Ultimate WordPress Hacking Recovery Guide

First, a confession: I have had my WordPress sites, and my clients’ WordPress sites, hacked a few times. Most hackers do very little damage, and you can clean and secure your site with a little bit of know-how.

We’ll divide this lengthy guide into several sections:

  • Diagnosing if You Have Been Hacked
  • Cleaning Your WordPress Site
  • Securing Your WordPress Site Against Reinfection or Future Hacks

What You’ll Need to Clean Your WordPress Site

Diagnosis: How You Know Your WordPress Site Has Been Hacked, the Obvious Clues

In many cases, you’ll know quite clearly that your site has been hacked. The most obvious clue is when Google throws up a warning page like this one:
[Screenshot: Google’s maroon malware warning page]

Or your meticulously edited homepage could be replaced by a political message:
[Screenshot: a hacked blog defaced with a political message]

Or your site might be hijacked to display a cute ninja turtle (yes, it happened):
[Screenshot: a defaced site showing a ninja turtle]

The defacements shown above are not serious. These are (sort of) honorable hackers who hack for sport and street cred; they rarely do lasting damage and they rarely intend to re-infect your site (although below we’ll cover the measures you still need to take to secure your site going forward).

Diagnosis: When the Hacking Is Less Obvious and More Malicious

If your site has been taken over by a black-hat SEO operation, the clues may be less obvious and the danger to your website more serious. If you’re lucky, they’ll fill your site up with keyword gibberish in Turkish:
[Screenshot: a hacked front page full of spam keywords]
If you’re not lucky, you may go weeks or even months before finding the hidden Cialis and Viagra links in your source code.

Another favorite goal of more sophisticated hackers is to use your web server to send spam, usually by dropping a PHP mailer script onto it. The danger to you here is that your server’s IP address ends up on spam blacklists and legitimate mail from your site (and from every other site on a shared server) starts being refused.

From time to time, open your homepage and press Ctrl-A to select everything on the page: links hidden by matching the text color to the background show up once selected. Then view the page source (Ctrl-U in most browsers) and look for links you didn’t add. Even though such links might not harm the user experience, they can significantly damage your rankings and might even get you removed from Google’s index.

Diagnosis: Tools for Determining if You’ve Been Hacked

  • Google’s Safe Browsing diagnostic page can tell you if your website is flagged as containing malicious software, and will even report which form of malware your site is carrying. To use it, enter this long, ugly URL in your browser and replace “YourSiteName.com” with your own domain: http://www.google.com/safebrowsing/diagnostic?site=YourSiteName.com (Google has since retired this page in favour of the Safe Browsing site status lookup in its Transparency Report, which answers the same question.)
  • Check your Google Webmaster Tools account for malware warning messages. If you’ve got the maroon screen described above, there will almost always be a message waiting there.
  • Try the Sucuri SiteCheck scanner; it’s free and will identify major malware infections. Bear in mind that a remote scanner only sees what your server sends to a visitor, so a backdoor that doesn’t alter your pages will not show up in it.

Procedure for Removing the Hack

Find the Extent of the Incursion

Before you start repairing anything, do some sleuthing to find the hacker’s footprints. Log in over FTP (or SSH, if your host provides it) and look for files that were altered recently. FileZilla has a remote file search that can filter the entire site by last-modification date at the touch of a button. Frequently you can narrow the compromise down to the hour. One caveat: an attacker can reset a file’s timestamp, so an empty “recently modified” list proves nothing, while a cluster of changes within one hour is a strong lead.

Things to look for over FTP:

  • index.php files which were recently modified. WordPress routes every front-end request through the index.php in your web root, so a replaced index.php effectively hijacks the entire installation
  • Any new PHP file, especially one sitting where WordPress never puts code, such as wp-content/uploads
  • Recently modified files in wp-content/themes. Hackers often insert hardcoded links or scripts into header.php, footer.php and other template files
  • Uploaded media files, particularly of strange file types. A vulnerable upload handler in a plugin or theme may let a hacker upload a PHP script to your server, which then reads and writes files on their behalf
  • PHP files with obfuscated code. WordPress core is open source and written to be read; a long base64 string, or a chain of eval(), gzinflate() or str_rot13() calls, is a red flag (a few legitimate plugins do call base64_decode(), so compare against a clean copy before deleting anything)
    [Screenshot: obfuscated PHP code]
  • Large, mysterious, suspiciously named files of any type. WordPress rarely uses random-looking file names
    [Screenshot: FTP listing showing a suspicious file]
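If your host gives you SSH access (or you’ve downloaded a copy of the site over FTP), the whole checklist above can be run in one pass. The script below is an added example written for this guide, not code from the original article or from WordPress; it assumes GNU find, grep and awk, and takes the document root as its first argument.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): triage a WordPress tree for the
# indicators listed above. Assumes GNU find/grep/awk. Typical use:
#   source wp-triage.sh && triage /var/www/example.com/public_html 7
# The report is a starting point for manual review, not an automatic verdict.

# Files modified within the last DAYS days (default 7), newest first.
# Caveat: attackers can reset timestamps with touch, so an empty list proves
# nothing, but a cluster of hits within one hour is a strong lead.
recent_files() {
    local root=$1 days=${2:-7}
    find "$root" -type f -mtime "-$days" -printf '%T@ %p\n' 2>/dev/null \
        | sort -rn | cut -d' ' -f2-
}

# PHP in the one place WordPress never executes PHP from: the uploads directory.
# Anything here was accepted by an upload handler that should have refused it.
php_in_uploads() {
    local root=$1
    find "$root/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) 2>/dev/null || true
}

# PHP files using the building blocks of packed payloads. A hit is a lead, not
# proof: WordPress core and some plugins legitimately call base64_decode() in a
# few places, so compare any hit against a clean copy before deleting it.
obfuscated_php() {
    local root=$1
    grep -rlE --include='*.php' \
        'eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|gzuncompress[[:space:]]*\(|str_rot13[[:space:]]*\(|assert[[:space:]]*\(' \
        "$root" 2>/dev/null || true
}

# PHP files containing a line longer than LIMIT characters (default 2000):
# packed payloads are usually one enormous string on a single line.
long_line_php() {
    local root=$1 limit=${2:-2000}
    find "$root" -type f -name '*.php' \
        -exec awk -v lim="$limit" 'length($0) > lim { print FILENAME; exit }' {} \; 2>/dev/null
}

# Labelled report over all four checks.
triage() {
    local root=$1 days=${2:-7}
    echo "== modified in the last $days days ==";             recent_files "$root" "$days"
    echo "== PHP under wp-content/uploads ==";                 php_in_uploads "$root"
    echo "== PHP calling eval/base64_decode/gzinflate/str_rot13/assert =="; obfuscated_php "$root"
    echo "== PHP with lines longer than 2000 characters ==";   long_line_php "$root"
}
```

Start with a short window (a day or two) and widen it until the modified files cluster; the cluster’s timestamp is what you then go looking for in the access logs, and the file names it lists are the ones to search for there.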

Examine any logs you have available through cPanel or FTP. Access logs show which URLs were requested, from which IP addresses and when; error logs show scripts failing. Requests to a PHP file you didn’t install, or POST requests to files under wp-content/uploads, point straight at the backdoor, and the first such request tells you when the site was already compromised.
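The log questions above (which requests hit the dropped file, from where, and when did it start) are quick to answer with awk. The following is an added example for this guide, not code from the original article; it assumes an Apache/cPanel access log in the standard “combined” format, where the seventh whitespace-separated field is the request path. The sample log is constructed for the example and uses documentation IP ranges.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): pick the tell-tale requests out
# of a "combined"-format access log. Assumes awk and that field 7 of each line is
# the request path. The log below is constructed for this example.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [12/Mar/2012:03:14:07 +0000] "GET /wp-login.php HTTP/1.1" 200 1891 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2012:03:14:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2012:03:15:31 +0000] "GET /wp-content/uploads/2012/03/image.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2012:03:15:40 +0000] "POST /wp-content/uploads/2012/03/image.php HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2012:03:16:12 +0000] "POST /wp-content/uploads/2012/03/image.php HTTP/1.1" 200 377 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2012:03:20:02 +0000] "POST /wp-content/uploads/2012/03/image.php HTTP/1.1" 200 612 "-" "curl/7.21.0"
192.0.2.44 - - [12/Mar/2012:08:02:55 +0000] "GET /2012/03/hello-world/ HTTP/1.1" 200 12034 "http://www.google.com/" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2012:08:03:01 +0000] "GET /wp-content/themes/twentyeleven/style.css HTTP/1.1" 200 33210 "-" "Mozilla/5.0"
EOF

# POST requests to PHP files under wp-content/uploads or a theme directory.
# WordPress never serves PHP from uploads and themes take no direct POSTs,
# so these are almost always a dropped web shell being driven.
webshell_posts() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-content\/(uploads|themes)\/.*\.php/' "$1"
}

# Every client that requested a path matching REGEX, with hit counts, busiest first.
clients_for() {
    local regex=$1 log=$2
    awk -v re="$regex" '$7 ~ re { n[$1]++ } END { for (ip in n) print n[ip], ip }' "$log" | sort -rn
}

# Timestamp of the first request to a path matching REGEX. The file existed by
# then, so the compromise happened no later than this.
first_seen() {
    local regex=$1 log=$2
    awk -v re="$regex" '$7 ~ re { print substr($4, 2); exit }' "$log"
}

# Everything one client did, in order: reconstructs the attacker's session
# once you have their address from clients_for.
client_timeline() {
    local ip=$1 log=$2
    awk -v ip="$ip" '$1 == ip { print substr($4, 2), $6, $7 }' "$log" | tr -d '"'
}
```

Run `webshell_posts` first to find the file, `first_seen` on that file name to date the break-in, and `client_timeline` on the busiest address to see what was requested in the minutes before it: in the sample, the same client logs in at wp-login.php a minute before the first request to image.php, which is exactly the sort of sequence that tells you the way in.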

Check your database for unusual content. Log in to phpMyAdmin and use the database-level Search tab to look for telltale keywords like “Viagra” or “Cialis” across all tables; wp_posts and wp_options are the usual hiding places.
[Screenshot: phpMyAdmin database search]

Check the wp_users table for accounts with random-looking usernames or e-mail addresses. Hackers will happily insert their own contact address into an account so they can use the lost-password function to regain access to your site later.
[Screenshot: a hacker-added user in phpMyAdmin]
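The same checks (spam keywords and hidden markup in posts, and unfamiliar e-mail addresses in wp_users) can be run against a mysqldump export instead of clicking through phpMyAdmin, which is handy when you have a backup to compare. This is an added example for this guide, not code from the original article; it assumes a dump made with mysqldump’s default options (backtick-quoted table names, multi-row INSERT statements, single-quoted strings). The sample dump, users, addresses and link are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): run the database checks above
# against a mysqldump export. Assumes mysqldump's default output format.
# The dump below is constructed for this example.

SAMPLE_DUMP=$(mktemp)
cat > "$SAMPLE_DUMP" <<'EOF'
-- MySQL dump (constructed sample)
INSERT INTO `wp_users` VALUES (1,'admin','$P$BfakeHashForAdmin0000000000000','admin','matthew@example.com','','2011-05-02 10:00:00','',0,'Matthew'),(7,'gx9k2p','$P$BfakeHashForIntruder00000000000','gx9k2p','qzx81ml@example.net','','2012-03-12 03:14:09','',0,'gx9k2p');
INSERT INTO `wp_posts` VALUES (12,1,'2012-01-09 09:00:00','2012-01-09 09:00:00','<p>Welcome to the blog.</p>','Hello world','','publish','open','open','','hello-world','','','2012-01-09 09:00:00','2012-01-09 09:00:00','',0,'http://www.example.com/?p=12',0,'post','',0),(13,1,'2012-01-15 12:30:00','2012-01-15 12:30:00','<p>Our latest news.</p><div style="display:none"><a href="http://pills.example/">buy viagra online</a> <a href="http://pills.example/c">cheap cialis</a></div>','News','','publish','open','open','','news','','','2012-03-12 03:17:44','2012-03-12 03:17:44','',0,'http://www.example.com/?p=13',0,'post','',0);
INSERT INTO `wp_options` VALUES (1,'siteurl','http://www.example.com','yes'),(2,'blogname','Example Blog','yes');
EOF

# Occurrences of the usual spam keywords inside wp_posts rows, with counts.
pharma_hits() {
    grep -E '^INSERT INTO `wp_posts`' "$1" \
        | grep -oiE 'viagra|cialis|levitra|casino|payday' | tr 'A-Z' 'a-z' | sort | uniq -c | sort -rn
}

# CSS that hides content from visitors but not from crawlers, in posts or options.
hidden_markup() {
    grep -E '^INSERT INTO `wp_(posts|options)`' "$1" \
        | grep -oiE 'display:[[:space:]]*none|visibility:[[:space:]]*hidden|text-indent:[[:space:]]*-[0-9]+|left:[[:space:]]*-[0-9]{3,}' \
        | sort | uniq -c
}

# "login email" for every row of wp_users (column order: ID, user_login,
# user_pass, user_nicename, user_email, ...).
list_users() {
    grep -E '^INSERT INTO `wp_users`' "$1" \
        | grep -oE "\([0-9]+,'[^']*','[^']*','[^']*','[^']*'" \
        | sed -E "s/^\([0-9]+,'([^']*)','[^']*','[^']*','([^']*)'/\1 \2/"
}

# Users whose e-mail domain is not in the space-separated allowlist ALLOWED.
# Anyone listed here can use "lost password" to walk straight back in.
foreign_users() {
    local dump=$1 allowed=$2
    list_users "$dump" | awk -v allowed="$allowed" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[tolower(a[i])] = 1 }
        { dom = tolower($2); sub(/^[^@]*@/, "", dom); if (!(dom in ok)) print }'
}
```

Run `foreign_users dump.sql 'example.com gmail.com'` with the domains your real authors use; every line it prints is an account to delete or re-point before you change any passwords. Run `pharma_hits` and `hidden_markup` on both the live dump and your oldest backup: the first backup in which they come up empty is the one you can safely roll back to.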

See What Google Has Found

Do a site search of your WordPress installation by typing “site:EXAMPLEDOMAIN.COM” into the Google search bar. This lists every page Google currently has in its index for your domain. Look for pages the hackers generated out of whole cloth. These can persist in the index long after you’ve actually cleaned up the hack, and will have to be removed using the Remove URLs function in Google Webmaster Tools; make sure the pages really are gone (returning 404 or 410) first, or Google will simply re-index them.

Don’t Forget to Check Your Own Computer!

Sometimes the source of a security breach is as close as your own fingertips. Whether you access your WordPress site from home or the office, there are many ways for a hacker to steal your passwords. Have you recently logged in over public wifi, or from your smartphone? Never save your passwords in your FTP client: it is a simple matter for malware to read them off your hard drive. FileZilla, for example, stores saved site passwords unencrypted in its sitemanager.xml file (newer versions can protect them with a master password, but only if you turn it on). Consider how easy it would be for a keylogger or other malicious software to grab your passwords. Use an encrypted connection to your site (SFTP or FTPS rather than plain FTP, which sends your password across the network in clear text). This would also be a good time to run a full Microsoft Security Essentials scan on your computer.

Check the Other Sites on Your Server

It might be that the hack didn’t originate on your own site. Sometimes the hosting server itself is compromised, through no fault of your own. To test this, visit some of the other WordPress sites on your shared hosting server and see if they have the same problem you do. You may never have checked out your server neighbors before, but luckily there’s a tool to help: the MajesticSEO Neighborhood Checker.

Change ALL the Passwords

There are at least four different passwords which unlock a WordPress site: the WordPress admin login, the FTP (or SFTP) account, the database user, and the hosting control panel. If one of them has been compromised, assume the others have been too. If the hacker has your FTP password they can read the database password, which sits in plain text in wp-config.php, and with that they can edit the wp_users table directly. If your FTP password is the same as your cPanel login, which is the default on many hosting services, you also need to worry about e-mail accounts, database users, and possibly even your domains. Whatever passwords you have, change them, and change them quickly. Then change them again once the site is clean: an attacker still holding a backdoor can harvest the new ones. While you are in wp-config.php, also generate fresh AUTH_KEY and SALT values so that any login cookies the hacker still holds stop working.

Screen Your WordPress Users

It will do you no good to change the passwords if the hackers can reset the password of an admin-level user. Make sure the e-mail address on every user account belongs to the person it should, and not to an address controlled by the hacker, and remove or demote any account you don’t recognize. If you have a number of admin users and one of them has a compromised e-mail address, you’re in trouble.
[Screenshot: a suspicious user in the WordPress users list]

Rollback to Backups or Remove the Hacker Code Manually

At this point you should have a good idea of the extent and the source of the hack. If the root directory index.php has been overwritten, replace it with the file from a fresh WordPress download of the same version. If theme files have been overwritten, then hopefully you have a backup; often you can simply remove the injected script by hand and be more or less back to normal. Otherwise, if you have a backup of your database and wp-content folder which you know predates the hack, roll back to those (and then reset the user passwords, since the old ones may already be in the hacker’s hands).

Upgrade Everything

It’s easy to fall behind on updates. Sometimes we’re reluctant to install them because nothing breaks a site quite as fast as an update that your plugins or theme aren’t ready for. But those updates to WordPress core and to plugins frequently contain important security patches. Updating is not a panacea, but now that you’ve been hacked you want to leave no stone unturned.

Re-install WordPress. This overwrites the files in wp-admin and wp-includes and the core files in the web root, and reduces the chance of hidden trojan code hanging around. It does not touch wp-content (themes, plugins, uploads) or wp-config.php, so those still need the manual inspection described above; for plugins and themes, the equivalent step is to delete them and download fresh copies from the official repository.
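Rather than trusting a reinstall to have caught everything, you can prove it: unpack a fresh copy of the same WordPress version next to the live tree and list every core file that differs, was added, or is missing. The script below is an added example for this guide, not code from the original article or from WordPress; it assumes GNU diffutils and awk and paths without spaces, and skips wp-content, wp-config.php and .htaccess because those are expected to differ. (If WP-CLI is installed, `wp core verify-checksums` performs the same comparison against the official checksums without a local clean copy.)

```bash
#!/usr/bin/env bash
# Added example (not from the original article): compare a live WordPress tree
# with a freshly unpacked copy of the SAME version. Assumes GNU diff/awk and
# paths without spaces. wp-content, wp-config.php and .htaccess are skipped
# because they legitimately differ; inspect them by hand.

# Output: "differ PATH" (changed), "extra PATH" (only in live), "missing PATH" (only in clean).
core_drift() {
    local clean=${1%/} live=${2%/}
    diff -rq --exclude=wp-content --exclude=wp-config.php --exclude=.htaccess "$clean" "$live" 2>/dev/null \
        | awk -v clean="$clean" -v live="$live" '
            $NF == "differ" {                  # "Files A and B differ" / "Binary files A and B differ"
                p = ($1 == "Binary") ? $5 : $4
                print "differ", substr(p, length(live) + 2)
                next
            }
            $1 == "Only" {                     # "Only in DIR: NAME"
                dir  = substr($3, 1, length($3) - 1)
                kind = (index(dir, live) == 1) ? "extra" : "missing"
                base = (kind == "extra") ? live : clean
                rel  = substr(dir, length(base) + 2)
                print kind, (rel == "" ? $4 : rel "/" $4)
            }'
}

# Files WordPress did not ship, outside wp-content: the classic place to hide a
# backdoor that survives a theme cleanup. Every one of these needs explaining.
dropped_core_files() {
    core_drift "$1" "$2" | awk '$1 == "extra" { print $2 }'
}

# Typical use (clean copy unpacked from the official archive, same version as live):
#   core_drift ~/wordpress-clean ~/public_html
#   dropped_core_files ~/wordpress-clean ~/public_html
```

A "differ" on index.php or any file under wp-includes after you have already reinstalled means the reinstall did not take, or something rewrote the file afterwards; find out which before going further.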

Steps You Can Take to Prevent Hacking in the Future

Now that you’ve cleaned up your site, you’re going to want to block attempts at re-infection.

  • Never save SQL backups on any public server. A backup sitting under your web root is a downloadable copy of your entire database, password hashes included.
  • Save frequent SQL backups to your home computer. Having a known-good backup speeds up the cleaning process enormously.
  • Keep your TimThumb.php file up to date, or remove it if nothing uses it. This helpful but vulnerable image-resizing script is bundled with many themes and has been particularly troublesome for WordPress owners over the years.
  • Maintain security consciousness with any computer you use to access your site.
  • Add a security plugin like Wordfence. It limits login attempts, blocks traffic from known hostile IP addresses, and compares your core files against the official copies to catch modifications you might not have thought to look for.

Know When You’re Over Your Head!

This article won’t give you a solution to every single hacking problem. We’ll update as we learn more, but hackers are always on the bleeding edge and coming up with new ways to mess things up. If you’re getting repeatedly infected, or if you can’t restore the site to its original state, then it’s time to employ a reputable WordPress expert to lend a hand.

Send Us Your Hacking Stories!

Leave us a comment if you’ve got a hacking story to share. We want to know how they got in and how you fixed it. Show the code if you’ve got it!

3 replies
    Ben says:

    This is well put together Matthew.

    I’ve just this minute finished removing a hack from one of our clients’ sites – they had injected a phishing page for an Italian bank. The problem is how they got in… via SSH. No WP vulnerabilities.

    I found the files they had injected just by looking at the previous commands – this made it pretty easy.

    It was put onto the server calling a .tar file using a wget command. (the file was stored on another hacked site which was obviously their hive)

    Nightmare over!

    Going to implement some of the bits you mentioned in your post right now

    Thanks!!

      MatthewBey says:

      That’s a scary hack, Ben, glad you figured it out! We’ve seen hackers from a lot of strange countries too, Saudi Arabia, Malaysia, and Tunisia. They never seem to be from Iowa.

