If you suspect that your WordPress website has been infected or hacked in some way what you want is what to do, so let’s get down to business and see step by step what we do if we believe or are sure that our WordPress website has been infected or hacked.
Table of Contents
How do I know if my WordPress website has been hacked or infected?
First of all, check if your WordPress website has been hacked or infected in any way.
There are several possible symptoms that your WordPress website has been hacked, these are the most common ones:
- Your site redirects to another URL: There can be unwanted redirects when a hacker adds a script that redirects people to another site when they visit yours.
- You can’t log in: Before jumping to conclusions about the hack, make sure it’s not because you forgot your password. If you conclude that forgetting your password is not the problem, a hacker may have changed your password to prevent access or deleted your account/user.
- Sudden traffic drop: This can occur if a malware or trojan hijacks your WordPress site’s traffic and redirects it. Traffic drops also occur if you end up on Google’s block lists, something that can happen if your site is hacked.
- Your site was changed: A change from a home page to a static page with links to nasty sites, or a footer with links you didn’t add, are all good signs of hacking. Site changes can occur if a hacker gains access to your administrator, file system or – less frequently – database. Be sure to check with other administrators who have access to your site to confirm that they haven’t made the changes themselves.
- Wrong links are added to your site: Like changing your site, this can happen if a hacker has access to your admin, file system or database.
- Unknown file scripts: If you find this, it could mean that your website was compromised by a hacker who added malware or some other malicious software. This can happen if your website is susceptible to attacks (for example, if you have an outdated or insecure WordPress theme, plugin or WordPress installed).
- Suspicious user accounts in WordPress: Your site may have been compromised and a hacker has created a new admin account. If you have the registration option enabled on your site, be sure to check that it is not just a simple user. Normally, a hacker account will have an administrator profile.
- Inability to send or receive emails with WordPress: Usually caused by hacking the WordPress mail server.
- Increased unscheduled tasks: If a hacker gains full access they could increase scheduled tasks on your web server, including all sorts of malicious executions.
- You receive notifications from the security plugin: The security plugin could give you security reports and lets you know about suspicious activity. If some red flags occur, you may have been hacked.
- A slow or unresponsive website: A DDoS attack can cause your website to display all sorts of connection errors or simply have its loading speed suddenly become excessively slow.
- The hosting company has disabled your website: Sometimes, there are shared hosting companies that, in order to ensure the security of the rest of the websites, may disable your website completely, sometimes notifying you, and not always in advance.
- Google warns that your site may have been hacked: Google may display a warning sign when searching for your site. This may be an indication that the WordPress sitemap or part of the installation has been hacked, from any of the above methods.
How do you know what type of infection or hack is it?
You can do this by using scanning tools, which can locate malicious code. Also, check for any vulnerabilities in the WordPress core files, located in the wp-admin, wp-includes and other root folders.
Among the many online tools you can find I recommend Sucuri’s site checker, with a huge database of possible infections, hacks and malware.
Other online vulnerability, hacking and malware detection services you can use include the following:
- Mozilla Observatory – Analyzes your web security as a whole, offering details of vulnerabilities and opportunities.
- Inmuniweb – Comprehensive free online security vulnerability scanning service, including WordPress specific.
- WordPress Security Scanner – Vulnerability detection service specific to WordPress sites.
- Google Safe Browsing – Google’s tool to check your website for unsafe content.
Mozilla Observatory InmuniWeb WP Security Scanner Google Safe Browsing
In addition, you should always check the server log files (logs), requesting access to them if necessary to your hosting company, to analyze possible unrecognized access, file modifications, connections to unknown and suspicious URLs, etc.. This can be a fantastic source of detection of the origin and actions of the hacking or infection of your WordPress.
What to do if I am receiving a DDOS attack?
If the problem is that you are receiving a denial of service attack what you have to do is to try to prevent as much as possible the traffic from the attacking IPs.
To do this you have some tools that can help you.
