A hacked WordPress website is always alarming. Once you are notified that your website has been hacked, you need to move quickly to prevent further damage, make sure the hack is fully removed, and take steps to prevent future hacks.
WordPress websites can be hacked from various sources:
- Poor passwords on admin accounts, or on any account with WordPress dashboard access.
- Reusing your WordPress password for other online accounts.
- Old and outdated WordPress plugins and themes.
- An outdated PHP version running on your server.
- A default or weak password on your cPanel / hosting panel.
- No additional security on top of the default WordPress install.
A hacked WordPress website can take many forms, and it may not always be noticeable. A hack can inject harmful code into your website to gather visitors' personal data, or inject articles or URLs into your website to spam search engine (SEO) results.
WordPress hacks can be found in theme files, plugin files, the database and WordPress core files. It's important to follow the steps below to make sure every affected file has been replaced.
In this article, we will talk about our preferred method for cleaning up a hacked WordPress website and how to prevent future hacks.
How to clean up your website (the best method):
- Before starting, it's always recommended to take a full backup of your site (files and database). Regular backups of your website prevent large-scale loss of data. If you do not have a backup available, your web host or web developer may have one.
- Rename the webroot folder for your site. This is typically public_html; change it to public_html-old, or something along those lines. Please note that this will take your website offline.
- Create a new public_html folder (the new webroot where your WordPress website will sit).
- Do a complete fresh install of WordPress in the new public_html folder. Depending on your host, you can easily do this via Softaculous; if not, use the famous 5-minute install (https://WordPress.org/support/article/how-to-install-WordPress/).
- Delete everything inside the new wp-content/uploads folder (leave the folder itself). We will replace this content with the files from your old website.
- Go to your website backup (public_html-old) and copy everything from its wp-content/themes and wp-content/uploads folders into the new install. Leave the plugins folder behind.
- Make a list of all plugins in your website backup (public_html-old).
- Download fresh copies of every plugin on that list and install them into the NEW WordPress website.
- Make sure the theme we copied over earlier is up to date, and manually check its files. If using a child theme, completely delete the parent theme and reinstall it. For child themes, check each file and folder for unusual code or modification dates; you are looking for base64 or eval() code in theme files.
- Use phpMyAdmin (or similar) to delete the tables from the NEW database, then import the database backup from step 2. Since hacks can also live in the database, review the imported content for injected code or links before going live.
- Reset all WordPress admin passwords, reset your cPanel / hosting passwords, reset your FTP/SFTP passwords and anything else related to your WordPress website.
- Once your WordPress website is all set up again, install Wordfence and run a scan. This will help detect any portions of the hack that may have been missed.
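The theme and uploads checks from the steps above, as an added shell example that is not part of the original article: it flags theme files containing the eval()/base64 calls the article tells you to look for, lists PHP files sitting inside the uploads folder (a check added here beyond the article), and lists recently modified files. The demo tree, its file names and the gzinflate/str_rot13 patterns are constructed assumptions, not values from the article.

```shell
#!/bin/sh
# Added example, not from the original article: inspect the themes and uploads
# folders copied over from public_html-old before they go into the fresh install.
# Assumes a POSIX shell with find, grep, sed and mktemp. Nothing is deleted; every
# hit is printed for manual review.

# Calls legitimate theme code almost never needs: the eval()/base64 pattern the
# article names plus two common obfuscation helpers (added assumption).
SUSPICIOUS_RE='eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\('

# Print "obfuscation:<path>" for every theme file containing a suspicious call.
scan_theme_files() {
    find "$1" -type f \( -name '*.php' -o -name '*.js' -o -name '*.html' \) -print |
    while IFS= read -r f; do
        if grep -Eq "$SUSPICIOUS_RE" "$f"; then printf 'obfuscation:%s\n' "$f"; fi
    done
}

# Print "php-in-uploads:<path>" for executable code hiding among media files;
# a media library should contain no PHP at all (added check, beyond the article).
scan_uploads() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' \) -print | sed 's/^/php-in-uploads:/'
}

# The "unusual dates" check: files changed within the last N days (default 30).
recently_modified() {
    find "$1" -type f -mtime "-${2:-30}" -print | sort
}

# Build a small constructed wp-content tree (not real site data) for a dry run.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/themes/child" "$d/uploads/2023/01"
    printf '<?php get_header(); ?>\n' > "$d/themes/child/index.php"
    # constructed sample of the injected code the article tells you to look for
    printf '<?php eval(base64_decode("ZWNobyAxOw==")); ?>\n' > "$d/themes/child/functions.php"
    printf 'GIF89a' > "$d/uploads/2023/01/logo.gif"
    printf '<?php echo 1; ?>\n' > "$d/uploads/2023/01/cache.php"
    printf '%s\n' "$d"
}

# Usage: sh check-wp-copy.sh /path/to/new/wp-content
# With no argument, run against the constructed demo tree so it works offline.
TARGET=${1:-$(make_demo_tree)}
scan_theme_files "$TARGET/themes"
scan_uploads "$TARGET/uploads"
echo "files modified in the last 30 days:"
recently_modified "$TARGET" 30
```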
How to prevent future hacks:
Hundreds of security plugins exist that can help prevent future WordPress hacks. Wordfence is the most popular: it scans your website for threats and sends you regular emails highlighting any potential issues.
Our preferred plugin is All In One Security and Firewall. It allows you to set various restrictions on your WordPress website to prevent hacking. It also includes a scanner that checks various files for changes and can notify you via email.
Keeping a good backup is the surest way to avoid problems when restoring a website: a good, secure backup can quickly restore a hacked website.
Google Search Console is a great tool for detecting unusual activity on your website. It will alert you when it detects hacked or unusual content on your website, along with links to help clean up the affected changes.