Nuke It From Orbit

Recovering from a Bad WordPress Hack

First, if you’ve been hacked, you need to be curious. You need to ask a lot of questions about why you might have been hacked. Many hacks occur due to poor server configurations, outdated software, weak passwords, trojans or other malware on your personal computer, logging into public wifi networks, etc. You want to get to the bottom of what practice you were engaged in that got your site hacked and try to control for this in the future.

Please read my post on Enabling Two Factor Authentication which contains instructions on how to secure your user login as well as general security advice.

If your website has been hacked, you have a few choices:

  • Contact Sucuri.net. Sucuri will remove any malicious code, clean your database, run diagnostics and monitor the site for a year as well as protect it with their Firewall. The cost is about $200 for one year.
  • Hire a WordPress developer. They may not have access to the same tools as Sucuri, but they can replace all your files and check your content for hidden backdoors. The benefit of having your WordPress developer fix your site is that they can also upgrade or replace your old themes and plugins and make sure your styles come across in the process. It’s part of building a relationship with someone who becomes familiar with your site and can help you with future needs.
  • Do It Yourself. You can definitely follow these steps yourself if you are comfortable working with FTP and the files on your server. You may miss some things the first go around, but you can monitor the site yourself and become more familiar with WordPress in the process.
The instructions below assume that your site was severely hacked, and that you need to “nuke it from orbit” — in other words, replace the database.
If you think the hack only affected files and not your database, then you can simply:
  • Replace all the WordPress core files with a fresh download of WordPress.
  • Reinstall your themes and plugins from fresh copies.
  • Examine your wp-content folder carefully to be sure no hacked files are in your uploads folder or folders outside of the theme and plugins folder.
  • Reset all your passwords.
  • Install a Firewall plugin (see below) and monitor site activity.
  • Delete all old plugins, themes, and WordPress installs – your site can be hacked by any and all files on your server even if you are not “using” them.
I suggest the approach below if your database was compromised in some way (such as code being injected into the database or hackers getting administrative access to your site).

1 – Reset all passwords

Assume that the login credentials to your WordPress site, web hosting account, domain registrar, and FTP or Shell access and email have been compromised. Reset passwords on all of these accounts as soon as possible. You will want to reset some of these again after you have cleaned the hack.

2 – Scan your personal computer for viruses, trojans, malware, and bad browser extensions

Many hacks are the result of something on your computer tracking your passwords or injecting code onto your site through a browser extension (such as Text Enhance – https://blog.sucuri.net/2014/10/threat-introduced-via-browser-extensions.html).

3 – Scan your site using a variety of WordPress plugins

Not all scans find the same thing. Here are a few scanners you can try and what they work best for:

  • Sucuri Sitecheck https://sitecheck.sucuri.net/ checks the website for known malware, blacklisting status, website errors, and out-of-date software. It is limited in what it will find as it can only scan the front-facing pages of your site and not the actual site files.
  • Sucuri plugin https://wordpress.org/plugins/sucuri-scanner/ is reasonably good at finding files that do not belong in core. It can also be used to generate new security keys for your wp-config.php file which will kick out anyone currently logged into the site and force them to re-login. Sucuri plugin can also be used to reinstall all your plugin files with one click, which is super helpful.
  • Wordfence plugin https://wordpress.org/plugins/wordfence/ compares core WordPress files, plugins, and themes from WordPress.org against the originals in the repository. However, it does not usually find hacked files outside of the specific directories it is scanning.
  • Exploit Scanner plugin https://wordpress.org/plugins/exploit-scanner/ finds many false positives because many valid plugins and themes use PHP code that resembles a hack (such as eval and base64). However, it can find things the other plugins don’t.
What will NOT be found using a scanning tool typically are:
  • Hidden PHP backdoors. These can be buried deeply within the site’s architecture.
  • Hidden administrative users.
  • htaccess redirects.

4 – Check for hidden administrators and unknown users

Snipe has great instructions for thoroughly cleaning a hacked site as well as finding hidden administrative users: http://snipe.net/2010/01/when-wordpress-gets-hacked/

Delete any users in the WordPress Dashboard (Users > All Users) you don’t recognize.

5 – Check posts and comments for blacklisted URLs

Check your posts and pages to be sure they are all content you wrote. Delete any content added by hackers. Also, be sure you haven’t approved any comments that contain links to malware sites.

6 – Back up the site

If you still have access to the WordPress Dashboard, you can use a plugin such as Duplicator, BackupBuddy, or BackWPup to quickly back up the whole site, including the database, and download it to your local computer. If you don’t have access to your WordPress Dashboard (due to the hack or because your web host suspended your account), you should still be able to log in to your web hosting control panel and create a “snapshot” or backup of the site to download. Alternatively, you can use FTP or the web host’s File Manager to download all the files on your site.

Why are we backing up hacked files? Well, they might come in handy later when you need to assess the damage and hunt for any other information online that might give you clues as to why you were hacked.

The most important things to back up are:

  • The database https://codex.wordpress.org/Backing_Up_Your_Database – this contains ALL of your content, settings, users, comments, form entries, etc. This is the most important part of your site.
  • wp-content folder – this folder contains all of your uploaded content, including themes, plugins, images, and documents. This does not contain any settings for these items. Deleting a plugin does not usually delete its settings.
  • wp-config.php file – this file contains the login credentials for your database and security keys that encrypt your login credentials in your browser’s cookies, so it’s very important to back up if you need to access your database.
  • .htaccess file – this file can be replaced but may contain important redirects or PHP configuration options that you don’t want to lose. It’s invisible, so you must be able to view invisible files with an FTP application or the web host’s File Manager to see this file.
  • Non-WordPress files – you may have files that are related to other content you store on your site, such as backups of email newsletters, favicon, images, etc.

7 – Export content, settings, and widget content

If you can still access your WordPress Dashboard, do the following:

  • Go to Tools > Export and export ALL of your content to an XML file. Store this XML file in a safe place.
  • If you are using a premium theme, export your theme options to a file.
  • If you use a contact form plugin, go to its settings and copy the form configuration to a text file or export the settings (which you can do with Gravity Forms).
  • Go to Appearance > Widgets and copy any content in your text widgets to a plain text file. Take note of your sidebar configurations.
  • Take screenshots of any pages that you need to remember how to format.
  • Export any form entries you want to keep.

8 – Nuke it from orbit

Here’s where you are going to have to be VERY brave. Note: you should have downloaded a full backup of your site.

Okay, ready, set, breathe – DELETE everything in your public_html folder except the cgi-bin folder (check for hacked files) and the .htaccess file (check for redirects you didn’t enter). It will take a while for this to complete if you use FTP. It will go faster using the File Manager in the web hosting control panel.

Once the directory is empty, you can have a small victory dance.

9 – Reinstall WordPress

Use the auto installer on your hosting control panel to reinstall WordPress.

10 – Reinstall themes and plugins

Log in to your brand-spanking new WordPress install and reinstall plugins from fresh downloads or the WordPress.org repository. DO NOT REUPLOAD plugins you downloaded in step 6.

If you had a highly customized theme, you may need to upload your old theme. You need to carefully examine the files for hacked code before doing so. Leave no stone, folder, or file unturned. This is an opportunity to upgrade your theme, which I highly recommend you do if you are using an old version that could be vulnerable.

BEWARE: I have upgraded sites for people and installed an updated version of their premium theme only to discover that the theme developer was distributing an outdated, hackable version of a premium plugin (in these cases it was Revolution Slider). Always purchase a premium plugin license even if it came bundled with your theme for free. Theme developers are not always savvy about keeping on top of updates and security risks for the plugins they bundle with their theme.

11 – Upload your uploads folder

In the backup you made in step 6, you will have a folder called uploads inside the wp-content folder. You can re-upload the year/month folders to the new uploads folder, but be sure to examine the contents of every folder before you do so.
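
One way to make that folder-by-folder examination systematic, as an added example that is not part of the original post: walk the backed-up uploads folder and flag anything that is not an ordinary media file, or that has a media extension but contains PHP. The extension allow-list, the function names, and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: extensions a typical media library holds; adjust for your site.
MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".pdf", ".mp3", ".mp4",
              ".doc", ".docx", ".zip"}

def triage_uploads(uploads_dir):
    """Return sorted (relative path, reason) pairs for files to inspect by hand."""
    flagged = []
    for folder, _dirs, files in os.walk(uploads_dir):
        for name in files:
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, uploads_dir)
            ext = os.path.splitext(name)[1].lower()
            if ext not in MEDIA_EXTS:
                # Covers .php, .htaccess, extensionless files, and so on.
                flagged.append((rel, "unexpected file type"))
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            if b"<?php" in data.lower():
                flagged.append((rel, "PHP code inside a media file"))
    return sorted(flagged)

def build_sample(root):
    """Create a constructed uploads tree: one clean image, two suspicious files."""
    month = os.path.join(root, "2015", "03")
    os.makedirs(month)
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0 constructed image bytes",
        "cache.php": b"<?php /* constructed placeholder */ ?>",
        "logo.png": b"\x89PNG constructed <?php /* placeholder */ ?>",
    }
    for name, data in samples.items():
        with open(os.path.join(month, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reason in triage_uploads(tmp):
            print(f"{rel}: {reason}")
```

Run it against the local copy of the backup, never against the live server, and only re-upload folders that come back with nothing flagged or whose flagged files you have opened and cleared.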

12 – Check the WordPress XML file for hacked code

In step 7, you downloaded an XML file of your post and page content. Open this in a text editor application and search for the following code:

  • script
  • display:
  • iframe
  • noscript

AW Snap has great information about finding hacked code in both your files and content: http://aw-snap.info/articles/spam-hack-wordpress.php. Items that you can search for in the database if you are not starting fresh are:

  • eval(base64_decode(
  • eval(gzinflate(base64_decode(
  • eval(gzuncompress(base64_decode(
  • eval(gzinflate(str_rot13(base64_decode(

Scripts and iframes and CSS display properties are all things you may have placed in the content of your site, but they are also frequently added by hackers.
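
The same search can be run per post instead of by hand in a text editor. The following is an added example, not code from the original post: it parses the export file and reports which posts contain any of the strings from the two lists above. The function name and the sample export are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Element that holds each post body in a WordPress export (WXR) file.
CONTENT_TAG = "{http://purl.org/rss/1.0/modules/content/}encoded"

# Search strings taken from the two lists in step 12.
MARKERS = [
    "script", "display:", "iframe", "noscript",
    "eval(base64_decode(",
    "eval(gzinflate(base64_decode(",
    "eval(gzuncompress(base64_decode(",
    "eval(gzinflate(str_rot13(base64_decode(",
]

def scan_export(xml_text):
    """Return {post title: [markers found]} for every item with a hit."""
    root = ET.fromstring(xml_text)
    findings = {}
    for item in root.iter("item"):
        title = item.findtext("title") or "(untitled)"
        body = (item.findtext(CONTENT_TAG) or "").lower()
        hits = [m for m in MARKERS if m in body]
        if hits:
            findings[title] = hits
    return findings

# Constructed sample export: one clean post, one with a hidden iframe.
SAMPLE = """<?xml version="1.0"?>
<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
<item><title>Hello world</title>
<content:encoded><![CDATA[<p>Welcome to my site.</p>]]></content:encoded></item>
<item><title>Spring news</title>
<content:encoded><![CDATA[<p>News</p><div style="display:none">
<iframe src="http://example.invalid/x"></iframe></div>]]></content:encoded></item>
</channel></rss>"""

if __name__ == "__main__":
    for title, hits in scan_export(SAMPLE).items():
        print(f"{title}: review for {', '.join(hits)}")
```

A hit is a prompt to open that post and read it, not proof of compromise, since these strings also appear in content you may have added yourself.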

13 – Import your content

Finally, you can use the clean XML file above and import your old post and page content. Also import your theme settings, forms, and re-configure your widgets and sidebars.

14 – Install a firewall and monitor activity

The Simple Security Firewall https://wordpress.org/plugins/wp-simple-firewall/ is the best all-around security plugin. It does three things which are essential for security:

  • Limit login attempts
  • Block bad URL requests (aka firewall)
  • Audit activity on the site
Be sure to enable all of these features. It also blocks spam comments, can be used for two-factor authentication, and can automatically update your plugins.

15 – Reset passwords again

To be on the safe side, reset your passwords again now that the site is clean.

16 – Consider a new web host

Depending on who your current web host is, you may want to move: 41% of WordPress hacks are the result of poor configuration practices at the web host.

Excellent WordPress hosts include:

  • WP Engine – $30/month – includes all the security features of Sucuri (firewall, scanning, etc), plus free backups, staging environment, and fierce monitoring of vulnerabilities
  • Get Flywheel – $15/month – scalable. Great alternative to WP Engine with intuitive control panel. Excellent support.
  • Siteground – Starting at $4/month. A step above your typical shared host, with dedicated, managed WordPress hosting.

Angela Bowman

Front-end WordPress developer since 2007 building highly custom websites for nonprofits and small businesses. Experienced in nonprofit administration, grant writing, and technical writing. Love high altitude hiking and backyard chickens.
