Recovering a hacked Website
First thing: don’t panic, you can fix this.
If you’re not comfortable dealing with code and servers, then we recommend using a professional to do this for you. This is mostly because hackers can hide scripts deep within your website’s file structure, effectively leaving backdoors that allow the hackers to get back in and hack your website all over again.
We will tell you how to find and remove these backdoors and malicious code further down the page, but you may prefer the peace of mind of knowing that an expert has thoroughly cleaned the website of possible backdoors, in which case you can contact us.
1. Restore Site from a Known Good Backup
If your site has been hacked, we recommend restoring to a previously known good backup of the site and then following the steps below (excluding step 5, as your site won’t be hacked after the restore). If your site is hosted with Protect WordPress we can go back up to 3 months, so ask your hosting provider if they can supply you with backups.
If you don’t have any backups available then follow the steps below to get your site back up and running.
Note: if you are not restoring to a known good version of your site, this isn’t an ideal situation. If a thorough job isn’t performed, you could leave behind backdoors that let the hackers re-hack your site.
2. Change WordPress Password
Log into WordPress and change your administrator password to something long and complex. Have a good look through the user list too and make sure there are no suspect users; if there are, delete them.
If you can’t log in to your backend, you’ll need to go into your database and edit the users table (usually called wp_users) via phpMyAdmin. Edit the administrator’s record and update the password to something complex. Also make sure to select ‘md5’ in the function drop-down for this entry.
Update all your plugins, the WordPress core and your theme. At this stage look through your plugins and delete any that are not in use – malicious code could be hiding here. You’ll also want to delete any themes that aren’t in use, again malicious code could be here too.
5. Fix the Hack
This step involves finding all the malicious files and removing them. You’ll need a good understanding of the file structure of WordPress to identify things that are out of place. An FTP program like FileZilla will also be required for this step.
Firstly, make a backup of the site. You can do this with cPanel (fast), or by copying all the files to your computer using FTP. You’ll also need to export your database if you use the FTP method.
With your FTP program, have a look at the root directory of your website (usually public_html or wwwroot). There will be 3 folders, “wp-admin”, “wp-content” and “wp-includes”; these are the standard WordPress directories. Anything else in here could be malicious, so go into any other folders and check what is in there. If they look suspicious, delete them.
Now download the latest version of WordPress. Completely remove the directories “wp-admin” and “wp-includes” and any files in the root folder (except wp-config.php and .htaccess; make sure to review these files as they too may have malicious code in them), then copy fresh copies of these from the zip file back to your server.
Other directories that are common for hackers to leave malicious code in are:
- “/” (root directory)
If you are having trouble finding malicious files or code, have a look at your web logs. If you see many (hundreds or thousands of) entries from the same IP address, this is suspicious – look at the files they’ve been accessing. What you are looking for are files that end in “.php” and have code in them like:
The problem here is that some legitimate plugins or themes may use these functions. However, if there are blocks of ‘random’ characters in these files, be very suspicious and compare with known good copies of the plugin or theme.
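The log review and the ‘random’ character check described above can be scripted. The following is an added example, not code from the original page: it assumes the web server writes the common/combined log format, and the request threshold, the 200-character cut-off and all sample log lines and PHP text are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Common/combined log format: IP ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3}')
# Long unbroken run of base64-alphabet characters (the 'random' blocks).
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{200,}")  # 200 is an assumed cut-off

def noisy_ip_php_paths(lines, threshold=100):
    """Map each IP with >= threshold requests to the .php paths it requested."""
    hits, php_paths = Counter(), defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        ip, url = m.groups()
        hits[ip] += 1
        path = url.split("?", 1)[0]  # drop the query string
        if path.lower().endswith(".php"):
            php_paths[ip].add(path)
    return {ip: sorted(php_paths[ip])
            for ip, n in hits.items() if n >= threshold and php_paths[ip]}

def find_encoded_blobs(php_source):
    """Return (line_number, run_length) for every long encoded-looking run."""
    found = []
    for number, line in enumerate(php_source.splitlines(), start=1):
        for m in BLOB_RE.finditer(line):
            found.append((number, len(m.group())))
    return found

# Constructed sample data (documentation IP ranges, made-up paths).
SAMPLE_LOG = (
    ['203.0.113.7 - - [10/Jan/2024:10:00:00 +0000] '
     '"POST /wp-content/uploads/cache.php?a=1 HTTP/1.1" 200 512'] * 150
    + ['198.51.100.20 - - [10/Jan/2024:10:05:00 +0000] '
       '"GET /wp-login.php HTTP/1.1" 200 2048'] * 3
)
SAMPLE_PHP = "<?php\n$x = '" + "QUJD" * 60 + "';\n?>"

if __name__ == "__main__":
    for ip, paths in noisy_ip_php_paths(SAMPLE_LOG).items():
        print(ip, "requested:", ", ".join(paths))
    for number, length in find_encoded_blobs(SAMPLE_PHP):
        print(f"line {number}: {length}-character encoded-looking run")
```

A hit from either function is a reason to open the file and compare it with a known good copy, not proof of infection, since legitimate plugins can embed encoded data too.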
6. Update all Passwords
Update all of your passwords, including: cPanel, MySQL, all WordPress administrators (again), FTP and SSH.
Make sure the new passwords are all different from one another and are all long and complex. You could use a password generator to help you with this, such as LastPass, or a password manager such as KeePass.
Install and configure a plugin that will harden your WordPress site, such as Sucuri. This will make it more difficult for your site to be hacked in the future.
Set an update schedule to make sure you regularly log into your WordPress site and keep it updated with the latest WordPress core, themes and plugins. Sites that use our services at Protect WordPress automatically get any released updates applied to their site within 24 hours, so you are always protected and you don’t need to worry about this step.
Take a backup of your site so that if the site gets re-infected you at least have a point to start from next time. If your site gets hacked again after the steps above are performed, there may well still be a backdoor hidden in your site, which is allowing the hacker to bypass your security. If this is happening, you’ll need to go back to step 5, try to identify where they are getting in, and remove it.