How to fix a hacked WordPress website
We love WordPress, and nearly all our sites are now developed in it. Everyone else loves it too: it powers 43% of the sites on the Internet.
Unfortunately, that popularity makes it a prime target for hackers. There is no point searching for an exploit in software that no one uses.
With WordPress, there are multiple entry points for security vulnerabilities: the core WordPress files themselves, but also your theme and all the plugins you use. The more complex your install, the easier it is to get hacked.
Prevention is better than cure, and that’s why we update all our clients’ sites manually ourselves as part of our hosting package.
That doesn’t mean we are infallible, and occasionally problems arise that we must fix. More often than not, when we deal with a hacked site, it is not one of our own we are fixing, but a third party approaching us for help fixing theirs.
Fixing a hacked site is not cheap, because a lot of work is needed to ensure everything is secure. In general, when a site is hacked, it isn’t just one file that is uploaded or modified: the hacker, or more likely an automated bot, will modify dozens of files and upload various others throughout the site to try to hide their backdoors.
We have catalogued some of the steps we go through to fix a site, which we hope will help anyone who hosts their own site to recover from a hack.
How to clean up a hacked site:
- Take a full backup of the hacked website
- If possible, restore to a previous backup that we believe is unhacked.
- If there is a significant gap between backups, it may be necessary to retain the database and restore any uploads.
- The uploads folder needs to be sanitised before being restored.
- Ideally, delete everything other than the image uploads and re-install everything again manually.
- Delete all plugins and themes if a full delete wasn’t done at first.
- Download all the plugins and themes from official sites and re-install them.
- Even if we are working from a backup, a full check needs to be run. We start with Anti-Malware from GOTMLS, which is very good at identifying whether a site has been hacked; it will detect and clean any hacked files it finds. Unfortunately, it rarely completes the job thoroughly.
- Download the full site and manually check for any suspicious files.
- In particular, carry out a search for PHP files within the uploads folder to ensure this is sanitised.
- Carry out a bulk search on the contents of all the files within the site for the term IonCube. This can be done using Dreamweaver, but other applications should be able to do it. Nearly all hacks modify or upload files containing encoded code; this code is almost always encoded using IonCube, which needs to be called within the PHP file.
- Change the database name and password, and update the config files.
- Change all admin users’ passwords.
- Check for any new admin users and remove them.
- Secure the site as much as possible. Sucuri has some useful auto-hardening tools which can be used.
- Carry out daily scans with GOTMLS.
- Carry out regular checks of the uploads folder for PHP files.
- Do a follow-up inspection by downloading the entire site and searching for IonCube in the code.
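As an added example (not code from the original post), the following POSIX shell script automates the two file-system checks from the list above: PHP files in the uploads folder, and any file referencing ioncube. It assumes a standard WordPress layout under the site root given as its argument; a hit is a lead to review by hand, not proof of compromise.

```shell
#!/bin/sh
# Added example, not code from the original post. Automates two checks from
# the checklist above: PHP files under wp-content/uploads (there should be
# none) and files anywhere in the site that reference ioncube.
# Assumes a standard WordPress layout under the site root passed in.

# List PHP-like files under the uploads folder, one path per line.
find_php_in_uploads() {
    site_root="$1"
    find "$site_root/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) \
        2>/dev/null | sort
}

# List text files whose content mentions ioncube (case-insensitive).
# Legitimate plugins sometimes check for the ionCube loader, so each hit
# needs reviewing by hand; a hit is a lead, not proof of compromise.
find_ioncube_refs() {
    site_root="$1"
    grep -rIil 'ioncube' "$site_root" 2>/dev/null | sort
}

# Run both checks, print findings, and return 1 if anything was found.
wp_scan() {
    site_root="$1"
    status=0
    php_hits=$(find_php_in_uploads "$site_root")
    if [ -n "$php_hits" ]; then
        echo "PHP files in uploads (should be none):"
        printf '%s\n' "$php_hits"
        status=1
    fi
    ion_hits=$(find_ioncube_refs "$site_root")
    if [ -n "$ion_hits" ]; then
        echo "Files referencing ioncube (review each by hand):"
        printf '%s\n' "$ion_hits"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "No indicators found under $site_root"
    fi
    return "$status"
}

# Usage: sh wp_scan.sh /var/www/example   (runs only when a path is given)
if [ "$#" -gt 0 ]; then
    wp_scan "$1"
fi
```

Run it again after the clean-up and on a schedule, as the follow-up steps describe; the exit status makes it easy to hook into a cron job that alerts on any hit.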
All in all, it can be an awful lot of work to fix a hacked website. Some tools do an excellent job of it, primarily Sucuri, which costs $199.99. This should fix everything by itself. However, we prefer not to rely 100% on an automated tool, so we would still carry out most of the manual procedures.
Once the site is fixed, we will need to work with you to find the likely cause. It is nearly always plugin- or theme-related. If you download a premium one from a “free” website, then you can almost guarantee your site will get hacked. Most of the time it is due to not updating the themes and plugins. The problem here is that many premium plugins no longer charge a one-off fee but a yearly one, so keeping them updated can be quite expensive, but it is necessary.
If you would like help fixing your site, then contact us via the form below.