Cleaning a hacked WordPress site is no easy task. And now that Google is enforcing a 30-day ban on site reviews to prevent repeat offenders from distributing malware, cleaning up a hacked site thoroughly is more important than ever.
I highly recommend using a professional to clean the site. Jim Walker, the Hack Repair Guy, is the person I most often refer people to along with Sucuri, which has a great knowledge base of research on website security, vulnerabilities, vectors, and more.
If you are going to attempt to clean the site yourself, here are steps I recommend: Step 1: Backup the Site Files and Database Backup the full site if you can using the web host’s site snapshot feature. This will be the most thorough backup of your entire server. However, it might be quite large, so be prepared for the download to take time.
Use a WordPress backup plugin if you can login okay. If you can’t log into the site, the hackers may have compromised the database in which case, you may want to use one of the professionals I mentioned above.
Make a separate, additional backup of the database using these steps.
If you can login, also use Tools > Export to export an XML file of all your content.
Some sites might be quite large. The uploads file itself could be over 1GB. The wp-content folder is the most important folder on your server as it contains all your uploads. If you can’t run a backup plugin and your web host doesn’t have a “snapshots” feature, then you can use the web host’s File Manager to make a zip archive of your wp-content folder and then download that zip file.
If you have multiple installs of WordPress on the server, you’ll want to back up each one.
Note about .htaccess file: Make a back up of your .htaccess file and download it. This is an invisible file, so you can only see it in the web host’s File Manager if you choose to show invisibles when you launch the File Manager. Rename this file to remove the period at the beginning, so you can see it on your computer, otherwise it will be invisible on your computer as well. Then download it. You may need a back up of the .htaccess file in case it contained content you’ll need to copy back over to your clean site. Some hosts use the .htaccess for determining the PHP version you are using, so the site will not work correctly without that. Some people put 301 SEO redirects in their .htaccess file. Also the .htaccess file could have been hacked, so you’ll want to examine it later.
Step 2: Download and Examine the Backup Files
Once the site is backed up, download the backup to your computer, double-click the zip file to open it. You should see: All the WordPress Core files. You can download WordPress from WordPress.org and check out the files in the download and match them to your own. You won’t really need these files, but you may want them for your investigation into the hack later.
The wp-config.php file. This is important as it contains the name, username, and password to your WordPress database which we will use in the restore process.
.htaccess file. This will be invisible. The only way to know if you backed this up is to view your backup folder using an FTP program (like FileZilla) or code editing application (like Brackets) that lets you view invisible files (check the Show Hidden Files option) within the application’s interface.
The wp-content folder. In the wp-content folder, you should see at least three folders: themes, uploads, and plugins. Look in these folders. Do you see your theme, plugins, and uploaded images? If so, then that’s a good sign you have a good backup of your site. This is typically the only mission-critical folder you need to restore your site (in addition to the database).
The database. You should have an SQL file that is an export of your database. We are not going to delete the database in this process, but it’s good to have a backup.
Step 3: Delete All the Files in the public_html folder
After you have verified you have a good and complete backup of your site, delete all the files in your public_html folder (except the cgi-bin folder and any server related folders that are clearly free of hacked files) using the web host’s File Manager. I recommend the File Manager because it’s a lot faster than deleting files via FTP. If you are comfortable with SSH, then that will be fast as well. Be sure to view invisible files to delete any compromised .htaccess files as well.
If you have other sites that you are hosting on the same account, you can assume they have all been compromised as well. Cross infection is common. You must clean ALL the sites, so back them all up, download the backups, and do the following steps for each one. I know this sounds severe, but, seriously, trying to scan for and find all the hacked files on a server is absolutely onerous. Just make sure each of your backups is complete. And don’t just clean one website and then clean the other leisurely as in the time it takes you to clean one, then other that is still infected can re-infect the one you just cleaned. Treat it like the bubonic plague.
Step 4: Reinstall WordPress
Using the one-click installer in your web hosting control panel, reinstall WordPress in the public_html directory if this was the original location of the WordPress install or in the subdirectory if WordPress was installed in an add-on domain.
Referencing the backup of your site, edit the wp-config.php file on the new install of WordPress to use the database credentials from the your former site. This will connect the new WordPress installation to the old database. I don’t recommend re-uploading your old wp-config.php file as the new one will have new login encryption salts and will definitely be free from any hacked code.
Step 5: Reset Passwords and Permalinks
Login to your site and reset all user names and passwords. If you see any users you don’t recognize, your database has been compromised, and you need to contact a professional to make sure no unwanted code has been left in your database. I do have a Nuke it From Orbit blog post you can read if you want to kill your old database and start fresh. It’s a bit more work but really does ensure you have a clean site.
