When your WordPress website is hacked, you can lose your search engine ranking, expose your readers to viruses, have your reputation tarnished by redirects to erotic sites or other bad-neighborhood sites, or, worse, lose all your site data. Therefore, it is crucial to know how to clean a hacked WordPress site.
If your website is a business, then security should be one of your main tasks.
That’s why it’s vital that you have a good WordPress hosting company. If you can afford it, definitely go for the best managed WordPress hosting.
If you have multiple WordPress sites on the same server, we recommend scanning all of them (you can also use SiteCheck to do this). Cross-site contamination is one of the main causes of re-infection. We encourage website owners to isolate each site in its own hosting and web account.
Some issues do not show up in the browser. Instead, they live on the server (for example backdoors, phishing pages, and server-based scripts).
Check your WordPress core files
Most core WordPress files should never be modified. You need to check for integrity issues in the wp-admin, wp-includes, and root folders.
The fastest way to confirm the integrity of your WordPress core files is to use the diff command in the terminal. If you are not comfortable with the command line, you can check your files manually via SFTP.
If nothing has been modified, your core files are clean.
You may want to use an FTP client to quickly check for WordPress malware in content directories like wp. We recommend using FTPS/SFTP/SSH instead of unencrypted FTP.
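The core-file integrity check described above can be scripted. The following is an added example, not part of the original article: it assumes you have unpacked a clean copy of the same WordPress version next to the site, and the function names and the demo tree are constructed for illustration.

```sh
#!/bin/sh
# List core files of a tree: root-level files plus wp-admin/ and wp-includes/.
core_files() {
    (cd "$1" && {
        find . -maxdepth 1 -type f
        find ./wp-admin ./wp-includes -type f
    } ) | sed 's|^\./||' | LC_ALL=C sort
}

# core_diff CLEAN SITE: report core files that differ from the clean copy.
core_diff() {
    clean=$1; site=$2
    core_files "$site" | while IFS= read -r f; do
        [ "$f" = wp-config.php ] && continue   # site-specific, not shipped in core
        if [ ! -f "$clean/$f" ]; then echo "ADDED $f"
        elif ! cmp -s "$clean/$f" "$site/$f"; then echo "MODIFIED $f"
        fi
    done
    core_files "$clean" | while IFS= read -r f; do
        [ -f "$site/$f" ] || echo "MISSING $f"
    done
}

# Build a small constructed tree (not a real WordPress install) for the demo.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/clean/wp-admin" "$d/clean/wp-includes" \
             "$d/site/wp-admin" "$d/site/wp-includes"
    for t in clean site; do
        echo '<?php // login'   > "$d/$t/wp-login.php"
        echo '<?php // version' > "$d/$t/wp-includes/version.php"
        echo '<?php // admin'   > "$d/$t/wp-admin/index.php"
    done
    echo '<?php // loader'   >  "$d/clean/wp-includes/load.php"        # deleted on site
    echo '<?php // tampered' >> "$d/site/wp-admin/index.php"           # modified
    echo '<?php // dropped'  >  "$d/site/wp-includes/class-cache.php"  # added
    echo '<?php // config'   >  "$d/site/wp-config.php"                # ignored
    echo "$d"
}

tree=$(demo_tree)
core_diff "$tree/clean" "$tree/site"
rm -rf "$tree"
```

Any ADDED or MODIFIED line under wp-admin or wp-includes deserves a manual look, since nothing in those directories is meant to be customized.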
Search for recently modified files
New or recently modified files can be part of the hack. You can identify hacked files by checking whether they were recently modified, following these steps.
How to manually check recently modified files in WordPress:
- Log in to your server using an FTP client or an SSH terminal.
- If you use SSH, you can use the following command to list all files modified in the last 15 days:
- $ find ./ -type f -mtime -15
- If you use SFTP, view all files on the server in the last modified date column.
- Note the files that have been recently modified.
How to check recently modified files using terminal commands on Linux:
In your terminal, type:
$ find /etc -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r
If you want to include directories as well, type in your terminal:
$ find /etc -printf '%TY-%Tm-%Td %TT %p\n' | sort -r
Unknown changes in the last 7-30 days may be suspicious.
See the Google Diagnostics page
If your WordPress website has been hacked and blacklisted by Google or other website security authorities, you can use their diagnostic tools to check the security status of your site.
How to check Google’s transparency report:
- Visit the Safe Browsing Site Status website.
- Enter your website URL and search.
- On this page you can check:
- Site security details: information about malicious redirection, spam, and downloads.
- Testing details: the most recent Google scan that found malware.
If you have added your site to any of the free webmaster tools, you can view your website’s security ratings and reports. If you do not already have an account with these free monitoring tools, we strongly recommend that you register at:
- Google Webmaster Central
- Bing Webmaster Tools
- Yandex Webmaster
- Norton Safety Network
Steps to Clean Hacked WordPress Site
Now that you have information about the location of the malware, you can remove it and restore your site to a clean state.
The best way to identify hacked files in WordPress is to compare the current state of the site with an old, known-clean backup. If a backup is available, you can use it to compare the two versions and determine what has been modified.
Some of these steps to clean your WordPress website require web server and database access.
If you are not familiar with manipulating database tables or editing PHP, seek help from a professional incident response team member who can completely remove the WordPress malware.
1. Clean hacked WordPress files
If the malware infection is in your core files or plugins, you can fix it manually. Just don’t overwrite your wp-config.php file or wp-content folder, and make sure you make a full backup beforehand.
Custom files can be replaced with fresh copies or a recent backup (if it is not infected). You can use any malicious payloads or suspicious files found in the first step to remove the hack and clean your WordPress website.
How to manually remove a malware infection from a WordPress file?
- Log in to your server via SFTP or SSH
- Create a backup of the WordPress website before making changes.
- Identify files that have recently changed.
- Confirm the change date with the user who changed them.
- Restore suspicious files with copies from the official WordPress repository.
- Use a text editor to open any custom or premium files (those not in the official repository).
- Remove any suspicious code from the custom file.
- Try to verify that the website can still run after the changes.
Note: Manually removing “malicious” code from files on your site can be extremely dangerous for the state of your site and your computer. Do not perform any action without a backup. If you are not sure, ask a professional for help.
2. Clean hacked database tables
To remove a malware infection from the WordPress database, connect to the database using your database administration panel. You can also use database search-and-replace or administration tools.
How to manually remove a malware infection from WordPress database tables?
- Log in to the database administration panel.
- Back up the database before making changes.
- Search for suspicious content (e.g., spam keywords, links).
- Open the table that contains suspicious content.
- Manually delete any suspicious content.
- Try to verify that the website can still run after the changes.
- Delete any database access tools that you uploaded.
- Beginners can use the payload information provided by the malware scanner. Intermediate users can also manually look for common malicious PHP functions such as eval, base64_decode, gzinflate, preg_replace, str_replace, etc.
Note that these functions are also used by plugins for legitimate reasons, so be sure to test your changes or get help so that you do not accidentally break your site. Data is not always easy to replace when working with database records, especially if it is in the wp_options table.
3. Secure WordPress user account
If you notice any unknown WordPress user on your site, delete them so that hackers no longer have access through them.
We recommend that you have a single administrator user and set other user roles for tasks that a person should perform (that is, contributors, authors, editors).
How to manually remove suspicious WordPress users:
- Back up the site and database before proceeding.
- Log in to WordPress as an administrator and click Users.
- Locate the new suspicious user account.
- Hover over the suspicious user and click Delete.
Remove hidden backdoors on your WordPress website
Hackers always leave a way back into your site. More often than not, we find multiple backdoors of various types on hacked WordPress sites.
Usually, a backdoor is embedded in a file named like a WordPress core file but located in the wrong directory. Attackers can also inject backdoors into files like wp-config.php and into directories such as wp-content/themes, wp-content/plugins, and wp-content/uploads.
The PHP functions that backdoors commonly rely on can also be used legitimately by plugins, so be sure to test any changes: you could break your site by removing benign functions, or leave it infected by not removing all of the malicious code.
Most of the malicious code we see on WordPress websites uses some form of encoding to prevent detection. Apart from premium components that use encoding to protect their authentication mechanisms, it is very rare to see encoding in the official WordPress repository.
It is vital that all backdoors are closed to successfully stop a WordPress hack, otherwise your site will soon be re-infected.
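The backdoor traits described above (PHP in the uploads directory, core file names in the wrong directory, and encoded code) can be turned into a first-pass scan. The following is an added example, not part of the original article; the tag names, function names and demo files are constructed, and every hit is a lead for manual review rather than proof of infection.

```sh
#!/bin/sh
# scan_backdoors ROOT: print "TAG path" leads found under a WordPress root.
scan_backdoors() {
    (
        cd "$1" || exit 1
        # PHP files under uploads/, which should hold media only.
        find wp-content/uploads -type f -name '*.php' 2>/dev/null |
            LC_ALL=C sort | sed 's/^/PHP_IN_UPLOADS /'
        # Core file names that belong in the site root, found inside wp-content/.
        find wp-content -type f \( -name wp-login.php -o -name wp-load.php \
            -o -name wp-settings.php -o -name wp-config.php \) 2>/dev/null |
            LC_ALL=C sort | sed 's/^/CORE_NAME_IN_CONTENT /'
        # Calls the article names as typical of encoded payloads.
        grep -rlE --include='*.php' \
            '(eval|gzinflate|base64_decode)[[:space:]]*\(' wp-content 2>/dev/null |
            LC_ALL=C sort | sed 's/^/ENCODED_CODE /'
    )
}

# Constructed demo site: inert marker files only, no working payloads.
demo_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/2020/01" "$d/wp-content/themes/demo" \
             "$d/wp-content/plugins/contact"
    : > "$d/wp-content/uploads/2020/01/photo.jpg"
    echo '<?php echo "x";' > "$d/wp-content/uploads/2020/01/cache.php"
    echo '<?php // fake login' > "$d/wp-content/themes/demo/wp-login.php"
    echo '<?php eval(base64_decode($d)); // inert marker' \
        > "$d/wp-content/themes/demo/functions.php"
    echo '<?php echo str_replace("a", "b", $s);' \
        > "$d/wp-content/plugins/contact/form.php"
    echo "$d"
}

site=$(demo_site)
scan_backdoors "$site"
rm -rf "$site"
```

preg_replace and str_replace are left out of the pattern on purpose: they appear in almost every legitimate plugin and would bury the useful hits.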
Remove Malware Warnings
If you are blacklisted by Google, McAfee, Yandex (or any other webspam authority), you can request a review after your WordPress site has been cleaned and the hack has been fixed.
How to remove malware warnings on a website?
- Call your hosting company and ask them to remove the suspension if your website has been suspended by your hosting provider.
- You may need to provide details about how you removed the malware.
- Fill out a review request form for each blacklisting authority.
- That is, Google Search Console, McAfee SiteAdvisor, Yandex Webmaster.
Protect your WordPress website from future hackers
In this final step, you will learn how to fix the problems that caused your WordPress site to be hacked in the first place. You will also take the necessary steps to improve the security of your WordPress website.
Update and reset configuration settings
Obsolete software is one of the main causes of infection. This includes your CMS version, plugins, themes, and any other type of extension.
How to manually apply updates in WordPress?
- Log in to your server via SFTP or SSH.
- Back up your website and database (especially custom content).
- Manually delete the wp-admin and wp-includes directories.
- Replace wp-admin and wp-includes using copies from the official WordPress repository.
- Manually delete plugins and themes and replace them with copies from official sources.
- Log in to WordPress as an administrator, and then click Dashboard > Updates.
- Apply any missing updates.
- Open your website to verify that it works correctly.
Reset User Password
It is vital that you change the password of all access points to your WordPress website. This includes WordPress user accounts, FTP/SFTP, SSH, cpanel, and your database.
You must reduce the number of administrator accounts for all systems to an absolute minimum. Practice the principle of least privilege: give people only the access they need, and only for as long as they need it.
A good password is built around three components: complexity, length, and uniqueness. It is said that remembering multiple passwords is too difficult.
Generate new secret keys
WordPress uses browser cookies to keep user sessions active for two weeks. If an attacker has a session cookie, they will retain access to the site even after the password has been reset. Force active users off by resetting the WordPress secret keys.
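One way to reset the secret keys from the shell, shown as an added example that is not part of the original article: it rewrites the eight key and salt constants in wp-config.php with fresh random values, which invalidates every existing login cookie. The function names and the sample config are constructed; the values here are 64 hex characters from /dev/urandom. Back up wp-config.php outside the web root before running it on a real site.

```sh
#!/bin/sh
# The eight secret key and salt constants defined in wp-config.php.
WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

new_secret() {   # 32 random bytes from the kernel CSPRNG, as 64 hex characters
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# rotate_wp_keys FILE: give every constant in WP_KEYS a fresh value.
rotate_wp_keys() {
    cfg=$1
    for k in $WP_KEYS; do          # refuse to touch a file that lacks a key
        grep -q "^[[:space:]]*define([[:space:]]*['\"]$k['\"]" "$cfg" || {
            echo "missing $k in $cfg" >&2; return 1; }
    done
    tmp=$(mktemp) || return 1
    for k in $WP_KEYS; do
        v=$(new_secret)
        sed "s/^[[:space:]]*define([[:space:]]*['\"]$k['\"].*/define( '$k', '$v' );/" \
            "$cfg" > "$tmp" || return 1
        cat "$tmp" > "$cfg"        # rewrite in place: keeps owner and file mode
    done
    rm -f "$tmp"
}

# key_value FILE NAME: print the current value of a define() constant.
key_value() {
    sed -n "s/^define( '$2', '\(.*\)' );\$/\1/p" "$1"
}

# Constructed sample config with the default placeholder phrases.
demo_config() {
    f=$(mktemp)
    { echo "<?php"; echo "define( 'DB_NAME', 'example_db' );"
      for k in $WP_KEYS; do
          echo "define( '$k',   'put your unique phrase here' );"
      done
    } > "$f"
    echo "$f"
}

cfg=$(demo_config)
rotate_wp_keys "$cfg" && cat "$cfg"
rm -f "$cfg"
```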
It is best to reinstall all plugins after a hack to make sure they are functional and free of malware remnants. If you have deactivated plugins, we recommend that you remove them completely from the web server.
Premium plugins will have to be reinstalled manually as their code is not available in the official WordPress repository.
WARNING: Be careful not to touch wp-config or wp-content, as this may break your site!
We recommend manually deleting and replacing the core files instead of using the update feature in the wp-admin panel. This ensures that all malicious files added to the core directories are accounted for. You can delete the existing core directories (wp-admin, wp-includes) and then manually add those same core directories back.
Hardening a server or application means taking steps to reduce the attack surface, that is, the entry points available to attackers. WordPress and its plugins are harder to hack when you take these steps.
Set up a backup for your WordPress website
Backups function as a safety net. Now that your WordPress site is clean and you have taken some important post-hack steps, make a backup! Having a good backup strategy is at the heart of a good security posture.
Here are some tips to help you with a WordPress backup:
- Location: Store WordPress backups offsite. Never store backups (or earlier versions) on your server; they can be hacked and used to compromise your real website.
- Automation: Ideally, the backup solution should run automatically at a frequency that suits your website's needs.
- Redundancy: The backup strategy must include redundancy, that is, backups of your backups.
- Testing: Test the recovery process to confirm that the site works properly.
- File types: Some backup solutions exclude certain types of files, such as videos and archives.
Scan your computer
Have all WordPress users run a scan with a reputable antivirus program on their operating system.
WordPress can be compromised if a user with an infected computer has access to the dashboard. Some infections are designed to jump from a computer into a text editor or FTP client.
You should have only one antivirus actively protecting your system, to avoid conflicts. If the computer of a WordPress dashboard user is not clean, your website can easily be re-infected.
Using a Web Site Firewall
Trying to keep up is a challenge for administrators. Website firewalls were invented to provide a perimeter defense system around WordPress sites. Advantages of using a website firewall:
Prevent future hacking attacks
The website firewall protects your site from infection by detecting and stopping known hacking methods and behaviors.
Virtual Security Update
Hackers quickly exploit vulnerabilities in plugins and themes, and unknown vulnerabilities (known as zero-days) are always emerging. A good website firewall patches the holes in your website software even if you have not applied security updates.
Stop brute force attacks
The website firewall should prevent anyone from accessing your wp-admin or wp-login page if they shouldn’t be there, making sure they can’t use brute force automation to guess your password.
DDoS Attack Mitigation
A distributed denial of service attack attempts to overload server or application resources. By detecting and blocking all kinds of DDoS attacks, the website firewall ensures that your website is available if attacked by a large number of fake accesses.
Most WAFs provide caching for faster global page speed. This keeps your visitors happy and has been proven to reduce bounce rates while improving site engagement, conversion rates, and search engine rankings.
At ServerGuy, we offer managed WordPress hosting services where it is our job to protect your site and clean it if it is hacked. Just drop a comment or contact us via mail, call, or chat.