How to Clean a Hacked WordPress Website or Blog

Last updated on May 30th, 2018 by Robert Abela. Filed under WordPress Security Tutorials

First things first, do not panic.

This article guides you through the process of cleaning a hacked WordPress website. The process is documented in an easy to follow, step by step format to help you identify the source of the hack and the infection, clean the code to regain control of your WordPress website or blog, and remove the Google malware alert. It will help you recover from the typical WordPress hacks such as backdoors, malware, spam and other similar types of infection.

Is Your Hacked WordPress Website Really Hacked?

Before you start the analysis and WordPress clean-up process, confirm that your WordPress website has actually been hacked and that it is not a technical issue. Read the article How to Check if My WordPress is Hacked to determine whether your website or blog was hacked.

Make a Backup

Even if you have a WordPress backup solution in place, make a backup of the current WordPress website. Follow this guide to do a complete manual backup of WordPress. A WordPress backup is very important at this stage since:

  • It allows you to analyse the infection at a later stage,
  • Some hosting providers delete the website when it is hacked,
  • If you do not have a backup strategy in place, at least you can salvage some of the website from this backup before things get worse,
  • And an extra backup is never a bad idea!

Identify How WordPress Got Hacked

The first thing you should do is to try and identify what happened, i.e. which security weakness the hackers exploited to gain access to your WordPress. Ideally you should not change any passwords or files at this stage because this can alarm the hacker and things can get worse.

Should I simply restore a backup?

Many users recommend restoring a backup should your website be hacked. Restoring a backup of your WordPress will remove the infection, but it does not close the vulnerability or security flaw the hackers exploited, which is why it is very important to first find out what happened. Here are a few things you should look into to try and identify the source of your WordPress hack.

Audit Logs and Web Server and FTP Server Logs

If you keep a WordPress activity log (audit trail), this is probably the best place from which to start your analysis. See if you can identify any suspicious behaviour. Look in the WordPress activity log for events such as newly created users, user password changes, modified WordPress plugin files, modified widgets or themes and so on.

You should also take a look at the web server and FTP server log files. See if you can spot something unusual, like traffic from an unusual IP address. If you have other network services running on your server, check their logs as well.

Unused and Outdated WordPress Plugins and Themes

Check the list of installed plugins, both from the WordPress dashboard and in the directory /wp-content/plugins/. Are all the WordPress plugins being used? Are they all up to date? Check the themes and the themes directory /wp-content/themes/ as well. You should only have one theme installed, the one you are using. If you are using a child theme you will have two directories.

Old WordPress Code and Installations

Another common problem is old code. Sometimes developers update the code of a file and keep the old version of the file with a .old extension. For example they update index.php and rename the old version to index.php.old. Hackers can identify such files, which may contain enough sensitive information to help an attacker craft an attack against your website.

Another similar problem is an old installation of WordPress. When businesses rebuild their websites they typically leave a copy of the old WordPress installation in an /old/ sub directory. These old installations of WordPress are still accessible over the internet, hence if they are outdated, they will be hacked.

Delete any unused code, WordPress installations, WordPress plugins, WordPress themes and any other sort of old, unused files. Your website should contain the least possible files, i.e. those which are being used.

WordPress Users and Roles

Check all the WordPress users. Are all the users being used? Are there any new suspicious ones? Check that all the roles are intact. If you follow the WordPress users and roles guidelines you should only have one user with WordPress administrator role.

Shared Hosting Providers

If your WordPress is running on a shared hosting provider, the source of the hack could be another website running on the same server as yours. When that website was hacked, the hackers managed to escalate their privileges and access the whole server, thus automatically gaining access to your WordPress website. How can you identify this type of hack? Speak to your hosting provider, after backing up your website.

.htaccess Files

.htaccess files (directory level web server configuration files) are also a common target for hackers. They are typically used to redirect users to other spammy and malicious websites. Check all of the .htaccess files on your server, even those which are not being used by WordPress. Some of the redirects can be difficult to spot.

For example, we once worked on a hacked Spanish WordPress website where only mobile traffic coming from Google.es was being redirected to a malicious website. Unless you check the .htaccess files, such a hack is very difficult to spot.

Check Other Points of Entry

There are several other points of entry on a web server. Make sure you check all of them, such as FTP servers, SSH, the web server etc.

Finding the WordPress Infection & Malicious Code

Before You Start: A WordPress hack typically involves the insertion of code in a WordPress theme, plugin or core file. Hence to proceed with a clean-up, you should be comfortable with modifying code. If you are not, hire WordPress security professionals.

Once you identify the hackers’ point of entry, it is typically relatively easy to find the infection. In case you haven’t found the infection yet, here are a few methods you can use to find it.

Check Which Files Were Modified in the Last Few Days

If you have SSH access to your server, check which files in your WordPress website have changed in the last four or five days, or since you noticed the hack. You can do so by navigating to the directory where your WordPress website is and using the find command:

find . -mtime -5 -ls

The above command lists (-ls) all the files whose modification time (-mtime) falls within the last five days (-5). If the list is too long, pipe the output through the less command to be able to browse through it:

find . -mtime -5 -ls | less

Note: if you have updated a plugin or theme in the last five days, its files will show up in such a search. Logs and debug files are also updated frequently, so these can also show up in your list.
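The following shell function is an added example, not code from the original article. It wraps the find command above so that the directories which change during normal operation (uploads and cache) are pruned and log files are skipped, leaving a shorter list to review. The paths and the default of five days are assumptions.

```shell
# Added example (not from the original article): list files under a
# WordPress root modified in the last N days, pruning directories that
# legitimately change all the time and skipping log files, so that an
# injected or modified file stands out.
# Usage: recently_modified /var/www/html 5      (paths are assumptions)

recently_modified() {
    wp_root="${1%/}"      # strip a trailing slash so -path matches exactly
    days="${2:-5}"        # default to the five days the article suggests

    # The first branch matches the noisy directories and -prune stops find
    # descending into them. Everything else must be a regular file
    # (-type f) modified less than N days ago (-mtime -N) that is not a
    # log (! -name '*.log'). Replace -print with -ls to see owner, size
    # and timestamp as in the article's command.
    find "$wp_root" \
        \( -path "$wp_root/wp-content/uploads" \
        -o -path "$wp_root/wp-content/cache" \) -prune \
        -o -type f -mtime "-$days" ! -name '*.log' -print
}
```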

Check All HTML Files

In WordPress there are very few HTML files and hackers like to use them. Search through your website for all HTML files and analyse their content. Make sure all HTML files you have on your website are legitimate and you know what they are used for.

Search for Infection Text

If your website has been defaced, or some text is showing up on your website as a result of the infection, look for it with the grep tool. For example if you’ve seen the text “hacked by”, navigate to the root directory of the website and issue the following command:

grep -ril "hacked by" .

The above command will return a list of files that include the content “hacked by”. Once you have the list of infected files you can analyse the code and remove the infection.

What Do the Grep Switches Mean?

The -r switch means recursive, so the search goes through the whole directory structure, including all sub directories. The -i switch ignores the capitalization of the search term. This is very important in Linux/Unix environments, which are case sensitive: unlike Windows, in Linux you can have two files with the same name but with different capitalization. The -l switch returns only the file names rather than the matching content of the files. Use the command below if you also want to see the matching content of each file:

grep -ir "hacked by" .

Other Malicious Code To Look For When Your WordPress is Hacked

Apart from the obvious “hacked by” catch phrases, below is a list of code and text phrases that are typically used in hacked WordPress websites. You can use the grep tool to look for:

  • base64_decode
  • iframe
  • exe
  • isadmin
  • inurl
  • eval
  • gzuncompress

NOTE: Some of this code can also be used in legitimate code, so analyse the code properly and understand how it is being used before flagging something as an infection or hack.
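As an added example (not code from the original article), the functions below run the token list above over a WordPress tree with grep and report one line per file and token with the number of matching lines, then let you print the matching lines of a single file so you can judge whether the use is legitimate. The file-type filter and the paths are assumptions.

```shell
# Added example (not from the original article): grep a WordPress tree for
# the article's list of suspicious tokens and print one line per hit as
#   file:token:matching-line-count
# so that files with many hits can be reviewed first. Token list from the
# article; the --include filter and the paths are assumptions.

TOKENS="base64_decode iframe exe isadmin inurl eval gzuncompress"

scan_for_tokens() {
    wp_root="${1%/}"
    for token in $TOKENS; do
        # -r recurse, -i ignore case, -l file names only, -F literal match;
        # --include limits the search to the file types that carry injected
        # code (GNU grep option).
        grep -rilF --include='*.php' --include='*.html' --include='.htaccess' \
            -- "$token" "$wp_root" 2>/dev/null |
        while read -r file; do
            count=$(grep -icF -- "$token" "$file")
            printf '%s:%s:%s\n' "$file" "$token" "$count"
        done
    done
}

# Print the matching lines, with line numbers, for one file and token.
# This is the step where you decide whether the code is legitimate.
# Usage: show_hits wp-content/themes/demo/header.php eval
show_hits() {
    grep -inF -- "$2" "$1"
}
```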

Compare the Files with an Original WordPress Install

This is an old school method and, even though it is not the most efficient, it works wonders. Compare the files of your website with those of an untampered copy. If you have a clean backup copy of your website, compare the tampered website against it. If not, install a fresh copy of WordPress and of the plugins you have on the infected website on a different host and compare them.

There are several tools you can use to compare files. We use a commercial tool called Beyond Compare, though there are several free alternatives. Below are some screenshots of a sample comparison.

When comparing the root directories of two WordPress websites, the tool highlights the difference in the content of the file index.php, the new .htaccess and wp-config.php files, and differences in the sub directories.

Comparing the root directory of Two WordPress websites

By double clicking the file index.php we can see what the differences are.

Infected index.php in WordPress website

What To Look For in a WordPress File Comparison?

Look for files which are not part of the WordPress core. Most infections add files to the root of the WordPress installation or to the wp-content directory. If the hack is a result of a vulnerable plugin, the files of the plugin might have been modified.
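The function below is an added example, not code from the original article or the Beyond Compare tool it mentions. It performs the same comparison with the standard diff utility: given a clean reference tree and the suspect tree, it reports every file that was added, is missing, or has changed content, which is exactly the list the previous paragraph tells you to inspect. Paths are assumptions.

```shell
# Added example (not from the original article): compare a suspect WordPress
# tree against a clean reference copy (a fresh download of the same versions,
# or a known-good backup) and report each difference as
#   added|missing|changed <relative path>
# Usage: compare_installs /srv/clean-wordpress /var/www/html  (assumed paths)

compare_installs() {
    clean="${1%/}"
    suspect="${2%/}"
    # diff -r walks both trees; -q only reports whether files differ.
    # Its output lines take these forms:
    #   Only in <dir>: <name>                 (present on one side only)
    #   Files <a> and <b> differ              (same path, different content)
    #   Binary files <a> and <b> differ       (same, for binary files)
    diff -rq "$clean" "$suspect" | while read -r line; do
        case "$line" in
            "Only in $suspect: "*|"Only in $suspect/"*)
                printf 'added %s\n' "$(printf '%s\n' "$line" |
                    sed "s|^Only in $suspect||; s|: |/|; s|^/||")" ;;
            "Only in $clean: "*|"Only in $clean/"*)
                printf 'missing %s\n' "$(printf '%s\n' "$line" |
                    sed "s|^Only in $clean||; s|: |/|; s|^/||")" ;;
            "Files $clean/"*|"Binary files $clean/"*)
                printf 'changed %s\n' "$(printf '%s\n' "$line" |
                    sed "s|^Files $clean/||; s|^Binary files $clean/||; s| and .*||")" ;;
        esac
    done | sort
}
```

Files reported as added in the WordPress root or in wp-content, and changed files inside a plugin you suspect, are the ones to open first.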

Finding the Infection Automatically with a WordPress Service

If the above seems too much to handle, that is OK. There are several WordPress security services and plugins you can use to scan your website for malware and other infections. We recommend the Malcare WordPress Security Services.

These plugins have a limited list of malware signatures they look for. Hence if your hack is not a common WordPress hack, or is not widespread yet, these plugins might fail to identify the infection. In fact, we do get reports from WordPress administrators whose website has been hacked yet the plugins did not report anything. That is why a manual analysis is always the best way forward, though these plugins should not be underestimated either. They can still be used and will come in handy at a later stage.

Cleaning the WordPress Hack

Once you know the source of the WordPress hack and found the infection, it is time to start cleaning up by following the below procedure.

Restore Your WordPress from Backup

If you have a backup of your WordPress website or blog, restore it. It is always much easier than manually cleaning the code.

Change All Passwords, Delete any Unused Users and Verify WordPress Users Roles

Change the passwords of all your users and services, including WordPress, cPanel, MySQL, FTP and your own personal computer. Check the list of users on your FTP, WordPress, MySQL and any other service to confirm that all users are legitimate. If there are any users which are no longer being used, delete them. Check that all WordPress users have the correct roles and permissions.

Upgrade WordPress Core, Plugins, Themes and All Other Software

Upgrade/update all the software you are using to the latest version, including the WordPress plugins, themes and WordPress core. Make sure you are running the latest version of PHP, MySQL, Apache or NGINX web server, the FTP server and client and so on.

Backup Your WordPress Website

Once at this stage, before removing the actual infected code make a backup of your WordPress website.

Remove the WordPress Hack

Remove all the malicious code. If you were running an old version of WordPress core or of a plugin and its files were tampered with, the update you just performed has most probably already replaced the infected files.

If any additional files were added, delete them. Each time you remove an infected file, browse the website to ensure that the removal of the code did not break any functionality. Sometimes the malicious code is injected into legitimate files rather than added as separate files, so the site can break when that code is removed.

Scan Your WordPress for Infections

Once you have cleaned everything, run another quick scan of the website. Now is the right time to use an automated malware scanning service such as Malcare to scan your WordPress website. Do one last manual analysis to confirm that everything is clean and fully functional.

Remove the Google Malware Alert

If your website was blacklisted by Google, apply for a Google security review to remove the Google malware alert.

Once You Remove the WordPress Hack…

Congratulations, you recovered your WordPress website from a hack. Now you must make sure that it does not happen again. Here are some tips on what you should do:

  1. Install a WordPress activity log plugin to keep track of everything that is happening on your WordPress website.
  2. If you do not have a backup solution in place, get one. We recommend BlogVault online WordPress backup service.
  3. Use a WordPress security scanning service. We recommend Malcare.
  4. Always use strong passwords that are hard to guess.
  5. Always keep your WordPress, WordPress plugins & themes and any other software you use up to date.
  6. Remove any unused files such as old WordPress installations, unused WordPress plugins, WordPress default themes etc. Anything that is not used should be removed from the server.
  7. Install a WordPress firewall. We recommend Block Bad Queries.
  8. Subscribe to a website which frequently publishes WordPress security news and tips such as WP Security Bloggers, which is an aggregate of WordPress security news published from leading WordPress security websites.


6 comments

Diplo 01/03/2016

Hi, I’m a follower of your blog. Today I discovered by chance an infection in my WordPress installation, presumably called S.hnisdlmm.com: it creates links everywhere on the site to pages from that domain (s.hnisdlmm.com). The exploit was located at the end of header.php, you can find the code here: https://www.dropbox.com/s/xeb1lz1q1bf8fnl/S-hnisdlmm-com.txt?dl=0
To reproduce it, just copy the code at the end of header.php. Apparently it should be able to be detected looking for the keyword “wp_remote_fopen procedure.” Do you know if any of the antivirus checks that you have done would detect this one?

Best,

Diplo

Robert Abela 22/03/2016

Hello Diplo,

Thank you for sharing your findings. I wouldn’t know if all malware plugins would detect such infection. Unfortunately most malware plugins are very limited to what they can detect, especially when talking about a new type of infection.

Bilqees Kenchi 24/03/2016

Hello, friend my question is that, please tell how to secure wordpress blog /site from hackers? Is this responsibility of hosting providers or my-self. Kindly tell some plugins for wordpress.

Robert Abela 25/03/2016

Hello,

It is your responsibility to secure WordPress. As regards plugins, there is no magic solution. Start by reading this explanation of the different type of WordPress security plugins.

Heyy there! Do you know if they make any plugins to protect against hackers?
I’m kinda paranoid about losing everything I’ve worked hard on. Any recommendations?

Robert Abela 09/01/2018

Hello Dziennik, there are many plugins which can help. Read this Definitive guide to WordPress security plugin for guidance and more tips on which plugins to choose etc.
