How to recover a hacked WordPress site

Jan 14, 2015

How to recover a hacked WordPress site

Here at Local Fresh, we noticed an increase in intrusion detection activity and attempts to hack some our WordPress sites over the holiday season. While none of our sites fell victim to the hackers, it’s a good bet that less secure sites have left their owners wondering what to do when a WordPress site gets hacked.

The easiest solution is to restore your site from backup. However, if you had a backup, you wouldn’t be reading this article in the first place. I’m willing to bet that now you’re interested in setting up a backup scheme, but first we have to recover your site back to its original state. Since you don’t currently have a backup, the only thing to do is dive in, get your hands dirty, and remove the malware from your WordPress install yourself.

If you’re attempting to recover your own WordPress install, we’re going to assume that you have a moderate level of comfort using the WordPress admin for more than just writing posts. If you’re put off by the idea of managing plugins, changing user levels, or perhaps using FTP to access your web server, you’re probably better off contacting us here at Local Fresh for a consultation, removal of your malware, and a discussion of your options for migrating to our managed WordPress hosting platform, which provides free malware removal within 48 hours of detection.

Still here? Great! There are two main types of hacks that can happen to a WordPress site: a spam or backlink injection, or an addition of malicious code that turns your site into a robot to do the bidding (often sending spam email) of whomever hacked the site. The first of these attacks can negatively affect your site’s Google page rank, and the other can impact the deliverability of legitimate email you send out through your site’s mail server. In either case, you’re going to want to fix your site ASAP.

Recovering a hacked install of WordPress

The first type of WordPress hack, a spam or backlink injection, is usually caused by adding content into your WordPress database. It is somewhat less common than other types of hacks, but a bit more tricky to recover from. However, the more-common malicious code hack is a lot easier to deal with, and will be addressed here.

In either case, the first step to recover a hacked site is to make sure that you plug any security holes that you may have right now. Of course, this is assuming that you can even log in to the WordPress admin area. If your site has been hacked to the point that you’re unable to log in, or even view the login form, we recommend that you contact us for advanced malware removal.

Once you’re logged in, ensure you’re using the most recent release of WordPress and run the WordPress core update if you’re behind. Next, be sure to update all your plugins. Often, a hacker will exploit outdated code to gain unauthorized access to your site, so updating will help to ensure that any recovery efforts you make will not be immediately re-hacked.

Sometimes, we see Author, Editor, or Admin users added to the user list as a result of a compromised site. Review all the users who have access over the level of Subscriber, and make sure that all these users have a reason to be there. Any users you don’t recognize, who have a suspicious email address, or are legitimate but unused should be deleted.

When you delete users, you’ll be asked what to do with any posts they have created. Unused old users should have their content assigned to an existing user of your choice; suspicious-looking users should have their content deleted.

Removing hacked files from a WordPress site

When clients contact us to repair a hacked site, our go-to tool is the excellent Wordfence Security plugin. This tool serves two purposes, both of which we’ll look at in this article. First, Wordfence will work to remove any existing hacks from your website. Secondly, the plugin stays in place to thwart future attempts. This is a 3-pronged protection scheme, which we’ll discuss in a future article.

Our recommended WordFence configuration

Our recommended WordFence configuration

You should use the WordPress plugin manager to add the Wordfence plugin and set it up with our recommended scan configuration. When properly configured, a Wordfence scan will look at every file in your WordPress directory, including plugins, uploaded media, and your WordPress core files, and compare each them against their official copy located at wordpress.org. Any files changed from the original will be reported to you at the end of the scan. In addition, any files that contain code that looks like something a hacker would upload are also reported to you at the end of the scan. At this point, it’s up to you to determine what to do, but 99% of the time, it’s a good idea to repair any changed files, and to delete any malicious files. Plus, if your site is already broken, you can’t break it any more, right? 🙂

It’s a good policy to run the scan a second time to ensure that all the malware has been removed. We’ve had experiences repairing hacked sites that required two, three, or more scans to effectively remove all of the malware, plus a final scan to confirm that the site is clean. Oftentimes malware is self-preserving and can create files even as it’s being deleted. Every case is unique, but it’s a fair bet that a single scan won’t be enough. Most scans take 15-20 minutes, so expect to spend at least 1.5 hours on this process.

It’s worth noting here that if you know you have uploaded a lot of files outside of your WordPress directory, the Wordfence scan may take quite some time and, depending on what files you’ve uploaded, Wordfence may report some false positives that you may not want to delete. The scope of this repair article is really for users who are only using their web space for WordPress hosting. If you are using your web space to host other files, you’re likely a power-user and will recognize any false positives reported by Wordfence.

In summary, your best bet to fix a hacked WordPress site that does not have a non-hacked backup is to first plug any security holes in your installation that allowed the hack to happen in the first place, followed by a thorough scan of your WordPress install directory (and optimally, all files in your web root directory) to repair any core files that have been altered, and to remove any malicious files that have been added to your website.

Posted in

Archives