How to fix a hacked WordPress Website?

As a WordPress designer, I have witnessed people succeed in their businesses. Businesses that were made possible only because of WordPress, like a job portal or an online shop. These things would otherwise be too expensive and beyond the reach of most solopreneurs and small businesses. On the other hand, I have also witnessed the sad situations where these very businesses are destroyed along with the dreams of the business owners, leaving them devastated. This is especially difficult for websites that have no backup mechanism in place. Fixing a hacked website can cost a lot of money. A moderately priced cleanup costs $150. However, there is some hope. Not all hacking attacks are the same. Some can be fixed by yourself. It is worth the effort. I have performed the process in this blog multiple times, and the secured sites have stayed clean and safe. If the effort is successful, it can save you some money. So let’s dive right into the topic:

How to fix a hacked WordPress Website?

The process of fixing a hacked website involves multiple steps and scenarios. Let’s explore them.

1. Restore a backup or contact your host to restore one

If you have a backup system in place, and you have access to your site, immediately restore a backup that you know is clean. In case you do not have a backup system, contact your hosting support. Hosts usually have backup datacenters where they store backup data. It may take 24 to 48 hours to restore a backup. The host may insist on a cleanup before they restore a backup. In that case, confirm with the host that a backup is indeed available, then uninstall WordPress and delete all the files in the site’s folder, essentially leaving it blank. You’ve dodged a bullet. But this is far from over. You still have to strengthen the security, because the site is now in a hacker’s database and these attacks are automated, so the attack will definitely return. Keep reading.

2. Gain control of your Website

If you weren’t able to restore a backup in the above step, chances are you are unable to access the admin dashboard of your site. This is because a hacker will most certainly delete the admin account or change its password. In such cases, there are two things you can do:
Sometimes, the site’s database may have been changed. In such situations, find the database name in phpMyAdmin. The site URL is in the wp_options table, which helps you correctly identify the database that belongs to the site.
Once you know the database name, either create a new user or change the password of an existing user assigned to this database. Now edit the wp-config.php file and enter the database name, database username and password.
Now you should be able to log in to your admin dashboard.

3. Immediately remove suspicious user accounts

Once you log in to the admin dashboard, immediately delete any suspicious user accounts. The third user in the image below was created by a hacker attacking the site. Deleting this user account will prevent them from doing any further damage.

4. Immediately take the site offline

A good host has Intrusion Detection Systems that will detect any suspicious activity and either take the site offline or restrict access to it. Some hosts will restrict access by IP so that the site can be accessed only by allowed devices. Other visitors trying to reach the site will see a message that the site is offline. This is very important because if an infected or compromised site stays online for a long time, it will be blacklisted by Google and antivirus vendors like AVG and McAfee. However, if your host does not take the site offline, you should do it immediately. You can follow the WPBeginner article on How to Put Your WordPress Site in Maintenance Mode. Taking the site offline will also protect it from further attacks while you clean it and boost security.

5. Scan and fix Malware

A hacked site will be infected with malware. This malware may try to turn the site into a phishing farm or a backlink farm, or cause it to display unrelated ads that you did not integrate. I prefer to use the GOTMLS malware scanner to scan for and remove malware. You can read my post on it here: Best Malware cleanup tool for WordPress (and it’s free!). It is by far the best malware cleanup plugin that I have used, and I highly recommend using it.

6. Replace all the files

As I have mentioned before, once a site is infected, it will be a target for repeated attacks and infections. The process is automated and relentless. As part of cleanup and boosting security, it is advised to replace the site files. Please follow the instructions in these posts:
How to replace WordPress core files?
How to manually update a WordPress Theme?
How to replace plugin files?
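
To see which core files were changed or planted before replacing them, or to confirm nothing was left behind afterwards, the live install can be compared against a freshly downloaded copy of the same WordPress version. This is an added example, not code from the original post; the function names and the sample file trees are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def file_hashes(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }

def compare_to_clean(clean_dir, live_dir, core_dirs=("wp-admin", "wp-includes")):
    """Compare a live install against a clean copy of the same WordPress version.

    modified: shipped files whose contents differ from the clean copy
    extra:    files inside core directories that the clean copy does not ship
    missing:  shipped files absent from the live site
    """
    clean, live = file_hashes(clean_dir), file_hashes(live_dir)
    modified = sorted(f for f in clean if f in live and clean[f] != live[f])
    missing = sorted(f for f in clean if f not in live)
    extra = sorted(f for f in live
                   if f not in clean and f.split("/")[0] in core_dirs)
    return {"modified": modified, "extra": extra, "missing": missing}

def build_sample():
    """Constructed sample trees standing in for a clean download and a live site."""
    base = Path(tempfile.mkdtemp())
    shipped = {
        "index.php": "<?php // front controller\n",
        "wp-includes/version.php": "<?php $wp_version = 'x.y';\n",
        "wp-admin/admin.php": "<?php // admin bootstrap\n",
    }
    for side in ("clean", "live"):
        for rel, body in shipped.items():
            path = base / side / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
    live = base / "live"
    (live / "index.php").write_text("<?php // front controller\n// appended line\n")
    (live / "wp-includes" / "cache-old.php").write_text("<?php // not shipped\n")
    (live / "wp-admin" / "admin.php").unlink()
    (live / "wp-config.php").write_text("<?php // site settings\n")  # site-specific, expected
    return base / "clean", live

if __name__ == "__main__":
    for kind, files in compare_to_clean(*build_sample()).items():
        print(kind, files)
```

Files reported as modified or extra are the ones to inspect or overwrite; wp-config.php and everything under wp-content are site-specific and are not reported as extra.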

7. Install and configure a firewall & security plugin

In order to boost security, a firewall is essential. While there are many security plugins to choose from, I use Shield Security. You can read my post about it here: 5 Reasons why you should use Shield Security plugin.

8. Integrate Cloudflare (or another DNS firewall)

Although a security plugin like Shield is good, it is better to filter some traffic before it reaches your website. For this purpose, I use Cloudflare. See: 3 Reasons why you should use Cloudflare (or something similar). A DNS firewall sits between your site and visitors, and all traffic has to pass through it. While I use the free version of Cloudflare, it has premium plans that offer a full-fledged Web Application Firewall among other security features. Sucuri is another well-known DNS-level firewall. Sucuri’s security platform is WordPress specific. They also provide a Web Application Firewall. All in all, filtering traffic before it reaches your site will improve the security.
That’s it. Now you have a site ready to go live!

9. Hire a professional

In case these steps did not clean up your site, or the infection keeps returning, please hire a professional. The steps mentioned here will work most of the time. However, the threat you’re facing may be more severe. In the steps, you may have noticed there is no mention of scanning the database. That is because files are the real threat, as a database value on its own cannot do anything. This article is to help you fight 90% of hacks/malware infections. For something more complicated, you should approach professional cleanup services.
I hope this guide helps you. As always, prevention is better than cure, and using the security measures discussed here will reduce the chances of an attack. Also, make sure every theme and plugin you use is obtained from legitimate sources. Otherwise, you are leaving a serious backdoor that will be exploited.
