The right way to clean a hacked WordPress site (with tutorial)
Your website got hacked and you don't have any (recent) backups. Sucks, right? Don't panic; most sites can easily be recovered in a couple hours.
By now you're probably scouring the web for 'virus scanners' or 'WordPress malware scanners' in a futile effort to save your infected site. Just go ahead and STOP.
In my experience, most of these plugins and scanners do more harm than good. They miss a ton of malicious code and often wrongly quarantine good code, all the while slowing down your site.
Why security scanners suck
Here's the deal- it's pretty much impossible for any scanner to pick up every single line of malicious code. Most of them have common patterns or strings that they search for in your site. And in my opinion, if you were a decent hacker, you just wouldn't use these strings to avoid detection. I could write an entire article about how terrible these plugins are, but instead I'll leave you with a post from a guy who ran some tests on the most popular WordPress security plugins.
The only real way to clean a site is to go through each file, read every line of code (and comprehend it) to make sure it hasn't been infected. And in case this isn't painfully obvious, this takes A LOT OF TIME. Just for reference, a WordPress site I currently have open in my editor has 5,456 files in it.
Can't I just try a security plugin first?
Sure, but if the scanner is not completely successful (chances are it won't be) and you're unaware that your site is still infected (chances are you won't be), your site is still vulnerable to backdoor hacks that allow the hacker to instantly regain access to the backend of your site. This leaves time for the malicious code to reach other parts of your site and create an even bigger mess.
Unless your site is your hobby blog on fixing up muscle cars (good on you- cool hobby) and not your business, don't mess around with this. Get that site cleaned properly.
How to clean a hacked WordPress site
I'm going to tell you why you should delete your entire site, start from scratch, and how this will actually be faster than trying to clean your existing hacked WordPress site.
Starting with a fresh WordPress install is the only way to be absolutely positive that your site is clean. And if you've done things mostly correct in building your site so far, with the exception of forgetting to make backups, this is a pretty quick and painless process.
Cleaning a hacked site
- Backup your current site
- Setup a new WordPress install in a safe space
- Restore official plugins and themes
- Restore custom plugins and themes
- Salvage clean content
- Site launch and security
1. Backup your current site
Better late than never right? Backing up your site gives you a point to return back to, even if it's not the best point. Plus you may be able to use a couple uninfected items from the backup (we'll touch on those later).
You need 2 things for a backup, the files (only wp-content/ is necessary for this backup) and the database.
DO NOT MOVE ANY OF THESE FILES TO THE NEW SITE YET.
2. Setup a new WordPress install in a safe space
You need somewhere to work on your new site while keeping the old one in tact. If you're a developer, this is probably on your local machine, otherwise you may want to do this on a separate domain until you've finished your new site.
Here's the important part: I do not recommend working on this site on the same server your site was hacked on. There's always a chance that your server was compromised and the hack was not isolated to the WordPress install. If this is the case, your new site may be hacked again the moment you upload it.
If you choose to work on the same server despite my advice, make sure that you:
1. Remove all the files you can safely remove on your server prior to upload. At a minimum this should be your entire previous WordPress folder.
2. Change all credentials you have prior to uploading anything from your new site. (See Step 7)
Ready? Setup your new WordPress site and move on to the next step.
3. Restore official plugins and themes
WordPress plugins and themes can easily be found on the WordPress plugin repository. Download them from the official repository means that you now they're free from any malicious code and the latest versions of each plugin should provide the most security.
Similarly if you have any ThemeForest or CodeCanyon plugins, download the latest versions from their respective places and avoid using any code from your hacked backup.
4. Restore custom plugins and themes
If you've made any custom plugins or themes, hopefully you're using version control on them and they're safely stored in a repository somewhere.
If not, go through these files one by one saying to yourself "I will use version control in the future" as you finish reading each line of code.
5. Salvage clean content
Content is the trickiest part because there are types of hacks that are stored within your database (where your content is kept). Copying and pasting the database over may put you back into the same position you were at the beginning if your database was compromised.
There are a couple options here depending on the type of site and amount of content you have. It's always preferable to go with option A, but there may be cases where you need to go with option B.
A. Manually grab text and images from your site
If you have a site that's under 15 pages and you don't have 100+ blog posts, this is a very safe option. Simply visit your site in a browser and copy and paste the content that you need. Because of browser security, there's little risk that you'll be able to get any virus by copying text or right clicking and saving images.
B. Clean the database tables needed and import
If you have a larger site and going through each post, portfolio item, or page just isn't an option, we need to clean the database. Again, this should be a last resort for massive sites and Option A is a superior chioce.
The idea here is to take as little as possible from the old database to avoid potential re-infection.
1. Start by installing a plugin capable of cleaning the database on your OLD SITE. This one isn't too bad and can be used to help you scan the database for commonly used hacks.
2. Next you need to export the posts you need. Still in your old site, go to Tools->Export and select the data you need.
3. Import this data under Tools->Import in the NEW SITE. You may be prompted to install the WordPress Importer plugin in order to do this.
6. Site launch and security
Before doing anything else, make a backup of your new site! If for some reason hackers do get in again, you should now have a clean version to revert back to. Don't forget to also back up your new database as this is equally important.
The first thing you should do prior to launching your new site is change every credential you have. You'll want to change:
- WordPress database name
- Database logins
- WordPress logins
- cPanel logins
- FTP logins
- And if you're super paranoid and your site was on a shared host, move to a different host entirely
After you've done all these, you can upload your newly created site safely to your server.
Getting hacked again
In the unlikely event that you get hacked again, you can use the backup we made in Step 6 and start again at Step 4 in this process. Your next job is to begin narrowing down sources of the attack.
Did you have any custom code you added back in?
Triple check any custom code you added in to make sure no exploits were left here.
Did you use Step 5b?
There may be backdoor that was left in the database. Scan your database with different tools or use Step5a instead.
Did you change all your credentials or switch hosts?
If a hacker still has access to login information, no amount of cleaning is going to resolve the issue; use more secure credentials. If you've been using the same password for 20 years, you may want to look into generating a new, stronger password.
Likewise, if your host has been compromised (this does happen to the big ones as well), you may be fighting a losing battle until you move to a more secure hosting platform.
Are the plugins you're using secure?
Sometimes a plugin has a known exploit that allows hackers to easily bypass your security. Googling the plugin's name + 'security loophole' may reveal problematic plugins that you should disable until the author is able to resolve them.
This can happen to even the most official and upstanding plugins; always double check.
It's never fun getting hacked, but it does happen. Fixing your hacked site properly is important to insure against future attacks, risking breach of sensitive information, losing your site's content, and even spreading a hack to other sites on your server.
Getting hacked also highlights the reasons that regular site backups (preferably with a cronjob), keeping your site's code under version control, and beefing up server security are all so important.
Have any tips or tricks you'd like to add? Let us know in the comments below!