Dealing with a hacked WordPress website isn’t all that fun. Trust us, we know.
WordPress is one of the most popular platforms upon which to power websites of all shapes and sizes. It’s an open source content management system, which is part of the reason it’s so insanely powerful: there’s an entire, global community constantly building on it and improving functionality. But the fact that it’s open source also means security vulnerabilities are a constant concern.
A report by security researcher Daniel Cid showed that nearly 17,000 WordPress websites had been hacked in 2016. Sucuri also reported that 78% of reported hacked websites in the first quarter of 2016 were powered by WordPress. This is not to say that you should avoid WordPress at all costs when starting your website. In fact, you should seriously consider it, but you have to be aware that there are risks when customizing it by adding plugins and themes.
If you believe your WordPress website has been hacked, it is important to remain calm, as there are many different things you can do to save your website.
Make sure you’re really dealing with a hacked WordPress
There are many clues that can tell you if your website has been breached by a hacker or is infected with malware. We’ve come up with a checklist that will help you identify a hack:
- Has Google or any other search engine blacklisted your website for being insecure (you can check this by going to Is My Website Penalized or Banned from Adsense to see your status)?
- Do any illegitimate links or text appear on your website?
- Are visitors being redirected to another website when they visit your WordPress website?
- Does the “Red Screen of Death” appear warning visitors that your website has malware?
If you answered yes to any of these questions there is a good chance that your website has been compromised.
First, you’re going to want to use a malware inspection tool like the one offered by Sucuri, a company that cleans hacked websites and offers protection plans as well. If you use their free Site Checker, it’ll give you a clearer idea of whether or not your website has been compromised. However, because their software is free and remote, they cannot guarantee 100% accuracy.
There are also many security plugins that you can use to scan your website for intrusions. Here are some of the best free plugins that we would recommend for your website:
All of these plugins give you the ability to scan your site for file changes and potential threats attacking your website. If you own multiple websites make sure to scan them all for malware, as one of the leading causes of reinfection is cross contamination.
You’ll also want to see if any of your core files have been changed or modified. These files should never be modified, so if you see any changes there is a chance they have been tampered with. Most of these plugins will check the core files for you and give you a detailed report.
Remove malicious code from your hacked WordPress
If you find that your website has been hacked, it is important to remove the malicious code as quickly as possible. The longer your website is affected, the more your online credentials will be tarnished. If you have a daily backup service then your work is going to be easy: just go back to a version of your website from before it was hacked. If you don’t have a backup, don’t worry, there is still plenty you can do, but we do suggest getting some form of a backup service for any future issues.
If getting your website up and running is an emergency you can try a service like SiteLock 911. SiteLock 911 is a one-time payment service where your website is immediately scanned and the malicious code is removed as soon as it’s found. Once your website has been cleared of all malicious code, your clean files are reloaded back onto your website, so that you can resume your business as soon as possible.
If your files have been infected, many of the plugins we listed can fix the issue quite quickly. You can also remove the hack manually, which is more tedious and subject to reinfection, but doable. If you are removing the hack manually just be sure to NOT overwrite your wp-config.php file or wp-content folder.
Most of the plugins we suggested handle the removal of a hack in a similar fashion to one another. Once the plugin has found corrupt files, you simply follow the steps of the plugin and restore the files back to their original form before they were hacked. If you had any custom files, replace them with fresh versions or a backup version you have from before your website was hacked.
For manual removal, you’ll want to make a backup of your website before making any changes, just in case you delete the wrong thing and break your WordPress website. Find any changed files on your website and confirm the date those changes were made with the user who made them. Any changes that go unconfirmed are probably hacked files and should be restored with copies from the official WordPress repository.
For files that are not on the official WordPress repository, you’ll have to open them up in text form and remove any suspicious pieces of code. After you have finished, test your website to make sure that it is still functional.
Some common functions that show up in malicious code, and that you’ll want expunged from your website, include base64_decode, eval, str_replace, preg_replace and gzinflate. These are standard PHP functions that legitimate plugins and themes also call, so what you are looking for is code you did not put there, typically hidden or obfuscated. If you find any of these hidden in your files, make sure to remove them.
You’ll also want to remove any users that are unfamiliar to your WordPress website, as there is a good chance that they are the hacker. Also, reset passwords for any user accounts that may have been compromised during the hack.
Once the hack has been removed make sure that there are no backdoors installed that the hacker can use to reinfect your WordPress website. Sucuri describes backdoors by saying, “Often backdoors are embedded in files named similar to WordPress core files but located in the wrong directories. Attackers can also inject backdoors into files like wp-config.php and directories like /themes, /plugins, and /uploads” (Sucuri Guides).
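As an added example (not code from the original article or from Sucuri), the Python script below turns the function list and the backdoor description above into a triage scan: it flags eval() wrapped directly around a decoder, PHP files under the uploads directory, and core file names sitting outside the site root. The short list of root-only file names and the sample site it builds are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Function names the article lists; on their own they are weak signals.
LISTED = ("base64_decode", "eval", "str_replace", "preg_replace", "gzinflate")
# Stronger signal: eval() wrapped directly around a decoder call.
CHAIN = re.compile(r"eval\s*\(\s*(?:gzinflate|base64_decode)\s*\(", re.I)
# Core file names that belong only in the WordPress root (assumed short list).
ROOT_ONLY = {"wp-config.php", "wp-login.php", "wp-settings.php"}

def scan_tree(root):
    """Return sorted (relative_path, reason) findings for PHP files under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*.php"):
        rel = path.relative_to(root)
        text = path.read_text(errors="replace")
        if CHAIN.search(text):
            findings.append((rel.as_posix(), "eval-decoder chain"))
        if rel.parts[:2] == ("wp-content", "uploads"):
            findings.append((rel.as_posix(), "PHP file in uploads"))
        if path.name in ROOT_ONLY and len(rel.parts) > 1:
            findings.append((rel.as_posix(), "core file name in wrong directory"))
    return sorted(findings)

def listed_functions(text):
    """Listed function names called in text; a hit needs human review."""
    return [f for f in LISTED if re.search(r"\b%s\s*\(" % f, text)]

def build_sample_tree(root):
    """Constructed sample site: two clean files, three suspicious ones."""
    files = {
        "wp-config.php": "<?php define('DB_NAME', 'example');",
        "wp-content/plugins/ok/ok.php": "<?php echo str_replace('a', 'b', $title);",
        "wp-content/themes/t/functions.php": "<?php eval(gzinflate(base64_decode('CONSTRUCTED')));",
        "wp-content/uploads/2016/03/img.php": "<?php // constructed placeholder",
        "wp-includes/js/wp-config.php": "<?php // constructed placeholder",
    }
    for rel, body in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in scan_tree(tmp):
            print(f"{reason}: {rel}")
```

The clean plugin file in the sample also calls str_replace, which is why `listed_functions` is kept separate from the findings: a bare function name is a prompt to read the file, not a verdict.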
Protecting your WordPress website
Once you’ve removed malicious code from your WordPress website you’ll want to ensure that your website is not hacked again. The first step you will want to take is to update all of your plugins and other software, as out-of-date software is one of the leading causes of hacks. Next, reset all of your passwords just in case the hacker found their way in through one of your old passwords.
Finally, if you can afford some extra security you may want to consider purchasing it or even upgrading to the premium version of a plugin you’ve installed. Another thing everyone should have for their website is an automated backup. An automated backup can make getting rid of a hacker much quicker by changing to a version you had before the hack.
Once you have your website secure and under control again, you can contact search engines to have them check your website and have it taken off their blacklist. Finding out your website has been hacked is a scary process, but with a calm and collected mind, you can get rid of the hack quickly and efficiently.
As of March 2016, Google had reported that over 50 million website users had been notified with some form of warning that a website they were visiting contained malicious software or was trying to steal their information. Hacks are a common occurrence in the world of WordPress; you just need to be prepared for it when it happens.