How to fix a hacked site.

Posted 4th October, 2018

Millions of WordPress websites get hacked every year. "Hacked" is a very general term meaning that a third party has gained access to a website for a malicious reason (we list some here), and it can show itself on your website in many different ways. This guide assumes that you know, or suspect, that your website has been hacked.

Save yourself time and let us clean up your website for you. We will do this for a one-time fee, or on our subscription plan with no minimum commitment, and we will also put steps in place to protect your website in future.

The Ultimate WordPress Cleanup Guide

These are the steps our team members follow when cleaning up a WordPress website that has been hacked. It covers preparation, cleaning and future protection. Note that every infection is different.

1. Take a copy of the site and database

We will be making substantial changes to the WordPress files and database over the next few hours, including replacing core files and editing the database. It is therefore extremely important to take a copy of the site exactly as it is right now, so that we can roll back.

Obviously the copy we are taking is infected, so this backup is a worst-case option. If any of the steps below is complicated or takes a long time, take another backup afterwards. Backups should be taken of both the files and the database. Keep the infected copy somewhere that is not web-accessible, and keep it after the clean-up: it is the evidence you will need when working out how the attacker got in.

The Fixed.net backup tool is free of charge for sites up to 1GB, and keeps backups for 7 days.

2. Check for older backups

Have any other backups of the website been taken prior to the hack? If so, it may be possible to roll back the site to a previous version. Even if a backup is restored, still follow each step of this guide to ensure the site is fully clean: a backup may predate the visible damage but not the initial compromise, and the hole the attacker came in through will still be there.

3. Take the website offline

It is advisable to take the website offline.
This achieves three things:

- It stops visitors being infected by malicious content on the website.
- It prevents further exploitation, especially while we clean the site.
- It prevents a broken or hacked site being further indexed by search engines.

The quickest way to take the website offline on an Apache host is a .htaccess file in the web root with the following content (replace 1.1.1.1 with your own public IP address):

Order deny,allow
Deny from all
Allow from 1.1.1.1

This will show all other website visitors a 403 Forbidden message. Note that this is Apache 2.2 syntax; Apache 2.4 still honours it through mod_access_compat, but the native 2.4 form is a Require all denied directive followed by Require ip with your address. Hosts running nginx ignore .htaccess files entirely, so there the block has to go into the server configuration instead.

Alternatively, a plugin such as Easy Coming Soon can be installed, which shows visitors a holding page. Bear in mind that a plugin still runs the (possibly compromised) PHP application for every request, so the .htaccess approach is safer while cleaning.

4. Clear out website caches

WordPress supports various caching plugins, which speed up a site by serving a stored copy of a page rather than generating it live. To ensure that our fixes take effect, and that no infections are lurking in the cache files themselves, we need to clear these caches.

These caches can be cleared in the WordPress Admin Area, but we can empty the cache folders more thoroughly over FTP, SFTP or SSH. Cache locations are as follows:

Software          Location
WP Super Cache    wp-content/cache
W3 Total Cache    wp-content/cache
WP Rocket         wp-content/cache

Each plugin keeps its own subdirectory under that path. You should also check the WordPress configuration file (wp-config.php) for any custom cache location. These caching plugins can also be removed entirely from the wp-content/plugins directory and re-added later.

5. Replace the WordPress core

The WordPress core means every WordPress file except the wp-content directory and the wp-config.php file.

Attackers often place malicious files among the core files, disguised with system-looking names (for example wp-includ.php, wp-authentication.php or wp-I-am-not-a-hacked-file.php), or append code to genuine core files.

The WordPress command line interface (WP-CLI) can check the core for you with the command:

wp core verify-checksums

This compares every core file against the checksums published by WordPress.org and reports files whose checksum does not match, as well as files under wp-admin and wp-includes that are not part of the release, which is exactly how a look-alike such as wp-includ.php gets caught. It does not look inside wp-content; steps 8 and 9 cover that. Alternatively, the core can simply be replaced:

- Download the latest stable version of WordPress from WordPress.org.
- Having confirmed that the backup from step 1 succeeded, delete every folder and file in the web root other than wp-content and wp-config.php, including wp-admin and wp-includes.
- Upload the fresh copy of WordPress, leaving out its wp-content folder so that it does not overwrite yours. The download does not ship a wp-config.php, so your own configuration file is untouched.
- Navigate to the WordPress site to ensure that it loads.
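As an added example (not Fixed.net's own tooling and not WP-CLI's code), the following shell script re-implements the comparison that wp core verify-checksums performs, so that the three failure modes are visible: a core file whose checksum has changed, a core file that has gone missing, and a file under wp-admin or wp-includes that the release does not contain. The real command fetches the checksum list from api.wordpress.org; here the manifest and a tiny stand-in for the WordPress tree are constructed inside the script (the file names, contents and version are made up, not a real release), so it runs offline on any Linux host with md5sum, find and awk.

```shell
#!/bin/sh
# Added example: offline re-implementation of the core checksum comparison.
# Not Fixed.net's code. Manifest lines are "<md5>  <relative path>", the
# format md5sum -c reads; the real list comes from api.wordpress.org.
set -eu

# verify_core ROOT MANIFEST
# Prints MODIFIED / MISSING for manifest entries that do not match the tree,
# and UNEXPECTED for files under wp-admin/ or wp-includes/ that the manifest
# does not list (where look-alike names such as wp-includ.php hide).
# Returns 0 only when nothing was reported.
verify_core() {
  root=$1; manifest=$2; problems=0
  while read -r md5 rel; do
    [ -n "$rel" ] || continue
    if [ ! -f "$root/$rel" ]; then
      printf '%-10s %s\n' MISSING "$rel"; problems=$((problems + 1)); continue
    fi
    actual=$(md5sum < "$root/$rel" | cut -d' ' -f1)
    if [ "$actual" != "$md5" ]; then
      printf '%-10s %s\n' MODIFIED "$rel"; problems=$((problems + 1))
    fi
  done < "$manifest"

  # Anything in the core directories that the manifest does not know about.
  listing=$(mktemp)
  find "$root/wp-admin" "$root/wp-includes" -type f > "$listing" 2>/dev/null || true
  while IFS= read -r f; do
    rel=${f#"$root/"}
    if ! awk -v p="$rel" '$2 == p { found = 1 } END { exit !found }' "$manifest"; then
      printf '%-10s %s\n' UNEXPECTED "$rel"; problems=$((problems + 1))
    fi
  done < "$listing"
  rm -f "$listing"
  [ "$problems" -eq 0 ]
}

# build_fixture DIR: constructed stand-in for a WordPress tree plus its
# manifest (invented contents, not a real release), followed by three
# kinds of tampering that verify_core should report.
build_fixture() {
  dir=$1
  mkdir -p "$dir/wp-admin" "$dir/wp-includes"
  printf '<?php\n$wp_version = "4.9.8";\n' > "$dir/wp-includes/version.php"
  printf '<?php\nrequire_once "admin.php";\n' > "$dir/wp-admin/index.php"
  printf '<?php\nrequire "wp-blog-header.php";\n' > "$dir/index.php"
  ( cd "$dir" && for f in index.php wp-admin/index.php wp-includes/version.php; do
      printf '%s  %s\n' "$(md5sum < "$f" | cut -d' ' -f1)" "$f"
    done ) > "$dir.manifest"
  # Tamper: append a backdoor to a core file, add a look-alike, delete a file.
  printf '<?php eval(base64_decode("cGhwaW5mbygpOw=="));\n' >> "$dir/index.php"
  printf '<?php // not part of WordPress\n' > "$dir/wp-includes/wp-includ.php"
  rm "$dir/wp-admin/index.php"
}

# Stand-alone run: build the fixture in a temporary directory and report.
work=$(mktemp -d)
build_fixture "$work/site"
verify_core "$work/site" "$work/site.manifest" || echo "core tree needs cleaning"
rm -rf "$work"
```

Against a real site, point verify_core at the web root and at a manifest built from a clean copy of the same WordPress version; an UNEXPECTED line is the interesting one, since a modified core file is fixed by step 5 anyway while an extra file is something the attacker put there.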
6. Manually check the wp-config.php file

The WordPress configuration file holds the key settings, such as the database connection details. Read through it manually for anything anomalous: include or require lines you did not add, encoded strings, or settings you do not recognise. It can be compared with the wp-config-sample.php file in the WordPress download.

If in any doubt, replace the wp-config.php file with a fresh copy of wp-config-sample.php, updating the database credentials (and any other settings the site needs) as required.

7. Manually check the .htaccess file

Some of the sneakiest WordPress hacks target specific visitors only, for example those arriving from Google or from a search engine crawler, and leave everything looking normal to the site owner. These often work by editing the .htaccess file.

The .htaccess can be cut down to include only the following code:

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

The RewriteBase and final RewriteRule lines may need updating if WordPress is installed in a subdirectory. Check for additional .htaccess files in subdirectories as well: attackers drop them into wp-includes or wp-content to make other extensions executable or to redirect particular user agents.

8. Clean plugins and themes

There are a few ways to clean themes and plugins.

Quick fix

The simplest is to remove and reinstall them:

- Log in to the web server using FTP or SSH.
- Delete all of the themes and plugins, taking a note of their names. It is important to do this from the file system and not the WordPress admin area; removing them from the latter also clears their configuration from the database.
- Log in to the WordPress admin area.
- Re-install the themes and plugins from scratch. There is no need to reinstall plugins and themes that are not activated or being used.

This resets your themes and plugins to the clean versions from the WordPress repository.

Detailed scan

If the themes and plugins are custom, or not available in the WordPress repository, then the files need to be searched for malicious code:

- Maldet (Linux Malware Detect) should be run against the whole wp-content folder.
- Files can be searched for base64_decode, exec, eval and preg_replace (the last is dangerous with the /e modifier, which executes the replacement string as PHP). False positives will turn up, since legitimate plugins use these functions too, so investigate each hit in context rather than deleting on sight.
- Sort files by last-modified date and look at the latest changes and uploads, bearing in mind that attackers can reset timestamps, so an old date proves nothing on its own.

9. Clean the uploads folder

The uploads folder is where WordPress stores uploaded media. There should be no .php or other executable files here. A .php file uploaded here can be requested directly from the browser, giving a third party a shell on the server from which they can read and change any file on the website.

Connect over SSH, navigate to wp-content/uploads/ and run the following command:

find . -type f -name "*.php"

Alternatively, use an FTP client to search for .php files. Any found can be removed; look for .phtml and .php5/.php7 variants as well, since Apache may be configured to run those too. As a further preventative step, a .htaccess can be added to the wp-content/uploads folder so that PHP files there are never executed while images are still served:

<FilesMatch "\.php$">
deny from all
</FilesMatch>

A bare deny from all in this folder would also block every image and document in uploads, which is why the rule is restricted to PHP files. As with step 3, this is Apache 2.2 syntax (Require all denied on 2.4) and has no effect on nginx, where the equivalent rule belongs in the server configuration.
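As an added example for steps 8 and 9 (not the page's or Fixed.net's own tooling), the following shell functions implement the three checks just described over a wp-content tree: a search for the risky PHP constructs, a listing of PHP files under uploads/, and a listing of the most recently modified files. The plugin, theme and upload paths below are invented and built inside the script so that it runs offline; the pattern goes beyond the page's four keywords by also catching preg_replace with the /e modifier and request parameters called as functions, which is how a one-line web shell usually looks.

```shell
#!/bin/sh
# Added example, not Fixed.net's tooling: triage scan of a wp-content tree.
set -eu

# Extended regex for constructs that rarely appear together in honest code:
# eval/assert/create_function, preg_replace with the /e modifier (executes the
# replacement as PHP; removed in PHP 7), the decoders that usually feed them,
# and a request parameter invoked as a function ($_POST['x'](...) is a classic
# minimal web shell).
SUSPICIOUS='eval *\(|assert *\(|create_function *\(|preg_replace *\(.*/e|base64_decode *\(|gzinflate *\(|str_rot13 *\(|\$_(POST|GET|REQUEST)\[[^]]*\] *\('

# scan_code ROOT: "file:line:text" for every suspicious line in .php/.js files.
# /dev/null is passed alongside so grep always prints the file name.
# Expect false positives from legitimate plugins; read each hit in context.
scan_code() {
  find "$1" -type f \( -name '*.php' -o -name '*.js' \) \
    -exec grep -nE -- "$SUSPICIOUS" /dev/null {} + || true
}

# php_in_uploads ROOT: anything executable-looking under uploads/, where only
# media belongs. Covers the alternative extensions Apache may still run.
php_in_uploads() {
  find "$1/uploads" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) 2>/dev/null || true
}

# recent_files ROOT N: the N most recently modified files, newest first.
# Attackers can reset mtimes, so an old date is absence of evidence only.
recent_files() {
  find "$1" -type f -exec ls -t {} + | head -n "$2"
}

# build_sample DIR: constructed wp-content tree with one clean plugin file,
# one backdoored helper, one web shell in uploads, an image and a theme file.
# All names are invented for the example.
build_sample() {
  mkdir -p "$1/plugins/contact-widget" "$1/uploads/2018/10" "$1/themes/site"
  printf '<?php\nadd_action("init", "cw_init");\n' > "$1/plugins/contact-widget/contact-widget.php"
  printf '<?php\n$c = $_POST["x"];\neval(base64_decode($c));\n' > "$1/plugins/contact-widget/class-helper.php"
  printf '<?php @preg_replace("/.*/e", $_REQUEST["q"], "");\n' > "$1/uploads/2018/10/image.php"
  printf 'GIF89a\n' > "$1/uploads/2018/10/logo.gif"
  printf '<?php get_header();\n' > "$1/themes/site/index.php"
}

# Stand-alone run over the constructed tree.
work=$(mktemp -d)
build_sample "$work/wp-content"
echo "== suspicious code =="; scan_code "$work/wp-content"
echo "== php under uploads =="; php_in_uploads "$work/wp-content"
echo "== most recently modified =="; recent_files "$work/wp-content" 5
rm -rf "$work"
```

On a real site, run scan_code and php_in_uploads against wp-content after the quick-fix reinstall in step 8: every remaining hit is then either in custom code, which needs reading, or in a file that should not exist at all.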

10. Clean up users and permissions

Some hacks add extra users, or elevate existing ones, in the WordPress database. Sanity check the wp_users table (the wp_ prefix may differ on your site) and the wp_capabilities rows in wp_usermeta, and review the administrator accounts in the WordPress admin dashboard or with the WP-CLI command wp user list --role=administrator. Remove any account you do not recognise.

If required, users can be fully reset to the WordPress default using the extreme database technique below.

All user passwords should be changed.

11. Ensure themes and plugins are still supported

Third-party themes and plugins are built by independent developers. If they go out of business or disappear, those themes and plugins will not be updated and vulnerabilities will no longer be fixed. Check that the plugins the site uses are still maintained. If not, replace them with alternatives.

12. Check and clean the database

Sometimes code is placed in the database which runs an exploit when a page is loaded, for example a script tag injected into post content or a serialised option. The same PHP functions used in file-based exploits turn up here. Databases can be searched for the following terms:

base64_encode, exec, base64_decode, preg_replace, eval

It is also worth searching wp_posts and wp_options for <script src= and <iframe pointing at domains you do not recognise. These references should be investigated and removed if required. The simplest way to search is to export the database (mysqldump, or wp db export) and search the dump file with the same patterns used for the file scan in step 8.

Extreme database fix

Similar to the files, WordPress has core tables plus additional tables added by plugins. For most websites, the real value in the database is the pages and posts it stores.

An extreme fix is therefore to install a brand new WordPress database and retrofit the content of the wp_posts table into it.

Note that this requires creating new users, reconfiguring themes, re-adding pages and more. However, it essentially creates a new version of the WordPress website with a clean database.

13. Update everything

Now that the infection has been removed we need to close the hole. We should do the following:

- Update WordPress (this should already be up to date as we have replaced the core, but we can confirm it in the WordPress admin area).
- Update all themes and plugins.
- Remove any unused themes and plugins.

14. Run a security scan

Run a scan against the website to find any known vulnerabilities. Fixed.net includes a free vulnerability scanner for all websites.
15. Change all passwords

This includes:

- hosting passwords
- FTP passwords
- database passwords (update the wp-config.php file)
- WordPress admin passwords

Also regenerate the authentication keys and salts in wp-config.php. This invalidates every existing login cookie, including any the attacker is still holding, which changing passwords alone does not do.

16. Bring the site back online

If your host has taken your site offline, you can now ask them to unblock it. You should also remove the lines you added to your .htaccess file in step 3.

17. Remove site blacklistings

If third-party scanning sites have marked the site as containing malware, they will still be blocking access, as this is not real-time. Site re-scans can now be requested in some cases; in others the scan may take a few days.

18. Take a backup

Take a backup now and set up regular backups. This can be done with Fixed.net.
