
Steps to fix hacked WordPress website

Is your WordPress site hacked? Don’t worry! In this article, I will guide you through a step-by-step procedure to fix a hacked WordPress website. First of all, WordPress itself is reasonably secure, but there is always a chance of it getting hacked, and there are various reasons why your site might have been compromised.

For the past few years, we have helped many website owners recover their hacked sites and remove malicious code from them.

WordPress powers almost 25% of the websites on the internet, which is why it is such a common target for hackers.

According to a report published by Forbes, almost 30 thousand websites get hacked every day. It is really stressful to see your website hacked. A hacked website damages your reputation, your customers’ trust and your Google rankings, so you have to get the site fixed as quickly as possible, before it impacts your business.

Things to know before we start

No website is 100% secure. Hundreds of vulnerabilities are found every day, each of which gives a hacker a chance to exploit it and compromise the site. The problem is not always in the WordPress core files; it may also be the PHP version running on your server. It can be anything. So it is recommended to use the latest version of both the CMS and PHP.

Google and some browsers warn visitors not to visit a website if it is hacked or infected, and that warning damages the website’s reputation. I have seen that most hacked websites contain links to porn websites or are redirected to other bad sites. So, website security must be your top priority if you are an online business owner.

It is essential to choose an excellent hosting company for your website. A good hosting company keeps its servers updated and regularly scans all the sites hosted on them. We have been using LiquidWeb for a few years now, and our website has not been compromised in that time. It is also important to back up your website regularly; you can ask your host to enable automatic backups for you.

You can use an online website scanner such as Sucuri to scan your website and check whether it has been hacked. We use it to scan our clients’ websites whenever we suspect that malicious code has been injected into a site.

About 40% of websites get hacked through server vulnerabilities. Choosing a good host, backing up the website regularly and scanning the website are some of the precautionary measures a website owner should take to keep the site secure.

However, if you are reading this post, it means either your site is already hacked or you want to secure your WordPress website.

How to identify whether a WordPress website is hacked

Using View Source

Open your website in a browser, right-click and choose “View Page Source”. Search the source for links to other websites that you haven’t added to your pages. You may also find HTML iframe code or words like viagra or Cialis on the pages. You may not see these words or links on the front-end of the website, because the hackers hide these elements with CSS (visibility set to ‘hidden’ or display set to ‘none’). The content loads in the page without being visible to users, but when Google crawls the pages of your website, it marks the site as spam or hacked.

Redirections

If your website gets redirected to pharma, porn or other strange websites, that is confirmation that the site has been hacked.

Keyword Autolink

Some hackers insert scripts into the WordPress site that automatically link words on your pages to other websites.

Crashing and Freezing

The site loads slowly, crashes or freezes when visited. The cause is a script that the hacker has added to the site.

Unnecessary Popups and Windows

Popups, alerts and new windows pointing to porn or other objectionable URLs open when the site is visited.

Notices and Alert from Hosting Provider

Most hosting providers send you emails and alerts if any of your files are infected with malicious code or scripts. If you are on shared hosting, other sites on the same server usually get affected too in such situations.

These are some of the techniques for finding out whether a website is hacked. Now let me tell you how to fix a hacked WordPress website.

If you want the job done quickly, without wasting a single minute, you can hire a professional to fix the site for you.

Hire a website security professional

If you are a skilled web security professional, you can deal with it quickly. If you are not a coder, or are not comfortable dealing with servers, I recommend that you Hire a WordPress Security Expert immediately, who can investigate the cause, find the infected files, remove the malicious code and restore the website to its original state.

Hackers generally inject malicious code into as many files as they can.

Every file on the server must be scanned and checked carefully. Even a single hacked or infected file left behind can ruin the site again.

As mentioned, we have been fixing and cleaning up malware from WordPress websites for years, so you may consider asking us to help you secure your WordPress website. We charge between $99 and $199 depending on the severity.

Well, that is a secondary option. Let me first guide you through the steps to remove malware and clean up your hacked WordPress website.

Okay, let’s begin.

Step 1: Scan the computer which connects to the server

Before you start fixing the website, the first and foremost thing to do is scan the computer that connects to the server via FTP. If your computer is infected with malware, viruses or Trojans, your FTP credentials can be stolen by the hackers. I recommend running a reputable anti-virus scan before connecting to the server.

Step 2: Change all the passwords

After the scan in Step 1, change the usernames and passwords for FTP, the WordPress admin login and your hosting account. Use a strong password for all three. You can also use a strong password generator and keep the passwords somewhere safe.

Step 3: Contact the Hosting Provider

If you are on a shared server, ask your host to check whether other sites on the server are affected. Most hosting providers are helpful and will scan the entire server to remove the malware and update the security settings of your files.

We had a horrible experience with our previous hosting provider, which hosted our site on a shared server and didn’t bother to update the server or remove malware, so we moved our site to a VPS after cleaning it. You may change your host or your hosting plan. Follow the next step if your host isn’t helpful.

Step 4: Restore from Backup

If you back up your WordPress website regularly, you won’t have any issues deleting all the hacked files and replacing them with the backup files. Don’t delete the database, as you might lose changes you have made to posts or pages. If you don’t have a backup, follow the next step.

Step 5: Download WordPress from Official Website

If you don’t have a backup, the next thing to do is to download the version of WordPress that your website is using from the official website and unzip it to a folder.

Step 6: Remove Infected files

Now that you have cleaned your computer and extracted the WordPress files from the official site, log in to your website using FTP or a web-based file manager, go to the folder where WordPress is installed and delete all the files except wp-config.php and the wp-content folder.

Check the wp-config.php file and the files inside the wp-content folder carefully and make sure that none of them contains malicious code. Remove additional files with weird names. You can search for the PHP function base64_decode(), which hackers use to hide their payload as encoded data (base64 is an encoding, not encryption, so anyone can decode it). Try to remove that code. You can also use an online base64 decoder to check and verify the encoded infected code.

For example, you may see some data like this: PGEgaHJlZj0iaHR0cHM6Ly93d3cuaW5meXdheXMuY29tIj5JbmZ5d2F5czwvYT4 . Copy the encoded contents and decode them. Decoding gives the following:

<a href="https://www.infyways.com">Infyways</a>

Check all the folders inside wp-content thoroughly. You can also remove the plugins folder and any themes you aren’t using. If you have a clean backup of your active theme, you can delete all the themes. Plugins can be reinstalled later, once you complete the process.
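As an added example (not code from the original post), the following Python script automates the base64 search described in this step: it walks a folder such as wp-content, flags lines that call PHP functions commonly used to hide or run a payload, and decodes any base64 literal it finds, using the page’s own example string inside a constructed sample theme file. A hit is a lead to inspect by hand, not proof of infection, since some legitimate plugins use these functions too.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# PHP calls malware commonly uses to hide or run a payload. A hit is a lead to
# inspect by hand, not proof of infection: some legitimate plugins use them too.
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|assert)\s*\(")
# A quoted run of base64 alphabet characters long enough to be worth decoding.
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{24,}={0,2})['"]""")

def decode_b64(token: str) -> Optional[str]:
    """Decode a base64 literal, adding the '=' padding that PHP tolerates leaving out."""
    padded = token + "=" * (-len(token) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # binary or not base64 at all; still worth a manual look

def scan_file(path: Path) -> List[Dict]:
    """Report each line that calls a suspicious function or embeds a base64 blob."""
    findings = []
    for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
        calls = SUSPICIOUS_CALLS.findall(line)
        literals = B64_LITERAL.findall(line)
        if calls or literals:
            decoded = [d for d in map(decode_b64, literals) if d is not None]
            findings.append({"file": str(path), "line": lineno,
                             "calls": calls, "decoded": decoded})
    return findings

def scan_tree(root: str) -> List[Dict]:
    """Walk every .php file under root (for example wp-content) and collect findings."""
    findings = []
    for php in sorted(Path(root).rglob("*.php")):
        findings.extend(scan_file(php))
    return findings

def run_demo() -> List[Dict]:
    """Constructed sample: one theme file hiding the page's base64 link, one clean file."""
    theme = Path(tempfile.mkdtemp(), "wp-content", "themes", "demo")
    theme.mkdir(parents=True)
    (theme / "footer.php").write_text('<?php echo base64_decode("PGEgaHJlZj0iaHR0cHM6'
                                      'Ly93d3cuaW5meXdheXMuY29tIj5JbmZ5d2F5czwvYT4"); ?>\n')
    (theme / "header.php").write_text("<?php wp_head(); ?>\n")
    return scan_tree(str(theme))
```

Point scan_tree at the real wp-content folder (downloaded via FTP) and review each reported file and line by hand before deleting anything.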

Step 7: Re-Upload Core WordPress Files

Once you have checked all the files on the server, the next step is to upload the extracted WordPress files (from Step 5) to the server via FTP.

Step 8: Update the site and files

Once you have re-uploaded the core files, log in to the backend and install all the missing plugins and themes. Activate the theme and plugins. Your site is ready now, but it is still not secured. Follow the next step to secure it.

Step 9: Securing a WordPress Website

  • Download all plugins from the official WordPress repository.
  • Don’t use nulled themes or plugins. All nulled files have malicious or infected code inside them.
  • Set folder permissions to 755 and file permissions to 644. Avoid chmod 777.
  • Check the list of users and see whether it contains any new user with admin access. An admin can change the theme files directly from the WordPress Dashboard (wp-admin).
  • You can set up firewall monitoring by installing plugins such as Acunetix or Sucuri. These security plugins enhance security and block attacks on the website.
  • Disable file edits in the backend.
  • Limit login attempts in the backend. This can be done by installing a plugin called Limit Login Attempts.
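An added example (not from the original post) that applies the permission and file-edit items of this checklist to a local copy or server path of a WordPress install: it lists world-writable paths, sets directories to 755 and files to 644, and adds the DISALLOW_FILE_EDIT constant to wp-config.php (WordPress hides the theme and plugin editor when it is set). The sample install it creates is constructed for the demo.

```python
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

DIR_MODE, FILE_MODE = 0o755, 0o644  # the modes the checklist above recommends
FILE_EDIT_LINE = "define('DISALLOW_FILE_EDIT', true);\n"  # hides the theme/plugin editor
STOP_MARKER = "/* That's all, stop editing!"  # comment present in the stock wp-config.php

def world_writable(root: str) -> List[str]:
    """List everything under root that anyone on the server may write to (e.g. 777)."""
    return sorted(str(p) for p in Path(root).rglob("*") if p.lstat().st_mode & stat.S_IWOTH)

def fix_permissions(root: str) -> Dict[str, int]:
    """Apply 755 to directories and 644 to files (symlinks skipped); count real changes."""
    changed = {"dirs": 0, "files": 0}
    for p in [Path(root), *Path(root).rglob("*")]:
        if p.is_symlink():
            continue
        kind, want = ("dirs", DIR_MODE) if p.is_dir() else ("files", FILE_MODE)
        if stat.S_IMODE(p.stat().st_mode) != want:
            p.chmod(want)
            changed[kind] += 1
    return changed

def disable_file_edit(config_path: str) -> bool:
    """Add DISALLOW_FILE_EDIT above the stop-editing marker; False if it is already set."""
    cfg = Path(config_path)
    text = cfg.read_text()
    if "DISALLOW_FILE_EDIT" in text:
        return False
    at = text.find(STOP_MARKER)  # the define must come before wp-settings.php is loaded
    text = text[:at] + FILE_EDIT_LINE + text[at:] if at >= 0 else text + FILE_EDIT_LINE
    cfg.write_text(text)
    return True

def run_demo() -> Dict[str, object]:
    """Constructed sample install: a 777 uploads folder, a 666 stray file, stock wp-config."""
    root = tempfile.mkdtemp()
    uploads = Path(root, "wp-content", "uploads")
    uploads.mkdir(parents=True)
    (uploads / "stray.php").write_text("<?php // constructed sample file\n")
    (uploads / "stray.php").chmod(0o666)
    uploads.chmod(0o777)
    cfg = Path(root, "wp-config.php")
    cfg.write_text(f"<?php\n{STOP_MARKER} Happy publishing. */\nrequire_once ABSPATH . 'wp-settings.php';\n")
    report = {"before": world_writable(root), "changed": fix_permissions(root),
              "added": disable_file_edit(str(cfg))}
    return {**report, "after": world_writable(root), "config": cfg.read_text()}
```

On a shell, the permission part is the usual `find . -type d -exec chmod 755 {} +` and `find . -type f -exec chmod 644 {} +` run from the WordPress root.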

Step 10: Remove Google Malware Warning


Removing the malware warning is the last step, and it has to be done once your site is free of the malware infection. You can submit the website to Google for review once again in order to remove the warning “This site may harm your computer”. The warning can be removed using Google Webmaster Tools.

Conclusion

Never use nulled WordPress themes or plugins, and keep WordPress, your themes and your plugins updated. If you don’t, the website may get hacked and ultimately lose rank on SERPs. The recent Google algorithm affects hacked or spam websites. So, keeping your website secure should be your utmost priority.

I hope this guide has helped you fix your hacked WordPress website. If you are still facing issues, feel free to contact us. We are happy to help at any time.