Block attacking IPs from hosting
In the absence of any other automatic tool, if you don’t have any, or simply if you can’t even access your website because it loads so slowly, you can block the traffic from the IPs from which you are receiving the attack.
If you have your website hosted in SiteGround you can do it from the security section, being able to add complete IPs (123.123.123.123.123) or ranges, using asterisks as wildcards (123.123.123.123.*).
If your website is on another hosting, which has cPanel, you can also use IP blocking there.
Confirmed, I’ve been hacked! What do I do?
If you have confirmed that your WordPress website is somehow compromised, hacked, infected, or whatever you want to call it, I advise you to follow these steps.
In my experience of many years, every time a hacked website is not completely clean and – usually – gets hacked again, it is because one of these steps has been omitted.
Above all, keep calm
This is essential for you not to skip any step and to perform all other procedures rigorously and accurately.
It is normal to be worried when you detect that your WordPress has been infected in some way, but the evil is already done, and whether you can apply the best possible solution depends initially and fundamentally on you not getting nervous, taking a deep breath, and getting down to work, as calmly as possible.
You have an important, but above all methodical, task ahead of you, and you will not be able to do it well if you are nervous, worried or in a hurry. Don’t put your urgency to solve the problem before the importance of the problem.
A hacker has taken his time to infect your WordPress website, and if you don’t do the same you will surely miss something and all the time and work spent will have been in vain.
Close the rest of the agenda, turn off the phone, avoid all kinds of distractions and assume that you are going to spend at least the rest of the day cleaning your WordPress website, nothing more, nothing less, you have nothing more important to do.
In security there is no room for rushing, but the method and confirmation of performing each necessary step with the dedication, attention and concentration required at all times.
Displays a web page under maintenance
Something that we often forget is that visitors do not know that our website is hacked, and this can sometimes pose a risk to users, so while we perform the cleaning and recovery of our infected WordPress website it never hurts to provide a page indicating that the site is under maintenance.
I’ve seen out there recovery guides for hacked websites that say that you install a plugin web maintenance but the reality is that you will not always have access to your WordPress, so the easiest is to create a file called index.html, upload it to the root folder of your server, and put a warning text.
Here is a simple example of what it could contain, and you can use it if you don’t have something better:
<!doctype html>
<title>Maintenance website</title>
<style>
body { text-align: center; padding: 150px; }
h1 { font-size: 50px; }
body { font: 20px Helvetica, sans-serif; color: #333; }
article { display: block; text-align: left; width: 650px; margin: 0 auto; }
a { color: #dc8100; text-decoration: none; }
a:hover { color: #333; text-decoration: none; }
</style>
<article>
<h1>¡Web under maintenance - We'll be back soon!</h1>
<div>
<p>We are sorry, if you need anything you can <a href="mailto:[email protected]">contact us through email</a>, the web will be back soon.</p>
<p>— Our team.</p>
</div>
</article>Code language: HTML, XML (xml)Back up the hacked WordPress site
This is a step that many people do not perform and it is very important to be able to analyze all the possible elements that may have caused the vulnerability, as well as for the exhaustive review of the infected files, etc.
Also, if necessary, from this backup you can recover, after a thorough review of them, of course, some configurations, images and content that you will need, if you do not have clean backups of your website.
Another measure you can do, in case your contents had not been compromised, is to export the posts, pages, products, etc. from the WordPress admin section, in the Tools → Export.
So make a backup copy of the infected WordPress website and keep it safe for later analysis.
If you have a backup copy, restore a clean backup copy
If you have backups of your WordPress website it is time to restore a copy of the one you are sure is not infected, to recover your website.
There are only 2 simple steps:
- Delete the ENTIRE infected installation, completely.
- Restore the clean backup.
If you don’t have a backup, install everything from scratch
In case you don’t have any backups that you are absolutely sure are totally clean from infections or hacks, then you have to install everything from scratch:
- Install the latest secure WordPress version using the official download, no shortcodes.
- Install the latest secure version of the theme using the official download and license if necessary.
