Clean a hacked WordPress site or remove malware quickly
There are many reasons a website can get hacked, injected with malware, blacklisted, or DDoSed. The latest security report by SUCURI shows that over 95% of CMS infections affect WordPress-powered websites.
How to tell if your WordPress site has been hacked?
A hack can be subtle or telltale, depending on the hacker’s motive.
For instance, one of my friends who has a tech blog discovered the hack when thousands of random posts appeared. Afterward, he noticed many unauthorized user accounts.
Besides, a sudden drop in organic traffic signaled something wrong. And mind you, it took a good six months to recover to the pre-hack levels.
But while it’s not always this easy to spot a hack, here are a few signs that might indicate a compromised WordPress website.
You can’t log in
This is an outright attack on your web property. You may notice WP-admin isn’t working for you anymore.
The hacker might have changed the credentials or deleted your account. In this case, you will observe that ‘Lost your password?’ isn’t useful either.
It’s not loading
While a website can run into such errors because of many reasons, a cyberattack is one of them. In particular, the target could be a very high-stakes website where a few minutes of downtime could result in huge losses.
But if it isn’t that big a project, then a skilled hacker usually doesn’t resort to such basic tactics because it (in addition to the first) makes you suspicious and pushes you to work towards the solution.
Hacks can also send your audience to parody websites to defraud them of their hard-earned money or valuable personal information.
This is accomplished with hyperlinks planted smartly within your well-performing posts or most visited pages. Consequently, it becomes extremely tough to realize the situation and clean up afterward.
Suspicious Ads & Popups
Almost all websites use advertisements to boost their revenue. So, it’s common for hackers to exploit this fact and place their ads to illegally monetize your traffic. These fake ads can also be used to redirect website visitors, as discussed in the previous section.
Likewise, a bad actor can use pop-ups since they have a high chance of getting clicks by hijacking a user’s screen.
So, when you see something uncommon or an ad that’s out of place, maybe it’s time to investigate a little deeper.
As happened with my blogger friend, this is a common symptom of a hacked WordPress website.
You might have tens to thousands of random posts published in a small amount of time. And they don’t necessarily resolve to anything and can land at 404 error pages.
Still, these posts are enough to ruin your reputation or convince search engines to downrank your web property.
Sometimes the hackers try to make a statement by completely changing the homepage (and others) such that it tells you and your visitors that the website has been hacked.
These acts can also signal a revenge hack, including an attempt to push the website owner toward paying a ransom to get the access back.
Search Engine Warnings
Modern search engines are smart enough to flag an average internet user about a malicious website. Consequently, anyone visiting a hacked website can see such warning signs:
So if a hacker hosts harmful content for website visitors, it gets flagged, resulting in downranking in search results.
This is another obvious sign indicating unauthorized access to your WordPress website. You can check this in the WordPress dashboard users section, which may mention random users not added by the webmaster.
The purpose behind this is to hide the hack from the website admin and stealthily do illicit activities (redirections, posts, etc.) for as long as possible.
A scammer may change the WordPress source code or inject malicious scripts into your web server. In addition, you may notice unnecessary files on your web server.
These changes are used to create backdoors, steal sensitive information from users, or send spam.
So these are a few signs indicating a hack, which brings us to our next section.
How to clean a WordPress hack?
A WordPress hack can be a serious mess, and the clean-up afterward needs to be thorough and quick. There are two phases on the way back to normalcy; let’s call them post-hack do’s and hack cleanup.
Post Hack Dos
Remember how a virus functions? It spreads, copying itself and infecting other files on your computer.
In the same fashion, once your website gets hacked, chances are it can also affect other websites on the same web server. And once your web host knows about the hack, the first thing they can do is DELETE YOUR ENTIRE SITE.
You ask how they can do it when you’re still paying the invoices on time. The thing is, it can be a clause in the terms that most of us never read while signing up.
To play it safe, BACKUP YOUR WORDPRESS SITE IMMEDIATELY. While you may have backup plugins like Jetpack (Vault Press) or Blogvault, I suggest making a copy on your local computer via something like FileZilla for additional security.
Next, change passwords–all of them. This may include the most important wp-admin, hosting account, FTP account, database credentials, etc.
This makes sure the hacker isn’t actively controlling your website, and the restoration goes unhindered.
Here comes the not-so-easy part.
Straightaway, asking for a WordPress site cleanup process is like wishing for a cure-all pill, which doesn’t exist.
Every hack is different in the level and location of corruption. And even though WordPress is user-friendly enough that you can do practically everything without writing a single line of code, cleaning a hack needs more skills than that.
So ideally, you should leave that up to the experts, such as people at Sucuri.
However, you can check the following steps and have a general idea about the hack removal. To this point, I’m assuming you’ve implemented the tips mentioned in the previous section.
Adding to that, delete (or change the passwords of) all user accounts except the one (yours, in this case) being used to repair the site. This might be an extreme measure, but it ensures no one is actively undoing your work.
Step 1: Download a fresh WordPress core copy.
Step 2: Now log in to your server, and delete everything in the public_html folder except wp-content, wp-config.php, and .htaccess.
Please note you might have a few more files, like the wp-salt.php I have. Most probably, these are added by your hosting provider or web developer. Since we already have the backup, you can keep them, or delete them and see if the website comes back to normal.
Step 3: Replace the deleted ones with the extracted files from the WordPress copy you downloaded in the first step.
With this step, your website should be back live again if it wasn’t before.
Step 4: Next is .htaccess file cleanup.
Normally, this file isn’t absolutely necessary, and it isn’t included in the WordPress core.
So, you can check the original .htaccess text as linked and replace the server’s copy with it. If you can’t edit it, right-click and change the file permissions in the file manager (like FileZilla).
And if you see any abnormalities, please ask the hosting provider or the developer to re-edit the .htaccess as intended.
Step 5: Download a security plugin like Wordfence and run a scan to check for further infections.
Please note this can also be the first step of the hack cleanup. But sometimes, the bad actors modify the files in a way that these security plugins can’t perform optimally.
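A dry run of steps 2 and 3, added here as an example and not part of the original article: it compares the live site against the fresh core copy and reports tampered, planted and missing files before anything is deleted. The directory names and the sample tree built by `build_sample` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Entries that steps 2-3 leave in place; everything else is replaced from the fresh copy.
PRESERVE = {"wp-content", "wp-config.php", ".htaccess"}

def files_under(root: Path) -> dict:
    """Map relative path -> SHA-256 for every file outside the preserved entries."""
    out = {}
    for p in root.rglob("*"):
        rel = p.relative_to(root)
        if p.is_file() and rel.parts[0] not in PRESERVE:
            out[rel.as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out

def audit(site: Path, fresh: Path) -> dict:
    """Report what replacing the core files would change, without touching anything."""
    live, clean = files_under(site), files_under(fresh)
    return {
        "modified": sorted(f for f in live if f in clean and live[f] != clean[f]),
        "extra": sorted(f for f in live if f not in clean),
        "missing": sorted(f for f in clean if f not in live),
        "preserved": sorted(e.name for e in site.iterdir() if e.name in PRESERVE),
    }

def build_sample(base: Path):
    """Constructed sample trees for the demo, not a real WordPress release."""
    site, fresh = base / "public_html", base / "wordpress"
    core = {"index.php": "<?php // front controller", "wp-login.php": "<?php // login",
            "wp-includes/version.php": "<?php // version"}
    for root in (site, fresh):
        for rel, body in core.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
    (site / "wp-login.php").write_text("<?php // login + injected line")  # tampered core file
    (site / "wp-includes/zz-example.php").write_text("<?php // planted")  # not in the fresh copy
    (site / "wp-salt.php").write_text("<?php // host-added")              # extra file from the host
    (site / "wp-content").mkdir()
    (site / "wp-config.php").write_text("<?php // config")
    (site / ".htaccess").write_text("# BEGIN WordPress\n# END WordPress\n")
    return site, fresh

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, names in audit(*build_sample(Path(tmp))).items():
            print(f"{kind}: {names}")
```

Entries in `PRESERVE` are deliberately not compared, so `wp-content`, `wp-config.php` and `.htaccess` still need the review in step 4 and the scan in step 5.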
Tips to prevent a WordPress site from being hacked
I won’t keep this long; instead, I have prepared this non-exhaustive checklist for keeping your WordPress safe.
- Always set strong passwords
- Activate multifactor authentication
- Keep your plugins and WordPress core updated
- Use a minimum number of plugins
- Change login URL
- Restrict the number of unsuccessful logins
- Deploy WordPress CAPTCHAs
- Invest in a 3rd-party backup
- Use a reputed hosting provider
- Install a security plugin
While most of the above steps are obvious, some of them ask for further discussion.
This means a user can’t just log in with a password but will also need a code sent to their registered phone number or from an authenticator app like Zoho OneAuth.
It isn’t something that comes with WordPress natively. Your hosting provider might have provided this utility, but chances are your WordPress installation doesn’t have one.
And there are many plugins to activate this. Personally, I have experience with mini-Orange WordPress 2FA, and I have nothing but good things to say about them.
Delete unwanted plugins and themes
According to this iThemes WordPress vulnerability report, only 1.29% of security issues arise from WordPress core. The rest (over 98%) belong to plugins and themes.
So the learning here is to keep them to a minimum number. Delete all plugins and themes which you can survive without.
And whatever you keep, make sure they are regularly updated (or put them on auto-updates) and are created by a well-known developer.
Most brute force attempts target www.domainname.com/wp-admin. The idea here is to get creative with the slug.
For instance, you can go with this: www.domainname.com/not-hacked@xyz.
And, if you don’t know how to code, you’ll need plugins. Here again, you have a lot of options, including WP-hide-login.
In addition to this, you should limit the number of unsuccessful login attempts to stop brute-force attacks. Most good hosting providers already have this security.
However, try this Limit Logins Attempts plugin if yours lacks this.
It might feel counterintuitive to install these plugins, especially since I have given you the “use fewer plugins” warning. Still, they are the only savior for someone who does not know how to code.
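What a login limiter counts can also be read from the web server’s access log. The added example below (not from the original article or from any plugin) flags client addresses that reach a failure threshold inside a time window; the combined log format, the threshold of 5 failures in 10 minutes, and the "200 means failed, 302 means success" convention are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Prefix of an Apache/nginx "combined" access-log line (assumed format).
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def failed_logins(lines):
    """Yield (ip, time) for each POST to wp-login.php answered with 200.
    Assumption: a failed login re-renders the form (200); a success redirects (302)."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php") and status == "200":
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def lockout_candidates(lines, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: time the threshold was first reached} using a per-IP sliding window."""
    recent, flagged = defaultdict(deque), {}
    for ip, when in failed_logins(lines):
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures and ip not in flagged:
            flagged[ip] = when
    return flagged

def sample_log():
    """Constructed log lines; addresses come from documentation ranges."""
    rows = []
    for i in range(6):   # six failures in under a minute
        rows.append(f'203.0.113.7 - - [12/Mar/2024:10:00:{i*10:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4321')
    for h in range(4):   # four failures spread over several hours
        rows.append(f'198.51.100.9 - - [12/Mar/2024:{11+h}:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321')
    rows.append('198.51.100.20 - - [12/Mar/2024:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0')
    rows.append('198.51.100.20 - - [12/Mar/2024:10:05:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000')
    return rows

if __name__ == "__main__":
    for ip, when in lockout_candidates(sample_log()).items():
        print(ip, "reached the threshold at", when.isoformat())
```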
WordPress security is multipronged. You can either write the code yourself, install a plugin for each aspect, or use a robust plugin that covers many aspects single-handedly.
A few top-notch WordPress security solutions we normally recommend are iThemes Security Pro, Wordfence, SUCURI, etc.
Tools to help you Recover from attacks
Things go wrong, but how do you recover from them quickly?
There are two ways.
- If you are a skilled security professional, then you may investigate and clean the infected files and malicious codes to recover the site.
- If you are not sure or don’t have time, you can hire professional services to put your site back in business.
Let’s explore the online services you can hire to fix your WordPress site.
SUCURI, one of the leading cloud-based security providers, also offers immediate help to repair the hacked site.
There are three plans you can choose from.
- Business – response within 4 hours
- Pro – 6 hours
- Basic – 12 hours
Based on the priority and budget, you can select the plan.
SUCURI doesn’t just fix your site one time; it also offers continuous security and monitoring. Some of the features are:
- Stop future attacks
- Remove security warnings, blacklist, and malicious codes
- Layer 3, 4 & 7 DDoS protection
- Fast & friendly support
- 30-days money-back guarantee
SUCURI works on any website platform, including WordPress, Joomla, Magento, Drupal, etc.
A WordPress-specialized security plugin to scan, protect, and monitor the site.
Malcare lets you clean the site from their dashboard. However, if you need urgent help, you can go to an emergency cleanup service.
Is your website suspended by your web host, blacklisted by a search engine, or attacked by malware?
SiteLock can fix these issues with immediate malware detection alerts, ongoing 24/7 protection, and emergency hack repair.
You can benefit from three SiteLock products:
- SiteLock SMART™: Used to remove malware automatically from your website.
- SiteLock INFINITY™: Provides non-stop scanning service to keep your site safer & faster.
- SiteLock TrueShield™: Works as a web application firewall to increase customers’ trust and their conversion ratio on the website.
If your website is currently infected, then you can choose One Time Website Clean to remove an infection from backlinks and resolution suspension for just $199.99 per domain. Or you can go with the Repair and Ongoing Protection plan to clean your site from malware for $41.67 per month/domain.
SiteLock also offers scanner & remediation, web application firewall support, website backup, and other expert services according to various plans, like SecureAlert, SecureStarter, and SecureSpeed.
Wordfence helps to clean unlimited pages on a single site for $179.
Wordfence doesn’t just clean the site; it also lets you know how the attacker took control of your site, with an in-depth investigation report and action items to protect against future attacks.
When you engage them to clean, they provide you with a one-year premium subscription (worth $99) to monitor and protect your site.
One Hour Site Fix
As you can guess from the name, OneHourSiteFix helps to clean infected sites in one hour.
There are two options.
Either you can hire them to repair the site for $69 or go for continuous security protection for $13.95 per month.
Jim Walker helps you to fix the hacked site quickly. Jim is available on a phone call for consulting.
Hack Repair also helps you implement an SSL certificate to make your site accessible over HTTPS at a one-time low cost.
If you are OK with waiting up to 24 hours, then you can opt for the regular malware removal service; however, if you need an urgent cleanup, then go for the emergency service.
SiteGuarding works with WordPress and Joomla CMS.
SiteGuarding is also known for providing complete site security solutions, including backup.
Does your hacked WordPress website require a quick solution?
Then, WP Hacked Help will come as the 1st choice for complete Website Security and quick malware removal & website clean-up.
WP Hacked Help offers a 360-degree scan of your WordPress website with a full analysis of blacklist possibilities and infection signs.
This tool features malware & infection removal, website hack repairs, Google blacklist & warnings removal, malware analysis & research, website protection from future hacks, secure hosting, and daily automatic backup with online 24/7 customer support.
Its WordPress website protection plans start at $99.99 for malware and virus cleanup. And its Premium Protection adds more value by providing Secure Hosting with malware and virus cleanup at $99.99 plus $10/month.
WordPress hacks aren’t uncommon. We explained how to identify a hack, its cleanup, and a few services to help you with it.
However, it shouldn’t come to that, and it will help to work on the tips we discussed earlier.
In addition, keep a security plugin installed. This will ensure round-the-clock monitoring and alert you of any emergency.
If you are using Joomla, here are some services that can help you recover your Joomla website.