{"id":20206,"date":"2019-06-12T12:30:04","date_gmt":"2019-06-12T12:30:04","guid":{"rendered":"https:\/\/www.heartinternet.uk\/blog\/?p=20206"},"modified":"2019-06-12T12:30:04","modified_gmt":"2019-06-12T12:30:04","slug":"how-to-fix-a-hacked-wordpress-website","status":"publish","type":"post","link":"https:\/\/www.heartinternet.uk\/blog\/how-to-fix-a-hacked-wordpress-website\/","title":{"rendered":"How to fix a hacked WordPress website"},"content":{"rendered":"

When it comes to WordPress, \u201chacked\u201d is never a word you want to hear. Unfortunately, it happens more often than you think. According to Sucuri’s latest Hacked Website report, WordPress infections rose from 74% in 2016 Q3 to 83% in 2017<\/a>.<\/p>\n

You\u2019re likely aware of the consequences: loss of search engine rankings, exposing site visitors to viruses, damaged reputation due to redirects to bad neighbourhood sites or worse, loss of the entire site data.<\/p>\n

So, suppose you find yourself in a worst-case scenario and your site or one of your client\u2019s WordPress sites gets hacked. What do you do?<\/p>\n

This infographic from Sucuri outlines the steps to follow to remove malware and fix a hacked WordPress site<\/a>.<\/p>\n

For a more in-depth version, read on as we walk you through the steps to follow to identify and clean a WordPress hack. We\u2019ll also share some valuable tips on how to secure WordPress to prevent further attacks.<\/p>\n

Note: If you don’t want to go through all these steps manually, you can use Website Security powered by Sucuri to scan and fix your hacked WordPress site<\/a>. The Deluxe and Ultimate packages also help prevent future hacks.<\/p>\n

Step 1: Identify the hack<\/h3>\n
1.1 Scan your website<\/h5>\n

The first thing you need to do is to scan your website to find the hack.<\/p>\n

There are lots of tools you can use to scan sites remotely and find malicious payloads and malware locations.<\/p>\n

Sucuri\u2019s free WordPress plugin<\/a> is a great solution that helps to scan your site and find malicious payloads, malware locations, security issues, and blocklist status with major authorities.<\/p>\n

If the site is found to be infected, you\u2019ll get a warning message with further details, including payloads and blocklist warnings.<\/p>\n

If the remote scanner can\u2019 find a payload, don\u2019t stop there. If you have the plugin installed, you can manually review the iFrames\/Links\/Scripts tab of the Malware scan to look for suspicious activity.<\/p>\n

If you\u2019re running multiple client sites on the same server, make sure to scan all of them using SiteCheck or whichever security tool you prefer.<\/p>\n

1.2 Review core file integrity<\/h5>\n

Next, you\u2019ll need to check and make sure that no core WordPress files have been modified in the wp-admin, wp-includes, and root folders.<\/p>\n

A quick way to do this is to use the diff<\/code> command in terminal. Another option is to manually check your files via SFTP. If you choose this option to check for malware, we\u2019d recommend using FTPS\/SFTP\/SSH rather than unencrypted FTP client.<\/p>\n

If you discover that no core files have been modified, then you can move on to the next step.<\/p>\n

1.3 Review new or recently modified files<\/h5>\n

Another way to find hacked files is to take a closer look at the new or recently modified files.<\/p>\n

Here\u2019s how you can manually check recently modified files:<\/p>\n

    \n
  1. Log into your server using an FTP client or SSH terminal.<\/li>\n
  2. If you\u2019re using SFTP, review the last modified date column for all files on the server.<\/li>\n
  3. If you\u2019re using SSH, you can get access to all the files that have been modified in the last 15 days by using this command:
    \n$ find .\/ -type f -mtime -15<\/code><\/li>\n<\/ol>\n

    Make a note of any files that have been recently modified as you\u2019ll need them later in the process.<\/p>\n

    If you\u2019re using terminal commands on Linux, here\u2019s how you can check for recently modified files:<\/p>\n

      \n
    1. Type in your terminal:
      \n$ find \/etc -type f -printf '%TY-%Tm-%Td %TT %p\\n' | sort -r .<\/code><\/li>\n
    2. To see directory files, type in your terminal:
      \n$ find \/etc -printf '%TY-%Tm-%Td %TT %p\\n' | sort -r .<\/code><\/li>\n
    3. Unfamiliar changes in the last 7-30 days may be suspicious so make sure to review them.<\/li>\n<\/ol>\n
      1.4 Check diagnostic pages<\/h5>\n

