First things first, do not panic.
This article will guide you through the process of cleaning a hacked WordPress website. The process is documented in an easy to follow step by step format to help you identify the source of the hack and the infection, and then clean the code to regain control of your WordPress website or blog, and removing the Google malware alert. This guide will help you recover from the typical WordPress hacks such as backdoors, malware, spam and other similar types of infections.
Is Your Hacked WordPress Website Really Hacked?
Before you start the analysis and WordPress clean-up process, confirm that your WordPress website has actually been hacked and it is not a technical issue. Read the article How to Check if My WordPress is Hacked to determine if your website or blog was hacked or not.
Make a Backup
Even if you have a WordPress backup solution in place, make a backup of the current WordPress website. Follow this guide to do a complete manual backup of WordPress. A WordPress backup is very important at this stage since:
- It allows you to analyse the infection at a later stage,
- Some hosting providers delete the website when it is hacked,
- If you do not have a backup strategy in place, at least you can salvage some of the website from this backup before things get worse,
- And an extra backup is never a bad idea!
Identify How WordPress Got Hacked
The first thing you should do is to try and identify what happened, i.e. which security weakness the hackers exploited to gain access to your WordPress. Ideally you should not change any passwords or files at this stage because this can alarm the hacker and things can get worse.
Should I simply restore a backup?
Many users recommend to restore a backup should your website be hacked. Restoring the backup of your WordPress will remove the infection but it does not close down the vulnerability or security flaw the hackers exploited, hence why this stage is very important to first fined out what happened. Here are a few things you should be looking into to try and identify the source of your WordPress hack.
Audit Logs and Web Server and FTP Server Logs
If you keep a WordPress activity log (audit trail), this might be the best place from where to start your analysis. See if you can identify any suspicious behaviour. Look for events of newly created users, or user password changes. Also check if any WordPress, plugins or theme files were modified.
You should also take a look at the web server and FTP server log files. See if you can spot something unusual, like traffic from an unusual IP address. If you have other network services running on your server, check their logs as well.
Non Used and Not Updated WordPress Plugins and Themes
Check the list of installed plugins, both from the WordPress dashboard and in the directory /wp-content/plugins/. Are all the WordPress plugins being used? Are they all up updated? Check the themes and the themes directory /wp-content/themes/ as well. You should only have one theme installed, the one which you are using. If you are using a child theme you will have two directories.
Old WordPress Code and Installations
Another common problem is old code. Sometimes developers update the code of a file and rename the old version of the file with a .old extension. For example they update index.php and rename the old version to index.php.old. Hackers can identify such files, which could contain enough sensitive information that help an attacker craft an attack against your website.
Another similar problem is an old installation of WordPress. When businesses rebuild their websites they typically leave a copy of the old WordPress installation in an /old/ sub directory. These old installations of WordPress are still accessible over the internet, hence if they are outdated, they will be hacked.
Delete any unused code, WordPress installations, WordPress plugins, WordPress themes and any other sort of old, unused files. Your website should contain the least possible files, i.e. those which are being used.
WordPress Users and Roles
Check all the WordPress users. Are all the users being used? Are there any new suspicious ones? Check that all the roles are intact. If you follow the WordPress users and roles guidelines you should only have one user with WordPress administrator role.
Shared Hosting Providers
If your WordPress is running on a shared hosting provider the source of the hack could be another website that is running on the same server as yours. Therefore when it was hacked, hackers managed to escalate their privileges and access the whole server, thus automatically gaining access to your WordPress website. How can you identify such type of hack attack? Speak to your hosting provider, after backing up your website.
.htaccess files (directory level web server configuration files) are also a common target for hackers. They are typically used to redirect users to other spammy and malicious websites. Check all of the .htaccess files on your server, even those which are not being used by WordPress. Some of the redirects can be difficult to spot.
For example once we worked on a hacked Spanish WordPress website where only mobile traffic coming from Google.es was being redirected to a malicious website. And unless you check the .htaccess files it is very difficult to spot such a hack.
Check Other Point of Entries
There are several other point of entries on a web server. Make sure you check all of them, such as FTP servers, SSH, the web server etc.
Finding the WordPress Infection & Malicious Code
Before You Start: A WordPress hack typically involves the insertion of code in a WordPress theme, plugin or core file. Hence to proceed with a clean-up, you should be comfortable with modifying code. If you are not, hire WordPress security professionals.
Once you identify the hackers’ point of entry, typically it is relatively easy to find the infection. Though just in case you haven’t found the infection yet, there are several methods you can use to find the infection. Here are a few.
Check Which Files Were Modified in the Last Few Days
Ideally, you should have a WordPress file monitor plugin that alerts you of file changes, so you do not have to do this manually. However, if you do not have a plugin you have to look for file changes manually.
If you have SSH access to your server, check which files in your WordPress website have changed in the last four or five days, or since you noticed the hack. You can do so by navigating to the directory where your WordPress website is and using the find command:
Find .mtime -5 –ls
The above command lists (-ls) all the files which has the modified time (.mtime) in the last five days (-5). If the list is too long, use the less command to be able to browse through the list:
Find .mtime -5 –ls | less
Note: if you have updated a plugin or theme in the last five days, the files changed or included in the update will show up in your search results. Logs and debug files are also updated frequently, so they will show up in your results as well. So you have to filter the results from these type of files. Note that if you use the WordPress File Changes Monitor plugin for WordPress you won’t get such false alarms. The plugin is purposely built for WordPress and can identify a file change from a WordPress core, plugin or theme updates, install or uninstall.
