What to do when your WordPress site gets hacked

What I am going to write here is what I did when one of the sites I work with got hacked.

What you learn very fast when dealing with hacked websites is that there is no easy one-solution-fits-all way of sorting things.

But there are many things that you can do yourself to try and beat the hackers.

My aim is that this is easy to understand and follow.  Sadly there are no guarantees to sorting things, but there are lots of things to try.

When a site is hacked the first thing to do is not panic.  But you do need to act fast.

You will usually realise the site is hacked in one of these ways:

  • Google will inform you via Google Webmasters
  • You will search for your blog and when you click on a link it will redirect you
  • Your stats will be low
  • A reader will tell you
  • Your host will inform you

Prepare for the worst

So what do you do first? Prepare for the worst case of having to rebuild the site. The hope is that this is the last resort, but if you prepare for it you have that backup just in case.

Access your site and export the contents.

By contents I mean the blog posts, media, comments and pages, as these are least likely to have bad files in them.

  1. Sign in to your WordPress site and go to Dashboard – Tools – Export – All content

Make a note of your plugins

  1. Screen grab the list or
  2. Write down a list

CSS Changes

  1. If you use a child theme, copy the contents of the stylesheet (style.css): go to Appearance – Editor, select Stylesheet on the right-hand side, then copy the contents and save them into a text file.
  2. If you use the Edit CSS function in Jetpack or in your theme, make a copy of it as above and save it.

Screen grab your site

  1. Go through the main pages and do screen grabs of your site

Widgets

  1. Copy and paste the contents of any widgets that contain code into individual text files, making sure you name them.

Start cleaning your site

Do some basic housework

  1. Do all theme / plugin / WordPress updates – I won’t lecture you that these should be done all the time anyway, but well *glares*
  2. Delete unused themes. So if you have 20 themes installed, delete all the ones you aren’t using and leave a basic WordPress theme, e.g. Twenty Fourteen, in case your current theme breaks.
  3. Delete unused plugins. If you aren’t using them, deactivate them and then delete them all.
  4. Check your Users – delete any that aren’t needed and update your passwords for those that are. (Later I will explain about possibly adding a new user.)

Add 2 plugins to monitor & clean the site

  1. Add the GOTMLS plugin to your site. Click here for the direct plugin link. Once you have it on the site go back to the website and sign up for updates. Then update the definitions on your WordPress site and run a full scan. Wait for the result and take action. FAQ here
  2. Add Wordfence – there are some overlaps, but I found the Wordfence scan only got some of the malicious files and things that had done the redirects. It didn’t detect the backdoor files and the site was initially re-hacked again. But Wordfence has other great uses.

Try and work out how the site was attacked

Clearing the site of the hacks that are causing the redirects is only one part of the process. Finding out how it happened and securing the site from it happening again are the next steps.

Local Machines

So your desktop, laptop, tablets, mobile devices – scan them all for malware. We are all great at having anti-spyware sitting in the bottom right-hand corner. But so many machines are infected with malware and people don’t realise. I have used Malwarebytes on a few Windows machines now and it has been great. I have only used the free version but the premium isn’t expensive, and if I owned a Windows machine I would buy it.

Check who is trying to log into your site

In Wordfence you can go to Live Traffic – Logins and Logouts. Here you will see which usernames people are trying to log in and out as. If you have a look at the IP addresses and the login attempts, it may well tell you what is being hammered.

I could see that the attempts were coming through one of the users and from a certain IP. I decided to add a new user, then attribute everything from the user I wanted to remove to the new user. Then I deleted the user. This can be seen as drastic but I had tried updating passwords already. And it meant I could then block all attempts to log in with the old username.
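The same check can be run against the raw web server access log when Live Traffic is not available. This is an added example, not part of the original post: it assumes an Apache/nginx combined-format log and relies on stock WordPress answering a successful login with a 302 redirect. The function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed sample in Apache/nginx "combined" log format (documentation IPs).
SAMPLE_LOG = '''\
203.0.113.7 - - [12/Mar/2015:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:03:14:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2015:04:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "curl/7.38"
198.51.100.23 - - [12/Mar/2015:04:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "curl/7.38"
198.51.100.23 - - [12/Mar/2015:04:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "curl/7.38"
198.51.100.23 - - [12/Mar/2015:04:00:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "curl/7.38"
192.0.2.10 - - [12/Mar/2015:09:30:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2015:09:30:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def summarise_logins(log_text):
    """Count login POSTs per client IP, split into failed and succeeded."""
    stats = defaultdict(lambda: {"failed": 0, "succeeded": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or malformed line
        ip, method, target, status = m.groups()
        path = target.split("?", 1)[0]  # ignore any query string
        if method != "POST" or not path.endswith("/wp-login.php"):
            continue  # only submitted login forms count as attempts
        # Heuristic: stock WordPress redirects (302) after a good login and
        # re-renders the form (200) after a bad one; plugins can change this.
        stats[ip]["succeeded" if status == "302" else "failed"] += 1
    return dict(stats)

def hammering_ips(stats, threshold=3):
    """IPs with at least `threshold` failed logins, worst first."""
    hits = [ip for ip, s in stats.items() if s["failed"] >= threshold]
    return sorted(hits, key=lambda ip: (-stats[ip]["failed"], ip))

def guessed_then_logged_in(stats, threshold=3):
    """IPs that failed repeatedly and also got in: review those accounts first."""
    return sorted(ip for ip, s in stats.items()
                  if s["failed"] >= threshold and s["succeeded"] > 0)

if __name__ == "__main__":
    stats = summarise_logins(SAMPLE_LOG)
    print("hammering:", hammering_ips(stats))
    print("review accounts used from:", guessed_then_logged_in(stats))
```

An IP that shows up in the second list failed several times and then logged in, so the account it used is the first one to change the password on or replace.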

Making the site more secure

First of all the login – I now recommend the Duo plugin for two-step authentication.

Change your passwords for your login to your hosting account. And then your password for your cPanel / hosting platform.

Log into your cPanel / hosting account and remove any FTP accounts (you can add ones back later but right now you need to just make the site as secure as possible).

If it is possible to do these from a different machine than the one you think may have been the source of the infection (the one that was hacked or had malware), then that is the best way.

Monitor

Wordfence will email you when it finds problems – also when plugin updates are needed. It will also carry out a daily scan (free edition), but that didn’t pick up all the issues we had, only some of them, leading to getting re-hacked.

Go scan with GOTMLS, and remember to do the definition updates too. For a donation you can get automatic updates to your site.

Check what is happening on the Wordfence live logins, have a look at IP addresses.

What if you can’t remove the hack?

If you do everything you can and you are still getting hacked, then you need to decide if you are going to move to plan B.

Because you will never know if a backup is clean, you need to rebuild your site.

Start with a clean WordPress install in a new database. Then you can add your content, themes and plugins, and then style it. Then make sure you secure it as above.

If you can stop the hackers getting in then you won’t have to deal with it again.

Thoughts…

I have built and worked on 200+ WordPress sites in the last couple of years, and I know of only 2 that have been hacked. And both were resolved.

It isn’t common, but it does happen.

If you can put in place the basics, keep your site updated, have good passwords and keep your local machines clean then you are in a great starting place.

 

 
