Every day, cybercriminals compromise thousands of websites. Hacks are often invisible to users, yet remain harmful to anyone viewing the page, including the site owner. For example, unbeknownst to the site owner, the hacker may have infected the site with code that records keystrokes on visitors’ computers, stealing login credentials for online banking or financial transactions. Below we explain how and why hacks happen, and review the options for recovery.
If you are unfortunate enough to experience a hacked WordPress site, while annoying, it can be fixed. We have fixed hundreds of hacked websites since 2008 and have developed this checklist to clean up and secure against future malicious intrusions.
This does require knowledge of MySQL, PHP and the WordPress code environment. If you are unsure of any of the steps, there are plenty of articles and videos if you search. Many will be technical so you may need help along the way if you get stuck. Feel free to reach out if you do need assistance.
Step 1. Preparation
- Put the website into ‘maintenance mode’ (optional, but it keeps visitors and search engine crawlers away from the compromised pages while you work)
- Take a complete backup of the website and database (IMPORTANT: Do this before doing anything so you have a point to revert back to if something goes terribly wrong)
- Create a copy of the site to perform the cleanup
- Scan the website to identify infected files and directories
- Scan the content to identify malware, viruses, bad links, and vulnerabilities
- Check logs for information about access and malicious activity
Step 2. Clean Files and Directories
- Remove Unused Themes and Plugins
- Scan Uploads Directory for foreign code
- Check and clean wp-config.php
- Check and clean .htaccess file
- Check and remove foreign files and directories
- Delete Infected Plugins and install clean versions
- Delete Infected Theme (if not customised) and install a clean version
- If Theme has been customised, clean up infections
- Delete WordPress Core and Install a clean version
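The scanning items in Step 1 and the “foreign files” items in Step 2 can be done from a shell on the hosting account before any commercial scanner is involved. The helpers below are an added example written for this page, not part of the original checklist; they take the WordPress root directory as their first argument and print one path per line. The allow-list in `foreign_root_entries` and the obfuscation regex are assumptions and should be treated as review lists, not delete lists.

```shell
#!/bin/sh
# Added triage helpers for Steps 1 and 2 (example code, not from the original checklist).
# Usage: . ./triage.sh; find_php_in_uploads /home/site/public_html

# 1. Executable code in the uploads tree. Uploads should only ever hold media,
#    so any .php / .php5 / .phtml file here is foreign by definition.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \) 2>/dev/null
}

# 2. Files changed in the last N days (default 7). Most injected files keep the
#    mtime of when they were written, so a cluster of recent changes that you
#    did not deploy is a strong lead. Cache directories are skipped to cut noise.
recently_modified() {
    days="${2:-7}"
    find "$1" -type f -mtime "-$days" ! -path '*/wp-content/cache/*' 2>/dev/null
}

# 3. PHP files that use the usual loader/obfuscation primitives. Heuristic only:
#    a few legitimate plugins call base64_decode, so review hits by hand.
#    (--include is a GNU grep option.)
find_suspicious_php() {
    grep -rlE 'eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|gzuncompress[[:space:]]*\(|str_rot13[[:space:]]*\(|assert[[:space:]]*\(|create_function[[:space:]]*\(' \
        --include='*.php' "$1" 2>/dev/null || true
}

# 4. Entries in the WordPress root that a stock install does not ship.
#    The allow-list is an assumption based on the core layout plus files hosts
#    commonly leave behind. .user.ini and php.ini are deliberately NOT
#    allow-listed: an auto_prepend_file directive in either is a common way to
#    load a backdoor on every request.
foreign_root_entries() {
    for entry in "$1"/* "$1"/.[!.]*; do
        [ -e "$entry" ] || continue
        name=$(basename "$entry")
        case "$name" in
            wp-admin|wp-content|wp-includes|index.php|wp-*.php|xmlrpc.php) ;;
            license.txt|readme.html|.htaccess|.well-known|cgi-bin|error_log) ;;
            *) printf '%s\n' "$entry" ;;
        esac
    done
}
```

Run each function against the live copy and keep the output as part of your incident notes; `recently_modified` is most useful when you already know roughly when the site was compromised (from logs or when the symptoms started). For core files, WP-CLI’s `wp core verify-checksums` compares every file in wp-admin and wp-includes against the official hashes for that version and reports anything added or altered, which is a faster check than eyeballing the tree.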
Step 3. Clean Database
- Scan Database for infection and clean
- Remove Spam Comments
- Remove Post and Page Revisions (so that malicious content cannot be accidentally reintroduced by restoring an old revision)
- Remove suspicious links
- Remove suspicious content
Step 4. Secure
- Change database Prefix
- Set Directory Permissions to 755
- Set File Permissions to 644 (nothing should be world-writable; wp-config.php can be tightened further)
- Create blank Index files to prevent contents of directories being accessible via browser
- Reset the Salt Keys in wp-config.php (this invalidates every existing login cookie, including any the attacker holds)
- Remove ‘admin’ username
- Check User Roles and remove access for suspicious users
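The Step 3 database work and the Step 4 hardening can be scripted so that they are applied the same way to every cleaned site. The block below is an added example written for this page, not part of the original checklist. It assumes the cleaned copy lives under the directory passed as the first argument, a default table prefix of `wp_`, and a replacement login of `siteowner` for the legacy `admin` account; all three are assumptions you pass in.

```shell
#!/bin/sh
# Added hardening helpers for Steps 3 and 4 (example code, not from the original
# checklist). Run on the CLEANED copy, then review the SQL before piping it
# into: mysql -u USER -p DBNAME

# Directories 755, files 644: the web server can traverse and read, nothing is
# world-writable. wp-config.php holds the database password, so it gets 600
# (use 640 if PHP runs as a different user than the file owner on your host).
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -f "$1/wp-config.php" ]; then chmod 600 "$1/wp-config.php"; fi
}

# A "silence is golden" index.php in every directory that has no index file,
# so a host with directory listing enabled exposes nothing. Existing index
# files are left alone.
add_blank_index() {
    find "$1" -type d | while read -r d; do
        if [ ! -e "$d/index.php" ] && [ ! -e "$d/index.html" ]; then
            printf '<?php\n// Silence is golden.\n' > "$d/index.php"
        fi
    done
}

# Fresh AUTH_KEY ... NONCE_SALT defines for wp-config.php. Rotating them logs
# out every session, which is what you want after a compromise. The online
# generator at api.wordpress.org/secret-key/1.1/salt/ does the same; this
# version works offline from /dev/urandom (quote characters are excluded so the
# value is safe inside the single-quoted PHP string).
generate_salts() {
    for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
               AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        value=$(LC_ALL=C tr -dc 'A-Za-z0-9!#$%^&*()_+=.,:;?@~' < /dev/urandom | head -c 64)
        printf "define('%s', '%s');\n" "$key" "$value"
    done
}

# SQL for the parts of Steps 3 and 4 that live in the database. Arguments:
# table prefix (default wp_) and the new login for the 'admin' account
# (default siteowner). Output goes to stdout for review first.
db_cleanup_sql() {
    p="${1:-wp_}"; newadmin="${2:-siteowner}"
    cat <<EOF
-- Step 3: injected markup in post content and options (review, then clean by hand)
SELECT ID, post_title FROM ${p}posts
 WHERE post_content LIKE '%<script%' OR post_content LIKE '%<iframe%'
    OR post_content LIKE '%eval(%' OR post_content LIKE '%base64_decode%';
SELECT option_name FROM ${p}options
 WHERE option_value LIKE '%<script%' OR option_value LIKE '%<iframe%'
    OR option_value LIKE '%base64_decode%';
-- siteurl/home are a favourite target for redirect hacks
SELECT option_name, option_value FROM ${p}options WHERE option_name IN ('siteurl','home');
-- Step 4: who holds administrator rights? Remove anyone you do not recognise.
SELECT u.ID, u.user_login, u.user_email FROM ${p}users u
  JOIN ${p}usermeta m ON m.user_id = u.ID
 WHERE m.meta_key = '${p}capabilities' AND m.meta_value LIKE '%administrator%';
-- Step 3: spam comments and revisions
DELETE FROM ${p}comments WHERE comment_approved = 'spam';
DELETE FROM ${p}posts WHERE post_type = 'revision';
-- Step 4: rename the legacy admin login (and its nicename, or /author/admin/ still exists)
UPDATE ${p}users SET user_login = '${newadmin}', user_nicename = '${newadmin}'
 WHERE user_login = 'admin';
EOF
}
```

Two caveats from experience. If you also change the table prefix (the first Step 4 item), renaming the tables is not enough: the `{prefix}capabilities` and `{prefix}user_level` rows in usermeta and the `{prefix}user_roles` row in options carry the prefix in their key names and must be renamed too, or every account loses its role. And after `generate_salts` replaces the defines in wp-config.php, expect to log in again yourself; that is the rotation working.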
Step 5. Plugins (Install and Configure)
- WP Hashcash
- Jetpack and Activate Protect and Monitor Modules
Step 6. Completion
- Remove the infected live site
- Replace with the cleaned version
- Take a complete backup of clean site
- Optimise Database
Step 7. Ongoing Maintenance and Security
- Regular Backups of Website and Database stored securely away from the hosting server
- Keep WordPress up to date as each version is released
- Keep Plugins and Themes up to date as each version is released
- Delete Spam comments
- Keep Passwords strong and secure (Ideally use an application like LastPass.com to generate and securely store login details)
- Monitor and scan regularly for suspicious activity
- If you notice anything suspicious, take action to identify and resolve immediately
Need Help To Fix A Hacked WordPress Website
If you just want to get your website up and running again, or don’t have the time or technical know-how to do it yourself, contact us and we will get you up and running again. This can normally be sorted out with a turnaround of a business day. If it is urgent we can down tools and get your website fixed in a few hours, depending on the size of the site and the extent of the hacking.
You will need to provide:
- Administrator Access to the WordPress Website
- Hosting cPanel or Control Panel (with FTP and PHPMyAdmin)
- Fresh copies of Premium Themes and Plugins or login details to obtain clean versions
Ongoing WordPress Maintenance & Support
“Prevention is better than cure” – a cliche but so true online. Enquire about the Maintenance Plans available to keep your website safe, secure, backed up and optimised. If your website should be compromised you will be fully operational again in a matter of minutes rather than days. We look after and maintain WordPress sites for a number of clients directly, and for other web design and development agencies.
A news release has caused concern for a number of WordPress website owners about their website security. The news concerns the serious attack on WordPress websites by botnets harnessing thousands of home PCs infected by malware which attempt to hack WordPress sites, often overloading the website servers. Such attacks are believed to be the preparation for a larger, more serious attack that hackers may launch in the future.
The botnet attack makes use of thousands of IP addresses to try and hack WordPress sites using “admin” as the username, then trying out different passwords. Because each machine in the botnet only needs to make a handful of attempts, limiting login attempts per IP address is ineffective against it: no single address ever crosses the threshold, while the site as a whole receives thousands of guesses.
A similar campaign in 2012 compromised WordPress websites and used them as a platform for attacks on US financial institutions. This latest attack comes shortly after WordPress.com added two-factor authentication to its accounts.
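The practical consequence is that the useful signal in your web server logs is not “how many attempts from one address” but “how many distinct addresses are posting to wp-login.php per minute”, and whether any of them was answered with a redirect (a successful login returns 302; a failed one renders the form again with 200). The following is an added example for this page, not code from the original article: a few awk one-liners over a constructed Apache combined-format log (`sample_log`, invented for the demonstration) that show a distributed attack with at most three attempts per address and one address that got in.

```shell
#!/bin/sh
# Added example: spotting a distributed wp-login.php brute force in an Apache
# combined log. Not part of the original article. sample_log is constructed
# test data; the other functions take a log file path.

sample_log() {
    cat <<'EOF'
198.51.100.10 - - [17/Apr/2013:10:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3850 "-" "Mozilla/5.0"
198.51.100.11 - - [17/Apr/2013:10:15:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3850 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Apr/2013:10:15:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3850 "-" "Mozilla/5.0"
203.0.113.6 - - [17/Apr/2013:10:15:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3850 "-" "Mozilla/5.0"
192.0.2.77 - - [17/Apr/2013:10:15:06 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
192.0.2.78 - - [17/Apr/2013:10:15:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3850 "-" "Mozilla/5.0"
198.51.100.10 - - [17/Apr/2013:10:15:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3850 "-" "Mozilla/5.0"
198.51.100.11 - - [17/Apr/2013:10:15:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3850 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Apr/2013:10:15:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3850 "-" "Mozilla/5.0"
203.0.113.6 - - [17/Apr/2013:10:15:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3850 "-" "Mozilla/5.0"
203.0.113.6 - - [17/Apr/2013:10:15:14 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.6 - - [17/Apr/2013:10:15:15 +0000] "GET /wp-admin/ HTTP/1.1" 200 41200 "-" "Mozilla/5.0"
EOF
}

# Combined log fields: $1 client IP, $4 "[timestamp", $6 "\"METHOD", $7 path, $9 status.
# Login attempts are POSTs to wp-login.php; counted per source address, busiest first.
login_attempts_by_ip() {
    awk '$6 == "\"POST" && $7 ~ /\/wp-login\.php/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# One line: total attempts, number of distinct addresses, and the busiest
# address. A per-IP limit of five would never fire on the sample data even
# though ten guesses hit the site in fifteen seconds.
brute_force_summary() {
    login_attempts_by_ip "$1" | awk '{ total += $1; ips++; if ($1 > max) max = $1 }
        END { printf "attempts=%d distinct_ips=%d max_per_ip=%d\n", total, ips, max }'
}

# The signal that does work against a botnet: distinct addresses posting to
# wp-login.php in each minute. Timestamp minute = chars 2-18 of "[17/Apr/2013:10:15:02".
distinct_ips_per_minute() {
    awk '$6 == "\"POST" && $7 ~ /\/wp-login\.php/ {
             m = substr($4, 2, 17)
             if (!((m, $1) in seen)) { seen[m, $1] = 1; c[m]++ }
         }
         END { for (m in c) print m, c[m] }' "$1" | sort
}

# Addresses whose login POST was answered with a 302: these got in. Their
# subsequent wp-admin activity is where the cleanup investigation starts.
successful_logins() {
    awk '$6 == "\"POST" && $7 ~ /\/wp-login\.php/ && $9 == 302 { print $1 }' "$1" | sort -u
}
```

The access log only shows the target URL, not the username being tried; the attempted usernames travel in the POST body, so to see that “admin” is the name under attack you need application-level logging (a plugin or a small `wp_login_failed` action hook that writes the attempted login to a file). On a real server run `distinct_ips_per_minute` over the day’s log and look for minutes where the count jumps from the usual handful to dozens or hundreds.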
What Is A BotNet
A botnet is a collection of internet-connected programs communicating with other similar programs in order to perform tasks. The word botnet comes from two words, “robot” and “network”.
These botnets can overload web servers, or be used for a distributed denial-of-service (DDoS) attack which renders websites unavailable to ordinary visitors.
Who Is At Risk Of A Botnet Attack?
The main targets of this botnet threat are people who use “admin” as their username and also those who use common usernames like:
In the past, the WordPress installer created the first account as “admin” without offering a choice (this changed in WordPress 3.0). Now users can choose a unique username, which is advisable in combination with a strong password. Existing sites that were installed before then still have the “admin” account unless it was renamed or removed.
How To Improve WordPress Security
- Matt Mullenweg advises on his blog that websites owners who still use “admin” as their username should change it right away. Never use “admin” as username on any of your WordPress sites;
- Use a strong password for your accounts and change it if you suspect it has been exposed. Many recommend a password of at least 8 characters (longer is better) combining upper and lower case letters, digits and one or two symbols, and never reused from another site. Make it difficult for hackers to guess;
- Always update your WordPress site to the latest version;
- Back up your website on a regular basis;
- Scan your website and clean up unused files
- Update Plugins as patches are released and delete unused Plugins;
- Prevent hackers browsing through your website directories: move wp-config.php one directory above your WordPress installation folder (WordPress looks there automatically if the file is not in the install folder; this only helps if that directory is outside the web root), and add a blank index.php file to directories that should not be available publicly.
If you’re not a tech geek, consider asking for professional help to maintain and secure your WordPress website. This is far better than having to start from scratch ‘when’ (not ‘if’) your website is hacked.
If your website has been hacked, get it cleaned by an expert, as hackers often insert malicious code which ordinary malware and virus scanners do not detect.
Please contact our WordPress Security Experts for technical help with your website security or to dehack a WordPress Website.