WordPress Site Keeps Getting Hacked: 5 Causes & 3 Fixes

Finding out that your WordPress website got hacked is no fun, especially if it keeps happening. Loss of trust, as well as regulatory, financial, and legal ramifications (if you have user data), can potentially be crippling and best avoided. So, what causes WordPress sites to keep getting hacked, and how can we prevent it?

In this article, we will be looking at how to tell if your website has been hacked, what causes it, and different ways you can fix a hacked website.

Tell-tale signs your WordPress site has been hacked

It’s not always easy to tell that a website has been hacked. Security breaches can be so subtle that it takes an average of 200 days for companies to identify a breach. However, do not let this dishearten you. There are tell-tale signs that can help you understand whether there has been a security breach.

Changes in content

Unauthorized content changes that seemingly pop out of nowhere can be a sign of a hacked WordPress site. Having an activity log plugin such as our own WP Activity Log will enable you to better understand where those changes are coming from, including which user account made those changes, from which IP address, and what was changed, down to the last letter.

Google Search Console

If you are using Google Search Console, and Google has confirmed that your site has been hacked, you’ll see a warning message in the Security issues report. This can be found under Security & Manual Actions > Security issues.

Search Engine

Google will display a “This site may be hacked” message in the SERPs (Search Engine Result Pages) when it believes a breach has occurred.

Redirections

Your website randomly redirecting to another webpage is another sign of a hacked website. In some cases, the entire website will become unreachable. In other cases, links may be peppered throughout your website.

Typically, redirections will take visitors to malicious or spam websites, leading to further attacks or scams. Unknown redirections can also harm your SEO rankings.

Defacement

Defacement is a form of cyber-vandalism where bad actors add unwelcome elements to your website, including text, images, and code. This may be pure vandalism with no motive other than to cause embarrassment, but it could also be a competitor looking to discredit you.

Inability to log in

If your password suddenly stops working (and you’re sure you have entered the correct password), your site might have been hacked. Attackers always aim for the account with the highest privileges since this gives them the ability to manipulate more resources.

Drop in traffic

A drop in traffic can happen for many reasons, including a breach. Make sure there haven’t been any search engine updates that might have affected your SERP rankings, and if you have an activity log plugin, check for any content changes: what changed, and who made the changes.

Unknown user accounts

If new users you didn’t create start popping up on your WordPress site, chances are there has been a breach. Bad actors can create user accounts for continued access, typically aiming for accounts with administrator privileges.

How to fix hacked WordPress websites

There are multiple ways to fix a hacked website. Which route to take will depend on a number of things, including:

Backups: If you have backups, restoring your website from a backup is one option you should consider. You should follow a strict procedure to minimize the risk of further security breaches. Some technical expertise is required; however, our detailed procedure outlined below will hand-hold you every step of the way.

Clean website: If you do not have a backup to restore from, then cleaning your website is your best bet. While several tools and plugins can help you get there, it requires a more hands-on approach than restoring from a backup.

Call the professionals: If you’re uncomfortable dealing with a hacked WordPress site, consider calling the professionals. In the section below, we outline some of the options available but do keep in mind that this will require a greater financial outlay than the previous two methods.

Fix 1: Restore from backup

If you have been regularly backing up your WordPress site, restoring from a backup is one of the safest ways to fix a hacked website. Keep in mind that your website will be restored to the state it was in when the backup was taken. As such, you might lose some information if the website was updated after that.

The process listed below details how to restore from a backup. We take additional precautions to minimize the risk of any infections being carried forward to the restored site, just in case the backup we have is infected with malware.

Step 1: Put your website in maintenance mode

The first step is to put your site in maintenance mode. This creates a temporary page for visitors advising them that you’re working on the website. At the same time, this prevents visitors from accessing potentially malicious content.

You can put your website in maintenance mode by using a plugin or editing the functions.php file. Some hosting providers also allow you to put the site in maintenance mode via their backend.

Plugin maintenance mode

Use a plugin such as LightStart to enable maintenance mode without having to edit any PHP files. The plugin is very easy to use and even comes with a library of customizable templates for that personal touch.

Manual maintenance mode

If you don’t want to use a plugin, you can edit the functions.php file of the active theme to enable maintenance mode. Navigate to Tools > Theme File Editor and then choose Theme Functions (functions.php) from the Theme Files menu and add the following code:

function wp_maintenance_mode() {
    // Show the maintenance page to everyone except a logged-in user who can edit themes
    if (!current_user_can('edit_themes') || !is_user_logged_in()) {
        wp_die('<h1>Heading</h1><br />Message');
    }
}
// Run the check as soon as the theme header is requested
add_action('get_header', 'wp_maintenance_mode');

Replace Heading with a personalized heading and Message with a message for your visitors. Once ready, click on Update File for the changes to take effect.

Note: At this point, it is worth taking a snapshot of your WordPress site in its current state. This can be used later to determine how bad actors managed to gain access. Make sure you save it somewhere safe, ideally on external media such as a thumb drive.

Step 2: Restore to a staging environment

Next, locate your latest backup. If you have documented backup and restore procedures, find that document as this will make the process much easier.

Now that we have located the backup, it is time to restore it. It is very important, critical even, to restore the backup to a staging website first, not the live website. We need to carry out a number of processes before the site is ready.

Many hosting providers offer staging environment functionality, which makes the process much easier. Alternatively, you can set up a local staging environment using an application such as Flywheel Local or WordPress Studio. If you prefer something online, InstaWP is worth considering.

Step 3: Re-install WordPress and plugins

At the start of the article, we mentioned that companies, on average, take 200 days to detect a breach. So, we need to make sure that the backup we are restoring is free from malware.

There are two steps to this process – first, we’ll need to re-install WordPress core files and plugins. Once this is done, we’ll run a malware scan for good measure.

3.1: Re-install WordPress files

Reinstalling WordPress core files is dead easy. Simply log in to your WordPress dashboard using your WordPress admin account, navigate to Dashboard > Updates, and click on Re-install version X, where X is the current WordPress version number.

This will re-download and install the core WordPress software, replacing any infected files with legitimate ones directly from the WordPress repository.

3.2: Re-install plugins and themes

Next, we will re-install all WordPress plugins and themes. The thinking behind this is the same as in the previous step – to ensure any potentially infected files are replaced with clean, legitimate ones.

  • Step 1: Connect with SFTP to your WordPress server
  • Step 2: Navigate to wp-content > plugins
  • Step 3: If you don’t remember which plugins you have installed, take note of the folder names
  • Step 4: Delete all plugin folders
  • Step 5: Navigate one folder up and click on the themes folder
  • Step 6: Take note of all installed themes. If you have a custom theme, make sure you have a backup copy of the folder
  • Step 7: Delete all theme folders
  • Step 8: Disconnect from SFTP

Why not uninstall plugins from the WordPress dashboard? Good question!

When we uninstall plugins from the WordPress dashboard, a script runs to delete the plugin files. Plugins can hook to that script to, for example, delete any database entries it created. If the plugin files have in fact been infected with malware, they can hook to the same script to copy the malware files to another location. By deleting the files manually, we can ensure no scripts are run, and any malicious code is deleted along with the file.

But, I hear you ask, what about those database entries? Yet another good question.

We will leave those database entries there so that when we re-install the plugins, they will retain all their settings. Cool, right?

Note: If you have a custom theme but cannot locate a backup folder, you might want to skip deleting the theme. The same holds true for any custom plugins.

Step 4: Scan for malware

Next, we’ll scan WordPress for malware. At this point, this is more out of an abundance of caution than anything else. However, if you’ve been experiencing repeated attacks, an abundance of caution is warranted.

Use a plugin such as Wordfence or Sucuri. Make sure the plugin is fully updated before running the scan to ensure you have the latest signatures available.

Step 5: Reset all passwords, including your own (including hosting provider, SFTP, and database)

Before we push the site to live, it is worth resetting the passwords of all users. This ensures that any compromised passwords no longer work should an attacker attempt to breach your defenses again.

At this point, it is worth thinking about a WordPress password policy to ensure all users use strong passwords. Minimum password length and a healthy mix of upper and lower case characters, special and numeric characters go a long way in making passwords more secure.

Equally, you should encourage users to change their passwords often and discourage them from reusing old passwords. This ensures that any passwords that have been compromised in the past can no longer be used against your website.

The surest way to accomplish this is to use a password policy plugin, such as our own Melapress Login Security.

Step 5.1: Change the MySQL user password

Next, we will need to reset the MySQL user password.

There are two parts to this process – first, we need to change the actual MySQL user password, and then we need to update the wp-config file with the new password.

First, connect to your WordPress MySQL server. You can do this through cPanel or SSH – depending on your hosting provider. If you get stuck, contact your hosting provider for instructions on how to update the MySQL user password.

Once that is done, head to the wp-config file and update the password there.

More information on MySQL users is available here.

Step 6: Check for updates

We’ve done a lot of work so far, so do take a moment to pat yourself on the back. We are almost done and ready to go live with a clean and more secure website.

Before we do, however, we need to make sure that everything is updated to the latest version. This includes WordPress, themes, and plugins.

For the time being, you might also want to enable automatic updates. Doing so ensures that any plugin security holes are patched as soon as possible, even if you forget to update them yourself. Once the site is up and running, you might want to think about a WordPress updates strategy.

Step 7: Harden WordPress

Before we go live, it’s worth taking some time to harden your WordPress site. Doing so will help us avoid further incidents.

Limit login attempts

As a game of numbers, brute force attacks depend on unlimited login attempts to breach your WordPress site. While it’s certainly possible for an attacker to guess the password in the first few tries, it is highly unlikely. By limiting login attempts, we are essentially cutting hackers at the knee, rendering successful brute-force attacks highly unlikely.

Add 2FA

2FA, short for two-factor authentication, adds an additional authentication layer to WordPress logins. Because of this additional layer, even if users’ passwords get compromised, without users’ devices, bad actors will still be unable to log in.

Add an activity log plugin

An activity log plugin, such as our WP Activity Log, keeps a record of user and system activity on your WordPress site. It allows you to keep a record of logins and logouts, failed login attempts, and changes to your site – including the date, time, and IP address, among other information.

Change login URL

The WordPress login URL tends to get more than its fair share of attacks. One way to minimize exposure is to hide it. You can do this manually or by using a plugin such as our Melapress Login Security. The plugin is focused on improving WordPress login security and also includes password policies, geo-blocking, the ability to limit login attempts, and much more.

Install Melapress File Monitor

Next, we need to take a baseline of our folders and files to make sure we can identify any unauthorized changes. We can do this with Melapress File Monitor. The plugin takes an initial scan, during which it creates a hash of each directory and file.
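As an added illustration of the baseline-and-compare approach described above (example code written for this explanation, not Melapress File Monitor’s own code), the following Python script hashes every file under a WordPress root, keeps the digests as the baseline, and on a later scan reports files that were added, removed or changed. The site directory and its sample files are constructed inside the script.

```python
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of one file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(root):
    """Map every file under root (as a relative path) to its digest."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def compare(baseline, current):
    """Report files added, removed or modified since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            path for path in baseline
            if path in current and baseline[path] != current[path]
        ),
    }


def demo():
    """Constructed sample: a two-file site, a baseline, then tampering."""
    with tempfile.TemporaryDirectory() as site:
        plugin_dir = os.path.join(site, "wp-content", "plugins", "demo-plugin")
        os.makedirs(plugin_dir)
        with open(os.path.join(site, "index.php"), "w") as handle:
            handle.write("<?php require __DIR__ . '/wp-blog-header.php';\n")
        with open(os.path.join(plugin_dir, "demo.php"), "w") as handle:
            handle.write("<?php // constructed plugin stub\n")
        baseline = take_baseline(site)

        # Changes a scan should surface: a new PHP file under uploads (a
        # directory that should hold no PHP at all) and an altered core file.
        uploads = os.path.join(site, "wp-content", "uploads")
        os.makedirs(uploads)
        with open(os.path.join(uploads, "x.php"), "w") as handle:
            handle.write("<?php // constructed unexpected file\n")
        with open(os.path.join(site, "index.php"), "a") as handle:
            handle.write("// constructed tampering\n")

        return compare(baseline, take_baseline(site))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths or "-")
```

Store the baseline somewhere the web server cannot write to; a baseline that an intruder can rewrite tells you nothing.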

Step 8: Push to live

The website is now ready to be pushed to live. Take a few moments to test the website before moving it to live. Make sure all links work and that any available functionality also works as intended.

If you have an e-commerce store, make some test purchases; if you have a membership site, test the setup, and so on. Do take the time to check the content, especially any links that might have been added without your consent.

Fix 2: Clean the website

If you do not have a WordPress backup to restore, you must clean the website manually. The process is similar to the previous option, in which we restored our website from a backup. Those with a keen eye will notice that there are fewer steps involved in cleaning up a website than doing a restore. While this is true, when cleaning a website (instead of doing a backup restore), we have fewer opportunities to minimize risk.

However, we will still take every precaution that we can to rid the hacked site of any remnants bad actors might have left. So let’s get to it.

Step 1: Put your website in maintenance mode

The first step is to put the website in maintenance mode. This procedure follows the one outlined in the previous method.

There are basically two options – using a plugin or manually editing the functions.php file.

If you opt for the plugin method, you should be able to find a few different options in the WordPress repository. One such option is LightStart, which lets you add different pages to your site, including maintenance pages.

If you opt to manually edit the functions.php file, you can do so either through SFTP or the WordPress admin backend.

Step 2: Reset all passwords

Next, reset all WordPress users’ passwords. At this point, a password policy would help ensure that new passwords meet best practices standards. You might also want to block inactive users to reduce the attack surface area. Melapress Login Security is our security plugin that helps you achieve both while offering numerous other WordPress Login security policies for improved site security.

Step 3: Scan your website for malware

With all passwords reset, it is time to scan your website for malicious code. WordPress security plugins such as Wordfence or Sucuri are your best friend in this endeavor. Whichever plugin you choose, make sure you’re running the latest version before starting the scan. This ensures you have the latest signatures available.

Step 4: Harden WordPress

Hardening WordPress improves the overall security posture of our WordPress sites by ensuring configurations are geared toward security. This process of locking down WordPress is modular and entirely reversible, so settings can be changed at any point.

Hardening WordPress at this stage is critical to avoid future incidents. While it may seem like additional work, keep in mind that this will help you prevent further hacking incidents.

Step 5: Check for updates and make sure everything is running on the latest version

Before we take the website out of maintenance mode, it is worth taking a few minutes to ensure WordPress, plugins, and themes are running on the latest available version. This ensures any known security holes are plugged.

Once ready, it’s time to take the website out of maintenance mode. If you used the manual method, simply delete the code we added in Step 1. If you used the plugin method, deactivate the maintenance page from the plugin settings.

Fix 3: Hosting provider backend

If you don’t have access to the WordPress admin area, you’ll need to take a different approach to fixing your site. First, we will need to regain access, which can be done through the hosting provider’s backend. This section will show you how.

Step 1: SFTP to your WordPress server

If the WordPress front door is not accessible, we’ll need to go through the window. We can do this by connecting to the WordPress server using SFTP. This will provide us with access to the WordPress files and thus begin our cleaning operation.

Step 2: Delete all plugins

Once connected, head to wp-content > plugins and delete all of the folders. If you’re not sure which plugins you have installed, take note of the folder names so that you can install them later. You’ll also need to take note of the MySQL details in the wp-config.php file, as we will need these in the next step.

Step 3: Replace all WordPress core code

Download the latest WordPress version from the official wordpress.org website and extract the files to your computer. Now, upload all files and folders to the WordPress root folder using SFTP, replacing existing files. Once copied, rename the wp-config-sample.php file to wp-config.php and enter the MySQL details from the previous step.

Step 4: Log in to WordPress

Your WordPress backend will now be available for you to log in. If your password does not work, and you’re sure you have the right one, you’ll need to reset it. There are quite a few methods available at your disposal, which you can read about here.

Step 5: Final steps

Since we deleted all plugins back in step 2, we will need to re-install them. Take some time to double-check content, keeping an eye out for any suspicious links.

Fix 4: Call the professionals

If getting into the weeds of cleaning a hacked WordPress site is not something you’re comfortable with, consider calling a professional team to do it on your behalf.

Both Sucuri and Wordfence offer plans that include hands-on support. You’ll need to ensure you choose the right plan to get access to the service.

Alternatively, you can hire a specialized company such as Team of Horses or Surver. Another option is to find a freelancer from a platform such as Fiverr. If you decide to go down this route, make sure you check customer reviews before committing to any service provider.

How WordPress websites get hacked

WordPress sites can be hacked in a number of different ways. Understanding which avenues a bad actor can take to gain access to your site can help you prevent future hacks.

Outdated WordPress, plugins, and themes

It is no secret that even the best software can have security holes. While the risk is minimized when choosing reputable vendors, keeping all software up to date is your best bet against attacks such as XSS (Cross-Site Scripting) and SQL injection. Updates contain security fixes that patch vulnerabilities, making them something of an urgent best-practice necessity.

Weak passwords

Weak passwords are notoriously easy to crack. GPU advancements mean it takes mere seconds to crack basic passwords, making such passwords a huge security risk. Bad actors also use lists of commonly used passwords to make brute force attacks more efficient – making strong passwords an absolute must in WordPress security.

Leaked passwords

It is no secret that many users use the same password across multiple sites. If any of those sites experience a breach, the user’s password may end up for sale on the dark web. Bad actors buy these leaked passwords to use them in attacks. Protecting yourself from these types of attacks can be difficult since the attacker is using the correct password – unless you have 2FA.

Leftover files

Leftover and exposed files, such as temporary backups, can contain sensitive data without the protection afforded to other files. This makes them susceptible to theft, exposing data such as passwords and settings – which can be used in future attacks.

Wrong file permissions

File permissions often confound even the most experienced administrators. Many tend to get around this problem by assigning full access rights to everyone, ensuring permissions do not get in the way. Unfortunately, this means that even bad actors get rights to those files, and the information in them can be used in future attacks.
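As an added example (not from the original article), here is a small Python audit that walks a WordPress root and flags every file or directory that grants more permission bits than expected, which catches the “full access to everyone” mistake described above. The 755/644 targets and the owner-only 600 for wp-config.php are assumptions stated in the code; the sample install is constructed inside the script.

```python
import os
import stat
import tempfile

# Assumed target modes: the common WordPress recommendation of 755 for
# directories and 644 for files. wp-config.php holds the database
# credentials, so it is held to a tighter owner-only mode here.
DIR_MODE = 0o755
FILE_MODE = 0o644
SENSITIVE_FILES = {"wp-config.php": 0o600}


def expected_mode(name, is_dir):
    """Target mode for an entry, by type and (for files) by name."""
    if is_dir:
        return DIR_MODE
    return SENSITIVE_FILES.get(name, FILE_MODE)


def audit_permissions(root):
    """Return (relative path, actual mode, expected mode) for every entry
    that has permission bits beyond its expected mode. Any world-writable
    file or directory is always reported, since neither target allows it."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            full = os.path.join(dirpath, name)
            actual = stat.S_IMODE(os.lstat(full).st_mode)
            expected = expected_mode(name, is_dir)
            if actual & ~expected:  # some bit set that the target does not grant
                findings.append((os.path.relpath(full, root), actual, expected))
    return sorted(findings)


def demo():
    """Constructed sample install with two typical permission mistakes."""
    with tempfile.TemporaryDirectory() as site:
        uploads = os.path.join(site, "wp-content", "uploads")
        os.makedirs(uploads)
        for rel in ("index.php", "wp-config.php"):
            with open(os.path.join(site, rel), "w") as handle:
                handle.write("<?php\n")
        os.chmod(os.path.join(site, "wp-content"), 0o755)
        os.chmod(os.path.join(site, "index.php"), 0o644)
        # Mistake 1: "just make it work" by opening uploads to everyone.
        os.chmod(uploads, 0o777)
        # Mistake 2: wp-config.php left readable by every local account.
        os.chmod(os.path.join(site, "wp-config.php"), 0o644)
        return audit_permissions(site)


if __name__ == "__main__":
    for path, actual, expected in demo():
        print(f"{path}: is {oct(actual)}, expected {oct(expected)}")
```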

Default settings

Default settings, such as the WordPress login URL, are known to all. Thanks to the extensive WordPress documentation that anyone can access, finding information about important elements is very easy, which aids bad actors in their reconnaissance efforts. Many hackers will also program bots to proceed as if their target website is using default settings – making a breach more likely.

WordPress security is an ongoing effort

Fixing a hacked WordPress site takes some effort, but it is entirely doable. Prevention, however, is better than cure. As such, once the site has been fixed, preventing future incidents should be your priority.

Dedicate time every week, two weeks, or month to review and optimize settings and ensure everything is updated and backed up. Not only will this reduce the likelihood of further breaches, but it ensures you’re in a better position to bounce back should it happen again.

Posted in WordPress Security
Joel Farrugia
Joel Barbara

Joel was our technical writer who wrote a number of articles on our blog. With a background in tech and content, he has a passion for making technology accessible and understandable for everyone.

