How to Clean a WordPress Hack
Last updated on October 28th, 2019
Sucuri has devoted years to helping WordPress administrators identify and fix hacked websites. To continue with this process, we have put together this guide to help WordPress owners walk through the process of identifying and cleaning a WordPress hack. This is not meant to be an all-encompassing guide, but if followed, should help address 70% of the infections we see.
You can use tools that scan your site remotely to find malicious payloads and malware locations. Sucuri has a free WordPress plugin that you can find in the WordPress official repository.
If the remote scanner isn’t able to find a payload, continue with other tests in this section. You can also manually review the iFrames / Links / Scripts tab of the Malware Scan to look for unfamiliar or suspicious elements.
If you have multiple WP sites on the same server we recommend scanning them all (you can also use SiteCheck to do this). Cross-site contamination is one of the leading causes of reinfections. We encourage every website owner to isolate their hosting and web accounts.
Most core WordPress files should never be modified. You need to check for integrity issues in the wp-admin, wp-includes, and root folders.
The quickest way to confirm the integrity of your WordPress core files is by using the diff command in terminal. If you are not comfortable using the command line, you can manually check your files via SFTP.
If nothing has been modified, your core files are clean.
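The comparison described above, as an added example that is not part of the original guide: it performs the same check as a recursive diff against a clean copy of the same WordPress version, but labels each finding. The skipped paths and the sample file names are assumptions made for illustration.

```shell
#!/bin/sh
# core_diff LIVE_DIR CLEAN_DIR: print one finding per line.
#   MISSING  = shipped in the clean copy, absent on the live site
#   MODIFIED = present in both, contents differ
#   EXTRA    = on the live site only (outside wp-content)
# Assumption: wp-content, wp-config.php and .htaccess are site-specific and
# are reviewed separately, so they are skipped here.
core_diff() {
    live=${1%/}; clean=${2%/}
    # Pass 1: every file in the clean copy must exist on the site and match.
    ( cd "$clean" && find . -type f | LC_ALL=C sort ) | while IFS= read -r rel; do
        rel=${rel#./}
        case $rel in wp-content/*) continue ;; esac
        if [ ! -f "$live/$rel" ]; then
            echo "MISSING $rel"
        elif ! cmp -s "$clean/$rel" "$live/$rel"; then
            echo "MODIFIED $rel"
        fi
    done
    # Pass 2: files in wp-admin, wp-includes or the root that core never shipped.
    ( cd "$live" && find . -type f | LC_ALL=C sort ) | while IFS= read -r rel; do
        rel=${rel#./}
        case $rel in wp-content/*|wp-config.php|.htaccess) continue ;; esac
        [ -f "$clean/$rel" ] || echo "EXTRA $rel"
    done
}

# Constructed sample trees (not real WordPress files) so this runs offline.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/clean/wp-includes" "$d/clean/wp-admin" \
             "$d/live/wp-includes" "$d/live/wp-admin" "$d/live/wp-content/uploads"
    echo '<?php // loader'  > "$d/clean/index.php"
    echo '<?php // loader'  > "$d/live/index.php"
    echo '<?php // version' > "$d/clean/wp-includes/version.php"
    echo '<?php // version plus an injected line' > "$d/live/wp-includes/version.php"
    echo '<?php // admin'   > "$d/clean/wp-admin/admin.php"
    echo '<?php // site configuration' > "$d/live/wp-config.php"
    echo '<?php // not a core file' > "$d/live/wp-includes/class-wp-cache-old.php"
    echo 'image bytes' > "$d/live/wp-content/uploads/logo.png"
    echo "$d"
}

sample=$(make_sample)
core_diff "$sample/live" "$sample/clean"
rm -rf "$sample"
```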
New or recently modified files may be part of the hack.
You can identify hacked files by seeing if they were recently modified.
$ find ./ -type f -mtime -15    # files modified in the last 15 days
$ find /etc -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r    # files only, newest first
$ find /etc -printf '%TY-%Tm-%Td %TT %p\n' | sort -r    # files and directories, newest first
If your WordPress site has been blacklisted by Google or other website security authorities, you can use their diagnostic tools to check the security status of your website.
If you have added your site to any free webmaster tools, you can check their security ratings and reports for your website. If you do not already have accounts for these free monitoring tools, we highly recommend that you sign up as they are free to use:
Now that you have information about malware locations, you can remove malware from WordPress and restore your website to a clean state.
If the infection is in your core files or plugins, you can fix it manually; just don’t overwrite your wp-config.php file or wp-content folder.
Custom files can be replaced with fresh copies, or a recent backup (if it’s not infected). Here are some additional tips & tricks that you can use with WordPress.
You can use any malicious payloads or suspicious files found in the first step to remove the hack.
To remove a malware infection from your WordPress database, use your database admin panel to connect to the database. You can also use tools like Search-Replace-DB or Adminer.
Beginners can use the payload information provided by the malware scanner. Intermediate users can also manually look for common malicious PHP functions, such as eval, base64_decode, gzinflate, preg_replace, str_replace, etc.
If you noticed any unfamiliar WordPress users, remove them so the hackers no longer have access. We recommend having only one admin user and setting other user roles to the least amount of privileges needed (i.e., contributor, author, editor).
If you believe any of your user accounts were compromised you can reset their passwords. One of the ways to do that is using the Sucuri plugin.
Hackers always leave a way to get back into your site. More often than not, we find multiple backdoors of various types in hacked WordPress sites.
Often backdoors are embedded in files named similar to WordPress core files but located in the wrong directories. Attackers can also inject backdoors into files like wp-config.php and directories like /themes, /plugins, and /uploads.
These functions can also be used legitimately by plugins, so be sure to test any changes because you could break your site by removing benign functions.
The majority of malicious code we see uses some form of encoding to prevent detection. Aside from premium components that use encoding to protect their authentication mechanism, it’s very rare to see encoding in the official WordPress repository.
It is critical that all backdoors are closed to successfully clean a WordPress hack, otherwise your site will be reinfected quickly.
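A triage pass over the PHP functions listed earlier and the backdoor locations described above, as an added example that is not Sucuri's scanner. The HIGH/UPLOADS/REVIEW labels and the sample tree are assumptions; because plugins use these functions legitimately, the output is a reading list, not a delete list.

```shell
#!/bin/sh
# Functions named in the guide as common in malicious PHP.
FUNCS='eval|base64_decode|gzinflate|preg_replace|str_replace'

# scan_php DIR: print "LABEL matching-lines path" for each flagged file.
#   HIGH    eval( wrapping a decoder on one line (encoded loader pattern)
#   UPLOADS any PHP file under an uploads directory, which normally holds media
#   REVIEW  calls a listed function; often benign, so read before removing
scan_php() {
    root=${1%/}
    find "$root" -type f -name '*.php' | LC_ALL=C sort | while IFS= read -r f; do
        rel=${f#"$root"/}
        # PHP function names are case-insensitive, hence -i. The leading
        # group stops "retrieval(" from being counted as "eval(".
        hits=$(grep -Eci "(^|[^[:alnum:]_])($FUNCS)[[:space:]]*\(" "$f" || true)
        nested=$(grep -Eci "(^|[^[:alnum:]_])eval[[:space:]]*\(.*(base64_decode|gzinflate)[[:space:]]*\(" "$f" || true)
        if [ "$nested" -gt 0 ]; then
            echo "HIGH $hits $rel"
        else
            case $f in
                */uploads/*) echo "UPLOADS $hits $rel" ;;
                *) [ "$hits" -eq 0 ] || echo "REVIEW $hits $rel" ;;
            esac
        fi
    done
}

# Constructed sample tree; the encoded string is an inert placeholder.
make_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/wp-content/plugins/forms" "$d/wp-content/uploads/2019/10" "$d/wp-includes"
    echo '<?php $s = str_replace("a", "b", $s);' > "$d/wp-content/plugins/forms/render.php"
    echo '<?php eval(base64_decode("PLACEHOLDER"));' > "$d/wp-content/uploads/2019/10/thumb.php"
    echo '<?php echo "ok";' > "$d/wp-content/uploads/cache.php"
    echo '<?php function retrieval($x) { return $x; }' > "$d/wp-includes/clean.php"
    echo "$d"
}

tree=$(make_tree)
scan_php "$tree"
rm -rf "$tree"
```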
If you were blacklisted by Google, McAfee, Yandex (or any other web spam authorities), you can request a review after the hack has been fixed.
In this final step, you will learn how to fix the issues that caused WordPress to be hacked in the first place. You will also perform essential steps to enhance the security of your WordPress site.
Out-of-date software is one of the leading causes of infections. This includes your CMS version, plugins, themes, and any other extension type. Potentially compromised credentials should also be reset to ensure you are not reinfected.
It is critical that you change passwords for all access points. This includes WordPress user accounts, FTP/SFTP, SSH, cPanel, and your database.
You should reduce the number of admin accounts for all of your systems. Practice the concept of least privilege. Only give people the access they require to do the job they need.
Once the passwords are reset, you can force all users to log off using our plugin. WordPress uses browser cookies to keep user sessions active for two weeks. If an attacker has a session cookie, they will retain access to the website even after a password is reset. To fix this, we recommend forcing active users off by resetting WordPress secret keys.
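One way to reset the secret keys by hand, as an added example that is not the Sucuri plugin's code: it replaces the eight key and salt values in wp-config.php so that existing session cookies stop validating. It assumes each key sits on its own define() line, as in the stock configuration file; the sample file is constructed.

```shell
#!/bin/sh
KEYS='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

# new_secret: 48 random bytes from the kernel CSPRNG as 96 hex characters.
new_secret() {
    dd if=/dev/urandom bs=48 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# rotate_keys FILE: rewrite all eight values; returns 1 and leaves FILE
# untouched if any key is missing, so a partial rotation never happens.
rotate_keys() {
    cfg=$1
    for k in $KEYS; do
        grep -Eq "^[[:space:]]*define\([[:space:]]*['\"]$k['\"]" "$cfg" || {
            echo "missing define for $k in $cfg" >&2; return 1; }
    done
    # Work on a copy beside the original, then swap it in with one rename.
    tmp=$(mktemp "$cfg.XXXXXX") || return 1
    cp -p "$cfg" "$tmp"
    for k in $KEYS; do
        v=$(new_secret)
        sed "s/^[[:space:]]*define([[:space:]]*['\"]$k['\"].*/define( '$k', '$v' );/" "$tmp" > "$tmp.n" \
            && cat "$tmp.n" > "$tmp" && rm -f "$tmp.n"
    done
    mv "$tmp" "$cfg"
}

# Constructed wp-config.php fragment holding the stock placeholder values.
make_cfg() {
    f=$(mktemp) || return 1
    echo '<?php' > "$f"
    echo "define( 'DB_NAME', 'wp' );" >> "$f"
    for k in $KEYS; do
        echo "define( '$k', 'put your unique phrase here' );" >> "$f"
    done
    echo "$f"
}

sample_cfg=$(make_cfg)
rotate_keys "$sample_cfg" && grep -c "^define( '[A-Z_]*\(KEY\|SALT\)'" "$sample_cfg"
rm -f "$sample_cfg"
```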
It is advisable to reinstall all plugins after a hack to ensure they are functional and free of residual malware. If you have deactivated plugins we recommend you remove them from your web server.
To harden a server or application means that you take steps to reduce the attack surface or entry points for attackers. WordPress and its plugins can be harder to hack when you take these steps.
There are countless ways to harden WordPress depending on your needs. We recommend reviewing the WordPress Codex if you want to research additional hardening methods. See the Website Firewall section below for more information about how we offer virtual patching and hardening.
Backups function as a safety net. Now that your site is clean and you’ve taken some important post-hack steps, make a backup! Having a good backup strategy is at the core of a good security posture.
Store WordPress backups in an off-site location. Never store backups (or old versions) on your server; they can be hacked and used to compromise your real site.
Ideally, your backup solution should run automatically at a frequency that suits the needs of your website.
This means that your backup strategy has to include redundancy, or in other words, backups of your backups.
Try the restore process to confirm your website functions correctly.
Some backup solutions exclude certain file types such as videos and archives.
Have all WordPress users run a scan with a reputable antivirus program on their operating systems.
WordPress can be compromised if a user with an infected computer has access to the dashboard. Some infections are designed to jump from a computer into text editors or FTP clients.
The number of vulnerabilities exploited by attackers grows every day. Trying to keep up is challenging for administrators. Website Firewalls were invented to provide a perimeter defense system surrounding your WordPress site.
By detecting and stopping known hacking methods and behaviors, a website firewall keeps your site protected against infection in the first place.
Hackers quickly exploit vulnerabilities in plugins and themes, and unknown ones are always emerging (called zero-days). A good website firewall will patch the holes in your website software even if you haven’t applied security updates.
A website firewall should stop anyone from accessing your wp-admin or wp-login page if they aren’t supposed to be there, making sure they can’t use brute force automation to guess your password.
Distributed Denial of Service attacks attempt to overload your server or application resources. By detecting and blocking all types of DDoS attacks, a website firewall makes sure your site is available if you are being attacked with a high volume of fake visits.
Most WAFs will offer caching for faster global page speed. This keeps your visitors happy and is proven to lower bounce rates while improving website engagement, conversions, and search engine rankings.
How do WordPress sites get hacked?
Malicious users crawl the internet looking for vulnerable WordPress sites to hack. If your website is not protected with a WordPress firewall and if you do not follow WordPress security best practices, your website can become a victim.
How do I scan WordPress plugins for malware?
You can use SiteCheck to scan your WordPress site for malware for free. We highly recommend updating all WP plugins regularly and that you remove all plugins that are not being actively used. Sucuri also offers a complete website security platform in which you will find website monitoring, protection, and response.
How do I find malicious code in WordPress?
You can use SiteCheck to scan your WordPress site for malicious code for free. We recommend reinstalling your core files with a fresh copy if you suspect there is malware in your WordPress website. If you want to be sure that your website is clean, you can sign up to Sucuri and submit a malware removal request.
How do I protect my WordPress site from malware?
You can secure your WordPress site by following website security best practices, such as having a WordPress firewall; using the latest version of WordPress, plugins, themes and third-party services; enforcing strong password requirements; and only granting the type of access that someone needs to accomplish a task.