What to Do When Your WordPress Site Is Hacked?
It seems that you’ve scored a success and everything is just perfect. But suddenly you notice strange things happening with your WordPress website. There is a thought rolling through your head—“Hacked?” But you thoroughly try to get rid of it— “What? Me? No! Never!”
Still, one day this pesky thought turns out to be truth and at the same time the worst nightmare you’ve have ever had. No doubt, you’re hacked.
The first idea is to jump into panic, though you know that it’s a very and very bad thing. But when your mind is not blurred with superfluous emotions anymore, you start looking for a solution.
This article is first aid for those who faced this problem and those who want to prevent themselves from such kind of troubles.
Step 1: Trust But Verify
It’s of vital importance to make sure that you’ve been really hacked. Not always odd behavior of your site means that you have become a victim of hacking. Sometimes it can be just a result of some technical disorders.
Thus, before taking any actions find real signs of a hack.
Check whether there is spam in a website header and footer. Such spam usually contains information or advert for drugs, porn and other prohibited stuff. It may be not very visible, though.
The next thing is to do a site:yoursite.com search on Google. In case of a hack you will see pages and content which you won’t recognize as yours and they will look rather malicious.
If your WordPress site has been hacked, you will learn about this from your users. They will complain about being redirected to other spammy or malicious websites every time they visit your site.
Furthermore, a hosting provider can also inform you about a hack. If you’re hacked, a host will receive reports of spam email with a link to your website.
Step 2: Decide What to Do Next
Unfortunately, your worst expectations were justified and it’s time to find the way out. But before taking any active actions you need to make one important decision.
Think over whether you can cope with this trouble alone. If you know for sure that this technical bustle is not your soapbox, then you will need to find an expert. A professional will be able to clean your site properly what is very crucial. The point is that hackers hide their scripts in multiple locations as this lets them come back again and again.
Note that services of a highly qualified expert will cost you a pretty penny (several hundreds of dollars). Obviously, this can be a stumbling block, especially for small-business entrepreneurs.
So, if you are sure that you can cope with hacking without a pro or want to save money, then follow our step-by-step guide. It will help you clear off fruit of hackers’ work here and now.
Step 3: It’s Time to Take Actions
First of all, you can ask for help in your hosting company. If it’s a reliable host you can count on their support.
It’s necessary to underline that if your site has a shared hosting, there is a chance a host company will cure your site itself. The fact is that if several sites are hacked (i.e. not only yours), a company can take a responsibility for solving your problem.
Still, if all pre-cited information doesn’t concern your case, then take the first action — change passwords. Before you start cleaning your site there is a need to change all your backend passwords (FTP/SFTP/MySQL) and the passwords for everyone who has access to your site.
If You Have Backups…
If you have cared about your security before and created some backups, there is a chance you can delete the hacked files quickly. You can restore from the moment your site wasn’t hacked.
Nevertheless, this may be a painful process as all your daily blog content (if you have such, of course) and comments will be lost.
So, it’s up to you to decide whether this is a good solution of your problem. By the by, if you have backups but your site has been hacked for a long time, it’s better to take somewhat different actions.
If There is no Way You Can Restore Your Site…
In case you don’t have backups, your site has been hacked for a long time or you don’t want to lose your content, there is another plan of action to follow.
The first step presupposes scanning of your WordPress site in order to find tiny niches where hackers hide their backdoors.
Backdoors allow snoopers to avoid typical authentication and get a remote access to the server of your site. Keep in mind that before putting a backdoor into your site, hackers usually become your users and start looking for a weak spot in your WordPress website.
Note that in most cases it’s much more difficult to identify a backdoor than delete it. So, the first task is to delete backdoors and then continue the cleaning process.
How to Get Rid of Backdoors?
Backdoors are usually saved in themes, plugins, uploads directory, wp-config.php files and WP-includes folders. Mostly they look like common WP files but with a base64 code. This code adds spam, links, and additional pages, redirects sites to others, etc.
To detect backdoors you will need a malware scanner WordPress plugin. You can make use of Sucuri Security, TAC, Exploit Scanner, or any other.
This WordPress security plugin is free. An uptake of Sucuri Security will allow you to detect and remove malware on your site, carry regular monitoring of site security level, boost the protection level of your site, and so on. It will also provide you with a necessary complex of post-hack security actions.
Theme Authenticity Checker, i.e. TAC, checks files of every theme for any signs of malicious code. It works at high speed, so you can quickly find the place where a backdoor and other malware are hidden.
