How to clean and recover a hacked or infected WordPress

If you suspect that your WordPress website has been infected or hacked in some way, the last thing you want is greetings, hugs or long explanations, so let's get straight to the point and go step by step through what to do when you believe, or are sure, that your WordPress website has been infected or hacked.

How do I know if my WordPress website has been hacked or infected?

First of all, check whether your WordPress website has really been hacked or infected in some way.

There are several possible symptoms that a WordPress website has been hacked; these are the most common:

  • Your site redirects to another URL: unwanted redirects happen when an attacker injects a script (in a file, in the database or in .htaccess) that sends visitors to another site when they visit yours.
  • You cannot log in: before drawing conclusions about a hack, make sure you have not simply forgotten your password. If that is not it, an attacker may have changed your password to lock you out, or deleted your account.
  • Sudden traffic drop: this can happen when malware hijacks your site's traffic and redirects it. Traffic also drops if you end up on Google's block lists, which can happen when your website is hacked.
  • Your site was changed: a home page replaced by a static page with links to nasty sites, or a footer with links you did not add, are clear signs of a hack. Changes like these happen when an attacker gains access to the administration area, the file system or, less often, the database. Check with the other administrators of the site to confirm that they did not make the changes themselves.
  • Bad links are added to your website: as with a changed site, this happens when an attacker has access to the administration area, the file system or the database.
  • Unknown files or scripts: finding these can mean that the site was compromised by an attacker who added malware or a backdoor. This happens when your site is vulnerable, for example because of an outdated or insecure WordPress core, theme or plugin.
  • Suspicious user accounts in WordPress: your site may be compromised and the attacker has created a new account. If registration is enabled on your site, check that it is not an ordinary subscriber; an attacker's account will typically have the administrator role.
  • Unable to send or receive email from WordPress: frequently a sign that the server is being used to send spam and has been blacklisted, or that the mail configuration has been tampered with.
  • Unknown scheduled tasks: an attacker with full access can add scheduled tasks (cron jobs on the server, or WP-Cron events inside WordPress) that run all kinds of malicious code and re-create the infection after you clean it.
  • You receive notifications from the security plugin: the security plugin gives you security reports and lets you know about suspicious activity. If red flags show up, you may have been hacked.
  • A slow or unresponsive website: a DDoS attack (but also a cryptominer or spam script running on your server) can cause all kinds of connection errors or make the site suddenly and excessively slow.
  • The hosting company has deactivated your website: some shared hosting companies, to protect the rest of the websites on the server, completely deactivate a compromised site, sometimes notifying you, and not always in advance.
  • Google warns that your site may have been hacked: Google can show a "This site may be hacked" notice next to your site in search results. It indicates that part of the installation has been compromised by one of the means above.

How do you know what kind of infection or hack it is?

You can do this using scanning tools, which locate malicious code and known vulnerabilities in the WordPress core files (wp-admin, wp-includes and the files in the root folder) as well as in themes and plugins.

Among the many online tools you can find, I recommend Sucuri SiteCheck, which has a huge database of known infections, hacks and malware.

Other online services for the detection of vulnerabilities, hacks and malware that you can use are the following (bear in mind that an external scanner only sees what your site shows to the public, so a dormant backdoor leaves no trace in the rendered pages and a clean external scan never proves that the site is clean):

  • Mozilla Observatory – analyzes the security of your website as a whole, with details of weaknesses and improvements.
  • ImmuniWeb – complete free online service for analyzing security vulnerabilities, including those specific to WordPress.
  • WordPress Security Scanner – vulnerability detection service specific to WordPress sites.
  • Google Safe Browsing – Google's tool to check whether your website is flagged for unsafe content.

In addition, you should always review the server's log files, requesting access to them from your hosting company if necessary, to look for accesses you do not recognize, file modifications, connections to unknown or suspicious URLs, and so on. Things to look for first: requests for PHP files under wp-content/uploads (WordPress never serves PHP from there), bursts of POST requests to wp-login.php or xmlrpc.php from the same address, and requests for file names you do not recognize. The logs are a fantastic source for working out the origin and the actions of your WordPress hack or infection.
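As an added example (not part of the original article), here is a small shell triage of an access log in the Apache/Nginx combined format that looks for exactly the three things above: PHP files requested under wp-content/uploads, runs of POSTs to wp-login.php from one address, and hits on xmlrpc.php. The log lines are constructed for the example, with addresses from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.

```shell
#!/bin/sh
# Added example: triage an access log (combined format) for the first things
# to look at on a hacked WordPress site. Not code from the original article.
set -eu

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG=$(mktemp); trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Mar/2021:08:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:08:01:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:08:01:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:08:01:13 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2021:08:05:00 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2021:08:05:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.44 - - [10/Mar/2021:09:20:31 +0000] "POST /wp-content/uploads/2021/03/cache.php HTTP/1.1" 200 77 "-" "python-requests/2.25"
203.0.113.44 - - [10/Mar/2021:09:21:05 +0000] "GET /wp-content/uploads/2021/03/cache.php HTTP/1.1" 200 33 "-" "python-requests/2.25"
203.0.113.51 - - [10/Mar/2021:09:30:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF

# Combined format as awk sees it: $1 = client IP, $6 = "METHOD (with the
# opening quote attached), $7 = request path, $9 = status code.

# Any request for a PHP file under wp-content/uploads. WordPress never puts
# PHP there, so each distinct "ip method path" line is a webshell candidate.
php_in_uploads() {
  awk '$7 ~ /^\/wp-content\/uploads\/.*\.php([?]|$)/ { print $1, substr($6, 2), $7 }' "$1" | sort -u
}

# IPs that POSTed to wp-login.php more than $2 times: password guessing.
# wp-login.php answers a failed login with 200 and a successful one with a
# 302 redirect, so a 302 after a run of 200s is the guess that worked.
login_bruteforce() {
  awk -v limit="$2" '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
    END { for (ip in n) if (n[ip] > limit) print ip, n[ip] }' "$1" | sort
}

# Requests to xmlrpc.php per IP: the endpoint is a favourite for brute force
# (system.multicall lets one request try many passwords) and for DDoS.
xmlrpc_hits() {
  awk '$7 ~ /^\/xmlrpc\.php/ { n[$1]++ } END { for (ip in n) print ip, n[ip] }' "$1" | sort
}

echo "== PHP under uploads =="; php_in_uploads "$SAMPLE_LOG"
echo "== wp-login.php brute force (more than 3 POSTs) =="; login_bruteforce "$SAMPLE_LOG" 3
echo "== xmlrpc.php =="; xmlrpc_hits "$SAMPLE_LOG"
```

Point the same functions at the real log, for example `login_bruteforce /var/log/apache2/access.log 20`. If the site sits behind Cloudflare or another proxy, the first column is the proxy's address unless the server restores the real client IP (mod_remoteip with CF-Connecting-IP on Apache), so check that before blocking anything based on it.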

What to do if I am getting a DDoS attack?

If the problem is that you are receiving a denial-of-service attack, what you have to do is block as much of the traffic from the attacking IPs as possible, as far upstream of your server as possible.

For this you have some tools that can help you.

Block attacking IPs from the hosting

If you have no automatic tool, or simply cannot even reach your website because of how slowly it loads, you can block traffic from the IP addresses the attack is coming from; the server access log tells you which ones.

If your website is hosted on SiteGround you can do this from the Security section of the site tools, adding full IPs (123.123.123.123) or ranges using an asterisk as a wildcard (123.123.123.*).

If your website is on another host that has cPanel, you have the same tool there (IP Blocker).
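As an added example (not part of the original article), here is how to find the addresses that are hammering the site from the access log and turn them into an Apache 2.4 block for the site's .htaccess, which is the same thing the SiteGround and cPanel IP blockers write for you. The log is constructed, with addresses from documentation ranges; the threshold of 20 requests is an arbitrary value for the sample.

```shell
#!/bin/sh
# Added example, not from the original article: rank IPs by request count
# and emit an Apache 2.4 .htaccess block for the ones above a threshold.
set -eu

# Constructed log: one address sends 60 requests in a minute, two normal
# visitors send a few. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
LOG=$(mktemp); trap 'rm -f "$LOG"' EXIT
i=0
while [ "$i" -lt 60 ]; do
  printf '203.0.113.200 - - [10/Mar/2021:12:00:%02d +0000] "GET / HTTP/1.1" 200 512 "-" "-"\n' "$i" >>"$LOG"
  i=$((i + 1))
done
printf '198.51.100.9 - - [10/Mar/2021:12:00:05 +0000] "GET /about/ HTTP/1.1" 200 7000 "-" "Mozilla/5.0"\n' >>"$LOG"
printf '198.51.100.9 - - [10/Mar/2021:12:00:09 +0000] "GET /contact/ HTTP/1.1" 200 6200 "-" "Mozilla/5.0"\n' >>"$LOG"
printf '198.51.100.23 - - [10/Mar/2021:12:00:40 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"\n' >>"$LOG"

# "count ip" for every address with more than $2 requests in log $1, busiest first.
top_talkers() {
  awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' "$1" \
    | sort -rn | awk -v limit="$2" '$1 > limit'
}

# Apache 2.4 fragment for .htaccess: everyone is allowed except the listed
# addresses. Apache reads .htaccess on the next request, no restart needed.
htaccess_block() {
  printf '<RequireAll>\n    Require all granted\n'
  top_talkers "$1" "$2" | awk '{ print "    Require not ip " $2 }'
  printf '</RequireAll>\n'
}

htaccess_block "$LOG" 20
```

Set the real threshold well above what a legitimate visitor or crawler produces in the window the log covers, and treat this as a stopgap: a botnet spreads its requests over thousands of addresses, so for a volumetric attack the blocking has to happen at the host or the CDN, not in .htaccess.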

Block attacking IPs from the CDN (CloudFlare)

If the attacked site uses Cloudflare as a CDN you can activate a couple of features that minimize, and often stop, the attack.

In the firewall section you have Bot Fight Mode, which challenges suspected bots (with a JavaScript challenge, among other checks) and stops a large part of automated traffic; you just have to activate it.

More complete and more radical is to tell Cloudflare that the site is under attack by enabling "I'm Under Attack" mode, which makes every visitor pass a JavaScript check before any page is served.

You can also block IPs manually from the Cloudflare firewall, but Under Attack mode is very effective and much faster. Keep in mind that Cloudflare can only protect you if the attackers cannot reach your server directly: if the server's real IP address is known, configure it to accept web traffic only from Cloudflare's published IP ranges.

Confirmed, I have been hacked! What do I do?

If you have confirmed that your WordPress website is compromised in some way, hacked, infected, or whatever you want to call it, I advise you to follow these steps without skipping a single one.

In my many years of experience, every time a hacked website is not completely clean and, usually, gets hacked again, it is because one of these steps was omitted.

First of all, a lot of calm

This is essential so that you do not skip any steps and so that you carry out every other procedure rigorously and accurately.

It is normal to be worried when you discover that your WordPress has been infected, but the damage has already been done, and being able to apply the best possible solution depends first and foremost on not getting nervous: take a deep breath and get down to work, as calm as possible.

You have an important task ahead of you, but above all a methodical one, and you will not do it well in a nervous, worried or hurried state. Do not put your urgency to solve the problem before the importance of solving it properly.

An attacker has taken their time to infect your WordPress website, and if you do not do the same you will surely overlook something and all the time and work spent will have been in vain.

Close the rest of the agenda, turn off the phone, avoid all kinds of distractions and assume that you are going to spend at least the rest of the day cleaning your WordPress website, nothing more and nothing less; you have nothing more important to do.

In security there is no room for rushing, only for method and for confirming that each necessary step has been carried out with the dedication, attention and concentration it requires.

Show a web page under maintenance

Something we often forget is that visitors do not know that our website is hacked, and this can be a risk for them too (a hacked site may be serving them malware or redirecting them to scams), so while we clean and recover the infected WordPress website it never hurts to show a page saying that the site is under maintenance.

I have seen recovery guides for hacked websites that say to install a maintenance plugin, but the reality is that you will not always have access to your WordPress administration, so the easiest thing is to create a file called index.html with a warning text and upload it to the root folder of your server. Two caveats: this only works if the server's DirectoryIndex prefers index.html over index.php (check by loading the home page; if not, add the line DirectoryIndex index.html to .htaccess), and it only covers the home page, so every other URL of the hacked site, including whatever the attacker planted, is still being served. If you need the whole site offline, use an .htaccess rewrite rule that answers every request with the maintenance page and HTTP status 503, or ask your host to suspend the site while you work.

Here is a simple example of what it could contain; use it if you do not have something better (replace the e-mail address with your own):

 <!DOCTYPE html>
 <html lang="en">
 <head>
 <meta charset="utf-8">
 <title>Web under maintenance</title>
 </head>
 <body>
 <h1>The website is under maintenance - we will be back soon!</h1>
 <p>Sorry for the inconvenience, we are doing some maintenance on the web at the moment. If you need something from us you can <a href="mailto:[email protected]">contact us by email</a>; the web will be active again soon.</p>
 <p>&mdash; The team</p>
 </body>
 </html>

Backup the hacked WordPress website

This is a step that many people skip, and it is very important: it lets you analyze afterwards all the elements that may have caused the vulnerability, and it preserves the infected files for an exhaustive review.

Also, if necessary, from this backup copy you can recover, after an exhaustive review of course, some configurations, images and content that you are going to need, if you do not have clean backups of your website.

Another measure you can take, if your content has not been compromised, is to export the posts, pages, products, etc. from WordPress, in the administration section Tools → Export.

So make a backup copy of the already infected WordPress website (files and database) and keep it somewhere safe, clearly labelled as infected, for later analysis.

If you have backups, restore a clean one

If you have backup copies of your WordPress website, it is time to restore a copy that you are sure is not infected, to recover your website. Bear in mind that the compromise usually predates the first visible symptom, often by weeks, so "the most recent backup" is not automatically "a clean backup": scan the copy with the tools we saw above before you trust it, and assume that the vulnerability that let the attacker in is still present in that backup, which makes the update and password steps below mandatory.

There are only 2 simple steps:

  1. Erase the ENTIRE infected installation, completely: files and database, not just the files on top.
  2. Restore the clean backup.

If you do not have a backup, install everything from scratch

If you do not have any backup that you are totally sure is clean of infections or hacks, then you have to install everything from scratch:

  1. Install the latest WordPress version using the official download from wordpress.org, without shortcuts.
  2. Install the latest version of the theme using the official download and your license if necessary.
  3. Install the latest versions of only the plugins you really need, again from official sources. Pirated ("nulled") themes and plugins are one of the most common ways malware gets in.
  4. If you have a clean copy of the images and files in the /uploads/ folder, upload it, but only if you are absolutely sure; in any case remove any PHP file found under uploads, since nothing legitimate lives there.
  5. If you have a clean export of posts, pages, products, etc., import it (Tools → Import), but only if you are sure that nothing has been injected into the content.

Analyze your computer and that of all administrators

The source of the compromise can also be a computer infected by malware or a backdoor, so it is always necessary to check, with good antivirus and anti-malware software, the computers of everyone who has administrator access to the website or to the hosting panel. Any change you make is useless if their computers keep exposing passwords, old or new.

If you do not use one yet, pick a reputable antivirus and anti-malware program before you continue.

Change all access passwords to EVERYTHING

This is perhaps the most important step and one that hardly anyone takes seriously enough, in its full breadth.

You must change the passwords for absolutely everything related to your WordPress website. An extensive, though perhaps not complete, list:

  • Passwords of the SQL users of ALL databases, even those that are, a priori, not infected, updating wp-config.php accordingly. Even safer is to delete the current SQL users and create new ones with new passwords (this is what I usually do).
  • FTP and SFTP users and passwords, and any SSH keys in authorized_keys. Delete ALL current accesses and create new ones, only the ones strictly necessary.
  • WordPress passwords of ALL users. It is not enough to email them asking for a change: force the change or reset them all en masse. Also regenerate the authentication keys and salts in wp-config.php (the AUTH_KEY to NONCE_SALT block), which invalidates every existing login cookie, including any the attacker still holds.
  • Email passwords of ALL users.
  • Passwords of the hosting panel and of every service that interacts with your website: CDN, WordPress.com accounts, Gmail, plugin and theme licenses, newsletter services, API keys, etc.

Reanalyze your website for vulnerabilities

Now that you have uploaded (supposedly) clean copies of everything, go back to the detection tools we saw earlier and verify that the site is no longer infected and that there is no compromised content.

Make a backup copy of the newly installed and clean web

If you don’t find malware again, or any hack or backdoor, it’s time to make a totally clean backup of the WordPress website, and clearly label it in case you have to use it again to recover the site in the future.

How to remove malware and clean the hack from your WordPress website

No matter how you recover your website or if you have not been able to do it, you should always eliminate the hack, malware, backdoor or whatever it is that has compromised your WordPress site .

The following steps will help you clean your website if you could not recover clean copies of your content, and in any case they help you understand your installation better and learn how to protect it against future infections or hacks.

The following process works the same for your compromised installation as it does for the infected site backup that we did in the first step of this guide.

In this process of cleaning and disinfection of the WordPress website we are not going to use plugins, as we must start from the idea that security plugins may also be compromised in a hacked installation, and could show false positives, in addition to hiding vulnerabilities, so discard any tutorial you find that recommends doing this process using WordPress security plugins .

Checking and cleaning infected or hacked WordPress files

The first step would be to search your WordPress installation files, plugins, themes, and other folders for any files that may have become infected or contain malware or back doors.

There are several ways to check …

Compare your WordPress installation versus a clean installation

Compare your installation with a freshly downloaded copy of the same WordPress version (wp-includes/version.php tells you which one), to see whether your installation contains files that are not in the standard installation, or files whose content has changed.

If you detect files that are not in the official installation, open them to check whether they are files you uploaded for a specific purpose; when in doubt, download a copy (for later analysis) and delete them.

You must do this with all the folders, and their subfolders, of the WordPress installation (wp-admin, wp-includes, wp-content, etc.).

The fastest way is to use a file manager (FTP client, hosting file manager, local copy, etc.) and, sorting by modification date, look for files that differ: different size, different content, or dates that do not match the rest of the installation. Do not rely on dates alone: an attacker can give a file any modification time they like (touch -r does it in one command), so an old date is not proof of innocence.

Before starting this task it is worth, as I recommended before, going through the server logs, and starting with the files that the security scanners flagged as malware or infected.
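As an added example (not part of the original article), here is the comparison done with checksums instead of by eye: the core directories of a (possibly hacked) install are hashed and compared with a clean copy of the same version, and every modified, added or removed file is listed. wp-content and wp-config.php are deliberately left out, since they differ from site to site and have to be reviewed by hand. Both trees are constructed in a temporary directory for the example.

```shell
#!/bin/sh
# Added example, not from the original article: compare wp-admin and
# wp-includes of a site against a clean tree of the same WordPress version.
set -eu

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
CLEAN="$WORK/clean"; SITE="$WORK/site"
mkdir -p "$CLEAN/wp-admin" "$CLEAN/wp-includes" "$SITE/wp-admin" "$SITE/wp-includes" "$SITE/wp-content/uploads"
printf '<?php // genuine core file\n' >"$CLEAN/wp-includes/load.php"
printf '<?php // genuine core file\n' >"$CLEAN/wp-admin/admin.php"
cp "$CLEAN/wp-includes/load.php" "$SITE/wp-includes/load.php"
# Tampered core file on the site: same name, one injected line appended
cp "$CLEAN/wp-admin/admin.php" "$SITE/wp-admin/admin.php"
printf '@include "/tmp/.x";\n' >>"$SITE/wp-admin/admin.php"
# A file with a plausible core-looking name that the clean tree does not have
printf '<?php // not a core file\n' >"$SITE/wp-includes/class-wp-cache-helper.php"

# "md5  relative/path" for every file under wp-admin and wp-includes of $1.
core_sums() {
  (cd "$1" && find wp-admin wp-includes -type f -exec md5sum {} + | LC_ALL=C sort -k 2)
}

# Compare clean tree $1 with site tree $2. One line per finding:
# MODIFIED (hash differs), EXTRA (only on the site), MISSING (only in clean).
integrity_report() {
  cs=$(mktemp); ss=$(mktemp)
  core_sums "$1" >"$cs"
  core_sums "$2" >"$ss"
  awk 'NR == FNR { clean[$2] = $1; next }
       { if (!($2 in clean)) print "EXTRA", $2
         else if (clean[$2] != $1) print "MODIFIED", $2
         seen[$2] = 1 }
       END { for (f in clean) if (!(f in seen)) print "MISSING", f }' "$cs" "$ss" \
    | LC_ALL=C sort
  rm -f "$cs" "$ss"
}

integrity_report "$CLEAN" "$SITE"
# Separately: PHP anywhere under uploads is never legitimate
find "$SITE/wp-content/uploads" -type f -name '*.php'
```

For a real site the clean tree is the official zip of the version in wp-includes/version.php, unpacked locally. WordPress.org also publishes the md5 list per version (api.wordpress.org/core/checksums/1.0/?version=X&locale=en_US), which is what `wp core verify-checksums` in WP-CLI compares against; the manual comparison above is the same check without depending on tooling on the compromised host.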

Look for specific suspicious files or file types

If you already know which file names or extensions to look for, and you have SSH access to the installation, you can search for the file or file type directly.

Here are some examples of possible searches (run from the root folder of the WordPress installation):

 # Find and list all HTML files
 find . -type f -name '*.html'
 # Find and list all PHP files (there should be none under wp-content/uploads)
 find . -type f -name '*.php'
 # Find and list all JS files
 find . -type f -name '*.js'
 # Find a specific file
 find . -type f -name 'im-not-suspicious.php'

A different search is to locate files that have been modified or uploaded recently. For example, the following command lists the files modified in the last 7 days:

 find . -type f -mtime -7 -ls | less
 # -ctime uses the inode change time, which touch cannot back-date
 find . -type f -ctime -7 -ls | less

From this list we continue searching and analyzing, opening files to check their integrity and locate the malicious code.

Search for specific texts

If we know exactly what text or URL to look for, either because it is the URL our website redirects to or because it is unwanted text displayed somewhere, we can search for that specific string to find which file of our installation it was injected into.

Again we use the command line, for example:

 grep -Ril 'www.no-robamos-bitcoins.com' .

This lists the files containing the URL www.no-robamos-bitcoins.com (case-insensitively, -i; file names only, -l), so you can locate them quickly and clean up the code. Search the database dump the same way: injected URLs often live in post content or options rather than in files.

Apart from that obvious string of the URL, here is a list of codes and texts that are often used in hacked WordPress websites. You can use the grep tool to search for the following:

  • base64_decode
  • is_admin
  • eval
  • gzuncompress
  • passthru
  • exec
  • shell_exec
  • assert
  • str_rot13
  • system
  • phpinfo
  • chmod
  • mkdir
  • fopen
  • fclose
  • readfile

A quick way to do all of this with one grep command: it searches files recursively (-R, which also follows symbolic links), matches the regular expression, and prints each match with the file name and the line number.

 grep -RPn --include='*.php' "(base64_decode|is_admin|eval|gzuncompress|passthru|exec|shell_exec|assert|str_rot13|system|phpinfo|chmod|mkdir|fopen|fclose|readfile)\s*\(" .

Of course, keep in mind that some of this code can also be used in legitimate code, so you have to analyze the code properly and understand how it is being used before marking something as an infection or a hack.

Checking and cleaning infected or hacked WordPress databases

To check and clean the database of your WordPress site, use the MySQL administration tool your hosting provides, normally phpMyAdmin, or work on the SQL dump you took in the backup step.

  1. Search for suspicious content: spam keywords, hidden links, <script> and <iframe> tags, URLs you do not recognize, in wp_posts (post_content), wp_options (option_value), wp_comments and wp_usermeta.
  2. Open the table that contains the suspicious content.
  3. Remove the suspicious content by hand. Be careful with serialized values in wp_options (they look like a:1:{s:4:"text";s:58:"...";}): every string carries its own length, so if you edit the text without updating the length PHP can no longer unserialize it and WordPress treats the whole option as empty. Deleting the injected option, or resetting the affected widget from the WordPress administration, is safer than editing it in place.
  4. Test that your site still works after the changes.

Beginners can use the payload information provided by the malware scanners we looked at earlier. More experienced users can also search manually for the most common malicious PHP functions, such as eval, base64_decode, gzinflate, preg_replace, str_replace, etc., and for users with the administrator role that nobody remembers creating (wp_users joined with wp_usermeta).
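As an added example (not part of the original article), here is the same search run over the SQL dump taken in the backup step instead of by scrolling through phpMyAdmin: rows of a given table that carry the usual injection markers, and every account that holds the administrator capability. The dump below is constructed and cut down to the columns that matter, and the default wp_ table prefix is assumed.

```shell
#!/bin/sh
# Added example, not from the original article: grep a mysqldump of a
# WordPress database for injected content and for administrator accounts.
set -eu

DUMP=$(mktemp); trap 'rm -f "$DUMP"' EXIT
cat >"$DUMP" <<'EOF'
INSERT INTO `wp_posts` VALUES (1,1,'2021-03-10 08:00:00','Welcome to our blog. Nothing odd here.','Hello world','publish');
INSERT INTO `wp_posts` VALUES (2,1,'2021-03-10 09:00:00','Great post <script src=\"https://www.no-robamos-bitcoins.com/x.js\"></script>','Pharma','publish');
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.org','yes');
INSERT INTO `wp_options` VALUES (99,'widget_text','a:1:{i:2;a:1:{s:4:\"text\";s:80:\"<div style=\"display:none\"><a href=\"https://www.no-robamos-bitcoins.com\">cheap pills</a></div>\";}}','yes');
INSERT INTO `wp_users` VALUES (1,'admin','$P$Bhashed','admin','admin@example.org','2021-01-01 00:00:00','admin');
INSERT INTO `wp_users` VALUES (7,'wp_support','$P$Bhashed','wp_support','x@example.net','2021-03-10 09:15:00','wp_support');
INSERT INTO `wp_usermeta` VALUES (1,1,'wp_capabilities','a:1:{s:13:\"administrator\";b:1;}');
INSERT INTO `wp_usermeta` VALUES (2,7,'wp_capabilities','a:1:{s:13:\"administrator\";b:1;}');
EOF

# Primary keys of the rows of table $2 in dump $1 that carry typical injection
# markers: script/iframe tags, hidden divs, encoded PHP, javascript: URLs.
injected_ids() {
  grep "^INSERT INTO \`$2\`" "$1" \
    | grep -Ei '<script|<iframe|display:none|eval\(|base64_decode|javascript:' \
    | sed -E 's/^INSERT INTO `[^`]+` VALUES \(([0-9]+),.*/\1/' || true
}

# Login names of every user whose wp_capabilities grants administrator:
# user IDs come from wp_usermeta and are resolved against wp_users.
admin_users() {
  grep '^INSERT INTO `wp_usermeta`' "$1" | grep 'wp_capabilities' | grep -F 'administrator' \
    | sed -E 's/.*VALUES \([0-9]+,([0-9]+),.*/\1/' \
    | while read -r uid; do
        grep "^INSERT INTO \`wp_users\` VALUES ($uid," "$1" \
          | sed -E "s/.*VALUES \([0-9]+,'([^']+)'.*/\1/"
      done
}

echo "posts with injections:   $(injected_ids "$DUMP" wp_posts | tr '\n' ' ')"
echo "options with injections: $(injected_ids "$DUMP" wp_options | tr '\n' ' ')"
echo "administrators:          $(admin_users "$DUMP" | tr '\n' ' ')"
```

The phpMyAdmin equivalents are plain queries, for example `SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%<script%' OR post_content LIKE '%<iframe%'` and `SELECT option_name FROM wp_options WHERE option_value LIKE '%display:none%'`. Whichever way you find the rows, compare the administrator list with the people who should be there; in the sample, wp_support is an account created the morning of the attack that nobody asked for.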

Checking and cleaning backdoors

Another method attackers use to keep access to your website is PHP backdoor code injected into files such as wp-config.php and .htaccess, and into directories such as /themes/, /plugins/ or /uploads/ (a PHP file under uploads is always suspicious, since WordPress never puts one there).

The functions most often used in backdoors, such as base64_decode, eval, exec and preg_replace, are also used legitimately by many WordPress plugins, so the presence of one of them proves nothing by itself: look at what is being passed to it (request parameters, an encoded blob, a file under uploads) before deciding.

That is why the backdoors must be cleaned out properly, all of them, and not just the visible symptom (the redirect, the spam links): one backdoor left behind is all the attacker needs to reinfect the site, while removing the wrong thing breaks it.
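As an added example (not part of the original article), here are checks for the injections that typically land in the two files named above: an extra include in wp-config.php that loads a file from uploads on every page view, and .htaccess directives that redirect visitors or search-engine crawlers off-site or make PHP prepend a file to every script. Both files are constructed for the example; the paths and the domain in them are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: find the usual backdoor
# hooks in wp-config.php and .htaccess.
set -eu

ROOT=$(mktemp -d); trap 'rm -rf "$ROOT"' EXIT
cat >"$ROOT/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'wp');
define('DB_USER', 'wp');
@include_once '/home/site/public_html/wp-content/uploads/.cache/.s.php';
$table_prefix = 'wp_';
require_once ABSPATH . 'wp-settings.php';
EOF
cat >"$ROOT/.htaccess" <<'EOF'
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]
RewriteRule ^(.*)$ https://www.no-robamos-bitcoins.com/$1 [R=301,L]
php_value auto_prepend_file /home/site/public_html/wp-content/uploads/.cache/.s.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
EOF

# wp-config.php should include exactly one file, wp-settings.php. Any other
# include/require with a quoted path, or any decoding function, is a finding.
# Output: "line:text", one per finding.
wpconfig_findings() {
  {
    grep -En "(include|require)(_once)?[[:space:]]*\(?[[:space:]]*['\"]" "$1" | grep -v 'wp-settings.php' || true
    grep -En 'eval[[:space:]]*\(|base64_decode|gzinflate|str_rot13' "$1" || true
  } | sort -t: -k1,1n -u
}

# .htaccess directives that send visitors or crawlers to another site, or
# make PHP load an extra file before every script (a persistent backdoor).
htaccess_findings() {
  grep -En 'RewriteRule .*https?://|ErrorDocument .*https?://|auto_prepend_file|auto_append_file|RewriteCond .*HTTP_(USER_AGENT|REFERER)' "$1" || true
}

wpconfig_findings "$ROOT/wp-config.php"
htaccess_findings "$ROOT/.htaccess"
```

The user-agent condition in the sample is the reason this check matters: the redirect fires only for Googlebot and Bingbot, so the owner never sees it in a browser while search results fill with spam. Run htaccess_findings over every .htaccess in the tree (`find . -name .htaccess`), not only the one in the root; attackers like to hide them in uploads and wp-includes.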

How to remove unsafe site warnings

Finally, do not forget to clear any warning that the WordPress site is not safe. When you have finished cleaning and recovering the hacked WordPress website, do the following:

  • If your hosting blocked the web, contact them so that they reactivate it and make it available again.
  • If Google or Chrome showed warnings that visiting the web was not safe, go to Google Search Console (Security Issues) and request a review of the web.

From here on, how long it takes to re-crawl the site and remove the warning depends on Google; you can check by visiting the web or from Google Search Console itself.

In fact, if you have not yet registered your website in Google Search Console, I recommend doing so and periodically reviewing the security section of the tool, to anticipate problems.

What to do after cleaning and recovering the hacked WordPress website

When you finish cleaning and have recovered the infected or hacked WordPress website, your main mission is to prevent it from happening again, as far as possible.

For this, my recommendation is the following:

  1. Always use and enforce a secure HTTPS connection with a TLS (SSL) certificate.
  2. Activate at least the HSTS and CSP security headers.
  3. Put in place a good WordPress backup strategy, with copies kept off the server, so that a future incident is an inconvenience and not a disaster.
  4. Install a good WordPress security plugin.
  5. Carry out, or hire, good WordPress maintenance, always keeping core, theme and plugins up to date and removing the ones you do not use.
  6. Require strong passwords (and two-factor authentication for administrators where you can), and change them periodically.
  7. Install an activity log plugin, if the security plugin does not include one, to record and analyze what users and the site do.
  8. Write-protect configuration files (wp-config.php, .htaccess) and disable the theme and plugin file editor in the administration (define('DISALLOW_FILE_EDIT', true) in wp-config.php).
  9. See whether your hosting company does enough to protect your site and, if not, switch to a reputable one.
  10. Scan the entire installation frequently for vulnerabilities, with the tools we saw at the beginning, or by hiring an automated periodic scanning service.

I hope this has helped you clean and recover your WordPress website after a hack or infection. If you have any questions you can leave them below in the comments section or, if you prefer, hire our hacked WordPress website recovery service.

All rights reserved, © 2021