WordPress sites can be hacked. This is caused by leaving software non-updated for a while, giving away access credentials or just poorly written plugins. One can do some things to prevent blog hacking, however they are not so useful when it happened already.
WordPress sites get hacked both for intelligence purposes, links or as a platform for distributing malware. Additionally, hackers might misuse your account for running PHP based bots or shell access.
So, what to do?
Table of Contents
Take your WordPress site down and backup
Yes, you should save away a copy of infected site including its database, files, and logs. This will be necessary for determining the way infection occurred and restoring files if something wrong happens.
It is highly advisable to turn your hacked WordPress site down. If hackers have access, they will be able to hinder you from cleaning. Additionally, you should stop your site from infecting others and thus avoid being blacklisted.
The prefered way of taking website down is going to the website configuration file and adding following rules to it:
deny from all
allow from [ your ip here ]
These lines CAN be added to your .htaccess file as well, but I recommend doing it from config file and leave .htaccess untouched for a while. On shared hosting, you could ask the support for doing so.
Scan your PC with anti-virus and anti-malware programs
One might ask why he should scan their own PC if the website got infected. Well, there are couple reasons.
First one, you do not know how your site was hacked. There is a possibility of worm gathering FTP passwords from common programs.
The second one is that you got exposed to the hacked code of your own site and it could have infected your PC too.
Hitman Pro is a good choice for second opinion scanner. However, at this point you should make sure your antivirus and firewall is running too.
Assess the damage done and the type of hack
Time to open your site and determine HOW and WHY your site got infected.
There are several possible scenarios, that are covered in a dedicated post about ways WordPress get hacked.
- Server wide attack. All websites on server are defaced or hacked. In such case contact your hosting provider for patches/updates. You will have to restore your site from backups (most likely). In some cases it is advisable to ask for replacement hosting , A less severe case is access to ones FTP/SFTP account that modifies core files or installs new ones.
- Hacked WordPress username and password. The signs of such infection would be modified content of posts and pages, in rare cases – template files modified. Hacked usernames do not provide enough permissions to edit core files, but it is possible to edit template files if they are writable by web server. To fix such problem, restore from backup or older post revisions. In some cases database password is guessed, and the malicious code is written using database management script like phpMyAdmin. In such cases, you should change both database and ALL WordPress user passwords, as they might be broken.
- Exploit in WordPress software that allows installing malicious files. These types of attacks are dangerous, though easy to localize usually. The typical cause – bad plugins, bad custom theme or just unpatched WordPress version. All these cases are quite common, and you will have to track how the infection took place and fix the security issue or you might get reinfected right away. File restoration will not work in all cases.
Prevention: change SSH/FTP password.
If you suspect that the hackers used your shell account (you found additional files outside world-writable folders, core files were modified, change your shell password right away. If it was server-wide attack, the server should be inspected by your hosting provider first to avoid spyware. At this point, do not change WordPress user name or password.
Repair : Restore from backups and/or fix other issues
Although restoring from backups is the preferable way in many cases, this might give false sense of security. One should make sure that the backups are older than the time of attack and that security hole is fixed. In many cases you should reinstall WordPress core files or upgrade them.
If you expect and exploit in WordPress, you should investigate wp-content folder instead.
- Delete all .htaccess files from wp-content and its subfolders.
- Delete all PHP scripts, except in templates or plugins. Doublecheck all templates or plugins for files that do not belong there.
- Consider reinstalling theme and plugin files from fresh source
Change your WordPress password
Malicious plugins could have access to WordPress database, thus steal hashed passwords and even database password itself. You should always change both of them at this step. This is is one of the last steps, as hacked wordpress installation might leak these passwords to the hackers.
Enable site and run security scanners
That is it. You should re-enable site and see if you have fixed everything.
As additional precaution, I recommend 2 things:
First, you should take time and investigate logs to determine the time and way of attack.
Secondly, you should try harden your WordPress installation to avoid such issues in the future.