- Install the latest secure versions of all the plugins you need.
- If you have a clean copy of the images and files in the /uploads/ folder upload it, but only if you are absolutely sure.
- If you have a clean export of entries, pages, products, etc. import it (Tools → Import), but only if you are sure they have nothing injected.
Analyze your computer and all administrators’ computers
It can also happen that the source of the vulnerability comes from a computer infected by malware or backdoors, so it never hurts to scan with a good antivirus and malware software the computers of all those who have administrator access to the web or hosting panel, because any change you make may not help if their computers will expose the passwords, old or new.
Here are a couple of free antivirus in case you don’t use any yet:
Change all access passwords to EVERYTHING
This is perhaps the most important step and one that almost no one takes seriously enough.
You must change the access passwords to absolutely everything related to your WordPress website, and an exhaustive, but perhaps not complete list would be the following:
- SQL user access passwords to ALL databases, even those – apparently – not infected. It is even safer to delete the current SQL users and create all new ones, with new passwords (this is what I usually do).
- FTP and SFTP access passwords and users. Delete ALL current accesses and create new ones, only those exclusively necessary.
- WordPress access passwords for ALL users. It is not enough to send an email to change them, force the change or change them all en masse.
- Email passwords for ALL users.
- Access passwords to services that interact with your website, such as CDN, WordPress.com accounts, GMail, plugin and theme licenses, newsletter services, etc.
Rescan your website for vulnerabilities
Now that you have uploaded (supposedly) clean copies of everything you should go back to using the detection tools we have seen before, to check that the site is no longer infected and there is no compromised content.
Make a backup copy of the newly installed and cleaned website.
If you don’t find malware again, or any hacks or backdoors it’s time to make a totally clean WordPress website backup, and label it clearly in case you have to reuse it to recover the site in the future.
How to remove malware and clean up your WordPress website hacking
No matter how you recover your website or if you were unable to do so, you should always remove the hack, malware, backdoor or whatever has compromised your WordPress site.
The following steps will help you clean up your site if you have not been able to recover clean copies of your content, and will always help you to better understand your installation and learn how to better protect your site from future infections or hacks.
The following process works just as well for your compromised installation as it did for the backup of the infected site we made in the first step of this guide.
In this process of cleaning and disinfecting the WordPress website we will not use plugins, because we must start from the idea that security plugins can also be compromised in a hacked installation, and could show false positives, as well as hiding vulnerabilities, so discard any tutorial you find that recommends you to do this process using WordPress security plugins.
Checking and cleaning infected or hacked WordPress files
The first step would be to search the WordPress installation files, plugins, themes and other folders for any files that may have become infected or contain malware or backdoors.
There are several ways to check…
Compare your WordPress installation vs. a clean installation
Compare your installation with a freshly downloaded WordPress, to see if your installation contains files that are not from the standard installation or if they have changed.
If you detect files that are not in the official installation open them to analyze if they are files that you uploaded for a specific purpose and, if in doubt, download a copy and delete them.
You must do this with all the folders, and their subfolders, of the WordPress installation (wp-admin, wp-includes, wp-content, etc.).
The fastest and most recommended way is to use a file manager (FTP, hosting file manager, local file manager, etc.) and, sorting the files by the date of last modification and last inclusion, search for different files, with different weights, different content, etc.
Before starting this task it is advisable, as I recommended before, to analyze the logs of the server, as well as to start looking for files that security scanners have detected as malware or infected.
Searches for specific suspicious files or file types
If you already know what filenames or file extensions to look for, if you have SSH access to your installation you can do a search for the file or file type you are looking for.
Here are some examples of possible searches:
//Find and show all html files
find . -type f -name '*.html'
//Find and show all php files
find . -type f -name '*.php'
//Find and show all js files
find . -type f -name '*.js'
//Find and show an specific file
find . -type f -name 'not-abadfile-forsure.php'Code language: JavaScript (javascript)A different search would be to locate files that have been modified or uploaded recently. For example, with the following command we will have a list of files that have been modified in the last 7 days:
find .mtime -7 –ls | less
From this list we would continue searching, analyzing, and even opening files to check their integrity and locate the malicious code.
