Being the victim of a WordPress hack can be a really frustrating situation.
But, like most things in life, taking a step back, breathe and focus on one step at a time can make it all easier for you to get through and make the hack have as little impact as possible.
The term hack itself isn’t a very specific term, which doesn’t really help much in knowing exactly what happened to your website.
So lets go through a little bit about the symptoms that can mean your site is hacked, which in turn will make it easier to get help via forums or the webhost support.
These symptoms are otherwise known as Indicators of Compromise (IoC).
Indicators that your wordpress site is hacked
These are a couple of indicators of IoC’s that makes it likely that your website is hacked:
- Website is disabled by host.
- Search engines like Google, DuckDuckGo, Bing, etc. have blacklisted your site.
- Your site has been flagged for being full of malware.
- You are being contacted about your site being used to attack other sites.
- Your visitors are telling you that their antivirus programs are flagging your website.
- Sudden creation of unauthorized new users on your site etc.
- Defacing of your website, so you can see that your site is hacked, when opening it in the browser.
There’s a lot of ways your site can be hacked, so it’s good to at least have a overview of what has happened, when getting help to fix it.Below you will find a series of steps that are designed to help you start working through the post-hack process.
They are not all encompassing as it would be impractical to account for every scenario, but they are designed to help you think through the process.
Some steps to take
Stay calm, this will be ok in the end.When addressing a security issue, as a website owner, you’re likely experiencing an undue amount of stress.
It’s often the most vulnerable you have found yourself since being on line and it’s contrary to what every one told you, “Hey, WordPress is Easy!!”The good news is that all is not lost! Yes, you might lose some money. Yes, you might take a hit against your brand. Yes, you will recover from this.So, yes, take a step back and compose yourself. Doing so will allow you to more effectively take control of the situation and allow you to recover your online presence.
Here’s another good resource for when your wordpress site is hacked: WordPress.org
Documenting the process
The first actionable step you should take post-compromise is documentation. Take a moment to document what you’re experiencing, and if possible times.
A couple of things you want to keep in mind:
- What are you seeing that leads you to believe you are hacked?
- What time did you notice this issue?
- What timezone?
- What actions have you taken recently?
- Was a new plugin installed?
- Did you make a change to a theme?
- Modify a widget?
You are creating the baseline for what is recognized as an incident report. Whether you are planning to perform the incident response yourself, or engage a professional organization, this document will prove invaluable over time.We recommend taking a moment to annotate details of your host environment as well. It will be required at some point during the incident response process.
Scan your website
When scanning your website you have a few different ways to do this, you can use external remote scanners or application level scanners.
Each are designed to look and report on different things. No one solution is the best approach, but together you improve your odds greatly.
There are also a number of other related security plugins available in the WP repo. The ones annotated above have been around a long time and have strong communities behind each of them.
Application Based Scanners (Plugins):
- WordFence
- GOTMLS
- Quettera
- Sucuri
Remote Based Scanners (Crawlers):
- VirusTotal
- Sitecheck
There are also a number of other related security plugins available in the WP repo. The ones annotated above have been around a long time and have strong communities behind each of them.
Scan your local environment
In addition to scanning your website, you should start scanning your local environment.
In many instances, the source of the attack / infection begins on your local box (i.e., notebook, desktop, etc…).
Attackers are running trojans locally that allow them to sniff login access information to things like FTP and /wp-admin that allow them to log in as the site owner.Make sure you run a full anti-virus/malware scan on your local machine. Some viruses are good at detecting AV software and hiding from them.
So maybe try a different one. This advice extends to both Windows, OS X and Linux machines.
Check with your hosting provider
The hack may have affected more than just your site, especially if you are using shared hosting.
It is worth checking with your hosting provider in case they are taking steps or need to. Your hosting provider might also be able to confirm if a hack is an actual hack or a loss of service, for example.One very serious implication of a hack these days is around Email blacklisting. This seems to be happening more and more.
As websites are abused to send out SPAM emails, Email Blacklist authorities are flagging the website IP’s and those IP’s are often associated with the same server being used for email.
The best thing you can do is look at Email providers like Google Apps when it comes to your business needs.
Be Mindful of Website Blacklists
Google Blacklist issues can be detrimental to your brand. They currently blacklist somewhere in the neighborhood of 9,500 to 10,000 websites a day.
This number grows daily.
There are various forms of warnings, from large splash pages warning users to stay away, to more subtle warnings that pop up in your Search Engine Result Pages (SERPs).Although Google is one of the more prominent ones, there are a number of other blacklist entities like Bing, Yahoo and a wide range of Desktop AntiVirus applications.
Understand that your clients / website visitors may leverage any number of tools and any one of them could be causing the issue.
It’s recommended that you register your site with the various online webmaster consoles like:
- Google Search Console
- Bing Webmaster
- Yandex Webmaster
- Norton Webmaster
Improve your Access Controls
You will often hear folks talking about updating things like Passwords.
