5+ Steps to Recover My WordPress Blog from a Hack

Getting hacked is something I do not want to go through again. There are so many reasons why website downtime is bad for your blog/business: while a loss of traffic and potential income are the two most obvious, I cannot understate the amount of time I lost in getting the site restored and the amount of stress it caused me.

In this post I want to reveal what happened to my site and let you know what I have done to increase the security of my site since.

Step 1: How was my WordPress site hacked?

If you’re a casual web developer this task may seem beyond you at first. But taking a moment to assess the situation could save you a lot of time in the long run. To start, take notes on what’s affected.

  • Are strange advertisers injecting links into your pages?
  • Is the hack consistent on every page or does it appear randomly throughout the site?
  • When was the last time your site looked the way it should?
  • Can you login to your WordPress admin dashboard?
  • Is Google showing a security warning when you try to view the website?
  • Do you have any pending WordPress updates that you haven’t installed?
  • What plugins are active and do any of them have any available updates?
  • When you view the source of your pages, are there any javascript calls present that you didn’t add?

Now that you know where the problem is occurring, you have the information you need to start resolving the issue.

Step 2: Contact your hosting provider

Armed with the information from Step 1 you can now contact your hosting provider to get some help. Reliable hosts (we use Digital Ocean) will be happy to look into the issues for you and help you determine how a hacker compromised your site. If you’re on a shared hosting server it’s possible an attacker accessed your site via another website. Notifying them as soon as possible can help them address the issue in a timely fashion.

In those situations their technical support people might not be much help. If you find that’s the case with your host, now is the perfect time to switch to a more reputable provider. You’ll already be jumping through a bunch of hoops anyways, so adding a hosting change to the mix won’t add too much more to your plate. It will also give you some confidence that all the fixes you’re about to put in place won’t need repeated in the future.

Step 3: Make a Backup of What You Have Left

While it seems counterintuitive to make a backup of a hacked site, it’s important to keep in mind that it contains a lot more than just the (corrupted) system files.

As mentioned, some hosting providers will automatically delete websites from their servers that have been compromised. Since images and other media are hard to replace once they are gone, it’s a good idea to keep a copy around in case you need to rebuild the site later.

For that reason, as a first step, try to salvage what you can. There are plenty of backup solutions for WordPress out there and you can also backup WordPress manually. Do this but be sure to mark it clearly as a hacked backup.

Step 4: Restore from backup (skip this if you don’t have one)

If you backup your WordPress site on a regular basis, you’re already ahead of the curve! All you have to do is restore from a previous clean version of your website and you’re ready to rock.

Sure it might mean you have to re-do a few things on your site that have changed since the last backup—but that’s far easier than rebuilding everything. Even if you’re able to restore from a clean backup it’s a good idea to at least proceed through Step 7 of this article. This will make sure you’ve locked things down as much as possible going forward.

Chances are though if you’ve found this article, you don’t have a backup and you’re trying to avoid starting over from scratch. If that’s the case, keep reading.

Installed VaultPress

For those of you who don’t know, VaultPress is a totally automated backup and security solution for WordPress. It it owned by Automattic, the de facto “owners” of WordPress.

Having been using VaultPress for a few days now, I can’t believe I was so cheap to have not stumped up for the service beforehand. Their base package starts at $15 per month — I’ll pay that for peace of mind any day of the week.

In fact, I chose to go with their Premium package ($40 per month) which includes:

  • Realtime Backup
  • Automated One Click Site Restore
  • Archives, Stats and Activity Log
  • Priority Disaster Recovery
  • Priority “Concierge” Support
  • Daily Security Scanning
  • Security Notifications
  • One-Click Fixers for Security Threats
  • Site Migration Assistance

Basically, they’ve got you covered.

While VaultPress cannot guarantee your site’s security against hackers, it pretty much can guarantee that your site can be restored with relative ease. There’s just something very calming about seeing hourly snapshots of your sites stored on VaultPress’ servers:

VaultPress Backups

While there are plenty of free backup solutions out there, I don’t think anything beats the relative peace of mind I get from VaultPress. They’ve got 90 snapshots of my site available to restore right now, of which the most recent is just twenty minutes old. I know my site is safe in their hands.

Step 5: Scan Your Local Machine

In many cases, the hack can actually start on your computer. If a hacker has compromised your system, it’s entirely possible for them to extend their reach to the websites you frequently log into (e.g. via a keylogger).

