How to fix a hacked WordPress site

Here at OpalSupport we have repaired broken sites and maintained and secured websites for over 20 years. WordPress is a very popular platform and with that popularity comes the risk of attack. Vulnerabilities in outdated themes and plug-ins, or lax security, will eventually lead to your site becoming compromised. We can fix it for you, but you may want to know how to fix a site for yourself, so here’s where we explain what we do to fix a hacked WordPress site.

How to tell if my website has been hacked?

Do your site’s Google search results look strange, with unexpected content? Are friends reporting odd behaviour when they visit your site? Does your site seem slower than previously, or are some pages giving unexpected errors?

You may have been hacked

Many people expect a hack to be obvious, but that’s often not the case. A modern website hack can be invisible to you as the site owner. Of course there are still the classic obvious attacks which proclaim “you’ve been hacked by the X army”, or similar, but most modern hacks are not immediately noticeable.

Why is that? What the hackers want is to use your resources: your bandwidth, your CPU and possibly all the data of members and people who have signed up to your website. They want to take that and make money with it, and if you realise they are in your site then you will stop them, so they stay very quiet.

How do hackers get into my site?

If you have an old version of WordPress, or an outdated WordPress theme, or you are using plug-ins which have not been recently vetted, then these are all easy entry points for an intruder. Many WordPress bugs and security holes are patched each year, so if you have not updated your “core” in a while then your site is at risk. Themes, plug-ins and other code also become vulnerable as intruders have time to scrutinise them for weaknesses to exploit.

Of course updating your WordPress might actually cause problems. Updating WordPress core can cause plug-ins and themes to stop working. Sometimes updating a plug-in will stop WordPress from showing anything but a white page. This is why we have maintenance packages where we take care of all that for you. Maintaining a business site requires care, and doing it incorrectly can cost you a lot of money.

How to detect a hack?

Often a website owner will find out about problems on a site: mysterious glitches, or text which is displayed to visitors. Perhaps you notice that your Google listings are showing unexpected text advertising spammy products which have nothing to do with your business. These are all common indicators that you have been hacked and you need to lock down and clean your site.

Usually the first hack is very stealthy, then over time other hackers use that hack to install their own backdoors onto your site. After 6 months you may have 5 different hacks running, and each one is usually less elegant than the last. It is often only when the site is overrun with competing hacks that the issues become evident.

So … let’s repair your website.

Check the points of entry

The first step is to prevent hackers and scripts from working against your repair efforts and making further changes. You need to access your main website control panel: not the WordPress admin, but the place where you administer your entire website. For many website owners or website administrators this control panel will be cPanel. It’s possible that the intruders have your cPanel password, or have even changed your access, so we need to lock them out at this level.

Secure your web control panel

Our first action is to attempt to log into your control panel (this might be cPanel or something similar). If you can’t get in then you’ll need to contact your hosting supplier and ask them to reset the password on that account. If you are running your own server and you do not have a website maintenance package which covers your server then you’ll need somebody capable of editing that account to reset the cPanel users and passwords.

If you can access cPanel it may still be the case that the account is compromised, so we advise changing the password. But before you do that, you should make sure that the administrative e-mail is not compromised. So reset the password of the email account which is linked to the cPanel administration account.

So, with your email secured, it’s time to reset the cPanel password and log back in with the new password.

Next we need to start securing the FTP and SQL passwords.

Secure your important data

I’m sorry to have to say this, but your database and your files will not be in a good state and will be very corrupted. The situation will probably be worse than you initially thought, because a hack only shows itself to the owner if the infection has run rampant.

We need to take an offline backup of the site as it stands, for forensic purposes.

Backup everything

The next step is to back up all your files and data as they currently exist and take that backup offline for analysis. If you are using cPanel you can use the search to type “backup” and you should see a utility or choice of backup utilities (depending on what your hosting company provides). Take a backup of your site and download it somewhere safe locally.

Check this backup before the next step. This is important.

  • Check you have the corrupted database: open the file on your local machine in a text editor capable of handling large text files and ensure it actually contains data.
  • Check the archive of files is not corrupted, that you can open it, and that you can extract it without errors.

If these checks pass, take additional copies of the backups and place the copies on removable media (e.g. a thumb drive).
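Both checks can be scripted, and hashing the backup lets you show later that the forensic copy has not changed. This is an added example, not part of the original article; the function names are made up for the illustration. It assumes the files backup is a tar archive (for instance a .tar.gz) and the database is a plain SQL dump using the default wp_ table prefix.

```python
import hashlib
import re
import tarfile
import zlib

# Statements a SQL dump uses to define a table and to fill it with rows.
STATEMENT = re.compile(
    r"\s*(CREATE TABLE|INSERT INTO)\s+(?:IF NOT EXISTS\s+)?`?(\w+)`?", re.I)


def sha256_of(path, chunk=1 << 20):
    """Hash in chunks so a large backup never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def check_archive(path):
    """Read every member to its end without writing hacked files to disk."""
    files = 0
    try:
        with tarfile.open(path, "r:*") as tar:
            for member in tar:
                if member.isfile():
                    with tar.extractfile(member) as fh:
                        while fh.read(1 << 20):
                            pass
                    files += 1
    except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
        return False, f"archive damaged: {exc}"
    return files > 0, f"{files} files read without error"


def check_sql_dump(path, required=("wp_posts", "wp_postmeta")):
    """Return (ok, tables lacking a schema or rows) for the database dump."""
    created, filled = set(), set()
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            match = STATEMENT.match(line)
            if match:
                target = created if match.group(1).upper().startswith("CREATE") else filled
                target.add(match.group(2))
    missing = [t for t in required if t not in created or t not in filled]
    return not missing, missing
```

Record the sha256_of value of each file alongside the copies on removable media, and re-run it before any later analysis.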

Change all the passwords on your live website

Before the next step we’ll need to change all of the remaining passwords. Take a look at the databases, the database users, the FTP users and the e-mail accounts on the server.

You need to change the passwords for each of these accounts, as they may be compromised. There’s no use cleaning your house if the intruders can simply cut themselves new keys.

Choosing good new passwords

Passwords, we suggest, should be both long and also memorable. A good password has a high “entropy” number and if you follow our advice will look something like these examples (please don’t use these exact passwords!):

  • Frangible-Oblique-Ironic-Otter-12
  • Grift-Lazer-Octopus-58-Barbecue
  • 2-Potency-Advocated-Subliminal-Desk-44

Those are examples. We suggest you use https://correcthorsebatterystaple.net/ to create your own unique, complex passwords along the same lines.

Now, delete your old databases and FTP account and create new ones with passwords which satisfy the strength requirements. Your control panel should tell you that your password is now “very strong”. Please put the passwords in a secure location.

Take your broken web site offline

Now, it’s time to take your site offline. Use a file manager in your control panel, or an FTP application to delete the index.php or index.htm files in the /public_html/ folder of your hosting package.

Create (or obtain) a nice looking holding page which says “Our site is undergoing maintenance, back soon” and upload that as index.html. Take a look at your website in a web browser and ensure that the site looks as you expect and the maintenance page is being displayed. You may need to empty your cache to see it.

Now it’s time to delete everything but your holding page in your website /public_html/ root. Leave that holding page there but delete everything else.

Do some analysis

You may not need to do this, but it’s what we do next. Go and visit your logging page on your cPanel and take a look at the real-time analysis of what’s happening. You’ll see people trying to connect to things on your server which are indications of the tools they are using and the areas you’ll want to watch in future. For example
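The same patterns can be pulled out of a downloaded raw access log. This is an added example, not part of the original article: it assumes the Apache/nginx “combined” log format, the log lines are constructed, and the two signals it reports (repeated POSTs to the WordPress login endpoints, and requests for PHP files inside the uploads folder) are our choice of things to watch.

```python
import re
from collections import Counter

# Combined format: ip ident user [time] "METHOD target proto" status size ...
LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

AUTH_ENDPOINTS = ("/wp-login.php", "/xmlrpc.php")


def summarise(lines, post_threshold=3):
    """Return (noisy_ips, upload_php_hits) from access-log lines."""
    posts = Counter()
    upload_php = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, target, status = m.groups()
        path = target.split("?", 1)[0].lower()
        if method == "POST" and path.endswith(AUTH_ENDPOINTS):
            posts[ip] += 1
        # Media folders should serve images and documents, never PHP.
        if "/wp-content/uploads/" in path and path.endswith(".php"):
            upload_php.append((ip, path, int(status)))
    noisy = {ip: n for ip, n in posts.items() if n >= post_threshold}
    return noisy, upload_php


# Constructed sample lines; the addresses come from documentation-only ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2024:10:02:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"',
    '198.51.100.9 - - [01/Jan/2024:10:02:11 +0000] "GET /wp-content/uploads/2024/03/cache.php?x=1 HTTP/1.1" 200 12 "-" "-"',
    '192.0.2.44 - - [01/Jan/2024:10:03:00 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
]
```

A 200 status on a PHP file under uploads means the file exists and ran, so look for that path in your offline backup.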

Create a local copy of your corrupted site

You now need to examine your broken site, the one you backed up earlier, and we’ll try to extract everything you can salvage: all the posts, content, images and data.

You are going to need the program Local by Flywheel. This free software lets you run WordPress on your own computer. Download and install that.

New Site – Blank Slate

Now, create a blank install of WordPress in Local by Flywheel; this is going to be your new site. Press the Plus button and choose the latest version of WordPress, and it will create the site and present you with some options. There are good tutorials on how to use Local, and if you run into issues these resources will help.

Press the Plus button in the bottom left of Local and name the new site “[NAME OF YOUR SITE] fixed” and make sure you can view it. Of course this will simply be a blank WordPress site with the basic theme.

Log into this new clean website’s WordPress admin and install the Wordfence security plugin.

Create a local copy of your corrupted website

You’ll also need to install your old corrupted website to take stock of the damage and rescue your posts and pages. How to do this: get the downloaded archive which you obtained from your hacked webserver. Unzip this archive and extract the folder called “Content” and set it to one side. Now find the corrupted database and place that alongside your corrupted content folder and zip them up into a new archive. Now drag this archive into Local by Flywheel. This should start an import and site creation process.

Name this site “Corrupted Live site”. If you have problems here then refer to the Flywheel documentation.

If all goes well you’ll have a local clone of your site as it was. Hacked and corrupted, but this is what we will investigate.

Forensic Analysis

You’ll see your “Corrupted Live site” in Local, and you’ll see a button marked “Start Site”. Click that button and the site will become active. You should also see some tabs marked “Overview”, “Database”, “SSL” and “Utilities”. Choose the Database tab and beneath that title click the button titled “ADMINER”. If your site is running, this button will open up the corrupt database for your site, ready for analysis.

You’ll have a lot of tables here: wp_commentmeta, wp_comments, wp_options, wp_postmeta, wp_posts … and often many more.

There are some tables which are very important and those we will focus on: wp_posts and wp_postmeta contain all of your pages and the connections to the images and files. These are important but unfortunately the tables are also likely to be corrupted so we will take a look and see if we can spot anything suspicious in here.

Click on wp_posts and then “select data”. This will display all the posts in your system. Where you see the box titled “limit”, change the limit to 500 (items per page). Now scroll down looking at the entries. In “post content” you’ll see the HTML for each post, and while the earlier entries may be innocuous it is very likely that you’ll see some suspicious entries with links to pharmaceutical websites or porn websites. Put a checkmark next to each of these and delete them with the bulk delete.

Hopefully you don’t have too many entries and it should take around 30 minutes for you to be sure that your posts are clean. Take a look at wp_postmeta and do the same cleaning process.

Now, select “Export” and you will be asked to choose which tables to export. Choose wp_posts and wp_postmeta and export those to somewhere safe. A folder marked “cleaned files”, for example.
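If the table is too large to read by eye, a script can shortlist the rows worth opening. This is an added example, not part of the original article, and it goes a little beyond the spam links described above by also flagging hidden containers, scripts and iframes. It assumes you have the rows as (ID, post_content) pairs and a list of hosts you trust; the names and sample rows are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


def link_host(url):
    """Hostname of a URL; '' for relative links and unparsable values."""
    try:
        return (urlparse(url or "").hostname or "").lower()
    except ValueError:
        return ""


class PostScanner(HTMLParser):
    """Collects reasons to review a post; trusted hosts cover their subdomains."""
    def __init__(self, trusted):
        super().__init__()
        self.trusted, self.reasons = trusted, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "iframe"):
            self.reasons.append(f"<{tag}> element")
        style = (attrs.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            self.reasons.append(f"hidden <{tag}>")
        for name in ("href", "src"):
            host = link_host(attrs.get(name))
            if host and not any(host == t or host.endswith("." + t) for t in self.trusted):
                self.reasons.append(f"external {name}: {host}")


def triage(rows, trusted):
    """Map post ID to reasons, given rows of (ID, post_content)."""
    flagged = {}
    for post_id, content in rows:
        scanner = PostScanner(trusted)
        scanner.feed(content or "")
        scanner.close()
        if scanner.reasons:
            flagged[post_id] = scanner.reasons
    return flagged


# Constructed rows standing in for wp_posts; example.com plays the site's own domain.
SAMPLE = [
    (1, '<p>Welcome to <a href="https://example.com/about">our shop</a></p>'),
    (2, '<div style="display: none"><a href="http://pills.example.net/">x</a></div>'),
    (3, '<img src="/uploads/logo.png"><script src="//cdn.example.org/a.js"></script>'),
]
```

The output is a shortlist for manual review, not a verdict: legitimate embeds will appear until you add their hosts to the trusted list.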

Now the next most important table is often Options. This table contains settings for your theme, and it can be complex to search through as options are often cryptic. We’ll address Options a little differently.

Exporting theme options

If you can do so, log into the wp-admin of your Local copy of your corrupted website.

If you cannot log in then follow these instructions for creating a rebuilt admin login for WordPress.

If you can log into your old WordPress then the first thing you need to do is install and activate the Customize Export/Import plugin on both sites where you want to export/import.

You need to go to the Themes » Customize page on the site you want to export from. Next, you need to click on the ‘Export/Import’ panel to view its settings and then click on the ‘Export’ button.

The plugin will now export your customizer settings and send them to your browser in a .dat file. It will export all your theme options that are defined as theme mods or stored as options in the WordPress database. This means you can export things like color settings, layout directions, header media, etc.

Importing into the new site

Now, it’s time to rebuild your website.

If a hacker has access to your server root, and they are logging in via a console, then you will need more intensive help than this tutorial can give and we recommend you contact us for methods of solving this issue.