Discovering that your WordPress site has been hacked can be a distressing experience, but it's crucial to act quickly and systematically to mitigate the damage and prevent future security breaches. This article will guide you through the steps to take when your WordPress site has been compromised and offer recommendations to strengthen your site's security.

The process of restoring the site from a safe point or attempting to clean an infected website can be technical and time-consuming. We strongly recommend that you seek assistance from your website manager or web developer to complete these steps and any other steps they recommend.

Restore the Site to a Safe Point from a Clean Backup

The first step in addressing a hacked WordPress site is to restore it to a safe point from a clean backup. Regularly backing up your website is essential in such situations.

Generally speaking, we retain 21 daily backups and 2 end-of-month backups of all accounts hosted on our servers. To have your site or account restored from our backups, please open a ticket with our technical support department. Our team will then work on restoring your site within 24 hours. Learn more about our backups here: Do You Provide Backups?

If you have your own backups, follow these steps:

  1. Ensure your backup is from a date before the hack occurred and that it is complete and valid.
  2. Access your hosting control panel or use an FTP client.
  3. Remove all existing files and folders from the domain's document root (usually the public_html folder).
  4. Drop all tables from the database.
  5. Upload all files and the database from your clean backup.

Please note that if you restore the files and the database without removing the existing ones first, the malware infections will most likely remain in place, because the restore only overwrites files that exist in the backup and leaves any added files untouched. It's recommended to remove all existing data before performing a backup restore.

Install a WordPress Security Plugin

To enhance your site's security, consider installing a reliable WordPress security plugin. These plugins can help detect and prevent security threats, perform security scans, and provide other valuable features. Some popular security plugins include Wordfence, Sucuri Security, and iThemes Security.

Consider Using an Enhanced Web Application Firewall (WAF)

A Web Application Firewall (WAF) acts as an additional layer of protection for your website. It helps filter and block malicious traffic, including known and emerging threats. All our hosting services come with a WAF that includes a set of generic and custom attack-detection rules to protect your site from many known vulnerabilities and types of attack.

You can use a dedicated WAF service and integrate it with your hosting service. Popular options include SiteLock, Sucuri and CloudFlare.

Look for Unknown WordPress Admin Accounts

Hackers may create hidden administrator accounts to maintain control over your site. Check your WordPress user accounts and delete any suspicious or unknown admin accounts. Ensure that you change the passwords for all legitimate admin accounts as well.

Look for Unknown Email / FTP / MySQL Accounts, SSH Keys and Cron Jobs

Other backdoors that hackers often set up are email accounts, FTP accounts, MySQL accounts, SSH keys and cron jobs that automatically add the malicious files back after a cleanup.

In cPanel, please review the following sections for any unknown accounts, forwarders, keys and automated tasks:

  • Files -> FTP Accounts
  • Email -> Email Accounts
  • Email -> Forwarders
  • Security -> SSH Access
  • Advanced -> Cron Jobs
  • Databases -> MySQL Databases

Although it's less likely for other areas to be manipulated, if you want to make sure, you should also check for unknown email filters that forward emails to foreign email addresses, modified DNS records that point parts of your domain to foreign servers, forwarders for the default address, etc.

Change Passwords for WordPress, cPanel, FTP Accounts and MySQL Database

Changing passwords is a critical step and preventive measure in securing your website and hosting account. Update the passwords for your WordPress admin accounts, cPanel, FTP, and MySQL database credentials. Choose strong, unique passwords and consider using a password manager to keep track of them securely.

How to change or reset your passwords

Look for Other Hidden Backdoors

Hackers often leave hidden backdoors within your site to regain access later. These backdoors may be hidden in various places, such as your theme files, plugins, or even the database. A comprehensive security scan using a security plugin can help you detect and remove these backdoors.

Verify the WordPress Files Integrity

It's important to check the integrity of the WordPress core files by verifying them against their reference checksums from wordpress.org. If the checksums don't match, you can quickly reinstall the WordPress core files without affecting your site content.

WP Toolkit can verify the WordPress Core files and reinstall them with just a few clicks. Open cPanel and navigate to the WP Toolkit page, then click on the "Check WordPress Integrity" button, followed by the "Verify Checksums" button. If there are any files that have failed to pass the integrity check, please click on the "Reinstall WordPress Core" button.

If the integrity check reports "error_log" files, these can be ignored. These files are normally safe and contain the errors and warnings generated by WordPress and other scripts, but you may want to check their content with a text editor to make sure.
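As an added example (not the article's own code, nor WP Toolkit's), the following Python 3 script performs the same check from the command line: it reads the installed version from wp-includes/version.php, downloads the reference checksums from api.wordpress.org, and reports modified, missing and unexpected files, skipping error_log as described above. It assumes network access to api.wordpress.org and is run with the site's document root as its argument.

```python
"""Compare a WordPress install against the wordpress.org core checksums.
Added example (not the article's or WP Toolkit's code); the version is read
from wp-includes/version.php and the checksum API returns MD5 digests."""
import hashlib
import json
import re
import sys
import urllib.request
from pathlib import Path

CHECKSUM_API = "https://api.wordpress.org/core/checksums/1.0/"
IGNORED_NAMES = {"error_log"}  # the article says these reports can be ignored

def read_version(root):
    text = (Path(root) / "wp-includes" / "version.php").read_text()
    return re.search(r"\$wp_version\s*=\s*'([^']+)'", text).group(1)

def fetch_reference(version, locale="en_US"):
    with urllib.request.urlopen(f"{CHECKSUM_API}?version={version}&locale={locale}", timeout=30) as r:
        checksums = json.load(r)["checksums"]  # {"wp-admin/...": "md5hex", ...} or false
    if not checksums:
        raise SystemExit(f"no checksums published for {version}/{locale}")
    return checksums

def md5_of(path):
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def compare(root, reference):
    # modified/missing: reference files that differ or are gone;
    # unexpected: files in the core directories wordpress.org knows nothing about
    root = Path(root)
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, digest in reference.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif md5_of(p) != digest:
            report["modified"].append(rel)
    for core_dir in ("wp-admin", "wp-includes"):
        for p in (root / core_dir).rglob("*"):
            rel = p.relative_to(root).as_posix()
            if p.is_file() and rel not in reference and p.name not in IGNORED_NAMES:
                report["unexpected"].append(rel)
    return report

if __name__ == "__main__":
    site = sys.argv[1] if len(sys.argv) > 1 else "."
    for kind, files in compare(site, fetch_reference(read_version(site))).items():
        for rel in sorted(files):
            print(f"{kind}: {rel}")
```

Files listed as "unexpected" inside wp-admin or wp-includes deserve the closest look, since a stock install contains nothing there that wordpress.org does not know about.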

Please note that it's highly recommended to replace the plugin and theme files as well from their original source, but this needs to be done manually. If any themes or plugins store their settings in files, back up those configuration files manually first.

Update the WordPress Core

Outdated WordPress installations are more vulnerable to attacks. Regularly updating your WordPress core to the latest version is essential for security. You can update WordPress from your dashboard or using WP Toolkit:

How to update your WordPress site with WP Toolkit and Smart Update

Update All Plugins and Themes

Hackers often target outdated plugins and themes. Make sure to keep all your plugins and themes up to date. If you have inactive themes and plugins, it's a good practice to delete them to minimize potential security risks. Even if a plugin is deactivated, its files still exist in your hosting account, and a vulnerability in them may still be reachable by remote attackers.

Please note that premium/paid themes and plugins may need to be checked for updates and updated manually, as WordPress, WP Toolkit and Softaculous may be unable to update them. Check the documentation of your premium/paid themes and plugins for their update procedure, and bookmark or subscribe to the release log so you know when a new version is released. Many premium themes come with other premium plugins bundled; those can only be updated after you update the theme itself, so refer to the theme's documentation on how to update the bundled plugins.

For premium plugins that come bundled with themes, we generally recommend purchasing your own standalone license if possible. Theme vendors often stop maintaining a theme and no longer provide updates for the bundled plugins, which would prevent you from getting security updates for those plugins. Some theme vendors are also very slow in providing security updates for the bundled plugins. With your own standalone license for the premium plugin, you have access to security updates as soon as they're released, without having to rely on the theme vendor.

Only Have One Active Theme

Keeping multiple installed themes on your WordPress site can increase your vulnerability. Keep only the active theme and delete any unnecessary or unused themes. This reduces the potential attack surface.

Check the .htaccess File for Manipulations

Hackers sometimes add malicious rules to the .htaccess file (located in the document root directory, such as public_html). For example, your visitors could be redirected to malicious URLs, possibly in ways that are difficult to detect, such as redirecting only visitors that come from search engines or meet other targeted criteria.

To make sure no such manipulation is in place, verify that the .htaccess file has not been modified. This file most often contains a set of standard WordPress rules, but it can also contain various legitimate rules added by the installed plugins or themes, or by your web developer.

The default rules of a typical WordPress site look like this:

# BEGIN WordPress

RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

If you've enabled Multisite, you can find the default set of rules here: htaccess – Documentation – WordPress.org

Any other rules should be reviewed with caution and removed if they're suspicious, but please make sure to always save a backup of the file before applying any modifications.
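As an added example (not from the article), this Python 3 script separates the WordPress block from any other rules in .htaccess, compares the block with the default single-site rules shown above, and lists every other rule for manual review, marking the two patterns described above: conditions on the visitor's referrer or user agent, and rewrites or redirects that send visitors to an external URL. It assumes a single-site install; on Multisite, or where a plugin has legitimately changed the block, the "differs from the default" finding is expected.

```python
"""Shortlist .htaccess rules for manual review. Added example, not from the
article; assumes a single-site WordPress install and changes nothing."""
import re
import sys

DEFAULT_WP_BLOCK = [
    "RewriteEngine On",
    "RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]",
    "RewriteBase /",
    "RewriteRule ^index\\.php$ - [L]",
    "RewriteCond %{REQUEST_FILENAME} !-f",
    "RewriteCond %{REQUEST_FILENAME} !-d",
    "RewriteRule . /index.php [L]",
]
# Patterns the article warns about: conditions keyed on the visitor, and off-site redirects.
SUSPICIOUS = [
    (re.compile(r"RewriteCond\s+%\{HTTP_(REFERER|USER_AGENT)\}", re.I), "visitor-targeted condition"),
    (re.compile(r"(RewriteRule|Redirect(Match)?)\s.*\bhttps?://", re.I), "redirect to external URL"),
]

def split_htaccess(text):
    """Return (wordpress_block_lines, other_lines), ignoring blanks and comments."""
    inside, wp_block, other = False, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "# BEGIN WordPress":
            inside = True
        elif line == "# END WordPress":
            inside = False
        elif line and not line.startswith("#"):
            (wp_block if inside else other).append(line)
    return wp_block, other

def review(text):
    wp_block, other = split_htaccess(text)
    findings = []
    if wp_block != DEFAULT_WP_BLOCK:
        findings.append("WordPress block differs from the default rules")
    for line in other:
        reasons = [label for pat, label in SUSPICIOUS if pat.search(line)] or ["outside WordPress block"]
        findings.append(f"{', '.join(reasons)}: {line}")
    return findings

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else ".htaccess"
    with open(path, encoding="utf-8", errors="replace") as f:
        for finding in review(f.read()) or ["no findings"]:
            print(finding)
```

Legitimate rules added by plugins or your developer will also be listed; the script only shortlists lines for review and never edits the file.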

Isolate Sites onto Their Own Hosting Accounts

If you manage multiple websites, consider hosting each site on its own hosting account instead of hosting them under a single account. This isolation can prevent a security breach on one site from affecting others.

Why two businesses should not share one hosting account

Conclusion

Recovering from a hacked WordPress site can be a challenging process, but by following these steps, you can restore your site's security and prevent future attacks. Regularly monitoring and maintaining your website's security is key to keeping it safe from threats. Always stay informed about the latest security practices and consider seeking professional help if needed to secure your WordPress site effectively.

If you have a website manager or web developer, please ask them what additional steps they recommend taking.

Updated by SP on 08/03/2024
