How to Clean a Hacked WordPress Site

A hacked WordPress site isn’t a subject most WordPress site owners want to think about. But hacks are a real issue, impacting over 30,000 websites every single day.

If your WordPress website falls prey to a hack, what are the exact steps you should take to thoroughly clean it and get it back to functioning in a normal way? Is your hacked site now completely useless, or can it be recovered? Let’s dive in.

Introducing Kathy Zant, WordPress Security Expert

Recently, WordPress security expert Kathy Zant hosted a live webinar for iThemes, showing exactly how to clean a hacked WordPress site.

Kathy Zant has been working in the world of WordPress for over a decade. And her experience in WordPress security, especially as it relates to cleaning infected sites, is second-to-none.

Beyond her experience in WordPress security, Kathy has also worked in a marketing capacity for a number of different brands in the WordPress space. Additionally, she’s been an organizer for WordCamp Phoenix and WordCamp US.

She currently resides in Texas, where she can routinely be found hanging out with her horses and walking her Golden Retrievers.

“What we’re going to talk about first of all,” Kathy says, “is how do you know that your website has been hacked? What are some of the signs? What are the first steps you should take as soon as you even have a suspicion that you’ve been hacked?”

She goes on to say, “How do you devise a strategy, a fast and easy way to get your site cleaned up? And after it is cleaned, I’m going to show you how to get your site secured. And also provide some key tips on how to recover the reputation of your site, which is also extremely important.”

In this comprehensive guide, we’ll unlock the key points from Kathy Zant’s live webinar on cleaning hacked WordPress websites. By the end, you’ll know exactly what you need to do should you ever find yourself the victim of a hacked WordPress site.

How Do You Know When Your WordPress Site Has Been Hacked?

First of all, it’s important to understand that just because your site is broken doesn’t necessarily mean that there has been a hack or intrusion by a malicious actor. But you do need to identify if a hack has taken place.

What exactly is the problem with your site? What specifically is going on? What are the indications that you have a problem on your hands?

Here are a few things to look for if you suspect your WordPress site has been hacked:

  • Files on your server or in your WordPress installation that should not exist (this one requires a fair amount of knowledge to know with certainty).
  • Files that have recent modification dates. If all of the files in your wp-includes directory have a modification date of 2022-01-12 and one of them has a modification date of 2022-06-02, then you should be highly suspect of that recently-modified file.
  • Strange requests in your access logs. This could point you towards the file used to modify your site’s files.

The specifics of the problem you’re seeing will automatically begin to inform you of what it is you need to do to resolve it.
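To make the modification-date check concrete, here is an added Python example (not from the webinar or iThemes) that groups the files under a directory by modification date and reports the ones that don’t share the dominant date. The sample wp-includes tree and its timestamps are constructed to match the dates above.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

def mtime_date(path):
    """Return a file's modification date as YYYY-MM-DD (UTC)."""
    return datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc).strftime("%Y-%m-%d")

def find_mtime_outliers(directory):
    """Return files (relative to directory) whose modification date differs from the dominant one.

    Files unpacked from the same release share a modification date, so in a
    directory like wp-includes the few files touched months later stand out."""
    directory = Path(directory)
    dates = {p: mtime_date(p) for p in directory.rglob("*") if p.is_file()}
    if not dates:
        return []
    common_date, _ = Counter(dates.values()).most_common(1)[0]
    return sorted(str(p.relative_to(directory)) for p, d in dates.items() if d != common_date)

def build_sample_tree():
    """Construct a throwaway wp-includes tree with one suspiciously newer file (constructed data)."""
    root = Path(tempfile.mkdtemp()) / "wp-includes"
    root.mkdir()
    release = datetime(2022, 1, 12, 12, tzinfo=timezone.utc).timestamp()   # date on the release files
    tampered = datetime(2022, 6, 2, 12, tzinfo=timezone.utc).timestamp()   # the one file touched later
    for name in ("version.php", "functions.php", "pluggable.php", "class-wp.php", "load.php"):
        (root / name).write_text("<?php\n// placeholder core file\n")
        os.utime(root / name, (release, release))
    os.utime(root / "load.php", (tampered, tampered))
    return root

if __name__ == "__main__":
    for path in find_mtime_outliers(build_sample_tree()):
        print("review recently modified file:", path)
```

A core update rewrites every file in wp-includes, so treat a lone later date as a lead to investigate, not as proof of tampering.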

Now, if you have a current backup of your site, you’ll certainly want to restore your site from the backup immediately. The BackupBuddy plugin is the perfect solution for always having current backups.

In that case, your fix will be quite simple.

But if there are no current backups, you’re basically heading into recovery mode sight unseen, and it’s going to be your job to clean the site.

Kathy explains, “Imagine somebody comes to you. They’ve got a hacked site, and their web developer is missing in action. The very first thing you want to do is backup the hacked site.”

“The reason why is that we want to preserve the evidence of the hack exactly as we found it. Basically, we want to create a backup if you’re able to get to WP Admin. Simply load the BackupBuddy plugin and make sure you backup everything, including the database.”

And you’ll want to save the backup onto a location that’s off the website’s current server because you’ll want to get the entire site away from the compromised server.

Once that’s complete, it’s time to devise a strategy. What exactly is the site doing?

Is it:

  • Redirecting site traffic to a bad neighborhood?
  • Infecting the devices of site visitors when they click on links embedded in the site?
  • Stealing customer credit card numbers with a card skimmer in the WooCommerce installation?
  • Causing general harm on the internet?

If it is, you’ll want to put an immediate stop to that by taking the site completely down. Then, put up a “coming soon” page.

After that, ask your hosting provider to suspend the site. Some hosts will suspend a site automatically if they notice an indication of compromise and suspect that the site has been hacked.

Getting Started With Cleaning a Hacked WordPress Site

After this, you’ll want to head to the site’s cPanel and take everything under the public_html folder, zip it, and download it onto the hard drive of your local workstation. The reason you want to clean every file under public_html is that you need to assume that everything is completely infected.

Next, open the version.php file under wp-includes; it shows the version of WordPress the site is using. The current version of WordPress is 6.0, but there’s a chance the site hasn’t been updated in a while.

We want to build a clean version of the site based on the version that it’s currently using. So if it’s using an earlier version, download the zip file for that particular version, then begin building out a clean version of the site with that fresh download.

Next, you’ll need to determine what themes are installed on the hacked site. Let’s say that the site has Kadence plus the Twenty Twenty, Twenty Twenty-One, and Twenty Twenty-Two themes. If the site is still up and functional, simply log into wp-admin and check which theme is active.

You’ll also want to see what version of the theme is being used. To do that, go down to the “readme” and it’ll indicate the version in use.

In the theme files, find the stable tag that matches the version your particular theme is running. Then, go to the theme’s version repository, where you’ll find all of the different versions of the theme that are available.

If the site isn’t using the most current version of the theme, download the exact version it is using.

The same rule holds true for plugins. When you go into any plugin in your site’s plugin list and navigate to Advanced View, simply scroll down to the bottom to find the version of the plugin.

Of course, there’s a chance that your site is compromised due to a vulnerable plugin. But even if that’s the case, you’re still going to want to build out the site exactly as it is, including the vulnerable plugin.

This will help show us exactly where the malware exists on the hacked site.

What’s most important is that you want to start out your clean site exactly where it currently sits. Then, use a tool such as UltraCompare that will quickly show you what has gone wrong with the site. This is a great tool and has a free version that you can use for 30 days.

From here, you’ll be building out a clean site that matches up with your hacked site. The UltraCompare tool will show you exactly what doesn’t match, so the hacked site can be properly cleaned.

Devise Your Plan of Attack

Next, you’ll need to take a guess on the intrusion vector. It could inform you of exactly where to look for the existence of malware:

  • Is there a current attack campaign happening?
  • How long has the website been infected?
  • Which themes and plugins are in need of an update?

You can now devise your plan of attack. Make sure to remove the most dangerous pieces first, in the following order:

  1. Change all passwords
  2. Remove all spam links
  3. Remove backdoors
  4. Patch all vulnerabilities
  5. Remove malicious redirects

Once you’re confident that all of the dangers have been removed from the site, you can head back to your site’s cPanel and upload the clean site files to restore your website.

Now it’s time to get the site fully secured so that any potential hacks in the future will be quickly thwarted.

To secure your site:

  • Remove any unrecognizable admin users (or set them to subscriber-only)
  • Change all admin/editor passwords
  • Change FTP password
  • Change hosting account password
  • Change the WordPress database password and update your wp-config.php file
  • Change the wp-config.php salts
  • Check settings to ensure “anyone can register” is only set to subscriber
  • Install the iThemes Security plugin and activate its intrusion-detection settings
  • Make sure backups are running on a schedule
  • Test backups

As Kathy explains, “You’re definitely going to want to install iThemes Security and activate the settings that’ll inform you if the site ever gets any type of intrusion happening, ever again. And make sure to activate two-factor authorization for all of your administrative users.”

She goes on to say, “You’re going to want to secure the site in every way that you can. Run a site scan on iThemes Security to scan for vulnerable themes, plugins, and WordPress core versions. Just make sure that everything’s OK.”

“And turn on Version Management. This will be your first line of defense if another intrusion ever happens again. Then make sure you’ve got the BackupBuddy plugin installed, and test your backups. Make sure your backups are being sent off of the server, and test them to make sure that you’re able to restore them.”

“Make sure that all of the SQL files for the database are also there, and ensure your backups are all happening on a schedule.”

Recovering Your Site’s Reputation After a Hack

Simply cleaning and restoring your hacked WordPress site won’t automatically restore the reputation of the site. In fact, there are several things you’ll need to do to make sure that Google and the other search engines don’t continue to penalize your site after it’s been hacked and cleaned.

Often, the first sign you’ll have that your site has been hacked is that Google informs you of the situation. In order to see how Google is currently viewing your site, head to the Google Search Console.

First, if you find any extraneous Sitemaps in the Search Console that shouldn’t be there, or seem to be putting out spam links, you’ll want to delete those immediately.

You may also find a Google site verification file in the root of the WordPress directory that gave the hacker access to your site’s Search Console. In Search Console, go to Settings and look closely at the ownership verifications and sitemaps to see if any illegitimate entries have been set up there.

After this, you’ll want to take a look at any security issues that exist in the Search Console. If the big red screen of doom and gloom from Google is currently being shown, you’re going to see some big flags in the Search Console under Security Issues.

And this is where you will request that Google reviews your website now that it’s been cleaned.

“Now, when it comes to Google AdWords,” Kathy explains, “you may have the cleanest site in the world, but Google AdWords might still be telling you that there’s a problem. The key here is just to keep trying with them. Sometimes, they’re looking at different things than you are, but you know the Search Console is only going to help you out with AdWords’ sometimes-deceptive site warnings.”

Many of your site users may also be running Norton or McAfee antivirus software on their devices. Because of this, it’s also important that you work with those companies to clear any blacklists that your site may have landed on after it was hacked.

Additionally, if your site has been sending out spam, you’ll need to clear its reputation with Spamhaus. Spamhaus lists the site’s IP address, so you’ll need that address in order to clear the reputation of that address with Spamhaus.

Every one of these steps is important to restore your site’s reputation after a hack.

Hacked WordPress Website Cleanup Checklist

Let’s dive into Kathy’s full checklist for how to clean a hacked WordPress site. You can also download it here.

Step 1: Planning the Cleanup

  • Is the site actually infected? Yes / No / Maybe
  • Create a backup of the hacked site. (Yes, even the malware.)
  • Download the backup of the site files, the database, and your log files to your computer.
  • Determine if the site needs to be made unavailable.
    1. Is it redirecting site visitors or using server resources? Is it under active attack? Take it down.
    2. Just spam links and not under active attack? You can likely leave it up.
  • Take a guess on the intrusion vector; it might inform you of where to look for malware.
    1. Is there a current attack campaign?
    2. How long has the site been infected?
    3. What plugins/themes need an update?
  • Devise your plan of attack, in this order. Remove the most dangerous pieces first.
    1. Remove malicious redirects
    2. Remove backdoors
    3. Patch vulnerabilities
    4. Change passwords
    5. Remove spam links
  • Note:
    • WordPress core version number:
    • Active Theme:
    • Inactive Themes:
    • Active Plugins:
    • Inactive Plugins:

Step 2: Hacked Website Cleaning Process Checklist

  • Download WP core version that matches infected site
  • Compare downloaded clean site files to hacked site files
    1. Compare directories
    2. Build clean copy of wp-content
      • All active plugins
      • Active theme (and child theme) 
    3. Look for any php files in wp-content/uploads/ (other than blank index.php files)
    4. Fully review your .htaccess file manually
    5. Fully review your wp-config.php file
  • Review your WordPress database. We’ll clean this after we clean the files, using phpMyAdmin.
    1. wp_posts table
    2. wp_options table
    3. Check for any malicious users (wp_users)
    4. If you’ve got malware in your wp_posts:
      • Use the WP-Optimize plugin to optimize your database and remove post drafts and deleted posts. (This just reduces the amount of data you have to clean.)
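The comparison step from the process above and from this Step 2 checklist, as an added Python example (not the webinar’s or UltraCompare’s code): it reads $wp_version from wp-includes/version.php, hashes every file in the clean release and in the hacked copy to list added, modified and missing files, and flags PHP under wp-content/uploads that isn’t a blank index.php. The two directory trees are constructed placeholders, not real WordPress files.

```python
import hashlib
import re
import tempfile
from pathlib import Path

def wp_version(site_root):
    """Read $wp_version from wp-includes/version.php so the matching clean release can be fetched."""
    text = (Path(site_root) / "wp-includes" / "version.php").read_text()
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", text)
    return m.group(1) if m else None

def _hashes(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_trees(clean_root, hacked_root):
    """Report what the hacked copy adds, changes or lacks relative to a clean release."""
    clean, hacked = _hashes(Path(clean_root)), _hashes(Path(hacked_root))
    return {"added": sorted(set(hacked) - set(clean)),
            "modified": sorted(f for f in hacked if f in clean and hacked[f] != clean[f]),
            "missing": sorted(set(clean) - set(hacked))}

def php_in_uploads(site_root):
    """List PHP files under wp-content/uploads, ignoring index.php files that contain no code."""
    root = Path(site_root)
    hits = []
    for p in (root / "wp-content" / "uploads").rglob("*.php"):
        body = re.sub(r"<\?php|\?>|//[^\n]*|/\*.*?\*/", "", p.read_text(), flags=re.S).strip()
        if p.name == "index.php" and not body:
            continue  # the blank "silence is golden" placeholder is expected
        hits.append(str(p.relative_to(root)))
    return sorted(hits)

def build_sample_site(tmp=None):
    """Construct a tiny clean release and a hacked copy of it (placeholder data, not real WordPress)."""
    base = Path(tmp or tempfile.mkdtemp())
    clean, hacked = base / "wordpress", base / "public_html"
    for root in (clean, hacked):
        (root / "wp-includes").mkdir(parents=True)
        (root / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '6.0';\n")
        (root / "wp-includes" / "functions.php").write_text("<?php\nfunction wp_ok() {}\n")
        (root / "index.php").write_text("<?php\nrequire 'wp-blog-header.php';\n")
    # the hacked copy: one core file altered, one file no release ships, PHP dropped in uploads
    (hacked / "wp-includes" / "functions.php").write_text("<?php\nfunction wp_ok() {}\n// injected line\n")
    (hacked / "wp-includes" / "wp-tmp.php").write_text("<?php\n// not part of any release\n")
    uploads = hacked / "wp-content" / "uploads" / "2022" / "06"
    uploads.mkdir(parents=True)
    (uploads / "index.php").write_text("<?php\n// Silence is golden.\n")
    (uploads / "image.php").write_text("<?php\necho 'placeholder';\n")
    return clean, hacked

if __name__ == "__main__":
    clean, hacked = build_sample_site()
    print("WordPress release to download:", wp_version(hacked))
    print(compare_trees(clean, hacked))
    print("PHP in uploads:", php_in_uploads(hacked))
```

Run it with the clean release unpacked as the first argument and the downloaded public_html as the second; every entry under "added" and "modified" is a file to read by hand before it goes into public_html_clean.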

Place the cleaned site files back on the server and swap it.

  1. Using the BackupBuddy plugin, upload the rebuilt public_html_clean at the same level as your public_html directory
  2. Rename public_html to public_html_hacked
  3. Rename public_html_clean to public_html

Step 3: Securing the Cleaned Website Checklist

Immediately after swapping the hacked site out, it’s time to secure the site. 

  1. Remove any unrecognizable admin users (or set them to subscriber only)
  2. Change all admin/editor passwords
  3. Change FTP password
  4. Change hosting account password
  5. Change the WordPress database password and update your wp-config.php file 
  6. Change the wp-config.php salts
  7. Check settings to ensure “anyone can register” is only set to subscriber
  8. Enable two-factor authentication for all admin users
  9. Enable iThemes Site Scan to scan for vulnerable plugins, themes & WordPress core versions
  10. Turn on Version Management with automatic vulnerability patching
  11. Turn on File Change Detection
  12. Make sure backups are running on a schedule
  13. Test backups

Step 4: Restoring a Hacked Website’s Reputation

Once the site is cleaned and secured, restore the site’s reputation.

  1. Google Safe Browsing
  2. From Google Search Console, request a review. Expect a 24-hour turnaround. Visit:
    1. https://support.google.com/webmasters/answer/168328?hl=en 
    2. https://www.google.com/webmasters/tools/security-issues 
  3. Go to Google and do a search for “site:example.com” to see what Google sees.
  4. McAfee 
  5. Norton
  6. Spamhaus if your site has been sending out spam

Additional Website Cleanup Steps

  • Review log files to find out how they got in.
  • Ensure your site is the only WordPress installation in the hosting account. If you have other sites, they could be an intrusion vector if you aren’t securing them too. 
  • For anyone with admin access, ensure software is updated and passwords are secured
    • Secure computers
    • Secure email accounts
    • Secure social media accounts
    • Secure cellphones
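As an added example of the log review (constructed sample lines, not from the webinar), this Python snippet parses Apache combined-format access log entries and flags requests for PHP files under wp-content/uploads, POSTs to scripts that shouldn’t receive them, and hits on files you already marked as recently modified. The IP addresses and paths are constructed test data.

```python
import re

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# scripts that legitimately receive POSTs on a stock WordPress site (wp-admin/* is also allowed)
EXPECTED_POST = {"wp-login.php", "wp-comments-post.php", "xmlrpc.php", "wp-cron.php"}

# constructed sample lines in Apache combined log format (TEST-NET addresses, not real traffic)
SAMPLE_LOG = """
203.0.113.7 - - [02/Jun/2022:03:14:07 +0000] "GET /wp-login.php HTTP/1.1" 200 2751 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jun/2022:03:14:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Jun/2022:03:20:41 +0000] "POST /wp-content/uploads/2022/06/image.php HTTP/1.1" 200 512 "-" "curl/7.68.0"
198.51.100.23 - - [02/Jun/2022:03:21:02 +0000] "GET /wp-includes/load.php?x=1 HTTP/1.1" 200 14 "-" "curl/7.68.0"
192.0.2.44 - - [02/Jun/2022:03:25:00 +0000] "GET /index.php HTTP/1.1" 200 8213 "-" "Mozilla/5.0"
""".strip().splitlines()

def parse_line(line):
    """Split one combined-format line into its fields; the query string is dropped from the path."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, when, method, target, status = m.groups()
    return {"ip": ip, "when": when, "method": method,
            "path": target.split("?", 1)[0].lstrip("/"), "status": int(status)}

def review_access_log(lines, suspect_files=frozenset()):
    """Return (ip, method, path, reasons) for requests worth a closer look.

    suspect_files holds site-relative paths you already flagged, e.g. core files
    whose modification date does not match the rest of the release."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path, reasons = rec["path"], []
        if path.startswith("wp-content/uploads/") and path.endswith(".php"):
            reasons.append("PHP executed from the uploads directory")
        if path in suspect_files:
            reasons.append("request to a recently modified file")
        if (rec["method"] == "POST" and path.endswith(".php")
                and path not in EXPECTED_POST and not path.startswith("wp-admin/")):
            reasons.append("POST to an unexpected script")
        if reasons:
            findings.append((rec["ip"], rec["method"], path, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for ip, method, path, why in review_access_log(SAMPLE_LOG, {"wp-includes/load.php"}):
        print(f"{ip} {method} /{path}: {why}")
```

The flagged entries give you the timestamps and client addresses to search for in the rest of the logs, which is usually how the first request of the intrusion is found.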

How to Prevent Your WordPress Site From Being Hacked

While there is no such thing as a 100% guaranteed secure site, there are some measures you can take to harden a site as much as possible.

1. Be very careful where you download plugins and themes.

Plugins and themes from shady sites can contain code that starts the ball rolling on a hack. There are even plugin and theme infections that automatically spread to every other plugin and theme on the site, so even if you cleaned one of them, it would be reinfected.

2. Don’t run outdated versions of WordPress, themes, or plugins.

Make sure that WordPress and all themes and plugins on your site are up to date. Delete deactivated plugins. Don’t leave them in the wp-content/plugins folder. Deactivated plugins are a potential security risk as these don’t often get updated. iThemes Sync Pro is a tool that allows you to manage multiple WordPress sites to update WordPress, themes, and plugins with one click.

3. Don’t be without a reliable WordPress backup strategy.

Back up your WordPress site often. Having a healthy full backup of your site is key. Keep an archive of several backup files. If disaster strikes, you will need a backup to restore your site (after the server is cleaned). Quick tip on backup files: run some test restores of your backup files every now and then.

Having a backup that you can’t restore is probably the worst thing that can happen (after being hacked). BackupBuddy enables you to set scheduled backups that will run unattended, and where backup files can be saved to a remote location. This should offer you peace of mind that you will always have a healthy backup file.

4. Use a reputable WordPress security plugin.

You can take action to make your WordPress site more secure. iThemes Security, a WordPress security plugin, allows you to secure your WordPress site. There are several ways you can prevent access to your WordPress dashboard, monitor for file changes, scan for malware, and so on.

5. Don’t use weak passwords.

Make sure you’re practicing WordPress password security by using long, complicated passwords. Activate WordPress two-factor authentication for an added layer of security.

6. Don’t forget to check in on your WordPress security from time to time.

Make it a habit to regularly evaluate your site’s safety situation, just as you check your vehicle’s oil level periodically. The iThemes Security plugin allows you to run a site scan to make sure you’re running recommended security settings. Make sure to harden WordPress with these 10 WordPress security tips.

7. Use a hosting company that specializes in WordPress.

Finally, make sure that you are hosting your site with a provider that understands the issues and risks with hosting WordPress sites such as Liquid Web’s Managed WordPress Hosting. You need a hosting provider that will do their best, from their (server) side, to provide a safe and well-secured hosting environment.

Cleaning a Hacked WordPress Website Like An Expert

Now that you understand how to recognize, clean, and restore the reputation of a hacked WordPress site, your next goal should be to ensure that this nightmare never happens again.

After all, even though your site is back up and running, consider the revenue that was lost during the unscheduled downtime.

There is no better step you can take to fully secure your WordPress site than to download, install, and activate every key feature of the iThemes Security Pro plugin. And for any unexpected attacks, make sure to run your backups on a schedule with BackupBuddy.

When these two plugins are used together, you’ll never need to worry about a hack taking down your website, ever again.

Watch the Webinar Replay: How to Clean Up a Hacked WordPress Site


The post How to Clean a Hacked WordPress Site appeared first on iThemes.