How To Clean a Hacked WordPress Website


A hacked WordPress website can mean a loss of traffic, brand value, and especially revenue. WordPress websites are a favourite target for attackers because WordPress is the most widely used CMS (Content Management System) in the world. Scripts or bots are used to attack the default admin login page hundreds or even thousands of times per day. Even though WordPress sites are the most common target, any website can be hacked, no matter the CMS platform it is built on.

In this article, we are going to help you recognize common hacks, clean WordPress malware, and protect your website from future attacks.

Do You Really Have a Hacked Website?

To be certain that you have really been hacked, and that it is not just your website misbehaving, an update gone amiss, or some other issue, we created a list of the most frequent real hack situations:

  • Spam appears in your site header or footer. Usually, it contains adverts for illegal services, pornography, drugs, guns, etc. Pay close attention to your page content, because this malware often appears as dark text on a dark background, not visible to human eyes. Search engines, however, can see and read it.
  • Conduct a Google search to see if your website contains pages or content that looks malicious and that you do not recognize. To do that, type site:websitename.com (replace websitename.com with your site address).
  • Your users report that they are redirected to spam or malicious websites. We recommend paying special attention to these reports, because hackers can easily detect the site administrator and not show you the spam content that your users and search engine crawlers are seeing.
  • Your hosting provider sends you a message pointing out that your website is doing something malicious.
  • Your WordPress Security Plugin warns you about a malware attack.

Symptoms of a Hacked WordPress Website

Often, users panic when the website is not responding or is getting spam comments. Sometimes it is a technical problem: one of the WordPress plugins was not installed properly or an update went wrong. Before going to a specialist, we suggest taking a look at the list below to make sure that your website was actually hacked:

  • Redundant pop-ups appear and they were not added by you;
  • Your website is automatically getting redirected to spam websites;
  • Your website is continuously freezing;
  • Out-of-place text that you did not add appears in the footer or header;
  • Unusual auto-linking keywords to external websites;
  • The hosting company informs you that you are doing malicious activities;
  • Your website is getting blocked by browsers and the following warning is displayed “The Website Ahead Contains Malware”;
  • Bizarre browser behaviour when displaying your website;
  • You notice modified files that affect the integrity of core directories;
  • A sudden drop or high spikes in website traffic;
  • The Homepage looks defaced;
  • Login attempts fail and you cannot log in;
  • Unusual files or scripts on your server;
  • The website is slow or unresponsive;
  • Unknown user accounts in WordPress;
  • You notice unusual activity in Server Logs;
  • Your website has been blacklisted by search engines;
  • You see unknown scheduled tasks.

If you detect any of the symptoms above, we highly recommend you take the next step to secure your WordPress site immediately.

Backup Your WordPress Site Right Away

It is extremely important to back up your site immediately, because many hosting providers will delete your entire website in no time if they detect malicious content or you report that you have been hacked. This is a standard procedure to prevent other network systems from becoming infected. To avoid any further inconvenience, we suggest you download a copy of your entire WordPress website. You can use a backup plugin, FTP, or your hosting provider’s backup system. Do not forget to back up your WordPress database as well. Your WordPress core files and database must be your main priority. By doing so, you can be confident that you have a copy of your hacked website and that not everything is lost.

What You Need to Know Before Cleaning a Hacked WordPress Website

Before starting the cleaning process, pay special attention to the following aspects:

  • Delete entire directories in wp-content/plugins rather than individual files. You won’t lose data and you won’t break your site by deleting anything in the wp-content/plugins/ directory, because plugin files can be reinstalled, and WordPress will automatically detect any deleted plugin and disable it.
  • If you have a “child theme”, you probably use two directories in wp-content/themes. Make sure you know which theme you are using and delete all other theme directories.
  • Make sure you do not have new files in the wp-admin and wp-includes directories. If you find anything new in those directories, delete it immediately, because there is a high probability that it is an infected file.
  • Old WordPress installations and backups are not a good idea to keep, because it is likely they are full of malware. Even if your main website is secure, a hacker can easily get to your old website files, infect them, and access your current website.

Steps to Fix Your Hacked WordPress Website

When you come to the conclusion that your WordPress website has been hacked, it is important to follow the steps below to clean and protect your site. Here is a step-by-step guide that will help you restore your website and have it function properly:

Step 1 – Be Calm

A security flaw might cause a lot of stress and as a website owner, you know that a lot is on the line for you. Infected sites cause loss of money, ranking, and traffic, but the good news is that not everything is lost. Therefore, take a step back and calm yourself. This attitude will help you take control of the situation more effectively and recover your online presence. 

Step 2 – Identify the Type of Hack

It is very important to know what you’re dealing with before taking any action. The checklist below will give you information that helps when talking to your hosting company, and as you follow the steps in this chapter to fix your website. Run through the following list:

  • Can you access and login to your WordPress admin panel?
  • Is your website redirecting to other sites?
  • Does your site contain illegitimate links?
  • Is your website blacklisted by search engines? Is Google marking your site as insecure?

Before starting with the malware cleanup, it is crucial to change your passwords. Keep in mind that you will also have to change them after you complete the cleanup. We suggest choosing unique passwords and making sure they’re strong passwords. 

Step 3 – Check with Your Hosting Provider

A good hosting company will be helpful in these types of situations because they have specialists who deal with these issues daily and can offer you the support you need. Contact them and follow the instructions they give you. If you are on shared hosting, the hack might have affected not just your website but other websites too. You may receive additional details about the attack, such as its origin and source.

Sometimes, you might be in luck and the hosting provider will clean up the hack for you. 

Step 4 – Restore from the Previous Backup

If you make regular backups, you can restore an older version of your WordPress site from before it was attacked. The downside is that if you have a blog and post daily, you risk losing blog posts, comments, etc. We suggest weighing your options. If you do not have a backup, or the attack has persisted for a long time and you don’t want to lose your content, then the last resort is to remove the hack manually.

Step 5 – Scan Your WordPress Site: Malware Detection and Removal

Start by analyzing your site and deleting inactive WordPress themes and plugins; hacks are commonly hidden there. After this step, we recommend installing free plugins such as Sucuri WordPress Auditing and Theme Authenticity Checker (TAC). Use the Sucuri scanner to inspect the integrity of your core WordPress files and find the exact location of the hack. Of course, you can use other application-based scanners (plugins) such as Quttera, WordFence, and GOTMLS, or remote-based scanners (crawlers) such as VirusTotal, Sitecheck, and Cloaked Link Checker.

Hackers’ favourite places are theme directories, plugin directories, wp-config.php, the uploads directory, the wp-includes directory, and the .htaccess file. Run the TAC plugin afterwards. If it finds suspicious or malicious code in the themes, it will show you the details and the theme file that is infected. You can fix the hack in two ways: remove the code manually or replace the file with the original one. To get rid of all malicious files, including theme files, overwrite all affected files: download a fresh copy of the theme and overwrite the corrupted files with the new ones. This action is recommended only if you did not change your WordPress theme code. If you made any alterations, overwriting the files will lose all of those changes. Repeat this step for all plugins that were infected with malicious code.

Another important step is to make sure that your theme and plugin folders contain the same files as the originals. Search for any additional files whose names might be confused with original plugin file names, such as hell0.php, Adm1n.php, etc.
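The comparison described in this step and in the earlier note about wp-admin and wp-includes can be automated. The following is an added example, not part of the original article: it hashes a live install and a clean copy of the same WordPress version and reports what differs. The function names, the sample trees and the rule that the uploads directory should contain no PHP files are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")  # must match a clean copy exactly


def tree_hashes(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def audit(site, clean):
    """Compare a live install against a clean copy of the same WordPress version."""
    live, ref = tree_hashes(site), tree_hashes(clean)
    core = [f for f in live if f.split("/")[0] in CORE_DIRS]
    return {
        # files a clean release does not ship in wp-admin / wp-includes
        "unexpected": sorted(f for f in core if f not in ref),
        # core files whose content differs from the release
        "modified": sorted(f for f in core if f in ref and live[f] != ref[f]),
        # assumption: uploads holds media only, so PHP files there need review
        "php_in_uploads": sorted(f for f in live if f.lower().endswith(".php")
                                 and f.startswith("wp-content/uploads/")),
    }


def build_sample():
    """Constructed sample trees: a clean reference and a tampered live copy."""
    base = Path(tempfile.mkdtemp())
    clean = {"wp-admin/index.php": "<?php // admin",
             "wp-includes/version.php": "<?php // version"}
    tampered = {**clean,
                "wp-admin/index.php": "<?php // admin, altered",
                "wp-includes/Adm1n.php": "<?php // not in the release",
                "wp-content/uploads/2024/hell0.php": "<?php // stray script"}
    for name, files in (("clean", clean), ("site", tampered)):
        for rel, body in files.items():
            path = base / name / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
    return base / "site", base / "clean"


if __name__ == "__main__":
    print(audit(*build_sample()))
```

On a real site, point `audit` at the backup you downloaded and at an unpacked copy of the matching WordPress release, and review every path it reports before deleting anything.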

Step 6 – User Permission Check 

Make sure that the user section of WordPress is clean and only you and your assigned team members have admin accounts. If you notice any suspicious user, delete it immediately. 

Step 7 – Update Security Keys

WordPress can generate a set of security keys whose role is to encrypt your passwords. If your password was stolen and the attacker has logged in, they will remain logged into the site even after you change the password, because their cookies are still valid. To invalidate the cookies, a new set of security keys is required. Generate a new set of secret keys and add it to your wp-config.php file.
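As an added illustration of this step (not code from the original article), the script below replaces the eight key and salt constants in the text of a wp-config.php file with fresh random values and adds any that are missing. The constant names are WordPress's own; the function names, the 64-character length and the abbreviated sample file are assumptions.

```python
import re
import secrets
import string

KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
# Printable characters minus quotes and backslash, so values need no PHP escaping.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\"\\")


def new_secret(length=64):
    """Return a random value drawn from a cryptographically secure source."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_keys(config):
    """Return wp-config.php text with all eight keys and salts replaced."""
    missing = []
    for name in KEY_NAMES:
        line = f"define( '{name}', '{new_secret()}' );"
        # Match define('NAME', 'value'); with either quote style and any spacing.
        pattern = re.compile(
            r"define\(\s*(['\"])" + name + r"\1\s*,\s*(['\"]).*?\2\s*\)\s*;")
        config, count = pattern.subn(lambda m: line, config, count=1)
        if count == 0:
            missing.append(line)  # constant absent from the file: add it below
    if missing:
        # Defines must run before wp-settings.php loads, so place them at the top.
        config = config.replace("<?php", "<?php\n" + "\n".join(missing), 1)
    return config


# Constructed sample: an abbreviated wp-config.php with placeholder values.
SAMPLE = """<?php
define( 'DB_NAME', 'example_db' );
define( 'AUTH_KEY',         'old-value-1' );
define('SECURE_AUTH_KEY', "old-value-2");
define( 'LOGGED_IN_KEY',    'old-value-3' );
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    print(rotate_keys(SAMPLE))
```

Once the rewritten file is in place, every existing login cookie stops validating and all users, including the intruder, have to log in again.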

Step 8 – Change Your Passwords

Now it is time to change your passwords again. Update your WordPress, cPanel, FTP, and MySQL passwords, and change them anywhere else you use them. Make sure you set a strong password, and if you have a large number of users on your website, force a password reset for all of them.

Our Tips – Protect Your Site from Future Attacks

Now that your website is clean and you removed the WordPress hack, it is time to take better security measures to avoid a cyber attack in the future.

  • Start by having a strong backup solution in place to backup your website daily. 
  • Set up a powerful firewall. This will prevent future hacks by catching and stopping well-known hacking methods and behaviours. Another benefit of firewalls is virtual security updates, which patch gaps in your website software even when the security update has not been applied. A website firewall will also block brute force attacks and prevent anyone from accessing the wp-admin or wp-login page. This defence system will also mitigate DDoS attacks. Distributed Denial of Service (DDoS) attacks are characterized by overloading your server or application resources. The firewall will keep your site available even when you are under attack from a high volume of fake visitors.
  • Monitor your website and perform regular malware scans; there is a type of infection that is designed to jump from your computer into FTP clients or text editors. We recommend having an antivirus that is actively protecting your system.
  • One of the best practices is to disable the theme editor and plugin editor.
  • Add an extra security layer to your admin directory with password protection.
  • For security reinforcement, we suggest disabling PHP execution via .htaccess in certain directories.
  • Install SSL on your site. You can opt for SSL Zen free of charge, in case your hosting provider does not include it in your plan.
  • Limit login attempts to avoid brute force attacks. 
  • Switch to a managed WordPress hosting that will go the extra mile to keep your site secure.
  • If your website was blacklisted by Google, we strongly suggest using Safe Browsing Site Status and checking the Google Transparency Report. Analyze your site’s safety details, such as malicious redirects, downloads, spam, and the most recent Google scan that found malware.
  • The most important aspect to secure your site is keeping all your plugins and themes up to date. 

Conclusion

It is important to keep in mind that a website cleanup does not promise that your WordPress website won’t be compromised or infected in the future. We recommend you use only third-party plugins and themes that are kept up to date. Also, make sure that anything unused or inactive is deleted, because it is a potential risk or even the cause of your site’s performance issues.

With a large number of WordPress websites being hacked, attacked, and compromised, we suggest you stay calm, complete the process of website cleanup, and, last but not least, stay informed. WordPress has a helpful FAQ page about hacked WordPress sites.

If you cannot fix the issue by yourself, we strongly suggest going to a professional. We at Flowmatters have extensive experience in working with WordPress websites. We can help and advise you regarding best practices and which actions to take to keep your website safe. Drop us a message and let’s keep your business safe and running with application security solutions.

Frequently Asked Questions

How long does it take to clean my hacked website?

This depends on the level of harm done to your website and the platform that it is built on. Usually, in 24 hours your website should be clean and live.

What can I do to not be a victim of cyber-attacks?

Tighten your security, regularly scan your website, and keep it updated.

Why should I backup my website?

Regular backups are mandatory. They will help you restore your website after an attack. If you don’t have any backed-up version, you could lose all your website data, content, transactions, databases, everything.

Can I identify who hacked my website?

It is very difficult to identify who hacked your website, as the scripts are not traceable. If the hackers don’t leave behind their signature, it is almost impossible to know who did it.