Sucuri releases a website hacked trend report for each quarter. In their latest report, they have revealed that WordPress powered 78% of the sites hacked in the second quarter of 2016. WordPress hacked sites remain a real problem. (Read More: the Sucuri Website hacked report here)
That is not surprising since WordPress is by far the largest platform to create new websites. This leads to the fact that hackers always find it more profitable to look for vulnerabilities in WordPress sites. It doesn’t matter what security measures you take; it is impossible to guarantee the perfect security for any website. Being the most popular platform for creating websites, the risk is significantly higher for WordPress sites.
Because of the increased risk and fewer guidelines about WordPress security, we have decided to take things in our hand. The result is this in-depth tutorial. In this tutorial, we are going to introduce you to 7 essential steps you should take to fix your WordPress hacked site.
Before we begin the procedure, let’s find out what causes the problem in the first place. In general, there are two types of vulnerabilities –
- Common Vulnerabilities and
- Security Vulnerabilities.
Let’s take a closer look at each type. Both types can be exploited by security hackers.
Before you begin - restoring a WordPress hacked website is not something which can be undertaken by people without sufficient knowledge. It is highly advisable to ask for help from WordPress developers who are highly skilled before attempting to do this if you're not comfortable tinkering around.
Common Vulnerabilities which result in hacked WordPress sites
The common vulnerabilities can come from either your local machine or from the hosting provider. Most of us are probably familiar with this type of problems. These problems can happen if your PC or local network is compromised. When hackers gain access to your PC or the network, they can easily target a website you own - with the result being a compromised or hacked WordPress site.
You can avoid these situations by using reliable anti-virus and anti-malware scanning tools. You need to apply common sense when using the internet. Comodo and Malwarebytes have provided some handy tips to keep your PC safe from hackers. If you are using a router, it is also important to keep the device updated with the latest firmware.
Secondly, the problem can arise from your hosting provider, especially if you are using a shared hosting package. As you probably know, a shared hosting package shares the server among numerous users. If any of these users doesn’t follow the best practices, the whole server is under serious threat.
In some cases, one site in a shared hosting package gets compromised, and it allows the hacker to infiltrate other sites on the same server. On that case, you need to consult with your hosting provider, and they will take the necessary steps. This means, even if your site is fully updated and protected, you may still end up with a WordPress hacked site.
Incidentally, if you’re looking for a very secure hosting provider, you should seriously consider InMotion hosting - we feel very well protected on this service.
Now that we have identified the common vulnerabilities, let’s take a look at the security aspects.
WordPress hacked through Security Vulnerabilities
There are several types of security vulnerabilities for WordPress. We will talk about the ones which are most common –
- Weak username/password combinations: We don’t think we have to tell you the importance of using a secure password. Since the 3.8 version, WordPress itself has started to put more focus on forcing the users to use a strong password. There is a built-in password strength detection feature in the admin dashboard. The rule of thumb is never to use any predictable username (such as admin), and always use strong passwords. These will make it more difficult for the hackers to access your WordPress site.
- Theme/plugin bugs: While it is a best practice to use familiar themes and plugins, sometimes the most popular ones can have a hidden security flaw too. If that happens, you will find the news in the WordPress blogs. However, you will probably be safe if you make sure that you are using only trusted themes or plugins. Check out the reviews, rating, number of downloads, etc. to analyze the reliability. And never ever use pirated themes or plugins. It is a known fact that most of these contain harmful code, which can lead to a backdoor in your site. You’ll surely end up with a hacked WordPress site in no time if you use pirated versions of themes and plugin. What you think is free will cost you much more than you expect if fixing your hacked website.
- Not updating WordPress, themes, or plugins: Using an outdated version of WordPress, themes, or plugins is another major reason of security breaches resulting in WordPress hacked. Most updates include something to improve the security and performance of your website. Therefore, it is necessary that you update WordPress, themes, and plugins as soon as they are available. Make sure to perform a full site backup before updating.
What to Do When Your WordPress is Hacked?
It doesn’t matter whatever security measures you take; some evil jerk will always find newer ways to access your site. If you have fallen victim to WordPress hacking, don’t panic and follow the steps described below.
1. Identify the Type of WordPress Hack
The solution to getting your site back depends on the type of WordPress hack. That means the first step is to define the type.
Here are the questions you should ask to do that :
- Can you access the admin section?
- Is your site being redirected to another site?
- Are there any unknown link(s) on your site?
