hacked WordPress Website

  • Jan 2017

WordPress is the most widely used content management system on the internet. The most recent figures suggest that it now powers over 27% of websites globally. While this is great news for the WordPress community and for companies like Big Dog, who develop and support WordPress websites for a living, it also means that WordPress is one of the biggest targets for hackers worldwide.

If you have had your site hacked and want to know how you can get your website back online, the following tutorial will show you how.

Signs that your WordPress site has been hacked

Before we dive into the steps you need to take to clean your website of an infection, it is important to identify whether your site has actually been hacked or infected with malware. Here are a few things to look out for:

  • Your site has been blacklisted by Google, Bing, etc
  • Unusual images or content appearing on your site
  • Pop-up windows suddenly appearing
  • Pages displaying a blank white screen (500 error)
  • Analytics data displaying unusual traffic/SEO content
  • Your host has suspended your site due to hacking or malware

If you suspect that your site has been hacked, you can run a free scan using the following tool:

Sucuri Website Scan

How did my site get hacked?

In order to be able to prevent your site from getting hacked in future, it is important to understand how a WordPress website is usually hacked. The following are considered to be the top reasons a site will be hacked or infected with a virus.

1. Incorrect File Permissions

Setting the correct file permissions on your WordPress website is vitally important for the security of your website. If you have not set up your file permissions correctly, you could be vulnerable to attackers modifying your code.

As a rule of thumb your site permissions should be set up as follows:

Item            Permission
Directories     755
Files           644
wp-config.php   600

Check out this tutorial to learn more about setting WordPress file permissions correctly.

2. Out of date WordPress, plugin or theme files

A common mistake that website owners make after launching their site is not keeping WordPress, plugins and themes up to date. It is considered best practice to have your WordPress version updated automatically and to frequently check your site for plugin and theme updates.

WordPress

When a new version of WordPress is released, it is often due to a security patch being added after a potential exploit has been identified.

Example of new version of WordPress available

To update your version of WordPress you can follow these steps:

  1. Back up your site so that you can roll it back if any errors occur as a result of the update
  2. Log in to your WordPress admin area
  3. Select Dashboard > Updates
  4. If a new version is available, select Update Now

Check out this article for a more in-depth look at updating WordPress.

Plugins

Updating your plugins is just as important as updating WordPress itself. An out-of-date plugin can have potential security holes within the codebase. When a new version of WordPress is released, it is common for plugin developers to release an update for their plugin to fix any issues related to the update.

Example of available plugin updates

The steps required for updating your plugins are very similar to updating the version of WordPress:

  1. Back up your site in case of issues caused by the plugin update
  2. Log in to the admin area
  3. Select Dashboard > Updates
  4. If updates are available: select the plugin(s) you wish to update
  5. Select Update Plugins

Note: It is recommended that you update each plugin individually so that you can test your site for errors before moving on to update the next plugin.

3. Insecure hosting environment

If your site is hosted within a hosting environment that does not employ strict security measures and frequent file scanning, it is possible that your site can become infected from another site within your shared hosting environment or that your file permissions will leave your site vulnerable to an exploit.

While WordPress is extremely easy to set up and use, implementing the best security protocols within the server environment can be quite difficult: it requires considerable knowledge and technical expertise in the field of WordPress hosting, and not all hosting providers are focused solely on WordPress hosting. For example, our hosting partners at WP Engine provide automated security scans, daily backups, firewall protection and automated file permissions so that we can provide total security to our clients’ website hosting environments.

4. Insecure admin or FTP/SFTP password

While it may seem obvious, there are still a lot of websites hacked due to users not having secure passwords for their admin and SFTP logins. If a hacker can guess your admin password they can potentially modify all of your theme files, add/remove plugins and make changes to your site content at will.

If a hacker can gain access to your codebase via FTP/SFTP they will be able to take your site offline completely, edit your website code, access your database and download all of your site files.

Check out last year’s list of worst passwords for an indication of what not to use!

Here are some handy tools for generating strong passwords:

How to clean your infected WordPress website

Now that you have confirmed that your site has been hacked or infected with a virus it’s time to remove the corrupted files and restore your site to its original state.

1. Install anti-virus

Before you start working on removing malicious code from your site, it is important that your computer is protected against any potential virus or malware contained in your site code before you download it. If you have not already got some form of anti-virus running on your computer, there are a lot of free versions out there for you to choose from.

Here are two examples:

2. Backup your site

If your hosting provider lets you create backups of your site code and database, that is the best way to take a backup before getting started. Many hosting providers do not offer this facility as standard, but a backup can also be made with the help of a plugin or manually.

Backup option 1: Using a Plugin

There are lots of website backup plugins available in the official WordPress plugin directory to choose from. Here are some popular choices:

  • Updraft – A free plugin that allows you to back up your site to a multitude of 3rd party storage providers (e.g. Amazon S3, Dropbox, Google Drive, etc.)
  • Snapshot – A premium service provided as part of the WPMU Dev suite of plugins
  • BackupBuddy – Another popular premium plugin

It is important that you also back up your WordPress database along with your site codebase.

Backup option 2: Doing it manually

In the event that you are unable to access your website admin area, or you prefer to do things yourself, you can create a backup of your site by downloading the source code using SFTP and creating a backup of your database via phpMyAdmin.

Check out these detailed instructions on how to create a backup of your website manually.

3. Cleaning your site

Now that all of the necessary steps have been taken to prepare for your website to be cleaned, there are two methods that can be used for cleaning.

Cleaning option 1: Using a Plugin

Using a plugin to detect and clean infected files within your WordPress website is by far the easiest method of virus removal. Here are some great plugins for cleaning up your site:

  • WordFence – This security plugin will detect which files have been modified and allow you to remove or restore them as needed. There are free and premium versions available
  • VaultPress – This plugin provides both backup and security for WordPress sites. It will also help you to remove your infected files if your site is compromised
  • iThemes Security – Much like the previous plugin, this is both a backup and security solution that will allow you to clean your infected files (premium version only)

Cleaning option 2: Doing it manually

If you are unable to install a plugin then you will have to identify and clean out the infected files manually. The following are things to look out for when searching for compromised files within a WordPress install:

HTML Files

A WordPress website will typically have no HTML files within the codebase. If you run a search on your site files and find HTML files, they may have been put there by a 3rd party. Removing these files and running a scan on your site again using the security scanning tools listed above will help to identify if these files are related to the hack.

Recently Modified Files

Another indication of a compromised file is a more recently modified date than other files within the codebase. Some files are updated regularly, such as log files and files within a cache folder, so the date modified might not always indicate that a file has been infected, but analysing newly updated files can be a good way to find the source of infection.

Search for text from hacked pages

If you see content on your website that was added by a hacker such as “hacked by” or “buy cheap..” you can search your codebase for that text. If the content has been added to the site code rather than the database, then you can identify the files that have potentially been hacked.

Search for commonly used hacking code

There are a number of methods that hackers will use to execute their code after compromising a WordPress site. By searching your code for the following strings you can identify potentially infected files:

  • iframe
  • exe
  • base64
  • base64_decode
  • eval
  • isadmin
  • inurl
  • gzip_uncompress
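
The searches described above (HTML files, recently modified files, text from hacked pages and the listed strings) can be run in one pass over a downloaded copy of the site. The following Python script is an added example, not code from the original article; the function name, the 7-day window, the file extensions and the "cache" folder name are assumptions. Hits are leads for manual review, since legitimate themes and plugins also contain many of these strings.

```python
import os
import re
import sys
import time

# Search strings exactly as listed in the article (matched case-insensitively).
SUSPICIOUS = ["iframe", "exe", "base64", "base64_decode", "eval",
              "isadmin", "inurl", "gzip_uncompress"]
CODE_EXTS = {".php", ".js", ".html", ".htm"}  # assumption: file types worth searching
NOISY_DIRS = {"cache"}                        # assumption: name of the cache folder
NOISY_EXTS = {".log"}                         # log files change constantly

def triage(root, days=7, extra_terms=(), now=None):
    """Return HTML files, recently modified files and string hits found under root."""
    # Longest term first so "base64_decode" is reported rather than just "base64".
    terms = sorted(set(SUSPICIOUS) | set(extra_terms), key=len, reverse=True)
    pattern = re.compile("|".join(map(re.escape, terms)), re.IGNORECASE)
    cutoff = (time.time() if now is None else now) - days * 86400
    report = {"html": [], "recent": [], "strings": {}}
    for dirpath, _dirnames, filenames in os.walk(root):
        parts = os.path.relpath(dirpath, root).split(os.sep)
        noisy = bool(NOISY_DIRS & set(parts))  # cache folders skip only the date check
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            if ext in (".html", ".htm"):
                report["html"].append(rel)
            if not noisy and ext not in NOISY_EXTS and os.path.getmtime(path) >= cutoff:
                report["recent"].append(rel)
            if ext in CODE_EXTS:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = sorted({m.group(0).lower() for m in pattern.finditer(fh.read())})
                if hits:
                    report["strings"][rel] = hits
    report["html"].sort()
    report["recent"].sort()
    return report

if __name__ == "__main__":
    # Usage: python triage.py /path/to/site-copy   (path is a placeholder)
    result = triage(sys.argv[1], extra_terms=("hacked by",))
    for section in ("html", "recent"):
        print(section, *result[section], sep="\n  ")
    for rel, hits in sorted(result["strings"].items()):
        print(f"{rel}: {', '.join(hits)}")
```

Text seen on the defaced pages goes in extra_terms. PHP's own decompression functions are named gzuncompress and gzinflate, so those can be passed the same way.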

Compare site backup to the hacked version

If you have a backup of your website you can compare the contents of files from the backup to the files within your hacked website to identify which files have been altered. This can be a very time-consuming process and should only be considered when all else fails.
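
The comparison can be narrowed down by hashing both copies first, so that only files that were added, removed or changed need to be read by hand. The following Python script is an added example, not code from the original article; the function names and the two directory arguments are assumptions.

```python
import hashlib
import os
import sys

def hash_tree(root):
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            digests[os.path.relpath(path, root)] = digest.hexdigest()
    return digests

def compare_trees(backup_root, live_root):
    """Return files added to, removed from, or changed in the live copy."""
    backup, live = hash_tree(backup_root), hash_tree(live_root)
    common = set(backup) & set(live)
    return {
        "added": sorted(set(live) - set(backup)),      # not in the backup at all
        "removed": sorted(set(backup) - set(live)),    # deleted since the backup
        "changed": sorted(p for p in common if backup[p] != live[p]),
    }

if __name__ == "__main__":
    # Usage: python compare_trees.py /path/to/backup /path/to/hacked-copy  (placeholders)
    for kind, paths in compare_trees(sys.argv[1], sys.argv[2]).items():
        for rel in paths:
            print(f"{kind}: {rel}")
```

Files that changed because of a legitimate update made after the backup was taken will also appear, so the backup should match the WordPress, plugin and theme versions of the hacked copy as closely as possible.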

How to test files for infection

If you identify any files that are potentially infected you can upload them to the VirusTotal website for free and they will automatically scan them and return the results.

  • VirusTotal – Test potentially infected files for free

WordPress support and hosting from the experts

As you can see it takes a lot of experience, work and technical skill to clean a hacked WordPress site. At Big Dog, we specialise in WordPress hosting and support. If your site has been hacked or if you just don’t want to have to worry about your WordPress site’s security, then please contact us to discuss our WordPress Business Support plan.

We will migrate your site, clean any virus infection and provide you with super-fast hosting and bullet-proof security so that you can get back to growing your business.

 

Tristan Fagan

As our Director of Development, Tristan’s primary role is to oversee the completion of every new project embarked upon at Big Dog. With his extensive experience and knowledge in the fields of Web Development and Internet-based Software, Tristan provides the team here at Big Dog with the tools and expertise to ensure the success of every new project, whether big or small. When away from his desk, Tristan can generally be found training for a marathon or hiking deep in the Dublin mountains with his beloved bulldog, Turbo.

Dublin, Ireland https://www.bigdog.ie