How to Clean Your Hacked WordPress Site Without a Backup

By Catherrine Garcia

https://www.htmlgoodies.com/beyond/cms/how-to-clean-your-hacked-wordpress-site-without-a-backup.html

When a website is hacked, it's not the end of the world. Most webmasters and site owners reduce their chances of a quick recovery because their first reaction is panic. When cleaning a hacked WordPress site, it is important to remain calm.

This article shares important steps to identify whether your site is hacked, clean the malware or the hack, and enhance the security of your website. It assumes you do not already have backups from which to recover your site.

How to Identify if Your Website Has Been Hacked

Before you start panicking, you should check whether you have actually been hacked or whether it is just a spam attack.

When a website gets hacked, there are a few clear indicators of compromise as listed below.

Steps to Follow to Clean Your Hacked WordPress Site

First of all, you need to be calm. As a website owner, it is natural that you might think of the post-hack consequences. Your mind might become clouded with negative thoughts about losing your business and your money, but you have the biggest role to play in its recovery. You can also try some breathing/meditation exercises on YouTube to help you calm down.

Once you are in a state of mind where you can think rationally, ask yourself three questions to help you decide your next course of action:

If you can perform the procedure yourself, you can proceed with the steps explained below.

Keep Calm and Start Documenting the Hack

Documenting the hack means gathering data about it and creating an incident report baseline. This data will be useful in the long run.

Even a professional will ask you many questions to create a formal incident report. You can hand over the complete baseline; it will enable them to do their job more quickly.

Before you start cleaning the hack, you should change all your passwords (admins and non-admin users) immediately.

Now, you want to document the hack by asking the following questions:

Sanitize the Site

Now, you have to isolate the virus and kick it out of your website. First, you want to remove all of the (installed but) inactive plugins and themes from your WordPress code base because they are the easiest target for hackers.

The easiest option is to download a plugin such as Sucuri or WordFence and follow the instructions to clean the complete website. The WordPress Codex tutorial for cleaning a hacked site also mentions the GOTMLS and Quttera plugins from the WordPress plugin repository.

You can also use remote file scanning services such as VirusTotal. Some websites such as aw-snap and IsItHacked also provide useful resources to help you find hacked files on your site.

If the tool only reports the malicious code of your website (but does not automatically delete it), your best solution is to reinstall a fresh copy of the plugin/theme.
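One way to see what changed before you replace an infected plugin or theme, as an added example that is not part of the original article: the Python script below fingerprints every file in the installed copy and in a freshly downloaded copy of the same version, then lists the files that were modified, added, or are missing. The directory and file names built in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def fingerprint(path):
    """SHA-256 of a regular file; a symlink is recorded by its target."""
    if path.is_symlink():
        return "symlink:" + os.readlink(path)
    return hashlib.sha256(path.read_bytes()).hexdigest()


def tree_fingerprints(root):
    """Map each file path, relative to root, to its fingerprint."""
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in root.rglob("*") if p.is_symlink() or p.is_file()}


def compare_to_fresh(installed, fresh):
    """Classify files in the live copy against a known-good fresh copy."""
    live, good = tree_fingerprints(installed), tree_fingerprints(fresh)
    return {
        "modified": sorted(f for f in live if f in good and live[f] != good[f]),
        "added": sorted(f for f in live if f not in good),
        "missing": sorted(f for f in good if f not in live),
    }


def demo():
    """Build two small constructed plugin trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        fresh, live = Path(tmp, "fresh"), Path(tmp, "live")
        for root in (fresh, live):
            (root / "inc").mkdir(parents=True)
            (root / "plugin.php").write_text("<?php // bootstrap\n")
            (root / "inc" / "helpers.php").write_text("<?php // helpers\n")
            (root / "readme.txt").write_text("Sample plugin\n")
        # Constructed differences standing in for what a compromise leaves.
        (live / "inc" / "helpers.php").write_text("<?php // altered\n")
        (live / "inc" / "cache.php").write_text("<?php // extra file\n")
        (live / "readme.txt").unlink()
        return compare_to_fresh(live, fresh)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:9}{', '.join(files)}")
```

Files reported as added deserve the closest look: if you overwrite a plugin's files by hand instead of deleting its directory first, they stay in place.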

Now, sanitize your local system and update all your plugins

How did the hacker get access to your admin account passwords? Chances are the malware might not be on your website at all. Instead, keylogger software may have been installed on your computer that secretly reads your keystrokes and sends them to the hacker's remote server.

Hackers can also infect your computer with advanced malware, and it might get uploaded through an infected image. You can use any popular desktop antivirus to sanitize your local system.

Make sure you select the full computer scan and not the partial option. For extended safety, use a second AV too, because some Trojans may manage to hide from popular AVs.

Also, update all your activated plugins, themes, and the WordPress code itself. Doing this ensures you remove any potential vulnerabilities due to outdated code that may be exploited in the future.

Also, check the list of all website users. Is there a new, possibly suspicious user? Usually, these are bot accounts with weird names containing special symbols and numbers instead of English letters.

If you spot any such user account and you don't recall creating it on WordPress, delete it immediately.

Once the malware is cleaned, you can inform your hosting provider

If you are sharing a server, you may want to inform your hosting provider with the exact details from your incident report and what steps you have taken to clean up the website. They may employ their advanced security and malware scanning tools to see if all sites on the shared server have been infected (and take steps to clean them).

Even if you are hosted on a dedicated server, you might want to accept the help of their customer service representatives as you deal with this emergency.

Tighten Your Website Security After You Have Taken the Necessary Steps

After everything is clean, you want to make sure this doesn't repeat. In this section, we discuss steps you can take to increase the security of your website.

Increase your password security

You should secure all your WordPress accounts, your PHP and MySQL logins, your cPanel logins, and your FTP logins with strong passwords. Consider using password management tools such as LastPass too. For effecting a mandatory global password change for all WordPress users, use the Force Strong Passwords WordPress plugin.

We strongly recommend using 2-factor authentication (2FA) apps like Authy or Google Authenticator for securing your website. There are numerous 2FA plugins in the WordPress repository as well.

Using 2FA is also highly recommended because it sends an additional one-time password to the user's phone/email as an additional security layer besides the strong passwords.

Don't forget to change your secret keys

WordPress encrypts passwords for all users through secret keys. It also uses cookies to save them. Changing your secret keys will reset the cookies and force any logged-in user to be logged out.
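Changing the secret keys means replacing the values of the eight key and salt constants in wp-config.php. The Python script below is an added example, not code from the original article or from WordPress: it generates fresh random values locally, rewrites each `define()` line, and reports any constant it could not find. The `SAMPLE` config and its values are constructed.

```python
import re
import secrets
import string

# The eight constants WordPress keeps in wp-config.php.
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Printable ASCII minus ' and \ so values need no escaping in single-quoted PHP.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                   + string.punctuation if c not in "'\\")


def new_secret(length=64):
    """Random value drawn with the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_keys(config_text):
    """Return (new_text, missing); each key's define() gets a fresh value."""
    missing = []
    for name in KEY_NAMES:
        pattern = re.compile(
            r"^([ \t]*)define\(\s*(['\"])" + name
            + r"\2\s*,\s*(['\"]).*\3\s*\)\s*;[ \t]*$", re.M)
        # A function replacement stops re from treating the secret as a template.
        config_text, n = pattern.subn(
            lambda m: f"{m.group(1)}define( '{name}', '{new_secret()}' );",
            config_text)
        if n == 0:
            missing.append(name)  # not present: add this define() by hand
    return config_text, missing


# Constructed wp-config.php fragment; values are placeholders, not real keys.
SAMPLE = """<?php
define( 'DB_NAME', 'example_db' );
define( 'AUTH_KEY',        'old-value-1' );
define('SECURE_AUTH_KEY', "old-value-2");
define( 'LOGGED_IN_KEY',   'old-value-3' );
define( 'NONCE_KEY',       'old-value-4' );
define( 'AUTH_SALT',       'old-value-5' );
define( 'SECURE_AUTH_SALT','old-value-6' );
define( 'LOGGED_IN_SALT',  'old-value-7' );
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    text, missing = rotate_keys(SAMPLE)
    print(text)
    print("not found, add by hand:", missing)
```

Save a copy of the original wp-config.php before writing the rotated text back to it.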

Additional security enhancement steps

You should use a security plugin like Sucuri or WordFence to regularly check for malware on your site. Most of these plugins provide free services.

If you haven't already installed a backup plugin, this is the right time to do so. Again, don't just install it; use it to schedule automated backups of your site. In the future, this will help you quickly recover your website content when a security incident occurs.

Wrapping it up

You can use any security plugin for malware scans. Once you have cleaned the malware and improved WordPress website performance, make sure you take all of the necessary steps to enhance the security of your website.

Have you been targeted by malware or a hacker? If yes, how did you deal with the scumbag?

About the Author

Catherrine Garcia is a freelance blogger and web developer. She is currently working as a freelance writer at MarkupTrend and managing content. You can follow her on Twitter.