Our guide to fixing hacked WordPress sites, including all the stages you need to consider when dealing with a compromised website.
This guide is aimed at helping 34SP.com clients who find their WordPress site has been hacked, though it can be applied to most software and hosting companies. We will explain what’s happened to your website, what steps we’re going to take to get you back on your feet and also what steps you can take to help us.
First and foremost: don’t panic! Being hacked is a scary and frustrating thing, especially when your site is of critical importance. At 34SP.com we want to both help minimise disruption but also help address the issue so your WordPress site doesn’t keep getting hacked over and over.
We understand the stomach turning sensation of finding out your site has been hacked. Don’t worry, our team are here to help and we will do our very best to get you back up and running as quickly as possible. We will also work to ensure your site is restored in as clean and safe a state as possible - the last thing anyone wants is for the hack to recur.
Most people's understanding of a web site being hacked comes from headlines in the media where data is stolen and then sold or simply dumped online. These targeted hacks can result in huge damage to businesses but on the whole are very rare.
Most hacks that we see on our platforms are automated attacks; rather than targeting a specific site, attackers exploit known vulnerabilities in software such as a WordPress plugin, then try that same vulnerability against as many sites as they can. The content on sites infected by these automated attacks is irrelevant to the hackers. Instead they’re looking to extort you or abuse the resources of your hosting account.
While each hack is slightly different, the most common types of hacks can be categorised as:
WordPress sites get hacked for a variety of reasons, but the number one reason is failing to keep things up to date, including WordPress core, plugins and themes. When vulnerabilities are found, most developers patch (fix the vulnerability in) their plugin or theme before the vulnerability is announced to the world. This means if you’re running the latest version, the vulnerability won’t affect you.
There are other ways sites get hacked though, for example having weak passwords for logins such as FTP users. If someone can guess your password they can do anything you can do. Check out our article on password security if you need some help.
Another way that sites are hacked is by tricking an admin user into triggering an action which causes files to be uploaded. In some cases our Web Application Firewall rules can help stop these, but if the firewall doesn’t know the action is malicious it will allow it through.
Finally, if you give site visitors the ability to upload files (intentionally or not) and don’t have adequate safeguards this too can result in those files being used to hack your site.
People attempting to hack sites often use combinations of the above techniques to try to gain entry to your site. Once they have hacked your site they often then create additional ways to gain entry. These "backdoors" on the site ensure they have access even if the first method is discovered and fixed. This is why we say if you’ve been hacked once, you have been hacked numerous times.
Again, don’t panic! Most of these hacks are preventable; once we have cleaned your site, we will help you try to prevent it in the future.
For most of our clients, the first time they know they have been hacked is when we contact them directly.
We proactively monitor our network and we constantly look for unusual activity across our hosts, for example a site that suddenly starts sending hundreds or thousands of emails. One of our systems team will look in the mail queue and check whether the emails being sent are genuine. We don’t need to read the emails in detail; we simply look at the headers and subject. It’s very easy to spot spam email versus a newsletter being sent.
Likewise, we monitor spikes in traffic on our network. Each server and product has its own usage agreements, but normally we limit the amount of traffic these systems can send (packets per second), and if it’s exceedingly high a member of the team will investigate. We also regularly run virus scans across our servers to detect malicious content.
Additionally, our servers run Web Application Firewalls which monitor traffic being directed at them. While this only shows what a remote user is trying to access, it can produce information that helps spot hacks.
On our WordPress hosting we also proactively check certain plugins and WordPress core files to make sure they haven’t been modified maliciously. Each platform has its own specific set of security tools designed for that platform. Of course, it’s possible that we didn’t spot the hack. Often a hacked site can sit dormant for weeks or months. The site might be off our radar until the hack’s payload is deployed.
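The core-file check described above, as an added example in Python that is not 34SP.com’s own tooling: it compares every file in a WordPress tree against a known-good manifest (relative path to md5, the same shape as the wordpress.org core checksums API) and buckets the differences. The file contents, paths and the `class-extra.php` drop-in are constructed for the demo, not real WordPress source.

```python
import hashlib
import os
import tempfile
from typing import Dict, List

def md5_of(data: bytes) -> str:
    # wordpress.org publishes an md5 per core file, so the manifest uses md5 as well
    return hashlib.md5(data).hexdigest()

def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Known-good manifest: relative path -> md5 hex (the shape of the core checksums API)."""
    return {path: md5_of(content) for path, content in files.items()}

def verify_tree(root: str, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Walk root and bucket every path as modified, missing or unexpected.
    Unexpected files deserve the first look: a dropped-in PHP file under
    wp-includes/ that the manifest never listed is the classic backdoor."""
    on_disk: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                on_disk[rel] = md5_of(fh.read())
    return {
        "modified": sorted(p for p, h in manifest.items() if p in on_disk and on_disk[p] != h),
        "missing": sorted(p for p in manifest if p not in on_disk),
        "unexpected": sorted(p for p in on_disk if p not in manifest),
    }

def demo() -> Dict[str, List[str]]:
    """Stage a constructed WordPress-like tree: one file tampered, one deleted, one dropped in."""
    clean = {  # constructed contents, not real WordPress source
        "wp-login.php": b"<?php // constructed clean login file\n",
        "wp-includes/version.php": b"<?php $wp_version = 'x.y';\n",
        "wp-admin/index.php": b"<?php // constructed admin index\n",
    }
    manifest = build_manifest(clean)
    staged = dict(clean)
    staged["wp-login.php"] += b"// appended line simulating tampering\n"
    del staged["wp-admin/index.php"]  # simulates a deleted core file
    staged["wp-includes/class-extra.php"] = b"<?php // constructed: not in manifest\n"
    root = tempfile.mkdtemp(prefix="wp-integrity-")
    for rel, content in staged.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return verify_tree(root, manifest)
```

On a live install, the same comparison against the wordpress.org checksum API is what WP-CLI’s `wp core verify-checksums` performs; the point of the manifest approach is that the reference hashes come from a clean source, never from the possibly compromised site itself.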
Sometimes clients will spot files they are sure they didn’t upload, or they might have a plugin that spots hacked files and it flags issues.
However a hacked WordPress site is initially discovered, once alerted the same process is followed, and a member of our team will investigate.
Once something has been flagged as possibly hacked, a member of our team will be tasked with investigating your site.
During the investigation phase we start by confirming if a site is actually hacked. False positives can and do occur and we only begin our hacked site process as a last resort.
Once we have identified one or more hacks, we look at the initial impact of the hack as a starting point and quickly lock that down. Where practical we will make sure any hacked files cannot be accessed except by our team and that any malicious processes or emails being sent are immediately stopped.
This can result in some immediate loss of features on your site, but your site should still be operating. There are times when this is not practical, for example if your site’s index page has been hacked or in the case of ransomware. If keeping your website up and running is a danger to you or anyone visiting the site - we will take steps to take the site offline.
At this point we also take a snapshot of your website using the snapshot feature in your control panel. This means you will always have access to your site content, files and any custom settings.
If we aren’t already in touch at this stage we will also get in touch. While we don’t wish to cause panic, an urgent resolution is best for everyone and we need to get in contact as soon as possible.
Due to the nature of hacked sites our initial contact will always be with the account owner. We will ask you to authenticate a support ticket to allow us to carry out work on your behalf. We will also ask you to nominate a single point of contact for the duration of the case. It’s likely we will need to undertake a lot of work in a very short period of time; it’s important we can speak to someone quickly to let them know what is going on and ask them questions about the site setup if need be.
Normally this person is the site owner but it can also be a technical contact. If the contact is not already listed on your account, you will need to add them as a technical contact in your control panel.
During this initial contact we will explain what was discovered during the investigation phase and guide you on how to access the snapshot. We will keep this available to you for as long as you need it, and you don’t have to download it straight away. The snapshot is also kept on a server separate from your content.
Understandably, you probably have a lot of questions for us at this point, and please don’t hesitate to ask! Do be aware though that some questions might be hard to answer, here are some of the more common hack queries we’re asked:
To a limited extent we can assess if your site data was targeted; that said, if you store confidential data, you should assume this has been compromised regardless.
Once we’ve answered your questions we can start the cleanup of your WordPress site. This is the stage most clients dread as we can’t simply restore from a backup - we just don’t know if that has or hasn’t been hacked.
The steps we take to fix your website are as follows:
After these first few steps to fix your website, your site might not look the same - don’t panic! We can only access themes and plugins found on the wordpress.org website. If you bought your theme from somewhere else we won’t have access and we need your help.
If you don’t have a copy of the theme files to hand, you will need to go to the company or website you purchased the theme from and re-download the theme. Once you have the zip file of the theme, within WordPress go to Appearance -> Themes -> Add New -> Upload New and upload and activate the theme. Your theme should now be added.
You may also need to repeat this step for any premium plugins your site uses. Again, we can’t access any premium themes or plugins and we can’t simply restore from a backup - to prevent hack recurrences, we have to assume your backups are also infected. It’s critical your site is restored from known clean sources such as wordpress.org or the theme/plugin developer.
With your theme and plugins back in place our team can help get your site looking more like it was before. If you made custom changes to files to alter your site appearance we won’t be able to help you put those back. Likewise some plugin settings may be lost. While you can refer to your snapshot to get back online, we strongly discourage copying directly from the snapshot files - or you may simply reinstate the hack all over again.
At the end of this restoration process it’s important to understand what might be lost:
It may take some time to spot all the little differences, so it’s worth thoroughly going through your site and checking everything.
During this process our team is on hand to help. We want to get you back up and running as quickly as possible with minimal disruption, but we also have a responsibility to make sure we are confident we are not restoring hacked content. As such, do note that we won’t restore specific files from the snapshot - we can’t underscore enough how important it is to proceed under the assumption that all files are infected.
After a site is cleaned and you feel you’re getting back to normality it’s a good time to take stock and review. Again our team is on hand to help where possible and you can speak to one of our WordPress specialists about improving security on your site.
Here are some important points to consider when securing a WordPress website:
If you are using our Professional Hosting or Business Hosting platforms for your WordPress site, talk to our team about moving to our WordPress Hosting. This platform is designed from the ground up specifically for WordPress and has several more advanced security features in its core design.
Depending on your business there are some organisations you may need to contact following a hack of your site:
If Google is displaying your site with a red screen and malware warning you will need to let them know the site has been cleaned.
While we don’t want to downplay the seriousness of a WordPress site being hacked, it is sadly a reflection of everyday life on the web. It’s upsetting and the feeling of violation is normal. If you have read through this guide we hope we have removed some fears and given a clear outline of the steps to clean up a hacked WordPress site.
While the ramifications of hacks can take time to go away, they normally have no long-term negative effects if dealt with correctly. Our goal is to get you back up and running as soon as possible and to remove as much of the stress from this situation as we can.