Fixed Knowledge Base

Get all the help you need here.

Fixed a hacked site

Posted 04th October, 2018

Millions of WordPress websites get hacked every year. Hacking is a very general term which implies that a third party has gained access to a website for a malicious reason (we list some here). It may manifest itself in different ways on your website. We will assume that you know or think that your website is hacked.

Save yourself time and let us clean up your website for you. We will do this for a one time-fee, or on our subscription plan - with no minimum commitment. We'll also put steps in place to protect your website in future.

Let us clean up your website

The Ultimate WordPress Cleanup Guide

These are the steps our team members follow when cleaning up a WordPress website that has been hacked. It covers preparation, cleaning, and future protection. Note that every infection is different.

1. Take a copy of the site and database

We will be making substantial changes to the Wordpress files and databases over the next few hours, including replacing core files and making edits to the database. It is therefore extremely important that we take a copy of the site as it is at the moment so that we can roll back.

Obviously this copy we are taking is infected, so this backup is a worst case option. If any one of the steps below is complicated or takes a long time, we should take another backup afterwards. Backups should be taken of both the files and database.

The Fixed.net backup tool is free of charge for sites up to 1GB, and will keep backups for 7 days.

Back Up Site with Fixed.net

2. Check for older backups

Have any other backups of the website been taken prior to the hack? If so, it may be possible to roll back the site to a previous version. Even if a backup is restored, following each step of this guide to ensure the site is fully clean.

3. Take the website offline

It is advisable for us to take the website offline. This achieves three things:

  1. It stops visitors being infected by malicious content on the website.
  2. It prevents further exploits, especially as we clean the site.
  3. It prevents a broken or hacked site being further indexed by search engines.

The website is taken offline most quickly though a .htaccess file with the following content (replace 1.1.1.1 with your IP address):

Order deny,allow
Deny from all
Allow from 1.1.1.1

This will show all other website visitors a 403 Forbidden message.

Alternatively, a plugin such as Easy Coming Soon can be installed, which will show visitors a loading page.

4. Clear out Website Caches

Wordpress supports various caching applications, which speed up a site by showing a cached version of the website rather than a live version. To ensure that our fixes are taking effect, and also that no infections are present in the cache files themselves, we need to clear these caches.

These caches can be cleared in the Wordpress Admin Area, but we can comprehensively empty these folders using FTP, SFTP or SSH.

Cache locations are as follows:

SoftwareLocation
WPSuperCache
W3TotalCachewp-content/cache
WPRocket

You should check the Wordpress configuration file for any custom cache locations.

These caching applications can also be fully removed from the wp-content/plugins directory, and re-added later.

5. Replace the Wordpress Core

The Wordpress Core includes all Wordpress files with the exception of the wp-content directory and the wp-config.php file.

Often attackers place malicious files within the WordPress core files. These can be disguised in the form of a system file (for example, wp-includ.php ; wp-authentication.php; wp-I-am-not-a-hacked-file.php; etc).

The WordPress command line interface can be used with the command wp core verify-checksums. This will verify the Wordpress default files against Wordpress.org checksums. Alternatively, the core can just be fully replaced as follows.

  1. Download the latest stable version of Wordpress from Wordpress.org.
  2. Ensuring that a backup has successfully been taken, every other folder (including wp-admin, wp-includes) and file can be deleted.
  3. Upload the latest version of Wordpress, with the exception of the wp-content folder. A wp-config.php file should not be included with the download.
  4. Navigate to the Wordpress site to ensure that it loads.

6. Manually check the wp-config.php file

The Wordpress configuration file provides the key Wordpress configuration, such as linking the site to the database. This should be manually checked through for any anomalies. It can be compared to the wp-config-sample.php file in the Wordpress download.

If in any doubt, replace the wp-config.php file, updating the database credentials as required.

7. Manually check the .htaccess file

Some of the sneakiest WordPress hacks are directed at specific visitors only - for example those coming from Google. These often edit the .htaccess file.

The .htaccess can be cut down to include only the following code:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

The RewriteBase and RewriteRule sections may need updating based on the website structure.

8. Clean Plugins and Themes

There are a few ways we can clean themes and plugins.

Quick Fix

The simplest is to remove and reinstall them.

  1. Log in to the web server using FTP or SSH
  2. Delete all of the themes and plugins, taking a note of their name. It is important to do this from the file system and not the Wordpress admin area; removing them from the latter will clear any configuration from the database.
  3. Log in to the Wordpress Admin area.
  4. Re-install the themes and plugins from scratch. Of course, there's no need to reinstall plugins and themes that aren't activated or being used.

This will reset your themes and plugins.

Detailed Scan

If these themes and plugins are custom, or not available in the WordPress repository, then the files need to be searched for any exploits.

  • Maldet should be run against the whole wp-content folder.
  • Files can be searched for base64, exec, eval, preg_replace. False positives may be found, but any instances can be investigated.
  • Sort files by last modified date, and see the latest file uploads.

9. Clean the Uploads Folder

The Uploads file is where WordPress places uploaded media. There should be no .php or executable files here. An uploaded .php file here could be run to give a third party access to your files and make changes to the website.

Connect over ssh, navigate to wp-content/uploads/ and run the following command:

find . -type f -name "*.php"

Alternatively use an FTP client to search for .php files. They can be removed.

As a further preventative step, a .htaccess can be added to the wp-content/uploads folder with the following content:

<Files *.php>
deny from all
</Files>

10. Clean up users and permissions

Some hacks can add additional users and permissions to the Wordpress database. Sanity check the wp-users table in the database, and review the admin users in the Wordpress Admin dashboard.

If required, these can be fully reset to the Wordpress default using the Extreme database technique below.

All user passwords should be changed.

11. Ensure Themes and Plugins are still supported

Third party themes are built by developers. If they go out of business or disappear, then those themes will not be updated and vulnerabilities no longer fixed. Check that the plugins the site is using are still maintained. If not, replace them with alternatives.

12. Check and Clean the Database

Sometimes code can be placed in the database which, when loaded, runs an exploit. Similiar php excution language is used to script exploits. Databases can be searched for the following terms:

base64_encode, exec, base64_decode, preg_replace, eval

These references should be investigated and removed if required.

Extreme Database Fix

Similiar to files, WordPress has core tables and additional features. For most websites, the database stores Pages and Posts.

An extreme fix is therefore for us to install a brand new Wordpress database, and retrofit the content of the wp_posts table into the database.

Note that this will require creating new users, reconfiguring themes, re-adding pages and more. However, it essentially creates a new version of a Wordpress website with a clean database.

13. Update Everything

Now that the infection has been removed we need to close the hole. We should do the following.

  1. Update Wordpress (this should be up to date as we have replaced the core, but we can ensure this in the Wordpress Admin Area).
  2. Update all themes and plugins
  3. Remove any unused themes and plugins

14. Run a security scan

Run a scan against the website to find any known vulnerabilities. Fixed.net includes a free vulnerability scanner for all websites.

15. Change all passwords

This includes

  • hosting passwords
  • ftp passwords
  • database passwords (update the wp-config.php file)
  • Wordpress admin passwords

16. Bring the site back online

If your host has taken your site offline, you can now ask them to unblock it.

You should also remove the lines you added to your .htaccess file.

17. Remove Site Blacklistings

If third party scanning sites have marked a site as containing malware, they will still be blocking access as this is not real time.

Site re-scans can now be requested in some cases; in some others the scan may take a few days.

18. Take a Back Up

Take a back up now and set up regular backups. This can be done with Fixed.net.

Useful links

Official WordPress codex