Go to Settings > Permalinks and click Save Changes. This will restore your .htaccess file, so your site URLs will work again. Be sure when you deleted files on your server that you showed invisible files, so you didn’t leave any hacked .htaccess files behind. .htaccess is an invisible file that controls a lot of things on the server and can be hacked to maliciously redirect people from your site to other sites.
Be sure to rest all FTP and hosting account passwords as well.
Step 6: Reinstall Plugins
Reinstall all your plugins from the WordPress repository or fresh downloads from the premium plugin developer. Do not install old plugins. Do not install plugins that are no longer maintained.
Step 7: Reinstall Themes
Reinstall your theme from a fresh download. If you customized your theme files, reference your back up files and replicate the changes on the fresh copy of the theme. Do not upload your old theme, as you may not recognize which files have been hacked.
Step 8: Upload Your Images from the Backup Now is the tricky part
Step 9: Scan Your Computer Scan your own computer for viruses, trojans, and malware
Step 10: Install and Run Security Plugins
Install and activate the Shield WordPress Security plugin by iControlWP. Check through all its settings. I’d recommend running the Audit feature for a few months to keep track of all activity on the site.
Run the Anti-Malware Security and Brute-Force Firewall and scan the site thoroughly. Scan the site with Sucuri’s Sitecheck to make sure you didn’t miss anything. You don’t need two firewall plugins running, so de-activate the Anti-Malware plugin after you’ve verified the clean site. Shield will notify you in the future if any core files have changed.
Quick and Dirty Hack Repair
Sucuri has a great step-by-step guide for hack removal that includes details on how to use the Sucuri plugin to facilitate the process above. Sucuri’s plugin has some great Post Hack features, including: a core file scan quick access to error logs tool to reset all user passwords ability to automatically reinstall all free plugins ability to reset encryption salts If you want to simplify the hack recovery process above, what you could do is:
- Use the Sucuri plugin to scan core files and replace/delete ones that have been modified or don’t belong.
- Use the Sucuri plugin Post Hack tab and Site Audit tab to replace all free plugins, reset user passwords, reset encryption salts.
- Re-upload premium plugins.
- Review the contents of every folder in the wp-content folder with a fine-tooth comb (except the individual plugin folders which you would have replaced in step 2 above).
- Evaluate each and every theme file carefully.
- Delete unused themes and plugins.
- Comb through your uploads folder carefully.
- Manually examine your .htaccess file and any other files left in the public_html folder that you didn’t replace.
My slash and burn approach is that most people inadvertently leave hacked files behind if you don’t choose to upload them to the server methodically and consciously. However, if you are quite in-depth and familiar with and look like your WordPress files (e.g. how to personalize themes and how to create them), you can clean up the hack using this simplified approach.
Finding the cause of the hack
If you’re not a professional, the reason for WordPress hacking can be tricky, but it is certainly not out of reach when you have a hacky eye. Check out this post on common WordPress hacks by Smashing Magazine. Once you have identified the type of hack that you have encountered, you can narrow the reason for it. The WHY is often not as important as cleaning up, but it can be important if your own computer has caused it.
Also, if you reinstall the same vulnerable plugin or theme which is why your site was hacked, the site is re-hacked very quickly. Therefore, to know the cause is more about making you aware that after all the efforts to clean up things you did not repeat the same mistakes.
If you want to get a deeper look at the hack’s cause, do this: check your backup for hacked files. They have unusual names and can be distinguished from other files in your WordPress install or have recent modified dates. If the files are opened in a code editor, such as Dreamweaver, TextWrangler, BBEdit, Coda, etc., you will soon notice that something is odd by the code color coding or by a lot of code. See below screenshots.
Search Google for specific phrases, files or file names. Sometimes it may be only the name of a div class you find in the hacked code as on the hacked site of my client.
Review the cPanel hosting
Raw Access Logs to see what files the hackers had accessed (look for POST log statements). That will be an indication of what was and when exactly compromised. You can check the IP address that accesses these files to see where the hacker came from.
Most hacks are caused by old plugins and themes, so look for plug-ins that you use on the hacked site and see if the site has perhaps been compromised by an old version of Gravity Forms, Revolution Slider, theme or plug-in timthumb.php script, etc. Many websites have common, known vulnerabilities. For hackers, it’s all low fruit.
Look for hidden admin users and other potential hacked content in the database. Sucuri has great tips on scanning for hidden malicious code in your database. If you try to change your database, first save it like 3x!
Hacked Htaccess file
Hacked content Hacked theme file Preventing WordPress Hacks-Hacked index file sample Monitoring your site Monitoring on Google Search Console notifications and any error logs you will find on the server after cleaning it up. To track users that access the site files, in particular POST requests, you can look at your Raw Access Logs on the server. If this is not enabled, you can turn access logs archive on in your cPanel.
You can use the Audit Trail feature Shield WordPress Security plugins to track file changes or access to the site.