
Website hack repair | WordPress website hacked, how to fix

WordPress website hacked – how to fix it (conceptual image)

Hacking is often done in a way designed NOT to draw attention to the breach. It’s often drawn to your attention by Google throwing up warnings to visitors, or by your hosting company blocking access to your website and giving you an ultimatum to clean up the problem within 24 hours, or else…

The first rule of website hack repair is “don’t panic” because that won’t help! Usually, the hacking efforts I’ve seen relate to exploits of inherent security weaknesses in:

  • JavaScript within plugins
  • File or directory permissions, allowing concealment of phishing (most often bank fraud) code in a sub-directory
  • Cracking cPanel or WordPress Admin accounts

The first indication may be:

  • An email from Fraudwatch requesting you delete the offending content
  • A warning from your hosting service that the site is compromised and in danger of being shut down
  • A tip from a friend or client that Google is displaying malware or virus warnings about your website

It is rarer to have an overt, immediately obvious hacking occur. It’s mostly an out-of-sight, deeply planted problem that the hacker hopes won’t be discovered for weeks or months. The goal is to gain access without detection. Dealing with a hacked WordPress site is usually a straightforward process for an experienced WordPress consultant, as per the next section.

WordPress hacked website repair…

In the unfortunate event that your website is hacked and you need fast help, contact me for prompt assistance. An expert can fix a hacked WordPress website quickly, ensuring a full recovery after hacking attacks, regardless of whether the problem is a:

  • Blackhole Exploit
  • Account takeover
  • Administrator password compromise
  • Phishing attack
  • Link injection
  • Malware infection
  • Virus infection
  • Permissions exploit

This usually consumes a couple of hours of effort because I will go through and:

  1. Check if http://sitecheck.sucuri.net/scanner/ identifies any phishing/virus/malware files
  2. Secure the Hosting & FTP accounts by changing passwords
  3. Secure WordPress by changing Admin ID and passwords
  4. Secure WordPress database by changing DB User ID and Password
  5. Replace all core WordPress files
  6. Remove/quarantine any suspicious files & directories
  7. Install Wordfence; run a scan on all files, configure lockdown settings
  8. Apply User ID and password restrictions including 2-factor authentication
  9. Apply a range of preventive measures to minimise further issues

The goal is to first disinfect the site and then prevent future intrusions.

In the event that you need a better hosting provider, I provide website hosting relocation services. I don’t recommend managed WordPress hosting. In my opinion, premium hosting providers with secure WHM cPanel services are better for both security and performance.

WordPress Hacking Cleanup

Usually, the fastest way to deal with a known breach of WordPress is to restore the site to its status before the hacking occurred and then harden it – that’s if you do actually have backups… If not…

  • Run the Sucuri Scanner (https://sitecheck.sucuri.net/) to try and identify what, if any, malware has been uploaded and where it’s hiding…
  • Install and configure Wordfence to scan for core files, plugins, themes, images and files outside WordPress and run the scan
  • Use the Fix all fixable items and the Delete all deletable items to clean the site
  • Use the 1-click update in WordPress Dashboard / Updates to overwrite all core files that may have been compromised
  • Where a plugin is implicated, delete the plugin directory, and then upload a new copy
  • Where a Theme is implicated, copy your old files across to replace the compromised files
  • Install Malcare for a 2nd opinion from outside the site

Follow that up by viewing the site files in your Control Panel file manager or an FTP application such as Smart FTP, and look for:

  • Files and directories that were altered or uploaded and don’t belong.
  • Inappropriate file permissions – e.g. directories should usually NEVER be set to 777 permissions, as this gives access to anyone to do anything… The correct directory permission for most hosting accounts is 755.
  • Unexpected items in /uploads/ or /backups/ directories.
  • File Modified dates that don’t match up with any edits, uploads or changes you’ve made
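
The manual checks listed above can also be run as a read-only pass over the document root from a shell. This is an added example, not part of the original article; the function names, the list of script extensions and the 30-day default window are assumptions.

```shell
#!/bin/sh
# Added example: read-only audit of a WordPress document root (POSIX sh + find).
# Function names, the extension list and the 30-day default are assumptions.

# Files and directories writable by every local account (o+w, e.g. 777 or 666).
world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print | sort
}

# Directories whose mode is anything other than the 755 the article recommends.
dirs_not_755() {
    find "$1" -type d ! -perm 755 -print | sort
}

# Server-side scripts under any uploads/ or backups/ directory; these hold
# media and archives, so executable code there is treated as unexpected.
scripts_in_data_dirs() {
    find "$1" -type f \( -path '*/uploads/*' -o -path '*/backups/*' \) \
        \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \
           -o -iname '*.phar' \) -print | sort
}

# Files modified in the last N days, for comparison with your own edits.
# An intruder can reset mtime, so an empty list does not prove a clean tree.
modified_within_days() {
    find "$1" -type f -mtime "-$2" -print | sort
}

audit() {
    root=${1:?usage: audit <docroot> [days]}
    days=${2:-30}
    echo "== World-writable files and directories =="
    world_writable "$root"
    echo "== Directories not set to 755 =="
    dirs_not_755 "$root"
    echo "== Scripts inside uploads/ or backups/ =="
    scripts_in_data_dirs "$root"
    echo "== Files modified in the last $days days =="
    modified_within_days "$root" "$days"
}

# Run the report only when a document root is given on the command line.
if [ "$#" -gt 0 ]; then
    audit "$@"
fi
```

Saved under a name of your choosing and run with the document root as the first argument and an optional day count as the second, it lists candidates for review and changes nothing on disk.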

Reconfigure WordPress Security to:

  1. Scan files outside your WordPress installation
  2. Scan images, binary, and other files as if they were executable
  3. Enable HIGH SENSITIVITY scanning (may give false positives)

Use more than one online scanning service to examine your website. These all have strengths in different areas, and one may identify issues that another might not spot. Try VirusTotal – scan the Home page URL and get a quick report from multiple sources.

The overriding goal is:

  • Deleting the compromised files and replacing them with the correct versions
  • Ensuring secure permissions across directories and files

That must be followed immediately by:

  1. Changing the WordPress admin password
  2. Changing the cPanel / Plesk / Hsphere administrator password
  3. Changing the FTP access password
  4. Deleting any “extra” FTP or User accounts that may have been added to provide easy future access for the hackers

Core File Compromises

If /wp-config.php has been altered in any way, it is wise to reset the WordPress database user password and add the new password to the /wp-config.php file. This can be done through the Admin Control Panel access to MySQL Database management. In the case of cPanel, it’s very easy to change the MySQL password.

WordPress Security Implementation

Securing your WordPress business site is a mission-critical risk management strategy. I am able to:

  • Install the most appropriate WordPress website security application/s
  • Configure the site to give you the best possible protection from hacking attempts
  • Enforce strong passwords
  • Block illicit brute force login attempts
  • Block access from troublesome geographic regions (China, Russia etc)
  • Secure the Admin access
  • Daily scans for malicious code
  • Etc…

Attacks are primarily initiated in Russia, Poland, Germany and India. Generally speaking, it’s easy to minimise the potential threat with an hour of proactive effort! Bear in mind, though, that attackers often use a VPN to fake their location…

As always – an ounce of prevention is better than a pound of cure!

How to Secure WP

Several basic items need to be addressed as part of securing your WordPress installation.

#1 – A Secure WordPress User ID

The default User ID is “admin” and you should NEVER use that on your site. If you do, it immediately means 50% of the “site access” details are known – Mr Hacker only needs the password now.

A secure User ID contains a minimum of 10 characters, with a mix of upper and lower case, numeric and special characters, e.g. #The_Boss#

In addition, you should then assign a User “nickname” that gives no clue as to the real Admin User ID (should you use the account to publish any pages or posts).

For example, if the Admin ID was “#The_Boss#” then using “Admin” as the nickname may prove to be an effective element of confusion… In addition to that, Wordfence allows you to immediately block anyone trying to log in with any specified user names…

#2 – Securing your passwords

Most people foolishly use a password related to their life in some guessable way. Phone numbers, wife’s name, child’s name, dog’s name etc… A little bit of research, a bit of trial and error on the part of a smart hacker or competitor and your site is wide-open!

A secure password contains a minimum of 10-12 characters, with a mix of upper and lower case, numeric and special characters, e.g. #4X~bEwr$5$F

There are several websites specialising in secure password generation…

  • www.pctools.com/guides/password/
  • www.strongpasswordgenerator.com/
  • www.onlinepasswordgenerator.com/password.php

Always USE one of them if you are short of inspiration!

WordPress Security Plugins

A properly implemented WordPress security plugin will divert the majority of hackers’ efforts – specifically the bot-based ones! In the less likely event that a human-authored attack is made, it is easy to have basic but robust barriers in place that increase the probability of the hacker giving up and going in search of a softer target. Time is money…

Wordfence or Block Bad Queries with Limit Login Attempts are my preferred security plugins because they are robust and reliable, easy to configure and cover the most important areas of vulnerability. I may also add plugins to:

  • Block XML-RPC
  • Block REST API

These contribute negatively to your website’s online profile and consequently have a negative impact on rankings. Eliminate this easily:

  • Don’t allow user registration unless it’s necessary!
  • Don’t allow comments OR trackbacks on pages!
  • Close comments on posts after 2 – 4 weeks!
  • Don’t allow trackbacks on posts!

Installing and configuring WP Zero Spam is not at all difficult and it effectively screens out the worst of the comment spam garbage!

Maintaining WordPress core files, plugins and themes

It is crucial that you install WordPress and plugin upgrades in a timely fashion. Whenever a security breach or exploit occurs, fixes are quickly put in place. However, word of the exploited vulnerability quickly circulates amongst the hacking community, and fresh targets are sought.

Use the “Auto-enable updates” setting in WordPress / Plugins to ensure timely updates are done automatically and the latest version is installed!

Wordfence security scans also ensure you are notified immediately when WordPress or plugin upgrades are released AND if plugins are obsolete and/or abandoned, or removed from the WP repository.

WP Technical Support services are at your disposal; all you have to do is ask!

Last Updated 6 months ago by Ben Kemp