How to remove malware from a hacked WordPress website


In this article we will explain why and how WordPress websites are hacked. We will also give you a step-by-step plan for removing malware and cleaning up your WordPress website.

Why are WordPress websites hacked?

The most important motivation for most hackers is money. Hacked websites are used to promote commercial websites, particularly for gambling, sex and pharmaceuticals. A hacked website can be used to send thousands of spam e-mails, for example, or links are placed on your website to mislead Google so that the commercial websites rank higher in the search results. Every now and then hacks may be ideologically or politically motivated.

How do you discover that your WordPress website has been hacked?

  • Various links appear on the website that don’t belong there. Often these are links to websites that have to do with pornography, gambling, drugs, illegal pharmaceuticals, et cetera. Sometimes the links are hidden in the color of the background of the website so that they are not visible to visitors, but can be found by search engines.
  • When you search for your own website via Google (for example ‘wpupgrader.com’ as search term), you find information about the website that isn’t yours.
  • Visitors to your websites are redirected to another website. Sometimes only mobile visitors.
  • Your website is being used to send spam. If this is the case you will usually get a message from your host company saying that an unusual amount of e-mail is being sent from your website.
  • Organic search traffic decreases because Google no longer shows your website in the search results.

How is it possible for your WordPress website to be hacked?

To gain control of your WordPress website hackers must find some way to upload or edit a file on your server. In general there are four possible ways for hackers to gain access to your website:

  1. Insecure passwords; most of the WordPress hacks that we come across could have been prevented by using more secure passwords.
  2. Update policy; when you seldom or never update WordPress, your plugins and your theme, you greatly increase the chance that you will be hacked.
  3. Insecure themes/plugins; your website can be fully up-to-date and still contain an insecure theme or plugin. Always purchase plugins and themes from a trustworthy website.
  4. Bad hosting; you may have protected your website well yourself, but if, for example, your hosting company’s setup makes it possible to move files between different websites on the same server, then your website is not properly secured.

How to make sure your WordPress website is hack free?

When a hacker has had access to your website, it is possible that files have been added or altered, passwords have been changed and possibly even new users added. If any one of these things is not detected and cleaned up, the other steps will have no effect, because the hacker will still be able to gain access and cause damage once again. For this reason, the clean-up must be thorough.

We will try to explain all the steps as simply as possible, but some technical knowledge is required. Make sure that you have an administrator account in WordPress, that you have FTP access (and that you know how FTP works), and that you can access the database using a program like phpMyAdmin or Adminer. The steps we are going to take are:

Tip

If you know when the hack took place you can skip the clean-up by restoring a backup from before the hack. You may lose a number of comments and form submissions. Continue with step 5.

Backup your hacked WordPress website

You are going to clean up your WordPress website thoroughly. This means you may end up cleaning up too much and it might be better to start again. In that case it is always good to have a backup on hand. Make sure that you add both the files and all databases to your backup.

Close the doors

Make sure your WordPress website is temporarily inaccessible from the outside. Theoretically hackers could infect your website while you’re still going through these steps. This also prevents you from infecting your visitors with any malware that might be installed on your website.
You can usually block your website from your hosting company’s control panel by way of a password or by using an IP filter. If you have access to your .htaccess file you can add the following code to allow one specific IP address (find out what your IP address is at WhatIsMyIPAddress.com). These are Apache 2.2-style directives; on Apache 2.4 the equivalent is ‘Require all denied’ followed by ‘Require ip’ with your address. Remember to remove the block again when you go live:

order deny,allow
deny from all
# replace 203.0.113.10 with your own IP address
allow from 203.0.113.10

Find the source of your WordPress website hack

It is important to find the source of the hack and the extent of the impact as soon as possible.

  • Look for your plugins, themes and WordPress version in the WPScan Vulnerability Database and see if there are known vulnerabilities for the versions you installed on your website.
  • Do you use Google Webmasters? Go to your dashboard and see if there are any reports of malware.
  • Check your website in Google: http://www.google.com/safebrowsing/diagnostic?site=www.example.com
  • Many hosting companies make access logs available. This is a list of all requests for files, saved at server level. Files placed by hackers are usually requested using a POST request. By looking for ‘POST’ in your access log you can filter a list of PHP files to examine further. Later in this article we will explain what to look for when examining PHP files. These files are not necessarily infected, however; a POST request is also used when you fill in a contact form or log in to wp-login.php.
  • We sometimes come across situations where an old WordPress website is on the same server, for example in a folder called ‘old’. Often this installation has been forgotten and is no longer up-to-date, which makes the whole website vulnerable to all sorts of old security flaws.
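The access-log filter described above, as an added example (not code from the original article): it parses combined-format log lines, keeps only POST requests to PHP files that are not the usual WordPress POST endpoints, and counts them per path and client address. The log lines are constructed for the demonstration.

```python
import re
from collections import Counter

# Constructed sample access log (Apache/Nginx "combined" format); not real traffic
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2020:10:01:02 +0100] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2020:10:01:09 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2020:10:02:11 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2020:10:05:40 +0100] "POST /wp-content/uploads/2020/03/cache.php HTTP/1.1" 200 12 "-" "python-requests/2.22"
198.51.100.7 - - [10/Mar/2020:10:05:41 +0100] "POST /wp-content/uploads/2020/03/cache.php HTTP/1.1" 200 12 "-" "python-requests/2.22"
198.51.100.7 - - [10/Mar/2020:10:07:02 +0100] "POST /old/wp-includes/class-wp.php HTTP/1.1" 200 0 "-" "curl/7.64.0"
203.0.113.9 - - [10/Mar/2020:10:08:13 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
"""

# ip, identd, user, [timestamp], "METHOD path protocol", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Endpoints that legitimately receive POST requests on a normal WordPress site
# (logins, AJAX, comments, cron, XML-RPC). A flood of POSTs to wp-login.php or
# xmlrpc.php is still worth a look, but that is a brute-force sign, not a planted file.
EXPECTED_POST_TARGETS = {
    "/wp-login.php", "/wp-admin/admin-ajax.php", "/wp-comments-post.php",
    "/wp-cron.php", "/xmlrpc.php",
}

def suspicious_post_targets(log_text):
    """Count POST requests to PHP files outside the expected endpoints, keyed by (path, ip)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]          # drop any query string
        if not path.endswith(".php") or path in EXPECTED_POST_TARGETS:
            continue
        hits[(path, m["ip"])] += 1
    return hits

if __name__ == "__main__":
    for (path, ip), count in suspicious_post_targets(SAMPLE_LOG).most_common():
        print(f"{count:4d}  {ip:15s}  {path}")
```

Every path this prints is a file to open and inspect in the ‘Checking remaining files’ step; a PHP file under wp-content/uploads or under a forgotten ‘old’ install that receives POSTs is the typical pattern.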

Clean up the files on your hacked WordPress website

During a successful hack a hacker can potentially place or alter a file in every folder on your web server; not just the folder containing the infected plugin. This means that you should examine all your folders and files, and this is painstaking work. Thankfully you can limit this work to various steps. We explain how below.

  • Clean up WordPress core (wp-admin and wp-includes)

    Log in with FTP and go to the folder of your WordPress website. In the root of your WordPress website there are at least three folders: ‘wp-admin’, ‘wp-content’ and ‘wp-includes’. All the changes specific to your website are saved in the ‘wp-content’ folder, while ‘wp-admin’ and ‘wp-includes’ only contain files from the WordPress core; files that only change when a new version of WordPress is released.

    To make sure in one go that there are no files in your WordPress core that have been added or infected, you can remove the ‘wp-admin’ and ‘wp-includes’ folders and replace them with a clean version by downloading WordPress again.

    • Not sure which WordPress version you are running? Check in ‘wp-includes/version.php’ and you will find the version number on line 7.
    • Download a zip-file of this version from the WordPress release-archive and unzip it on your computer.
    • Remove the ‘wp-admin’ and ‘wp-includes’ folders from the root of your WordPress website using FTP.
    • Upload the ‘wp-admin’ and ‘wp-includes’ folders from the zip file you just unzipped.

    Along with folders there are also files in the root of your website. Replace these files – except wp-config.php (!) – with the files from the unzipped zip file.

    Are there other files and folders in the root of your website? Examine them critically and decide whether or not they are familiar to you; is there any other software running on your site? If not, they may have been placed by the hacker. When in doubt, confer with your web host. Sometimes your web host will preinstall a folder like ‘stats’, ‘webstats’, ‘logs’ or ‘cgi-bin’. Always take a look inside these folders and look for files that end in ‘.php’; normally they shouldn’t be there.

  • Cleaning up plugins (wp-content/plugins)

    Just like the WordPress core, you can find original clean versions of your plugins in the WordPress plugin repository. It is, however, possible that not all your plugins come from here; you may have purchased premium plugins, for example, elsewhere. Premium plugins cannot always be updated automatically. Either way, to be sure that your plugin folder is clean, you will have to locate all the originals.

    • This is a good time to remove inactive plugins and plugins that are used infrequently. Do this first.
    • The plugins from the WordPress plugin repository can only be removed via FTP. After removing them download clean versions from the repository and upload them via FTP. A plugin like Wordfence may be able to do this step for you.
    • It is also important to get clean versions of plugins that do not come from the WordPress repository. Make sure you find these files and repeat the above step for these plugins. Can’t find the original plugin files? Then you will have to remove the entire plugin, because it is very possible that the plugin is (partially) responsible for the hack. More importantly, you will not be able to update the plugin in the future, and that could be disastrous for the safety of your website. Often you will be able to find an alternative plugin for the functionality you are looking for.

    In this step you will update all your plugins to the newest version. That is safe, but may lead to conflicts if your WordPress core or theme, for example, is not compatible with the newest version of the plugin. In that case, replace it with an older version of the plugin or – better yet – update your theme (see the following step) to see if that will resolve the problem.

  • Update theme (wp-content/themes)

    WordPress themes sometimes contain customization done by you or your website builder. These modifications will be lost if you update the theme, unless the modifications are saved in a separate folder by using a child theme.

    Your WordPress website doesn’t use a child theme? Then you have the option to update your theme, as explained in the previous step, but any modification will be lost. Want to keep your modifications? Then you can use this opportunity to first save your modifications in a child theme. The child theme manual by WordPress will explain how (caution: it’s not simple).

    Does your WordPress website have a child theme? In that case you can update your WordPress theme as explained in the previous step. Afterwards you will need to make sure that your child theme folder is clean. If you have a local copy of your child theme you can replace it (sometimes an old backup will work just fine, as long as you know that the website wasn’t hacked at the time the backup was made). If you don’t have a copy then you will have to go through the folder containing the child theme by hand. Read the next step for more information.

    Finally, do not forget to remove any unused themes; this way you will decrease the chance you’ll run into problems in the future.

  • Checking remaining files (wp-content)

    You have now cleaned up as much as you can without having to look in detail, but there are always a number of files and folders that you will have to check by hand.

    • Look for .php, .asp, .exe and .sh files in the wp-content/uploads folder. These do not belong there and may have been placed by hackers. It takes time, but don’t forget to check all the subfolders. Many FTP programs allow you to search automatically within a folder.
    • Some plugins add their own folders to the wp-content folder. This is not necessarily bad, but go through these folders as well for the file types mentioned above.
    • Are there PHP files for which you no longer have the original, and which you will therefore have to check by hand? Think of PHP files in the wp-content folder (like object-cache.php), your child theme, or wp-config.php in the root. Follow these steps:
      • Open them in a text editor and scroll in all directions; sometimes hackers put code in a file ‘out of sight’ by placing it very far to the right or very far down.
      • Look for any worrying code. Search for terms like ‘eval’, ‘exec’, ‘base64’, ‘hash’ and ‘decode’ and see if you find any code that doesn’t belong.
      • Not sure about something? Copy a section of the code and look it up in Google. Sometimes you’ll come across all kinds of malware forums and you’ll know that something’s not right.
  • Check wp-config.php

    Up until now you have left the wp-config.php file untouched, but you do have to check it. This file contains all kinds of basic configuration for your WordPress website. Do you have a backup available? Then we advise you to use the wp-config.php file from the backup for your website. Edit the list under ‘Authentication Unique Keys and Salts’ by adding a few characters to each line of random code. This way you make sure that any users that are logged in (potentially hackers) will no longer be logged in.

    Don’t have a backup? Open your wp-config.php and fill in the values you see in the wp-config.php generator by following all its steps. Choose ‘Auto Generate’ under Authentication Keys & Salts. Click update after the last step and copy and paste the code into your wp-config.php. Then you know for certain that you have a clean wp-config.php.

  • Looking for .htaccess

    A .htaccess file makes it possible to configure a lot of server settings. If a hacker modifies these kinds of files it can lead to very destructive behavior. There is always a .htaccess file in the root of your WordPress website, but in theory there could be one in every folder of your website. Use an FTP program to search for ‘htaccess’ across your website.

    The .htaccess file in the root of your website will contain the following lines (the standard WordPress block):

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress

    Is there more code in your .htaccess file? This could have been added by a plugin, but it could be a hack. If in doubt, remove all extra code from your .htaccess file; the plugin may no longer work optimally, but most plugins are able to add the necessary code to the .htaccess file automatically if need be.

    Did you find more .htaccess files?

    Go to the place where you found them. Are they in a plugin or theme folder? Then in theory they are safe, since you cleaned up all these folders in the previous steps. However, if you find any in your uploads folder, child theme etc. then it’s a good idea to take a closer look. Sometimes a .htaccess file is placed in wp-content/uploads to prevent visitors from going through your upload folders without permission. In this case you may come across the following line in your .htaccess file:

    Options -Indexes

    This is not a harmful line, so you can safely leave it as is.
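A scanner for the manual checks in the ‘Checking remaining files’ and ‘Looking for .htaccess’ steps above, added here as an example (not code from the original article): it walks a WordPress install, flags executable file types under wp-content/uploads, reports the search terms and ‘out of sight’ layout tricks in PHP files, and lists .htaccess lines outside the standard WordPress block and ‘Options -Indexes’, skipping the core, plugin and theme folders that were already replaced with clean copies. The demo install it builds in a temporary folder is constructed; the planted files are markers, not real malware.

```python
import os
import re
import tempfile

# Extensions that should never appear under wp-content/uploads (from the checklist above)
FORBIDDEN_UPLOAD_EXT = {".php", ".asp", ".exe", ".sh"}
# Terms the checklist says to search PHP files for; every hit is a candidate for manual review
SUSPICIOUS_RE = re.compile(r"eval|exec|base64|hash|decode", re.IGNORECASE)
# Code hidden "out of sight": a very long line, or a run of whitespace pushing code far to the right
MAX_LINE_LEN = 500
GAP_RE = re.compile(r"[ \t]{200,}")
# Folders already replaced with clean copies in the earlier steps; .htaccess files there are skipped
CLEAN_DIRS = ("wp-admin/", "wp-includes/", "wp-content/plugins/", "wp-content/themes/")
# Lines that belong in a normal WordPress .htaccess (the standard block plus 'Options -Indexes')
EXPECTED_HTACCESS = {
    "# BEGIN WordPress", "<IfModule mod_rewrite.c>", "RewriteEngine On", "RewriteBase /",
    "RewriteRule ^index\\.php$ - [L]", "RewriteCond %{REQUEST_FILENAME} !-f",
    "RewriteCond %{REQUEST_FILENAME} !-d", "RewriteRule . /index.php [L]", "</IfModule>",
    "# END WordPress", "Options -Indexes",
}

def inspect_php(path):
    """Return review notes for one PHP file: suspicious terms and hidden-code layout tricks."""
    notes = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if len(line) > MAX_LINE_LEN:
                notes.append(f"line {lineno}: {len(line)} characters long (possible hidden code)")
            elif GAP_RE.search(line):
                notes.append(f"line {lineno}: code pushed far to the right")
            for m in SUSPICIOUS_RE.finditer(line):
                notes.append(f"line {lineno}: contains '{m.group(0)}'")
    return notes

def inspect_htaccess(path):
    """Return every non-blank line that is not part of the expected WordPress .htaccess content."""
    notes = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if line and line not in EXPECTED_HTACCESS:
                notes.append(f"line {lineno}: unexpected directive: {line}")
    return notes

def scan_site(root):
    """Walk a WordPress install; return {relative path: [reasons to review]} with '/' separators."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            reasons = []
            if rel.startswith("wp-content/uploads/") and ext in FORBIDDEN_UPLOAD_EXT:
                reasons.append("executable file type inside uploads")
            if ext == ".php":
                reasons.extend(inspect_php(full))
            if name == ".htaccess" and not rel.startswith(CLEAN_DIRS):
                reasons.extend(inspect_htaccess(full))
            if reasons:
                findings[rel] = reasons
    return findings

def build_demo_site():
    """Constructed sample install in a temp dir: one planted file per finding type (not real malware)."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    files = {
        ".htaccess": ("# BEGIN WordPress\n<IfModule mod_rewrite.c>\nRewriteEngine On\nRewriteBase /\n"
                      "RewriteRule ^index\\.php$ - [L]\nRewriteCond %{REQUEST_FILENAME} !-f\n"
                      "RewriteCond %{REQUEST_FILENAME} !-d\nRewriteRule . /index.php [L]\n"
                      "</IfModule>\n# END WordPress\n"),
        "wp-content/uploads/2020/03/photo.jpg": "(constructed stand-in for an image)\n",
        "wp-content/uploads/2020/03/cache.php": "<?php " + " " * 300 + "echo 'constructed'; ?>\n",
        "wp-content/object-cache.php": "<?php\n$code = base64_decode($blob); // constructed marker\neval($code);\n",
        "wp-content/uploads/.htaccess": "Options -Indexes\n",
        "wp-content/.htaccess": "RewriteRule ^(.*)$ http://example.invalid/$1 [R=301,L]\n",
        "wp-content/plugins/demo-plugin/.htaccess": "Deny from all\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    for path, reasons in sorted(scan_site(build_demo_site()).items()):
        print(path)
        for reason in reasons:
            print("   ", reason)
```

Point scan_site at the root of your own install (a downloaded copy is fine) and work through the list by hand; legitimate code also uses terms like ‘hash’, so the output is a reading list, not a verdict.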

Cleaning up users

Now that all the files have been cleaned up, hackers may still have access to your website. They could have made an extra admin account, for example, or have changed the password of one of the other users. Furthermore, it’s possible that the hackers got in because they were able to guess a weak password.
Go to ‘Users’ in WordPress and remove any user who doesn’t belong. Set new (complex!) passwords for all other users. This way you know for certain that hackers cannot log in using an existing account. Explain to existing users why it is necessary to use a complex password.

Check the database

The more advanced users among us can now take a look at the database. Using a program like phpMyAdmin or Adminer it’s relatively easy to browse through your database.
First, you can have a look in the ‘wp_users’ table; do you still see any users that don’t belong here? Remove them by hand. Sometimes hackers are able to add an invisible user.
Then take a look at the structure of the table and compare it to the standard WordPress Database description; have any tables been added that you don’t recognize? Take a closer look. Some plugins add tables to your database. Only remove the tables that belong to plugins that have been removed.

Change all passwords

In the fifth step you changed the passwords of all your users, but hackers may have been able to discover other passwords as well. For this reason, at least change the password of your database, and your FTP account, host control panel, etc. as well. This way you don’t have to wonder whether your website really is secure again. Fill in the new database password in ‘DB_PASSWORD’ in the wp-config.php file.

Go live and test

Now you are ready to take your WordPress website live again. Remove the block from the ‘Close the doors’ step and check that your website can be accessed when you are not logged in, for example by visiting it from a different network or from your telephone without wifi.
You may still get a notification stating that your website contains malware. In this case your website has been placed on a blacklist, which means it also no longer comes up in Google searches. Use the options Google offers to put your website back in the search results.

  1. Google Diagnostic Center (replace www.example.com in the URL with your own domain). You can use this tool to see if your website is on the Google blacklist.
  2. Google Webmasters indicates if and when Google indexed a problem with your WordPress website.
  3. Submit a request via Google Reconsideration Tool to have Google reindex your WordPress website.

Update

Behind the scenes at WordPress there is a large community of developers constantly working on improving the code. The advantage of this is that any known leaks in WordPress, plugins and themes are often resolved quickly when a new version is released. That’s why you should always make sure your website is up-to-date. This way you greatly decrease the chance you will be hacked again and you can perform new updates very quickly because it’s usually just a small modification.


WordPress & website tips for trainers and coaches


The number of coaches and trainers in the Netherlands is growing. Over the past years we have had various coaches and trainers as customers and have advised them on how to set up their websites. In this article we’ll give you our take on websites for coaches and trainers and how coaches can make optimal use of WordPress.

A number of links in this article are embedded with an affiliate code.


Website tips

Tip 1. Tell your story

You could look at many of today’s trainers and coaches as modern ministers. They help customers with spiritual and practical questions. Questions you used to take to a minister you now take to a coach. The minister has his pulpit. Trainers and coaches have a blog. In the blog trainers and coaches can elaborate on issues they come across and the answers they have. There is room to go into the philosophy behind their coaching methods.

Tip 2. Stop the sales, go help people!

Services make up a prominent part of many coaches’ and trainers’ websites. What are you selling your clients? This is useful when people already know the coach and want to know what they can do for them. We’ve noticed that many trainers and coaches expect that a product website will also attract new customers. Often this isn’t very realistic. There are many trainers and coaches. There aren’t many people who want to be coached by an unknown coach or hire an unknown trainer. A website visitor needs to come to trust that the trainer/coach has the right answers to the questions they are asking.
So trainers and coaches, use your website to win your client’s trust. Use your blog to share your knowledge so that you can engage your client and help them. Once they feel like you’ve helped them, they will feel connected and commercial transactions will come naturally.

Tip 3. Be patient

Most trainers and coaches probably want the same thing that our other customers want: fast results. They want new clients, now. That’s not how websites work. Most people and organisations that are successful online have been investing for years. They’ve built a faithful following after years of hard work. In the end, this is where your paid work comes from. We advise trainers and coaches to think in terms of a timespan of a few years. Use this time to share your knowledge and help your followers. Trust that the commercial work will come in time.
Rens Kroes’ website

Tip 4. Keep it simple

Most Dutch people will have heard of Rens Kroes. And Karin from Koken met Karin (Cooking with Karin). These women have helped their readers eat better. They’ve been doing that for years. Often they started out selflessly, because they had a passion to help people eat good, healthy food. Typically these food blogs have a very simple aesthetic. The blogs almost look amateurish. The focus is entirely on the content and this breeds trust.

Tip 5. Be personal

This is a tip we give everyone on the internet. Use pictures and videos to tell who you are and what you stand for. This way the website visitor gets to know you and comes to trust you and your services.

Tip 6. Spread your services

Not everyone needs personal coaching or wants to hire a trainer. Training and coaching are specific ways to help. There are people who would rather read a book, listen to a lecture or take part in a workshop. We advise trainers and coaches to offer services that fit each budget.

How can coaches use WordPress as CMS?

WordPress is perfect for blogging and coaches can use this platform to share their knowledge and insights.

Tip 1. WordPress.com as Software as a Service

WordPress.com is a Software as a Service (SaaS). That means you can set up a website yourself without having to consider hosting and maintenance. WordPress.com is fine to use when you want to set up a blog and it’s okay if it is simple. The advantage of a website via WordPress is that this solution is cheap (starting at $99 per year). You don’t have to be particularly handy and you can get your website online quickly. You don’t have to worry about hosting and maintenance. A disadvantage is that you cannot use all WordPress plugins and themes. And you are not the owner of the website code.

In the following tips we assume that you have used an open-source version of WordPress and that you have installed it via a hosting company on your own server.

Tip 2. Use a free theme

Because of the simplicity of the website you may choose to use a free WordPress theme from the WordPress theme catalogue. The free themes often have a freemium business model: the basics are free. You will pay via a Premium version if you want more functionalities. Advantage is that you can set up a professional website with little money. Disadvantage is that you are responsible for hosting and maintenance yourself.

Tip 3. Thrive Themes for websites with conversion

Thrive Themes integrates themes with conversion-driven functionality, which gives you everything in one. With themes like Rise and Storied, Thrive Themes has a number of themes that are suited to blogging for coaches. Read our blog review of Thrive Themes.

Tip 4. Use a popular and flexible WordPress theme

We buy many WordPress themes on ThemeForest. There are a number of beautiful, simple blog themes on ThemeForest. For example Voice and Simplemag.

Tip 5. Use Enfold

We are also very enthusiastic about the Enfold theme/framework. We use it for a great number of the websites we develop. There are various demos available for Enfold. One of them is a lifestyle blog that can easily be used for blogging by coaches.

Tip 6. Storytelling

A popular development coaches can make use of is storytelling. Storytelling is being used by more and more newspaper and magazine websites. Consider using the Aesop Story Engine, for example.

Tip 7. Take care of good hosting

You will need a good hosting company for any solution that involves installing WordPress on your own server.

  • WP Engine; we work with the American company WP Engine. The advantage is that you have a professional environment at your disposal where you can create WordPress installations at the click of a button. WP Engine starts at $29 a month.

Tip 8. Skip WordPress, use an alternative

WordPress is a fantastic system for a large community, but it’s not sacred. It has advantages and disadvantages. For a simple blog you could also consider an alternative like Ghost or Medium.

How do you get Google Maps working again on your WordPress website?


Google Maps stopped working

If Google Maps is no longer visible on your WordPress website, this is probably caused by a change in Google’s policy. If you’re using a Google service (such as Google Maps) on your website, Google now wants you to link it to your Google account by using a so-called Google Maps API key. In this article, we explain how you can get and install this API key for Google Maps, so you can get Google Maps working again on your WordPress website.

How does the Google Maps API work?

When you’re showing a map from Google Maps on a page of your website, a connection is made with the Google Maps API at every visit. It is a free service from Google that builds up this map for you, so it loads quickly. Excessive use of this tool costs Google a lot of money, because their servers have to make calculations every single time.

That is why Google is now limiting the use of the API. A connection can be made with the Google Maps API up to 25,000 times a day. When you exceed this limit, you have to pay. Most websites will never exceed this limit, so for most people this service will remain free. You do, however, have to enter an API key on your website, so Google can keep count of the number of times your website connects to the Google Maps API.

Getting a Google Maps API key

Step 1

  • Go to the Google Maps Developers page.
  • Click the blue button ‘Get a key’.
  • Login with your Google account (if you are not yet logged in). It’s best to login with the same account as the one you’re using for example for Google Analytics.

Step 2

  • Select ‘Create a project’.
  • Click ‘Continue’.
  • Wait until you are led to the next screen. This can take several minutes, so don’t close the window and don’t click away while waiting. The next page will open automatically.

Step 3

  • Enter a clear description, under ‘Name’, e.g.: Google Maps for yourdomainname.nl.
  • Enter the domain name for which you want to use the API key, under ‘Accept requests from these HTTP referrers’. Enter it like this: *.yourdomainname.nl.
  • Enter any other domain names in the same way, if applicable.
  • Click ‘Create’.
  • You now see a screen with your API key. Copy the key and save this in a safe place.

Installing the Google Maps API key on your WordPress website (easy)

Make sure WordPress, your plugins and the theme on your website are up to date. Check which WordPress plugins and themes show the maps from Google Maps. Check their settings to make sure you can now paste your Google Maps API key. If not, you can contact your plugin or theme developer, because they should fix this immediately for all their users.

Paste the API key in the option field and save the changes. In the example on the right, you see how you can install the Google Maps API key for the newest version of the WordPress theme Enfold.

Installing the Google Maps API key on your WordPress website (advanced)

Does your website run a customized version of Google Maps, or does your plugin or theme no longer get support? Then find an alternative plugin, because using unmaintained code leads to serious security risks for your website. In the meantime, you can take these steps as a temporary fix, provided you know how to use an FTP program and a code editor:

  1. With your FTP program, go to the folder of the plugin or theme that’s using Google Maps.
  2. Download the folder to your computer and search through all the files in the folder for “maps.googleapis.com”.
  3. Open the file (or files) that match this search term in your code editor.
  4. Scroll to the place/places with “maps.googleapis.com”. You will probably see a longer address, like “https://maps.googleapis.com/maps/api/js?callback=initMap”.
    • Check whether you see a question mark in the URL. In that case, paste the following, directly after the URL: &key=YOUR_API_KEY
    • When there is no question mark in the URL, paste the following directly after the URL: ?key=YOUR_API_KEY
    • Replace YOUR_API_KEY with the API key you got from Google.
  5. Save the files and upload them with FTP back to your website.
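Step 4 as a small script, added here as an example (not code from the original article or from any theme): it finds every maps.googleapis.com address in a file, adds ‘&key=’ when the address already has a question mark and ‘?key=’ when it does not, leaves an address that already carries a key untouched, and keeps a trailing ‘#fragment’ at the end. YOUR_API_KEY is the placeholder from the steps above; the sample file contents are constructed.

```python
import re

# Placeholder from the steps above; replace with the key you got from Google
YOUR_API_KEY = "YOUR_API_KEY"

# A maps.googleapis.com address up to the closing quote, whitespace or tag bracket
MAPS_URL_RE = re.compile(r"""https?://maps\.googleapis\.com/[^\s"'<>]*""")

def add_key(url, key):
    """Apply step 4: '&key=' if the URL already has a query string, '?key=' if it does not.
    A URL that already carries a key is returned unchanged; a #fragment stays at the end."""
    if re.search(r"[?&]key=", url):
        return url
    base, hash_sign, fragment = url.partition("#")
    joiner = "&" if "?" in base else "?"
    return f"{base}{joiner}key={key}{hash_sign}{fragment}"

def patch_source(text, key):
    """Rewrite every Google Maps URL in a file's contents; returns (new text, number changed)."""
    changed = 0

    def repl(m):
        nonlocal changed
        new = add_key(m.group(0), key)
        changed += new != m.group(0)
        return new

    return MAPS_URL_RE.sub(repl, text), changed

def patch_file(path, key):
    """Read, patch and write back one theme or plugin file; returns the number of URLs changed."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    patched, changed = patch_source(original, key)
    if changed:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(patched)
    return changed

# Constructed sample of what a theme file might contain (not taken from any real theme)
SAMPLE_SOURCE = """
<script src="https://maps.googleapis.com/maps/api/js?callback=initMap" async defer></script>
<script src="https://maps.googleapis.com/maps/api/js"></script>
var legacy = 'https://maps.googleapis.com/maps/api/js?libraries=places&key=ALREADY_SET';
"""

if __name__ == "__main__":
    text, n = patch_source(SAMPLE_SOURCE, YOUR_API_KEY)
    print(f"{n} URL(s) updated")
    print(text)
```

Because the key is restricted to your own HTTP referrers in step 3, it is acceptable for it to appear in the page source; the files you patch this way are overwritten by the next theme or plugin update, which is why the article calls this a temporary fix.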