Search for specific texts
If we know exactly what text or URL to look for, either because they are URLs to which our web redirects or because it is an unwanted text that is displayed somewhere, we can perform a search for that particular text string to detect in which file of our installation it is injected.
Again we would use the command interface to perform the search, for example:
grep –Ril www.wedonotsteal-bitcoins.com
Code language: CSS (css)This command will display a list of files containing the URL www.wedonotsteal-bitcoins.com so you can quickly locate them and clean up the code.
Apart from that obvious text string in the URL, here is a list of codes and texts that are commonly used in hacked WordPress sites. You can use the grep tool to search for the following:
base64_decodeis_adminevalgzuncompresspassthruexecshell_execassertstr_rot13systemphpinfochmodmkdirfopenfclosereadfile
A quick way to achieve this using grep is through the following grep command, which searches files recursively (follows any symbolic link), looks for strings that match the specified regular expression, and returns the matching text as well as the line number where the match occurred.
grep -RPn "(base64_decode|is_admin|eval|gzuncompress|passthru|exec|shell_exec|assert|str_rot13|system|phpinfo|chmod|mkdir|fopen|fclose|readfile) *\("
Code language: HTML, XML (xml)Mind you, some of this code may also be used in legitimate code, so analyze the code properly and understand how it is being used before flagging something as an infection or a hack.
Checking and cleaning infected or hacked WordPress databases
To check and clean the database of your WordPress site use the MySQL database management tool of your hosting, which will usually be phpMyAdmin.
- Look for suspicious content (spam keywords, unwanted text, links, etc.).
- Open the table containing suspicious content.
- Manually remove any suspicious content.
- Perform a test to check that your site is still working after the changes.
Beginners can use the payload information provided by the malware scanners we saw earlier. Intermediate users can also manually search for the most common malicious PHP functions, such as eval, base64_decode, gzinflate, preg_replace, str_replace, etc.
Checking and cleaning of rear doors
Another method hackers use to hack into your website is through PHP backdoor functions that are injected into files such as wp-config.php and .htaccess, as well as directories such as /themes/, /plugins/, or /uploads/.
The most common PHP functions, such as base64, eval, exec, and preg_replace, are used for backdoors and for legitimate use of most WordPress plugins.
Therefore, in addition to avoiding any site breakage, you need to properly clean the backdoors to avoid any reinfection of the website.
How to remove unsafe site warnings
Finally, don’t forget to cancel any warning that the WordPress site is not secure, so when you have finished cleaning and recovering the hacked WordPress site, do the following:
- If your hosting blocked the site contact them to get it re-enabled and available.
- If the Chrome browser showed warnings that visiting the website was not secure, access the Google Search Console to request a review of the website(Security).
What to do after cleaning and recovering the hacked WordPress website
When you finish cleaning and you have recovered the infected or hacked WordPress website your main mission is to avoid as much as possible that this happens again.
To do this my recommendation is as follows:
- Always use and enforce the HTTPS secure connection using an SSL certificate.
- Activate, at least, the HSTS and CSP security headers.
- Put in place a good WordPress backup strategy, to avoid unpleasant surprises in the future.
- Install a good WordPress security plugin.
- Perform or hire a good WordPress maintenance, always keeping everything updated.
- Impose the periodic change of passwords and that these are strong.
- Install an activity log plugin, if the security plugin does not include this functionality, to control and analyze the traffic and use of the website.
- Write-protect your configuration files.
- Analyze if your hosting company does enough to protect your site and, if not, switch to a trusted hosting company.
- Frequently scan the entire installation for possible vulnerabilities, using the tools we have seen at the beginning, or even hiring an automated periodic scanning service.
I hope I have helped you to clean and recover your WordPress website if it has been hacked or infected, if you have any questions you can leave them below in the comments section.
