Is your WordPress site hacked?
Is your site built in WordPress and suddenly very slow? Are messages or content showing up in the header or footer of your WordPress website and are not supposed to be there? Or are you just suspicious that your WordPress website might hacked?
For a few years now I have seen and cleaned up many hacked websites. A vast majority of hacks on CMS based websites are ‘bots’ that are looking for the installs and attempt to wedge their way in. They are not people like Mr. Robot sitting at a desk with an open terminal or a young Sherlock Holmes sending a digital Pac-Man to eat your files while Leftfield plays loudly in the background. This isn’t a post about how things get in, this is a post about how to deal with them after they do find their way in.
I know that there are many ways to do anything in development, here are some stages and examples of what I do to clean up and attempt to prevent future malicious intrusions on my WordPress website.
First Stage (Precision Strike)
- Backup your entire site (files/database)
- Use internal (ex: Wordfence Security plugin) and/or externally scan (ex: Sucuri) your site
- If you use something like Wordfence Security to scan your site it will compare your core WP files to known installs as well as run through files to look for obvious malicious code
- Using the information above, I manually remove all reported files and/or code
- Delete any WP user with Admin as the user name
- Reset all user passwords
- Update WordPress Version, all Plugins, and all Themes as required
- Re-scan site (internal/external)
- If malicious code/files are still present or comes back move on to Second Stage
Second Stage (Napalm Attack)
- Make development environment for your WordPress site so as to test all functionality after following steps
- Delete ALL non-essential folders/files
- Delete ALL WordPress CMS core files (Everything except wp-config.php file, and the wp-content folder)
- Download fresh WordPress install and replace all files/folders that were removed above
- Delete all non-active plugins
- Delete all free or non-active themes
- Manually inspect all active theme files for malicious (ex: base 64, etc…) code (if you are not familiar with the theme files skip this step if you want)
- Make sure you know what all the Plugins do on the site and if they are used (I have seen fake malicious plugins)
- Re-scan site (internal/external)
- If malicious content/files are still present or comes back, you may want to move on to Third Stage
Third Stage (Special Operations)
- Move site to a different server with a new IP
- Get a third party involved that may have more information and ability to scan/find and fix the issues that are still present
Maintain (Preventative Measures)
If you are feeling good about the clean up, after any stage, it is important to do everything in your power to prevent the issue in the future. Regular upkeep and maintenance should be a goal from now on. You can perform the following or have someone else do it for you as a service.
- Weekly/Monthly backups of site files/database
- Weekly/Monthly CMS version, plugin, and theme updates as needed
- Weekly/Monthly internal and/or external malware scans