It starts with a sinking feeling that something is amiss with your WordPress website. Maybe your security plugin has alerted you to a changed file that you know you didn’t touch. Or you see some unfamiliar content within your post listing.
Whatever the indicator, it leads to one conclusion: Your website has been hacked. What to do now?
While it’s perfectly normal to feel scared and/or frustrated, it’s not the time to panic. Instead, it’s time to spring into action! Kind of like a superhero, but your weapons of choice are a security scanner and an FTP client.
Still, you have the ability to save the day. Just follow our guide for dealing with a hacked WordPress website.
Use Your Backups
Managing a website – whether it runs on WordPress or not – means being prepared to act at a moment’s notice when something goes wrong. How do you do that? By keeping regular backups of your entire site – including its database and files.
Restoring clean versions of your files and data will quickly get your website back to a good place. If you don’t have a backup to turn to, recovering from a hack can be all the more difficult.
Without a backup, well, it’s a matter of going through your installation with a fine-toothed comb. You’ll need to look for potentially malicious code, remove it and hope you’ve caught everything.
There may be a saving-grace: Your web host may well have a clean backup to help you out. However, it’s still best to take matters into your own hands. Relying on others to bail you out of a tough spot isn’t a sustainable strategy.
Change Passwords and Salt Keys
Depending upon the vulnerability an attacker used to hack your site, they very well could have administrator access. Therefore, it’s best to change the passwords for every administrator account. If you have unused accounts lying around, consider deleting them.
In addition, the site’s database password should also be changed. This could help prevent any MySQL injection attacks that may have been going on.
Lastly, a quick change of your WordPress salt keys is also recommended. This will kick out any logged-in users who may be snooping.
Look for Hints of Changed Files
If your website has been compromised, it’s not enough to simply restore a backup. It’s also important to try and figure out exactly what happened. The backup files may be clean, but they still could contain security holes that will lead to yet another hack.
Therefore, it’s a good idea to download a copy of your hacked site before restoring that backup. Or, if your site is backed up daily, you may be able to just grab that latest copy if you suspect that it too has the same affliction.
You may also want to run it through a security scanner, such as Sucuri’s free SiteCheck tool. This could potentially lead you directly to a specific security issue that caused the hack.
Once you have a copy of your infected site, it’s time to dig through and look for clues. Here are a few items worth checking out:
Check WordPress Core, Plugins and Themes
One thing to keep in mind is that malicious code could be injected into any area of your WordPress website. That could be a core file, a plugin or theme. Even inactive items could have provided a backdoor.
It’s also worth checking your server’s file permissions to make sure they’re in line with what WordPress recommends.
Look at the Modified Dates
A telltale sign of an infected file is a suspicious modified date. For example, if you haven’t changed a theme’s template in months – and the modified date was last week – that could be a sign of foul play.
This can be a bit more difficult to spot in plugins, as they tend to be updated more frequently. But if something doesn’t look right, check out the plugin’s changelog. That can tell you when the last update was. Even if you didn’t update the moment the new version was released, you’ll at least have a time range to look for.
Open Suspicious Files (Carefully)
If you’ve found some suspicious-looking files, you may want to open them and inspect their code. Before doing that, it may be a good idea to run them through a malware scanner – just to be safe.
Malicious code seems to stick out like a sore thumb, yet the eyeball test alone may not be enough to be sure. In this case, you can grab another copy of the file – one that’s known to be clean – and compare. If you spot any differences, you’ll know something is up.
Search the Web
The WordPress.org support forums can be a great place to gather intelligence. If you suspect a specific plugin or even WordPress core, odds are other users have experienced something similar. You may just find that you’re not alone in your suffering.
In addition, the WPScan Vulnerability Database offers a laundry-list of core, plugin and theme security info. It’s a great place to look for known issues.
Contact Your Web Host
There’s no guarantee that your web host could have prevented a particular hack. But even so, it’s worth reaching out to them in these situations. This is especially so if you aren’t quite sure of the culprit. And, it’s just plain good practice if you’re on a shared hosting account, as it may affect other users (or other sites you’re hosting).
If you’re unable to pinpoint a specific vulnerability that led to the hack, your host can be a great resource. They may have seen other customers with similar issues, or it may set off a red flag that leads to a security hole being patched.
In addition, some hosts also offer security scans and malware cleanup. While they’ll likely cost you a bit of cash, it might help you stamp out a recurring problem. Just make sure to ask about any warranties and find out what’s covered before making the investment.
Take Note of Lessons Learned
When it’s all said and done, there’s a good chance that you’ve learned a thing or two about WordPress security. That’s good news, because you can apply this new knowledge towards keeping your website safe.
For example, recovering from a hacked website could lead to using stronger passwords or updating software more frequently. You might even implement measures such as two-factor authentication. It may also make you aware of server settings that can make it more difficult for a malicious actor to do damage.
The point is to stiffen security to the point where you can at least fend off the most common sorts of attacks. Beyond that, it’s about staying vigilant and never taking security for granted.