WordPress Hacked: What To Do?
Has your WordPress site been hacked, and are you unsure what to do next? This guide is for you. We will go through the exact steps you need to take to restore your WordPress website to the way it was, covering the entire cleanup process for a hacked WordPress site.
Just calm down
Okay, this might sound too obvious, but it is the first thing you should do. When your WordPress site is hacked, as the owner, you might be worried and under a lot of stress. Staying calm helps you avoid taking any wrong steps. We will be sharing a complete guide that you can use to recover your website. You don’t need to worry about anything. Just make sure you follow all the steps carefully.
Analyze and note it down
The next thing that you will have to do is analyze the complete website and make a note about all the things.
How did you know the website is hacked? You need to note the same things down.
- Whether it shows the wrong password
- The website is redirecting to someplace else
- It shows the virus
- Some unusual activities are seen
- The number of visible actions taken such as change of the page, the addition of theme/plugin/widget, etc.
Once you know all this, you need to note the before and after date and time. The first date/time is when you were able to access the website without any issues and the next time is when you came to know about the WordPress hacked issue.
Try to be as brief as possible in the documentation. Whether you are planning to do the recovery yourself or you are planning to hire a team to do it, either way, having a document will be useful. So, make sure you note all the things in the documents.
Now, we will see how you can recover it yourself.
Fix and get the dashboard running
Before you get into any recovery procedure, you will need to get your dashboard running. We will do some of the things from the WordPress panel. So, if you are not able to login to your WordPress dashboard, you need to get it back.
You can easily change the password from cPanel. You can also change it from the site software that you used to install WordPress. For instance, if you use Softaculous, you can change the password directly by going to “All installations” and changing it there.
Once you do it, you need to delete the themes and plugins that you didn’t install. If you see any new theme or plugin, you need to remove it.
Further, if the homepage is changed, make sure you change it back to the regular one.
This was the manual change that you will have to do. Once you have done the manual check, it’s time to analyze it in-depth.
Backup the current and restore the previous
You will need a backup of the current version of WordPress. So, you can take the complete backup of your current WordPress installation (Backup of hacked WordPress). You can easily backup from your panel and save it locally on your computer. Alternatively, you can save it on cloud storage. Make sure you don’t save the backup in the same server; you will need to store it in a different location than your original one. So, if possible, download the copy and keep it in your local machine.
The next step is to restore the previous backup. Now, if you are taking regular backups, there won’t be any problem. For instance, if you are taking daily backups, and you haven’t updated your website for 2 days, you can easily restore the newest backup. If you know the date and time when the website was hacked, it would be far easier for you to do so.
In most cases, restoring the previous version will solve all your problems. However, you will still need to find out why you ended up in the “WordPress hacked” situation.
Scan the website
Your next job will be to scan the entire website for viruses and malware. Many security plugins are available in the WordPress theme directory. You can use one of the plugins to scan the entire website.
Some of the popular security plugins to fix WordPress hacked issue are
You can use one of these tools to check if the website has any of the vulnerabilities. All of these are WordPress plugins. So, you will have to install one of these plugins and check the website for vulnerabilities. Make sure you only install one tool. If two plugins are installed together, they might conflict and you will end up crashing your website.
It will scan the entire website and will show the infected files that need to be fixed. If there is an option to fix it directly, you can do it from there. If not, you can just note down the names and paths of the infected files.
Further, you can also use remote-based scanners such as the Sucuri Site check and Virustotal.
After the scans, it will give you all the warnings and infected files. You will now have to note down the location of all the infected files. Also, make sure you understand the warning message and copy the message in your document.
Check the log files and hosting company
Your hosting company will have a complete log of the actions taken on your WordPress website. You can simply check the log file. The log file is located in the home directory of your website. You can see the changes and take the steps accordingly. Make sure you note it down on your document as we will fix it later on.
In the same way, it is always a wise decision to contact your hosting provider and explain the entire issue to them. Their support team will help you out.
Now, we will begin our journey to fix WordPress hacked website.
Replace the core files
You will have to replace the core WordPress files to remove the malware and viruses. In simple language, you will have to reinstall WordPress without losing any data.
To do that, you can simply head over to your WordPress updates. You can go to Dashboard > Updates. Inside it, you will see an option to reinstall WordPress. Just click on it and WordPress will be reinstalled.
In this way, all the core files will be replaced with the new one.
Run virus scanner from cPanel
Most WordPress users will be on cPanel, so we will talk about it first. Inside cPanel, there is a virus scanner. Even if you are using another panel, you will see an option to scan the server space for viruses.
You can run the virus scanner in the entire home directory. Please note that even if your website is infected, it is recommended that you run the scanner for all the websites. Depending on the size of the hosting, it will take some time.
For cPanel, you can even close the window. It is running on the server-side and hence, you don’t need to keep the tab open to see all the notifications.
Once the entire process is completed, you will see the list of all the files that are infected. There will be an option to fix these files. You can click on it and it will start fixing the files.
If the fix is successful, you can proceed to the next step. However, if the tool was not able to fix all the files, you will have to fix the infected files manually. This brings us to the next point: fixing the infected files manually.
Manually fix the infected files
Now you have a complete list of all the files that are infected, whether they were found by the cPanel virus scanner or by the plugins that we previously mentioned. Your job is to fix the infected files that are not yet fixed.
So, you need to open all the files from your cPanel one by one. To open a file, right-click on it and hit the “Code edit” button. It will open the code of the file. Have a look at the code and see if there is any encrypted code. Words or lines that don’t have any meaning and are just a jumble of letters are encrypted code.
Just remove the encrypted code. Repeat the same procedure for all of the files.
Alternatively, you can replace it with the original one. For instance, if the infected file is from the WooCommerce plugin, you can download the WooCommerce plugin from the WordPress directory and you will get all the fresh files. Just replace the infected files with the fresh one. If you have done some custom coding, you might lose it. So, it is always a good option to keep the backup of the file.
Once you have done replacing or fixing all the files, you need to rescan the entire website to be sure that nothing is wrong and everything is safe. So, just run a rescan from cPanel as well as from the WordPress plugin.
If you still find infected files, repeat the same procedure, or take the same file from a previous backup.
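The "replace it with the original one" approach can be checked by hashing the installed plugin folder against a freshly downloaded copy. The following is an added example, not code from the original guide; it assumes the fresh copy is the same version as the installed one, and the function names and sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_tree(root):
    """Map each file's relative path to the SHA-256 of its contents."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_with_fresh(installed, fresh):
    """Classify installed files against a fresh copy of the same plugin."""
    have, want = hash_tree(installed), hash_tree(fresh)
    return {
        # Same path, different content: injected code or your own custom edits.
        "modified": sorted(f for f in have if f in want and have[f] != want[f]),
        # Present on the site but not shipped with the plugin.
        "extra": sorted(f for f in have if f not in want),
        # Shipped with the plugin but deleted from the site.
        "missing": sorted(f for f in want if f not in have),
    }

def demo():
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        fresh, installed = Path(tmp, "fresh"), Path(tmp, "installed")
        for base in (fresh, installed):
            base.mkdir()
            (base / "a.php").write_text("<?php echo 1;\n")
        (fresh / "b.php").write_text("<?php echo 2;\n")
        (installed / "b.php").write_text("<?php echo 2;\n/* appended line */\n")
        (fresh / "c.php").write_text("<?php echo 3;\n")
        (installed / "cache").mkdir()
        (installed / "cache" / "x.php").write_text("<?php // unknown file\n")
        return compare_with_fresh(installed, fresh)

if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

Files listed as "modified" may also be your own custom coding, so review them against your backup before overwriting.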
Remove the backdoors
If an attacker has hacked your WordPress site, there are good chances that they have left a backdoor. A backdoor is a way using which the attacker can enter your website again or get the data without you knowing. It is just like the back door for your website.
Don’t worry, it looks technical, but we will give you the easiest way to do it. There are some common PHP functions that backdoors use. Here they are:
- preg_replace (with /e/)
Now, you need to search for all these functions one by one in your code. You can either use the cPanel search to do it or you can download the code and open it in IDE.
There is a small catch. Some of the plugins also use the same functions. So, you will have to keep checking the website and see if it is functioning properly.
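The search described above can be scripted against a downloaded copy of the site. This is an added example, not part of the original guide: the `preg_replace` /e rule comes from the list above, while the other function names and the 200-character threshold for a "jumble of letters" are assumptions chosen for the example, and the sample files are constructed.

```python
import re
import tempfile
from pathlib import Path

RULES = {
    # Named on the page: preg_replace() whose pattern carries the /e modifier.
    "preg_replace_e": re.compile(
        r"""preg_replace\s*\(\s*(['"])(.)(?:\\.|(?!\2).)*\2[a-zA-Z]*e[a-zA-Z]*\1"""),
    # Assumptions added for this example (not taken from the page's list).
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "gzinflate": re.compile(r"\bgzinflate\s*\("),
    # A long unbroken encoded run, i.e. the "jumble of letters".
    "long_encoded_run": re.compile(r"[A-Za-z0-9+/=]{200,}"),
}

def scan_php_tree(root):
    """Return (relative path, line number, rule name) for every match."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            for rule, rx in RULES.items():
                if rx.search(line):
                    findings.append((path.relative_to(root).as_posix(), lineno, rule))
    return findings

def demo():
    """Scan a small constructed tree: one ordinary file, one suspicious file."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp, "plugin")
        plugin.mkdir()
        # Ordinary preg_replace use without /e must not be reported.
        (plugin / "clean.php").write_text(
            "<?php\n$t = preg_replace('/\\s+/', ' ', $t);\n")
        (plugin / "odd.php").write_text(
            "<?php\n@preg_replace('/.*/e', $payload, '');\n"
            "$x = base64_decode('" + "QUJD" * 60 + "');\n")
        return scan_php_tree(tmp)

if __name__ == "__main__":
    for hit in demo():
        print(*hit)
```

Because legitimate plugins call some of these functions too, treat each hit as a line to read, not as proof of a backdoor.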
Change the passwords
The next task is to change your passwords. If you find any new users in the Users panel, delete them, especially the ones with admin access. This is the most basic step, so most of you might have already done it. Make sure you change the password and use a strong password this time.
Secure your website
Lastly, you need to make sure that your website doesn’t get hacked again. To make sure that doesn’t happen, install a good security plugin and take regular backups. Not to mention, you need to use strong passwords to protect yourself from the attackers. Moreover, if you are an agency or a business and have sensitive information on your website, you should get a WordPress maintenance service that will also include security. In this way, you will be more secure and your data will be safe.
Also, keep your local system secure and safe. If your website is hacked, you should also scan your local machine to make sure that it is safe. There are chances that hackers might have hacked into your system and then got into your website. It is always the best decision to scan your local system with the antivirus.
To conclude, that’s pretty much it. Make sure you keep the website safe and secure. Also, follow all the steps even if you have restored the previous version directly from the backups. Lastly, use a popular security plugin. Also, set the login limits and change the WordPress login URL. In this way, your website will be fully secure as compared to regular ones.