STEPS TO CLEANING A HACKED WORDPRESS SITE

Identify, remove, and harden your site after a hack.

Sucuri has devoted years to helping WordPress administrators identify and fix hacked websites. To continue with this process, we have put together this guide to help website owners walk through the process of identifying and cleaning a WordPress hack. This is not meant to be an all-encompassing guide, but if followed, should help address 70% of the infections we see. A lot of the guidance is built on the use of our free WordPress security plugin.

Step 1

IDENTIFY HACK

1.1 Install the Sucuri Plugin

If your WordPress site has been hacked, our free security plugin can help you identify which areas need to be cleaned.

Sucuri actively maintains a free WordPress security plugin with features to enhance security and identify indicators of compromise. This tool will help you perform most of the steps in this guide.

To install the free Sucuri security plugin:

  1. Log into WordPress as an admin and go to Plugins > Add New.

  2. Type Sucuri Scanner into the field.

  3. Click Install Now next to Sucuri Security - Auditing, Malware Scanner and Security Hardening.

  4. Activate the plugin.

1.2 Scan Your Site

You can use the Sucuri plugin to scan your site to find malicious payloads and malware locations.

Common Indicators of a Hacked WordPress Website

  • Blacklist warnings by Google, Bing, McAfee
  • Weird or abnormal browser behaviors
  • Spam in search engine content
  • Notification of site suspension by your website host
  • File modifications or core integrity issues
  • Warnings in Google search results (SEO poisoning)

To scan WordPress for hacks using the Sucuri plugin:

  1. Log into WordPress as an admin and go to Sucuri Security > Malware Scan.

  2. Click Scan Website.

  3. If the site is infected, you will see a warning like the screenshot below.

If the remote scanner isn’t able to find a payload, continue with other tests in this section. You can also manually review the iFrames / Links / Scripts tab of the Malware Scan to look for unfamiliar or suspicious elements.

If you have multiple websites on the same server we recommend scanning them all (you can also use SiteCheck to do this). Cross-site contamination is one of the leading causes of reinfections. We encourage every website owner to isolate their hosting and web accounts.

Note

The Malware Scan feature is a remote scanner that browses the site to identify potential security issues. Some issues do not show up in a browser; instead, they manifest on the server (e.g., backdoors, phishing pages, and server-side scripts). The most comprehensive approach to scanning combines remote and server-side scanners. Learn more about how remote scanners work.

1.3 Check Core File Integrity

Most core WordPress files should never be modified. Our plugin checks for integrity issues in the wp-admin, wp-includes, and root folders.

To check core file integrity using the Sucuri plugin:

  1. Log into WordPress as an admin and go to Sucuri Security > Dashboard.

  2. Review the Core Integrity section for the current status.

  3. Any modified, added, or removed files could be part of the hack.

If nothing has been modified, your core files are clean.

Note

You may want to use an FTP client to quickly check for malware in directories like wp-content. We recommend using FTPS/SFTP/SSH rather than unencrypted FTP.

1.4 Check Recently Modified Files

You can identify hacked files by seeing if they were recently modified using the audit logs from the Sucuri plugin.

To check recently modified files using the Sucuri plugin:

  1. Log into WordPress as an admin and go to Sucuri Security > Dashboard.

  2. Review the Audit Logs section for recent changes.

  3. Unfamiliar modifications in the last 7-30 days may be suspicious.
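
The Core Integrity and Audit Logs checks above can also be run from the server, which reaches files the remote scanner never sees. The following script is an added example, not the Sucuri plugin's code; it assumes a known-good list of MD5 checksums taken with md5sum over a pristine copy of the same WordPress version (WordPress publishes per-file MD5 checksums for each release), and the install it builds for demonstration is constructed.

```shell
#!/bin/sh
# Added example, not from the Sucuri guide or plugin: a server-side version of
# the Core Integrity and Audit Logs checks. Assumes a known-good list of
# "<md5>  <relative path>" lines produced by md5sum over a pristine copy of
# the same WordPress version.
set -e

# Print MODIFIED / REMOVED lines for each path in the known-good list, then
# ADDED lines for files under wp-admin/ and wp-includes/ that the list lacks.
check_core_integrity() {
  root="$1"; known="$2"
  while read -r sum path; do
    [ -n "$path" ] || continue
    if [ ! -f "$root/$path" ]; then
      echo "REMOVED  $path"
    elif [ "$(md5sum "$root/$path" | cut -c1-32)" != "$sum" ]; then
      echo "MODIFIED $path"
    fi
  done < "$known"
  for dir in wp-admin wp-includes; do
    [ -d "$root/$dir" ] || continue
    find "$root/$dir" -type f | sort | while read -r f; do
      rel=${f#"$root/"}
      # the path starts at column 35; -xF matches it whole, with no regex meaning
      cut -c35- "$known" | grep -qxF -- "$rel" || echo "ADDED    $rel"
    done
  done
}

# Files changed in the last N days, skipping uploads, which change legitimately.
recent_changes() {
  find "$1" -type f -mtime "-$2" ! -path '*/wp-content/uploads/*' | sort
}

# Constructed fixture: a tiny "install", its known-good list, then the kinds of
# tampering the guide describes (edited core file, removed file, stray file).
make_tampered_install() {
  d="$1"
  mkdir -p "$d/wp-admin" "$d/wp-includes" "$d/wp-content/uploads"
  printf '<?php // admin\n' > "$d/wp-admin/index.php"
  printf '<?php $wp_version = "6.x";\n' > "$d/wp-includes/version.php"
  printf '<?php // loader\n' > "$d/wp-load.php"
  ( cd "$d" && md5sum wp-admin/index.php wp-includes/version.php wp-load.php ) > "$d.known"
  printf '<?php $wp_version = "6.x"; // edited\n' > "$d/wp-includes/version.php"
  rm "$d/wp-load.php"
  printf '<?php // not a core file\n' > "$d/wp-includes/class-wp-cache.php"
  printf 'img' > "$d/wp-content/uploads/a.jpg"
}

# Usage: sh check.sh /var/www/html /path/to/known-good.md5
if [ $# -eq 2 ]; then check_core_integrity "$1" "$2"; fi
```

Files under wp-content are not covered by the core list, so review them with recent_changes and the backup comparison described in Step 2.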

1.5 Confirm User Logins

You can review the list of recent user logins to check if passwords have been stolen or new malicious users have been created.

To check recent logins using the Sucuri plugin:

  1. Log into WordPress as an admin and go to Sucuri Security > Last Logins.

  2. Confirm the list of users and the time they logged on.

  3. Unexpected login dates/times could indicate a user account has been hacked.

Step 2

REMOVE HACK

Now that you have information about potentially compromised users and malware locations, you can remove malware from WordPress and restore your website to a clean state.

Pro Tip:

The best way to identify hacked files is by comparing the current state of the site with an old and clean backup. If a backup is available, you can use that to compare the two versions and identify what has been modified.

Note

Some of these steps require web server and database access. If you are not familiar with manipulating database tables or editing PHP, please seek assistance from a professional Incident Response Team member who can completely remove WordPress malware.

2.1 Clean Hacked Website Files

If the infection is in your core files or plugins, you can easily fix this with our plugin. You can also do this manually; just don’t overwrite your wp-config.php file or wp-content folder.

To repair core files using the Sucuri plugin:

  1. Log into WordPress as an admin and go to Sucuri Security > Dashboard.

  2. Review warnings under the Core Integrity section.

  3. Select Modified and Removed files and choose the Restore source action.

  4. Check the box to confirm I understand that this operation can not be reverted.

  5. Click Proceed.

  6. Select Added files and choose the Delete file action.

  7. Repeat steps 5-6.

Custom files can be replaced with fresh copies, or a recent backup (if it’s not infected). Here are some additional tips & tricks that you can use with WordPress.

You can use any malicious payloads or suspicious files found in the first step to remove the hack.

To manually remove a malware infection from your website files:

  1. Log into your server via SFTP or SSH.

  2. Create a backup of the site before making changes.

  3. Identify recently changed files.

  4. Confirm the date of changes with the user who changed them.

  5. Restore suspicious files with copies from the official WordPress repository.

  6. Open any custom or premium files (not in the official repository) with a text editor.

  7. Remove any suspicious code from the custom files.

  8. Test to verify the site is still operational after changes.

Caution

Manually removing “malicious” code from your website files can be extremely hazardous to the health of your website. Never perform any actions without a backup. If you’re unsure, please seek assistance from a professional.

2.2 Clean Hacked Database Tables

To remove a malware infection from your website database, use your database admin panel to connect to the database. You can also use tools like Search-Replace-DB or Adminer.

To manually remove a malware infection from your database tables:

  1. Log into your database admin panel.

  2. Make a backup of the database before making changes.

  3. Search for suspicious content (e.g., spammy keywords or links).

  4. Open the table that contains suspicious content.

  5. Manually remove any suspicious content.

  6. Test to verify the site is still operational after changes.

  7. Remove any database access tools you may have uploaded.

Beginners can use the payload information provided by the malware scanner. Intermediate users can also manually look for common malicious PHP functions, such as eval, base64_decode, gzinflate, preg_replace, str_replace, etc. Note that these functions are also used by plugins for legitimate reasons, so be sure you test changes or get help so you do not accidentally break your site.

2.3 Secure User Accounts

If you noticed any unfamiliar WordPress users, remove them so the hackers no longer have access. We recommend having only one admin user and giving every other user the lowest-privileged role that still lets them do their job (e.g., contributor, author, editor).

To manually remove suspicious users from WordPress:

  1. Backup your site and database before proceeding.

  2. Log into WordPress as an admin and click Users.

  3. Find the suspicious new user accounts.

  4. Hover over the suspicious user and click Delete.

If you believe any of your user accounts were compromised you can reset their passwords.

To reset user passwords using the Sucuri plugin:

  1. Log into WordPress as an admin and go to Sucuri Security > Post-Hack.

  2. Click the Reset User’s Password tab.

  3. Check the box next to the user account that you believe was compromised.

  4. Check the box to confirm I understand that this operation can not be reverted.

  5. Click Reset User Password.

The user will receive an email with a strong temporary password.

2.4 Remove Hidden Backdoors

Hackers always leave a way to get back into your site. More often than not, we find multiple backdoors of various types in hacked WordPress sites.

Often backdoors are embedded in files named similar to WordPress core files but located in the wrong directories. Attackers can also inject backdoors into files like wp-config.php and directories like /themes, /plugins, and /uploads.

Backdoors commonly include the following PHP functions:

  • base64
  • str_rot13
  • gzuncompress
  • eval
  • exec
  • create_function
  • system
  • assert
  • stripslashes
  • preg_replace (with the /e modifier)
  • move_uploaded_file

These functions can also be used legitimately by plugins, so be sure to test any changes because you could break your site by removing benign functions.

The majority of malicious code we see uses some form of encoding to prevent detection. Aside from premium components that use encoding to protect their authentication mechanism, it's very rare to see encoding in the official WordPress repository.

It is critical that all backdoors are closed to successfully clean a WordPress hack, otherwise your site will be reinfected quickly.
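
As an added example (not from Sucuri or its plugin), the following shell script turns the list above into a triage scan: it reports which of those functions each PHP file calls, flags preg_replace patterns carrying the /e modifier and long base64-looking literals, and leaves the judgement to the reviewer, since legitimate code uses the same functions. The fixture files it creates are constructed stand-ins for a wp-content directory.

```shell
#!/bin/sh
# Added example, not from the Sucuri guide or plugin: a triage scan for the
# function names listed above. It prints candidates for a human to review, not
# verdicts, because legitimate plugins use the same functions.
set -e

# Names from the list above (base64 as base64_decode) plus gzinflate from 2.2.
SUSPECT_FUNCS='base64_decode|str_rot13|gzuncompress|gzinflate|eval|exec|create_function|system|assert|stripslashes|move_uploaded_file'

# One line per PHP file that calls a suspect function, uses preg_replace with
# the /e modifier, or carries a long base64-looking literal (encoded code).
scan_php_file() {
  f="$1"
  # extract every "identifier(" call token; the identifier is maximal, so
  # system_status( is not mistaken for system(, then keep only suspect names
  funcs=$(grep -oE '[A-Za-z0-9_]+[[:space:]]*\(' "$f" | sed -E 's/[[:space:]]*\($//' \
    | grep -xE "$SUSPECT_FUNCS" | sort -u | paste -sd, -)
  flags=""
  # a /-delimited pattern whose modifiers include "e": the replacement runs as PHP
  grep -qE "preg_replace[[:space:]]*\([[:space:]]*['\"]/[^/]*/[A-Za-z]*e[A-Za-z]*['\"]" "$f" \
    && flags="${flags}preg_replace_e,"
  grep -qE '[A-Za-z0-9+/]{80,}={0,2}' "$f" && flags="${flags}long_base64_literal,"
  if [ -n "$funcs" ] || [ -n "$flags" ]; then
    echo "$f funcs=[$funcs] flags=[${flags%,}]"
  fi
}

scan_php_dir() {
  find "$1" -type f -name '*.php' | sort | while read -r f; do scan_php_file "$f"; done
}

# Constructed fixture: one benign plugin file and one file per signal
# (the base64 literal in .cache.php decodes to a harmless echo "hi";).
make_scan_fixture() {
  d="$1"; mkdir -p "$d/plugins/good" "$d/uploads" "$d/themes/t"
  printf '<?php function system_status() { return str_replace("a", "b", get_option("x")); }\n' \
    > "$d/plugins/good/good.php"
  printf '<?php eval(base64_decode("ZWNobyAiaGkiOw=="));\n' > "$d/uploads/.cache.php"
  printf '<?php $o = preg_replace("/(.*)/e", "trim(1)", $i);\n' > "$d/themes/t/functions.php"
  printf '<?php $k = "%s";\n' "$(printf '%.0sQUFB' $(seq 1 25))" > "$d/themes/t/helper.php"
}

# Usage: sh scan.sh /var/www/html/wp-content
if [ $# -eq 1 ]; then scan_php_dir "$1"; fi
```

Hidden PHP files in uploads and theme helpers that never appear in the upstream package are the usual places such hits turn out to be real; everything else on the list should be compared against a fresh copy before anything is deleted.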

2.5 Remove Malware Warnings

If you were blacklisted by Google, McAfee, Yandex (or any other web spam authorities), you can request a review after the hack has been fixed.

To remove malware warnings on your site:

  1. Call your hosting company and ask them to remove the suspension.

    • You may need to provide details about how you removed the malware.
  2. Fill in a review request form for each blacklisting authority.

    • e.g., Google Search Console, McAfee SiteAdvisor, Yandex Webmaster.
    • The review process can take several days.

Note

With the Sucuri Website AntiVirus plans, we submit blacklist review requests on your behalf. This helps ensure your site is absolutely ready for review. Some reviews, however, such as those for manual actions taken over web spam hacks, can take up to two weeks.

Step 3

POST-HACK

In this final step, you will learn how to fix the issues that caused WordPress to be hacked in the first place. You will also perform essential steps to enhance the security of your WordPress site.

3.1 Update and Reset Configuration Settings

Out-of-date software is one of the leading causes of infections. This includes your CMS version, plugins, themes, and any other extension type. Potentially compromised credentials should also be reset to ensure you are not reinfected.

Update WordPress Software

To manually apply updates in WordPress:

  1. Log into your server via SFTP or SSH.

  2. Backup your website and database (especially customized content).

  3. Manually remove the wp-admin and wp-includes directories.

  4. Replace wp-admin and wp-includes using copies from the official WordPress repository.

  5. Manually remove and replace plugins and themes with copies from official sources.

  6. Log into WordPress as an admin and click Dashboard > Updates.

  7. Apply any missing updates.

  8. Open your website to verify it is operational.

If the Sucuri plugin identified other outdated software on your server (e.g., Apache, cPanel, PHP), you should update this as well to ensure that no security patches are missing.

Caution

We recommend manually removing and replacing core files instead of using the Update feature in the wp-admin dashboard. This ensures any malicious files added to core directories are all accounted for. You can remove the existing core directories (wp-admin, wp-includes), then manually add fresh copies of those same directories.

Be careful not to touch wp-config or wp-content as this will break your site!

Reset Passwords

It is critical that you change passwords for all access points. This includes WordPress user accounts, FTP/SFTP, SSH, cPanel, and your database.

To reset user passwords using the Sucuri plugin:

  1. Log into WordPress as an admin and go to Sucuri Security > Post-Hack.

  2. Go to the Reset User’s Password tab.

  3. Check the box next to the user account that you believe was compromised.

  4. Check the box to confirm I understand that this operation can not be reverted.

  5. Click Reset User Password.

  6. The user will receive an email with a strong temporary password.

You should reduce the number of admin accounts for all of your systems. Practice the principle of least privilege: only give people the access they require to do the job they need.

Note

All accounts should use strong passwords. A good password is built around three components – complexity, length, and uniqueness. Some say it’s too difficult to remember multiple passwords. This is true. That's why password managers were created!

Generate New Secret Keys

Once the passwords are reset, you can force all users to log off using our plugin. WordPress uses browser cookies to keep user sessions active for two weeks. If an attacker has a session cookie, they will retain access to the website even after a password is reset. To fix this, we recommend forcing active users off by resetting WordPress secret keys.

To generate new secret keys using the Sucuri plugin:

  1. Log into WordPress as an admin and go to Sucuri Security > Post-Hack.

  2. Click on Security Keys.

  3. Click Generate New Security Keys.

  4. This will force all users out of the WordPress dashboard.
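
For administrators working from the shell rather than the dashboard, the same key rotation can be done directly in wp-config.php. This added example is not the plugin's code; it assumes the stock define( 'AUTH_KEY', '...' ); line format, and the configuration file it writes for demonstration is constructed.

```shell
#!/bin/sh
# Added example, not from the Sucuri guide or plugin: rotate the eight secret
# keys and salts in wp-config.php, which invalidates every existing WordPress
# login cookie, the same effect as the plugin's Security Keys step. Assumes the
# stock define( 'AUTH_KEY', '...' ); lines.
set -e

WP_SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 random characters from an alphabet that is safe inside a single-quoted PHP
# string and inside a sed replacement (no ' " $ \ & / or |).
new_salt() {
  LC_ALL=C tr -dc 'A-Za-z0-9!@#%^*()_+=.,<>{}~-' </dev/urandom | head -c 64
}

# Rewrite each salt define found in $1 with a fresh value, keeping a .bak copy;
# prints the number of defines rotated so the caller can confirm all eight.
rotate_salts() {
  cfg="$1"; count=0
  cp "$cfg" "$cfg.bak"
  for name in $WP_SALT_NAMES; do
    if grep -q "define( *'$name'," "$cfg"; then
      val=$(new_salt)
      sed "s|define( *'$name', *'[^']*' *);|define('$name', '$val');|" "$cfg" > "$cfg.tmp"
      mv "$cfg.tmp" "$cfg"
      count=$((count + 1))
    fi
  done
  echo "$count"
}

# Constructed stand-in for a wp-config.php still carrying installer placeholders.
make_sample_config() {
  {
    echo "<?php"
    echo "define( 'DB_NAME', 'wordpress' );"
    for name in $WP_SALT_NAMES; do
      echo "define( '$name',  'put your unique phrase here' );"
    done
  } > "$1"
}

# Usage: sh rotate-salts.sh /var/www/html/wp-config.php
if [ $# -eq 1 ]; then echo "rotated $(rotate_salts "$1") keys in $1"; fi
```

A count below eight means some defines use a non-standard format and must be edited by hand; remove the .bak copy once the site is confirmed working, since it holds the old keys.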

It is advisable to reinstall all plugins after a hack to ensure they are functional and free of residual malware. If you have deactivated plugins we recommend you remove them from your web server.

  1. Log into WordPress as an admin and go to Sucuri Security > Post-Hack.

  2. Go to the Reset Plugins tab.

  3. Select the plugins you want to reset (it is recommended to select them all).

  4. Click Process selected items.

Note that premium plugins will need to be reinstalled manually as their code is not available on the official WordPress repository.

3.2 Harden WordPress

To harden a server or application means that you take steps to reduce the attack surface, or entry points for attackers. WordPress and its plugins can be harder to hack when you take these steps.

To harden WordPress using the Sucuri plugin:

  1. Log into WordPress as an admin and go to Sucuri Security > Hardening.

  2. Review the options to understand what they do.

  3. Click the Harden button to apply recommendations.

There are countless ways to harden WordPress depending on your needs. We recommend reviewing the WordPress Codex if you want to research additional hardening methods. See the Website Firewall section below for more information about how we offer virtual patching and hardening.

3.3 Set Backups

Backups function as a safety net. Now that your site is clean and you’ve taken some important post-hack steps, make a backup! Having a good backup strategy is at the core of a good security posture.

Here are some tips to help you with website backups:

  • Location

    Store WordPress backups in an off-site location. Never store backups (or old versions) on your server; they can be hacked and used to compromise your real site.

  • Automatic

    Ideally your backup solution should run automatically at a frequency that suits the needs of your website.

  • Redundancy

    Store your backups in multiple locations (cloud storage, your computer, external hard drives).

  • Testing

    Try the restore process to confirm your website functions correctly.

  • File Types

    Some backup solutions exclude certain file types such as videos and archives.

Did You Know?

Sucuri offers its customers an affordable system for secure website backups.

3.4 Scan Your Computer

Have all WordPress users run a scan with a reputable antivirus program on their operating systems.

WordPress can be compromised if a user with an infected computer has access to the dashboard. Some infections are designed to jump from a computer into text editors or FTP clients.

Here are some antivirus programs we recommend:

Note

You should have only one antivirus actively protecting your system to avoid conflicts.

If your WordPress Dashboard user’s computers are not clean, your site can get reinfected easily.

3.5 Website Firewall

The number of vulnerabilities exploited by attackers grows every day. Trying to keep up is challenging for administrators. Website Firewalls were invented to provide a perimeter defense system surrounding your website.

Benefits to using a website firewall:

  1. Prevent a Future Hack

    By detecting and stopping known hacking methods and behaviors, a website firewall keeps your site protected against infection in the first place.

  2. Virtual Security Update

    Hackers quickly exploit vulnerabilities in plugins and themes, and unknown ones are always emerging (called zero-days). A good website firewall will patch holes in your website software even if you haven’t applied security updates.

  3. Block Brute Force Attack

    A website firewall should stop anyone from accessing your wp-admin or wp-login page if they aren't supposed to be there, making sure they can’t use brute force automation to guess your password.

  4. Mitigate DDoS Attack

    Distributed Denial of Service attacks attempt to overload your server or application resources. By detecting and blocking all types of DDoS attacks, a website firewall makes sure your site is available if you are being attacked with a high volume of fake visits.

  5. Performance Optimization

    Most WAFs will offer caching for faster global page speed. This keeps your visitors happy and is proven to lower bounce rates while improving website engagement, conversions, and search engine rankings.

We offer all of these features with the Sucuri Firewall. You can connect it to our WordPress plugin using the Firewall (WAF) tab of the Sucuri plugin.