Clean up a WordPress hacked site requires hard works as well as deep knowledge about it. If your WordPress site has been hacked, you can follow this step by step and video to clean it up.
Table of Contents
- WordPress Hacked: The Signs
- What to do if your WordPress site is hacked?
- How to keep your WordPress site from being hacked?
- How to remove Google unsafe site warning?
- How to scan malware on Linux VPS?
WordPress Hacked: The Signs
To indicate whether or not your site has been compromised, you need to look around the site with the different signals.
I hold the selective list contain most common insignias, it would assist you in debugging and narrow down the possibilities.
High CPU, RAM, and average load
This is the most common favor to show that your website has been attacked.
Provided that your website has malware, it will use your resource to send the spamming emails or attack other websites, given rise to the abuse of resources.
To avoid the false positive, you would need to monitor the numbers in an amount of time, to make sure your evaluation correct.
WordPress Redirect Hack & Spam Pages
This kind of attack is becoming a regular method in recent years.
Instead of exhausting your hosting resources and got cleaned up by webmaster, it would leverage your website as the spam traffic.
The malware after has been uploaded to your hosting, it will create the spam pages with random slugs, those pages will be indexed by search engines.
So that when the visitor searches and click on the result, they will be redirected to the spamming site, instead of your website.
Other variants of this malware might randomize all the traffic to your website at a rate, i.e 50/50 of the visitor will be redirected to spamming website from your site.
Hidden backlink and iframe
This type of malware serves the same SEO purpose as the spamming page above, your site will look normal as usual.
In fact, it would downrank your website, no matter how hard you put the works into it.
The hacker will use your website to provide the backlinks to other harmful websites, such as drug, pharmaceutical, casino, gambling.
They also embed the tiny iframe into your website to increase traffic for their pages.
Looking at the user list under the WordPress dashboard, you might notice several users with administrator role, whom you couldn’t identify.
It is easy to understand! Since the hacker put a script to create the random user with the highest role, and from that, they can do whatever they want to your site!
What to do if your WordPress site is hacked?
If your website has the problem or looks like the issues that I have listed above, you need to clean up the site.
Here are the 9 steps to fix the WordPress hacked site, it’s easy to follow, as long as you read carefully one by one.
Step 1: Backup Source code & Database
Already knew that your site had been hacked, so whatever you do on the website, it won’t help you eliminate the root cause.
As for how police quarantine & examine the crime scene, you need to backup everything on your website as the .zip file and download it to your computer.
To backup your website, we will install a backup plugin. I personally recommend “Duplicator” plugin, I have used it since its first releases.
Here’s the video that shows you how to use the plugin:
Step 2: Extract the backup files
Given the malware affected and expanded to most of the files, so you don’t know what file do delete or clean up.
So, our method will replace all the core files, plugins, and themes. We only keep the uploads folder since our images will be there.
After download the .zip backup file, we will extract the file on the computer under /hackedsite folder and start to check the source code.
Step 3: Reinstall hacked WordPress core
You can download the latest WordPress version from this URL: https://wordpress.org/latest.zip
When the downloading completed, you can follow this step to start cleaning up the site.
- Extract the latest WordPress version to a new folder
Let’s extract the downloaded WordPress to another location, different from the hacked WordPress site.
- Config the new wp-config file
On the new & clean source, you will rename the wp-config-sample.php file to wp-config.php
Then, you should create the new database, copy the credentials to the new wp-config.php file. (Because the hacker might copied your old database connection, so reuse it will make your WordPress site can be hacked again)
Step 4: Reinstall & upgrade themes
This step, we will reinstall the theme you’re running for the site.
On the hacked WordPress source that we downloaded, it might have more than one theme, but we should only download the theme we use. The unused theme might have the vulnerability and we wouldn’t know.
The best way to reinstall the theme is download the theme from origin sources.
It can be where you bought the theme, or from WordPress.org repository if it’s the free theme.
Do not use the nulled WordPress theme, never, you will regret very soon.
Step 6: Reinstall & upgrade plugins
For each plugin you are having, you should download the latest version manually from the original source, i.e from the author’s page or WordPress.org repository.
The downloaded plugins should be extracted and put into /wp-content/plugins/ folder, where the new source of WordPress located.
You should not use the outdated plugins, that has been update in the recent years.
If you have to use that outdated plugin, you should check if the plugin has any security issues.
You can check here: https://www.cvedetails.com/
Step 7: Clean up Uploads folder
To clean up WordPress upload hacked folder, we need to use the 3rd software to scan.
Do not rely on the online scanning service like VirusTotal or so, it might detect the generic malware, but not the deep ones, which has been covered from many layers.
You should scan the uploads folder with the antivirus software, such as Kaspersky or ESET NOD32.
Those antivirus can scan better and delete the files for you too.
