It is not uncommon to find your WordPress website was hacked or infected by malware, especially if you are running an outdated version of WordPress, PHP and MySQL. Most people do run out-of-date versions of core WordPress files as well as third-party themes and plugins, according to stats by WordPress.org.
We’ll list methods to clean your hacked website below but you must start with the basics. It means that in the first place you should secure your login to the administrator’s panel you are using to access and manage your website.
Introduce Secure Access Controls
Using complex passwords and changing them often is a no-brainer. It applies to any platform you might use, not only Windows-based systems. Linux and Mac systems are as vulnerable to weak credentials and network sniffing as any Windows system.
So, take your time and find a reputable VPN service that will encrypt all the data traffic between the devices you use to access your WordPress administrative panel. You can try a totally free VPN for Mac, Windows or Linux relatively easy; thus solving many of your data privacy issues and concerns.
As a VPN is not a replacement for strong passwords, you still need unique and complex passcodes to protect your web property but you’ll have an extra layer of protection to prevent hacking of your site in the first place.
Got Hacked, Now What?
First of all, you should carefully document all the suspicious events and when they occur. Also, document all your recent activities such as installing a new plugin and changes to a theme or a widget you use on WordPress.
Thus, you actually create an incident report that you or a security expert will use to explore the hack in more detail.
Make Complete Website Scan
Once you discover suspicious behaviour such as automatic creation of new users, reports that your site is in use for attacks on other websites, visitors saying their antivirus software is flagging your website, etc., you obviously need to scan your site for malicious code.
You have two basic options: to use an online scanner or a standalone app. Whatever your choice of malicious code scanner might be, bear in mind that no scanner detects all threats. Combine two or more security tools to get the best results.
Scanning your website only is not enough, though.
Scan Your Local Devices
Although many WordPress websites fail victim to automated scripts that actively search for vulnerable ports and sites online, a good number of website infections start at the local level. It means you need to scan your local environment for possible malicious agents.
Run a full antivirus scan on all your desktop and laptop computers as well as mobile devices you use to manage a WordPress site. A sophisticated malware that runs locally would allow attackers to steal your login credentials and then log in as a website administrator.
Use at least a couple of antivirus suites on any Windows, Mac or Linux machine you use for accessing your wp-admin control panel or any other administrative panel you may use.
Force Global Password Reset
If the malware scanning produces positive results, a mandatory step to take is to reset all passwords on your website and force users to change their passcodes. Thus, you minimize the risks of spreading the malware further and prevent access through compromised administrator and user accounts.
In case you have identified an active hack on your site, you also need to clear all logged in users. Change the keys in wp-config and any active user will be forced off your WordPress site.
Clean Hacked WordPress Files
Now we come to the hardest part of the job, cleaning your compromised WordPress site.
It usually works by reinstalling specific elements of your website. First, you can try to reinstall your WordPress software but make sure you are using the same version on which the site was running prior to the hack. An installer overwrites existing files and thus it will replace any core files changed by the malicious software. Official WordPress guides state that you can safely replace the contents of these two critical directories: /wp-admin and /wp-includes.
Other files you should check and replace in case of successful hacking include index.php, header.php, footer.php and function.php. Be on alert that any changes to these files might make them vulnerable, so make any changes with utmost care.
The root of your WordPress installation directory stores a file named .htaccess, which is one of the common attack vectors when WordPress sites are concerned. Any changes to this file by a third-party code might result in your site being compromised and then used for malicious activities. Check its behaviour and make any changes you deem necessary to restore its normal operation.
It is worth noting that hacks rarely affect a single site these days except for websites that are victims of a targeted attack.
Usually, malware affects dozens and hundreds of WordPress sites at once. Using shared hosting servers, which is where the average website resides, increases the chance of multiple websites being infected at the same time. So, check with your hosting provider before you implement any of the above measures. Sometimes hosting providers are able to rectify the issue by themselves.
In any case, the single most important action you can take to protect your site against hacking is by applying all available updates and patches on time, utilizing a secure and encrypted connection for accessing your control panel and implementing strong and unique passwords. Scanning your WordPress site for vulnerabilities on a daily basis is another viable preventive measure against hacking. Do not take these preventive measures lightly as many hack result in complete destruction of your website, which in turn means you need to restore it from scratch if you do not have a safe backup of all your site data.