WordPress hacked? Don’t panic, this post will help you fix your hacked site. In a previous post I wrote about 10 signs you have been hacked; here I want to extend that post and tell you how to clean up a hacked site.
I say don’t panic because people immediately go into crisis mode when their site has been hacked; they think the world is out to get them. I’m here to tell you it’s probably not personal and it can be fixed. WordPress is so widespread that people spend time probing for weaknesses in WP and in the hosting companies that host WordPress. It’s an easy target, and that is probably why your site has been attacked.
It’s only a website and it can be fixed; we can get this back up and running quickly. Take a deep breath and read on, Uncle WP Dude is gonna make it all better …
UPDATE November 2012
Feel free to read the whole post, but I recently started working with a hack recovery specialist.
I’ve been working with Sucuri.net on a number of hacked WordPress sites for my clients. At $80 their hack recovery and security monitoring package is absolutely excellent; get them on the case for a fast hack recovery.
Stop The Rot
The first thing to do is stop your site from upsetting any of your readers or clients. Often a hack attack will contain a payload your site visitors do not want, such as a redirection to a dubious site or a malware download.
I recommend installing the plugin Maintenance Mode; it will close down access to your site and show only a maintenance message.
If you are still getting issues, rename the file index.php in the root of your site. Your visitors will get errors, but that is better than malware downloads.
Change Your Passwords
Your passwords may have been compromised, so immediately change all passwords. Here is a list to check off:
- Your hosting account password – see hosting account for details
- Your FTP password – see hosting account for details
- All admin level WordPress passwords – change in the dashboard -> users section
- Your WordPress database password – this will be changed on your hosting account and needs to be updated in wp-config.php
I also recommend you use strong passwords that are hard to guess. I like to use this site to create random passwords: http://www.pctools.com/guides/password/
Backup The Site As-Is
Create a backup of your database and files as they are now. The rest of this process will require files to be edited and deleted, so we need a fallback point just in case, even if it is to a hacked state.
Back up your database; this can be done from your hosting account.
Connect to your site using FTP and copy all of the WordPress files to your PC.
WARNING: We are going to be making some fundamental changes to WordPress. You could damage your site if you make some of these changes incorrectly; you have been warned.
Install a Clean version of WP
Download a clean copy of WordPress from http://wordpress.org. We are not going to do any auto-upgrades; we need complete control of this process to ensure all infected files are removed.
Connect to your site using FTP and delete wp-admin and wp-includes. This will make sure any rogue files in these directories are removed. DO NOT delete wp-content; this is where all your themes, plugins and uploads are held. We will deal with these separately.
Unpack and upload your clean version of WordPress to your site overwriting all of the existing files.
Disinfect Your Plugins
Go into the dashboard and disable all of the plugins you have installed, taking care to make a note of which are active.
Download clean versions of your plugins.
Connect to your site using FTP and delete the contents of the directory wp-content/plugins.
Re-install all of your plugins, and then re-activate them from the dashboard.
Disinfect Your Theme
Get clean copies of your theme files from your theme developer.
NOTE: If you have made changes to your theme (adding plugin code, changing footer code, etc.), these will be removed and will need to be re-created.
Make a note of what makes up your sidebar widgets, take copies of any code, and note what types of widgets you are using.
Connect to your site using FTP and delete your theme files from wp-content/themes.
Upload the clean theme files and make sure the theme is activated correctly. If it is not, go to appearance -> themes and activate it.
Check and correct your widgets, and re-add any changes you have made.
Check your wp-config & .htaccess files
Review all wp-config and .htaccess files on your site to ensure they do not have rogue code inserted. Remove any unwanted code.
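A first pass over these files can be scripted against the local backup copy. The sketch below is an added example, not part of the original post or any plugin it mentions: the function names and the pattern lists are illustrative assumptions, and every flagged line still needs to be read by hand, since legitimate rules (a forced HTTPS redirect, for instance) will also match.

```python
import os
import re
import sys

# Heuristic patterns: assumptions for illustration, not a complete signature set.
HTACCESS_PATTERNS = [
    (r"auto_(prepend|append)_file", "PHP file loaded on every request"),
    (r"RewriteCond\s+%\{HTTP_(REFERER|USER_AGENT)\}", "rule keyed on referrer or user agent"),
    (r"(RewriteRule|Redirect(Match)?)\b.*https?://", "redirect to an absolute URL"),
    (r"(AddHandler|AddType|SetHandler)\b.*php", "handler that runs files as PHP"),
]
WPCONFIG_PATTERNS = [
    (r"\b(eval|assert|base64_decode|gzinflate|str_rot13)\s*\(", "dynamic or obfuscated code"),
    (r"\b(include|require)(_once)?\b(?!.*wp-settings\.php)", "loads a file other than wp-settings.php"),
    (r"\$_(GET|POST|REQUEST|COOKIE)\b", "reads request input"),
]

def patterns_for(filename):
    """Pick the pattern set for a file name, or None if the file is not reviewed."""
    if filename == ".htaccess":
        return HTACCESS_PATTERNS
    if filename.startswith("wp-config") and filename.endswith(".php"):
        return WPCONFIG_PATTERNS
    return None

def review_text(filename, text):
    """Return (line_no, reason, stripped_line) for each suspicious line."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for pattern, reason in patterns_for(filename) or []:
            if re.search(pattern, line, re.I):
                # strip() removes whitespace padding that can push code off-screen
                hits.append((no, reason, line.strip()[:120]))
    return hits

def review_tree(root):
    """Review every .htaccess and wp-config*.php below root, e.g. the FTP backup."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if patterns_for(name) is not None:
                with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                    hits = review_text(name, fh.read())
                if hits:
                    findings[os.path.join(dirpath, name)] = hits
    return findings

if __name__ == "__main__":
    for path, hits in review_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, *hits, sep="\n  ")
```

Run it with the path of the backup as the only argument; walking the whole tree matters because an extra .htaccess can sit in any subdirectory, not just the site root.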
Audit your Uploads Directory
Sometimes hackers leave malware scripts in the uploads directory. This is because there are so many subdirectories and files.
I wrote a plugin review of wp-malwatch. Get this installed as soon as possible and do a scan; it is particularly helpful for auditing your uploads directory. This plugin will check various files and locations for known hack attack signatures and inform you.
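Alongside a scanner plugin, the local FTP copy of wp-content/uploads can be checked directly, since that directory should hold media and documents rather than scripts. This is an added example, not code from the original post or from wp-malwatch; the function names and the extension list are assumptions. It flags files with a script extension anywhere in the name and media files that contain a PHP opening tag.

```python
import os
import sys

# Extensions commonly mapped to the PHP handler (assumed list; extend for your server).
SCRIPT_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".pht"}
PHP_TAG = b"<?php"

def contains_php_tag(path, chunk=1 << 20):
    """Stream the file so large media is scanned end to end without loading it whole."""
    tail = b""
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            if PHP_TAG in (tail + block).lower():
                return True
            tail = block[-(len(PHP_TAG) - 1):]  # keep overlap for tags split across reads
    return False

def audit_uploads(uploads_dir):
    """Return sorted (relative_path, reason) for files that do not belong in uploads."""
    findings = []
    for dirpath, _dirs, files in os.walk(uploads_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, uploads_dir)
            # Check every dotted segment: "photo.php.jpg" can still be executed
            # where the server maps handlers by any extension in the name.
            exts = {"." + part.lower() for part in name.split(".")[1:]}
            if exts & SCRIPT_EXTS:
                findings.append((rel, "script extension"))
            elif contains_php_tag(path):
                findings.append((rel, "PHP code inside a non-script file"))
    return sorted(findings)

if __name__ == "__main__":
    # Point this at the local FTP copy of wp-content/uploads, not the live site.
    for rel, reason in audit_uploads(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason}: {rel}")
```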
Audit Your Database
Get access to your database and review it for unusual entries.
Things to look for:
- Unusual tables
- Unusual users in the wp_users table
- Unusual entries in the wp_options table
I’m sorry I cannot be more specific, you need an understanding of the WordPress tables and what plugins you have installed to spot issues.
Re-Check after a couple of days
Re-check your site after a couple of days. You may have missed a back door, and your site can get re-infected.
Do A Post Mortem
Shout at your hosting company: ask them to analyse your logs and to identify how the hackers got in. Many of the hack attacks I have fixed recently have been because of poor hosting security; the hackers found a back door in the hosting setup and infiltrated many sites. If it was an issue with hosting, consider migrating to a new company.
Check your logs to look for unusual activity, and try to see how they got in.
Secure your system
Once the hack attack and its payload are gone, you need to secure your system, but that is for another post. Please subscribe to my RSS feed or join my mailing list to be informed when that post is available.
Do You Still Need Help?
I offer a WordPress hack recovery and security review package. I would love to help you solve your WordPress hacked issue.