For that reason, install and run a full virus/malware scan on your local machine and make sure your OS is up to date. This way, you can make sure the problem didn’t come from your computer and reduce the risk of being reinfected after cleaning up the mess.

Step 6: Hire a Professional

Website security is a serious matter. If you are not comfortable dealing with code, servers and other technical stuff you might be better of hiring someone else to do it.

Hackers are also a sly bunch and sometimes hide things in several places to be able to reestablish the hack after your clean up. For that reason, paying a professional to take care of your site can be the best option and will often save you time.

Of course, for people who like to do things themselves, we also have plenty of material below. Just keep in mind that having someone else deal with the mess can also be an option.

Step 7: Reset your passwords

Regardless if your hosting provider is worth a damn or not, you have to assume that none of your passwords are safe anymore. If you start making edits to your site before updating your passwords, you could be re-hacked before you’re finished.

First start by resetting your hosting control panel password. After that, reset your MySQL root password (if you have one), followed by all your database user passwords.

You’ll also want to reset any FTP passwords you havein case those were compromised as well. Some people go as far as changing their database names entirely to be extra secure, but updating the passwords should cover you.

With all these changes, be sure to use a strong password. And for heaven’s sake, do not use the same password for any of them. There are plenty of random password generators you can find online that you can take advantage of.

Strong passwords are hard to remember so find a secure place to store them for your records. I use 1Password, which not only securely stores all my login creds, but also has a random password generator built in.

Step 8: Edit your wp-config.php file

Since you’ve changed passwords, you need to tell WordPress how to access the database again. You do this by updating your wp-config.php file with the new information you created in Step 7.

  1. // ** MySQL settings – You can get this info from your web host ** //
  2. /** The name of the database for WordPress */
  3. define(‘DB_NAME’, ‘YOUR_DATABASE_NAME’);
  4. /** MySQL database username */
  5. define(‘DB_USER’, ‘YOUR_DATABASE_USERNAME’);
  6. /** MySQL database password */
  7. define(‘DB_PASSWORD’, ‘YOUR_DATABASE_PASSWORD’);
  8. You can actually go one step further in securing your site by generating a new set of WordPress Security keys. These keys help WordPress make your password and information stored in cookies more secure.
  9. define(‘AUTH_KEY’, ‘PASSPHRASE’);
  10. define(‘SECURE_AUTH_KEY’, ‘PASSPHRASE’);
  11. define(‘LOGGED_IN_KEY’, ‘PASSPHRASE’);
  12. define(‘NONCE_KEY’, ‘PASSPHRASE’);
  13. define(‘AUTH_SALT’, ‘PASSPHRASE’);
  14. define(‘SECURE_AUTH_SALT’, ‘PASSPHRASE’);
  15. define(‘LOGGED_IN_SALT’, ‘PASSPHRASE’);
  16. define(‘NONCE_SALT’, ‘PASSPHRASE’);

WordPress offers a security key generator via their API that will generate a new set of keys each time you visit that URL. Simply click on that link and copy and paste each key into your wp-config.php file and you’ll be good to go.

Step 9: Clean up users and permissions

Now that you can access WordPress again, it’s time to do some more resetting and clean up. In your WordPress Dashboard click on Users in the left sidebar to view all your WordPress users. A lot of times once hackers have gained access, they’ll create a new administrator user to gain control over your WordPress site. Be sure to look for any user that seems out of place and if you find one, immediately delete them.

WordPress Site Hacked - User Permissions

WordPress User Permissions

This is also a great time to validate everyone’s user permissions to make sure no one has access to anything they shouldn’t. You can do this by editing an individual user and making sure they’re set to the appropriate role.

Once you’ve done that, go through each user and reset their password. This might be annoying if you have a lot of users, but better to be safe than sorry.

Step 10: Fixing your site

Now that you’ve updated the passwords for everything, it’s time to roll up your sleeves and address the hack itself. There are a million things a hacker could’ve touched. It’s impossible to address them all, but we’ll cover the more major ones.

DELETE OLD OR UNUSED THEMES

Many people have multiple themes installed for WordPress, but they’re only using one of them. Hackers can use these outdated themes to gain access to your site, so it’s a good idea to delete anything that you’re not actively using. You might also want to look in to storing your WordPress theme in Github for easy access in case of a hack and loss of data.

