It’s not easy to clean a hacked WordPress site. And now that Google implements a 30-day ban on site reviews to prevent repeating criminals from distribution of malware, it’s more important than ever to thoroughly clean up a hacked site.
I highly recommend using a site cleaning professional. Jim Walker, the Hack Repair guy, is the person I refer to most often together with Sucuri who has a wide range of knowledge on website security research, vulnerabilities, vectors and more.
To clean up the site yourself, here are steps I recommend:
Step 1: Backup of site files and backup of the entire site
If you can use a snapshot feature of the website host. This is the most comprehensive backup of your whole server. However, it may be quite large, so be prepared to take time for the download.
- Use a backup plugin for WordPress if you can login all right. If you can’t log in to the site, hackers could have compromised the database, so you can use one of the above-mentioned professionals.
- Use these steps to create a separate, additional database backup.
- Use Tools > Export to export a XML file of all your content if you can log in.
Some sites may be pretty big. The upload file itself may be more than 1 GB. The wp-content folder is your server’s most important directory because it contains all your uploads. If you can not run the backup plug-in and your web host has no snapshots feature, then you can make a zip archive from your wp-content folder
Using the Web Host File Manager and download the wp-content folder.
If you have multiple WordPress installs on the server, you will want to back up each installation.
Note: About.htaccess file: backup and download your.htaccess file. This is an invisible file and you only can see it in the File Manager of the web host when you start the file manager. Rename this file to remove the time at first so that you can see it on your computer, otherwise it will also be invisible on your computer. Then download. Then download it. If you have content, you might need to back-up the.htaccess file if you need to copy it back to your clean site. Some hosts use.htaccess to determine the PHP version that you use, so without that the website won’t work properly. Some people have redirected 301 SEOs to their.htaccess file. You might also have hacked the.htaccess file, so you’ll want to check it later on.
Step 2: Download and Examine the Backup Files
Once you back up the Site, double-click the zip file to open the backup to your computer. See:
- All WordPress Core files. You should see. You can download WordPress from WordPress.org and check the downloaded files and match them. You won’t really need these files, but you might want them later for your hack investigation.
- The file wp-config.php. This is important, as it contains your WordPress database’s name, user name and password that we will use in the restoration process.
- File.htaccess. That’s going to be invisible. If you backed up it, you can only view your backup folder using an FTP program (such as FileZilla) or an application for the code editing (such as Brackets), which allows you to view invisible files (check the Show Hidden Files option) within the application interface.
- The folder wp-content. In the wp-content folder at least three folders should be displayed: themes, uploads and plugins. See these folders. See these folders. See your theme, plugins and pictures uploaded? If so, then this is a good sign that you have a good website backup. This is usually the only directory that you need to restore your site (in addition to the database).
- The database. You should have a SQL file which is a database export. In this process, we will not delete the database, but it is good to have a backup.
Step 3: Delete All the files in the public html folder
After verifying your website’s proper and complete backup, delete all of the files in your open html folder (with the exception of the cgi-bin folder and any server related directories that are clearly free of hacked files) with the web host File Manager. I recommend the File Manager since deletion of files via FTP is much faster. If you’re comfortable with SSH, that’s quick too. Make sure you see invisible files to also delete any affected files.htaccess.
If you have other websites on the same account, you can presume that they are all compromised. Infection with the cross is common. You have to clean all the sites so that everyone can back up the sites, download the backups and do the next steps. I know it sounds serious, but it’s absolutely costly to try to scan for and find all the hacked files on a server. Make sure every backup is complete. And don’t just clean one website and then clean the other easily, as you need to clean one and then another one that is still infected can reinfect what you have just cleaned. Treat it like the plague of the bubonic.
Step 4: Reinstall WordPress
Use the one-click installation in your web hosting control panel to reinstall WordPress to public html if it was the original location of the WordPress install or to install WordPress in the subdirectory if the add-ons were installed.
Once you refer to your site’s backup, edit the file wp-config.php on the new WordPress install to use your site’s database credentials. This connects the new installation of WordPress to the old database. I don’t recommend that your old wp-config.php file is re-uploaded since the new one has new login encryption salts and is definitely free from hacked code.
Step 5: Reset your site login and all usernames and passwords reset
If you see users you don’t recognize, your database has been impaired, and you need to contact a professional to ensure there is no unwanted code in your database. I’ve got a Nuke From the Orbit blog post you can read if you want to kill and start fresh your old database. It’s a bit more work, but you really have a clean website.
