Cleaning a Hacked WordPress Website

Our guide to fixing hacked WordPress sites, including all the stages you need to consider when dealing with a compromised website.

So your WordPress site has been hacked?

This guide is aimed at helping 34SP.com clients who find their WordPress site has been hacked; though can be applied to most software and hosting companies. We will explain what’s happened to your website, what steps we’re going to take to get you back on your feet and also what steps you can take to help us.

First and foremost: don’t panic! Being hacked is a scary and frustrating thing, especially when your site is of critical importance. At 34SP.com we want both to help minimise disruption and to address the underlying issue so your WordPress site doesn’t keep getting hacked over and over.

Our Promise

We understand the stomach turning sensation of finding out your site has been hacked. Don’t worry, our team are here to help and we will do our very best to get you back up and running as quickly as possible. We will also work to ensure your site is restored in as clean and safe a state as possible – the last thing anyone wants is for the hack to recur.

What we will do

  • Help identify any hacks present
  • Provide a snapshot of your site
  • Remove all content
  • Install WordPress freshly
  • Safely import content and restore your plugins/themes where possible
  • Work with you to get your site functioning as before
  • Advise how to improve site security moving forward

What you need to do

  • Provide a contact point to work with us during the restoration
  • Download and install any premium plugins and themes we might not have access to
  • Add non-WordPress content back to the site
  • Check your site for issues after restoration
  • Re-apply custom settings where it’s not feasible for us to do so

What is a WordPress hack?

Most people’s understanding of a website being hacked comes from headlines in the media where data is stolen and then sold or simply dumped online. These targeted hacks can cause huge damage to businesses but on the whole are very rare.

Most hacks that we see on our platforms are automated attacks; rather than targeting a specific site, attackers exploit known vulnerabilities in software such as a WordPress plugin, then try that exploit against as many sites as they can. The content on sites infected by these automated attacks is irrelevant to the hackers. Instead they’re looking to extort you or to abuse the resources of your hosting account.

While each hack is slightly different, the most common types of hacks can be categorised as:

Email Spamming

By far the most common hack we see; indeed we often identify this hack long before our clients even spot it. A hacked site will start to send out large quantities of email to lots of recipients. If you have ever been asked for money by a wealthy prince via email, chances are the email you received was sent through a hacked site.

Node in a bot network

Your site starts to send large amounts of traffic to another address. In effect the attacker is using your server resources and Internet connection to try to force another site offline. This sort of hack directs hundreds of hacked sites at one single target. The result is a Distributed Denial of Service (DDoS).

Malware Hosting

In this type of hack, your site content is modified to include links to malware, viruses and other nasty things. This type of hack is one of the most obvious to visitors to your site and may result in your site being blacklisted by Google for hosting malware.

SEO hack

Similar to malware hosting: again your content is modified and/or new content is added. In this hack your site is being used to host content that promotes another site, product or service.

Ransomware

Where the site content is encrypted, or more likely removed, and the client is asked to pay to “release” the files.

Defacement

Your content is simply replaced with new content belonging to the hacker. This could be a political message or simply someone saying they hacked your site. Defacement is the graffiti of the web but with far worse impact to reputation.

How do WordPress websites get hacked?

WordPress sites get hacked for a variety of reasons, but the number one reason is failing to keep things up to date, including WordPress core, plugins and themes. When vulnerabilities are found, most developers patch (fix the vulnerability in) their plugin or theme before the vulnerability is announced to the world. This means that if you’re running the latest version, that vulnerability won’t affect you.

There are other ways sites get hacked though, for example having weak passwords for logins such as FTP users. If someone can guess your password they can do anything you can do. Check out our article on password security if you need some help.

Another way that sites are hacked is by tricking an admin user into triggering an action which causes files to be uploaded. In some cases our Web Application Firewall rules can help stop these, but if the firewall doesn’t know the action is malicious it will allow it through.

Finally, if you give site visitors the ability to upload files (intentionally or not) and don’t have adequate safeguards this too can result in those files being used to hack your site.

People attempting to hack sites often use combinations of the above techniques to try to gain entry to your site. Once they have hacked your site they often then create additional ways to gain entry. These “backdoors” on the site ensure they have access even if the first method is discovered and fixed. This is why we say if you’ve been hacked once, you have been hacked numerous times.

Again, don’t panic! Most of these hacks are preventable; once we have cleaned your site, we will help try and prevent it in the future.

How do we detect a WordPress hack?

For most of our clients, the first time they know they have been hacked is when we contact them directly.

We proactively monitor our network and constantly look for unusual activity across our hosts. For example, a site suddenly starts sending hundreds or thousands of emails. One of our systems team will look in the mail queue and check whether the emails being sent are genuine. We don’t need to read the emails in detail; we simply look at the headers and subject. It’s very easy to tell spam email from a newsletter being sent.

Likewise, we monitor spikes in traffic on our network. Each server and product has its own usage agreements, but normally we limit the amount of traffic these systems can send (packets per second) and if it’s exceedingly high a member of the team will investigate. We also regularly run virus scans across our servers to detect this content too.

Additionally our servers run Web Application Firewalls which monitor traffic being directed at them. While this only shows what a remote user is trying to access it can produce information to help spot hacks.

On our WordPress hosting we also proactively check certain plugins and WordPress core files to make sure they haven’t been modified maliciously. Each platform has its own specific set of security tools designed for that platform. Of course, it’s possible that we didn’t spot the hack. Often a hacked site can sit dormant for weeks or months. The site might be off our radar until the hack’s payload is deployed.

Sometimes clients will spot files they are sure they didn’t upload, or they might have a plugin that spots hacked files and it flags issues.
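The core-file check described above, and the “file that claims to be from 1970” problem discussed later in this guide, can both be reproduced with ordinary shell tools. The script below is an added example, not 34SP.com’s monitoring or any plugin’s code. It assumes a POSIX shell with sha256sum, find, awk and sort available, and a known-good checksum manifest that you would build from a freshly downloaded WordPress release of the same version (the manifest here is built from a constructed fixture).

```shell
#!/bin/sh
# Added example (not 34SP.com's tooling): compare a WordPress tree against a
# known-good checksum manifest and flag files with implausibly old timestamps.
# Assumptions: POSIX sh, sha256sum, find, awk, sort (GNU coreutils or busybox).

# hash_tree <dir>
# Print "<sha256>  <relative path>" for every regular file under <dir>,
# sorted by path, i.e. the same format sha256sum itself writes.
hash_tree() {
    ( cd "$1" && find . -type f | sed 's|^\./||' | sort | while IFS= read -r f; do
        sha256sum "$f"
    done )
}

# wp_integrity_check <site_dir> <manifest>
# <manifest> is a known-good listing in hash_tree format. In practice you
# would run this against wp-admin/ and wp-includes/ only, since user content
# under wp-content/uploads legitimately differs from any manifest.
# Emits one line per finding: ADDED|MISSING|MODIFIED <path>.
wp_integrity_check() {
    hash_tree "$1" | awk -v manifest="$2" '
        BEGIN {
            while ((getline line < manifest) > 0) {
                split(line, parts, "  "); known[parts[2]] = parts[1]
            }
        }
        {
            hash = $1; path = $0; sub(/^[^ ]*  /, "", path)
            seen[path] = 1
            if (!(path in known))         print "ADDED " path
            else if (known[path] != hash) print "MODIFIED " path
        }
        END { for (p in known) if (!(p in seen)) print "MISSING " p }
    ' | sort
}

# old_mtime_files <site_dir> <YYYYMMDDhhmm>
# List files last modified before the given date. A backdated file (the
# "1st Jan 1970" case) stands out here: no genuine WordPress release is that
# old, so such files deserve a closer look even if their content seems benign.
old_mtime_files() {
    ref=$(mktemp) || return 1
    touch -t "$2" "$ref"
    find "$1" -type f ! -newer "$ref" | sort
    rm -f "$ref"
}

# Usage: sh integrity.sh /path/to/httpdocs /path/to/known-good.sha256
if [ "$#" -eq 2 ]; then
    wp_integrity_check "$1" "$2"
    echo "--- files with mtime before 2000-01-01 ---"
    old_mtime_files "$1" 200001010000
fi
```

Treat the report as a starting point rather than a verdict: a MODIFIED core file is almost always a finding, but ADDED files need context, and an old mtime on its own proves nothing except that the timestamp cannot be trusted for dating the hack.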

However a hacked WordPress site is initially discovered, once alerted the same process is followed, and a member of our team will investigate.

How we investigate hacked WordPress websites

Once something has been flagged as possibly hacked, a member of our team will be tasked with investigating your site.

During the investigation phase we start by confirming if a site is actually hacked. False positives can and do occur and we only begin our hacked site process as a last resort.

Once we have identified one or more hacks, we look at the initial impact of the hack as a starting point and quickly lock that down. Where practical we will make sure any hacked files cannot be accessed except by our team and that any malicious processes or emails being sent are immediately stopped.

This can result in some immediate loss of features on your site, but your site should still be operating. There are times where this is not practical, if your site index page has been hacked, or in the case of ransomware for example. If keeping your website up and running is a danger to you or anyone visiting the site – we will take steps to take the site offline.

At this point we also take a snapshot of your website using the snapshot feature in your control panel. This means you will always have access to your site content, files and any custom settings.

Communication is key

If we aren’t already in touch at this stage we will also get in touch. While we don’t wish to cause panic, an urgent resolution is best for everyone and we need to get in contact as soon as possible.

Due to the nature of hacked sites our initial contact will always be with the account owner. We will ask you to authenticate a support ticket to allow us to carry out work on your behalf. We will also ask you to nominate a single point of contact for the duration of the case. It’s likely we will need to undertake a lot of work in a very short period of time; it’s important we can speak to someone quickly to let them know what is going on and ask them questions about the site setup if need be.

Normally this person is the site owner but it can also be a technical contact. If the contact is not already listed on your account, you will need to add them as a technical contact in your control panel.

During this initial contact we will explain what was discovered during the investigation phase and guide you on how to access the snapshot. We will keep this available to you for as long as you need it, and you don’t have to download it straight away. The snapshot is also kept on a server separate from your content.

Commonly asked WordPress hack questions

Understandably, you probably have a lot of questions for us at this point, and please don’t hesitate to ask! Do be aware though that some questions might be hard to answer. Here are some of the more common hack queries we’re asked:

How long has my WordPress site been hacked?

While we might be able to see the date a file claims to have been added or edited, this date can be tampered with. It’s not unusual to see a file claim to have been last modified on the 1st Jan 1970 for example. In addition we won’t know if we have found every hacked file and an older hack may exist.

How did my WordPress website get hacked?

Sometimes we will know and can share details with you. For example we might be able to see if someone modified your files via FTP or if a hack relates to a specific plugin folder. But again these might have occurred after the initial hack.

Was my customer data taken?

To a limited extent we can assess if your site data was targeted; that said, if you store confidential data, you should assume this has been compromised regardless.

Cleaning a hacked WordPress website

Once we’ve answered your questions we can start the cleanup of your WordPress site. This is the stage most clients dread, as we can’t simply restore from a backup: we just don’t know whether that backup has or hasn’t been hacked.

The steps we take to fix your website are as follows:

  1. We get a list of the plugins and themes you have installed, so we can use this later to restore those plugins.
  2. We export your posts/pages/custom post types using the built-in WordPress exporter rather than SQL dumps, as this helps limit potential issues with hacks within the database.
  3. We isolate your files and we remove them from your httpdocs folder. Your site will briefly go offline as this happens. The files will still be on the server at this stage, but only accessible by our team.
  4. We install a clean copy of WordPress on your site. As we are doing this your site will briefly show a default WordPress install. Normally this is there for a matter of minutes at most.
  5. We will then move your media back to your wp-content/uploads folder after having checked for anything that looks suspicious and having used a virus scanner to check for issues. In some cases we may not move every file; for example where your site has .zip files in the uploads folder. We will always warn you of content we haven’t moved and why so you can review.
  6. Next we import your WordPress posts and any other content. This also generates user accounts based on those pages. Each user account will be set to the author role by default. We will also set a single user as administrator, allowing you to login and make any changes to user settings.
  7. Finally we install and activate your themes and plugins. We can only do this for publicly accessible themes and plugins.
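Step 5 above, moving media back only after checking it, is the part of the procedure most worth automating. The script below is an added example rather than 34SP.com’s own process. It assumes a POSIX shell with find, grep and cp, that the quarantined uploads folder and the clean install’s wp-content/uploads are both on the local filesystem, and an illustrative whitelist of media extensions: files with any other extension (such as the .zip case the text mentions, or an .htaccess), and files that contain PHP code despite having a media extension, are held back and written to a report for review instead of being copied.

```shell
#!/bin/sh
# Added example (not 34SP.com's procedure): copy quarantined uploads into a
# clean install only if they look like media, and list everything held back.
# Assumptions: POSIX sh, find, grep, cp, dirname; ALLOWED_EXT is illustrative.

ALLOWED_EXT='jpg jpeg png gif webp pdf mp3 mp4'

# is_allowed_name <relative path>
# True when the file has an extension (case-insensitive) in ALLOWED_EXT.
is_allowed_name() {
    ext=$(printf '%s' "${1##*.}" | tr 'A-Z' 'a-z')
    [ "$1" != "$ext" ] || return 1          # no extension at all
    for a in $ALLOWED_EXT; do
        [ "$ext" = "$a" ] && return 0
    done
    return 1
}

# has_php <file>
# True if the file contains a PHP open tag anywhere. A genuine image, audio
# or PDF file has no reason to, so a match is worth a manual look.
has_php() {
    grep -qiE '<\?(php|=)' "$1"
}

# triage_uploads <quarantined_uploads> <clean_uploads> <report_file>
# Copies files that pass both checks, preserving the year/month structure,
# and records everything else in <report_file> as "HELD <reason> <path>".
triage_uploads() {
    src="$1"; dst="$2"; report="$3"
    : > "$report"
    ( cd "$src" && find . -type f | sed 's|^\./||' | sort ) | while IFS= read -r rel; do
        if ! is_allowed_name "$rel"; then
            printf 'HELD extension %s\n' "$rel" >> "$report"
        elif has_php "$src/$rel"; then
            printf 'HELD php-code %s\n' "$rel" >> "$report"
        else
            mkdir -p "$dst/$(dirname "$rel")"
            cp -p "$src/$rel" "$dst/$rel"
        fi
    done
}

# Usage: sh triage.sh /quarantine/uploads /var/www/httpdocs/wp-content/uploads held.txt
if [ "$#" -eq 3 ]; then
    triage_uploads "$1" "$2" "$3"
    printf '%s file(s) held for review, see %s\n' "$(wc -l < "$3")" "$3"
fi
```

The report is what you hand back to the client: each held file is named with the reason, which matches the guide’s promise to always say what was not restored and why. Running a virus scanner over the copied files afterwards, as the text describes, is a separate step this script does not replace.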

My WordPress site is still broken

After these first few steps to fix your website, your site might not look the same. Don’t panic! We can only access themes and plugins found on the wordpress.org website. If you bought your theme from somewhere else we won’t have access to it and we need your help.

If you don’t have a copy of the theme files to hand, you will need to go to the company or website you purchased the theme from and re-download the theme. Once you have the zip file of the theme, within WordPress go to Appearance -> Themes -> Add New -> Upload New and upload and activate the theme. Your theme should now be added.

You may also need to repeat this step for any premium plugins your site uses. Again, we can’t access any premium themes or plugins and we can’t simply restore from a backup: to prevent the hack recurring, we have to assume your backups are also infected. It’s critical your site is restored from known clean sources such as wordpress.org or the theme/plugin developer.

With your theme and plugins back in place our team can help get your site looking more like it was before. If you made custom changes to files to alter your site appearance we won’t be able to help you put those back. Likewise some plugin settings may be lost. While you can refer to your snapshot to get back online, we strongly discourage copying directly from the snapshot files, or you may simply reinstate the hack all over again.

At the end of this restoration process it’s important to understand what might be lost:

  • If you directly modified themes or plugin code, those modifications won’t be restored
  • If you modified WordPress Core those changes won’t be present
  • If your plugin or theme used content outside of wp-content/uploads or its own folder these items will be lost
  • Some settings won’t have been remembered and will need to be reapplied

It may take some time to spot all the little differences, so it’s worth thoroughly going through your site and checking everything.

During this process our team is on hand to help. We want to get you back up and running as quickly as possible with minimal disruption, but we also have a responsibility to make sure we are not restoring hacked content. As such, do note that we won’t restore specific files from the snapshot. We can’t underscore enough how important it is to proceed under the assumption that all files are infected.

Preventing WordPress hacks moving forward

After a site is cleaned and you feel you’re getting back to normality it’s a good time to take stock and review. Again our team is on hand to help where possible and you can speak to one of our WordPress specialists about improving security on your site.

Here are some important points to consider when securing a WordPress website:

  • Reviewing old plugins and themes. If you are not using a theme or plugin you should remove it. Even deactivated plugins and themes can be used to hack your site.
  • If a plugin is not receiving active updates from the author or is abandoned, consider looking for alternatives.
  • If you want to create changes to a theme, consider doing so as a child theme. This will allow you to make changes and still be able to update the parent theme.
  • Activate auto-updates for WordPress Core, plugins and themes or look at plans such as our WordPress hosting where we handle more of this for you.
  • Make sure WordPress folders and files have the correct permissions (we can help here).
  • Go through your site and check each and every user. Make sure only people who NEED to be administrators are. Most users can be set as authors or editors.
  • Only have user accounts for people who need access and audit everyone who has other access to your site.
  • Make sure administrators use secure passphrases or password managers. Again see our password advice earlier in the document or ask for our help.
  • Consider enabling two factor authentication for your WordPress website.
  • Don’t use the same password for your FTP as your site, or indeed any site.
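The permissions point in the checklist above is the one most easily turned into a repeatable check. The script below is an added example, not 34SP.com’s tooling, and the scheme it applies (directories 755, files 644, wp-config.php 640 so other accounts on a shared host cannot read the database credentials) is a common convention rather than a value taken from this guide; confirm what your host recommends. It assumes a POSIX shell with find and chmod and a site directory on the local filesystem.

```shell
#!/bin/sh
# Added example (not 34SP.com's tooling): apply a conventional WordPress
# permission scheme and report anything that deviates from it.
# Assumptions: POSIX sh, find, chmod; the 755/644/640 values are a common
# convention, not this guide's own recommendation.

# harden_wp_perms <site_dir>
# Directories 755, files 644, and wp-config.php tightened to 640.
harden_wp_perms() {
    site="$1"
    [ -d "$site" ] || { echo "not a directory: $site" >&2; return 1; }
    find "$site" -type d -exec chmod 755 {} +
    find "$site" -type f -exec chmod 644 {} +
    if [ -f "$site/wp-config.php" ]; then
        chmod 640 "$site/wp-config.php"
    fi
    return 0
}

# perm_violations <site_dir>
# Lists paths that do not match the scheme, one per line. Useful as a
# periodic check: a world-writable directory, or a file in uploads that has
# become executable, is a finding worth investigating rather than just fixing.
perm_violations() {
    site="$1"
    {
        find "$site" -type d ! -perm 755
        find "$site" -type f ! -name wp-config.php ! -perm 644
        if [ -f "$site/wp-config.php" ]; then
            find "$site/wp-config.php" ! -perm 640
        fi
    } | sort
}

# Usage: sh perms.sh /var/www/httpdocs [--fix]
if [ "$#" -ge 1 ]; then
    if [ "$2" = "--fix" ]; then
        harden_wp_perms "$1"
    fi
    perm_violations "$1"
fi
```

Run the check without --fix first and read the list: a directory that is unexpectedly world-writable may be how the last upload got in, and that is useful to know before the evidence is normalised away.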

If you are using our Professional Hosting or Business Hosting platforms for your WordPress site, talk to our team about moving to our WordPress Hosting. This platform is designed from the ground up specifically for WordPress and has several more advanced security features in its core design.

Communication is key, remember

Depending on your business there are some organisations you may need to contact following a hack of your site:

Information Commissioner’s Office (ICO)

If you are registered with the ICO you may need to formally declare a hack to them. If in doubt, they can advise whether this is needed. For most automated attacks it might not be.

Payment providers

If you take payments and have undergone PCI Compliance you may be required to notify your payment provider.

Police

In extreme cases contacting law enforcement might be needed. This is exceedingly rare but if data was stolen deliberately this might be required.

Your clients

In most cases you are not legally required to inform customers of a hack, though there are exceptions to this. Weighing up the reputational damage of explaining a hack versus the potential of this being discovered and not being disclosed is a hard balancing act.

Google

It’s important to understand that multiple hacks can be deployed at once. Just because your site was defaced doesn’t mean it isn’t also spamming or part of a bot network. Indeed it is very rare to see just one type of hack on a site unless it’s been caught early.

If Google is displaying your site with a red screen and malware warning you will need to let them know the site has been cleaned.

Don’t panic!

While we don’t want to downplay the seriousness of a WordPress site being hacked, it is sadly a reflection of everyday life on the web. It’s upsetting and the feeling of violation is normal. If you have read through this guide we hope we have removed some fears and given a clear outline of the steps to clean up a hacked WordPress site.

While the ramifications of a hack can take time to go away, there are normally no long-term negative effects if it is dealt with correctly. Our goal is to get you back up and running as soon as possible and to remove as much of the stress from this situation as we can.