Removing the WordPress Hack
Do you know about Removing the WordPress Hack? In this article, we will let you know everything you must know. Read to know more. A hacked WordPress site is nobody’s dream birthday present. The problematic part of resolving WordPress hacks is not just resolving the issue, but also need to make sure that it doesn’t happen again. Before all of this, comes the identification of the hack which is equally ambiguous.
The disadvantage is that WordPress sites are overwhelmingly popular, often making them easy targets of hacking attempts, small or big. The advantage is that the quality and quantity of such hacking attempts have allowed us to study each one in detail and protect ourselves accordingly. Most WordPress infections have a similar step-by-step ‘see-resolve-strengthen’ strategy, so let’s go through a couple of steps.
Table of Contents
Steps to Dealing with Hacks on WordPress
Here are some steps you can roughly follow whenever you suspect that your WordPress site is not functioning normally.
Detecting the Hack
1. The first step, as always, is to find out the hack if you have seen some indicators that point towards the same conclusion. There are free and paid tools that will scan your WordPress site to detect the malware and/or malicious loads placed. Most tools simply require your website URL and wait to see if any warning messages pop up. Efficient tools may also provide the exact location of the malware, which you need to note down for manual removal.
For example, the following image taken from Astra Security depicts WP-VCD malware found in the /wp-includes folder in a hacked WordPress website by the company’s in-built malware scanner.
An example of WP-VCD malware flagged by Astra Security’s malware scanner
2. Look out for any blacklist warnings under the search engine (since this requires an extra set of steps for remediation).
Deceptive site ahead warning message by Google; Source: Astra Security
3. It helps to manually go through further details of the scanning to check for suspicious links or scripts, especially if malware isn’t detected.
4. If you possess multiple sites that are hosted on the same server, make sure to scan through all of them. This is called cross-site contamination and is one of the major causes of reinfection throughout sites. It’s always best to keep your web and hosting accounts separate to prevent this from happening.
5. If possible to do so, employ the services of remote and server-side scanners. Normal scanners only go through the site to identify issues present on them. However, security risks like backdoors, server-based scripts, and phishing attempts pop up on the servers.
6. Go through your WordPress core files and ensure that they have remained untouched. This includes the ‘wp-admin, ‘wp-content, ‘wp-includes, and any root folders. You can simply use the ‘diff’ command by comparing original WordPress files or clean versions recently backed up to check for changes. There’s also an option to check manually with SFTP. You can also use the FTP client to find out the malware present on directories like ‘wp-content – FTPS, SSH, or SFTP is a better option than unencrypted FTP.
7. Check for any files that were recently modified.
8. Peruse through the Google Diagnostic pages and the Google Transparency Report which will give you details on the security status of your site.
Under ‘Safe Browsing Site Status’ > enter site URL
> press ‘Site Safety Details’ for details on malware present on the site, redirects, and spam
> press ‘Testing Details’ for details on the last testing done for the site.
You can also go through any free webmaster tools (Google Webmasters Central) for the security ratings and reports on the site.
Removing the Hack
Now that we’ve some details of the hack present on the WordPress site, we can step into its removal.
1. Cleaning any hacked files and database tables
If you have found the malware in any of the core files, folders, or plugins, you don’t need to completely rewrite the ‘wp-config.php’ file and ‘wp-content folder. You can just take a backup and work on it manually. Any customized files or themes can be replaced with a clean backup. Similarly, get rid of the malicious payloads and other suspicious files as well.
For cleaning any hacked database tables, you will need to log into the admin panel of the database. After finding the suspicious content, you can remove it manually and test the site to ensure it’s operational.
2. Increase the security of all user accounts
Remove all unfamiliar user accounts to prevent hackers from accessing the site again. Ideally, there should only be one admin user and other users can have different levels of access privileges according to their requirements. This includes categories like contributor, editor, author, etc.
3. Clean out all backdoors
Hidden backdoors are the main possibility of reinfection. Sometimes, they are found in files named similarly to the core files, or they can be placed in ‘wp-config.php’, ‘wp-content/themes’, ‘wp-content/uploads, etc. There are some commonly used PHP functions that experienced users can look out for.
4. Resolve malware warnings
This is for those sites that were blacklisted by search engines like Google. Once you’ve successfully cleaned up the malware, you can request a review to restore your site. You will probably need to provide full details on what the malware was and how you resolved it.
The information above covers the basic guidelines for finding and resolving hacks for WordPress sites. With frequent hacking attempts, you can never be too safe, thus having an active security system is necessary. Refer to this guide for more WordPress Security tips.