How to Clean & Recover a Hacked WordPress Site
A couple of days ago, I did something I normally try to avoid; I took to social media to rant. This was after I received a disheartening message via email, which prompted me to contact my web host, but the tech support did everything but help matters, hence the need to air dirty linen on Twitter.
Being who I am, I would have chosen to let this matter slide, but the kind of support I received from my web host when I needed help the most sucked big time. It was both a shocker and an eye opener. Now I’m a dissatisfied customer shopping for a new web host.
I mean, what did they expect after such poor customer support? One of the reps had the audacity to ask me to move my site elsewhere if I was dissatisfied. The nerve. Please recommend a great host in the comments, and put a smile on my face 🙂 But apart from the shoddy customer service, what was the cause of my woes? Here’s the story behind this disheartening email:
Recently, I fell victim to a really determined hacker who gained access to my WordPress site, eventually taking over my entire public_html directory. Or vice versa – I really don’t know how I was hacked as my web host failed to provide this info even after I inquired a couple of times.
Now, I had six WordPress sites living on this account. As a result of the hack, all of them were taken down as a security measure, which is totally understandable. But as the situation went completely out of control, traffic dwindled and I never received a single inquiry in the 72+ hours I was locked out of my businesses.
So I went to Twitter and made a lot of noise, after which a seemingly nice fellow named Matthew (thank you if you’re reading) came to my rescue. After Matt intervened I was able to recover my main site although it had suffered major blows in terms of core functionality. The other five websites weren’t as lucky, they had to bite the dust, leaving me with a bad taste in the mouth.
It was a frustrating and stressing experience especially with the little help I was getting from the support reps at Bluehost. Yes, I just snitched on you Bluehost. Suffice to say, this is the second time I have been hacked on their shared hosting package. I should start learning.
Disclaimer: My experience doesn’t discount the fact that you might been having a great time with the host – this is just my isolated experience.
What did Matt do differently? He made me a malware.txt file containing details of the corrupted files. Cleaning most of these files was easy, but it meant deleting important plugins and replacing core files that left my main site with serious incapacity. It was up though in no time, which was better than nothing.
I deleted the other five completely because they were corrupted and the backups – according to the support reps – were also corrupted. You know, like beyond repair. It’s a shame. Now I have to start work on five different websites, which is really disappointing for a big company such as Bluehost. Either way, I gave Matt a great review, but the other reps weren’t as lucky. But I’m still worried I might be hacked again, and it’s not the kind of mindset you need when running a business.
Ranting aside, getting hacked isn’t something you should ever wish on anyone, even your worst enemy. Even if you end up recovering your site, it will cause you unduly stress and cost you precious time and money. If your web host sucks like mine, you risk being hacked a second time. You will lose traffic and sales, and the bitter memory will take long to die. Your credibility lies on the line too, so yeah, getting hacked is no fun.
So what are you to do when some jerk somewhere hijacks your WordPress site, and destroys all the efforts; time, money and ambition, you’ve put in your project? Is there a number you can call? The internet police maybe? Is there a quick fix-it-all button you can click, and recover your site in minutes, rather than days?
Do you have to go through a harrowing experience like I did, or will your host of choice understand you’re already under stress for losing your digital assets? What is a WordPress user to do? Are hackers to be feared or can you protect yourself? Here are some tips that you can employ to hopefully never have an experience like I did.
They say prevention is better than cure, and I agree. WordPress security is key. At the same time, no matter how hard you try, the bad guys always seem to know exactly where to hit and break into your fortified website. This I say because I was using top-of-the-class security plugins on my websites, but I was still hacked.
Whether you’re a WordPress neophyte or a seasoned webmaster, you should always look into bolstering your WordPress security as opposed to trying to recover your site when it’s already lying in pieces. Before we discuss how you can restore your hacked WordPress website, let’s see what’s available out there in terms of preventative measures. How can you better your chances of remaining unshaken even if/when hackers throw everything they got at your WP-based online business? Here’s the juice.
Invest in a Great Web Host
What makes a great WordPress host? We’ve discussed how to choose the best WordPress host in the past, so I won’t go into the finer details. However, let’s mention a few important considerations to keep in mind when selecting the perfect web host.
Price vs. Value
First of all, you shouldn’t look into “pinching pennies” with your hosting solution. Low cost of hosting is primarily why I chose and stuck with Bluehost. I had no idea this would turn around and bite me in the a**.
I have a simple question for you, mi amigo. Would you rather pay $4 per month and risk getting hacked (+ poor service) , or $29 a month and get stellar and personalized service that’s tailored for your business? How much is your peace of mind worth?
