It is every single website owner’s worst nightmare to realize that their website has been hacked. Infected sites can wreak havoc for everyone and cause a lot of damage in its wrath. It is a very serious matter that should be tackled as soon as the infiltration has been discovered. However, the first thing to do at this moment, is take a slow, deep breath, and know that your website will be up and running clean once again. Listed below is my step-by-step guide for anyone with an infected WordPress website who is wondering what to do next.
My WordPress Site is Infected – What do I do with it?
After you take a deep breath and assess the situation, the next step (if you do not want to clean the site yourself) is to hire a professional WordPress security service to clean your site. Some of the top in the industry are Sucuri, Site Lock, and 13Core. This is what they do for a living and are trained to get your website back up and running quickly. As with anything, please do your research on the company you choose. Some malware removal companies only run a script to remove a certain type of code and not actually inspect the files to make sure the malicious code is gone. For any malware removal company, there is a limited time guarantee on malware removal. They can guarantee that the infection is removed at the time they say the site is clean, but cannot guarantee that the site will not get infected again, especially due to new vulnerabilities being found every day. There are many factors after the site is clean that can lead to another infection if you do not maintain your site once it is clean. We will go over what to do after your site is clean later in this post.
Can I clean my website by myself?
Yes, you can most definitely clean the website yourself if you feel comfortable reading code and digging into the files of your site. Remember to keep a backup of your website prior to you deleting anything. That way nothing will be permanently lost. If at any time you feel as though this is much worse than you anticipated, you can always call in the professionals to help you as well.
Let’s go through what you will have to do to clean your site
Step 1. Change your passwords, ALL OF THEM!
Change your passwords immediately! This means your cPanel password, all WordPress admin logins, your FTP password, database password, and even your web hosting account’s password. Never use the same password for any of these. The quicker you can block out the hackers, the simpler the clean will be.
Step 2. Scan your computer just to be safe.
Viruses can come from anywhere including your own computer. Make sure your computer isnt infected. This is where I would hope you have an anti-virus software on your computer.
Step 3. Run a Scan on Your Website
Step 4. Make Backups
As mentioned above, make a backup of your database and files. Download these to your computer so that you can always reference your original files.
Step 5. Log into Your File Manager
Go into your file manager via cPanel or your favorite FTP manager like FileZilla for Windows or ForkLift for Mac.
Step 6. Get New files
Get fresh, new copies of the core, plugins, and any themes that are installed on your website. This makes cleaning the site a whole lot simpler because putting on fresh files is always easier than reading all the files to find the malware.
Step 7. Remove the Malware
- Once you are in your public_html directory, delete out all files and directories except the wp-content, the .htaccess file and the wp-config.php file. All the rest will be replaces with new WordPress core files.
- Check the wp-config.php and the .htaccess files for any malware. If it starts out with a (base64) or a long string of random text that cannot be read, delete that code. You can use the wp-config-sample.php to compare with your wp-content.php file. The only thing that should be different is the database login information. Your .htaccess file can have more added code in it due to legitimate plugins, but all that is needed to be in that file while we clean is the WordPress code, which you can compare with the codex. The plugin specific code in the htaccess file can be re-added when we reactivate the plugins.
- Go into your wp-content directory and (depending on your plugins and themes), delete everything except plugins, themes, uploads, and the index.php file.
- Go into your plugins and themes directories and delete all of the plugins and themes listed there that you can get fresh copies of. You can later reinstall fresh copies of those. If you don’t have access to a fresh copy, you will have to manually inspect each file for malware.
- Check every file in your uploads to verify no malware is there.
- Inspect the index.php file that lives in each directory inside the wp-content directory. There will be one in wp-content, plugins, themes, and uploads.
Step 8. Installing the New Files
Install your clean files of all the WordPress core, themes, and plugins that you can find in their correct directories. When using the file manager from cPanel, you may upload the zips and then extract them. If using a FTP manager, you must extract the zips on your machine first, and then upload them. Remember when re-adding back the WordPress core files to delete out the wp-config.php file as to not have duplicates. I typically do this when I unzip the core zip and before I move them all out of the WordPress directory and into the root directory.
Step 9. Testing
Test your site thoroughly. Go to your site and click on the pages to make sure the site is working correctly. Login it to your dashboard and verify that all themes and plugins are back. I’d recommend installing WordFence and do a scan of your site. I do this as a precautionary measure to make sure all malware has been removed.
Step 10. Change Your passwords again, yes again!
Now that we are all confident your site is clean, change all your passwords one more time! This will ensure that they are not able to get in again. Make sure you change your FTP, hosting, and all of the admin account passwords.
Step 11. Have Google to rescan your site.
If Google has blacklisted your website, you will need to go into your Google Webmaster Tools and have the site rescanned so Google will remove the blacklist. You may also want to check your site links to ensure there is not black hat SEO malware happening as well. You will need to have Google to re-index your site if this happens. This can take some time for Google to take care of but it is an essential step in making sure your site is and appears clean.
Now how to make sure this NEVER HAPPENS AGAIN (hopefully)!
Now that your website is clean and back online, now it is time to be as proactive with your website as possible. This means hardening your site to keep out future hackers. Regular maintenance like what we discuss in our recent post can help you to keep the bad guys out.
Always, do your research on your plugins and themes. Also, do a plugin and theme audit on your website periodically. If anything you are using is no longer being updated or have support, look for something comparable. You do not want to keep plugins and themes that are no longer supported on your website. Keep only the themes and plugins on your website that you are using. Only keep your current theme and the most recent WordPress default theme and delete out the rest. If a plugin is installed but not activated, remove it until you need to use it again. If it is on the WordPress Plugin Repository, you can make a list of your favorite plugins to use at a later time. You will be required to make a WordPress.org account to setup your favorite plugins.
Last but definitely not least is to update your site regularly. Always keep your core, plugins, and themes up to date. We suggest weekly updates of your site.All version releases can be classified into three separate sections; feature update, code update, or security update. Most releases are security updates due to the fact that vulnerabilities are found every day. Due to the evolution of code, it means today’s newest features are tomorrow’s vulnerabilities.
If at any time, you feel overwhelmed with WordPress security, talk to the professionals. They are always willing to help you keep your online presence safe.