Recovering a Hacked or Virus Infected WordPress Website
We’ve recently seen a large increase in attacks on WordPress websites with hacked sites being used to send spam email or to host malicious content. If your site has been hacked or infected by a WordPress virus then thankfully there are some simple steps you can take to clean out the malicious files and to prevent your site from being infected again.
Please note that this guide is aimed at web masters and/or technical users so if you are not comfortable using FTP software or editing website files then please seek assistance from someone who can.
Step 1: Update your passwords
Before going any further you need to make sure that your main entry points to the website are secure by updating all passwords. This is especially important if your site has been breached and already contains malicious code files.
Update your FTP username / password
You will need to logon to your hosting dashboard to do this. The dashboard is usually accessed via your hosting provider’s website but if you’re having trouble then try contacting their helpdesk and asking for assistance. Keep a note of these details as you will need to access your FTP in a moment.
Update your WordPress username / password
You can update your WordPress details via your WordPress dashboard under the /wp-admin url. We recommend changing both your password AND username here for added security and try to avoid using “admin” as a username as this is easily guessed by potential attackers.
In both cases make sure you choose a password with a minimum of 8 characters and include both uppercase and lowercase letters and at least one number and one symbol (like £,$,#,!).
Step 2 (A) : Replace your website with a known, clean copy
The easiest way to clean your website of malicious files is simply to delete all current live files and replace them with clean copies. If you have a backup of the site then logon to your FTP (using the new details from above), delete the contents of WordPress site directory and replace all files with copies from your backup.
Step 2 (B): Manually Replacing your website files with clean copies
If you do not have a backup of the site then you are going to have to do things manually. The steps for this are as follows:
Replace your core Website Files
First you should take a backup of your wp-config.php file located in the root of your WordPress installation. Open the file in a text editor and just check that no malicious code has been appended to the top or bottom of the file (you can tell because it will look like a big block of junk code with no discernible English characters). If you encounter malicious code then remove it from your wp-config file.
Next you need to determine which version of WordPress you are using by either looking
- in the wp-admin dashboard.
- in the readme.html file located in the root of your WP installation
- in the version.php located here: /wp-includes/version.php
Once you know which version you have then you need to download the full installation package from the WordPress repository located here (corresponding to your version):
Next you need to unpack the installation archive you downloaded and copy the clean WordPress files over your existing installation. This will overwrite any system files which have been compromised.
Finally, copy back your clean wp-config.php file to restore all of your settings
Replace your plugins
Now that you have cleaned out your system files you will need to clean all of your custom extensions and data. Open your /wp-content/plugins directory in your FTP client and note down a list of all the plug-ins you have installed.
Next visit the WordPress plugin repository here: https://wordpress.org/plugins/ and download the installation files for each of your plugins. Note: if you search by the folder name of the plug-in then it will usually appear as the first result in the search.
Once you have all your plugins downloaded unpack each installation archive and use your FTP client to overwrite the plugins on your site with the clean files.
Replace your theme
Just like with the plugins, you will need to re-download a copy of your theme and replace this in the /wp-content/themes directory. If you are using multiple themes then you should repeat these steps for each theme you have installed (or uninstall/remove the theme if it’s not required).
Be careful with this step because if you have a custom theme or if a web developer has built the theme for you then they might have made customizations to the theme files. If you are unsure then take a backup of the theme first and copy back any customized files if you experience problems.
Clean the rest of your “wp-content” folder
By this point you will have cleaned out the majority of your WordPress installation but unfortunately the final step will require a bit of elbow grease!
In addition to the plugins & themes directories, your /wp-content folder also contains all the custom data, settings and uploads you have deployed as part of your website. There is no way to simply “copy this back” from an installation disk so instead you will have to manually trawl through the remaining files/folders to search for malicious code.
The easiest way to do this is to use your FTP client to find files which have an unusual Modified Date. The majority of your files will have been modified when the site was first created and a handful will have been added over time or when a specific update was made (for example, perhaps in August 2013 you modernised your design).
Look for files – specifically .PHP code files – which have an usual modified date or have been modified recently. Download these files to your computer and use a text editor to check for malicious code blocks at the start or end of the files (you can tell because it will look like a big block of junk code with no discernible English characters).
In General, the following file types are likely to be safe and should not need to be checked:
- CSS Stylesheets
- PNG or JPG Images
- Text documents
- Downloadable documents (PDF,DOC,DOCX)
Step 3: Update your Platform
Once you cleaned out your site you should ensure that you have all the latest patches installed to fix any known vulnerabilities in the platform. Open up your WordPress dashboard and check for updates:
- Update the WordPress platform to the latest version
- Update all plug-ins to the latest versions
- Update your theme/s to the latest versions
Step 4: Update File and Folder Permissions
Most hacks and viruses occur because the FTP file permissions on the WordPress site have not been set correctly. Open your FTP client and update your folder/file permissions as follows:
- All folders should be assigned “755” permissions
- All files should be assigned “644” permissions
For more information on this step please see the following guide:
Once you have done this, check your site for errors as sometimes specific themes or plugins might need additional access to certain files or folders. If you find a problem then follow the on-screen instruction to add additional permissions where required.
Step 5: Harden your WordPress site Security
By this point your WordPress site is already pretty secure but these plugins can also be deployed to help prevent any further exploits.
Install the Sucuri Security Plugin
This plugin allows you to strengthen your WordPress deployment by applying additional configuration settings which help limit potential exploits. Once you have downloaded and installed the plugin, head over to the settings page in the dashboard and follow all the steps to harden your security. There is also a scan option which allows you to check for any malicious files which you might have missed
Install the Brute Force Login Protection Plugin
This plugin protects your site from “brute force” attacks on your WordPress login page (i.e. where a bot attempts to repeatedly guess your password). As the popularity of the WordPress platform grows, hackers are getting more sophisticated at attacking so this plugin is a must for tightening your front-line defences
We hope you found this post helpful. If you have any questions or need help restoring a hacked or compromised WordPress website then don’t hesitate to get in contact with us.