In the recent past, I was so sure I was saving money by paying $4 per month for hosting. Now I know better, and I am contemplating moving to managed WordPress hosting. Unless of course Bluehost is willing to massage my ego with a huge birthday cake, or something. I’m kidding of course, but they should look into their customer care. You should consider managed WordPress hosting as well, if you don’t want to lose your business later on.
The problem with the $4 a month shared hosting plans is your site lives with a million other sites on the same server, which means if one of the other sites is compromised, you’d be lucky to escape the onslaught. If you collect/store customer data on your site, you don’t want this kind of info falling into the wrong hands. If you’ve invested time and money in creating great content, you don’t need some hacker to reduce it all to a Viagra-peddling homepage, or worse, nothingness.
We need to relocate to managed WordPress hosting people. Many of the more affordable hosts are already offering managed hosting plans, and if we ramp up the demand perhaps the prices will come down as a result. Sounds like a plan, right? Moving on…
Do we even need to talk about why your web host should provide great support? Being available at a moment’s notice is great, but I have had to wait more than 20 minutes to have a live chat session with a Bluehost support rep. And when they do show up, they aptly tell you they’re on multiple chats at the same time, as if you’re supposed to make up for their under staffing. Not cool guys, not cool.
So you end up wasting even more time on trivialities, since they are carrying over issues from other chats. Could this be the reason why they have terrible attitudes at times? But instead of pointing fingers, am I expecting too much out of $4 a month? Perhaps I am. Choose your web host carefully, or you could pay with the loss of traffic (or potentially your business).
That aside, do they have secure servers? What other security measures do they have in place? Will you be able to restore your WordPress site in case it’s hacked, or will they tell you your backups are corrupted too? Will they notice the intrusion long before the attacker causes serious damage, or will they shut down your site and notify you when it’s already too late?
Do you really have to stay on that shared hosting package? Is your web host secure, or do they leave you vulnerable to all manner of attacks? The only way to find the answers to these questions nad any others you might have is to read reviews (and this post counts as one) and do the necessary research. I mean it, just do it, and you’ll be surprised just how much you can learn about a company on the big WWW.
Get Clean WordPress Themes + Plugins
The hacker’s favorite playing field, themes and plugins (especially poorly coded types) provide easy access to your site admin. Right this minute, some hacker is probably trying to gain access to your WordPress site/blog using a poorly-coded theme or plugin. If a hacker uses a backdoor hack (hidden in a theme or plugin) to access the admin area, you’re roast goose. They can wreck havoc however they wish.
As such, it’s important to download themes and plugins from trustworthy sites. Are you looking for a clean theme? We recommend WPExplorer professional themes, Elegant Themes, Genesis and Themeforest. Need clean plugins? Check out the WordPress Repo and CodeCanyon. Know of any other trustworthy sites where we can get themes and plugins? Please share in the comments.
Update Themes + Plugins + WordPress
At times, a great theme or plugin might come with a security flaw. Usually, developers release updates to seal these security holes. However, if you don’t update your theme or plugins, you become an easy target for hackers who -in most cases – are aware of the security flaw. After all, info about the security flaw is available in the public domain, so yeah, hit that update button already.
Keep them themes and plugins up to date. Remember to upgrade your WordPress installation as well, or you’ll cry foul when hell breaks loose.
Backup Your WordPress Site
Don’t be the one to rebuild your WordPress site(s) from scratch like yours truly. With full and regular backups, you can restore your WordPress site with ease even if the hacker person tore it from the hinges and flung it all the way across Atlantic Ocean.
And please don’t make the mistake of assuming your web host keeps secure backups of your site, even if they proudly proclaim it in their marketing brochures. The only (and best) way to protect yourself is investing in a professional and reputable back up solution such VaultPress. Other options include BackWPup, blogVault, Sucuri.net and many managed hosts like WPEngine even offer their own backup options with various plans.
If you know your way around your web server, you can even create manual backups at regular intervals (and for added security we recommend taking your own manual backups in addition to one of the plugins mentioned above). Bi-weekly is a great schedule to start with. Just compress your WordPress website, and download it to your local machine. Download also the WordPress database, and save both on a secure folder on your computer. Ensure your computer is clean.
There are many WordPress backup plugins too to do your bidding, so worry not if you can’t find your way around a web server. You can read more about securing your WordPress website, and share your tips as well. Let’s move on, and see how we can recover your hacked WordPress site.
Want to learn more about how you can improve your WordPress security? Checkout the Sucuri WordPress Security Guide that cover essential steps you should take to keep your website safe.
