My WordPress website has been hacked. What should I do?

Any WordPress website could be hacked, and when it happens, you may be tempted to panic. Don’t. Calm down and just read how to:

  • identify that your website has been hacked,
  • take appropriate steps to clean it,
  • make it more secure, and finally,
  • prevent your website from being hacked again in the future.

How do you recognize that your WordPress website has been hacked?

Sometimes it’s obvious. Your website has crashed and you can’t log in. The website redirects you to another page, or its content has been changed. A store payment form or gateway has been replaced with another one. Your hosting provider has warned you. Your website has been blacklisted by Google, or you’ve received an email alert from a security plug-in.

But in many cases you are unaware of the threat, because most malicious scripts try to stay hidden and keep working for as long as possible. That’s why every website owner should run a scanner regularly, for example one of those listed here: [https://geekflare.com/online-scan-website-security-vulnerabilities/].

The basic question is: why would someone hack your website?

There are many reasons, but in most cases it’s all about money. Hackers use phishing to steal money from bank accounts, ransomware to make you pay to unlock the server or not to release stolen data, or they simply use your server to mine cryptocurrency.

In very few cases you may be a target because a hacker wants to get at you personally, for example if you publish controversial content.

What should I do if my WordPress website has been hacked?

When your WordPress site gets hacked: search and destroy! Start by looking for the virus. All malware is just code, so it has to be stored somewhere in the file system or the database.

1. Search for recently modified files on the server

The best way to find recently modified files is to access the server via SSH and use the “find” command, for example:

find /path/to/your/website/root -type f -newermt 2021-02-01

to list files modified after a specific date.

Also check the contents of those files and examine the code. Focus on functions like eval, exec, system, preg_replace and move_uploaded_file, on base64 decoding, and on hex-encoded or otherwise obfuscated strings like this:

var _0xf19b=["\x6F\x6E\x6C\x6F\x61\x64","\x67\x65\x74\x44\x61\x74\x65"

But be careful. The above functions are also used legitimately in WordPress core files and plug-ins, so you need to check what they really do.

2. Check WordPress core files

Compare the WordPress core files in the root, wp-includes and wp-admin directories with a freshly downloaded copy of the same WordPress version: check the number of files and their sizes. It’s a simple but efficient step, because WordPress does not modify its own core files between updates. But make sure it really is the same version! You can use the diff command to compare:

diff -r /path/to/your/website/root /path/to/fresh/wordpress/copy/

When the diff reports a difference, check the contents of those files.

3. Check plug-ins

Most successful attacks exploit insecure plug-ins. If you are lucky enough to observe the virus in action (redirects, replacements, etc.), you can try disabling plug-ins one by one to see whether the problem persists. If you find an infected plug-in, simply compare its code with a “clean” copy of the same plug-in version.

4. Use information from Google

If your website has been blacklisted by Google, use the notifications Google sends you. You can also use Google’s Search developer resources [https://developers.google.com/search].

5. Check Database

Searching the file system is easier than searching the database. But in the case of WordPress, malware can unfortunately be found in the database too.

To search the database, download a database dump and check it locally. Look for strings that resemble the functions listed a few paragraphs above, for suspicious links, and for spammy words.

How to remove a virus from WordPress?

First things first. We need to remove malware and clean the hacked site. Here are some useful tips that will guide you through the process of cleaning a hacked WordPress site.

1. Replace or remove infected files

Do you have backups? Then you are lucky! First make sure the backup itself is not infected, because the virus could already be present in the backup files, and then restore a clean version.

If you found hacked files, replace them manually with clean WordPress core, plug-in or theme files. You can overwrite the infected files via FTP or from the command line.

Sometimes the virus not only modifies existing files but also creates new ones. Do not forget to remove them!

2. Clean the database

Basically, you have three options:

  • The first option, if you are advanced enough, is to manually edit the database dump downloaded from the server. Make sure you don’t break the MySQL syntax.
  • The second option is to use a tool like database Search & Replace.
  • The third option is to use a database client like phpMyAdmin, Adminer or others. These let you edit tables and records through a GUI.

3. Investigate how the malware attacked your website

It’s not enough to remove the virus. If you don’t secure the website, the problem may reoccur within a few hours. Therefore, you have to find out how your website was hacked.

  1. If you have identified the virus, search the Internet for information about it and for tips on how to protect your website.
  2. Read vulnerability reports such as [https://www.webarxsecurity.com/wordpress-vulnerability/]. Check the plug-ins listed, as you may be using one of them.
  3. If you have identified the time of the attack, search the server’s access logs around that time.
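The log search in step 3, as an added example that is not part of the article: it narrows an Apache/Nginx combined-format access log to the window around the compromise and lists the requests worth a look on a WordPress site, then counts them per client IP. The sample log lines are constructed (documentation IP ranges, made-up paths).

```shell
#!/usr/bin/env bash
# Added example, not the article's own script: narrow a combined-format
# access log to the window around the compromise and list the requests that
# deserve a look on a WordPress site: POSTs to .php files, and any request
# for a .php file under /wp-content/uploads/, a directory that should only
# hold media. Times are "YYYY-MM-DD HH:MM:SS" in the log's own time zone.

# "2021-02-01 13:40:00" -> sortable key 20210201134000
to_key() { printf '%s' "$1" | tr -cd '0-9'; }

# Print "ip method path status" for each request in [FROM, TO] that
# matches one of the two rules above.
log_suspects() {
    local log="$1" from to
    from=$(to_key "$2"); to=$(to_key "$3")
    awk -v from="$from" -v to="$to" '
        BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", n, " ")
                for (i in n) mon[n[i]] = sprintf("%02d", i) }
        {
            ts = substr($4, 2)                    # 01/Feb/2021:13:45:01
            key = substr(ts, 8, 4) mon[substr(ts, 4, 3)] substr(ts, 1, 2)
            key = key substr(ts, 13, 2) substr(ts, 16, 2) substr(ts, 19, 2)
            if (key < from || key > to) next
            method = substr($6, 2); path = $7; status = $9
            sub(/\?.*/, "", path)                 # drop the query string
            if (path !~ /\.php$/) next
            if (method == "POST" || path ~ /^\/wp-content\/uploads\//)
                print $1, method, path, status
        }' "$log"
}

# Count flagged requests per client IP, busiest first.
log_suspects_by_ip() {
    log_suspects "$@" | awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Constructed sample log (documentation IP ranges, made-up paths) so the
# functions can be tried without a real server.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [01/Feb/2021:13:41:07 +0000] "POST /wp-content/plugins/old-slider/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Feb/2021:13:41:09 +0000] "GET /wp-content/uploads/2021/02/cache.php?c=1 HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Feb/2021:13:42:30 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Feb/2021:13:42:31 +0000] "GET /wp-content/themes/twentytwenty/style.css HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.9 - - [01/Feb/2021:13:50:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/7.68.0"
203.0.113.5 - - [02/Feb/2021:09:00:00 +0000] "POST /wp-content/uploads/2021/02/cache.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
EOF
}
```

Run it as `log_suspects_by_ip /var/log/apache2/access.log '2021-02-01 13:40:00' '2021-02-01 13:45:00'` with the window you established in the previous steps; a single IP at the top of the list is the place to start reading the full log.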

4. Scan your computer with an anti-virus

Also recommend this to all website users who have an account, because the website can be infected while someone is editing it from a computer that carries a virus.

How to avoid getting hacked while using WordPress?

1. Keep WordPress plug-ins and themes up to date

An outdated version of the software is the most common cause of infection. Keep your WordPress up to date. You don’t have to update it every day, but doing it once a month seems like a good idea.

2. Change password

Reset your password, and recommend or even require that every user does the same.

3. Remove unused user accounts

Remove all accounts of users who are no longer using the website.

4. Update PHP, MySQL and web servers (Apache, Nginx)

Do not use an unsupported PHP version; update to a supported stable one. Check the requirements on wordpress.org.

5. Set up a firewall

Set up a firewall if your server does not have one. Do it ASAP!

6. Set up file permissions

Good practice is to prevent users from changing files in the root, wp-includes and wp-admin directories.

You can also prevent changes in /wp-content/plugins and /wp-content/themes to increase security. However, in that case you will not be able to update plug-ins through the admin panel and will have to replace the files manually.

Below are commands to set file and directory permissions (run both against the same site root):

find /path/to/your/website/root/ -type f -exec chmod 644 {} \;
find /path/to/your/website/root/ -type d -exec chmod 755 {} \;

Additionally, you can add:

define( 'DISALLOW_FILE_EDIT', true );

to wp-config.php to prevent users from editing theme and plug-in files through the admin panel.

7. Disable xmlrpc

Do not use pingbacks and trackbacks if you are not publishing to or accessing your website remotely, and disable Jetpack if you are not using it.

You can do this with a plug-in or by adding the following to the .htaccess file (this is the Apache 2.2 syntax; Apache 2.4 only honours it when mod_access_compat is loaded, otherwise use Require all denied inside the same Files block):

<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

8. Limit the number of login attempts

Install a plug-in that blocks further login attempts after a wrong password has been entered too many times, to prevent brute-force attacks.

9. Do not forget about backups!

You need to do backups! It’s a must.

Usually, your web hosting provider does it automatically. Check how long the backups are kept (3, 7 or more days). Otherwise, do it yourself with a plug-in (UpDraft, WP-Backup, etc.).

10. Do not use “admin” username

Never use “admin”, domain name, or website name as a username. Most attacks try to use “admin” first!

11. Use two-factor authentication

Two-factor authentication requires the user to present an additional authentication factor to log in. You can use a plug-in such as “Two-factor Authentication” to implement this feature.

12. Monitor changes in files and logs

As mentioned earlier, most viruses modify some files. You can use a bash script to detect changed files and send an email notification when changes are found, or a more advanced solution like OSSEC (https://www.ossec.net/).
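A minimal version of that bash script, as an added example that is not part of the article: it records a SHA-256 manifest of the site and, on every later run, reports added, removed and modified files. The site root, the manifest location and the mailbox in the cron comment are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the article's own script: a minimal file-integrity
# check for a WordPress install. wp_baseline writes a SHA-256 manifest of
# every file under the site root; wp_check re-hashes the tree and reports
# added, removed and modified files, returning 1 when anything changed so a
# cron job can mail the report. Keep the manifest outside the web root, or
# whoever modifies the files can modify the manifest too. Paths are assumed
# to contain no spaces.

# Manifest lines are "<sha256>  <path relative to root>", sorted by path.
hash_tree() {
    local hasher="sha256sum"
    command -v sha256sum >/dev/null 2>&1 || hasher="shasum -a 256"
    (cd "$1" && find . -type f -print0 | sort -z | xargs -0 $hasher)
}

wp_baseline() {
    hash_tree "$1" > "$2"
}

# Usage: wp_check SITE_ROOT MANIFEST
# Prints one "added|modified|removed <path>" line per change.
wp_check() {
    local root="$1" manifest="$2" current report
    current=$(mktemp)
    hash_tree "$root" > "$current"
    report=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # first file: baseline
        {
            if (!($2 in base)) print "added " $2
            else if (base[$2] != $1) print "modified " $2
            seen[$2] = 1
        }
        END { for (p in base) if (!(p in seen)) print "removed " p }
    ' "$manifest" "$current" | sort)
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Cron usage with assumed paths and mailbox: re-check hourly, mail any report.
# 0 * * * * r=$(wp_check /var/www/html /var/lib/wp-manifest) || printf '%s\n' "$r" | mail -s "WordPress files changed" admin@example.com
```

Re-run wp_baseline after every legitimate update, otherwise the next check reports the update itself.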

Security plug-ins

There are very popular security plug-ins for WordPress – such as Sucuri, Wordfence and iThemes Security – with a huge community of fans. They offer advanced features to improve security and help beginners take care of their websites.

However, there is a debate among WordPress developers about whether to use them, as security plug-ins can have drawbacks, such as poor performance or the security issues some of them have had in the past. Moreover, several developers claim that such plug-ins are not necessary if your website is well secured.

Website firewall

The most advanced type of anti-malware and hack protection is a Web Application Firewall (WAF). A WAF is meant to actively detect and stop dangerous requests before they reach the site code, exploit a vulnerability and inject malicious code. Some hosting providers include this kind of protection in their standard hosting packages. There are also third-party providers like Cloudflare or SiteLock. WAF solutions typically require an additional monthly or yearly fee, but in exchange they give you peace of mind and should be considered especially for business-critical websites, where any downtime may lead to lost money or a dangerous data breach.

Conclusion

As always, prevention is better than cure. This is why it really surprises us how often we still see people neglecting even the most basic measures to protect their websites. Regular site updates and a correct initial setup are the absolute minimum that should be done to secure any WordPress-based website. In the case of a simple brochure-like website you typically risk just a few days of downtime and a ban from Google. But if you own an e-commerce site, the worst-case scenarios include theft of your clients’ credit card numbers or leaking their private data to hackers. So beware and take the proper action to protect your site and your clients’ data. In case of any doubts – we at White Label Coders are always happy to help!

Łukasz Wilczak, WordPress Solution Architect