What to do if your WordPress site has been hacked?

These days, WordPress infections are very common. In 2021, internetlivestats.com counted more than 81 million hacked websites. If you’re one of those millions, you need to take steps to fix and protect your site. Of course, a hacked site will put any site owner into panic mode. This article will tell you what to do if your website is hacked and how to move forward. WordPress sites can be hacked for a variety of reasons, which we cover in Why are WordPress sites targeted by hackers?

First, confirm that your WordPress site has actually been hacked. You can do this by scanning the site with a tool like our SiteCheck scanner or our free WordPress plugin, which will also tell you whether the site appears on any blocklists. Next, look for recently modified files (core files in particular) and confirm with whoever has access to the site that each change was expected; an edit nobody recognises is a strong indicator of compromise.

Once you have confirmed that your WordPress site is indeed infected, you should remove all malicious content.

Cleaning infected files and database tables

To manually remove an infection from your site's files, connect to your server via SFTP or SSH. If you don't know these login details, ask your hosting provider for assistance. Once connected, make a full backup of the site (files and database) before changing anything, even though it is infected: you may need it to recover a file removed by mistake. During cleanup the site will likely appear broken or offline, so some site owners enable "maintenance mode" in the meantime, either with a splash-page plugin or a placeholder theme. If older stored backups appear clean, they are also useful to compare against the current site to pinpoint injected code.

Once a backup and maintenance mode are in place, you can proceed with manually removing the malicious code and replacing all infected core files with fresh copies of the same WordPress version. Make sure all hidden backdoors are removed, since attackers almost always leave themselves a way back in. Most of the time the malicious code is obfuscated (encoded, compressed or scrambled rather than genuinely encrypted), so it is essential that every piece of it is found and removed to avoid reinfection. Backdoors commonly rely on the following PHP functions, which are worth searching for:

  • base64_decode
  • str_rot13
  • gzuncompress
  • eval
  • exec
  • system
  • assert
  • stripslashes
  • preg_replace (with the /e modifier)
  • move_uploaded_file
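As an added illustration (example code written for this editorial pass, not Sucuri's tooling or anything from the original article), the following POSIX shell script builds a throwaway, constructed WordPress-like directory tree containing three typical injections and then runs the checks described above against it: recently modified files, source files that call the functions listed, and PHP files under wp-content/uploads. All paths, file contents and function names are assumptions made for the example.

```shell
#!/bin/sh
# Added triage example: constructed sample tree plus the three file checks
# described in the article. Names and paths are assumptions for this example.
set -eu

# ERE for the PHP functions listed above, matched as a whole identifier
# followed by an opening parenthesis (so "str_replace(" is not flagged).
FUNC_PATTERN='(^|[^A-Za-z0-9_])(eval|base64_decode|str_rot13|gzuncompress|gzinflate|exec|system|assert|stripslashes|move_uploaded_file)[[:space:]]*\('
# preg_replace() whose pattern string carries the /e modifier, which makes
# PHP (before 7.0) evaluate the replacement as code.
PREG_E_PATTERN="preg_replace[[:space:]]*\([[:space:]]*['\"][^'\"]*/[A-Za-z]*e[A-Za-z]*['\"]"

# Build a constructed tree with one clean file and three injected ones.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-includes" "$root/wp-content/themes/twentytwenty" \
           "$root/wp-content/plugins/legacy" "$root/wp-content/uploads/2021/09"
  # Benign core-style file; str_replace alone is far too common to flag.
  printf '%s\n' '<?php' 'function wp_strip_cr($s) { return str_replace("\r", "", $s); }' \
    > "$root/wp-includes/functions.php"
  # Backdate it so that only the injected files look recently modified.
  touch -t 202101010000 "$root/wp-includes/functions.php"
  # Theme footer with an injected eval(base64_decode()) stub (decodes to: echo "hi";).
  printf '%s\n' '<?php /* footer */ ?>' '<?php eval(base64_decode("ZWNobyAiaGkiOw==")); ?>' \
    > "$root/wp-content/themes/twentytwenty/footer.php"
  # Uploader dropped into wp-content/uploads, where no PHP should ever live.
  printf '%s\n' '<?php move_uploaded_file($_FILES["f"]["tmp_name"], "x.php"); ?>' \
    > "$root/wp-content/uploads/2021/09/image.php"
  # Abandoned plugin using the /e modifier: the replacement is run as PHP.
  printf '%s\n' '<?php preg_replace("/.*/e", $_REQUEST["c"], ""); ?>' \
    > "$root/wp-content/plugins/legacy/legacy.php"
  printf '%s\n' "$root"
}

# 1. Files modified within the last N days (default 7), as a sorted list.
find_recent_files() {
  find "$1" -type f -mtime -"${2:-7}" | sort
}

# 2. Source files that call one of the backdoor-style functions.
scan_backdoors() {
  find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) \
    -exec grep -lE -e "$FUNC_PATTERN" -e "$PREG_E_PATTERN" {} + | sort
}

# 3. Executable PHP under wp-content/uploads, which should only hold media.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) | sort
}

main() {
  root=$(make_sample_tree)
  echo "== modified in the last 7 days";   find_recent_files "$root" 7
  echo "== backdoor-style function calls"; scan_backdoors "$root"
  echo "== PHP under uploads";             php_in_uploads "$root"
  rm -rf "$root"
}
main
```

On a real site, point the three functions at the document root instead of the constructed tree, and treat the output as a candidate list rather than a verdict: base64_decode and system have legitimate uses in some plugins, so each hit has to be read in context. Two complementary checks that need no sample data are `wp core verify-checksums` (WP-CLI), which compares every core file against the official checksums for the installed version, and `diff -rq clean-backup/ live/` against a backup you know to be clean.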

Pro tip: Any other website residing in the same hosting environment could also be contaminated. Make sure they are either cleaned or completely removed if no longer in use.

To remove malware from a website database, you must first login to your database’s administration panel. You must back up the database before making any changes.

Then search the tables for any unwanted keywords or links and remove them. Tools such as Search-Replace-DB or Adminer can also be useful, but be sure to delete them from the server when you're done, because they are themselves a way in for an attacker.

Malicious PHP functions like eval, base64_decode, gzinflate, preg_replace and str_replace are commonly found in the database, typically in wp_posts and wp_options. Sometimes the payload itself is a piece of base64-encoded content, or JavaScript obfuscated with String.fromCharCode(). Once everything has been removed, make sure your site is still up and running.
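As an added example (editorial example code, not from the original article), this POSIX shell script applies the same kind of search to a mysqldump backup of the database, which is convenient because the backup you were just told to take is exactly the file to scan. The dump excerpt is constructed for the example; its table rows, URLs and the serialized widget_text option are illustrative assumptions, and the pattern list is the one from the paragraph above plus the two HTML injections most often seen in post content.

```shell
#!/bin/sh
# Added example: scan a mysqldump-style backup for injected payloads.
# The dump below is constructed; nothing here comes from a real site.
set -eu

# ERE covering the PHP/JS functions named above plus remote <script src=...>
# tags and (usually hidden) iframes injected into post or widget content.
DB_PATTERN='(eval|base64_decode|gzinflate|gzuncompress|str_rot13|fromCharCode)[[:space:]]*\(|<script[^>]*src=|<iframe'

# Write a constructed excerpt of a mysqldump backup and print its path.
make_sample_dump() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
-- constructed excerpt of a mysqldump backup (example data only)
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.com','yes');
INSERT INTO `wp_options` VALUES (99,'widget_text','a:1:{i:2;a:1:{s:4:"text";s:62:"<script>eval(String.fromCharCode(97,108,101,114,116))</script>";}}','yes');
INSERT INTO `wp_posts` VALUES (12,1,'2021-03-01 10:00:00','Hello world','<p>Welcome to the site.</p>','publish');
INSERT INTO `wp_posts` VALUES (13,1,'2021-03-02 10:00:00','Pricing','<p>Plans</p><script src="https://cdn.example.org/stat.js"></script>','publish');
INSERT INTO `wp_posts` VALUES (14,1,'2021-03-03 10:00:00','About','<iframe src="https://attacker.example/x" width="0" height="0"></iframe>','publish');
EOF
  printf '%s\n' "$f"
}

# Print one tab-separated line per suspicious row: dump line number, table,
# and the first pattern that matched, so every hit can be located and read
# in context before anything is deleted.
scan_dump() {
  grep -nE "$DB_PATTERN" "$1" | while IFS= read -r line; do
    lineno=${line%%:*}
    table=$(printf '%s\n' "$line" | sed -n 's/^[0-9]*:INSERT INTO `\([^`]*\)`.*/\1/p')
    match=$(printf '%s\n' "$line" | grep -oE "$DB_PATTERN" | head -n 1)
    printf '%s\t%s\t%s\n' "$lineno" "${table:-?}" "$match"
  done
}

main() {
  dump=$(make_sample_dump)
  scan_dump "$dump"
  rm -f "$dump"
}
main
```

On a live database the equivalent check is a query such as `SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%<script%' OR post_content LIKE '%<iframe%';`, repeated for wp_options and for any tables plugins have added. One caveat when cleaning by hand: many options are stored as PHP-serialized strings, as in the widget_text row above, where `s:62:"..."` records the length of the string that follows; deleting part of the payload without correcting that length silently corrupts the option, which is why tools that understand serialization are preferred for database edits.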

Once the site files and database are thoroughly cleaned, remove any user accounts you do not recognise, in case they were created by the attacker. A good practice is to assign administrator privileges to only one user and give every other account the lowest role it needs (i.e. the principle of least privilege).

If all else fails, or you are still not sure about the malware removal process or don't have the time to remove it manually, asking a Sucuri analyst to clean it for you is another option to consider.

Removal of malware warnings

If your site is on a blocklist, you can request that it be removed once the infection is cleared. If your hosting provider has suspended the site, contact them first and provide details of how you removed the malware. For each blocklisting authority, complete its review request form. Depending on where the site is blocked, the response time can vary from 24 to 72 hours. Once all the requests have been submitted, it's a waiting game. In the meantime, put post-hack preventive measures in place so that the site is not reinfected while you wait.

How to Protect WordPress Sites Going Forward

Protecting WordPress sites is crucial in today's web environment. As automated attacks continue to target vulnerable plugins, themes and core versions, site owners must remain vigilant, keep security risks low and update anything outdated. Once your site has been cleaned, change all passwords (WordPress users, database, SFTP/SSH and hosting control panel) to strong, unique ones. As mentioned earlier, applying the principle of least privilege to user accounts is a simple and effective precaution.

Using a web application firewall also reduces the entry points available to attackers. Since attackers exploit vulnerabilities in plugins and themes, a WAF can block exploitation attempts against known flaws even before you have applied the corresponding security update (often called virtual patching); it is a safety net, not a substitute for updating. A web application firewall will also protect against brute-force attacks, mitigate Distributed Denial of Service (DDoS) attacks, and provide performance optimization.

In conclusion

Manual cleanups can be an exhausting process, especially for someone who is not tech-savvy. If you're tearing your hair out because your site has been hacked and you don't know what to do, don't hesitate to turn to a professional. These infections may take time to clear up completely, but once they are gone you will feel a weight lifted. More importantly, you will have learned a lesson in the importance of website security. Do yourself a favor and stay ahead of the next infection by applying some hardening measures to your website.

If you are a site owner who has experienced or is currently experiencing a WordPress hack, I hope this information has helped you determine what to look for in your malware removal process.

Amanda J. Marsh