How to Recover a Hacked WordPress Site
You just woke up, and your site isn’t there. Poof, gone with the wind just like that. You probably just got an email or text message letting you know
the proverbial rainy day is here you’ve lost the reins of control to some masked mongrel out there. What to do?
Your first reaction would be panic, which is alright since it means you’re still alive, and can do something about the hack – or if you’re really lucky – the hacker. But you shouldn’t worry yourself to the point of mental meltdown, we still need you. After all, the damage is often recoverable in no time.
You Can Still Login
With some hacks, you might still have access to your WordPress admin area. If this is you, you can recover your site easily by eliminating the damaged files and sealing the point of entry. Usually, Google and your web host will let you know when you’ve been hacked. They might even show you the hacked files and URLs.
All you have to do is login into your WordPress site, remove the affected files, or change your login details and update your entire WordPress installation. Just reinstall WordPress from your admin area. You might need to replace infected themes and plugins with new fresh copies as well.
Uh-oh, You’re Locked Out
Other times, a hacker may completely lock you out or have you locked out of your WordPress site(s). This happened in my case – I couldn’t login into any of my sites. How did I recover my site? I would love to tell you it’s easy, but I would be lying through the teeth.
First, contact your web host, and even if they aren’t forthcoming with the info, pressure them to provide details of the hack, including a list of the infected files. If the live support guys give you a hard time, give them a ring, and if that isn’t enough, just take the battle to them on social media. Many companies, not just web hosting companies, will think twice about tarnishing brand reputation on social media on the account of one disgruntled customer. Be polite however; don’t go hurling unprintable expletives. This is what I did, and sure enough, Matthew saved a malware.txt file in my server.
With such a file in place, cleaning and eventually recovering your WordPress site is a matter of eliminating and replacing affected files. Nevertheless, it can be a long process, especially if the damage is extensive since you have to find each affected file one by one.
However, with a file showing you where the infected files are, all you have to is login into your cPanel -> File Manager and delete/replace victimized files. Note, this might force you to delete entire plugins, and even themes. If you don’t use a child theme, and your parent theme happens to be infected, you’ll lose your custom design, but hey, at least your site is up! You can always replace plugins, so this shouldn’t be a problem.
Deleting core WordPress files will incapacitate your site in ways you definitely don’t want. The best course of action to take if this is the case is to replace affected files with new ones. Just ensure the replacement files are from the same version of WordPress you’re using. Otherwise, you’ll break your site. See why it’s important to keep your WordPress installation updated all the time?
If you have a reliable backup solution in place, your chances of recovering your hacked WordPress site increase tenfold. All you have to is rollback to a previous version of the site, and relax.
Note that after recovering your site, it might need some rebuilding. After you’ve reinstated your WordPress site (which means you can login to the admin area), check to ensure all core functions are working. Things to look for include widgets, contact forms, social media plugins and anything else tied to any affected plugin or theme.
For instance, after restoring my site, none of my forms were working since I had to delete Contact Form 7, the plugin that drives all my forms. I had to delete Jetpack as well so I lost social sharing, comments and RSS feeds among other features. I deleted All in One Favicon as well, and lost my custom favicon. I recovered all these features simply by reinstalling the affected plugins.
Note, the plugins in their own weren’t the problem, but since the hacker had access to my server, and admin access to my WordPress sites, they could add malicious code wherever they willed. I deleted WordPress SEO by Yoast as well, which means my SEO efforts tanked. I took the hit like a man is supposed to, and I’m still recovering.
Luckily the hacker didn’t seem bothered with my content. They/she/he/it didn’t add fluff and links to some phony sites like it happened in the past. I’m still rebuilding my site, and considering a site/content redesign. See? Getting hacked wasn’t all that bad after all. It opened my eyes to the things I was doing wrong, and gave me the impetus I needed to take action for the better. In fact, if Bluehost support reps hadn’t wasted so much of my time, I would have restored my site in no time, and spared them this detailed review.
Back to hacking, once you’ve cleaned your site, contact your web host to remove you from the blacklist. At the same time, recovering your hacked WordPress site won’t mean jack if you get hacked the second time. If the security holes are left unsealed, all your recovery work is in vain. Contact your web host, and let them advise you on how to seal the breach. At times, the problem could be another site on your shared hosting plan. While this might give you some peace of mind, you should upgrade to a more secure plan or invest in the security options aforementioned.
