What To Do If Your WordPress Site Gets Hacked

So you head over to your site and notice that your WordPress site has been hacked. Your first instinct might be to panic. Even if you have no backups whatsoever, there is still a chance that you can restore your site to its former glory, out of the clutches of the evil hacker, and this tutorial shows exactly how to do that. So don't panic: you will need to stay calm to address the situation quickly and successfully.

Take a few deep breaths, then run a malware scanner/antivirus on your own computer to make sure you didn't get keylogged or hacked through information siphoned from your local machine; otherwise every new password you set below can leak the same way. (If you don't have one, download a reputable free alternative such as Malwarebytes, install it and run a scan.)

The next step depends on your answer to the following question: Is your site backed up?

If your site is NOT backed up:

If your site isn’t backed up, you have to jump through a few more hoops to restore your website, but that’s okay. Just follow these steps, and there’s a good chance you’ll get your site back to the way it was.

Scan for malware using a site scanner

You can do this quickly with a site scanner like Sucuri. If the scan shows any results for malware, you need to stay focused and move quickly: you don't want your site flagged by Google, or to lose loyal readers or customers.

Optional: Delete index file, admin area

For malware infections where you can't locate the source quickly, simply delete the index file through FTP. (If you don't remember your FTP user and password, you will have to open your hosting dashboard and head to FTP users.) You might also want to delete the wp-admin folder through FTP (and, optionally, upload a custom index file that says your site is undergoing maintenance) if you have reason to believe the hacker has only just gained access and is still in there trying to set things up.

Even if there is no malware, just a defacing, you don’t want to advertise what the hacker wants to advertise for any longer than absolutely necessary. So access your site through FTP and simply delete the index file.

If you do not have the latest version of WordPress and do not know which version you have, find out by checking version.php in the wp-includes folder, where you should see a line like $wp_version = '4.1.1';. You need to know this for when you replace your WordPress files. (After all, even if your site is hacked, you don't want to break it while trying to set things right.)

Change mysql username and passwords.

You do this so that whoever somehow obtained your database username and password, possibly through PHP code or SQL, cannot use them again after the change.

Head over to your hosting dashboard, for example cPanel, scroll down and click on MySQL Databases.

Then check, under the appropriate database, whether any extra users have been added and delete them if necessary. Then change the password of your user by clicking the user listed under Privileged Users, or create a new user altogether with the form below it.

Remove the old admin user and create a new one through phpMyAdmin.

Go to phpMyAdmin, open the wp_users table and find the offending account (either your old admin account, or possibly a new one if they have been able to inject SQL).

Doing this by adding the fields manually gets a little complicated, but thankfully a short piece of SQL creates all the necessary fields for a new admin user:

-- WordPress accepts a plain MD5 hash here and rehashes it on the first successful login.
INSERT INTO `wp_users` (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_url`, `user_registered`, `user_activation_key`, `user_status`, `display_name`)
VALUES (NULL, 'username', MD5('password'), 'User Name', 'email@domain.ext', '', NOW(), '', '0', 'User Name');

-- LAST_INSERT_ID() is the ID just generated for the new wp_users row.
INSERT INTO `wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`)
VALUES (NULL, LAST_INSERT_ID(), 'wp_capabilities', 'a:1:{s:13:"administrator";s:1:"1";}'),
(NULL, LAST_INSERT_ID(), 'wp_user_level', '10');

Important: If you have changed the prefix of your database tables for security reasons, you will need to change every 'wp_' prefix in the SQL code (the table names as well as the wp_capabilities and wp_user_level meta keys) to the appropriate prefix before you execute it.
(P.S. If you want to use the visual editor you will have to add an extra field, or you can simply uncheck and then re-check the visual editor option in the dashboard later.)
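As an added example (not from the original post), the shell functions below read $table_prefix out of wp-config.php and generate the audit and clean-up SQL for the step above with that prefix applied everywhere, including the capabilities meta key; the config path and the constructed config file are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Both the table names AND the
# meta keys (wp_capabilities, wp_user_level) carry the table prefix, so a
# custom prefix has to be substituted into all of them.

# Print the $table_prefix value from a wp-config.php file (defaults to wp_).
wp_prefix_from_config() {
    q="'\""
    prefix=$(sed -n "s/^[[:space:]]*\\\$table_prefix[^=]*=[^$q]*[$q]\([^$q]*\).*/\1/p" "$1" | head -n 1)
    printf '%s\n' "${prefix:-wp_}"
}

# Emit SQL listing every account that holds the administrator capability,
# newest registration first, so an account the attacker added stands out.
admin_audit_sql() {
    p=$1
    cat <<EOF
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM \`${p}users\` AS u
JOIN \`${p}usermeta\` AS m ON m.user_id = u.ID
WHERE m.meta_key = '${p}capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered DESC;
EOF
}

# Emit SQL that removes one account together with all of its usermeta rows
# (deleting only the wp_users row would leave orphaned capability entries).
delete_user_sql() {
    p=$1
    id=$2
    printf "DELETE FROM \`%susermeta\` WHERE user_id = %s;\n" "$p" "$id"
    printf "DELETE FROM \`%susers\` WHERE ID = %s;\n" "$p" "$id"
}

# Usage: p=$(wp_prefix_from_config /path/to/wp-config.php); admin_audit_sql "$p"
```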

Change your WordPress security keys

This is fairly easy: head over to the WordPress secret key (salt) generator.

Then copy the lines it produces and replace the corresponding lines in the wp-config.php file.
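If you would rather not fetch the keys from the online generator, here is an added example (not from the original post) that creates eight fresh random keys locally from /dev/urandom and writes them into the define() lines of wp-config.php; the config path is passed as an argument and the placeholder config used in testing is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: regenerate the WordPress
# keys and salts offline and rewrite them in wp-config.php.

WP_SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 32 random bytes as 64 hex characters; hex contains nothing that would need
# escaping inside a PHP string or in the sed replacement below.
new_salt() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# Replace the value in each define('KEY', '...') line with a fresh salt.
# Work on a copy and move it into place at the end, so a failure part-way
# leaves the original file untouched.
regen_salts() {
    cfg=$1
    tmp="$cfg.tmp.$$"
    cp "$cfg" "$tmp"
    for k in $WP_SALT_KEYS; do
        v=$(new_salt)
        sed "s/^\([[:space:]]*define( *'$k', *\)'[^']*'/\1'$v'/" "$tmp" > "$tmp.2" && mv "$tmp.2" "$tmp"
    done
    mv "$tmp" "$cfg"
}

# Count keys that are missing, still carry the sample placeholder, or are
# shorter than 32 characters, so an incomplete rewrite is visible.
weak_salt_count() {
    n=0
    for k in $WP_SALT_KEYS; do
        v=$(sed -n "s/^[[:space:]]*define( *'$k', *'\([^']*\)'.*/\1/p" "$1" | head -n 1)
        case "$v" in
            ''|*'put your unique phrase here'*) n=$((n+1)) ;;
            *) if [ ${#v} -lt 32 ]; then n=$((n+1)); fi ;;
        esac
    done
    echo "$n"
}

# Usage: regen_salts /path/to/wp-config.php && weak_salt_count /path/to/wp-config.php
```

Regenerating the keys also logs out every session, including the attacker's, because the cookies were signed with the old values.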

Replace core WordPress and plugin/theme files through FTP

You have two options at this point: you can replace the core and plugin/theme files manually through FTP, or you can use a plugin such as Sucuri from the dashboard (described further below).

If you choose to do it through FTP, make sure you get the versions right and that you don't delete or replace the wp-content folder. If you delete or replace the entire wp-content folder, you will lose all the images and other media files you've uploaded through WordPress.

An out-of-the-box wp-config.php file needs configuration before it works, so you can choose to inspect the file and leave it in place, replacing it only if it is infected.

Except for the wp-content folder, delete and replace every file and folder with the core files of the appropriate version.

On top of that, there could be extra files in the wp-content folder, so check for excess files by comparing against the out-of-the-box version and delete them individually.

For plugins and themes, unless you know that they store something useful (say, a coming-soon or landing-page plugin that keeps collected email addresses in a file), simply replace them.
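For the version check and the file comparison described above, here is an added example (not from the original post) that reads the version from wp-includes/version.php, diffs the live tree against a pristine unpacked download of that same version while leaving wp-content alone, and flags PHP files planted under uploads/; the directory paths are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: compare a live WordPress tree
# with a pristine copy of the SAME version before replacing files over FTP.

# Print the version string from wp-includes/version.php ($1 = site root).
wp_version() {
    sed -n "s/^\\\$wp_version *= *'\([^']*\)'.*/\1/p" "$1/wp-includes/version.php"
}

# List files that differ or exist on only one side ($1 = site, $2 = pristine).
# wp-content is skipped because uploads and plugin data live there and must
# not be bulk-replaced. "Only in <site>" lines are the excess files to delete;
# "differ" lines are the files to overwrite with the pristine copy.
core_diff() {
    diff -rq -x wp-content "$2" "$1"
}

# wp-content has no pristine twin, so flag the most common planted file type:
# PHP (or .phtml) under uploads/, where WordPress itself never writes PHP.
suspect_content_files() {
    find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' \) 2>/dev/null
}

# Usage: core_diff /var/www/site /tmp/wordpress-"$(wp_version /var/www/site)"
```

core_diff exits non-zero whenever anything differs, which makes it easy to re-run after the replacement as a check that the tree is now clean.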

Change your FTP password

Head over to your hosting dashboard, for example cPanel, scroll down and click on FTP Accounts.

Check whether any extra users have been added and delete them if necessary; then change the password of your user, or create a new user altogether.

Configure your new wp-config.php file.

Head over to phpMyAdmin and go to the appropriate database.

Then change the values of DB_NAME, DB_USER, DB_PASSWORD and $table_prefix to the appropriate ones.

DB_NAME is the name of the overall database for your WordPress site. If you went with the default name it is probably something like wp291; if not, maybe something like SITENAME_WP.

$table_prefix is the string that comes before the name of every WordPress table. The default is "wp_", but you might have changed this for security reasons (a good idea).

DB_USER and DB_PASSWORD are the MySQL username and password you created in the earlier step.

Access WordPress and scan for malware.

You can use a plugin like Wordfence to make this a lot easier.

You can follow this guide that shows you exactly how to do it step-by-step, and which settings I recommend for someone who’s cleaning up a hacked website.

Or: Use Sucuri to replace WordPress files.

Another option is to simply access the WordPress dashboard with your new admin user, and then use a plugin like Sucuri to replace all core, theme and plugin files with ones from the repository.

The danger here is that the hacker could have altered the admin area to push malware, trojans or a keylogger onto your computer for good measure. Or, if he has been extremely thorough, he might even have altered that very security plugin's files so the security holes he put in place survive the cleanup, though that is unlikely.

Unless you are properly protected with good, updated antivirus/malware software that runs active protection, you might want to stick to good old FTP and do it manually.

Then follow the steps above to change your passwords, and enter the new ones in the wp-config.php file manually.

Scan for malware.

You can do this with WordFence. This guide shows you exactly how to do that, step by step.

If your site is backed up:

If your site is backed up, you're in luck. It's a lot easier.

Change the appropriate passwords and if you want also usernames: MySQL, FTP.

Access your hosting dashboard (for example a cPanel), and head over to FTP users and MySQL users. Check if any new ones have been added, delete them if so, and then change the password for the relevant user.

Restore your website from the backup by using the appropriate method.

This depends on how you backed up your site. Most plugins require you to restore from within the dashboard, so if you backed up through a plugin you might need to create a new admin user at this point to get access (see above). If you're using a different solution, use its method for restoration.

Change your security keys

This invalidates cookies so the hacker doesn’t stay logged in even after you’ve changed passwords. Check the step for this above.

Scan for malware and backdoors using Wordfence

In the advanced options, enable scanning outside the WordPress install, as well as scanning image files as if they were executables.

You can check out this guide for more details, and step-by-step instructions, use the settings recommended for the first scan.

If you find any malware or other threats, make sure you change all your passwords again after you delete or replace the files in question, as the hacker might have intercepted the new login information through the code that was in place.

Then follow all of that up by improving your WordPress security with this simple guide, to make sure it doesn't happen again. And if your site wasn't backed up and you had to go the long way to recover it, take a look at how to back it up so you won't run into similar problems in the future.

Have you ever had your WordPress site hacked? Did you panic, or did you calmly restore your site? Let us know in the comments.