      When a WordPress website gets hacked, it usually doesn\u2019t take long for Google to blocklist it to prevent it from showing up in its search results and protect its users.<\/p>\n

      So the next step is to check and see if Google has issued any security warnings for your website.<\/p>\n

      Use Google\u2019s Safe Browsing status tool<\/a> to check the security status of your website.<\/p>\n

      All you need to do is to enter your site URL, click enter and Google will return further information about your site\u2019s status, including information about malicious redirects, spam and downloads.<\/p>\n

      While this is a quick solution, a better one would be to sign up for Google Search Console<\/a>. It\u2019s free and you\u2019ll get access to lots of useful reports and information about your site\u2019s security and performance.<\/p>\n

      Step 2: Remove the hack<\/h3>\n

      Now that you\u2019ve managed to find the hacked files, it\u2019s time to remove them and restore your WordPress website to a clean state.<\/p>\n

      Here\u2019s how:<\/p>\n

      2.1 Remove or clean hacked files<\/h5>\n

      If the malware is in your WordPress core files or plugins, you can fix it manually. However, make sure you don\u2019t overwrite your wp-config.php\u00a0file or\u00a0wp-content\u00a0folder.<\/p>\n

      If you have access to a recent backup that\u2019s not infected, that can be very helpful as you can simply replace the infected files with the ones from your backup.<\/p>\n

      If you don\u2019t have a recent backup, you\u2019ll need to replace the hacked files with fresh copies.<\/p>\n

      Now, to manually remove a malware infection from your WordPress site files, follow these steps:<\/p>\n

        \n
      1. Log into your server via SFTP or SSH.<\/li>\n
      2. Before you make any changes, create a backup of the website.<\/li>\n
      3. Make a list with recently changed files.<\/li>\n
      4. Double-check the date they were modified with the user who changed them.<\/li>\n
      5. Restore suspicious files with copies from the official WordPress repository.<\/li>\n
      6. Open any custom files (not in the official repository) with a text editor.<\/li>\n
      7. Remove any suspicious code from those custom files.<\/li>\n
      8. Test to make sure that your website is fully functional after you\u2019ve made the changes.<\/li>\n<\/ol>\n
        2.2 Clean hacked database tables<\/h5>\n

        To remove a malware infection from your site database, you\u2019ll need to use your database admin panel to connect to the database. There are lots of tools you can use for this, including Search-Replace-DB and Adminer.<\/p>\n

        Follow these steps to manually remove a malware infection from your database tables:<\/p>\n

          \n
        1. Log into your database admin panel.<\/li>\n
        2. Before you make any changes, make sure to create a backup of the database.<\/li>\n
        3. Search for suspicious content (i.e., spammy keywords, links).<\/li>\n
        4. Open the table that contains suspicious content.<\/li>\n
        5. Manually remove any suspicious content.<\/li>\n
        6. Test to check that your website works properly after you\u2019ve made the changes.<\/li>\n
        7. Remove any database access tools you may have uploaded.<\/li>\n<\/ol>\n
          2.3 Secure all user accounts<\/h5>\n

          Take a look at your WordPress users list and immediately remove any suspicious or unfamiliar users. As a precaution, we suggest having only one admin user and limiting the rights or privileges of other users such as editors, authors, contributors, users.<\/p>\n

          Now, before you start removing any suspicious users, make sure to backup your website and database. Then simply go to your WordPress users list and delete any users you deem suspicious.<\/p>\n

          At the same time, if you believe one or more of your legitimate user accounts have been hacked, we recommend resetting their passwords. You can easily do that with the Sucuri plugin.<\/p>\n

          2.4 Remove hidden backdoors<\/h5>\n

          Hackers are smart. They almost always leave a way to get back into your website, just in case they get caught. This means you\u2019ll need to find those backdoors and prevent them from coming back and hacking your WordPress site yet again.<\/p>\n

          Usually, backdoors are embedded in files that have similar names to WordPress core files. The difference is that they\u2019re usually located in wrong directories. Hackers can also inject backdoors into files like wp-config.php or directories like \/uploads, \/plugins and \/themes.<\/p>\n

          Look for the following PHP functions to find backdoors:<\/p>\n