The most fundamental thing to do after restoring your site it to change all login credentials, admin email included. This will ensure the hacker doesn’t regain access to your website, or even your other online accounts. A word of caution: Even if you change your login details, the hacker might still be logged into your site, which defeats the whole purpose of obtaining new login details. What to do? Firstly, if you have several users on your site, ensure none was the point of entry. You can create new ones for your various users; writers, web designers, editor etc.
Secondly, you need to change security keys in your wp-config.php file to automatically logout all unauthorized users, including the hacker. Generating new security keys is easy peasy work. Just go to creating new security keys, generate new keys, login to your server and update wp-config.php with the new details. The process is rather straightforward we don’t expect you’ll run into any trouble.
What else am I forgetting? Let me see; in a nutshell this how to protect yourself, and recover your WordPress site should the unthinkable happen:
- First, get a better web host preferably managed WordPress hosting e.g. WPEngine
- Invest in WordPress security solutions – Firewalls, backups – the works. We recommend Sucuri.net, VaultPress, blogVault etc
- Create strong login details, and keep them private
- Clean your computer, and keep the software on it updated
- Update WordPress, themes and plugins
- Get themes and plugins from reputable sources
And should the worst happen:
- Don’t lose your mind, there’s always a solution. Rebuilding from scratch too is an opportunity to improve
- Contact your web host, and drive them insane
- Fix the problem or hire a professional (they are readily available)
- Rise from the ashes and soar up in the sky once more
- Be awesome, and perhaps document your experience to help another
Perhaps I left out some areas innocently, or you simply couldn’t recover your site with the tips shared here. Perhaps you just want to learn more. Who am I to stand in your way? After all, we really want you to recover your hacked WordPress site. So here’s a great list of resources to make your work easier:
- Oh Sh*#! What to Do When Your WordPress Website Has Been Hacked
- How to Fix a Hacked WordPress Website
- FAQ My site was hacked
At the end of the day…
Getting hacked is never a pleasant experience, and the world would definitely be a better place without unethical hackers who derive pleasure from malice. I have no problem with ethical hackers, who do their job to protect us.
All the same, you shouldn’t go into panic mode or suffer anxiety attacks when some ungrateful sod drives an iron rod through the heart of your WordPress site. With the right preparation, and by taking the right steps, you can recover a hacked WordPress site in no time.
Have you heard a nasty run-in with the scum of the internet? How did you recover? Share with us, and help us get rid of the menace that’s hackers one comment at a time.
I have about 40 websites on an account at Jiffynet and I’ve been with them since about 2007.
I highly recommend them. In the first few years their support was quick to reply, under an hour and often only20 minutes. In about the last 3 years their support response has slowed down to several hours, sometimes 24 hours but it is good and free support. In the early days before I realised I need to keep backups on my PC as well as onsite, one site was hacked. Jiffynet had a weekly backup which they installed and all was well again. A few years later another site was hacked, but its WordPress was 2 years out of date, so my fault. Now I keep all sites updated via MainWP plugin and important sites are backed up to Rackspace which for storage is incredibly cheap, like a few cents per GB.
Hey Stingraynut. I once had one of my sites hacked because I hadn’t updated the same for a long, long time. I hear you on keeping your WordPress installation updated, because a small security vulnerability can have devastating impact if the bad guys exploit it. Back ups too are great. Thanks for passing by, and sharing this great piece of advice. I will check out Jiffynet, they sound like a great hosting company!
The same happened to me with a hacker and Hostgator just deactiveted my account with no help at all. Now I am very happy with SiteGround and it excellent support.
It’s also a good idea to go through your entire installation directory-by-directory, looking for files that don’t belong or don’t seem right. Use your host’s file manager, or an FTP client that lets you view by date. And go all the way up to the server root, not just your public_html directory.
You’ll be looking for files with strange names, directories with timestamps that don’t make sense, php files in your uploads directories, images with executable privileges. If you find something, open it in a text editor and you’ll see all kinds of bad things.
Great is your contribution McGee, but only if you know your way around a typical web server. For any beginner, this might be a bit confusing, as they risk deleting core files if they’ve never tinkered with web servers before. Beginners can get help from the support rep (a great guy like Matt) who will point out the files that need to go. Thanks for passing by, and adding your thoughts to the discussion. You are highly appreciated!
Sorry to hear you were hacked. That’s a stressful situation and I have been through an experience like yours once.
What I suggest is having a remote backup solution. I use BackWP Up and I save the backups through FTP on a desktop I own. I keep 10 versions of the backups, so that I don’t end up with a damaged one.
Regarding hosting, I suggest SiteGround. I use them for over an year and they have the best support ever. Search the net for reviews to them, you will be amazed. Their business offer is good as well, with highly performant servers and security.
