By
In blog

How to Clean a Hacked WordPress WebsiteHas your website been backed? Don’t worry; it happens. The most important thing is NOT TO PANIC and make any rash decisions. Anything can be fixed, especially by WordPress specialists in Toronto. Read on and find out what are the steps you should take when your WordPress website gets hacked:

1. Are you sure your WordPress website  has been hacked?

We have often received desperate phone calls from WordPress websites admins who complained about their website being hacked. In fact, their website was just displaying an unfamiliar behavior or receiving spammy comments. None of these are indicators of a website being hacked. On the other hand, if you notice something like this, your WordPress website has been, indeed, hacked, and it is time you took action:

  • The header or footer of your website display adverts for things that you do not recognize; most often, they are pornography, illegal services or drugs. You may see them displayed in a completely unaesthetic manner; sometimes, you may even encounter black text on a black background – even if you can’t see it or read it properly, search engines can and that’s the whole point of the hack.
  • When you search for your website in Google (i.e. type in “mybusiness.com”), the results show content that is unfamiliar to you and/or content that looks malicious.
  • Your users report that they have been redirected to malicious or spammy websites. In this case, you may wonder why you’ve never seen anything looking suspicious: it’s because the hack may detect that you are the admin and not spam you as a means to keep you uniformed. These are the most dangerous types of hacks and you should deal with them immediately.
  • Your hosting provider notifies you that your website has a malicious or spammy behavior. One classical example is that of your hosting provider receiving reports of spammy emails that contain a link to your website. In fact, the link may look like it sends people to your website; it actually sends them to another one that spammers want to advertise and use your good reputation to do so.

OK, now you know how to spot if you’ve really been hacked. If your WordPress issues fits one of the scenarios above, here’s what you can do:

2. Back up your WordPress website immediately

Many hosting providers will immediately delete your website if they receive reports that it has been hacked or if they detect this on their own. This is a normal safety measure and there is nothing you can do to stop them. Instead, what you can do is download a copy of the website immediately. You can use a backup system (most hosting providers offer one), a FTP or one of the many WordPress backup plugins. Backing up your files and your database are now your number 1 priority; otherwise, you will have to start everything from scratch.

3. Before starting the actual cleaning:

Even if you have a backup, you may not want to lose more of your website than it is absolutely necessary. Here are some rules to keep in mind when proceeding to clean your hacked WordPress website:

  • Deleting anything in the wp-content/plugins directory won’t (usually) cause you to lose data or harm your website any further. As the name says, this directory contains plugins and you can easily re-install them once your security issue has been fixed. However, you need to pay some attention and delete everything under a certain directory and the directory itself. If you only delete some files, your WordPress website may become inoperable.
  • In the wp-content/themes directory you typically have a single theme directory that is responsible for the look of your website. If you have more than one theme, you can easily delete all the ones you are not currently using without harming your website. Be sure you know what the current theme is, though! Also, if you have a “child theme”, this may take up more than one directory; deleting any of them will cause your website to become inoperable. This is a rare occurrence, but if you are not sure what you should be deleting, it is advisable to speak to a WordPress specialist rather than act on your own.
  • You can start your search for the malicious items that have infected your website in the wp-admin and wp-includes directories. It is very rarely that these directories have new files; if you find any, it is very likely that they are the source of your hack.
  • Be wary of old WordPress backups and installations. The majority of our clients believed that no harm could come to their website if they kept it up-to-date, had security plugins installed and did everything by the book. In fact, this behavior could be one of the infection sources: most developers use subdirectories like “old” to back-up all the site’s files – the problem is that such a subdirectory is accessible from the web and hackers can easily get in, infect the files and then use them as a backdoor to the main website. Ideally, you should never allow your old files to be accessible from the web; if you get hacked, search these files first as they are most likely to be the source of the infection.

4. Some useful tools for hackers’ victims

Sign in to SSH (if you have this type of server access) and run the command below to see every file that has been modified over the last few days. Please note that a dot indicates current directory; to find out what your current SSH directory is, type “pwd” – with no quotes):

find . -mtime -2 –ls

Alternatively, you can specify the directory:

find /home/yourdirectory/yoursite/ -mtime -2 -ls

Or search for files that have been modified during the last 10 days:

find /home/yourdirectory/yoursite/ -mtime -10 -ls

The best way to approach this is to gradually increase the period of time until you changed files start to pop up. If you can distinguish infected files from those you modified yourself (if you did no modifications recently, this should be easy), you can start manually editing them on your own. This is the safest and fastest way to cleanup an infected website – most professional WordPress website cleaning services use it.

