How to Clean and Repair a Hacked WordPress Website


Oh no! So, your WordPress website has been hacked, huh? Don’t panic. It’s a terrible feeling when you realize your site has been compromised, but I’m here to walk you through the process of cleaning and repairing it. We’ll get your website back on its feet in no time. Just take a deep breath, grab a cup of coffee, and let’s dive into it step by step.

How Did My WordPress Site Get Hacked?

Before we jump into the cleanup process, it’s crucial to understand how the hack might have happened. WordPress is incredibly popular—like, millions of websites popular. While that’s great for you, it’s also why hackers love targeting WordPress sites. Common vulnerabilities include outdated plugins or themes, weak passwords, or even insecure hosting environments. Knowing where the attack might have originated can help you avoid similar issues in the future.

Step 1: Stay Calm and Assess the Damage

Alright, the first thing you need to do is stay calm. It’s easy to get overwhelmed, but panicking won’t help. Instead, let’s take a good look at what’s going on. Ask yourself these questions:

  1. Can You Access Your Website’s Backend?
    If you can still log in to your WordPress dashboard, that’s a good sign. It means the hacker hasn’t completely locked you out, and you have some control over the situation.
  2. What’s Been Compromised?
    Has your entire site been defaced, or are there just a few strange posts or pages? Maybe your site is redirecting visitors to another website, or perhaps your traffic has suddenly plummeted. Take note of everything that seems off.
  3. Check for Warnings from Your Hosting Provider
    Sometimes, your hosting provider might be the one to alert you that your site has been hacked. If you’ve received an email or notification from them, take it seriously. They might have already quarantined your website or given you some instructions on what to do next.
  4. Scan Your Computer for Malware
    In some cases, your computer might be the weak link. Before diving into your WordPress site, run a complete malware scan on your personal computer. If your system is compromised, the hacker could easily gain access again.

Step 2: Back Everything Up

Even though your site is hacked, you still want to back up everything. This might sound counterintuitive, but if anything goes wrong during the cleanup process, you’ll want to have a copy of your site’s current state. You can use plugins like UpdraftPlus or your hosting provider’s backup tool if you have one.

Backing Up Manually via cPanel or FTP

If you prefer doing things the old-school way, you can back up your site manually:

  1. Access Your Site via cPanel or FTP
    Log into your hosting account and access your cPanel or use an FTP client like FileZilla to connect to your site.
  2. Download All Your Files
    Navigate to your WordPress directory (usually in a folder called public_html or something similar) and download everything to your local computer.
  3. Export Your Database
    In cPanel, go to phpMyAdmin, select your WordPress database, and export it as a .sql file. This file contains all your posts, pages, and other essential data.

Having this backup ensures that you can restore your site to its current state if needed, even though it’s compromised.

Step 3: Take Your Website Offline

Now that you have a backup, it’s time to take your website offline. You don’t want visitors stumbling onto your hacked site, and you definitely don’t want the hackers doing more damage while you’re trying to clean things up.

Enabling Maintenance Mode

The easiest way to take your site offline is by putting it into maintenance mode. You can do this by using a plugin like WP Maintenance Mode. This plugin lets you display a custom message to your visitors while keeping your site hidden.

If you can’t access your dashboard to install a plugin, don’t worry. You can also achieve this by editing your .htaccess file to restrict access to everyone except your IP address. Here’s how:

  1. Connect to Your Site via FTP or cPanel
    Use your FTP client or cPanel’s File Manager to access your website’s root directory.
  2. Edit the .htaccess File
    Find the .htaccess file and add the following lines:

    Order Deny,Allow
    Deny from all
    Allow from [Your IP Address]

    Replace [Your IP Address] with your actual public IP address. This blocks everyone else from reaching your site while you keep working on it. Two caveats: these are Apache 2.2-style directives, which Apache 2.4 only honours when the mod_access_compat module is loaded (the 2.4-native equivalents are Require all denied followed by Require ip and your address), and .htaccess has no effect on nginx, where the same restriction belongs in the server configuration.

Step 4: Scan and Clean Your Website Files

Now it’s time to roll up your sleeves and start cleaning up the mess. The first thing you’ll need to do is scan your website for malware or suspicious code. There are a few different ways to do this:

Using a Security Plugin

One of the easiest methods is to use a security plugin like Wordfence, Sucuri, or iThemes Security. These plugins can scan your website for malicious code, infected files, and vulnerabilities.

  1. Install the Plugin
    If you can still access your WordPress dashboard, install and activate the security plugin of your choice.
  2. Run a Full Scan
    Once the plugin is activated, run a full scan of your website. This might take a while, depending on the size of your site.
  3. Review the Results
    After the scan is complete, review the results carefully. The plugin should identify any infected files or suspicious activity.
  4. Clean or Delete Infected Files
    The plugin will usually give you the option to clean or delete infected files. Be cautious here—if you’re not sure what a file does, research it before deleting it.

Manual Scanning

If you prefer a hands-on approach, you can manually scan your website files. This method is more time-consuming but gives you full control over what gets deleted or cleaned.

  1. Download Your Website Files
    Using FTP, download all your website files to your local computer.
  2. Search for Suspicious Code
    Open the files in a code editor like Sublime Text or Notepad++ and look for any suspicious code. Hackers often inject malicious code into files like wp-config.php and index.php, or into theme files such as header.php. Common signs of a hack include:

    • Obfuscated or encoded strings (e.g., base64-encoded text)
    • Files with strange names that don’t belong in WordPress
    • Scripts that load external content from unknown URLs
  3. Compare with a Clean Version of WordPress
    Download a fresh copy of WordPress from WordPress.org and compare the files with your website’s files. This will help you identify any code that doesn’t belong.
  4. Remove Malicious Code
    Once you’ve identified the malicious code, carefully remove it. If you’re unsure about a particular file or line of code, it’s better to replace the entire file with a clean version from the WordPress download.
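The three manual checks above (obfuscated strings, files that do not belong, scripts loading external content) and the comparison against a clean WordPress download can be automated so that the hand review starts from a short list instead of the whole tree. The script below is an added example written for this guide, not code from the article or from WordPress; it assumes you have the site files in one directory and a freshly downloaded copy of the same WordPress version in another, and the pattern names, directory layout and sample files in demo() are all constructed for illustration.

```python
"""Offline triage of a downloaded WordPress tree: flag obfuscation and
remote-load patterns in text files, and diff every file against a clean
WordPress download by SHA-256 so edited or dropped-in core files stand out."""
import hashlib
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Heuristic patterns seen in injected PHP/JS. A hit is a lead to read by hand,
# not proof of compromise: minified scripts and some plugins trip these too.
SUSPICIOUS_PATTERNS = {
    "eval-of-decoded-payload": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "long-base64-blob": re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),
    "hex-escaped-string": re.compile(r"(?:\\x[0-9a-f]{2}){8,}", re.I),
    "remote-script-tag": re.compile(r"<script[^>]+src\s*=\s*[\"']https?://", re.I),
    "remote-php-include": re.compile(
        r"\b(?:include|require)(?:_once)?\s*\(?\s*[\"']https?://", re.I),
}
CORE_DIRS = ("wp-admin", "wp-includes")  # should hold only files from the download
SCAN_SUFFIXES = {".php", ".js", ".html"}


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> sha256 for every file under root."""
    return {str(p.relative_to(root)).replace("\\", "/"): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def scan_text(text: str) -> list:
    """Return the names of every suspicious pattern that matches the text."""
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]


def audit(site_root: Path, clean_root: Path) -> dict:
    """Compare the site tree with the clean tree and pattern-scan text files."""
    clean = build_manifest(clean_root)
    report = {"modified_core": [], "unexpected_core_files": [], "suspicious": {}}
    for rel, digest in build_manifest(site_root).items():
        if rel in clean:
            if clean[rel] != digest:          # shipped file, edited on the server
                report["modified_core"].append(rel)
        elif rel.split("/", 1)[0] in CORE_DIRS:  # file dropped into a core directory
            report["unexpected_core_files"].append(rel)
        path = site_root / rel
        if path.suffix in SCAN_SUFFIXES or path.name == ".htaccess":
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                report["suspicious"][rel] = hits
    for key in ("modified_core", "unexpected_core_files"):
        report[key].sort()
    return report


def demo() -> dict:
    """Constructed sample: a tiny 'clean' tree and a 'site' tree with three
    planted problems (edited core file, dropped file, remote script in a theme)."""
    with TemporaryDirectory() as tmp:
        clean, site = Path(tmp) / "clean", Path(tmp) / "site"
        for root in (clean, site):
            (root / "wp-includes").mkdir(parents=True)
            (root / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
            (root / "wp-includes" / "version.php").write_text("<?php $wp_version = 'x.y.z';\n")
        (site / "wp-includes" / "version.php").write_text(
            "<?php $wp_version = 'x.y.z';\neval(base64_decode('" + "QUFB" * 60 + "'));\n")
        (site / "wp-includes" / "wp-tmp-loader.php").write_text("<?php echo 'dropped';\n")
        theme = site / "wp-content" / "themes" / "demo"
        theme.mkdir(parents=True)
        (theme / "header.php").write_text("<script src='http://example.invalid/x.js'></script>\n")
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")  # not in a download
        return audit(site, clean)


if __name__ == "__main__":
    print(demo())
```

Run it as audit(Path("site-download"), Path("wordpress-clean")) with a clean copy of exactly the version the site runs (read it from wp-includes/version.php first), otherwise every core file shows up as modified. wp-config.php is never in the download, so it is scanned for patterns but not hash-compared; read it by hand. If you have WP-CLI on the server, wp core verify-checksums performs the same core comparison against the official checksums.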

Step 5: Check and Clean Your Database

After cleaning your website files, the next step is to check your WordPress database for any signs of a hack. Hackers often inject malicious content into your database, which can persist even after you’ve cleaned your files.

Using phpMyAdmin

  1. Log into cPanel and Access phpMyAdmin
    Log into your hosting account, go to cPanel, and open phpMyAdmin.
  2. Select Your WordPress Database
    On the left-hand side, select the database that corresponds to your WordPress site.
  3. Search for Suspicious Content
    Look through your database tables, especially the wp_posts, wp_options, and wp_users tables. Common signs of a hack include:

    • Unknown administrator accounts in the wp_users table
    • Suspicious content in the wp_posts table, such as spammy links or scripts
    • Strange entries in the wp_options table, especially under options like siteurl, home, or anything that looks out of place
  4. Clean or Remove Malicious Entries
    If you find any suspicious entries, carefully delete them or reset them to their original state. For example, if you find an unknown administrator account, delete it immediately.
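The three table checks above can be expressed as queries rather than scrolling through phpMyAdmin. The following is an added example written for this guide, not code from the article or from WordPress: it runs the queries against a constructed in-memory SQLite copy of the relevant columns so it works offline, and the same SQL (table prefix wp_ assumed) can be pasted into phpMyAdmin's SQL tab. All user names, e-mail addresses, URLs and post contents are made up for the demonstration.

```python
"""Database triage for the wp_users, wp_posts and wp_options tables, run here
against a constructed SQLite stand-in for a WordPress database."""
import sqlite3

# Administrators are users whose wp_capabilities meta contains the role name.
# The meta_key carries the table prefix: with prefix wp_ it is wp_capabilities.
ADMIN_USERS_SQL = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.ID"""

# Injected content usually arrives as script/iframe tags or hidden spam blocks.
INJECTED_POSTS_SQL = """
SELECT ID, post_title
FROM wp_posts
WHERE post_content LIKE '%<script%'
   OR post_content LIKE '%<iframe%'
   OR post_content LIKE '%eval(%'
   OR post_content LIKE '%display:none%'
ORDER BY ID"""

# siteurl/home are what a redirect hack changes; other options should never
# carry script tags or decoder calls.
OPTIONS_SQL = """
SELECT option_name, option_value
FROM wp_options
WHERE option_name IN ('siteurl', 'home')
   OR option_value LIKE '%<script%'
   OR option_value LIKE '%base64_decode%'
ORDER BY option_name"""


def unknown_admins(conn, known_logins):
    """Administrator rows whose login is not in the set you recognise."""
    return [row for row in conn.execute(ADMIN_USERS_SQL) if row[1] not in known_logins]


def injected_posts(conn):
    return conn.execute(INJECTED_POSTS_SQL).fetchall()


def option_anomalies(conn, expected_url):
    """siteurl/home that differ from the expected URL, plus any other option
    row that matched the script/base64 patterns."""
    out = []
    for name, value in conn.execute(OPTIONS_SQL):
        if name in ("siteurl", "home"):
            if value != expected_url:
                out.append((name, value))
        else:
            out.append((name, value))
    return out


def build_sample_db():
    """Constructed sample database with one planted problem per table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
    CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
    CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT);
    CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
    """)
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", [
        (1, "alice", "alice@example.com", "2020-01-01 00:00:00"),
        (2, "editor", "ed@example.com", "2021-05-05 00:00:00"),
        (7, "wp_supp0rt", "x@example.invalid", "2024-06-30 03:12:44"),  # planted admin
    ])
    conn.executemany("INSERT INTO wp_usermeta VALUES (?,?,?,?)", [
        (1, 1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, 2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
        (3, 7, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ])
    conn.executemany("INSERT INTO wp_posts VALUES (?,?,?)", [
        (10, "Hello world", "<p>Welcome to my site.</p>"),
        (11, "About", '<p>About us.</p><div style="display:none"><a href="http://spam.invalid">buy</a></div>'),
        (12, "Contact", "<p>Mail us.</p><script src='http://bad.invalid/j.js'></script>"),
    ])
    conn.executemany("INSERT INTO wp_options VALUES (?,?,?)", [
        (1, "siteurl", "https://redirect.invalid"),     # planted redirect
        (2, "home", "https://www.example.com"),
        (3, "blogname", "My Site"),
        (4, "widget_text", '<script>eval(base64_decode("QUJD"))</script>'),  # value shortened
    ])
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print(unknown_admins(db, {"alice"}))
    print(injected_posts(db))
    print(option_anomalies(db, "https://www.example.com"))
```

When you delete or edit what these queries find, keep in mind that many wp_options and wp_usermeta values are PHP-serialized strings (the s:13:"administrator" form above) whose declared lengths must match the content; change a value by hand without fixing the length and WordPress will treat it as corrupt. Deleting a whole row, or removing the user through the dashboard, avoids that problem.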

Using a Security Plugin

If you’re not comfortable diving into the database directly, some security plugins offer database scanning features. Wordfence, for example, can scan your database for malicious content and help you clean it.

Step 6: Reset All Passwords

At this point, it’s crucial to reset all your passwords. If a hacker gained access to your website, they might still have your login credentials, which means they could get back in even after you’ve cleaned everything up.

Reset WordPress Passwords

  1. Go to Users > All Users in Your WordPress Dashboard
    From your WordPress dashboard, go to the Users section and click on All Users.
  2. Reset Passwords for All Users
    For each user, click Edit and scroll down to the New Password section. Generate a strong password and save the changes.
  3. Delete Suspicious Users
    If you see any user accounts that you don’t recognize, delete them immediately.

Reset cPanel, FTP, and Database Passwords

It’s also a good idea to reset your cPanel, FTP, and database passwords. Log into your hosting account and update these passwords to something strong and unique. The database password is also stored in wp-config.php (the DB_PASSWORD constant), so update it there too or the site will lose its database connection. Rotating the authentication salts in the same file (the AUTH_KEY family of constants) invalidates every existing login cookie, which ends any session the attacker may still hold.

Step 7: Update Everything

One of the most common reasons WordPress sites get hacked is because they’re running outdated software. To protect your site from future attacks, you need to update everything to the latest version.

Update WordPress Core

  1. Go to Dashboard > Updates in Your WordPress Dashboard
    In your WordPress dashboard, go to the Updates section.
  2. Update to the Latest Version of WordPress
    If there’s a new version of WordPress available, update to it immediately. Make sure you have a backup before doing this, just in case something goes wrong.

Update Plugins and Themes

  1. Go to Dashboard > Updates
    In the same Updates section, you’ll see a list of all the plugins and themes that have updates available.
  2. Update All Plugins and Themes
    Update everything to the latest version. Outdated plugins and themes are major security risks, so it’s important to keep them up to date.

Step 8: Strengthen Your Website’s Security

Now that your site is clean and up to date, let’s make sure this doesn’t happen again. Here are some steps you can take to strengthen your website’s security:

Install a Security Plugin

A good security plugin can help protect your site from future attacks. Some popular options include:

  • Wordfence: Offers a firewall, malware scanning, and login security.
  • Sucuri: Provides a comprehensive website security solution with a firewall and malware removal.
  • iThemes Security: Focuses on securing your WordPress site by locking down common vulnerabilities.

Enable Two-Factor Authentication (2FA)

Two-factor authentication adds an extra layer of security to your login process. With 2FA enabled, you’ll need both your password and a code sent to your phone to log in.

  1. Install a 2FA Plugin
    Install a plugin like Two Factor Authentication or Google Authenticator to enable 2FA on your WordPress site.
  2. Set Up 2FA for All Users
    Go to the plugin settings and configure 2FA for all users with access to your WordPress dashboard, especially administrators.

Change the Default Login URL

By default, the WordPress login page is located at yourwebsite.com/wp-admin or yourwebsite.com/wp-login.php. Hackers know this and often target it with brute force attacks. Changing the default login URL can help protect your site.

  1. Install a Plugin Like WPS Hide Login
    WPS Hide Login is a simple plugin that lets you change the login URL to something unique.
  2. Set a Custom Login URL
    After installing the plugin, go to its settings and set a custom login URL. Make sure to remember it, as you’ll need this URL to access your dashboard in the future.

Limit Login Attempts

Limiting login attempts can prevent brute force attacks where hackers try to guess your password by making multiple attempts.

  1. Install a Plugin Like Login Lockdown or Limit Login Attempts Reloaded
    These plugins let you limit the number of login attempts allowed before locking out the user.
  2. Configure the Settings
    Go to the plugin settings and set the number of allowed login attempts, the lockout duration, and other parameters according to your preference.

Regular Backups

Regular backups are your safety net. If your site gets hacked again, having a recent backup can save you hours of cleanup work.

  1. Install a Backup Plugin Like UpdraftPlus or BackupBuddy
    These plugins make it easy to schedule regular backups of your entire website.
  2. Schedule Automatic Backups
    Set up the plugin to automatically back up your site daily, weekly, or monthly, depending on how often you update your content.
  3. Store Backups Offsite
    Store your backups in a secure offsite location like Google Drive, Dropbox, or Amazon S3. This way, if your site or server gets compromised, your backups are safe.

Monitor Your Website

Keeping an eye on your website’s activity can help you catch any suspicious behavior early. There are several tools and services that can help you with this:

  • Google Search Console: Set up Google Search Console for your website and monitor it for any security issues or warnings.
  • Security Plugins: Many security plugins offer real-time monitoring and alerts. Configure these settings to notify you of any unusual activity.
  • Activity Log Plugins: Plugins like WP Activity Log can track changes on your website and alert you to any suspicious actions, such as new user registrations or file modifications.
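The lockout rule from Limit Login Attempts and the monitoring advice here come together in one place: the web server access log, where every attempt against wp-login.php is recorded. The script below is an added example for this guide, not code from the article or from any plugin; it applies the same rule a limit-login plugin enforces (more than N failed POSTs from one address inside a time window) to combined-format log lines, so you can check a log after the fact. The log lines, IP addresses and timestamps are constructed sample data, and the 200-versus-302 rule relies on wp-login.php re-rendering the form with status 200 on a failed login and redirecting on success.

```python
"""Report source addresses that fail wp-login.php more than max_attempts
times inside window_seconds, from Apache/nginx combined-format log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need, or None for lines that are not requests."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def login_bursts(lines, max_attempts=5, window_seconds=300):
    """Map ip -> timestamp at which it exceeded max_attempts failed logins
    within window_seconds (only the first crossing per ip is kept)."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["method"] != "POST" or not ev["path"].endswith("/wp-login.php"):
            continue
        if ev["status"] == 302:
            continue  # a redirect after POST is a successful login, not a failure
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop attempts older than the window
        if len(q) > max_attempts and ev["ip"] not in flagged:
            flagged[ev["ip"]] = ev["ts"]
    return flagged


# Constructed sample log: one legitimate user, one address hammering the form.
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Jun/2024:03:10:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jun/2024:03:10:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4220 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jun/2024:03:10:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.7 - - [10/Jun/2024:03:12:0{i} +0000] "POST /wp-login.php HTTP/1.1" 200 4220 "-" "python-requests/2.31"'
    for i in range(1, 8)
] + [
    '203.0.113.7 - - [10/Jun/2024:03:12:08 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"',
]


if __name__ == "__main__":
    for ip, when in login_bursts(SAMPLE_LOG).items():
        print(f"{ip} exceeded the login threshold at {when}")
```

Point it at your real log with login_bursts(open("/path/to/access.log")) and tune max_attempts and window_seconds to match what you configured in the plugin; addresses it reports are candidates for a firewall block, and a burst that ends with a 302 from the same address is the case to investigate first, because that is a guess that succeeded.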

Step 9: Test Your Website

Now that you’ve cleaned and secured your website, it’s time to test everything to make sure it’s working correctly.

Check the Frontend

Visit your website and browse through it as a visitor would. Make sure all pages are loading correctly, images are displaying, and links are working. If you notice anything off, go back and check the related files or database entries.

Test the Backend

Log into your WordPress dashboard and navigate through different sections. Check your posts, pages, and media library to ensure everything is still there. Test the functionality of any plugins or custom features to make sure they’re working as expected.

Check for SEO Issues

A hack can sometimes affect your site’s SEO. Use tools like Google Search Console or third-party SEO tools like Ahrefs or SEMrush to check for any issues. Look for:

  • Spammy Links: Hackers often insert spammy links into your content. Use the tools to scan for any unusual outbound links.
  • Search Engine Warnings: If Google has flagged your site as unsafe, you’ll need to address this immediately. Follow the steps in Google Search Console to request a review after cleaning your site.

Step 10: Submit Your Site for Review

If your site was flagged by Google or blacklisted by other security services (like McAfee or Norton), you’ll need to submit it for review once you’re confident it’s clean.

Google Search Console

  1. Log into Google Search Console
    Go to Google Search Console and select your website.
  2. Request a Review
    If your site was flagged for malware or other security issues, Google will provide instructions on how to request a review. Follow these steps carefully and submit your site for re-evaluation.
  3. Wait for the Review
    Google’s review process can take a few days. Be patient, and check back regularly for updates.

Other Security Services

If your site was blacklisted by other services, visit their websites to find the appropriate forms or contact details for requesting a review. These services include:

Submit your site to each service where it was blacklisted and wait for the reviews to be processed.

Step 11: Educate Yourself and Your Team

Finally, the best way to prevent your site from being hacked again is to educate yourself and your team about website security. Here are some things to consider:

Stay Updated

Make sure you’re always running the latest versions of WordPress, themes, and plugins. Set a reminder to check for updates regularly, or enable automatic updates where possible.

Learn About Security Best Practices

Take some time to learn about WordPress security best practices. There are plenty of online resources, courses, and forums where you can learn from experts and other website owners.

Train Your Team

If you have a team that helps manage your website, make sure they’re also aware of security best practices. Train them on how to create strong passwords, recognize phishing attempts, and follow secure protocols when accessing your website.

Follow a Security Checklist

Create a security checklist that you and your team can follow regularly. This might include:

  • Checking for updates
  • Reviewing user accounts
  • Monitoring website activity
  • Running regular scans
  • Testing backups

Wrapping Up

Cleaning and repairing a hacked WordPress website can be a stressful experience, but with the right approach, you can get your site back up and running securely. Remember, the key to preventing future hacks is to stay vigilant, keep everything updated, and continuously monitor your site’s security.

If you ever find yourself overwhelmed or unsure, don’t hesitate to reach out to a professional. There are plenty of experts out there who can help you clean and secure your site.

Thanks for sticking with me through this guide. I hope your website is back to its former glory, safe and sound. Good luck!