Whoa! What great tips and recommendations you have Muad_Dib. I have heard great things about Siteground. Thanks for the comment 🙂
As the owner of a high traffic blog i hate to be busy with these kind of things, although very important. What people seem to forget is that a managed hosting provider can safe you a lot of time!
Nicely comprehensive summary. Backups being the most important aspect of a good website security plan.
Expect the worst. With a good backup plan in place you’ll be ready for “the worst.”
Great comment Jim Walker. Thanks for sharing!
Many backups. I manage quite a few sites and have BackupBuddy make automatic, weekly backups (files and database) that are stored on Dropbox. I keep 3 months of weekly backups and before that 3 months one backup a month for another 3 months. I have had two sites hacked because of easy passwords and had to go back 4 and 3 weeks respectively to get a ‘healthy’ backup.
Also I change user names and passwords when something like this happens. And, as Freddy says, update, update and update.
Great security tips! Thank you for sharing 🙂
Really an useful post, even I’ve faced same problem.
If my site is hacked,and afterwards I’m using the back-up,I lose my shares and likes,g+1’s and so on?
Nope! That information isn’t stored on your WordPress installation, it’s stored on Facebook, Twitter, Google etc.
Thank you very much.
You’re welcome George. Comment much appreciated!
I am not a fan of Blue host… but a bit of clarity here is that it was probably not your host to blame for this but you. WordPress users in my 20 years of experience on the web are notorious for goin out of the box, ignoring hardening recommendations and leaving plugins installed but disabled if they aren’t using them (you are still at risk). Not having regular checked backups, live firewall /malware alerts, maintaining site up to date code are all symptoms of bad administration not bad hosting. Having said that you host seemed entirely unhelpful which is not surprising when you pay for cheap hosting.
Couldn’t agree more Shmeg333, thanks for your valuable input. AS you put it, we all need to be proactive in matters of security as opposed to leaving the whole job to the web host. Check out WordPress Security: Is Your WordPress Site Really Secure? and WordPress Security Tips for more security tips. Once again, thank you for contributing!
Wowsa a huge thank you for ALL the useful info. My website was hacked and I was using Bluehost. my experience with them is the same as yours…I would NEVER ever recommend them. I am not a techy person so a friend is helping me reload my website etc. When this is done I have a new hosting company in mind and have asked the questions you mentioned. Bluehost are the pits. They have caused me many sleepless nights due to worry.
Excellent article. The experience of being hacked is really a bad one, considering the fact that the website takes time to build. The effort and money invested in the website makes the hacking experience much worse.
Thanks for the great article!
Helpful article. Its really painful to got website hacked. Few month ago one of hacker email and ask me to improve my site security. But I cannot fix the security issues due to my busyness. After few days hey/they hacked my site and I face lots of problem. I am a web designer and developer, therefore I need to show my website with portfolio to clients to get job. When my website is hacked, how can I do that. My income gone down. The I have taken some time and fix the issues. But its taken a long time.
Thanks for sharing this article. It will be helpful to lots of people.
Hello, friend my question is that, please tell how to secure wordpress blog /site from hackers? Is this responsibility of hosting providers or my-self. Kindly tell some plugins for wordpress.
I would say it is the responsibility of both of you, but it depends. For example if you are using a managed hosting plan then your host should be in charge of helping you secure your site and also help with any issues you have. However, it’s your responsibility to keep backups of your site, make sure your passwords are secure and make sure you aren’t installing any themes/plugins from untrusted sources. If you have any doubts though be sure to ask your host. Some hosting providers will help keep your site safe while others may put all the responsibility on the user.
Great article! Thank you for sharing this great experience and advice to recover website from hacking. Yes, We have to always keep up the separate backup of site.
i visit your blog daily and found new things and this is all tips are
great but i want to know can i apply this tips on custom php website
or just for wordpress only?
Waiting to your reply
This tips are for WordPress only for a custom PHP website the steps are going to depend 100% on how the site has been created.
Great tips and definitely worth sharing. Thank You for the info!
Very nice post. Really i like it. thanks for sharing with all of us. Have a great day.
Good read, but I think we shouldn’t over complicate the solution. I highly recommend changing passwords frequently and hardening your wordpress logins. If you don’t there is a good chance your site will get hacked. I run a web design agency in Sydney and I come across hacked sites all the time. I use these guys (siteguard.com) to clean hacked sites and to prevent sites from being hacked. They’re top class. There are plenty of options around, just make sure you go with someone who knows what they are doing.