Hackers typically use files that contain base64. You can search such files in your website using the “grep” tool in SSH:

grep -ril base64 *

Use the above command to list the file names. If you omit the “I” option, you can see the contents of every file where base64 occurs:

grep -ril base64 *

Use “grep” in combination with “find” in order to quickly see the files that were modified recently and those who contain a common string of text like: “a hacker was here”.

grep -irl "bad hacker was here" *

All you need are two simple command line tools and you can clean your infected WordPress website completely.

5. Cleaning your infected WordPress website with Wordfence

After this basic cleaning, you need to make sure that you did a good job and that there are no malicious files left behind. You can do this easily with a plugin like Wordfence; all you need to do is run a full scan of your website and the plugin will perform an advanced search. This is an important step because can detect infections that are new and unheard of; it uses Google Safe Browsing list to make sure that all you links are clean and data sources like SpamHaus to find malware that resides on your system.

This is what you need to do to get your website cleaned with Wordfence:

  • Upgrade to the most recent WordPress version
  • Upgrade all the themes and plugins you use to their most recent versions
  • Change all passwords, especially admin ones
  • Create a new backup and store it in a different place than the previous one – this is to help you preserve the updates you just made. If something goes wrong while you run Wordfence, you can simply restore the latest, improved backup.
  • From the options page of Wordfence, under “Scans to include”, make sure you select everything, even the files outside your WordPress installation. If the scan does not complete or takes too long, deselect this option, as well as “image file” and “high sensitivity” before trying again.
  • Work thoroughly through the list of files Wordfence deems as infected even if there are a lot of them.
  • Examine them all by hand, clean them or delete them – remember that you cannot undo deletions, though. However, you can always restore your latest backup if you delete something you shouldn’t have.
  • Plugin files, changed core and theme files should be examined thoroughly. Use Wordfence to determine what changes were made and if they look malicious, there is a Wordfence option to help you repair each file.
  • Run a new scan when the list is empty in order to confirm that the website is clean.

If you run into trouble, contact us; we’ll be happy to restore your website to safety. Our team of professionals in WordPress websites cleaning has yet to meet a problem they cannot fix. Alternatively, you can take a look at the FAQ list below and see if your issues match anything here:

Q: How can I tell if a file is suspicious or not?

A: E-mail us your file and we’ll analyze it for you. Better yet, if you don’t get a reply, then odds are it is infected and our mailing system (or yours) discarded it. If that happens, send us an email without the attachment and we’ll take it from there.

Q: What should I do if I have cleaned my infected WordPress site, but I still get the malware warning from Google?

A: This is happening because your website was not yet removed from the Google Safe Browsing list. Here’s how you can do that:

  1. Sign-in to Google Webmaster Tools
  2. Add your website
  3. Verify your website with the Google Site Verification Plugin
  4. Select your website on the Webmaster Tools home page
  5. Click the Site Status option and then the Malware one
  6. Click the Request a Review button

Q: What should I do if my visitors are still getting warnings from their anti-virus software and other security products?

A: This may require some strenuous work; even if you are no longer blacklisted by Google, there are still other services that have you marked as infected. Avira, McAffee, BitDefender, ESET – all these are major players in the anti-virus world and you should pay their websites a visit and follow their instructions for having your website removed from their blacklist.

Q: Can I manually check if my website is on Google’s Safe Browsing list?

A: Yes. Simply follow this link and replace “example.com” with your own URL: http://www.google.com/safebrowsing/diagnostic?site=http://example.com/

Q: What should I do once my website is clean?

A: You need to make sure that this will never happen again. Here are a few simple steps for that:

  • Always have WordPress and all the plugins and themes up to date. Old versions are the most susceptible to attacks.
  • Install a plugin like Wordfence and scan your website regularly. Some attacks cannot be seen with the “naked eye”.
  • Use strong passwords and change them regularly
  • Remove all old WordPress installations on your server.
Recent Posts