Go to Settings and click Save Changes. This will restore your.htaccess file to rework your website URLs. When you removed files on your server, make sure you have shown invisible files, so you did not leave hacked files behind.htaccess. .htaccess is an invisible file which controls a lot of things on the server and can be hacked to redirect people from your site maliciously to other sites.
Make sure all FTP and account passwords are restored.
Step 6: Remove Plugins
Remove all your plugins from your WordPress repository or from the premium plugin developer to the latest downloads. Do not have old plugins installed. Do not install plugins that are not maintained anymore.
Step 7: Reinstall themes
From a fresh download Reinstall your theme. When you have personalized your topic files, reference your backup files and replicate the changes in the fresh copy of the topic. Don’t upload your old theme because you can’t know which files are hacked.
Step 8: Uploading Your Backup Images is the tricky part.
Step 9: Scan Your Computer
Scan for viruses, trojans and malware your own computer.
Step 10: Install and run security plugins and activate
iControlWP’s Shield WordPress Security plugin. Check all your settings. For a few months, I would like to run the Audit feature to keep track of all activities on the site.
Run the firewall and the anti-malware security and scan the site thoroughly. To make sure you didn’t miss anything, scan the Sucuri’s Sitecheck website. You do not need to run two firewall plugins, so disable Anti-Malware after you have checked the clean site. Shield will inform you if any core files have changed in the future.
Quick and Dirty Hack Repair
Sucuri has a great step-by-step hack removal guide that provides information about how to use the Sucuri plugin to facilitate the above process. Sucuri’s plugin has some great functionality, including:
- a core file scan
- quick access to error logs
- tool to reset all user passwords
- ability to automatically reinstall all free plugins
- ability to reset encryption salts
If you want to streamline the above hack recovery process, what you can do is:
- Use the Sucuri plugin to scan core files and replace / delete those modified or not.
- Use the Post Hack and Site Audit tab in Sucuri to replace all free plugins, reset user passwords, reset encryption salts.
- Premium plugins re-upload.
- Check every folder in the wp-content folder with a fine-tooth comb (except the plug-in folders you replace in Step 2 above).
- Carefully evaluate every theme file.
- Remove unused topics and plugins.
- Comb carefully through your uploads folder.
- Manually, check your.htaccess file and other files that you did not replace left in the public html folder.
The purpose of my slash and burn approach is to leave hacked files behind if many people do not choose methodically and consciously what to upload back to the server. However, you can clean up a hack using this simplified approach if you are quite detailed in-depth and familiar with your WordPress files and what they are like (for example, you know how to customise themes and what theme code should look like).
Finding the cause for the hack
If you’re not a professional, the cause of a WordPress hack can be difficult, but surely it won’t be outside your reach if you have an eagle’s eye. Check out this post on common WordPress hacks from Smashing Magazine. Once you identify the type of hack you’ve encountered, you can determine more easily why it happened. In many cases the WHY is less important than cleaning it up, but it can be important if your own computer is responsible for this.
Also, if you reinstall the same vulnerable plugin or theme and don’t know why your site has been hacked, the site is re-hacked pretty quickly. So it is more important to make you aware that after all your efforts to clean things you don’t repeat the same mistakes.
To go deeper into the hack’s cause, do the following:
- Check your hacked file backup. They have strange names and can be distinguished from the other files on your WordPress installation or have recent dates. When opening those files in a code editor like Dreamweaver, TextWrangler, BBEdit, Coda, etc., you can quickly notice that something is unusual by the color coding of the code or by the large quantity of code.
- Search Google for specific phrases, files or file names. Sometimes it may only be the name of a Div class that you find on my client’s hacked website in the hacked code.
- Review the cPanel Hosting raw access logs to see which files were accessed by the hackers (see POST statements in the log files). This will be an indication of what was and when exactly compromised. You can
- check the IP address from which the hacker accessed these files.
- Many hacks are due to old plugins and topics, so look at your hacking plugins and see if the website has perhaps been compromised because of older Gravity Forms, Revolution Slider, timthumb.php script in a topic or plugin, etc. Many websites have common, known vulnerabilities. For hackers, it’s all low hanging fruit.
- Search for hidden admin users and other potential hacked content in the database. Sucuri has great tips on scanning for hidden malicious code for your database. If you’re trying to modify your database, first save it like 3x!
Monitoring your website
Following your clean-up, monitor your site Stay at the top of Google Search Console Notices and any error logs you find on your server. You can look up your server Raw Access Logs to track users who access files from the website, especially POST requests. If this is not enabled, you can activate Access Logs archiving in your cPanel.
You can use the Audit Trail feature of the Shield WordPress Security plugins to monitor file changes or access the site.