In this article we will explain why and how WordPress websites are hacked. We will also give you a step-by-step plan for removing malware and cleaning up your WordPress website.

Why are WordPress websites hacked?

The most important motivation for most hackers is money. Hacked websites are used to promote commercial websites, particularly gambling, sex and pharmaceuticals. A hacked website can, for example, be used to send thousands of spam e-mails. Or links are placed on your website to mislead Google so that the commercial websites rank higher in the search results. Every now and then hacks are ideologically or politically motivated.

How do you discover that your WordPress website has been hacked?

  • Various links appear on the website that don’t belong there. Often these are links to websites that have to do with pornography, gambling, drugs, illegal pharmaceuticals, et cetera. Sometimes the links are hidden in the color of the background of the website so that they are not visible to visitors, but can be found by search engines.
  • When you search for your own website via Google (for example ‘wpupgrader.com’ as search term), you find information about the website that isn’t yours.
  • Visitors to your website are redirected to another website. Sometimes only mobile visitors.
  • Your website is being used to send spam. If this is the case you will usually get a message from your host company saying that an unusual amount of e-mail is being sent from your website.
  • Organic search traffic decreases because Google no longer shows your website in the search results.

How is it possible for your WordPress website to be hacked?

To gain control of your WordPress website hackers must find some way to upload or edit a file on your server. In general there are four possible ways for hackers to gain access to your website:

  1. Insecure passwords; most of the WordPress hacks that we come across could have been prevented by using more secure passwords.
  2. Update policy; when you seldom or never update WordPress, your plugins and your theme, you greatly increase the chance that you will be hacked.
  3. Insecure themes/plugins; sometimes your website can be up-to-date, and still contain an insecure theme/plugin. Always purchase plugins/themes from a trustworthy website.
  4. Bad hosting; you may have protected your website well yourself, but if, for example, it’s possible for your hosting company to move files between different websites then your website is not properly secured.

How to make sure your WordPress website is hack free?

When a hacker has had access to your website, it is possible that files have been added or altered, passwords have been changed and possibly even new users added. If any one of these things is not detected and cleaned up, the other steps will have no effect, because the hacker will still be able to gain access and cause damage once again. For this reason, the clean-up must be thorough.

We will try to explain all the steps as simply as possible, but some technical knowledge is required. Make sure that you have an administrator account in WordPress, that you have FTP access (and that you know how FTP works), and that you can access the database using a program like phpMyAdmin or Adminer. The steps we are going to take are:

Tip

If you know when the hack took place you can skip the clean-up by restoring a backup from before the hack. You may lose a number of comments and web form submissions. Continue with step 5.

Backup your hacked WordPress website

You are going to clean up your WordPress website thoroughly. This means you may end up cleaning up too much and it might be better to start again. In that case it is always good to have a backup on hand. Make sure that you add both the files and all databases to your backup.

Close the doors

Make sure your WordPress website is temporarily inaccessible from the outside. Theoretically hackers could infect your website while you’re still going through these steps. This also prevents you from infecting your visitors with any malware that might be installed on your website.
You can usually block your website from your host company’s control panel by way of a password or by using an IP filter. If you have access to your .htaccess file you can add the following code to allow one specific IP address (find out what your IP address is at WhatIsMyIPAddress.com). The address below is only a placeholder from the documentation address range; replace it with your own:

# allow only your own address while you clean up (203.0.113.10 is a placeholder)
order deny,allow
deny from all
allow from 203.0.113.10

Find the source of your WordPress website hack

It is important to find the source of the hack and the extent of the impact as soon as possible.  

  • Look for your plugins, themes and WordPress version in the WPScan Vulnerability Database and see if there are known vulnerabilities for the versions you installed on your website.
  • Do you use Google Webmasters? Go to your dashboard and see if there are any reports of malware.
  • Check your website in Google: http://www.google.com/safebrowsing/diagnostic?site=www.example.com
  • Many hosting companies make access logs available. This is a list of all requests for files, saved at server level. Files placed by hackers are usually requested using a ‘POST’ request. By looking for ‘POST’ in your access log you can filter out a list of PHP files to examine further. Later in this article we will explain what to look for when examining PHP files. These files are not necessarily infected, however; a POST request is also used when you fill in a contact form or log in via wp-login.php.
  • We sometimes come across situations where an old WordPress website is on the same server, for example in a folder called ‘old’. Often this installation has been forgotten and is no longer up-to-date, which makes the whole website vulnerable to all sorts of old security flaws.
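The access-log check above can be automated. The script below is an added example (not from the original article): it parses lines in the common/combined log format, keeps only POST requests, drops the endpoints that legitimately receive POSTs on a normal WordPress site (wp-login.php, the comment handler, admin-ajax and the wp-admin screens, which you replace wholesale anyway) and counts the remaining POSTs to PHP files per client address. The log lines and the addresses in them are constructed sample data.

```python
import re
from collections import Counter

# Fields we need from an Apache/nginx access log line (common and combined formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Endpoints that receive POST requests on a healthy WordPress site.
EXPECTED_POST_TARGETS = {
    "/wp-login.php",
    "/wp-comments-post.php",
    "/xmlrpc.php",
    "/wp-admin/admin-ajax.php",
    "/wp-admin/admin-post.php",
}


def suspicious_posts(log_lines):
    """Count POST requests to PHP files that are not expected POST targets.

    Returns a Counter keyed by (client_ip, path).  wp-admin/ is skipped because
    that folder is replaced with a clean copy in a later step.
    """
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        if path in EXPECTED_POST_TARGETS or path.startswith("/wp-admin/"):
            continue
        if path.lower().endswith(".php"):
            hits[(m.group("ip"), path)] += 1
    return hits


# Constructed sample log; the IP addresses are documentation-range placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2016:08:01:12 +0100] "GET /index.php HTTP/1.1" 200 5123
203.0.113.5 - - [10/Mar/2016:08:01:40 +0100] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.77 - - [10/Mar/2016:08:02:03 +0100] "POST /wp-content/uploads/2016/03/cache.php HTTP/1.1" 200 211
198.51.100.77 - - [10/Mar/2016:08:02:09 +0100] "POST /wp-content/uploads/2016/03/cache.php?x=1 HTTP/1.1" 200 188
203.0.113.9 - - [10/Mar/2016:08:03:00 +0100] "POST /wp-comments-post.php HTTP/1.1" 302 0
203.0.113.5 - - [10/Mar/2016:08:04:11 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 40
198.51.100.77 - - [10/Mar/2016:08:05:30 +0100] "POST /old/wp-content/themes/twentyten/404.php HTTP/1.1" 200 77
"""

if __name__ == "__main__":
    for (ip, path), n in suspicious_posts(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:4d}  {ip:<16} {path}")
```

Run it against your real log with `suspicious_posts(open("access.log"))`. A PHP file inside wp-content/uploads that receives POSTs, or anything under a forgotten ‘old’ folder, goes to the top of the list of files to inspect by hand.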

Clean up the files on your hacked WordPress website

During a successful hack a hacker can potentially place or alter a file in every folder on your web server; not just the folder containing the infected plugin. This means that you should examine all your folders and files, and this is painstaking work. Thankfully you can limit this work to various steps. We explain how below.

  • Clean up WordPress core (wp-admin and wp-includes)

    Log in with FTP and go to the folder of your WordPress website. In the root of your WordPress website there are at least three folders: ‘wp-admin’, ‘wp-content’ and ‘wp-includes’. All the changes specific to your website are saved in the ‘wp-content’ folder, but ‘wp-admin’ and ‘wp-includes’ only contain files from the WordPress core; files that only change when a new version of WordPress is released.

    To make sure in one go that there are no added or infected files in your WordPress core, you can remove the ‘wp-admin’ and ‘wp-includes’ folders and replace them with a clean version by downloading WordPress again.

    • Not sure which WordPress version you are running? Check in ‘wp-includes/version.php’ and you will find the version number on line 7.
    • Download a zip-file of this version from the WordPress release-archive and unzip it on your computer.
    • Remove the ‘wp-admin’ and ‘wp-includes’ folders from the root of your WordPress website using FTP.
    • Upload the ‘wp-admin’ and ‘wp-includes’ folders from the archive you just unzipped.

    Along with folders there are also files in the root of your website. Replace these files – except wp-config.php (!) – with the files from the unzipped zip file.

    Are there other files and folders in the root of your website? Examine them critically and decide whether they are familiar to you; is there any other software running on your site? If not, they may have been placed by the hacker. When in doubt, confer with your web host. Sometimes your web host will preinstall a folder like ‘stats’, ‘webstats’, ‘logs’ or ‘cgi-bin’. Always take a look inside these folders and look for files that end in ‘.php’, because normally speaking they shouldn’t be there.
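Replacing wp-admin and wp-includes wholesale is the safe route; if you first want to know what actually differs between your site and the clean download (and to check the root files without wp-config.php), a hash comparison of the two trees shows added, missing and modified files at once. This is an added example, not code from the article: it builds two small constructed directory trees standing in for the clean download and the live site, hashes every file with SHA-256 and reports the differences. `build_demo` and the file contents in it are constructed for the demonstration only.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large files do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map of relative path -> hash for every regular file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
        for p in root.rglob("*") if p.is_file()
    }


def compare_trees(clean_root, site_root, skip=("wp-config.php",)):
    """Compare the live site against a clean WordPress download of the same version.

    wp-config.php is site-specific and is skipped; it is checked separately.
    """
    clean, site = hash_tree(clean_root), hash_tree(site_root)
    for name in skip:
        clean.pop(name, None)
        site.pop(name, None)
    return {
        "added": sorted(set(site) - set(clean)),        # present on the site only
        "missing": sorted(set(clean) - set(site)),      # present in the download only
        "modified": sorted(p for p in set(clean) & set(site) if clean[p] != site[p]),
    }


def build_demo():
    """Constructed miniature trees: 'clean' = fresh download, 'site' = the hacked site."""
    base = Path(tempfile.mkdtemp())
    files = {
        "clean/wp-includes/version.php": "<?php $wp_version = '4.4.2';",
        "clean/wp-admin/index.php": "<?php require_once 'admin.php';",
        "clean/index.php": "<?php require 'wp-blog-header.php';",
        "clean/wp-config-sample.php": "<?php define('DB_NAME', 'database_name_here');",
        "site/wp-includes/version.php": "<?php $wp_version = '4.4.2';",
        "site/wp-admin/index.php": "<?php require_once 'admin.php';",
        "site/index.php": "<?php require 'wp-blog-header.php'; /* extra */",  # modified
        "site/wp-includes/wp-tmp.php": "<?php /* constructed: not in the release */",  # added
        "site/wp-config.php": "<?php define('DB_NAME', 'mysite');",  # site-specific, skipped
    }
    for rel, body in files.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return base / "clean", base / "site"


if __name__ == "__main__":
    clean_dir, site_dir = build_demo()
    for kind, paths in compare_trees(clean_dir, site_dir).items():
        print(kind, paths)
```

Point `compare_trees` at the unzipped release archive and a local FTP copy of the site. Everything under ‘added’ and ‘modified’ in wp-admin, wp-includes and the root is either something you put there yourself or something to treat as the hacker's.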

  • Cleaning up plugins (wp-content/plugins)

    Just like the WordPress core, you can find original clean versions of your plugins in the WordPress plugin repository. It is, however, possible that not all your plugins come from here; you may have purchased premium plugins, for example, elsewhere. Premium plugins cannot always be updated automatically. Either way, to be sure that your plugin folder is clean, you will have to locate all the originals.

    • This is a good time to remove inactive plugins and plugins that are used infrequently. Do this first.
    • The plugins from the WordPress plugin repository can only be removed via FTP. After removing them download clean versions from the repository and upload them via FTP. A plugin like Wordfence may be able to do this step for you.
    • It is also important to get clean versions of plugins that do not come from the WordPress repository. Make sure you find these files and repeat the above step for these plugins. Can’t find the original plugin files? Then you will have to remove the entire plugin, because it is very possible that the plugin is (partially) responsible for the hack. More importantly, you will not be able to update the plugin in the future, and that could be disastrous for the safety of your website. Often you will be able to find an alternative plugin for the functionality you are looking for.

    In this step you will update all your plugins to the newest version. That is safe, but may lead to conflicts if your WordPress core or theme, for example, is not compatible with the newest version of the plugin. In that case, replace it with an older version of the plugin or – better yet – update your theme (see the following step) to see if that will resolve the problem.

  • Update theme (wp-content/themes)

    WordPress themes sometimes contain customization done by you or your website builder. These modifications will be lost if you update the theme, unless the modifications are saved in a separate folder by using a child theme.

    Your WordPress website doesn’t use a child theme? Then you have the option to update your theme, as explained in the previous step, but any modification will be lost. Want to keep your modifications? Then you can use this opportunity to first save your modifications in a child theme. The child theme manual by WordPress will explain how (caution: it’s not simple).

    Does your WordPress website have a child theme? In that case you can update your WordPress theme as explained in the previous step. Afterwards you will need to make sure that your child theme folder is clean. If you have a local copy of your child theme you can replace it (sometimes an old backup will work just fine, as long as you know that the website wasn’t hacked at the time the backup was made). If you don’t have a copy then you will have to go through the folder containing the child theme by hand. Read the next step for more information.

    Finally, do not forget to remove any unused themes; this way you will decrease the chance you’ll run into problems in the future.

  • Checking remaining files (wp-content)

    You have now cleaned up as much as you can without having to look at files in detail, but there are always a number of files and folders that you will have to check by hand.

    • Look for .php, .asp, .exe and .sh files in the wp-content/uploads folder. These do not belong here and may have been placed by hackers. It takes time, but don’t forget to check all the subfolders. Many FTP programs allow you to search automatically within a folder.
    • Some plugins add their own folders to the wp-content folder. This is not necessarily bad, but go through these folders for the file types mentioned above as well.
    • Are there PHP files for which you no longer have the original, so that you will have to check them by hand? Think of PHP files in the wp-content folder (like object-cache.php), your child theme, or wp-config.php in the root. Follow these steps:
      • Open them in text editor and scroll in all directions; sometimes hackers put code in a file ‘out of sight’ by placing it very far to the right or really far down.
      • Keep looking for any worrying code. Look for terms like ‘eval’, ‘exec’, ‘base64’, ‘hash’, ‘decode’ and see if you find any code that doesn’t belong.
      • Not sure about something? Copy a section of the code and look it up in Google. Sometimes you’ll come across all kinds of malware forums and you’ll know that something’s not right.
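The three manual checks above (code hidden far to the right or far down, and calls to eval/exec/base64-style functions) can be turned into a small scanner. This is an added example, not code from the article: `scan_php` reports, per line, suspicious function calls, unusually long lines and code that only starts after a wall of whitespace, and `scan_tree` runs it over every .php file under a folder. The sample file content is constructed; the base64 string in it decodes to the harmless `echo 'hello';` and exists only so the scanner has something to find. The thresholds are assumptions you can tune.

```python
import re
from pathlib import Path

# Functions that are rare in legitimate theme/plugin code but common in injected code.
SUSPICIOUS = re.compile(
    r"\b(eval|exec|system|passthru|shell_exec|base64_decode|gzinflate|gzuncompress|"
    r"str_rot13|assert|create_function)\s*\(",
    re.IGNORECASE,
)
LONG_LINE = 400   # a single line longer than this deserves a look (assumed threshold)
FAR_RIGHT = 200   # code starting after this many blank columns is 'out of sight'


def scan_php(text):
    """Return a list of (line_no, reason, snippet) findings for one PHP source text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped:                       # blank padding lines are skipped
            continue
        for m in SUSPICIOUS.finditer(line):
            findings.append((no, f"call to {m.group(1)}()", stripped[:60]))
        if len(line) > LONG_LINE:
            findings.append((no, f"line of {len(line)} characters", stripped[:60]))
        indent = len(line) - len(line.lstrip(" \t"))
        if indent > FAR_RIGHT:
            findings.append((no, f"code pushed {indent} columns to the right", stripped[:60]))
    return findings


def scan_tree(root):
    """Scan every .php file under root; returns {relative path: findings} for files with hits."""
    root = Path(root)
    report = {}
    for p in root.rglob("*.php"):
        hits = scan_php(p.read_text(errors="replace"))
        if hits:
            report[str(p.relative_to(root))] = hits
    return report


# Constructed sample of a drop-in file with code hidden far to the right and far down.
SAMPLE = (
    "<?php\n"
    "/**\n * Plugin Name: Example Cache\n */\n"
    "function example_cache_get($key) {\n"
    "    return wp_cache_get($key, 'example');\n"
    "}\n"
    + " " * 300 + "eval(base64_decode('ZWNobyAnaGVsbG8nOw=='));\n"   # hidden to the right
    + "\n" * 50                                                         # pushed far down
    + "$x = str_rot13('nop'); echo $x;\n"
)

if __name__ == "__main__":
    for no, reason, snippet in scan_php(SAMPLE):
        print(f"line {no:3d}: {reason:<40} {snippet}")
```

A hit is a reason to read the surrounding code, not proof of infection: caching and backup plugins legitimately use some of these functions. What you are looking for is the combination the article describes, an unfamiliar call sitting where the layout tries to keep it out of view.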
  • Check wp-config.php

    Up until now you have left the wp-config.php file untouched, but you do have to check it. This file contains all kinds of basic configuration for your WordPress website. Do you have a backup available? Then we advise you to use the wp-config.php file from the backup for your website. Edit the list under ‘Authentication Unique Keys and Salts’ by adding a few characters to each line of random code. This way you make sure that any users that are logged in (potentially hackers) will no longer be logged in.

    Don’t have a backup? Open your wp-config.php and fill in the values you see in the wp-config.php generator by following all its steps. Choose ‘Auto Generate’ under Authentication Keys & Salts. Click update after the last step and copy and paste the code into your wp-config.php. Then you know for certain that you have a clean wp-config.php.

  • Looking for .htaccess

    A .htaccess file makes it possible to configure a lot of server settings. If a hacker modifies these kinds of files it can lead to very destructive behavior. There is definitely a .htaccess file in the root of your WordPress website, but in theory there could be one in every folder in your website. Use an FTP program to look for ‘htaccess’ on your website.

    The .htaccess file in the root of your website will contain the following lines (the standard WordPress block, including the IfModule wrapper WordPress writes around the rewrite rules):

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress

    Is there more code in your .htaccess file? This could have been added by a plugin, but it could be a hack. If in doubt, remove all extra code from your .htaccess file; the plugin may no longer work optimally, but most plugins are able to add the necessary code to the .htaccess file automatically if need be.

    Found more .htaccess files?

    Go to the place where you found them. Are they in a plugin or theme folder? Then in theory they are safe, since you cleaned up all these folders in the previous steps. However, if you find any in your uploads folder, child theme etc. then it’s a good idea to take a closer look. Sometimes a .htaccess file is placed in wp-content/uploads to prevent visitors from going through your upload folders without permission. In this case you may come across the following line in your .htaccess file:

    Options -Indexes

    This is not a harmful line, so you can safely leave it as is.
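The .htaccess review described above (is the standard WordPress block intact, and what else is in the file?) is mechanical enough to script. This is an added example, not code from the article: `audit_htaccess` removes the canonical WordPress block if it is present verbatim, treats blank lines, comments and `Options -Indexes` as harmless, and returns every other directive for you to review. The two sample files are constructed; the extra block in the root sample stands in for the kind of addition you would want to look at, and `example.invalid` is a placeholder hostname.

```python
CANONICAL_WP_BLOCK = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# Lines that are known to be safe outside the WordPress block.
HARMLESS = {"Options -Indexes"}


def audit_htaccess(text):
    """Split a .htaccess file into: the WordPress block (ok?), harmless lines, lines to review."""
    lines = [l.rstrip() for l in text.splitlines()]
    canonical = [l.rstrip() for l in CANONICAL_WP_BLOCK.splitlines()]
    wp_block_ok = False
    rest = []
    i = 0
    while i < len(lines):
        # Only an exact, unmodified copy of the standard block is accepted.
        if lines[i] == canonical[0] and lines[i:i + len(canonical)] == canonical:
            wp_block_ok = True
            i += len(canonical)
            continue
        rest.append(lines[i])
        i += 1
    harmless, review = [], []
    for l in rest:
        s = l.strip()
        if not s or s.startswith("#") or s in HARMLESS:
            harmless.append(l)
        else:
            review.append(l)
    return {"wp_block_ok": wp_block_ok, "harmless": harmless, "review": review}


# Constructed root .htaccess: the standard block plus a redirect the owner did not add.
SAMPLE_ROOT = CANONICAL_WP_BLOCK + """
# constructed: a block the site owner did not put here
<IfModule mod_rewrite.c>
RewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]
RewriteRule ^(.*)$ http://example.invalid/ [R=302,L]
</IfModule>
"""

# Constructed wp-content/uploads/.htaccess with only the directory-listing protection.
SAMPLE_UPLOADS = "Options -Indexes\n"

if __name__ == "__main__":
    for name, text in (("root", SAMPLE_ROOT), ("uploads", SAMPLE_UPLOADS)):
        r = audit_htaccess(text)
        print(name, "standard WP block:", r["wp_block_ok"])
        for l in r["review"]:
            print("   REVIEW:", l)
```

A rewrite to another host that only fires for certain user agents is exactly the ‘only mobile visitors are redirected’ symptom from the start of the article; for a plugin's own rules, the plugin's documentation tells you what it expects to write there.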

Cleaning up users

Now that all the files have been cleaned up, hackers still may have access to your website. They could have made an extra admin account, for example, or have changed the password of one of the other users. Furthermore, it’s possible that the hackers got in because they were able to guess a weak password.
Go to ‘users’ in WordPress and remove any user who doesn’t belong. Set new (complex!) passwords for all other users. This way you know for certain that hackers cannot login using an existing account. Explain to existing users why it is necessary to use a complex password.

Check the database

The more advanced users among us can now take a look at the database. Using a program like PhpMyAdmin or Adminer it’s relatively easy to browse through your database.
First, have a look in the ‘wp_users’ table; do you still see any users that don’t belong here? Remove them by hand. Sometimes hackers are able to add a user that is invisible in the WordPress users screen.
Then take a look at the structure of the database and compare it to the standard WordPress database description; have any tables been added that you don’t recognize? Take a closer look. Some plugins add tables to your database. Only remove tables that belong to plugins that have been removed.
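Two database queries cover the user checks above: which accounts hold the administrator role according to ‘wp_usermeta’ (the ‘wp_capabilities’ row, which WordPress stores as a serialized PHP array), and which accounts have no capabilities row at all, which is one reason a user does not show up in the WordPress users screen. This is an added example, not code from the article: it builds a constructed miniature of the two tables in SQLite so it runs offline, but the SQL itself is plain enough to paste into phpMyAdmin or Adminer against MySQL. It assumes the default ‘wp_’ table prefix; if yours differs, adjust the table names and the ‘wp_capabilities’ meta key.

```python
import sqlite3


def load_demo_db():
    """Constructed miniature of wp_users / wp_usermeta (real column names, sample rows)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT,
                               user_registered TEXT, display_name TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES
          (1, 'owner',      'owner@example.com',  '2014-02-01 10:00:00', 'Site owner'),
          (2, 'editor',     'editor@example.com', '2015-06-12 09:30:00', 'Editor'),
          (3, 'wp-support', 'x@example.invalid',  '2016-03-10 03:14:00', ' '),
          (4, 'ghost',      'g@example.invalid',  '2016-03-10 03:15:00', '');
        INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES
          (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
          (2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}'),
          (3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return db


# Every account whose serialized capabilities contain the administrator role.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.ID
"""

# Accounts with no capabilities row: they exist in the database but not in the users screen.
NO_ROLE_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u
LEFT JOIN wp_usermeta m ON m.user_id = u.ID AND m.meta_key = 'wp_capabilities'
WHERE m.umeta_id IS NULL
ORDER BY u.ID
"""


def unexpected_admins(db, known_admin_logins):
    """Administrators that are not in the list of logins you know should be admins."""
    return [row for row in db.execute(ADMIN_QUERY) if row[1] not in known_admin_logins]


def users_without_role(db):
    """Accounts that have no wp_capabilities row at all."""
    return list(db.execute(NO_ROLE_QUERY))


if __name__ == "__main__":
    demo = load_demo_db()
    print("unexpected admins:", unexpected_admins(demo, {"owner"}))
    print("users without a role:", users_without_role(demo))
```

Compare the output with the users you actually know. An administrator registered in the middle of the night with a blank display name, or an account the users screen never showed you, is the kind of row the article tells you to remove by hand.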

Change all passwords

In the fifth step you changed the passwords of all your users, but hackers may have been able to discover other passwords as well. For this reason, at least change the password of your database, and your FTP account, host control panel, etc. as well. This way you don’t have to wonder whether your website really is secure again. Fill in the new database password in ‘DB_PASSWORD’ in the wp-config.php file.

Go live and test

Now you are ready to take your WordPress website live again. Remove the block from step one and check to see if your website can be accessed when you are not logged in, for example, by visiting your website from a different network or using your telephone without wifi.
You may still get a notification stating that your website contains malware. In this case your website has been placed on a blacklist, which means it also no longer comes up in Google searches. Use the options Google offers to put your website back in the search results.

  1. Google Diagnostic Center (replace www.example.com in the url with your own domain). You can use this tool to see if your website is on the Google blacklist.
  2. Google Webmasters indicates if and when Google indexed a problem with your WordPress website.
  3. Submit a request via Google Reconsideration Tool to have Google reindex your WordPress website.

Update

Behind the scenes at WordPress there is a large community of developers constantly working on improving the code. The advantage of this is that any known leaks in WordPress, plugins and themes are often resolved quickly when a new version is released. That’s why you should always make sure your website is up-to-date. This way you greatly decrease the chance you will be hacked again and you can perform new updates very quickly because it’s usually just a small modification.
