My website has been hacked. What can I do?
If your WordPress website has been hacked, it can be really frustrating, not just because it is extremely troublesome for your visitors, but also because it is truly hard to remove the hack completely. It can have an extremely detrimental effect on how Google (and Bing etc.) and email providers view your domain, which can last for some time.
For example, Google may show its red warning display, and emails may not be delivered to the recipient because your domain is seen as unsafe.
If you find that your website has been hacked, you will have to put some time into removing the attack and preventing your site from getting hacked again. Frequently this is not just ‘some time’ but a considerable amount of time, especially in cases where no backup exists.
So, regardless of how it happened, your website has been hacked. Take a deep breath. Stay calm. Don’t do anything rash.
Below you will find, partly, a case study of a restore and some recommended steps to help you recover from a hacked website.
If you suspect your site is hacked, here is a good checklist to run through:
- Is your website ‘Defaced’?
- Can you log in to your WordPress admin panel?
- Is your WordPress site redirecting to another website?
- Does your WordPress site contain illegitimate links?
- Is Google marking your website as insecure?
- Do emails from this domain work, or is it now placed in the recipient’s spam folder (or not delivered at all)?
A positive on any of these can indicate that your site is hacked, and the following steps can be followed.
1 Scan the site to find out the extent of the hack.
In this case, I got an email from someone who was referred to me by a client of mine.
This hack was particularly difficult, as they did not have any backup or access to the site.
My first port of call was to do a complete backup of the site, including the database. This is to have a set checkpoint in case something breaks the site in the clean-up process and I need to roll back and start again.
My second port of call was to scan the site with Sucuri’s site-checker, which came up positive and gave a list of files it found to be suspicious or infected with malware.
As they could not log into the site using their username and password, I assumed the logins were compromised by way of altering the password and the email address used by the user. In this case, I did a scan using WPScan, which is a non-penetrative tool that scans the site and lists the WordPress version, themes and plugins. It also lists all the known vulnerabilities for any of the plugins and theme(s), and when a fix was implemented for each vulnerability. So if the site had not been updated for some time, the probability that at least one of the plugins is insecure would be quite large.
This tool will also list the site’s usernames if it can access them, and it often does.
It gave me this list.
Assuming that the admin user was compromised and that the users root, admin36 and admin62 were inserted by the hack, I tried restoring the password of ‘administrator’. I was lucky, and we received an email to change the password. WE WERE IN! (It could have been much worse if this was a compromised user too!)
Next was to delete the unwanted admin users and set up new ones with strong passwords and different usernames. Then I changed the ‘salt’ (the security keys) in the wp-config file (via FTP). This invalidates any current and saved login sessions and cookies stored for the site. After this, I did an assessment and scan of the site from the WP-Admin dashboard. To do this, I installed Wordfence, a security plugin with this functionality, and I got a further list of files to clean up.
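As an added example (not part of the original post), this Python sketch rotates the eight security keys in a wp-config.php text so that existing sessions and cookies stop validating. The function names and the sample config are constructed for illustration; on a real site, back up wp-config.php first.

```python
import re
import secrets

# The eight security constants WordPress reads from wp-config.php.
KEY_NAMES = [
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
]
# Printable characters that are safe inside a PHP single-quoted string
# (no single quote, no backslash).
ALPHABET = "".join(chr(c) for c in range(33, 127) if chr(c) not in "'\\")


def new_secret(length=64):
    """Return a random value from a cryptographically secure source."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_salts(config_text):
    """Return (new_text, replaced_names); each key found gets a fresh value."""
    replaced = []
    for name in KEY_NAMES:
        # Matches define('NAME', '...'); with either quote style.
        pattern = re.compile(
            r"define\(\s*(['\"])" + name + r"\1\s*,\s*(['\"]).*?\2\s*\)\s*;"
        )
        line = "define( '%s', '%s' );" % (name, new_secret())
        # A function replacement keeps backslash sequences literal.
        config_text, count = pattern.subn(lambda _m, l=line: l, config_text, count=1)
        if count:
            replaced.append(name)
    return config_text, replaced


def demo():
    """Rotate the keys in a constructed wp-config.php fragment."""
    lines = ["<?php", "define( 'DB_NAME', 'wp' );"]
    lines += ["define('%s', 'old-value-%d');" % (n, i) for i, n in enumerate(KEY_NAMES)]
    lines[3] = 'define( "SECURE_AUTH_KEY", "old-value-1" );'  # double-quoted variant
    return rotate_salts("\n".join(lines))
```

Any name in KEY_NAMES that is absent from the returned list was not found in the file and has to be added by hand.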
2 Remove the malware or other content that has been injected into your site.
Armed with these points, I performed the next step: the clean-up process.
For this, I used various scanning tools. My favourite is Wordfence, a plugin that monitors activity on the site and can scan all files looking for changed code in WordPress core files and plugins.
2.1 Replace all core files and plugins.
Then I replaced all of WordPress’ core files with a clean set, of the same version as the original, that I had downloaded from WordPress’ repository.
Next was to replace the theme and all plugins with clean copies of the same versions as those installed. (If a plugin had not been updated when an update was released, you would need to get the same older version of this plugin so you wouldn’t mess up the overall structure of the website and database.) Free plugins downloaded from WordPress should have this, and you can find this under the ‘Developers’ tab on the plugin page.
After that, I replaced any paid plugins to which they still had access.
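Before overwriting anything, it helps to know which core files actually differ from the clean download. The following Python sketch is an added example, not code from the original post: it compares a live install with a clean tree of the same version and reports modified, unknown and missing files. The skipped paths and the sample trees are assumptions made for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Site-specific paths that a stock WordPress download cannot vouch for.
SKIP = ("wp-content/", "wp-config.php")


def file_hashes(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_to_clean(live_root, clean_root):
    """Classify core files as modified, unknown (extra) or missing."""
    live, clean = file_hashes(live_root), file_hashes(clean_root)
    report = {"modified": [], "unknown": [], "missing": []}
    for rel in sorted(set(live) | set(clean)):
        if rel.startswith(SKIP):
            continue
        if rel not in clean:
            report["unknown"].append(rel)
        elif rel not in live:
            report["missing"].append(rel)
        elif live[rel] != clean[rel]:
            report["modified"].append(rel)
    return report


def demo():
    """Compare two tiny constructed trees (file names and bodies are made up)."""
    clean = {"index.php": "<?php // stock", "wp-login.php": "<?php // login",
             "wp-includes/load.php": "<?php // load"}
    live = {"index.php": "<?php // stock", "wp-config.php": "<?php // secrets",
            "wp-includes/load.php": "<?php // load, altered",
            "wp-includes/class-wp-cache2.php": "<?php // dropped by intruder"}
    with tempfile.TemporaryDirectory() as tmp:
        for root, files in (("clean", clean), ("live", live)):
            for rel, body in files.items():
                path = Path(tmp, root, rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_text(body)
        return compare_to_clean(Path(tmp, "live"), Path(tmp, "clean"))
```

Files reported as unknown deserve the closest look, because replacing the core files with a clean set does not remove files the clean set never contained.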
2.2 Manually go through the directories to check for unknown files (core, plugins and uploads)
The third step was to go through the list I had and manually check the directories for any filenames that looked suspicious, opening them to check whether they contained injected malware code, and cleaning or deleting these files.
When looking for injected code, it usually looks like this at the start of the code segment: base64_decode, gzinflate(base64_decode, eval(gzinflate(base64_decode, eval(base64_decode and a long string of characters after this which will look a bit like this.
I would recommend that this clean-up process is done with caution because paid plugins and themes regularly contain such code to protect the owners’ intellectual property.
I also checked for any other anomalies that should not be present, e.g. unusual filenames or files with a different date from the others in the plugin/theme.
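The manual checks in this step can be narrowed down with a small script. This Python sketch is an added example, not from the original post: it flags PHP files containing the openers listed above followed by a long encoded string, and files whose modification date differs from the majority in their directory. The length threshold, reason labels and sample plugin folder are assumptions, and every hit is for manual review since paid plugins can contain such code.

```python
import os
import re
import tempfile
import time
from collections import Counter
from pathlib import Path

# Openers named in the text, followed by a long encoded string. The
# 100-character minimum is an assumption; tune it for your code base.
INJECT_RE = re.compile(
    rb"(?:eval\s*\(\s*)?(?:gzinflate\s*\(\s*)?base64_decode\s*\(\s*"
    rb"['\"][A-Za-z0-9+/=]{100,}", re.IGNORECASE)


def scan(root):
    """Return sorted (relative_path, reason) findings for manual review."""
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        days = {}
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            days[rel] = time.strftime("%Y-%m-%d", time.gmtime(os.path.getmtime(path)))
            if name.lower().endswith((".php", ".phtml", ".inc")):
                with open(path, "rb") as fh:
                    if INJECT_RE.search(fh.read()):
                        findings.add((rel, "encoded-payload"))
        # Files dated differently from the clear majority of their directory.
        if len(days) >= 3:
            day, count = Counter(days.values()).most_common(1)[0]
            if count > len(days) / 2:
                findings |= {(r, "odd-date") for r, d in days.items() if d != day}
    return sorted(findings)


def demo():
    """Constructed plugin folder: three stock files and one planted file."""
    stock, planted = 1_600_000_000, 1_600_000_000 + 90 * 86400  # constructed mtimes
    planted_body = "<?php eval(gzinflate(base64_decode('%s')));" % ("A" * 120)  # inert
    files = {"main.php": ("<?php // plugin", stock), "admin.php": ("<?php // admin", stock),
             "readme.txt": ("docs", stock), "cache.php": (planted_body, planted)}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (body, mtime) in files.items():
            path = Path(tmp, "my-plugin", name)
            path.parent.mkdir(exist_ok=True)
            path.write_text(body)
            os.utime(path, (mtime, mtime))
        return scan(tmp)
```

Modification dates can be changed by whoever controls the files, so a clean date check does not clear a file on its own.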
2.3 Check to see if your site is on any blacklists
When you do a scan with Sucuri’s site checker, it will give you a blacklisted status of the site which should look like this after a clean-up.
- Domain clean on Norton Safe Web
- Domain clean on SiteAdvisor (McAfee)
- Domain clean by Google Safe Browsing
- Domain clean on SpamHaus DB
2.4 Rescan the site to check that malware has been deleted
If this scan comes up clean, the next step is to apply for a Google malware review by opening a security issue report.
The process requires you to log in to a Google account and add your website to the Google Search Console, which should take a couple of minutes. Once you submit the request for a malware review, it will take Google around 24 to 48 hours to review your website.
Once they confirm that the malware infection or harmful software has been removed, they will remove the notification. If the infection has not been removed or Google finds some other type of harmful software, you will receive a message in your Google Search Console account. This is another justifiable reason why you should include all your WordPress blogs and websites in the Google Search Console, so once there is something wrong with them, you are notified instantly, rather than finding out from your visitors.
2.5 Check to see if your site is in any email blacklists
A hacked website will get your domain blacklisted from sending emails!
Very often, a website is hacked so that the hacker(s) can use it to send out spam emails (thousands of them). This is equally detrimental to your domain reputation, and these sites should be used to check if the domain is blacklisted:
- SenderBase, the world’s largest Email and Web traffic monitoring network
- Spam and Open Relay Blocking System (SORBS)
These sites will have links to request removal if the domain is blacklisted. This will also normally take 24-48 hours to process.
3 Do a site audit and final backup when everything above is done and has come up clean.
Needless to say, in between each of these steps, a full file and database backup was taken to ensure that an intermediary rollback point was stored in case you had to go back and redo it. As mentioned earlier, if a part of the clean-up completely broke the site, you could roll back to a previous checkpoint and restart again from there.
One of the final things I set up was an automated backup process for the site, which I ensured worked, and I verified that the backed-up files’ integrity was all good.
Finally, I often get this question asked when a site has been hacked.
Why me? My site is not so significant that it will disrupt thousands of people.
Well, why not! A hacker does not care what kind of site it is. For 95% of the sites that are hacked, all they want is a platform to be able to send mass emails out (spamming!), and all they need is access to a website, and off they go. For them, it is all in the $$$$. They don’t care about what website it is. Read this post on why it matters to keep your website updated and checked.
The remaining 5% are mostly larger companies/corporations and often are on a different level. In these instances, the hackers’ gain comes from extortion for money; it is on a much larger scale and often on an IT infrastructure level.
Security is a serious matter, and if you’re not comfortable dealing with code and servers, it’s always better to call a professional to do it.
Why? Because hackers hide their scripts in multiple locations, allowing for hacks to come back over and over again.
Although I have shown you how to find and clean up a hacked website in this article, many folks want peace of mind knowing an expert properly cleaned their website.
If you require assistance when your website has been hacked, don’t hesitate to contact us and if you want further peace of mind, please look at one of our WordPress Care Plans we have in place. We’d be happy to set this up for you to prevent anything like this from happening.