
We’re excited to hear your project.
Let’s collaborate!
“Mysterious” pop-ups that you did not initiate, inexplicable auto-linking keywords, frequent freezing of your website... These are all but clear signs that your WordPress site has been hacked! Now what? Where should you look for the “infection”? Here's a step-by-step guide on how to fix a hacked WordPress site.
And it goes without saying that the very first step to take is to:
Keep calm!
Next, you'll need to figure out how precisely that malicious individual has found his/her way into your site. What security vulnerability has he detected and exploited?
Once you've determined how your WordPress website's got hacked, figuring out how to remove the malware is already a half-solved problem.
So, let's dig in before this hypothetical infection has spread out throughout your entire website:
Remember what we've already agreed upon, that the very first step to take is precisely not to panic?
So, while keeping your cool, start your “investigations” by asking yourself 3 key questions — this, of course, after you've already asked yourself “How to remove malware from my WordPress site?”:
At this point, I also strongly recommend that you changed your password, as well. And this before you jump to the next step of your investigation.
Note: remember to change it again after you've cleaned up your website, as well.
And I do think that it never gets redundant for me to stress out:
Turning on a powerful WordPress security plugin on your website is one of the best shields that you could activate around it.
In case of an emergency situation, like this one here, you'd simply enable it to scan your site remotely and track down malware locations and malicious payloads and, most of all:
A good security plugin would identify and alert you, in real-time, of all the changes made to your website.
Note: everyone knows it, yet most website owners stubbornly ignore the importance of keeping their loads of WordPress themes and plugins updated regularly. They just overlook the fact that out-of-date files are by far hackers' “top favorite” security vulnerabilities.
And since they're by far the most valuable files on your site, it's only normal to check their integrity first things first:
Most of these core files should never ever be modified.
And there are 2 ways of checking them:
If they're unchanged and therefore clean, move on to the next step of this “how to fix a hacked WordPress site” guide:
It may also be that precisely the recently modified files on your WordPress site are the “corrupted” ones.
To know for sure, identify the files that have been recently modified.
And again, you have 2 options at hand for this type of “investigation”:
For manually identifying these newly changed files that might have been hacked just go through these steps here:
Now for tracking down these possibly “infected” recently modified files using the terminal, just follow these 2 simple steps:
Are there any unexplainable changes made to those files in the last 7-30 days?
A conveniently handy way to remove a virus from your WordPress website is to “track it down” using Google's or another website security authority's tool to give your site a deep scan with.
Has yours already been blacklisted by one of these authorities?
Then simply run the Google Transparency Report:
It's a quick and easy way to collect valuable information about any suspicious downloads, redirects, and spams on your site, as well as priceless data about Google's recent scan that ended in malware being detected.
Note: another way of identifying malware that's within your reach is by using a free webmaster tool — Google Webmasters Central, Norton SafeWeb, Bing Webmaster Tools etc.
After all your preliminary investigations, you should put together your battle plan for actually removing the identified hack from your WordPress site. And for restoring it to its pre-hack clean state, too, obviously.
For this, here are the most effective measures at hand for you to apply:
Is there any need for me to stress out that:
You should back up your website on a daily basis!
And the very situation that you're in now is by far one of the strongest reasons to do that:
“How to fix a hacked WordPress site” will get reduced to: “simply comparing a clean backup to the current hacked version of your site!"
Identify the files that have been modified and get them removed.
It goes without saying that you risk losing some of your files — those added/updated after the last backup — but you do want a clean website now, don't you?
Once you've restored your WordPress backup, you can easily remove any suspicious plugin, theme or other types of file.
Note: do handle core files with utmost caution, though! Mind you don't accidentally overwrite your wp-content folder or your wp-config.php file.
When it comes to infected custom files, you could replace them with a clean recent backup or with fresh new copies.
“But how do I remove “malicious” code manually?” you might ask yourself.
Let me go briefly through all the key steps required:
Word of caution: manually removing a malware infection from your WordPress site does call for special safety measures. Never remove corrupted code without first backing everything up!
Now, you do agree that a “how to fix a hacked WordPress site” tutorial couldn't possibly skip the step where database tables get cleaned up of any malware infection.
Here's how you do it:
My advice to you, when it comes to user accounts, to user roles and permissions on your WordPress site is to:
Keep just one single admin user and stick to the essential user roles (and granted permissions):
This is one of the most effective prevention measures that you could take so you don't end up asking yourself “How to clean up a hacked WordPress site?”
Now, coming back to our investigation here, here's how you remove all the unfamiliar WordPress user accounts from your website:
Note: another wise thing to do is to re-check each user's roles and permissions. If you feel like updating them, simply use the users' role editor plugin.
And you want to treat this aspect with maximum seriousness. Otherwise, following each and every step indicated to you in this “how to fix a hacked WordPress site” tutorial becomes... pointless.
For the attackers would always have this “secret passage” to infiltrate themselves into your website over and over again.
“But what are backdoors more precisely?” you might ask yourself.
They're files similar to your site's core files — wp-config.php and key directories such as /uploads, /themes, /plugins — yet strategically placed in the wrong directories.
Here are some PHP functions that you could recognize them by:
Word of caution: keep in mind that there are plugins on your WordPress website that could be legitimately be using these PHP functions; therefore, make sure you test all those "apparently suspicious changes" before rushing to remove the so-called "malicious" functions. Otherwise, by removing benign functions, you might just break your website.
Now, once you've repaired all the damage caused on your Wordpress site, it's only but logical to... let the blacklisting authorities know that your site's clean now.
For this, you can just request a review of your recovered website.
The very last step to take in this “How to fix a hacked WordPress site” process is to change the security keys from your wp-config.php file:
This way, even if a potential attacker stole your password, he would get automatically auto-logged out once you've changed your WordPress salt keys.
Next, you can just change your password, as well as the ones of other users on your site.
Which means adopting a WordPress maintenance and support plan tailored just for you and your specific security feature needs.
This way, not only that you'd save the time (and spare your nerves) that you'd otherwise invest in carrying out all the steps included in a tedious “how to fix a hacked WordPress site” process, but:
From running regular updates to on-going maintenance of your website's core components to regular security audits, you wouldn't need to... move a single finger. Our WordPress maintenance and support team would handle it for you.
“Prevention is better than cure” is so much more than just a saying...
We’re excited to hear your project.
Let’s collaborate!