Without proper security measures, your WordPress website may get hacked. WordPress sites can be an easy target because the source code is readily available and almost 25% of websites globally run on WordPress. In Q1 of 2016, 78% of all hacked sites were WordPress-based. The Core development team works constantly to ensure that no security threats remain. Security flaws do exist, however, in a large number of plugins and poorly coded themes, and possibly on the server side.
Signs that a WordPress Site is Hacked
To quote a stat, three out of every four hacked websites run on WordPress. So, before we look at how to clean a hacked WordPress site, let us focus on the signs of one.
- Files on the server or in the WordPress installation are missing.
- Files appear with recent modification dates. For example, all the files may show a modification date of 2016-10-02 while one file shows 2017-05-26. You should be highly suspicious of that recently modified file.
- Strange requests appear in the access logs. These can point to the file that was used to modify other files on your website.
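An added example (not from the original article) of the second and third signs: it finds the files modified well after the date most files share, then pulls the access-log requests that touched them. The 30-day tolerance, the file names, the log lines, and the assumption that the scanned directory is the web document root are all illustrative.

```python
import os, re, tempfile
from collections import Counter
from datetime import date, datetime, timedelta

REQUEST = re.compile(r'"([A-Z]+) (\S+) [^"]*" (\d{3})')
SAMPLE_LOG = [  # constructed lines in combined log format; names and IPs are made up
    '203.0.113.9 - - [26/May/2017:03:14:07 +0000] "POST /cache-x.php?a=1 HTTP/1.1" 200 12',
    '198.51.100.4 - - [26/May/2017:03:15:00 +0000] "GET /index.php HTTP/1.1" 200 5120',
]

def flag_outlier_files(root, tolerance_days=30):
    """Return (most common mtime date, files modified > tolerance_days after it)."""
    mtimes = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            mtimes[rel] = date.fromtimestamp(os.lstat(path).st_mtime)
    if not mtimes:
        return None, []
    baseline = Counter(mtimes.values()).most_common(1)[0][0]
    cutoff = baseline + timedelta(days=tolerance_days)
    return baseline, sorted((rel, d) for rel, d in mtimes.items() if d > cutoff)

def requests_for(flagged, log_lines):
    """Requests that hit flagged files; assumes URL path == path relative to root."""
    wanted = {rel for rel, _ in flagged}
    hits = []
    for m in filter(None, map(REQUEST.search, log_lines)):  # skip malformed lines
        path = m[2].split("?", 1)[0].lstrip("/")
        if path in wanted:
            hits.append((m[1], int(m[3]), path))
    return hits

def demo():
    """Build a throwaway tree with the two dates from the list above and analyse it."""
    dates = {"index.php": (2016, 10, 2), "wp-login.php": (2016, 10, 2),
             "cache-x.php": (2017, 5, 26)}  # cache-x.php is a hypothetical stray file
    with tempfile.TemporaryDirectory() as root:
        for rel, ymd in dates.items():
            path = os.path.join(root, rel)
            open(path, "w").close()
            stamp = datetime(*ymd, 12).timestamp()
            os.utime(path, (stamp, stamp))
        baseline, late = flag_outlier_files(root)
        return baseline, late, requests_for(late, SAMPLE_LOG)

if __name__ == "__main__":
    print(demo())
```

Modification times can be changed by whoever altered the file, so a clean result here is inconclusive and should be confirmed with a content comparison against a clean copy.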
Important Steps to Clean Hacked WP Website
You can ask expert developers for help or do it on your own. Here is some vital information on how to clean a hacked WP website:
- Scan Your Website
Scan your website to find malware locations and malicious payloads. Follow these steps to scan a hacked WP site.
Using any website anti-malware security software, log in to WordPress as an admin, click on ‘Security’ and then ‘Malware Scan’. Click on ‘Scan the website’. You will see a warning if the website is infected.
If the remote scanner cannot find a payload, continue with the other tests in this section. You can also check the Links / iFrames / Scripts tab of the malware scan for suspicious components. If several websites are hosted on the same server, scan them all. Cross-site contamination is one of the main causes of repeated infections. Each website owner should keep their websites and hosting accounts separate.
- Verify the Integrity of the Core File
Most core WordPress files should never be modified. Plugins such as Integrity Checker verify WP core file integrity, including inspection of the admin and root folders.
The steps to verify core file integrity using a plugin are:
- Log in to WP as admin and go to ‘Security’ and then ‘Dashboard’.
- Check the core integrity section for the current status. A hacked WP site may show added, modified or removed files.
- If nothing has been modified, the core files are not hacked.
- Test Currently Modified Files
You can also identify hacked files by checking the audit logs for modifications. Perform these steps to see whether files were modified recently.
Log in to WordPress as ‘Admin’ and go to ‘Security’ and then ‘Dashboard’. Check the audit logs section for recent changes. Unusual modifications within the last 7 to 30 days are highly suspicious.
- Check User Login
Check the list of recent user logins to see whether passwords have been stolen or suspicious new users have been created. You can use plugins like ‘When Last Login’ to check recent logins. Log in to WP as an admin and click on ‘Security’ and then ‘Last logins’. Review the list of users and their login times. Unexpected login dates or times indicate that a user account is hacked.
Once you know the malware locations and the compromised users, you can remove them from WP and restore your website to a clean state. Compare the current state of the site with an old, clean backup to detect hacked files. If you have a backup, use it to compare the two versions and detect what was modified.
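The comparison against a clean backup described above, which produces the same added / modified / removed classification a core integrity check reports, as an added example rather than code from any plugin named in the article. File names and contents are constructed; in practice `clean_root` would be an extracted backup or a fresh download of the same WordPress version.

```python
import hashlib, os, tempfile

def tree_hashes(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, root).replace(os.sep, "/")] = h.hexdigest()
    return digests

def compare_trees(clean_root, live_root):
    """Classify the live site's files against a clean reference copy."""
    clean, live = tree_hashes(clean_root), tree_hashes(live_root)
    return {
        "added": sorted(live.keys() - clean.keys()),
        "removed": sorted(clean.keys() - live.keys()),
        "modified": sorted(p for p in clean.keys() & live.keys() if clean[p] != live[p]),
    }

def write_tree(root, files):
    """Helper for the demo: create files (relative path -> text) under root."""
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

def demo():
    # Constructed stand-ins for a clean backup and the live site; not real WordPress code.
    clean = {"index.php": "<?php // front", "wp-includes/version.php": "<?php $v = 1;",
             "wp-includes/post.php": "<?php // posts"}
    live = {"index.php": "<?php // front", "wp-includes/version.php": "<?php $v = 2;",
            "wp-includes/cache-x.php": "<?php // not in the backup"}
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        write_tree(a, clean)
        write_tree(b, live)
        return compare_trees(a, b)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Unlike a date check, a hash comparison still catches a file whose modification time was reset, provided the reference copy itself is clean.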
How to Clean Hacked Website Files?
If an infection has crept into the core files or plugins, it can be fixed easily with some plugins. It is also possible to fix the problem manually. The wp-config.php file and the wp-content folder should not be overwritten.
Follow these steps to repair core files. Log in to WordPress as admin and go to Security > Dashboard.
- Check the warnings in the core integrity section. Select the removed and modified files and choose the restore source action.
- Check the box to confirm you understand that the action can be reverted. Click on proceed.
- Select the added files and choose the delete file action. Repeat the last two steps.
Custom files can be replaced with fresh copies or a recent backup. Follow these steps to remove a malware infection manually from website files.
- Log in to the server through SFTP or SSH.
- Make a backup of the website before making any changes. Identify the recently changed files on the site.
- Verify the date of the changes with the user. Repair suspicious files with copies from the WordPress repository. You can open any custom file in a text editor.
- Remove suspicious files from the custom files. Verify that the site still works after the changes.
Cleaning Tables of Hacked Databases
A database admin panel can be used to connect to the database and remove a malware infection from it. These steps are crucial for removing a malware infection from your database tables.
First, log in to the database admin panel. Take a backup before making any changes. Search for suspicious content and remove it manually. Verify that the site still works after the changes. Remove any tools that were uploaded to access the database.
Secure User Accounts
If there are any unfamiliar WordPress users, remove them so that hackers cannot use them. Keep only one admin user and give every other user role the smallest amount of privileges.
- Perform these steps to manually remove suspicious users.
- Take a backup of the database and site before continuing. Log in to WP as an admin and click on Users. Look for suspicious new user accounts.
- Hover over the suspicious users and click on Delete.
- If you think any of your user accounts have been changed, the password can be reset.
User passwords can be reset using plugins. Log in to WordPress as admin and go to ‘Security’ and then ‘Post Hack’.
- Click on the reset user’s password tab. Check the box beside each user account that you think has been changed.
- Check the box to confirm you understand that this option cannot be reverted. Now click on reset user password.
- The user will get an email with a strong, temporary password.
- For severe hacks, always consult a professional so that you do not damage your website.
- If Google has marked your website as ‘Insecure’, chances are that your website is hacked. Keep a look-out for this.
- Use a good, reliable web hosting service for your website.
- Always remove suspicious plugins and do away with inactive ones.
- Update your passwords regularly and limit the number of login attempts.
- Use security hardeners like Sucuri.
- Use a web application firewall to protect the site from hack attempts. Security plugins like MalCare offer a firewall that blocks bad traffic and protects the login page against brute-force attacks.
Security loopholes are largely the root cause of a hacked WordPress website. To stay secure, pay attention to several signs which indicate a probable hack. In case of a break-in, it is recommended to perform the above-mentioned actions to clean your hacked WP site.