How to fix a hacked WordPress website

We love WordPress, and nearly all our sites are now developed in it, everyone else loves it too as it also powers 43% of the sites on the Internet.

Unfortunately, that means it is a prime target for hackers. There is no point searching for an exploit in software that no one uses.

With WordPress, there is multiple access point for security vulnerabilities. There are the core WordPress files themselves, but your theme, and all the plugins you use. The more complex your install, the easier it is to get hacked.

Prevention is better than cure, and that’s why we update all our client’s sites manually ourselves as part of our hosting package.

That doesn’t mean we are infallible, and occasionally problems arise that we must fix. More often than not, when we deal with a hacked site, it is not one of our own we are fixing, but a third party is approaching us on how to fix things.

The cost of fixing a hacked site is not particularly cheap as it requires a lot of work to ensure everything is secure. In general, when a site is hacked, it isn’t just one file that is uploaded or modified, a hacker, or more likely an automated bot, will modify dozens of files and upload various others throughout the site to try and hide their backdoors.

Report from Wordfence

We have catalogued some of the steps we go through to fix a site, which we hope will help anyone that hosts their own site fix a hack.

How to clean up a hacked site:

  1. Take a full backup of the hacked website
  2. If possible restore to a previous backup that we believe is unhacked
    • If there is significant time between backups, it may be required to retain the database and restore any uploads.
    • The uploads folder needs to be sanitised before being restored.
    • Ideally, delete everything other than the image uploads and re-install everything again manually.
  3. Delete all plugins and themes if we didn’t do a full delete at first.
  4. Download all the plugins and themes from official sites and re-install them.
  5. Even if we are working from a backup, a full check needs to be run. We start with Anti-Malware from GOTMLS, and this is very good at identifying if a site has been hacked, it will detect and clean any hacked files it finds. Unfortunately, it rarely completes the job thoroughly.
  6. Download the full site and manually check for any suspicious files
    • In particular carry, out a search for PHP files within the uploads folder to ensure this is sanitised
    • Carry out a bulk search on the contents of all the files within the site for the term IonCube. This can be done using DreamWeaver, but other applications should be able to do it. Nearly all hacks will modify or upload files with encrypted code; this code is almost always encoded using IonCube which needs to be called within the PHP file
  7. Change the database name and password, update the config files
  8. Change all admin user’s passwords
  9. Check for any new admin users and remove them
  10. Secure the sensitised as much as possible. Securi has some useful auto-hardening tools which can be used.
  11. Carry out daily scans with GOTMLS
  12. Carry out regular checks of the upload folder for PHP files
  13. Do a follow-up inspection by downloading the entire site and searching for IonCube in the code.

All in all, it can be an awful lot of work to fix a hacked website. Some tools do an excellent job of it, primarily Securi, which costs $199.99. This should fix everything by itself. However we prefer not to rely 100% on an automated too, so we would still carry out most of the manual procedures.

Once you have fixed the site, we will need to work with you to find out a possible cause. It is nearly always plugin or theme related. If you download a premium one from a “free” website, then you can almost guarantee your site will get hacked. Most of the time it is due to not updating the themes and plugins. The problem here is that many premium plugins no longer charge a one-off fee, but a yearly fee, so this can be quite expensive, but necessary.

If you would like help fixing your site then contact us via the form below

[gravityform id=”11″ title=”false” description=”false”]

James Smythe

Recent Posts

Understanding Google PageSpeed Insights & Core Web Vitals – A green 90+ can still show as needing improvement in Search Console

Many website owners have breathed a sigh of relief that Google has delayed the algorithm…

4 months ago

Most Google searches generate no website traffic with zero-click searches

I briefly touched upon zero-click searches in a recent post about Google featured snippets. The…

6 months ago

Takedown bad Google My Business with a new tool from Google

Online reviews can make or break a business nowadays, which has unfortunately made reviews become…

6 months ago

Google featured snippets improve to normal levels following drop

Featured Snippets in Google are a blessing and a curse. One had they offer a…

6 months ago

LiteSpeed Cache + QUIC.cloud CDN vs WP Rocket + Cloudflare CDN PageSpeed Insights with Divi WordPress Theme

We all know website speed is important, ignoring Google; a slow website provides a terrible…

7 months ago

This website uses cookies.