After scanning and sift out the hacked files, you will copy
Step 8: Upload & Import Database
So, we have been through several cleaning steps, include: WordPress core files, reinstall plugins and themes, scan and remove malware on uploads folder.
Now, we will compress the new source with almost everything is clean, and upload the files to your hosting again.
After re-uploading completed, you can delete all the files from your root folder and extract your new file.
The final step you should do is delete all the tables from the current database, and import the backed up database into the current database.
Step 9: Recheck the entire website after cleaning malware
At this point, you website is up and running again, you can recheck your website if anything goes wrong.
The most common cases happen after the cleanup process completed might caused by:
- Your outdated plugin/theme does not compatible with the latest WordPress version
- The antivirus might delete the important files
How to keep your WordPress site from being hacked?
It might not 100% sure that after malware removal your website won’t be attacked again.
Because at the time your WordPress site hacked, the attacker copied your login cookie, and they could use that cookie to login to your site again without any password or account.
Time needed: 10 minutes.
Here’s the checklist you should do to prevent your WordPress site from being attacked again.
- Change the password for all the administrator password
You should change all the passwords with the stronger passphrase to secure your site.
After changing the password, you should click on the button “Log out from other sessions“.
This will make the older cookies version erased, and the hacker will not be able to login to your site again.
- Delete strange administrator accounts
Inspect and delete all the administrator that you couldn’t recognize, to make sure no one is left, as the administrator can install the plugins, edit files…
- Install the antivirus plugin, such as Wordfence or Sucuri
They’re the best in this field.
Do not use the strange antivirus plugins or the ones that unpopular, antivirus require a lot of works and knowledge with a dig database of malware samples.
- Disable edit files
You should disable the Edit Theme and Plugin feature, which might allow the attacker to include malware or modify your source from right on the WordPress dashboard.
To disable edit files, you just need to paste the following line into your wp-config.php file.
define( ‘disallow_file_edit’, true );
- CHMOD wp-config.php file to 400
After all the configuration, and the site is up and running again. You should set the permission (CHMOD) of the wp-config.php file to 400 to prevent hackers can’t edit your wp-config.php file after this.
- Stop .php files from running in uploads folder
You should prevent the .php files from excuting in /wp-content/uploads folder.
To prevent, you can use the Nginx config part or .htaccess
- Block WordPress brute-force login attack
If you are using Cloudflare to speed up your WordPress site, you can take advantage of Cloudflare’s firewall to protect your site from brute-force login attacks.
At the Firewall tab of Cloudflare, you can add this new firewall rule.
It will block all the visits outside US to your wp-admin page or wp-login.php page.
((http.request.uri.path contains “/xmlrpc.php”) or (http.request.uri.path contains “/wp-login.php”) or (http.request.uri.path contains “/wp-admin/” and not http.request.uri.path contains “/wp-admin/admin-ajax.php” and not http.request.uri.path contains ” /wp-admin/theme-editor.php”)) and ip.geoip.country ne “US”
That’s it, with only 6 steps, you will harden your website after hacked, and the possibility of hacked again will be minimized to the smallest chance.
How to remove Google unsafe site warning?
In some cases, when your WordPress site was hacked for a long time and you didn’t know, Google Chrome will mark your website as unsafe. Like this
To remove Google unsafe site warning and got your site running again on Chrome, you should following these steps:
- Go to https://www.google.com/webmasters/tools/security-issues
- Select the website that being marked as unsafe
- Submit the review form
How to scan malware on Linux VPS?
In some cases, where you wan to double-check again the source file, you can refer to these tools to scan your source code.
Using open source software
You can use the following repository to download the malware scanner and start scanning your system.
- PHP Malware Finder: https://github.com/jvoisin/php-malware-finder
- PHPStan: https://github.com/phpstan/phpstan
- PHP-Vulnerability-Scanner: https://archive.codeplex.com/?p=phpvulnhunter
The scanning doesn’t have to source code of website, you can scan the other files, i.e the /tmp folder on your VPS, to check if it has any problem.
Using VPS command line
If you do not know how to use the tools above, you can paste the following command into your SSH and copy the file paths, and checking them out manually.
find /path-to-your-root-folder/wp-content/uploads/ -type f -not -name ".jpg" -not -name ".png" -not -name ".gif" -not -name ".jpeg" >uploads-non-binary.log
grep --include=*.php -rn . -e "base64_decode"
grep --include=*.php -rn . -e "eval"
So, we have been through a lot of works, from finding whether your site was hacked to cleaning up the WordPress site, to strengthen your website after hack.
I hope you got some insights about these WordPress hacked fix stuffs.
If you have any tips to share, just leave the comment at the form below.
You also can take a look at how to optimize your WordPress website speed with my previous article, cheers!