PLUGINS

Plugins are one of the great things about WordPress. But they’re also one of the easiest ways for hackers to gain access to your site. If you’re like me, you might have some plugins you were testing out and then forgot about. Take the time to go through and delete anything that isn’t critical to your site.

Next, take a look at your plugins and make sure they’re all up to date. If you find you’re using a plugin that hasn’t been updated in a long time, it might be time to delete it. Use this time to find another plugin that has regular maintenance and accomplishes the same thing.

JAVASCRIPT TAGS ADDED TO YOUR PAGES

If you noticed that there were javascript calls in your theme that you didn’t put there (see Step 1), now is the time to get rid of them. Start by checking your header.php and footer.php files. Work through your remaining template files to remove any reference to the rogue javascript.

FINDING AND REPLACING CONTENT IN YOUR BACKUP .SQL FILE

Sometimes a hacker adds the same content throughout your website. Whether it’s a specific text link or javascript reference, do a Find and Replace in your .sql file to remove all the junk data. Once you’ve removed all the junk data you can save your .sql file and re-import it into your database.

Sometimes there isn’t a string of common text that you can easily find and replace. Unfortunately in those cases you might have to manually edit each page within WordPress. Find the offending text, delete it, and then update the page or post. This is the worst case scenario, but as time consuming as it is, sometimes it’s the only way to be sure you’ve removed everything.

.HTACCESS PROBLEMS

If you find that your site is being redirected, chances are your .htaccess file has been compromised. To resolve this, delete the file and it should regenerate itself.

If it doesn’t, log into WordPress then go to Tools > Settings > Permalinks and save changes. This will regenerate the file and everything will return to normal.

Site Recovery With No Access to the WordPress Dashboard

Things change a little if you discover you have been hacked but can no longer get into the WordPress backend.

1. Reset the Administrator Password via phpMyAdmin

phpmyadmin-database-management-for-WordPress

If you can’t log into your site, it might be because the hacker has changed the password of your admin account. The good news is that you can get around this by resetting the password inside your database via an admin tool like phpMyAdmin.

Another possibility is to replace your email address instead and then go back to the login screen to get a new password via the recovery function. Of course, this option only exists if you can still access the login screen. Should your site be gone altogether, you will have to go a different route.

2. Find Affected Files

Even if you can’t access your backend at all anymore, the recovery process is still similar to what we described above. You first need find the corrupted files and then delete them or replace them with a clean version.

To find the corrupted files on your server, the best option is to use an external scanner. Here are some options:

Since each of these scanners has their own strengths, it’s best to run several or all of the them to make sure you don’t miss anything.

Apart from that, your web host can often help you find hacked files on the server. Other sources of information are Google Search Console your server logs. Jenni McKinnon has written an excellent article on the latter over at WPMU Dev.

3. Replace Corrupted Files

Once you have located them, it’s time to replace the hacked files with non-corrupted version or simply delete them. However, instead of simply re-installing WordPress, themes and plugins (or doing a full restore), you will have to do it manually this time around.

For that, will need to have FTP access or an administration backend like cPanel that lets you access file system on your server. From here, go through the entire list of corrupted files and make sure you take care of each and every one of them.

4. Re-Run Security Checks

Once you are done with that, run the security scans again. That way, you can be sure you have not forgotten anything.

If you haven’t done so yet, it’s probably also a good idea to contact your hosting provider and let them know about the breach. That way, they can take care of anything that went wrong on their end and also check whether they can find anything else on your site.

In addition to that, might have to talk to them anyway to get your site back online or removed from blacklisting.

5. Finish Up

Once you have cleaned up the hack, you will have to take the same steps mentioned earlier to increase your website security and recover anything that has been lost in the process:

  • Check user permissions
  • Change passwords
  • Replace secret keys inside wp-config.php
  • Rebuild website

However, that’s basically it. With the above steps you should be able to get your hacked WordPress site up and running again. Hopefully, this will never happen again.

Getting Hacked Sucks But It’s not the End of the World

Having your WordPress website hacked is not a pleasant experience and nothing any of us hope for. However, it does happen, even to the best of us.

If the worst has come to pass, we hope this guide can help you figure things out and get back to normal. Should the above information not be enough to take back control of your site, don’t hesitate to hire a professional. If your website is part of your livelihood (as it is for many of us), that’s a sensible investment.

Be the first to comment

Leave a Reply

Your email address will not be published.


*