First things first, do not panic.
This article will guide you through the process of cleaning a hacked WordPress website. The process is documented in an easy-to-follow, step-by-step format: identifying the source of the hack, identifying the infection, cleaning the code, regaining control of your WordPress website or blog and removing the Google malware alert. This guide will help you recover from the typical WordPress hacks such as backdoors, malware, spam injections and other similar types of infection.
Is Your Hacked WordPress Website Really Hacked?
Before you start the analysis and WordPress clean-up process, confirm that your WordPress website has actually been hacked. We receive a lot of false alarms; panicked WordPress administrators can confuse a spam comment, or a website that is simply broken, with a hacked website. Read the article How to Check if My WordPress is Hacked to determine whether your website or blog was hacked or not.
Make a Backup
Even if you have a WordPress backup solution in place, take a fresh backup of the website in its current, compromised state. Follow this guide to do a complete manual backup of WordPress. A backup is very important at this stage since:
- It will allow you to analyse the infection at a later stage,
- Hosting providers tend to suspend or delete a hacked WordPress website once they identify the hack,
- If you do not have an earlier backup, you can at least salvage part of the website from this copy before things get worse.
Identify How WordPress Got Hacked
The first thing you should do is try to identify what happened, i.e. which security weakness the hackers exploited to gain access to your WordPress. Ideally you should not change any passwords or files at this stage; doing so can alert the hacker, who may then escalate or cover their tracks, and it also destroys the evidence you need for the analysis. Many people also recommend simply restoring a backup of the website.
Restoring a backup of your WordPress is a good thing, but by doing so you are only removing the infection. You are not closing the vulnerability or security flaw the hackers exploited, which is why this stage is so important: without it the site will most likely be hacked again the same way.
Here are a few things you should be looking into to try and identify the source of your WordPress hack.
Audit Logs and Web Server and FTP Server Logs
If you keep a WordPress audit trail, this is the best place to start your analysis. Analyse the logs and see if you can identify any suspicious behaviour. Look for alerts that report a newly created user, a user password change, a modified plugin file, modified widgets or themes and so on.
You should also take a look at the web server and FTP server log files. See if you can spot something unusual, for example activity from an unfamiliar IP address, requests to a file you do not recognise, or logins with a new username. If you have other network services running on your server, check their logs as well.
Non Used and Not Updated WordPress Plugins and Themes
Check the list of installed plugins, both from the WordPress dashboard and in the directory /wp-content/plugins/. Are all the WordPress plugins being used? Are they all up to date? Is there anything in the directory that does not appear in the dashboard? Check the themes and the themes directory /wp-content/themes/ as well. You should only have one theme installed, the one you are using. If you are using a child theme you will have two directories.
Old WordPress Code and Installations
Another common problem is old code. Sometimes developers update a file and keep the old version under a .old extension, for example updating index.php and renaming the previous version to index.php.old. Because the web server no longer treats such a file as PHP, it serves the source as plain text to anyone who requests it, and files like this can contain enough sensitive information (paths, internal logic and, in the case of a configuration file, database credentials) to help an attacker craft an attack against your website.
Another similar problem is an old installation of WordPress. When businesses rebuild their websites they typically leave a copy of the old WordPress installation in an /old/ sub directory. These old installations are still accessible over the internet and nobody updates them, so sooner or later they will be hacked, and since they usually run under the same hosting account as the live site, the attacker can reach that too.
Delete any unused code, WordPress installations, WordPress plugins, WordPress themes and any other sort of old, unused files. Your website should contain the fewest possible files, i.e. only those which are being used.
WordPress Users and Roles
Check all the WordPress users. Are all the users still needed? Are there any new or suspicious ones? Check that all the roles are intact. If you follow the WordPress users and roles guidelines you should only have one user with the WordPress administrator role, and everyone else should have the least privileged role that lets them do their job.
Shared Hosting Providers
If your WordPress is running on a shared hosting provider, the source of the hack could be another website on the same server. When that website was hacked, the hackers managed to escalate their privileges and access the whole server, and with it your WordPress website. How can you identify this type of attack? Speak to your hosting provider, after backing up your website.
.htaccess files (directory level web server configuration files) are also a common target for hackers. They are typically used to redirect visitors to spammy or malicious websites. Check all of the .htaccess files on your server, even those in directories WordPress itself does not use, such as wp-content/uploads. Some of the redirects can be difficult to spot.
For example, we once worked on a hacked Spanish WordPress website where only mobile traffic coming from Google.es was being redirected to a malicious website. Anyone visiting from a desktop, or typing the address directly, saw the normal site; unless you read the .htaccess files, such a hack is very difficult to spot.
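The following is an added example, not code from the original article: a small shell script that finds every .htaccess under a document root and flags rules conditioned on the referer or user agent, or whose target is an absolute http(s) URL, which is exactly the shape of the redirect described above. The directory tree it scans is constructed inside the script, and the host redirect.example is a placeholder, not a real domain.

```shell
#!/bin/sh
# Added example (not from the original article): find every .htaccess under a
# document root and flag rules keyed on referer or user agent, or that send
# visitors to an external URL. The sample tree below is constructed here;
# the domain redirect.example is a placeholder, not a real host.

DOCROOT="$(mktemp -d)"
trap 'rm -rf "$DOCROOT"' EXIT
mkdir -p "$DOCROOT/wp-content/uploads/2015"

# A standard WordPress rewrite block: legitimate, should not be flagged.
cat > "$DOCROOT/.htaccess" <<'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF

# Constructed suspicious file in a directory WordPress itself never touches
# but which Apache still honours: only mobile visitors arriving from Google
# are redirected, so the owner browsing from a desktop sees nothing wrong.
cat > "$DOCROOT/wp-content/uploads/2015/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_REFERER} google\.es [NC]
RewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]
RewriteRule ^(.*)$ http://redirect.example/land.php [R=302,L]
EOF

# Every .htaccess below the root, including ones outside WordPress' own.
list_htaccess() {
    find "$1" -type f -name '.htaccess' | sort
}

# "file:line:rule" for conditions on referer/user agent and for rewrite
# rules whose target is an absolute http(s) URL. A hit is a lead to review
# by hand, not a verdict: some plugins add conditional rules too.
suspicious_htaccess_lines() {
    grep -rinE --include='.htaccess' \
        -e 'RewriteCond[[:space:]]+%\{HTTP_(REFERER|USER_AGENT)\}' \
        -e 'RewriteRule[^#]*https?://' "$1" | sort
}

# Exit status 0 when at least one suspicious rule exists under the root.
has_suspicious_htaccess() {
    suspicious_htaccess_lines "$1" | grep -q .
}

list_htaccess "$DOCROOT"
suspicious_htaccess_lines "$DOCROOT"
```

Run it against your real document root by replacing the constructed DOCROOT with the path of the site; the three flagged lines from the uploads directory are the kind of thing to read carefully, while the standard WordPress block is left alone.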
Check Other Point of Entries
There are several other points of entry on a web server. Make sure you check all of them, such as the FTP server, SSH, the web server itself, the database server and the hosting control panel.
Finding the WordPress Infection & Malicious Code
Before You Start: A WordPress hack typically involves the insertion of code in a WordPress theme, plugin or core file. Hence to proceed with a clean-up, you should be comfortable with modifying code. If you are not, hire a WordPress security professional.
Once you identify the hackers' point of entry, it is typically relatively easy to find the infection. In case you haven't found it yet, there are several methods you can use. Here are a few.
Check Which Files Modified in the Last Few Days
If you have SSH access to your server, check which files in your WordPress website have changed in the last four or five days, or since you noticed the hack. You can do so by navigating to the directory where your WordPress website is and using the find command:
find . -mtime -5 -ls
The above command lists (-ls) all the files under the current directory (.) whose modification time (-mtime) falls within the last five days (-5). If the list is too long, pipe it through the less command to browse it:
find . -mtime -5 -ls | less
Note: if you have updated a plugin or theme in the last five days, its files will show up in such a search. Logs and debug files are also updated frequently, so these can also show up in your list. Bear in mind too that an attacker can reset a file's modification time with touch, so an empty result from this search does not prove that nothing changed.
Check All HTML Files
In WordPress there are very few HTML files and hackers like to use them, for phishing pages, spam landing pages or defacements. Search through your website for all HTML files and analyse their content. Make sure all the HTML files on your website are legitimate and you know what they are used for.
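As an added example (not from the original article), the two searches above, recently modified files and HTML files, written as shell functions and run over a constructed WordPress-like tree created inside the script. Two files are dated back to 2015 so they fall outside the five-day window; the file names and contents are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): the two searches above,
# recently modified files and HTML files, run over a constructed
# WordPress-like tree. Nothing here touches a real site.

WPROOT="$(mktemp -d)"
trap 'rm -rf "$WPROOT"' EXIT
mkdir -p "$WPROOT/wp-content/plugins/akismet" "$WPROOT/wp-content/uploads" \
         "$WPROOT/wp-content/debug"

# Constructed files. Two "old" files are dated back to 2015 so they fall
# outside a recent-changes search; the others keep today's mtime.
printf '<?php // core front controller\n' > "$WPROOT/index.php"
printf '<?php // plugin file\n' > "$WPROOT/wp-content/plugins/akismet/akismet.php"
touch -t 201501010000 "$WPROOT/index.php" "$WPROOT/wp-content/plugins/akismet/akismet.php"
printf '<?php // dropped into the writable uploads directory\n' > "$WPROOT/wp-content/uploads/wp-cache.php"
printf '<html><body>unknown page</body></html>\n' > "$WPROOT/wp-content/uploads/go.html"
printf 'PHP Notice: something\n' > "$WPROOT/wp-content/debug/debug.log"

# Files modified within the last N days (default 5), skipping logs and
# cache directories that change on every request and only add noise.
recently_modified() {
    find "$1" -type f -mtime "-${2:-5}" ! -name '*.log' ! -path '*/cache/*' | sort
}

# Number of files recently_modified would report.
count_recent() {
    recently_modified "$1" "$2" | wc -l | tr -d ' '
}

# Every .html/.htm file under the root. WordPress itself ships very few,
# so each one found should be something you can account for.
html_files() {
    find "$1" -type f \( -iname '*.html' -o -iname '*.htm' \) | sort
}

recently_modified "$WPROOT" 5
html_files "$WPROOT"
```

On a real site, point WPROOT at the WordPress directory and adjust the exclusions to match your own log and cache locations; the log exclusion is what keeps the output short enough to read.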
Search for Infection Text
If your website has been defaced, or some text is showing up on your website as a result of the infection, look for it with the grep tool. For example if you've seen the text "hacked by", navigate to the root directory of the website and issue the following command:
grep -ril "hacked by" .
The above command returns a list of files that contain the text "hacked by". Once you have the list of infected files you can analyse the code and remove the infection.
What Do the Grep Switches Mean?
The -r switch means recursive, so the search covers the whole directory structure, including all sub directories. The -i switch ignores the capitalization of the search term, so "Hacked By" and "HACKED BY" are matched as well; attackers rarely bother to be consistent. The -l switch returns only the filename, rather than the matching lines. Use the command below if you also want to see the matching content of each file, with -n adding the line number:
grep -irn "hacked by" .
Other Malicious Code To Look For When Your WordPress is Hacked
Apart from the obvious "hacked by" catch phrases, below is a list of code and text phrases that are typically used in hacked WordPress websites. You can use the grep tool to look for them:
NOTE: Some of these constructs are also used by legitimate plugins and themes, so analyse the code properly and understand how it is being used before flagging something as an infection or hack.
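The following is an added example, not part of the original article, and the pattern list in it is this editor's own assumption rather than the article's list: a grep sweep for constructs that typically appear in injected PHP (eval, the decoders used to hide code, shell helpers, the old /e modifier of preg_replace, and request parameters used directly as a function name). The two sample files are constructed inside the script. The benign plugin is flagged as well, which is the point of the note above: the scan produces leads, and a human decides.

```shell
#!/bin/sh
# Added example (not from the original article): a grep sweep for constructs
# that typically show up in injected PHP. The pattern list is the editor's
# own assumption, not a list from the article; the sample files are
# constructed here and the payload string is a placeholder, not real code.

WPROOT="$(mktemp -d)"
trap 'rm -rf "$WPROOT"' EXIT
mkdir -p "$WPROOT/wp-content/uploads" "$WPROOT/wp-content/plugins/demo"

# Imitates the shape of an injected loader: obfuscated string, decoded and
# passed to eval. The string itself is a placeholder.
cat > "$WPROOT/wp-content/uploads/img.php" <<'EOF'
<?php
$k = str_rot13("PAYLOAD_PLACEHOLDER");
eval(gzinflate(base64_decode($k)));
EOF

# A benign plugin that legitimately calls base64_decode on its own option
# data and happens to contain the words "hacked by" in a string.
cat > "$WPROOT/wp-content/plugins/demo/demo.php" <<'EOF'
<?php
/* Plugin Name: Demo */
$settings = json_decode(base64_decode(get_option('demo_settings')), true);
echo "Not hacked by anyone: this is a harmless message";
EOF

# Extended, case-insensitive regex of things worth a second look.
SUSPICIOUS_PATTERNS='hacked by|eval[[:space:]]*\(|base64_decode|gzinflate|gzuncompress|str_rot13|preg_replace[[:space:]]*\([^)]*/e|shell_exec|passthru|system[[:space:]]*\(|\$_(GET|POST|REQUEST|COOKIE)\[[^]]*][[:space:]]*\('

# "file:line:content" for every matching line in PHP, HTML, JS and
# .htaccess files below the root.
scan_suspicious() {
    grep -rinE --include='*.php' --include='*.html' --include='*.js' \
        --include='.htaccess' -e "$SUSPICIOUS_PATTERNS" "$1" | sort
}

# Distinct files with at least one hit; each needs a human to decide.
flagged_files() {
    scan_suspicious "$1" | cut -d: -f1 | sort -u
}

# Same idea as the grep -ril search above: only file names, for one phrase.
files_containing() {
    grep -ril -e "$2" "$1"
}

scan_suspicious "$WPROOT"
flagged_files "$WPROOT"
```

Against a real site the list of flagged files can be long, because many plugins use base64_decode for harmless reasons. Look first at files under wp-content/uploads or the site root that contain eval together with a decoder: a plugin has no business dropping executable PHP into the uploads directory.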
Compare the Files with an Original WordPress Install
This is an old school method, and even though it is not the most efficient it works wonders. Compare the files of your website with those of an untampered copy. If you have a backup copy of your website taken before the hack, compare the tampered website against it. If not, install a fresh copy of WordPress and the plugins you have on the infected website on a different host, at the same versions, and compare them; comparing against different versions buries the real differences in noise.
There are several tools you can use to compare files. We use a commercial tool called Beyond Compare, though there are several free alternatives. Below are some screenshots of a sample comparison.
When comparing the root directories of two WordPress websites, the tool highlights the difference in the content of the file index.php, the new .htaccess and wp-config.php files, and differences in the sub directories.
By double clicking the file index.php we can see what the differences are.
Find the Infection with a Plugin
You can also use a plugin such as iThemes Security to compare the files. However, iThemes Security only compares the files with those in the WordPress.org repository. Therefore if you have a custom theme, plugin or code you have to do the comparison manually.
What To Look For in a WordPress File Comparison?
Look for files which are not normally part of a WordPress installation. Most infections add files to the root of the WordPress installation or to the wp-content directory, wp-content/uploads in particular, since it has to be writable by the web server. If the hack is the result of a vulnerable plugin, the files of that plugin may also have been modified.
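As an added example (not from the original article), the same comparison done with diff on the command line instead of a GUI tool. Both trees are constructed inside the script: the "clean" tree stands in for a fresh install of the same versions or a pre-hack backup, and the "suspect" tree carries a prepended line in index.php, a new .htaccess in the root and a dropped file under wp-content/uploads. All file names and contents are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): comparing a suspect tree
# against a known-clean copy with diff. Both trees are constructed here;
# "clean" stands in for a fresh install of the same versions or a backup.
export LC_ALL=C   # keep diff's "Only in" / "Files ... differ" wording stable

CLEAN="$(mktemp -d)"
SUSPECT="$(mktemp -d)"
trap 'rm -rf "$CLEAN" "$SUSPECT"' EXIT

for d in "$CLEAN" "$SUSPECT"; do
    mkdir -p "$d/wp-admin" "$d/wp-includes" "$d/wp-content/themes/twentyfifteen"
    printf '<?php\n/** Front controller */\nrequire __DIR__ . "/wp-blog-header.php";\n' > "$d/index.php"
    printf '<?php\n// theme functions\n' > "$d/wp-content/themes/twentyfifteen/functions.php"
done

# Constructed tampering on the suspect side: one line prepended to index.php,
# a new .htaccess in the root and a new file under wp-content/uploads.
printf '<?php @include "wp-content/uploads/.sess.php";\n' | cat - "$SUSPECT/index.php" \
    > "$SUSPECT/index.php.tmp" && mv "$SUSPECT/index.php.tmp" "$SUSPECT/index.php"
printf 'RewriteEngine On\n' > "$SUSPECT/.htaccess"
mkdir -p "$SUSPECT/wp-content/uploads"
printf '<?php // dropped file\n' > "$SUSPECT/wp-content/uploads/.sess.php"

# Full report, with the temporary paths replaced by clean:/suspect: labels.
compare_trees() {
    diff -rq "$1" "$2" | sed -e "s#$1/#clean:#g" -e "s#$2/#suspect:#g" \
                             -e "s#$1#clean#g" -e "s#$2#suspect#g"
}

# Paths (relative to the suspect root) that exist only on the suspect side.
# diff reports a whole new directory once and does not descend into it,
# so "wp-content/uploads" is listed rather than the file inside it.
added_files() {
    diff -rq "$1" "$2" | grep "^Only in $2" \
        | sed -e "s#^Only in $2##" -e 's#^/##' -e 's#: #/#' -e 's#^/##'
}

# Paths (relative to the suspect root) present on both sides with different
# content. Assumes no spaces in file names.
modified_files() {
    diff -rq "$1" "$2" | grep '^Files ' | awk '{print $4}' | sed -e "s#^$2/##"
}

compare_trees "$CLEAN" "$SUSPECT"
echo "--- changed lines in index.php ---"
diff -u "$CLEAN/index.php" "$SUSPECT/index.php" || true
```

The three result lists map directly onto the questions in the section above: modified_files tells you which legitimate files were edited (and diff -u shows the exact lines), while added_files tells you what was dropped in. A new directory under wp-content/uploads that holds PHP deserves a look inside, since diff only names the directory.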
Finding the Infection Automatically with a WordPress Plugin
There are several WordPress plugins which have a built-in malware scanner, such as iThemes Security. These plugins are similar to an antivirus, and also have a quarantine feature.
These plugins have a limited list of malware signatures that they look for. Hence if your hack is not a common WordPress hack, or is not yet widespread, these plugins might fail to identify the infection. In fact we do get reports from WordPress administrators whose website has been hacked yet the plugins did not report anything. That is why a manual analysis is always the best way forward, though these plugins should not be underestimated either. They can still be used and will come in handy at a later stage.
Cleaning the WordPress Hack
Once you know the source of the WordPress hack and found the harmful code, start cleaning up by following the below procedure.
Restore Your WordPress from Backup
If you have a backup of your WordPress website or blog that you know predates the hack, restore it. It is always much easier than manually cleaning the code. Restoring a backup taken after the compromise simply reinstalls the infection, so check the backup date against the evidence you gathered in the log analysis.
Change All Passwords, Delete any Unused Users and Verify WordPress Users Roles
Change all the passwords of all your users and services, including WordPress, cPanel, MySQL, FTP, SSH and your own personal computer. If you change the database password, update wp-config.php to match, and regenerate the secret keys and salts in wp-config.php so that any login cookies the attacker holds stop working. Check the list of users on your FTP, WordPress, MySQL and any other service to confirm that all users are legitimate. If there are any users which are no longer being used, delete them. Check that all WordPress users have the correct roles and permissions.
Upgrade WordPress Core, Plugins, Themes and All Other Software
Upgrade/update all the software you are using to the latest version, including WordPress core, plugins and themes. Make sure you are running supported, up-to-date versions of PHP, MySQL, the Apache or NGINX web server, the FTP server and client and so on.
Backup Your WordPress Website
At this stage, before removing the actual infected code, make another backup of your WordPress website.
Remove the WordPress Hack
Remove all the malicious code. If you were running an old version of WordPress core or of a plugin and its files were tampered with, the update in the previous step will most probably have overwritten them with clean copies. Note that an update only replaces files that are part of the package; anything the attacker added alongside them stays where it is.
If there were any additional files, delete them. Each time you remove an infected file, browse the website to ensure that removing the code did not break any functionality. Sometimes legitimate code is modified so that it depends on the malicious code, and when the malicious code is removed the site breaks.
Scan Your WordPress for Infections
Once you have cleaned everything, run another scan of the website. Now is the right time to use an automated malware scanning plugin. Do a final manual analysis to confirm that everything is clean and fully functional.
Remove the Google Malware Alert
If your website was blacklisted by Google, request a review from the Security Issues report in Google Search Console to remove the malware alert. Do this only after the clean-up is complete; a review of a site that is still infected will simply fail.
Once You Remove the WordPress Hack…
Congratulations, you recovered your WordPress website from a hack. Now you must make sure that it does not happen again. Here are some tips on what you should do:
- Install a WordPress audit trail plugin to keep track of everything that is happening on your WordPress website.
- If you do not have a backup solution in place, get one. We recommend BlogVault online WordPress backup service.
- Always use strong, unique passwords that are hard to guess, and never reuse the WordPress administrator password for any other service.
- Always keep your WordPress, WordPress plugins & themes and any other software you use up to date.
- Remove any unused files such as old WordPress installations, unused WordPress plugins, WordPress default themes etc. Anything that is not used should be removed from the server.
- Install a WordPress firewall. We recommend Block Bad Queries.
- Install a WordPress security plugin such as iThemes Security. None of the security solutions are bullet proof, but every little bit helps.
- Subscribe to a website which frequently publishes WordPress security news and tips such as WP Security Bloggers, which is an aggregate of WordPress security news published from leading WordPress security websites.