- Is Google warning the visitors about your site?
- Has your hosting provider informed you that your site is looking suspicious?
- Is your site showing unknown adverts in the header, footer, or other sections?
- Are there any unwanted popups displayed?
- Is there an unexpected spike in the bandwidth usage?
Go through the questions one by one and try to find out the answers for each of them. This will help you find the best course of options to regain control of your hacked WordPress site.
2. Try Restoring from Backup
If you follow the best practices, you should have daily, weekly, or monthly backups of your WordPress site. The backup frequency depends on how frequently you post or make changes to your website.
When you are taking regular backups, regaining your hacked WordPress site is as easy as restoring the latest backup. If you have set up an automatic backup schedule, find out the last backup before your site was hacked and restore that version.
You then need to make sure that you update any plugins, themes or anything which had not been updated.
What if you didn’t take backups of your site? Does that mean you have lost your site forever?
There are other options too. Most reputed hosting services keep regular backups of their client sites. Ask your hosting provider if they keep a backup. If they have, you can ask them to restore your site from the last stable backup.
If there is no backup, you’ll have to go through a procedure of cleaning your hacked WordPress site which we show below.
3. Seek Help from Your Hosting Provider
More than 40% of the hacked websites had some security vulnerability in the hosting platform. Therefore, when you get your WordPress hacked, asking your hosting provider to help you get back your site could be a good idea.
Any reliable web hosting company should be willing to help you in these cases. They employ professionals who deal with these situations every day. They are very familiar with the hosting environment and have access to advanced website scanning tools.
Therefore, they will be able to help you fight back most of the common WordPress hacking attacks. If the hack originated from the server, your hosting company would be able to help you get back the site.
4. Scan for Malware
In many cases, hackers gain access to your website by using backdoors. Backdoors create unauthorized entry points to your website. When using backdoors, hackers can access your website without requiring any login information and remain virtually undetected.
Here are some common locations of the backdoors which you need to check if your WordPress was hacked –
- Themes: Most hackers prefer to put the backdoor in one of your inactive themes. By doing this, they will still have access to your website even if you keep WordPress regularly updated. This is why it is crucial to delete all of your inactive themes.
- Plugins: The plugins folder is another potential place for hiding the malicious code. There are several reasons for that. First of all, most people never think about checking the plugin files. They also prefer not to update the plugins as long as they are working. What’s more, there are some poorly coded plugins which could be exploited to gain unauthorized access to any WordPress site.
- The Uploads Folder: In a standard scenario, you will never think about checking the uploads folder. There is no reason to do that. That folder only contains the files you uploaded, right? Well, not that simple. Some hackers prefer this folder because they can easily hide the malicious file among hundreds or thousands of files spread in different folders. As the folder is writeable, it also serves their purpose.
- The Includes Folder: This is another folder often ignored by most users. As a result, hackers put the backdoor in this folder and get complete access to your site.
- The wp-config.php File: This is a very common place for finding the malicious code. However, as the file is very well-known, sophisticated hackers avoid using this file. But it is still a good place to get started.
Don't like to get your hands dirty with malicious scripts? Try iThemes security and let it do the dirty work.
The only way to get rid of the backdoor is to remove the malicious code from the website. There are several plugins which allow you to scan your website for malicious code. Among them, iThemes Security, WPMUDev Defender, Sucuri Security, Exploit Scanner, Theme Authenticity Checker, etc. are the most common names. You can use these free plugins to detect any unwanted change in the themes, plugins, and core files of your WordPress site.
If the plugins find any suspicious file, take a full backup and delete the file. And if a theme or plugin is compromised, remove that from your site. Download the latest copy and upload it to your website.
In case the change is detected in any of the core WordPress files, you can replace the affected file(s) with original files from another reliable WordPress installation. Alternatively, you can download WordPress manually and use the necessary files.
5. Check User Permissions
It is likely that you have several users on your WordPress site. As you already know, they have different capabilities based on their user role. Sometimes, WordPress hackers create a new user with the necessary permission so that they can log into your site even if they lose the backdoor. Or they may actually use a username which has a weak password to hack WordPress.
To prevent this from happening, go to Settings > Users from the dashboard. Review all the users and their roles. Most importantly, make sure that no unauthorized account has the admin role assigned. In the case of doubtful accounts, delete them instantly. If they are valid users, you can always recreate the accounts later.