Yes, this is a very important piece, but it’s one small piece in a much larger problem.
We need improve our overall posture when it comes to access control.
This means using Complex, Long and Unique passwords for starters.
The best recommendation is to use a Password Generator like those found in apps like 1Password and LastPass.Remember that this includes changing all access points.
When we say access points we mean things like FTP / SFTP, WP-ADMIN, CPANEL (or any other administrator panel you use with your host) and MYSQL.This also extends beyond your user, and must include all users that have access to the environment.It is also recommended to consider using some form of Two Factor / Multi-Factor authentication system.
In it’s most basic form, it introduces, and requires, a second form of authentication when logging into your WordPress instance.
Some of the plugins available to assist you with this include:
- Rublon
- Duo
Reset all Access
Once you identify a hack, one of the first steps you will want to do is lock things down so that you can minimize any additional changes.
The first place to start is with your users. You can do this by forcing a global password reset for all users, especially administrators.
Here is a plugin that can assist with this step:
- iThemes Security
You also want to clear any users that might be actively logged into WordPress.
You do this by updating the secret keys in wp-config. You will need to create a new set here: the WordPress key generator.
Take those values then overwrite the values in your wp-config.php file with the new ones.
This will force anyone that might still be logged in, off.
Create a Backup
You hopefully have a backup of your website, but if you don’t, this will be a good time to create one.
Backups are a critical piece of your continuation of operations, and should be something you actively plan for moving forward.
You should also ask your host what their policy is as it pertains to backups.
If you do have a backup, you should be able to perform a restore and skill right into the forensics work.Side note: It’s important you keep regular backups of your database and files. If this ever happens again.Regardless, before you move into the next phase of cleaning, it is recommended you take one more snapshot of the environment.
Even if it’s infected, depending on the type of hack, the impacts can cause a lot of issues and in the event of catastrophic failure you’ll at least have that bad copy to reference.
Find and remove the hack
This will be the most daunting part of the entire process: Finding and removing the hack.
The exact steps you take will be dictated by a number of factors, including, but not limited to, the symptoms provided above.
How you approach the problem will be determined by your own technical aptitude working with websites and web servers.
It might be tempting to purge everything and start over. In some cases that’s possible, but in many instances it’s just not possible.
What you can do however is reinstall certain elements of the site with little regard to impacting the core of your website.
You always want to make sure you reinstall the same version of software your website is using, if you choose an older or newer one you’re likely to kill your website.
When reinstalling, be sure not to use the reinstall options in your WP-ADMIN.
Use your FTP / SFTP application to drag and drop the versions. This will prove much more effective in the long run as those installers often only overwrite existing files, and hacks often introduce new files…
You can replace the following directories safely:
- /wp-admin
- /wp-includes
From there, it’s recommended that you be more diligent in updating and replacing files as you move through wp-content as it contains your theme and plugin files.The one file you will definitely want to look at is your .htaccess file.
It’s one of the more common files, regardless of the type of infection, that is most often updated and used for nefarious activities.
This file is often located at the root of your installation folder, but can also be embedded within several other directories on the same installation.Regardless of the type of infection, there are will be some common files you will want to keep an eye on during your remediation process.
Common files to keep an eye on:
index.phpheader.phpfooter.phpfunction.php
If modified, these files can usually adversely affect all page requests, making them high targets for bad actors.
Leverage the Community
We often forget but we’re a community based platform, this means that if you’re in trouble someone in the community is likely to give a lending hand.
A very good place to start if you’re strapped for cash or just looking for a helping hand is the WordPress.org Hacked or Malware forum.
Update everything!
Once you are clean, you should update your WordPress installation to the latest software. Older versions are more prone to hacks than newer versions.
Change the passwords again!
Remember, you need to change the passwords for your site after making sure your site is clean.
So if you only changed them when you discovered the hack, change them again now. Again remembering to use Complex, Long and Unique passwords.You may consider to change the database user account and password.
When you changed them, do not forget enhancing them to wp-config.php file.
Website forensics
Forensics is the process of understanding what happened.
How did the attackers get in?
The goal is to understand the attack vector a bad actor used to ensure they’re unable to abuse it again.
In many instances, it’s very difficult for website owners to perform this type of analysis due to lack of technical knowledge and / or available data.
If you do have the metadata required, then there are tools like like OSSEC and splunk that can help you synthesize the data.
Secure your site
Now that you have successfully recovered your site, secure it by implementing some (if not all) of the recommended security measures.
If you can’t Log Into WordPress Admin Panel
Enter your text here…
There are times that a bad actor will hijack your administrator account[s]. This is not a reason to panic, there are a few different things you can do to regain control of your account.
You can follow these steps to reset your passwordTools like phpMyAdmin and Adminer are often made available via your hosting provider.
They allow you to log into your database directly, bypassing your Administration Screen and resetting your user in the users table wp_users.If you don’t want to mess with password hashes or can’t figure it out, simply update your email and go back to Login Screen, click forgot password, and wait for the email.