In case TAC identifies some suspecious code in your themes you will see a details button next to the theme. There will be also a reference to the theme file that is infected and a malicious code.
TAC doesn’t remove malwares iself. You can either do it yourself and remove the code manually, or you can replace the infected file with the new original one.
This free WordPress plugin is considered to be more powerful than TAC. The point is that it scans all files and data your WordPress website has got. It informs about anything suspicious that was identified on your site.
Exploit Scanner also scans the list of all active plugins and detects unusual filenames. Note that this scanner like TAC doesn’t remove anything. So, it’s up to you to decide what is necessary to be cleaned up.
Using one or several of the pre-cited plugins, delete all the detected malwares and backdoors.
After you have deleted all traces of a hack, do not relax. There still a set of actions and precautions you mustn’t forget about.
Firstly, it’s necessary to check whether only you and your team members have admin access to your WordPress site.
The next step involves creation of new set of secret keys which encrypts your passwords. Add these keys in wp-config.php files. And it is obligatory to change all your passwords one more time.
Step 4: Life After a Hack
So, you’ve successfully coped with a hack. Or you just think so? In order to be sure your fight was effective, it’s important to check everything again. No, there is no need to follow the whole procedure mentioned above one more time. No way.
All you need to do is visit your WordPress site as a log out user. The fact is that hackers often make it impossible for log in users to identify hacks.
We also recommend you to change browsers’ username (for Google). Sometimes it happens that hackers are aimed at search engines.
How to Get Off Google Safe Browsing list?
Another situation you can face after cleaning a hacked WordPress site is a malware warning from Google Chrome. To escape from such kind of messages you have to remove your site from the Google Safe Browsing list.
So, sign in to Google Webmaster Tools and add there your site, in case you didn’t do that before. After this you will have to go through a verification process (all instructions are provided by Google).
Then go to the Webmaster Tools home page and choose your site. Select Site status à Malware. Finally, click Request a review option.
How to Save Your Users From Malware Warnings?
Your WordPress site is cured and no more infected but your users are still receiving warnings from different security and anti-virus software. This can be easily improved.
Make a list of all anti-virus systems which mark your site as hacked. Then go to their official websites and look for instructions where you will find how to remove your site from the list of those which threaten users’ security. This process has also got a name of “whitelisting”.
Step 5: Prevention is Better Than Cure
Hosting and Backups
After you successfully coped with a hacked WordPress site, it’s always better to prevent the other possible attempts of such attacks. There is a set of actions you can take to be always safe and secured.
The first thing is about a hosting company you have. It’s important that a service you make use of is a reliable one. So, make sure your WordPress hosting is a company you can count on.
Note that there are different types of WordPress hosting — free, shared, VPS, dedicated and managed. The best what you can do here is to choose a managed hosting (e.g. SiteGround or Pagely). Though, it isn’t as cheap as shared, for example, but it can guarantee you security and solve a number of problems.
Having a managed WordPress hosting, you will get all technical aspects coordinated by the host. This management involves speed, security, WordPress updates, scalability and so on. On the whole, a hosting of a managed type strives for only pleasant users’ experience.
By the by, you will also get a premium support. Thus, even in case of a minor difficulty whole artillery of top-notch experts will come to save you from any possible troubles.
The next precautions include WordPress backups. It is especially crucial when you have a hosting company of a less reliable level. Backups will prevent crucial consequences of being hacked or locked out.
In addition to such backup plugins as BackupBuddy, BackUpWordPress, Duplicator or others, it’s also better to have a hefty web application firewall.
Be cautious while giving access to your website. You will boost your security if you limit access by IP and limit login attempts. It’s also better to use 2-step authentication which involves not only a password but also one more verification code from your side. Note that all passwords should be strong.
We also recommend you disable PHP Execution in certain WP Directories. Even if users upload files in your upload folder, they won’t be able to execute them. By the way, it’s also better not to allow users modify your themes and plugins.
This part is very easy. All you need to do is to update your WordPress site and its plugins regularly. This simple procedure can prevent you from hackers’ attacks, too.
There is no doubt that a hack of WordPress site is rather sad. But it’s not as tragic as it may seem to be. There is a solution of this problem, and what is more it involves several ways out.
But keep in mind that before taking any actions, it’s necessary to prove that your site was hacked indeed. In case the truth is harsh, consider your skills and decide whether you are ready to clean the site alone. Even if there is a tad of doubt it’s better to hire an expert.
And don’t forget that after your WordPress site is cured, it’s always important to take precautions. This will make your site more secured and your life easier.