How To Clean a Hacked WordPress Website
Maintaining WordPress and its Plugins
In recent months we've seen a number of hacked WordPress sites. It's not that WordPress itself is less secure; in most cases the website owner hasn't kept the site and its plugins up to date, or is using an easy-to-guess username/password combination.
One of the main issues we see every day is WordPress sites running outdated WordPress core versions or old plugins. Many website owners don't realise that, like all other software, WordPress and its plugins must be kept up to date to avoid the website being hacked.
WordPress releases security updates as soon as security issues are discovered e.g. the last few updates have been security and maintenance releases.
The latest version of WordPress, as of writing this article, is v4.7.5. This version tackles six security issues:
- Insufficient redirect validation in the HTTP class.
- Improper handling of post meta data values in the XML-RPC API.
- Lack of capability checks for post meta data in the XML-RPC API.
- A Cross Site Request Forgery (CSRF) vulnerability was discovered in the filesystem credentials dialog.
- A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files.
- A cross-site scripting (XSS) vulnerability was discovered related to the Customizer.
Failing to update to the latest version of WordPress and the plugins your site is using leaves your site open to be hacked! Note: This can result in your site being deindexed by Google!
I've Been Hacked, What Do I Do?
There are a number of things you can immediately do:
Don't rush in and start making changes as this can do more damage than good. Keeping calm will allow you to more effectively take control of the situation.
Document What's Happened
Take a moment to document what's happened. Write down:
- What you can see. What evidence is there that you've been hacked e.g. home page has been taken over with a new page, new links have appeared, your pages are being redirected.
- What version of WordPress and plugins are you using? Are they the latest available versions?
- What actions have you taken recently? Was a new plugin installed? Did you make a change to a theme?
By doing this you can create an "incident report" which may prove valuable to yourself or a professional company in identifying what has happened and how to clean up the site.
Make a Backup
This may seem like a strange idea: why back up a hacked site? However, even a hacked copy of your site will still contain content and files which you won't want to lose if something goes wrong when you try to clean up your site, or if you decide to start again from a clean template/install.
Copying your image upload folder is also helpful as it will mean you don't have to hunt down the images you've used on your site, if they're needed after cleanup.
Identify the Hack
It's important to identify which of your files have been compromised. To do this you can use a variety of plugins e.g. Sucuri Security. Install the plugin then:
- Use it to scan your site to find malicious payloads and malware locations.
- Check for core file integrity issues in the wp-admin, wp-includes, and root folders.
- Identify hacked files by seeing if they were recently modified using the audit logs.
- Review the list of recent user logins to check if passwords have been stolen or new malicious users have been created.
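The core file integrity and "recently modified" checks above can also be done from a shell on the server. The script below is an added example, not part of the original article or the Sucuri plugin: it compares the live tree against a manifest of SHA-256 checksums taken from a pristine copy of the same WordPress version (an assumption: you have such a copy, or use WP-CLI's `wp core verify-checksums`, which compares against wordpress.org for you), and lists files changed in the last 7 days. Both the "clean" and "live" trees here are constructed in a temporary directory, with one look-alike file planted in wp-includes and one core file altered.

```shell
#!/bin/sh
# Added example: compare a live WordPress tree against a known-good checksum
# manifest and report NEW / MODIFIED / RECENT files. Inputs are constructed.
set -eu

# build_manifest DIR: print "<sha256>  ./relative/path" for every file, sorted
build_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | xargs sha256sum )
}

# check_integrity CLEAN_MANIFEST LIVE_MANIFEST: print NEW/MODIFIED findings
check_integrity() {
    awk 'NR == FNR { clean[$2] = $1; next }        # first file: pristine hashes
         !($2 in clean) { print "NEW " $2; next }   # file absent from pristine tree
         clean[$2] != $1 { print "MODIFIED " $2 }   # content differs from pristine
    ' "$1" "$2"
}

# recently_modified DIR DAYS: files changed within the last DAYS days
recently_modified() {
    ( cd "$1" && find . -type f -mtime "-$2" | LC_ALL=C sort )
}

# demo: build a pristine tree and a "hacked" copy, run both checks, print report
demo() {
    work=$(mktemp -d)
    clean="$work/clean"; live="$work/live"
    for d in "$clean" "$live"; do
        mkdir -p "$d/wp-admin" "$d/wp-includes" "$d/wp-content/uploads"
        printf '<?php // core admin bootstrap (constructed)\n' > "$d/wp-admin/admin.php"
        printf '<?php // core http class (constructed)\n' > "$d/wp-includes/class-http.php"
        printf '<?php // wp-config (constructed)\n' > "$d/wp-config.php"
    done
    # age every legitimate file so the recent-change scan has a baseline
    find "$clean" "$live" -type f -exec touch -t 201701010000 {} +
    # plant a look-alike file in wp-includes and append a line to a core file
    printf '<?php // planted look-alike (constructed)\n' > "$live/wp-includes/class-http2.php"
    printf '// appended line (constructed)\n' >> "$live/wp-includes/class-http.php"

    build_manifest "$clean" > "$work/clean.sha256"
    build_manifest "$live"  > "$work/live.sha256"
    check_integrity "$work/clean.sha256" "$work/live.sha256"
    recently_modified "$live" 7 | sed 's/^/RECENT /'
    rm -rf "$work"
}

demo
```

On a real site, point `build_manifest` at an unpacked download of the same WordPress release and at the live document root; anything reported as NEW inside wp-admin or wp-includes deserves the same suspicion the article describes, and MODIFIED core files should simply be replaced from the official copy.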
Remove the Hack
Now that you have information about potentially compromised users and malware locations, you can remove malware from WordPress and restore your website to a clean state.
The wp-admin and wp-includes directories very rarely have new files added to them. So if you find anything new in those directories there is a high probability that it's malicious.
Hackers usually leave a way to get back into your site. To hide these backdoors they very often embed them in files with names similar to WordPress core files and place them in different directories. Attackers can also inject backdoors into files like wp-config.php and directories like /themes, /plugins, and /uploads.
Check for old WordPress installations and backups. Old backups are rarely maintained, so even if your main site is secure, a hacker who can gain access to the backup and infect it can then reach your main site through the backdoor they plant.
If the infection is in your core files or plugins, you can fix this by restoring any suspicious files with copies from the official WordPress repository.
For any custom or premium files (not in the official repository) open them with a text editor and remove any suspicious code.
To remove a malware infection from your website database, use your database admin panel to connect to the database and search for suspicious content. Look for common malicious PHP functions such as str_replace() and manually remove the injected code, but be careful: these functions are also used by plugins for legitimate reasons, so be sure to test your changes.
After each of the changes above, check that your site is still operational.
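The search for suspicious functions in custom/premium files and in the database can be scripted. The block below is an added example, not from the original article: one alternation of PHP functions and HTML fragments that injected code commonly relies on (the page's str_replace() plus eval(), base64_decode(), gzinflate(), str_rot13(), the /e modifier of preg_replace(), and injected script/iframe tags) is run over a theme directory and over a mysqldump export. It only reports; as the text says, str_replace() and friends are legitimate in plenty of plugins, so every hit needs a human look. The theme files and the dump are constructed.

```shell
#!/bin/sh
# Added example: grep-based triage of custom files and a database export for
# code patterns typical of injected malware. Reports only, never deletes.
set -eu

# One POSIX ERE alternation, kept in one place so both scans agree.
PATTERNS='eval\(|base64_decode\(|gzinflate\(|str_rot13\(|preg_replace\(.*/e|str_replace\(|<script[^>]*src=|<iframe'

# scan_tree DIR: "file:line:matching text" for PHP/JS files, nothing if clean
scan_tree() {
    grep -r -n -E -I --include='*.php' --include='*.js' -e "$PATTERNS" "$1" || true
}

# scan_dump FILE: same patterns over a mysqldump export; each INSERT is one long
# line, so split on "),(" first to get one table row per reported line
scan_dump() {
    awk '{ gsub(/\),\(/, "),\n("); print }' "$1" | grep -n -E -e "$PATTERNS" || true
}

# demo: build a small theme dir and a dump with one injected row, scan both
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/theme"
    cat > "$work/theme/functions.php" <<'EOF'
<?php
// constructed theme file: one legitimate call, one classic obfuscated loader
$title = str_replace('_', ' ', get_the_title());
eval(base64_decode('cGhwaW5mbygpOw=='));  // decodes to "phpinfo();"
EOF
    cat > "$work/theme/style.css" <<'EOF'
/* constructed stylesheet, not scanned */
EOF
    cat > "$work/dump.sql" <<'EOF'
INSERT INTO `wp_posts` VALUES (1,'Hello world','<p>Welcome to my site.</p>'),(2,'About','<p>About us.</p><script src="//constructed.example/x.js"></script>');
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.com','yes');
EOF
    echo "== files =="
    scan_tree "$work/theme" | sed "s#^$work/##"
    echo "== database =="
    scan_dump "$work/dump.sql"
    rm -rf "$work"
}

demo
```

In the output, the legitimate str_replace() line and the eval(base64_decode()) line are both reported; only the second is malicious, which is exactly why the article tells you to review hits rather than delete on sight. For a real database, export it with mysqldump (or from phpMyAdmin) and run `scan_dump` on the file, then fix the offending rows through the admin panel.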
If you noticed any unfamiliar WordPress users, remove them so the hackers no longer have access. Change the passwords for all your user accounts, making sure secure passwords are chosen. WordPress now does an excellent job of generating strong passwords for you.
Final Website Checks
Update - make sure your WordPress core and all plugins are fully up to date.
Generate New Secret Keys - change the secret keys in the wp-config.php file to invalidate any session cookies in case the hacker had those stored on his system.
Harden WordPress - take steps to reduce the attack surface, or entry points for attackers e.g. restrict wp-content and wp-includes access. For more information see Hardening WordPress.
Set Backups - backups act as a safety net. Now that you've cleaned your site, make a backup!
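Rotating the secret keys in wp-config.php, as the "Generate New Secret Keys" step describes, can be done with a few lines of shell. The script below is an added example, not from the original article: it replaces the value of each of the eight key/salt defines with 64 random alphanumeric characters read from /dev/urandom (an assumption on the character set; the wordpress.org generator uses a wider set, and any 64-byte random string works). The wp-config.php it edits is constructed, with the stock "put your unique phrase here" placeholders.

```shell
#!/bin/sh
# Added example: rotate the eight WordPress secret keys/salts in wp-config.php
# so every existing login cookie becomes invalid. Input file is constructed.
set -eu

KEY_NAMES='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

# random_key: 64 chars from [A-Za-z0-9]; alphanumerics only, so the value needs
# no escaping for PHP single quotes or for the sed replacement below
random_key() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 64
}

# rotate_salts FILE: rewrite every define( 'NAME', '...' ) line with a fresh key,
# keeping indentation and whatever follows the value on the line
rotate_salts() {
    f=$1
    for name in $KEY_NAMES; do
        key=$(random_key)
        sed "s|^\([[:space:]]*define( *'$name', *\)'[^']*'|\1'$key'|" "$f" > "$f.tmp"
        mv "$f.tmp" "$f"
    done
}

# key_for FILE NAME: print the current value of one define, for comparison
key_for() {
    sed -n "s|^[[:space:]]*define( *'$2', *'\([^']*\)'.*|\1|p" "$1"
}

# demo: build a config with placeholder keys, rotate, then report what changed
demo() {
    work=$(mktemp -d)
    cfg="$work/wp-config.php"
    {
        echo "<?php"
        echo "define( 'DB_NAME', 'wordpress' );"
        for name in $KEY_NAMES; do
            echo "define( '$name', 'put your unique phrase here' );"
        done
        echo "define( 'WP_DEBUG', false );"
    } > "$cfg"

    rotate_salts "$cfg"

    for name in $KEY_NAMES; do
        echo "$name:$(key_for "$cfg" "$name" | tr -d '\n' | wc -c | tr -d ' ')"
    done
    echo "placeholders_left:$(grep -c 'put your unique phrase here' "$cfg" || true)"
    echo "distinct:$(for name in $KEY_NAMES; do key_for "$cfg" "$name"; done | sort -u | wc -l | tr -d ' ')"
    echo "db_line_intact:$(grep -c "define( 'DB_NAME', 'wordpress' );" "$cfg")"
    rm -rf "$work"
}

demo
```

Run `rotate_salts /path/to/wp-config.php` on the live file after taking a copy; every logged-in user, including the attacker if they held a stolen cookie, is signed out on their next request and must log in again with the new passwords.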
Remove Malware Warnings
If you were blacklisted by Google, request a review after the hack has been fixed.
Also check any other search engines and companies for the blacklist status of your site e.g.:
- McAfee (Siteadvisor)
- Norton Safe Browsing
- Phish Tank
- Sucuri Malware Labs
- SpamHaus DBL
- Yandex (via Sophos)
Locked Out of Your WordPress Admin Dashboard?
There are times when a hack may hijack your admin account(s). If this happens, there are a few things you can do to regain control of your account:
Log into your database directly via phpMyAdmin and reset your user in the users table wp_users.
Or you can simply update your admin email in the database, then go to the WordPress login screen, click "forgot password", and when the email arrives reset your password to regain access to the admin dashboard.
We hope this overview has been of help. However, if you'd prefer someone else to undertake the task of cleaning your WordPress site, contact us.