Check All HTML Files
In WordPress there are very few HTML files and hackers like to use them. Search through your website for all HTML files and analyse their content. Make sure all HTML files you have on your website are legitimate and you know what they are used for.
Search for Infection Text
If your website has been defaced, or some text is showing up on your website as a result of the infection, look for it with the grep tool. For example if you’ve seen the text “hacked by”, navigate to the root directory of the website and issue the following command:
grep –ril “hacked by”
The above command will return a list of files that include the content “hacked by”. Once you have the list of infected files you can analyse the code and remove the infection.
What Do the Grep Switches Mean?
The –r switch means recursive, so the search searches through the whole directory structure, including all sub directories. The –i switch is used to ignore the capitalization of the search term when searching. This is very important in Linux/Unix environments. Unlike Windows, in Linux you can have two files with the same name but with different capitalization. The –l switch is used to return the filename, rather than the content of the file. So use the below command if you also want the command to show the content of the file:
grep –ir “hacked by”
Other Malicious Code To Look For When Your WordPress is Hacked
Apart from the obvious “hacked by” catch phrases, below is a list of code and text phrases that are typically used in hacked WordPress websites. You can use the grep tool to look for:
NOTE: Some of this code can also be used in legitimate code, so analyse the code properly and understand how it is being used before flagging something as an infection or hack.
Compare the Files with an Original WordPress Install
This is an old school method, and even though it is not the most efficient method it works wonders. Compare the files of your website with those of an untampered website. Therefore if you have a backup copy of your website, compare the tampered website. If not, install a new copy of WordPress and the plugins you have on the infected website on a different host and compare them.
There are several tools you can use to compare files. We use a commercial tool called Beyond Compare, though there are several free alternatives. Below are some screenshots of a sample comparison.
When comparing the root directories of two WordPress websites, the tool highlights the difference in the content of the file index.php, the new .htaccess and wp-config.php files, and differences in the sub directories.
By double clicking the file index.php we can see what the differences are.
What To Look For in a WordPress File Comparison?
Look for files which are not part of the WordPress core. Most infections add files to the root of the WordPress installation or to the wp-content directory. If the hack is a result of a vulnerable plugin, the files of the plugin might have been modified.
Finding the Infection Automatically with a WordPress Service
If the above seems to much to handle it is ok. There are several WordPress security services and plugins which you can use to scan your website for malware and other infections. We recommend the Malcare WordPress Security Services.
These plugins have a limited list of malware signatures that they look for. Hence if your hack is not a common WordPress hack, or is not popular yet these plugins might fail to identify the infection. In fact we do get reports from WordPress administrators whose WordPress website has been hacked yet the plugins did not report anything. And that is why a manual analysis is always the best way forward, though these plugins should not be underestimated either. They can still be used and will come in handy at a later stage.
Cleaning the WordPress Hack
Once you know the source of the WordPress hack and found the infection, it is time to start cleaning up by following the below procedure.
Restore Your WordPress from Backup
If you have a backup of your WordPress website or blog, restore it. It is always much easier than manually cleaning the code.
Change All Passwords, Delete any Unused Users and Verify WordPress Users Roles
Change all the passwords of all your users and services including WordPress, CPanel, MySQL, FTP and your own personal computer. Check the list of users on your FTP, WordPress, MySQL and any other service to confirm that all users are legitimate. If there are any users which are no longer being used, delete them. Check that all WordPress users have the correct roles and permissions.
Upgrade WordPress Core, Plugins, Themes and All Other Software
Upgrade/update all the software you are using to the latest version, including the WordPress plugins, themes and WordPress core. Make sure you are running the latest version of PHP, MySQL, Apache or NGINX web server, the FTP server and client and so on.
Backup Your WordPress Website
Once at this stage, before removing the actual infected code make a backup of your WordPress website.
Remove the WordPress Hack
Remove all the malicious code. Most probably if you were running an old version of WordPress core or plugin, and the files were tempered, by now the infection was automatically removed with the update.
If there were any additional files delete them. Each time you remove an infected file browse the website to ensure that the removal of the code did not break any functionality. Sometimes legitimate code is modified code, hence when the malicious code is removed the site can break down.
Scan Your WordPress for Infections
Once you cleaned everything run another quick scan of the website. Now it is the right time to use an automated malware scanning service such as Malcare to scan your WordPress website. Do another last minute manual analysis to confirm that everything is clean and fully functional.
Remove the Google Malware Alert
If your website was blacklisted by Google, apply for a Google security review to remove the Google malware alert.
Once You Remove the WordPress Hack…
Congratulations, you recovered your WordPress website from a hack. Now you must make sure that it does not happen again. Here are some tips on what you should do:
- Install a WordPress activity log plugin to keep track of everything that is happening on your WordPress website.
- If you do not have a backup solution in place, get one. We recommend BlogVault online WordPress backup service.
- Use a WordPress security scanning service. We recommend Malcare.
- Always use strong passwords that are hard to guess.
- Always keep your WordPress, WordPress plugins & themes and any other software you use up to date.
- Remove any unused files such as old WordPress installations, not used WordPress plugins, WordPress default themes etc. Anything that is not used should be removed from the server.
- Install a WordPress firewall. We recommend Block Bad Queries.
- Subscribe to a website which frequently publishes WordPress security news and tips such as WP Security Bloggers, which is an aggregate of WordPress security news published from leading WordPress security websites.