- Here are some more best practices to follow –
- Never use the ‘admin’ username on your site. If you already have that username, change this as soon as possible. Also, avoid using any common username that hackers can guess.
- Use two-factor authentication to prevent unauthorized access to your website. Here’s how to do this by using Google Authenticator.
- Integrate CAPTCHA in your login forms. This is an effective way to prevent bots or automated scripts from accessing your website.
6. Change the Secret Keys
Secret Keys is a handy security feature of WordPress. These keys contain randomly generated text which help in encrypting the information saved in cookies. If you don’t have the numbers added already, you should do it now. And if you have them, this is high time you have changed them.
First of all, generate your security keys from this link. The random code generator will create a new set of unique codes every time you refresh the page.
Now, get back to your website and open the wp-config.php file. Head towards line 49 and you will see something like the following. The line number may vary on your file, but you need to find out the following section –
Replace the values with the ones you generated a while ago. Save the file. If you were logged in to the admin, you would be asked to log in again.
7. Change ALL Your Passwords to prevent WordPress getting hacked again
This is a common but critical step in restoring a hacked WordPress website – reset all of your passwords. The common passwords include WordPress, cPanel, MySQL, FTP, etc. Reset all these passwords along with any other service you use on the website.
When doing that, make sure you are using a strong password. If possible, you should force your existing users to perform a password reset for their accounts as well.
Here’s how to change the passwords –
- For changing the WordPress password, go to Users > Your Profile from the dashboard. You will find the new password field at the ‘Account Management’ section.
- For changing the cPanel, MySQL, FTP passwords, log into the control panel of your hosting account and follow the available options. If you are confused, contact the hosting support to get help.
Future Steps to Avoid Getting WordPress Hacked
While the steps mentioned above will help you get your WordPress site back, you should consider this as a warning sign. Here are some important steps you should take to make sure your site remains protected in the future from any other WordPress hack attempts –
- Create A Backup Schedule: As you realize now, having regular backups of your WordPress site is critical. Fortunately, you don’t have to do this manually. There are lots of free and premium plugins to help you keep regular backups of your WordPress site. UpdraftPlus is a popular free backup plugin, while VaultPress and BackupBuddy are some highly recommended premium backup solutions.
- Update Everything: We guess we don’t have to stress the importance of keeping your site updated. You should update the WordPress core, active themes, plugins. At the same time, make sure you delete the unused themes and plugins too.
- Set up a Security Plugin: If you want to enhance the security of your WordPress site, you should use a security plugin like Wordfence Security or Defender. This plugin helps you to create a firewall so that you can prevent malicious traffic, block attackers and deal with other security threats. You might also consider installing a full Web Application firewall.
- Consider a Managed Hosting: When you choose a managed hosting, they will handle the security, maintenance, performance, and other issues for your WordPress site. That means you won’t have to worry about all these steps. Some reliable managed hosting providers include InMotion, WPEngine, Kinsta and Pagely.
- Limit Login Attempts: By default, WordPress allows anyone to try unlimited passwords for any account. This leads to brute force attacks and possible site vulnerabilities. Fortunately, there are some free plugins like Login LockDown and Loginizer Security to help you limit the login attempts.
- Disable PHP Execution: In most cases, hackers create backdoors by creating PHP files which look like core files. You can prevent these threats by disabling PHP execution in the relevant directories, like the uploads and includes folder. Here’s a step-by-step tutorial to do that.
- Add Extra Password for Admin: Another handy trick to keep your WordPress site safe is to use an additional password for accessing the admin section. This is very easy to do in cPanel. Follow this tutorial to add the password in your WordPress admin.
- Install a local antivirus: it is actually quite common to have websites hacked or compromised via virus or worms which have infected your home or work machine. Make sure you've got an antivirus installed on all the machines from which you access your website
Like video? Watch this WordPress hacked video from Sucuri
If you have some time to go through the following video which can help to identify WordPress hacked sites and how to fix them. We’ve mentioned Sucuri a few times in this article, this video from Sucuri is quite a complete view about WordPress hacked sites.
Final Words: how to fix your WordPress hacked website
Being a victim of WordPress hacked site is a horrible experience, especially if this is the first time. However, now that you have read this article, you should have a clear idea about the necessary steps to get your hacked WordPress site back.
Feel free to bookmark and share this article so that others can know about the steps too.
Have you ever had any of your WordPress sites hacked? If yes, please share your experience and let us know how you got the site back in the comments below.