WordPress is one of the most popular content management systems available, which also makes it one of the most frequently attacked: the great majority of compromises come through outdated plugins and themes, weak or reused passwords and shared hosting accounts rather than through WordPress core itself. If your site has been hacked or infected with malware, there are two halves to the job: finding out what the attacker changed, and then removing it and closing the door they used. Many tutorials online cover only the first half. This post walks through both, step by step.
Symptoms of a hacked WordPress website
- The website is being redirected to some malicious website
- Search results take users to a different website
- Unable to log in to the WordPress backend (password changed or account removed)
- Unknown administrator accounts in the WordPress users list
- Search engines display the “website may be hacked” warning
- A sudden drop in website traffic
- Popup ads on website pages
- Website suspended by hosting provider due to malicious activity or too much outgoing email.
- Browsers behave abnormally when visiting the website
- Browsers block the site with a warning such as “Deceptive site ahead”
- Japanese or Chinese keywords in search results for your site (SEO spam injection)
- Unknown links added to website pages
- The website homepage is defaced
- Unknown files and scripts on website directories
- Unknown scheduled tasks
01. Scan your site
First, use an external online security scanner to find out quickly whether the site is serving malware or has known vulnerabilities, whether the domain is blacklisted, and whether malicious JavaScript appears in the HTML source code.
- Visit securewp.net security scanner page
- Enter your website URL
- Click scan website
- Review any results flagged with a warning or danger icon
An external scan only sees what the website sends to a visitor, not the files on the server, and injected code is often cloaked so that it is served only to search-engine crawlers or to certain visitors. A clean external result therefore does not rule out an infection; continue with the internal checks below.
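The kind of check an external scanner performs can be reproduced locally. The Python script below is an added example, not code from the original post or from the securewp.net scanner: it parses the HTML a page serves and flags four common injection indicators, namely meta-refresh redirects, script tags loading from hosts outside an allow-list, hidden iframes, and inline scripts that decode and run a payload. The sample page, the allowed hosts and the `*.example.net` domains are all constructed for the example.

```python
"""Scan the HTML a WordPress site serves for common injection indicators."""
import re
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts allowed to serve scripts to this site. Constructed for the example;
# replace with your own domain(s) and CDNs. Any other script host is reported.
ALLOWED_SCRIPT_HOSTS = {"www.example.com", "example.com", "cdn.example.com"}

# Patterns that commonly appear in injected inline JavaScript. A match is a
# triage indicator for a human to review, not proof of compromise.
INLINE_INDICATORS = [
    (re.compile(r"eval\s*\(\s*atob\s*\("), "eval(atob(...)): decode-and-run"),
    (re.compile(r"String\.fromCharCode\((?:\s*\d+\s*,){20,}"), "long String.fromCharCode sequence"),
    (re.compile(r"unescape\s*\(\s*['\"]%[0-9a-fA-F]{2}"), "unescape() of %-encoded payload"),
    (re.compile(r"(?:window\.|document\.)?location(?:\.href)?\s*=\s*['\"]https?://"), "hard-coded redirect"),
]


class InjectionScanner(HTMLParser):
    """Collects (kind, detail) findings while parsing one HTML document."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            src = a.get("src")
            if src:
                # A relative src is served by the page's own host.
                host = urlparse(src).hostname or self.page_host
                if host not in ALLOWED_SCRIPT_HOSTS:
                    self.findings.append(("external-script", src))
            else:
                self._in_script = True
                self._script_buf = []
        elif tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            if "display:none" in style or a.get("width") == "0" or a.get("height") == "0":
                self.findings.append(("hidden-iframe", a.get("src") or ""))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content") or ""))

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            for pattern, label in INLINE_INDICATORS:
                if pattern.search(body):
                    self.findings.append(("inline-script", label))


def scan_html(html, page_url):
    """Return the list of (kind, detail) indicators found in served HTML."""
    scanner = InjectionScanner(urlparse(page_url).hostname or "")
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def fetch_and_scan(page_url, user_agent="Mozilla/5.0"):
    """Fetch a live page and scan it (network; not used by the offline demo)."""
    req = urllib.request.Request(page_url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return scan_html(resp.read().decode("utf-8", errors="replace"), page_url)


# Constructed sample of a compromised front page (not captured from a real site).
SAMPLE_PAGE = """<!DOCTYPE html><html><head>
<meta http-equiv="refresh" content="0;url=https://casino-spam.example.net/">
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example.com/site.js"></script>
<script src="//stat-track.example.net/loader.js"></script>
</head><body>
<p>Welcome to our shop</p>
<script>eval(atob("d2luZG93LmxvY2F0aW9u"));</script>
<iframe src="https://bad-ads.example.net/f" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE, "https://www.example.com/"):
        print(f"{kind:16} {detail}")
```

Run `fetch_and_scan` twice against a live site, once with a browser User-Agent and once with a Googlebot one: SEO-spam injections such as the Japanese-keyword hack listed above are usually cloaked so that only crawlers see them, which is also why a scan of the normal page can come back clean while search results are still poisoned.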
02. Check WordPress core file integrity.
Check the integrity of the WordPress core files. You can do this by downloading a fresh copy of the same version and comparing the two trees with the diff command in a terminal, or with a PHP script that fetches the official checksums for your version from the WordPress.org API and compares each core file against them.
Create a PHP file named integrity.php in your WordPress root directory, then open yourwebsite.com/integrity.php in a browser to see the core integrity report. Delete the script as soon as you are done: a hash-reporting script reachable from the web is useful to an attacker as well.
03. Check recently modified files.
Another way to detect a hack is by file modification date. You can quickly locate recently modified files via FTP by sorting the listing by modification date, so the newest changes appear at the top. If you see changes you did not make, it is a strong sign that an intruder has write access to your site.
You can check recently modified files in WordPress manually:
Log in to your server with an FTP/SFTP client or an SSH terminal.
If you are using SSH, list all files modified in the last 15 days with the find command:
If you are using SFTP, sort by the last-modified column to see the newest files on the server.
Note any files that have been modified recently.
To check all modified files from a Linux terminal:
To list the files in a particular directory, type in your terminal:
Unfamiliar modifications in the last 7 to 30 days are suspicious. Bear in mind that attackers can reset a file's modification time to match its neighbours, so an old-looking date is not proof that a file is clean.
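Scripting the same check makes it repeatable and adds two things a sorted FTP listing cannot show. The Python below is an added example, not from the original post, written for a Linux or other Unix host: it lists files modified in the last N days newest first, flags PHP files in wp-content/uploads regardless of age (that directory should hold media only), and flags files whose ctime is newer than their mtime by more than a day, which is what a backdated modification time looks like, because `touch -r` and similar tools can set mtime but not ctime. The paths and contents in the demo are constructed.

```python
"""Find recently modified files and timestamps that look tampered with."""
import os
import shutil
import tempfile
import time

PHP_EXT = (".php", ".phtml", ".php5", ".php7", ".phar")


def audit_mtimes(root, days=15, backdate_slack=86400):
    """Walk a WordPress install and return three lists of relative paths.
    recent:         modified within `days`, newest first
    backdated:      ctime newer than mtime by more than `backdate_slack` seconds.
                    On Linux utime()/touch move mtime but ctime always jumps to
                    now, so this is what a backdated file looks like. chmod,
                    chown and rename also bump ctime, so it is a lead, not a verdict.
    php_in_uploads: executable PHP under wp-content/uploads, whatever its age."""
    cutoff = time.time() - days * 86400
    recent, backdated, php_in_uploads = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if st.st_mtime >= cutoff:
                recent.append((st.st_mtime, rel))
            if st.st_ctime - st.st_mtime > backdate_slack:
                backdated.append(rel)
            if rel.startswith("wp-content/uploads/") and name.lower().endswith(PHP_EXT):
                php_in_uploads.append(rel)
    recent.sort(reverse=True)
    return {
        "recent": [rel for _mtime, rel in recent],
        "backdated": sorted(backdated),
        "php_in_uploads": sorted(php_in_uploads),
    }


def _write(root, rel, body, age_days=None):
    """Create a file; optionally push its mtime `age_days` into the past."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(body)
    if age_days is not None:
        old = time.time() - age_days * 86400
        os.utime(path, (old, old))  # same effect as `touch -d`; ctime still moves to now


def build_demo_site():
    """Constructed install (not a real site): two fresh edits, one backdated
    core file and one backdated PHP dropper hiding in uploads."""
    root = tempfile.mkdtemp(prefix="wpmtime-")
    _write(root, "wp-config.php", "<?php // edited today\n")
    _write(root, "wp-content/uploads/2024/05/photo.jpg", "not really a jpeg\n")
    _write(root, "wp-includes/load.php", "<?php // tampered, then backdated\n", age_days=90)
    _write(root, "wp-content/uploads/2024/05/.thumb.php", "<?php eval($_POST['x']);\n", age_days=90)
    return root


def run_demo(days=15):
    root = build_demo_site()
    try:
        return audit_mtimes(root, days=days)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    import sys
    result = audit_mtimes(sys.argv[1]) if len(sys.argv) > 1 else run_demo()
    for key, paths in result.items():
        print(f"== {key} ({len(paths)})")
        for p in paths:
            print("  ", p)
```

A file that genuinely has not been touched in a year has ctime and mtime close together and is not flagged; the demo leaves such a file out because a freshly created temp file cannot be given an old ctime. On Windows `st_ctime` means creation time rather than inode change time, so the backdated heuristic does not apply there.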
04. Search for hidden backdoors in your WordPress site.
Attackers almost always leave themselves a way back in, and they usually plant more than one backdoor so that cleaning the obvious one is not enough. Common hiding places are wp-config.php, code appended to core files, and the /wp-content/themes, /wp-content/plugins and /wp-content/uploads directories (uploads should never contain PHP at all).
The following PHP functions are used by most backdoors; search every PHP file for them:
- base64_decode (often paired with base64_encode)
- str_rot13
- gzuncompress (and gzinflate)
- eval
- exec
- system
- assert
- stripslashes
- preg_replace with the /e modifier (removed in PHP 7, so any remaining use is suspect)
- move_uploaded_file
A hit is not proof: base64_decode and stripslashes appear in plenty of legitimate plugins. What gives a backdoor away is the combination, typically a decoder wrapped in eval, or a request parameter ($_POST, $_GET, $_COOKIE) fed straight into one of these functions.
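A plain grep for those function names produces far more noise than signal on a real site, so it helps to score hits rather than list them. The Python scanner below is an added example, not from the original post: it applies weighted rules for the functions above plus a few related ones (`passthru`, `shell_exec`, `gzinflate`, `hex2bin`), adds a large bonus when execution and a decoder or request input appear on the same line, detects `preg_replace` with the `/e` modifier, flags PHP code hidden in non-PHP files such as .ico or .jpg (a common dropper technique, with a tiny .php elsewhere that include()s them), and flags `pre_user_query`/`views_users` hooks, which is how rogue administrator accounts are hidden from the Users screen (see "Secure WordPress user accounts" below). `stripslashes` is left out because it appears in almost every plugin. The weights and the sample files are constructed for the example.

```python
"""Triage scanner for PHP backdoor indicators in a WordPress tree."""
import os
import re
import shutil
import tempfile

PHP_EXT = (".php", ".phtml", ".php5", ".php7", ".phar", ".inc")

# (regex, weight, label). Weights are triage heuristics chosen for this example:
# a lone base64_decode is common in legitimate plugins, while execution plus a
# decoder or request input on one line is almost never legitimate.
RULES = [
    (re.compile(r"\b(eval|assert|exec|system|passthru|shell_exec|popen|proc_open|create_function)\s*\("),
     3, "code/command execution"),
    (re.compile(r"\b(base64_decode|str_rot13|gzuncompress|gzinflate|gzdecode|hex2bin)\s*\("),
     1, "payload decoder"),
    (re.compile(r"preg_replace\s*\(\s*['\"][/#].*?[/#][a-zA-Z]*e[a-zA-Z]*['\"]"),
     3, "preg_replace with /e modifier (removed in PHP 7)"),
    (re.compile(r"\bmove_uploaded_file\s*\("), 2, "file upload handler"),
    (re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\["), 1, "reads request input"),
    (re.compile(r"\$[A-Za-z_]\w*\s*\(\s*\$"), 1, "variable function call"),
    (re.compile(r"\b(pre_user_query|views_users)\b"), 2, "users-list filter (can hide admin accounts)"),
]
COMBO_BONUS = 3  # execution plus any other indicator on the same line


def scan_php_file(path):
    """Return (score, [(lineno, label, excerpt)]) for one PHP source file."""
    score, hits = 0, []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            matched = [(weight, label) for pattern, weight, label in RULES if pattern.search(line)]
            excerpt = line.strip()[:80]
            for weight, label in matched:
                score += weight
                hits.append((lineno, label, excerpt))
            if len(matched) > 1 and any(label == "code/command execution" for _w, label in matched):
                score += COMBO_BONUS
                hits.append((lineno, "decoder or request input feeds execution", excerpt))
            if len(line) > 2000:  # packed payloads usually arrive as one huge line
                score += 2
                hits.append((lineno, "very long line (packed payload?)", excerpt))
    return score, hits


def scan_other_file(path):
    """A PHP open tag inside an image, .ico or .txt file is a classic dropper."""
    with open(path, "rb") as fh:
        head = fh.read(65536)
    if b"<?php" in head:
        return 4, [(0, "PHP code inside non-PHP file", "")]
    return 0, []


def scan_tree(root, min_score=1):
    """Scan every file under root; return findings sorted by score, highest first."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            scan = scan_php_file if name.lower().endswith(PHP_EXT) else scan_other_file
            score, hits = scan(full)
            if score >= min_score:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                results.append({"file": rel, "score": score, "hits": hits})
    results.sort(key=lambda r: (-r["score"], r["file"]))
    return results


def build_demo_site():
    """Constructed files (not from a real compromise) covering each rule."""
    root = tempfile.mkdtemp(prefix="wpscan-")
    samples = {
        # one-line web shell dropped in uploads
        "wp-content/uploads/2023/11/.cache.php": "<?php\n@eval(base64_decode($_POST['c']));\n",
        # "image" that is really PHP, included from a loader elsewhere
        "wp-content/uploads/2023/11/favicon.ico": "<?php echo 'dropper'; ?>",
        # theme functions.php hiding a rogue administrator from the Users screen
        "wp-content/themes/mytheme/functions.php":
            "<?php\nadd_action('after_setup_theme', 'mytheme_setup');\n"
            "function mytheme_setup() { add_theme_support('title-tag'); }\n"
            "add_action('pre_user_query', function ($q) { "
            "$q->query_where .= \" AND user_login != 'wp_support_admin'\"; });\n",
        # legitimate plugin using base64_decode for an embedded placeholder image
        "wp-content/plugins/gallery/gallery.php": "<?php\n$placeholder = base64_decode('iVBORw0KGgo=');\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


def run_demo(min_score=1):
    root = build_demo_site()
    try:
        return scan_tree(root, min_score=min_score)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    import sys
    results = scan_tree(sys.argv[1], min_score=3) if len(sys.argv) > 1 else run_demo()
    for r in results:
        print(f"[{r['score']:2}] {r['file']}")
        for lineno, label, excerpt in r["hits"]:
            print(f"      line {lineno}: {label}  {excerpt}")
```

On a real tree start around `min_score=3` and review from the top. Hits are leads for manual review, not verdicts: a single `base64_decode` in a plugin is normal, `eval(base64_decode($_POST[...]))` is not, and the score reflects that; some legitimate code (WP-CLI, a few caching plugins) does use `eval` or `assert`.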
Clean up infected files
Once you have identified the infection, remove the malicious files. Either restore from a backup taken before the infection, or download a fresh copy of the same WordPress version and compare it with your site file by file. Be thorough: check the core files, every theme and plugin you have installed, and any custom code you have added. Delete each infected file or replace it with a clean copy, and remember that a cleaned file will simply be re-infected if the backdoor that wrote it is still present, so work through the whole checklist before declaring the site clean.
01. Backup your WordPress website
Taking regular backups of the website is a life saver. Even when the site is already hacked, take a full backup of files and database before starting the cleanup, so you can recover if the cleanup breaks something and so you keep evidence of the compromise. Keep that copy clearly labelled as infected and separate from your clean backups. You can use the backup facility in cPanel or a free plugin such as UpdraftPlus.
02. Reinstall WordPress core
Attackers frequently inject malware into the core files in the site root, wp-admin and wp-includes. The most reliable way to remove it is to replace the WordPress core in the public_html directory with a fresh copy of the same version. Download it from WordPress.org and upload everything except the wp-content folder, the wp-config.php file and the .htaccess file, which hold your site's own content and configuration. Then review wp-config.php and .htaccess by hand, since they are a favourite place for injected include lines and redirect rules.
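The copy-everything-except step is worth automating so that nothing is missed and nothing site-specific is overwritten. The Python below is an added example, not from the original post (if you have WP-CLI, `wp core download --force --skip-content` performs the same replacement): given the unpacked `wordpress/` directory of a fresh release and the site root, it reports, and with `dry_run=False` performs, three things: overwrite core files whose content differs, add core files the site is missing, and delete files in the root, wp-admin and wp-includes that the release does not ship, which is where injected loaders live. `PRESERVE` lists the site-specific entries it never touches and is an assumption to extend with any top-level files you created. The release and site trees in the demo are constructed.

```python
"""Replace WordPress core with a fresh copy while preserving site-specific files."""
import filecmp
import os
import shutil
import tempfile

# Never copied over and never deleted: the site's own content and configuration.
# Assumption for this example; add any top-level files you created (sitemap.xml, ads.txt, ...).
PRESERVE = {"wp-content", "wp-config.php", ".htaccess", ".user.ini", "robots.txt"}


def _rel_files(root):
    """Yield forward-slash relative paths of every file under root, skipping PRESERVE."""
    for dirpath, dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir == ".":
            rel_dir = ""
            dirs[:] = [d for d in dirs if d not in PRESERVE]
            files = [f for f in files if f not in PRESERVE]
        for name in files:
            yield os.path.join(rel_dir, name).replace(os.sep, "/")


def reinstall_core(fresh_root, site_root, dry_run=True):
    """Overlay an unpacked fresh release onto site_root and return the plan:
    replaced: core files whose content differed (tampered, or wrong version)
    added:    core files the site was missing
    deleted:  files outside PRESERVE that the release does not contain
    With dry_run=True nothing is written; review the plan first."""
    plan = {"replaced": [], "added": [], "deleted": []}
    fresh = set(_rel_files(fresh_root))
    for rel in sorted(fresh):
        src = os.path.join(fresh_root, *rel.split("/"))
        dst = os.path.join(site_root, *rel.split("/"))
        if os.path.isfile(dst):
            if filecmp.cmp(src, dst, shallow=False):
                continue
            plan["replaced"].append(rel)
        else:
            plan["added"].append(rel)
        if not dry_run:
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
    for rel in sorted(set(_rel_files(site_root)) - fresh):
        plan["deleted"].append(rel)
        if not dry_run:
            os.remove(os.path.join(site_root, *rel.split("/")))
    return plan


def _write(root, rel, body):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(body)


def build_demo():
    """Constructed fresh release and hacked site (example data, not real WordPress files)."""
    fresh, site = tempfile.mkdtemp(prefix="wpfresh-"), tempfile.mkdtemp(prefix="wpsite-")
    core = {
        "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-includes/load.php": "<?php // core loader\n",
        "wp-admin/index.php": "<?php // dashboard\n",
        "wp-admin/about.php": "<?php // about page\n",
    }
    for rel, body in core.items():
        _write(fresh, rel, body)
    _write(fresh, "wp-content/themes/twentytwentyfour/style.css", "/* bundled theme */\n")
    # Hacked site: tampered index.php, an injected loader, one core file missing,
    # and site-specific files that must survive untouched.
    _write(site, "index.php", core["index.php"] + "@include '/tmp/.x/loader';\n")
    _write(site, "wp-includes/load.php", core["wp-includes/load.php"])
    _write(site, "wp-includes/wp-cache-loader.php", "<?php eval($_POST['c']);\n")
    _write(site, "wp-admin/index.php", core["wp-admin/index.php"])
    _write(site, "wp-config.php", "<?php // DB credentials\n")
    _write(site, ".htaccess", "RewriteEngine On\n")
    _write(site, "wp-content/themes/mytheme/functions.php", "<?php // site theme\n")
    return fresh, site, core["index.php"]


def run_demo():
    fresh, site, clean_index = build_demo()
    try:
        plan = reinstall_core(fresh, site, dry_run=True)
        reinstall_core(fresh, site, dry_run=False)
        with open(os.path.join(site, "index.php")) as fh:
            index_clean = fh.read() == clean_index
        after = {
            "index_clean": index_clean,
            "loader_gone": not os.path.exists(os.path.join(site, "wp-includes", "wp-cache-loader.php")),
            "config_kept": os.path.exists(os.path.join(site, "wp-config.php")),
            "theme_kept": os.path.exists(os.path.join(site, "wp-content", "themes", "mytheme", "functions.php")),
            "bundled_theme_not_added": not os.path.exists(os.path.join(site, "wp-content", "themes", "twentytwentyfour")),
        }
        return plan, after
    finally:
        shutil.rmtree(fresh, ignore_errors=True)
        shutil.rmtree(site, ignore_errors=True)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # real use: python3 reinstall_core.py /tmp/wordpress /var/www/html
        print(reinstall_core(sys.argv[1], sys.argv[2], dry_run=True))
    else:
        print(run_demo())
```

Run it with `dry_run=True` first and read the `deleted` list: a top-level favicon.ico or sitemap.xml you created would be removed unless it is in `PRESERVE`. Download the release matching the version in wp-includes/version.php; a newer release is an upgrade, and WordPress will run its database update on the next admin page load. The script deliberately leaves wp-config.php and .htaccess alone, so those two still need a manual read.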
03. Clean hacked database tables
Many hacks involve the database. Redirect JavaScript and spam links are commonly hidden in wp_posts (post content), in wp_options (including the siteurl and home values and serialized plugin settings) and in wp_usermeta. Removing an injection from a serialized option value without corrupting it is error-prone, so unless you are comfortable with SQL and have a fresh database backup, professional help is the safer way to fix database injections without losing website data.
04. Secure WordPress user accounts
If you see unknown users in your WordPress account, especially extra administrators, or a default ‘admin’ account, remove them immediately so that attackers cannot reuse them and keep their access. Be aware that an administrator account can be hidden from the Users list by a filter added to the theme's functions.php or a plugin, so also check the wp_users table directly and review the theme and plugin code.
Remove unknown users manually:
- Log in to WordPress as an admin and click Users.
- Find the suspicious new user accounts.
- Hover over the suspicious user and click Delete. WordPress asks what to do with that user's content; attribute it to a trusted account rather than deleting it.
05. Replace themes and plugins
When your WordPress website has been hacked, replace all theme and plugin files with fresh copies of the same versions from WordPress.org or the original vendor, then update them. Do not reinstall premium themes or plugins obtained from unofficial "nulled" sources; they frequently ship with backdoors of their own.
Done carefully, reinstalling the same versions while keeping wp-content/uploads and the database, you will not lose any data or website customization; if you are unsure, leave it in a professional's hands.