Fix if Your WordPress Site is Hacked

In recent months there has been an increasing number of websites being hacked, and WordPress sites are among them. Getting your website hacked is very painful: it takes a lot of time to fix, it hurts your site's ranking, and it exposes your visitors to virus and trojan attacks. So it is better to make your site more secure and prevent the hack in the first place. Please read the article WordPress Security Tips to make your WordPress site secure.

But what do you do if your WordPress site has already been hacked? Most sources on the internet tell you to upgrade WordPress to the latest version. That fixes the problem in many cases, but it will not work under the following conditions:

  • If the hacker has left back door files hidden in a directory that an upgrade does not overwrite (for example under wp-content/uploads).
  • If the hacker has inserted code into your theme.
  • If the hacker has created a user account with admin privileges.
  • If the hacker has added scripts to your database.

Under any of the conditions listed above, updating WordPress to the latest version will not solve the issue: the hacker will simply get back in through the back door. So I would like to list the steps you should take to clean up the hack and restore your WordPress site.

  1. Backup the Files and Database: The first thing is to back up your files and database. For a WordPress site you need your current theme, the uploads folder, the database, and any custom plugins you have developed or modified. Make a list of the plugins you use, so you can reinstall them fresh later. For more information on backups, see WordPress Backup on WordPress.org.
  2. Scan the Files and Your Computer: Completely scan your computer and the files you backed up for viruses and malware. I use Kaspersky Internet Security 2010; any of the top antivirus programs will do. Don't forget to scan your WordPress theme as well: I have recently found injected code in themes in the form of iframes, <noscript> tags and display:none style attributes (used to hide spam links from visitors while search engines still see them). Check for such code and delete it. This requires detailed knowledge of the theme, or you can hire a WordPress expert.
  3. Delete all of the files and folders: Once you are sure that all your files, folders and database are backed up from the live server, delete all the files and folders in the WordPress directory on the live server. Do not copy an old PHP file back unless you have checked it; the core, theme and plugins are reinstalled fresh in the following steps.
  4. Change the FTP and Control Panel Passwords: Change every FTP and control panel password, since the hacker may have obtained them. If you also change the database password, update wp-config.php to match. New passwords make sure the hacker no longer has any access.
  5. Upload the Fresh WordPress Installation: Now upload a fresh copy of the latest WordPress version to your live server. Don't forget to edit the wp-config.php file. Refer to my article WordPress Security Tips, point no. 2, for more details on editing wp-config.php.
  6. Run the database upgrade: Now run the database upgrade by pointing your browser at /wp-admin/upgrade.php (for example: http://www.yoursitename.com/wp-admin/upgrade.php).
  7. Change the default admin user and password: Once the fresh copy is installed and your site is running, rename the default admin user to some other name you can remember and change its password. Refer to my article WordPress Security Tips, points no. 4 and 5, for more details.
  8. Check the Users and change the passwords: Check whether the hacker has created any users. Go through the user list and delete every user you don't recognize, paying particular attention to accounts with the Administrator role. Once you have the list of safe users, change the password of each of them, email them about the change and ask them to change it again themselves.
  9. Check your database for any back door: WordPress sites that have been hacked recently often carry injected iframes, <noscript> tags and display:none style attributes inside the post content. Running the following query against the database finds the posts that contain such code (wp_ is the default table prefix; substitute your own if you changed it in wp-config.php):
    SELECT * FROM wp_posts WHERE post_content LIKE '%<iframe%'
    UNION
    SELECT * FROM wp_posts WHERE post_content LIKE '%<noscript%'
    UNION
    SELECT * FROM wp_posts WHERE post_content LIKE '%display:%'
    Review every row the query returns before editing it: the display: pattern also matches legitimate inline styles, so delete only the injected markup. For more, please refer to the article How To Completely Clean Your Hacked WordPress Installation by Smackdown, point no. 8.
  10. Check the file permissions: There may be files or folders with permission 777, which the hacker can use to get back in. So check the file permissions and set the correct ones as follows:
            All folder permissions should be set to 755
            All file permissions should be set to 644
            Files that you want to edit in the WordPress theme editor can be set to 666, but 666 makes the file writable by every account on the server, so set it only while you edit and put it back to 644 afterwards
            Never ever use 777 for WordPress permissions
  11. The following plugins will be very helpful:
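As an added example that is not part of the original post, the following POSIX shell script collects the checks from steps 2, 9 and 10 above into a few functions: it greps a WordPress tree for the injected iframe, <noscript> and display:none indicators, runs the same search over a mysqldump file (the file-based equivalent of the LIKE query in step 9), and lists and then corrects permissions that are not 755/644. The sample site it builds in a temporary directory (the theme files, the 777 uploads folder and the two dump rows) is constructed for the demonstration and is not real data; on a real server you would call the functions on your own document root and dump file instead.

```shell
#!/bin/sh
# Added example, not code from the original post: shell checks for steps 2,
# 9 and 10 (scan theme files, scan a database dump, audit permissions).

# Indicators the post lists: injected iframes, <noscript> blocks and
# display:none styles used to hide spam links. Extended regex, matched
# case-insensitively so <IFRAME ...> is caught as well.
INDICATORS='<iframe|<noscript|display:[[:space:]]*none'

# Print every text file under directory $1 that contains an indicator.
scan_files() {
    grep -rIilE "$INDICATORS" "$1" 2>/dev/null
}

# Print matching lines (with line numbers) of a mysqldump file $1.
scan_dump() {
    grep -niE "$INDICATORS" "$1"
}

# List paths under $1 that are not 755 (directories) or 644 (files);
# world-writable 777 entries show up here.
find_bad_perms() {
    find "$1" -type d ! -perm 755 -print
    find "$1" -type f ! -perm 644 -print
}

# Reset everything under $1 to 755/644 (step 10). Kept separate from
# find_bad_perms so you can review the list before changing anything.
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed sample site (not real data): one clean template, one template
# with a hidden iframe injected after the footer, a 777 uploads directory,
# and a dump where one post carries an injected <noscript> block.
# Permissions are set explicitly so the result does not depend on umask.
make_sample_site() {
    site=$(mktemp -d)
    theme="$site/wp-content/themes/mytheme"
    mkdir -p "$theme" "$site/wp-content/uploads"
    printf '<?php get_header(); ?>\n<h1>Hello</h1>\n' > "$theme/index.php"
    printf '<?php get_footer(); ?>\n<div style="display:none"><iframe src="http://example.invalid/x"></iframe></div>\n' \
        > "$theme/footer.php"
    chmod 755 "$site/wp-content" "$site/wp-content/themes" "$theme"
    chmod 644 "$theme/index.php" "$theme/footer.php"
    chmod 777 "$site/wp-content/uploads"
    printf "INSERT INTO wp_posts VALUES (1,'Hello world','<p>Welcome</p>');\n" \
        > "$site/dump.sql"
    printf "INSERT INTO wp_posts VALUES (2,'About','<p>About us</p><noscript>cheap pills</noscript>');\n" \
        >> "$site/dump.sql"
    echo "$site"
}

# Walk through the checks on the sample site.
demo=$(make_sample_site)
echo "== files with indicators ==";           scan_files "$demo/wp-content"
echo "== dump rows with indicators ==";       scan_dump "$demo/dump.sql"
echo "== wrong permissions before fix ==";    find_bad_perms "$demo/wp-content"
fix_perms "$demo/wp-content"
echo "== wrong permissions after fix ==";     find_bad_perms "$demo/wp-content"
rm -rf "$demo"
```

Run it as `sh clean-check.sh`; on a real site replace the sample paths with your document root and the dump you took in step 1, and read the output of find_bad_perms before running fix_perms. Note that chmod does not remove a back door, so every file the scan flags still has to be opened and cleaned or deleted by hand.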