How to Clean Your Hacked WordPress Site Without a Backup

By Catherrine Garcia

WEBINAR:
On-Demand

Application Security Testing: An Integral Part of DevOps


When a website is hacked, it's not the end of the world. Most webmasters and site owners reduce their chances of a quick recovery because their first reaction is panic. When cleaning a hacked WordPress site, it is important to remain calm.

This article shares important steps to identify if your site is hacked, how to clean the malware or the hack and how to enhance the security of your website. This article assumes you do not already have backups from which to recover your site.

How to Identify if Your Website Has Been Hacked

Before you start panicking, you should check if you have actually been hacked or is it just a spam attack.

When a website gets hacked, there are a few clear indicators of compromise as listed below.

  • Sometimes if the search engines observe malicious behavior from a web property, they blacklist that site and it loses its ranking. You should check if Google flags your site in search results as "compromised." If any of your readers are reporting that their antivirus has flagged your site, it may well be malware infected.
  • Web hosting providers may disable your site, if they notice malicious activity on it, in order to stop the infection from spreading to other websites sharing the same server.
  • Often hackers will replace the homepage with a clear message that your website has been hacked.
  • Sometimes they will insert malicious code and ads (drugs, pornography, gambling) through the header/footer/sidebar. Such codes even hamper the performance of your WordPress website, which is also a sign of site getting hacked.
  • If you notice new users, new pages/posts, new themes or plugins downloaded, or any other unauthorized activity that none of your team members can validate, it definitely means one of your admin accounts has been compromised.
  • Admins may not see anything malicious but other users/daily visitors may be redirected to malicious sites.
  • Hackers could send malicious emails from your website's SMTP account to redirect users to a dirty site that will then download viruses to the visitor's computer. Using your website helps them avoid spam filters on the recipient's mailbox.

Steps to Follow to Clean Your Hacked WordPress Site

First of all, you need to be calm. As a website owner, it is natural that you might think of the post-hack consequences. Your mind might become clouded with negative thoughts about losing your business and your money but you have the biggest role to play in its recovery. You can also try some breathing/meditation exercises on YouTube to help you calm you down.

Once you are in a state of mind where you can think rationally, ask yourself three questions to help you decide your next course of action:

  • Can you give yourself a few hours of downtime due to a security incident? Usually, for high-value brands or trending ecommerce businesses, the answer is a big fat "No," they want it cleaned immediately.
  • As a protocol, many hosts completely delete a website that has been reported as compromised as a first step. So at this stage, do not approach your hosting provider for help.
  • Do you (or someone in your company) have the technical know-how to clean the hacked site manually?
  • If you are not comfortable handing the high-tech stuff by yourself, it's best for you to hire a professional to fix it for you.
  • Do you have the budget to hire a third-party or a professional to clean your hacked site? Security cleanup services could be anywhere between $100 to $250 and perhaps even higher.

If you can perform the procedure yourself, you can proceed with the steps explained below.

Keep Calm and Start Documenting the Hack

Documenting the hack means gathering data about it and creating an incident report baseline. This data will be useful in the long run.

Even a professional will ask you many questions to create a formal incident report. You can hand over the complete baseline; it will enable them to do their job more quickly.

Before you start cleaning the hack, you should change all your passwords (admins and non-admin users) immediately.

Now, you want to document the hack by asking following questions:

  • What are the visible signs of a security breach? You may use the indicators of compromise mentioned in the previous section as a checklist.
  • What was the local time (and time zone) when the hack was first reported/noticed?
  • What were the last 5 actions you performed? Did you install a new theme or a plugin?

Sanitize the Site

Now, you have to isolate the virus and kick it out of your website. First, you want to remove all of the (installed but) inactive plugins and themes from your WordPress code base because they are the easiest target for hackers.

The easiest option is downloading a plugin called Sucuri or WordFence and follow the instructions to clean the complete website. The WordPress Codex tutorial for cleaning a hacked site also mentions GOTMLS and Quttera plugins from their plugin repository.

You can also use remote file scanning services such as VirusTotal. Some websites such as aw-snap and IsItHacked also provide useful resources to help you find hacked files on your site.

If the tool only reports the malicious code of your website (but does not automatically delete it), your best solution is to reinstall a fresh copy of the plugin/theme.

Now, sanitize your local system and update all your plugins

How did the hacker get access to your admin account passwords? Chances are the malware might not be on your website at all. It may have installed keylogger software that secretly reads your keystrokes and sends it to the hacker's remote server.

Hackers can also infect your computer with advanced malware and it might get uploaded through an infected image. You can use any popular desktop antivirus to do that.

Make sure you do select the full computer scan and not the partial option. For extended safety, use the second AV too because some Trojans may manage to hide from popular AVs.

Also, update all your activated plugins, themes, and the WordPress code itself. Doing this ensures you remove any potential vulnerabilities due to outdated code that may be exploited in the future.

Also, check the list of all website users. Is there a new, possibly suspicious user? Usually, these are bot accounts with weird names containing special symbols and numbers instead of English letters.

If you spot any such user account and you don't recall creating it on WordPress, delete it immediately.

Once the malware is cleaned, you can inform your hosting provider

If you are sharing a server, you may want to inform your hosting provider with the exact details from your incident report and what steps you have taken to cleanup the website. They may employ their advanced security and malware scanning tools to see if all sites on the shared server have been infected (and take steps to clean them).

Even if you are hosted on a dedicated server, you might want to accept the help of their customer service representatives as you deal with this emergency.

Tighten Your Website Security After You Have Taken the Necessary Steps

After everything is clean, you want to make sure this doesn't repeat. In this section, we discuss steps you can take to increase the security of your website.

Increase your password security

You should secure all your WordPress accounts, your PHP and MySQL logins, your cPanel logins, and your FTP logins with strong passwords. Consider using password management tools such as LastPass too. For effecting a mandatory global password change for all WordPress users, use the Force Strong Passwords WordPress plugin.

We strongly recommend using 2-factor authentication (2FA) apps like Authy or Google Authenticator for securing your website. There are numerous 2FA plugins in the WordPress repository as well.

Using 2FA is also highly recommended because it sends an additional one-time password on the user's phone/email as an additional security layer besides the strong passwords.

Don't forget to change your secret keys

WordPress encrypts passwords for all users through secret keys. It also uses cookies to save them. Changing your secret keys will reset the cookies and it forces any logged in user to get logged out.

Additional security enhancement steps

You should use a security plugin like Sucuri or WordFence to regularly check for malware on your site. Most of these plugins provide free services.

If you haven't already installed a backup plugin, this is the right time to do so. Again, don't just install them, use them to schedule automated backups of your site. In future, this will help you quickly recover your website content when a security incident occurs.

Wrapping it up

You can use any security plugin for malware scans. Once you have cleaned the malware and improved Wordpress website performance, make sure you take all of the necessary steps to enhance the security of your website.

Have you been targeted by malware or a hacker? If yes, how did you deal with the scumbag?

About the Author

Catherrine Garcia is a freelance blogger and web developer. She is currently working as a freelance writer at MarkupTrend and managing content. You can follow her on Twitter.



Make a Comment

Loading Comments...

  • Web Development Newsletter Signup

    Invalid email
    You have successfuly registered to our newsletter.
  •  
  •  
  •  
Thanks for your registration, follow us on our social networks to keep up-to-date