WordPress Security Guides

Your WordPress was hacked? The essential guide

Diagnosing whether your WordPress website got hacked, and fixing it

It sucks when you realize that your WordPress site was hacked.

If it can do you any good, know that it’s a predictable outcome, especially if you were careless about security.

WordPress’ large adoption (33% of all websites, and 60% of all CMSs) makes it a high-value target for hackers, who are waiting for your first mistake to take over your website.

And the math is real… 80% of hacked websites use WordPress (Hacked Website Report 2018).

Yeah, you didn’t sign up for that when you started using this platform… WordPress is indeed the reason why you got hacked, but you too have a fair share of the blame.

Anyway, let’s blame WordPress and the bad guys for now to cheer you up…

Here is what you need to know to get back on track…

HACK SIGNS

Spotting an infection can be an obvious thing or a challenging task depending on your level. Fortunately, some signs might ring a bell when something fishy is going on with your site. The following is a list of symptoms that most hacked websites have in common:

Slow website / response time

Slowness is one of the red flags in the aftermath of a successful hack. Hackers will use your website’s server to perform DDoS attacks, which eats into your server’s resources and bandwidth. The slowness is very hard to spot on shared hosting plans: knowing that most shared hosting servers are overcrowded, you naturally assume that the server is saturated, and therefore you are unlikely to investigate the cause of any delay in using WordPress’ features or any drastic drop in speed. Some hosting services may notify you if they find abnormal use of the CPU or the bandwidth.

Errors and messy style

Hacks are code injected into your WordPress installation. Each visit to your website helps the malicious code execute and perform its duty. Like any program, it is likely to conflict with the regular functions of your WordPress website, resulting in:

  • Blank, broken and incomplete pages.
  • PHP warning messages.
  • Commands not executing as they should. Creating, editing and deleting posts, for example, might give you an unexpected outcome.

Anything unusual compared to your regular use is to be suspected.

Strange codes and files

As you probably know by now, hacking, spamming and all the nasty things that could happen to your WordPress website live through code. Sometimes you’ll find the code in core files like wp-config.php. Other times you’ll find distinctive files full of scrambled code. Hackers try to hide it by creating files in places that you are unlikely to check, and even if you do, they use names and file extensions close to what you can find on a regular WordPress website. It could be a .php file in your wp-content/uploads folder, for example. The code is always obfuscated using the eval() function. So, any code fragment starting with “eval(base64_decode” followed by a long unreadable blob is 99.99% malicious code. The number of those fragments and files will vary depending on the type and the extent of the infection.

Questionable content will show up

At this stage, the hack is fully functional and becomes explicit. It will add unwanted content to your WordPress front end. It could be posts, pages or anything reachable through a URL. These types of content are commonly pushed through hacks:

  • Controversial medicines and pills (Viagra and similar).
  • Porn and sexual content, implicit and explicit.
  • Risky money transaction websites: it could be a store, a gambling website, a dating website, or anything similar.
  • Chinese merchandise.
  • Torrents and illegal download websites.

The content is either posted as regular pages/posts in your database or injected dynamically from a 3rd-party server. Be very careful, because the additional content usually shows up only when you are not logged in. That’s why in most cases, victims of hacks spend a long time before seeing any explicit signs, and only understand the situation when someone visiting the website sees the abnormal content and bothers to report it. On that subject, I cleaned up a WordPress blog which had 100k pages from a Chinese online store. And I’m not exaggerating. It was hundreds of thousands of products’ worth of pages (yes, 100k+ pages) with a fully operational checkout system.

Search results unrelated to your content

Things start to get nasty at this stage. Search engines have started indexing the injected/unwanted content. Usually, search engines will index anything from your website once they trust it. Hackers take advantage of this automatic behavior to get their content to show up in search results. That alone will profoundly harm your business reputation. Even if the infection is fully cleared, search results will still show the unwanted content. A manual process needs to take place to ask search engines to remove the unwanted and compromised web pages permanently. This bad-link removal process is done on a per-link basis. If you have a handful of pages indexed, that is relatively easy, but when you have hundreds or thousands of pages, it will take time and a lot of money to get rid of them. I have seen businesses drop a domain name because of that.

Web browsers will start warning users

At this point, it will directly start to hurt your business and reputation. Standard web browsers like Google Chrome will show a full red or white page with a clear warning that your website is a threat to the visitors’ security. ### WARNING PICTURE ### The warning screen is not straightforward about how to regain access to the website. Not only is your reputation harmed, but you also lose most of your traffic. When you see this kind of warning, the malicious script has become a contamination agent that might pass the infection on to other computers and possibly infect other sites on the same server.

Google says you are a threat

Google indexes millions of websites. When its algorithm observes any suspect behavior, it sends warning messages through Google Search Console, but most importantly, it shows two additional lines in your search results saying:

  • This website may harm your computer.
  • This site may be hacked.

### SEARCH RESULTS PICTURE ###

Unfortunately, most people learn that their web property was hacked that way.

Your hosting company disables your website

Hosting companies may spot infections and take your site offline without your consent. Companies like GoDaddy, Bluehost and 1&1 run random and frequent scans on shared hosting plans. Because of the linked structure of those kinds of hosting environments, they can’t afford large-scale infections and therefore automatically disable anything suspicious about your website’s files or behavior.

FIXING HACKED WORDPRESS WEBSITES

Regaining access to, cleaning up and fixing a hacked WordPress site doesn’t follow a particular protocol.

It is more of a case-by-case recovery process depending on the observed signs, the type of hack, the stage reached and its spread.

In most cases, it can’t be done by a regular user. It doesn’t hurt to try, though.

Consider hiring experienced individuals or services for efficiency.

Experience helps a lot to interpret signs, know where to look for compromised files, fix them without breaking the website, and lock the threat source to prevent future hacks.

A typical process should involve the following:

Open your website in a private window without logging in

Most hacks will only show for non-logged-in users.

It’s a smart way to operate under the radar and delay the site owner’s reaction. It’s all about buying time, either to get the data the hacker is looking for or to let the infection spread and become more difficult to deal with.

Checking explicit hacks live helps you find what type of hack you are dealing with, and eventually helps you locate the compromised files and work out how to fix and protect your WordPress website from that specific hack.

A full scan, both automatic and manual

Scanning tools help identify the type of infection and locate files containing malicious code.

Wordfence and Sucuri are equally good for that purpose. I have a personal preference for Wordfence as they have a fair per-year paid plan.

Don’t rely on tools alone.

Hacking is getting more and more sophisticated. Sometimes the scanning tools won’t reveal any clue or detect any sign of a hack. A manual check is then necessary to find the compromised files and where the malicious code was injected.

If you are comfortable with Linux and use a VPS to host your WordPress website, the following bash script will save you a huge amount of time by scanning all files for malicious code in a snap.

#!/bin/bash
# List every PHP file that mentions "base64" (grep -l prints matching file names only).
find . -name "*.php" -exec grep -l "base64" '{}' \; > b64-detections.txt
# Same for "eval"; review both lists by hand, as legitimate code can use either.
find . -name "*.php" -exec grep -l "eval" '{}' \; > eval-detections.txt

If you are using Windows, you can download a full copy of your website through FTP to your computer and use a file editor like Sublime Text to perform the search.

At this stage, you have a full list of your compromised files that need cleaning.
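A plain grep for “base64” and “eval” gives you a starting list but also flags legitimate code (WordPress core uses base64 for harmless things). The script below is an added example for this guide, not code from the page’s author or from Wordfence or Sucuri: it walks a WordPress tree and applies the three heuristics the “Strange codes and files” section describes, namely PHP files sitting under wp-content/uploads, eval() wrapped directly around a decoding call, and long base64 blobs that decode to code calling eval() or a shell function. The regular expressions, the list of PHP extensions and the miniature sample tree it builds are all constructed here so it runs offline.

```python
import base64
import re
import tempfile
from pathlib import Path

# Heuristic scanner for the "eval(base64_decode" style of injected code described above.
# Constructed for this guide; the patterns are heuristics, not a product's rule set.

# eval() wrapped directly around a decoding/decompression call.
EVAL_DECODE_RE = re.compile(
    r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE,
)
# A long, unbroken run of base64 alphabet characters: the "unreadable content".
LONG_B64_RE = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")
# Calls that turn a decoded string into running code or shell commands.
EXEC_MARKERS = ("eval(", "assert(", "system(", "exec(", "shell_exec(", "passthru(")
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".inc"}


def decoded_payload_is_suspicious(blob: str) -> bool:
    """Decode a base64 blob and report whether it hides PHP execution calls."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
    except ValueError:  # not valid base64 after all (binascii.Error is a ValueError)
        return False
    return any(marker in text for marker in EXEC_MARKERS)


def scan_php_file(path: Path, webroot: Path) -> list[str]:
    """Return the findings for one file; an empty list means nothing looked odd."""
    findings = []
    rel = path.relative_to(webroot).as_posix()
    # PHP has no business living under wp-content/uploads.
    if rel.startswith("wp-content/uploads/"):
        findings.append("php file inside uploads directory")
    source = path.read_text(encoding="utf-8", errors="ignore")
    if EVAL_DECODE_RE.search(source):
        findings.append("eval() over an obfuscated payload")
    for match in LONG_B64_RE.finditer(source):
        if decoded_payload_is_suspicious(match.group(0)):
            findings.append("base64 blob decodes to code calling eval/system")
            break
    return findings


def scan_webroot(webroot: str) -> dict[str, list[str]]:
    """Walk a WordPress tree; map relative path -> findings for every flagged file."""
    root = Path(webroot)
    report = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in PHP_SUFFIXES:
            findings = scan_php_file(path, root)
            if findings:
                report[path.relative_to(root).as_posix()] = findings
    return report


def build_sample_webroot() -> str:
    """Create a constructed miniature WordPress tree so the scanner can run offline."""
    root = Path(tempfile.mkdtemp(prefix="wp-scan-demo-"))
    for sub in ("wp-content/uploads/2019/03", "wp-content/plugins/hello",
                "wp-content/themes/twentynineteen", "wp-includes"):
        (root / sub).mkdir(parents=True)
    # Constructed payload: a base64 blob long enough to look like the real thing,
    # decoding to PHP that calls eval() on an (undefined) variable.
    blob = base64.b64encode(b"<?php /* " + b"A" * 100 + b" */ eval($code); ?>").decode()
    (root / "wp-content/uploads/2019/03/image.php").write_text(
        f'<?php eval(base64_decode("{blob}")); ?>\n')
    (root / "wp-content/themes/twentynineteen/footer.php").write_text(
        '<?php eval(gzinflate(base64_decode("abc"))); ?>\n')
    # Legitimate files: a plugin, and core-style code using base64 for a harmless purpose
    # (a plain grep for "base64" flags this one; the scanner does not).
    (root / "wp-content/plugins/hello/hello.php").write_text(
        '<?php /* Plugin Name: Hello */ function hello_greet() { return "hi"; } ?>\n')
    (root / "wp-includes/functions.php").write_text(
        "<?php $token = base64_encode(random_bytes(16)); ?>\n")
    return str(root)


if __name__ == "__main__":
    for rel_path, reasons in sorted(scan_webroot(build_sample_webroot()).items()):
        print(f"{rel_path}: {'; '.join(reasons)}")
```

Point `scan_webroot()` at your real document root instead of the sample tree. Treat the output as a review list, not a verdict: a flagged file still needs a human look, and a clean report does not mean the site is clean, which is the same caveat the text makes about scanning tools.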

Looking for the source of the infection to lock it up at once

It is useless to clean up a website without fixing the breach that caused the hack in the first place. And that is another task that requires experience and full knowledge of WordPress.

There isn’t a specific way to find the infecting agent.

It can be:

  • A file that gives access to your website if requested in a certain way (that’s how vulnerable plugins and themes work)
  • A fragment of code that infects files and eventually recreates a new set of compromised files on each website visit
  • A subtle backdoor used to re-enter your website and reapply the hack

If you still have any infecting agent, you will be hacked again and again until you get rid of it.

Identifying, cleaning and eventually deleting the corrupted files

This is where qualified professionals come in handy.

The malware compromises several types of files. Some can be fully deleted; others will need to be carefully cleaned up.

Deleting a core file, a theme’s file or a plugin’s file might break the website.

PRO TIP: When a theme or plugin asset is compromised, the safest way to clean it up is to fully delete the folder and replace it with a fresh copy.
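Before you delete and replace a plugin or theme folder, it is worth knowing exactly what the attacker changed, because the extra or modified files tell you where to look for the backdoor the next section talks about. The script below is an added example, not code from the page’s author: it hashes every file in the installed copy and in a freshly downloaded copy of the same version, then reports files that exist only in the installed copy (dropped-in files), files whose content differs (injected code) and files that went missing. The two sample plugin trees it builds are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to the SHA-256 of its content."""
    digests = {}
    for path in sorted(root.rglob("*")):  # rglob also sees dotfiles such as .cache.php
        if path.is_file():
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_to_fresh_copy(installed: str, fresh: str) -> dict[str, list[str]]:
    """Classify the installed plugin/theme against a fresh download of the same version.

    'extra'    : only in the installed copy (where dropped-in backdoors live)
    'modified' : in both copies but with different content (injected code)
    'missing'  : only in the fresh copy (deleted or renamed by the attacker)
    """
    inst, ref = hash_tree(Path(installed)), hash_tree(Path(fresh))
    return {
        "extra": sorted(set(inst) - set(ref)),
        "modified": sorted(p for p in inst.keys() & ref.keys() if inst[p] != ref[p]),
        "missing": sorted(set(ref) - set(inst)),
    }


def build_sample_copies() -> tuple[str, str]:
    """Constructed sample: a clean plugin download and an installed copy that was tampered with."""
    fresh = Path(tempfile.mkdtemp(prefix="plugin-fresh-"))
    installed = Path(tempfile.mkdtemp(prefix="plugin-installed-"))
    clean_files = {
        "plugin.php": "<?php /* Plugin Name: Example */ function example_init() {} ?>\n",
        "readme.txt": "=== Example ===\nStable tag: 1.0\n",
        "inc/helper.php": "<?php function example_helper() { return 42; } ?>\n",
        "uninstall.php": "<?php delete_option('example_settings'); ?>\n",
    }
    for rel, body in clean_files.items():
        for base in (fresh, installed):
            target = base / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
    # Tampering in the installed copy: an obfuscated eval() appended to plugin.php,
    # a hidden dropped-in file, and uninstall.php deleted. The blob is a placeholder.
    with (installed / "plugin.php").open("a") as handle:
        handle.write('<?php eval(base64_decode("...")); ?>\n')
    (installed / "inc/.cache.php").write_text("<?php /* hidden */ ?>\n")
    (installed / "uninstall.php").unlink()
    return str(installed), str(fresh)


if __name__ == "__main__":
    installed_dir, fresh_dir = build_sample_copies()
    for kind, files in compare_to_fresh_copy(installed_dir, fresh_dir).items():
        print(f"{kind}: {files}")
```

Download the fresh copy from the official repository at the exact version shown in the plugin or theme header; comparing against a different version produces a long, useless “modified” list. Anything under “extra” deserves a look before the folder is replaced, since the same dropped-in file may exist elsewhere on the site.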

Removing unknown users and resetting passwords

Hackers usually leave an admin user behind as an option to regain control of the website once it has been cleaned.

Looking for fake accounts and unwanted admins is a must-do in all cleanups.

The same goes for resetting all users’ passwords.

Once a hacker has access to the database, it’s fairly easy to change the passwords of some users in order to use them as a fallback entry point.

Plugins like MASS Users Password Reset come in handy to reset users’ passwords in bulk.
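Spotting the leftover admin account is easier with a list than by scrolling the Users screen. The script below is an added example, not code from the page’s author or from any plugin: it takes a user export, compares the administrators against the short list of admins you know you created, and also flags any account registered on or after the date you suspect the compromise started. The sample rows are constructed and shaped like the CSV that WP-CLI’s `wp user list --fields=ID,user_login,user_email,user_registered,roles --format=csv` prints; the known-admin list and the breach date are inputs you supply.

```python
import csv
import io
from datetime import datetime

# Constructed sample, shaped like the output of
#   wp user list --fields=ID,user_login,user_email,user_registered,roles --format=csv
# Rows 3 and 4 are the kind of leftovers the text warns about.
SAMPLE_USER_CSV = """ID,user_login,user_email,user_registered,roles
1,siteowner,owner@example.com,2017-05-02 10:12:44,administrator
2,editor_jane,jane@example.com,2018-01-15 09:00:00,editor
3,wp_admin,adm1n@example.net,2019-03-20 03:14:07,administrator
4,support,support@example.com,2019-03-21 03:15:30,administrator
5,bob,bob@example.org,2018-11-11 11:11:11,subscriber
"""


def audit_users(csv_text: str, known_admins: set[str], breach_start: str) -> list[tuple[str, list[str]]]:
    """Return (login, reasons) for every account that should be removed or reset first:
    administrators missing from the known-good list, and accounts registered on or
    after the suspected start of the compromise (breach_start is YYYY-MM-DD)."""
    cutoff = datetime.strptime(breach_start, "%Y-%m-%d")
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # WP-CLI joins multiple roles with commas, so split defensively.
        roles = {role.strip() for role in row["roles"].split(",")}
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if "administrator" in roles and row["user_login"] not in known_admins:
            reasons.append("administrator not on the known-good list")
        if registered >= cutoff:
            reasons.append("registered inside the suspected compromise window")
        if reasons:
            flagged.append((row["user_login"], reasons))
    return flagged


if __name__ == "__main__":
    for login, reasons in audit_users(SAMPLE_USER_CSV, {"siteowner"}, "2019-03-20"):
        print(f"{login}: {'; '.join(reasons)}")
```

Accounts that come out clean still get their passwords reset, as the text says; the list only decides which ones to remove or review first.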

POST RECOVERY

Make WordPress hack proof

So, you fully recovered from the hack and sealed the breach. It’s time now to secure your WordPress files and environment fully.

Generally speaking, this is what needs to be done to help your WordPress resist future hacks:

  • Fully update WordPress: core files, themes, and plugins.
  • Get rid of any non-maintained theme or plugin.
  • Get rid of any unofficial theme or plugin, or paid plugins downloaded for free (also referred to as nulled).
  • Use a monitoring tool like Wordfence to keep an eye on your website.

But that’s just superficial. You need more in-depth security to make your WordPress almost hack-proof.

Check out my full guide to fully secure your site in the light of the latest practices and information available to date.

Go to Securing WordPress the right way

Fix your reputation

As we saw in the hack signs above, hacks will eventually tarnish your reputation with browsers, search engines, and your visitors.

Removing spammy links from search engines is the worst part, especially when it involves cleaning hundreds or thousands of undesirable URLs.

It’s a long and laborious process.

For that to happen, you need to:

The process needs to be done manually and has a limit of 500 entries per day.

Rebuilding trust from your visitors is another story.

Try to be as honest as possible and reassure your audience that all protective measures are enabled, and that your website is unlikely to fall to hacks any time soon. A couple of freebies and discounts do help considerably.

Need professional help to handle your WordPress website security? Check out my WP security services!

Hope that this guide helps you on your hack fixing crusade.
