How to Identify and Fix a Hacked WordPress Website


Is WordPress hack-proof? Never say never, but it is commonly accepted that the WordPress Core has strong security. Professional analysis of hacked WordPress sites typically reveals the point of entry to be the result of a weak administrator or FTP password, a domain or hosting level breach, an insecure plugin or theme, running an outdated version of the WordPress Core, or a point of entry other than the WordPress Core.

The smart techies know that keeping your site free of viruses, hijacked files, and security vulnerabilities is easier said than done, but often a little effort goes a long way. For example, you could follow Tom’s 10 entry-level WordPress security steps and have a more secure WordPress site than many others do.

Compromised Sites Aren’t Always Easy to Identify

The question website owners need to know the answer to is, “How do I know when the threshold has been crossed — when my site has been hacked?”

In March 2012, ZDNet reported:

…over 90 percent [of website owners] didn’t notice any strange activity, despite the fact that their sites were being abused to send spam, host phishing pages, or distribute malware.

– “63% of website owners don’t know how they were hacked” (emphasis added)

In April 2012, Google’s Matt Cutts revealed how common and unaware hacked websites and their owners really are:

Beyond clear-cut blackhat webspam, the second-biggest category of spam that Google deals with is hacked sites with injected links. The most common reaction we hear from webmasters is “The problem is with the Google search. There is nothing wrong with our website.” That’s a real quote from an email one site owner recently sent us. Sadly, it turns out that the site is almost always really hacked.

– “Example email to a hacked site” (emphasis added)

The StopBadware PDF, linked to from the ZDNet article above, answers the question, “What are the compromised websites used for?”

How to Identify a Hacked Website

One of the benefits of using a common website platform, like WordPress, is that security scanners know what to expect. They can tell that WordPress Core files shouldn’t contain certain code or load assets from external domains or contain obfuscated code.


No matter how your website is built or managed, some common signs of a hacked site include:

Above are telltale signs that you’ll be able to identify just by browsing your own site.

Following are automated methods of identifying compromised sites.

Google Webmaster Tools Email Alerts

Google Webmaster Tools is a great resource for webmasters (here’s how to set it up), which you probably already know. One of its best features is the email notification it sends when Google detects bad activity (i.e. a hack!) on your site. Because you verified yourself as the site owner, the notification is emailed to you directly. This notification is what Matt Cutts’ quote above refers to. So now you know: if you receive one of these emails, Google’s accuracy rate is very high and you should immediately go into high-alert mode.

Google Scanners

Fetch as Google and Google Safe Browsing diagnostics (google.com/safebrowsing/diagnostic?site=http://YOURDOMAIN) are two ways you can scan your site to see it how Google sees it.

StopBadware Clearinghouse

The StopBadware Clearinghouse can be searched quickly, but it’s likely to already be included in Google’s Webmaster Tools results. In other words, you’ll probably receive an email from Google Webmaster Tools before checking the StopBadware Clearinghouse. However, it’s good to check during the site recovery process.

Sucuri SiteCheck Scanner

Sucuri’s SiteCheck malware scanner checks against Google Safe Browsing, Norton Safe Web, PhishTank, Opera browser, SiteAdvisor, and several other blacklist databases. It also runs its own searches for malicious or suspicious iframes, scripts, downloads, redirections, and other items, and it provides a list of the scanned URLs and scripts, the website’s software (e.g. WordPress), and the software version information.

In fact, ManageWP integrates Sucuri’s SiteCheck into its Dashboard, and Sucuri is a ManageWP Partner.


webcheck.me Scanner

The webcheck.me Scanner checks security, the existence of plain-text email addresses, MX records, SEO quality, and other tests. It’s a visually-appealing, high-level view of your site’s overall health.

Browser Security Scanner

Perhaps one you didn’t expect: Qualys BrowserCheck scans your internet browser for security vulnerabilities, including outdated computer software and browser plugins like Java, Adobe Flash, Adobe Reader, and Microsoft Silverlight. It’s possible that the browser, FTP client, or other access point on your own machine is to blame for a compromised site.

How to Fix a Hacked WordPress Website

Once you know or suspect your site has been hacked, Google recommends you:

StopBadware lists similar steps:

To supplement the other links found in Matt Cutts’ example email (quoted near the beginning of this article), the following are some WordPress-specific suggestions to get you back on the right track for the long term.

Backup, Backup, Backup… Restore?

If you pinpoint the date and time of your site’s hack, the simplest solution is to just restore your website to a backup prior to that time. This is why it’s important to use a reliable backup utility, one that not only backs up but makes it easy to restore.

However, that previous backup is the very copy that was vulnerable to attack, unless the point of entry was at the domain, server, or FTP level instead of the software level. Regardless, it’s important to make sure the restored version of your site is free from the same vulnerability(ies).

It’s a good idea to backup your .htaccess and wp-config.php files, your wp-content directory, and your database separately from your full .zip backup file(s) so that you can replace portions of your site, like the WordPress Core files.

Replace WordPress Core Files

Hackers typically go after a high yield hack. For example, if they can hack WordPress Core or a popular plugin or an entire webhost, they hack once and gain access to a multitude of sites. Additionally, they probably don’t care to hack a80yva9a dot com because it’s a site and domain of no value in terms of visitor traffic or perceived reputability.

Because of this high-yield theory, it can be beneficial to replace the web server’s copy of the WordPress Core files. You can always get the latest version of WordPress at http://wordpress.org/latest.zip.

Additionally, you should re-install all your plugins from fresh copies and inspect your themes before re-installing them. I also suggest inspecting the rest of the wp-content directory for mysterious files.
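The "security scanners know what to expect" point above, and the advice to replace Core files and inspect wp-content, can be turned into a small local check. The following is an added example (not code from the article, ManageWP or Sucuri): it hashes a known-clean WordPress download into a manifest, then walks the live web root and reports Core files whose hash changed, files outside wp-content that Core does not ship, and any file containing the eval/base64_decode and eval/gzinflate obfuscation idioms. The directory layout, file contents and the `demo()` helper are constructed for the example; point `build_manifest` at a real extracted latest.zip and `scan_site` at a real web root to use it.

```python
"""Added example: compare a WordPress web root against a known-clean copy.

Not part of the original article. All paths and file contents in demo() are
constructed for illustration.
"""
import hashlib
import os
import re
import tempfile

# Obfuscation idioms commonly seen in injected PHP; legitimate Core/plugin
# code has no reason to eval() decoded or inflated strings.
SUSPICIOUS = [
    re.compile(rb"eval\s*\(\s*base64_decode\s*\("),
    re.compile(rb"eval\s*\(\s*gzinflate\s*\("),
]


def sha256_of(path):
    """Hash one file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(clean_root):
    """Map relative path -> sha256 for every file under a clean WordPress copy."""
    manifest = {}
    for dirpath, _, files in os.walk(clean_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, clean_root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def scan_site(live_root, manifest, site_specific=("wp-content/",)):
    """Return {'modified': [...], 'unexpected': [...], 'suspicious': [...]}.

    modified   - files present in the manifest whose hash differs
    unexpected - files not in the manifest, outside site-specific trees
                 (wp-content holds your own themes/plugins/uploads, so it is
                 only pattern-scanned, not compared against the manifest)
    suspicious - any file, anywhere, matching one of the SUSPICIOUS patterns
    """
    report = {"modified": [], "unexpected": [], "suspicious": []}
    for dirpath, _, files in os.walk(live_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, live_root).replace(os.sep, "/")
            with open(full, "rb") as f:
                data = f.read()
            if any(p.search(data) for p in SUSPICIOUS):
                report["suspicious"].append(rel)
            if rel in manifest:
                if hashlib.sha256(data).hexdigest() != manifest[rel]:
                    report["modified"].append(rel)
            elif not rel.startswith(site_specific):
                report["unexpected"].append(rel)
    for key in report:
        report[key].sort()
    return report


def _write(root, rel, data):
    """Helper for the constructed demo tree."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Build a constructed clean copy and a constructed live site, then scan."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "clean")
        live = os.path.join(tmp, "live")
        # constructed "clean" download: two Core files
        _write(clean, "wp-load.php", b"<?php // clean loader\n")
        _write(clean, "wp-includes/functions.php", b"<?php function wp_fn() {}\n")
        # constructed live site: one Core file injected, one rogue Core-path file,
        # one plugin carrying an obfuscated payload
        _write(live, "wp-load.php", b"<?php // clean loader\n")
        _write(live, "wp-includes/functions.php",
               b"<?php function wp_fn() {}\neval(base64_decode('PLACEHOLDER'));\n")
        _write(live, "wp-includes/class-extra.php", b"<?php // not shipped by Core\n")
        _write(live, "wp-content/plugins/demo/demo.php",
               b"<?php eval(gzinflate(base64_decode('PLACEHOLDER')));\n")
        return scan_site(live, build_manifest(clean))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(category, paths)
```

A clean hash comparison only tells you a Core file changed, not what changed; diff the flagged file against the fresh copy before deciding. Files flagged as "unexpected" in wp-admin or wp-includes deserve the same treatment, since Core ships no site-specific files there.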

Change All Login Credentials and Protect WordPress Logins with SSL

No matter where the security breach seems to have originated from, you never know the entirety of what information might have been acquired.

Create new passwords for all logins — SSH, server management, FTP, Google, ManageWP, and WordPress user accounts — without prejudice (i.e. don’t assume any of them weren’t compromised). Also, generate a new set of wp-config.php security keys / salts, which invalidates every existing login cookie. You can even completely change the login page URL.

If you don’t already have an SSL certificate to secure WordPress logins, now is the time to implement it. Follow the additional items suggested by WordPress Codex “Hardening WordPress”, including using an SSL certificate.

Resolve Specific Issues

The steps above apply to all sites attempting to recover from a hacking incident. You might also have web host, web server software, or other issues to address. Using the scanners above should help pinpoint additional security concerns; however, no scanner is fool-proof, and the WordPress database could still be compromised even when the files come up clean.

Sucuri not only provides a free scanner but also offers paid monitoring and cleanup packages. Web hosts like WP Engine scan and fix hacking attempts automatically, and they’ll even fix sites that do get hacked at no additional cost. They contract with Sucuri and SecTheory.

Reminders

Let me assure you; it’s easier, more reliable, and less of a headache to “act as if” — operating a secure site and taking security precautions to the next level on a regular basis — than it is to restore a hacked site and only then pay attention to security.

Getting a web host that focuses on security can be a major improvement over ultra-cheap web hosts. There’s no way a $4/month “unlimited” web host’s features can compare to a $30/month web host that focuses on speed, security, and service. Sometimes we don’t value higher-priced offerings until it is too late — until after the hack already happens or, in the case of site speed and uptime, until after the traffic spike happens (in a good way).

I suggest you perform some of the actions above on a semi-regular basis — taking regular backups and verifying they can be fully restored, changing login credentials, etc. — in addition to forcing strong passwords, limiting login attempts, and taking other security precautions.

Adding your site to Google Webmaster Tools provides a number of benefits, one of which is receiving security alerts via email. Make sure to add your site to Google Webmaster Tools.

Make sure you take regular backups. Typically, once or twice per day is sufficient. Others consider every other day, once per week, or once per month adequate. The optimal backup schedule depends on how often your site content changes and how much traffic your site gets.

If you’ve ever had a site hacked or helped someone else resolve their hack issues, please share what worked best for you. Now is the time for “the fish was this big” stories. 😉

Creative Commons images courtesy of Guerry, Richzendy, and DaveBleasdale

Clifford Paulick

Clifford Paulick is @TourKick, doing cool things with WordPress, photography, and videography. He provides web and technology consulting services at TourKick.com and is a Tulsa Realtor.

34 Comments

  1. Vincent

    Hi all,
    I don’t have a website. But I think I have been hacked. Because when I go to a website I get redirected to another website, but it looks mostly exactly the same. Except videos are playing differently, like someone changed faces with known faces from my friends. I think they use WordPress or something called “apache”.
    Maybe someone knows how to check if i am right? And if so how to find the person or delete the hack?

    I would appreciate any thoughts or help!
    Thank you in advance.

    Regards Vincent

  2. Sid

    I had / have a hacked site. It was an SQL injection by the looks of it. The server was littered with new files and even contained the hackers’ usernames. The hackers seem to be quite well known… Sdcyber – alsa7r, aka AL.MaX HaCkEr.

    I know pretty much nothing about hacking and security, yet I found this exploit just by looking at the root directory in File Manager via cPanel.

    So the question is… Why did the ManageWP security scan say my site was Status: Verified Clean?

    I would have thought that any security scan would be checking files for usernames of known hacking groups to identify hacks, or noticed the strange but obvious files in the root dir? A kid could have found this one. I could write a simple app in about 5 minutes that would scan files looking for known hacker usernames in a predefined list.

    So now I am left wondering if I am getting a working product with ManageWP? My version is via BlueHost. I’m guessing that is the full version?

    I still love ManageWP, but feel like the security tool is pretty much pointless and might lead people into a false sense of security. And now I’m looking for other security tools to replace ManageWP security, if you can call it that.

    I would love to see an industry-leading security scanning tool included with ManageWP. Teaming up with BitDefender and Malwarebytes would be good. These are the best for finding exploits.

    As an example. On another one of my sites, my WP password area wasn’t working. So I opened up Chrome developer tools and inspected the password field. As soon as I did this, my PC’s BitDefender gave me an alert saying trojan detected. That site was compromised, despite the cPanel virus scan saying nothing was found.

    I’m left wondering why internet-based security like cPanel and ManageWP isn’t offering the protection I get from very cheap and often free apps like BitDefender and Malwarebytes? And if cPanel and ManageWP aren’t finding the most obvious hacks from well-known hacking groups, using things like the TimThumb exploit, then what’s the point?

    1. Clifford Paulick

      Hi Sid. Sorry you experienced this with your site. You’ll need to ask your various service providers via their official support channels (including ManageWP’s) to get answers to those questions.

      I hope things improve for your site!

  3. RANJIT KUMAR

    Hello sir, my website is hacked, please help me… how to fix? Please reply.

  4. Logic InfoTech

    These tips are working on many of our sites, thanks for sharing.

  5. Christopher Nankervis

    I’ve had a load of traffic and attempted hacks. Bandwidth usage pushed up, but manageable on my package.

    I’ve written a report that can be found at http://www.weatherlogistics.com/WordPressAttack.pdf

    Hope this helps,

    Dr Nankervis

  6. Hacker Ninja

    Very helpful content. I would like to draw your attention to hackerninja.com; it is a free online scan tool for WordPress and Joomla.

  7. Stephen

    the link in the webcheck.me Scanner section is broken … you have https//webcheck.me (no colon after the “https”) … it should be https://webcheck.me

    1. Clifford Paulick

      Thanks for the heads up. Sorry about that. Fixed now. Kudos! :-)

  8. John

    This information is really helpful. I found another article which talks about fixing the WordPress hacking issue.

    http://wordpressapi.com/2013/05/22/if-wordpress-site-is-hacked-then-how-to-fix-issue/

    1. Clifford Paulick

      Glad it helped, John. The link you provided seems to focus on banning specific IPs, which is never a winning long-term strategy in my experience.

  9. Sean

    No one tool can catch everything, so make sure to use multiple tools. When building http://isithacked.com I came across some sites that Sucuri gave a green light but had 500+ embedded spam links. And some hacks were done so well they didn’t trigger the Google warnings in the SERPs.

    1. Clifford Paulick

      Thanks for sharing.

  10. Yusul Yesil

    We were using GoDaddy shared hosting and we got similar problems. Even the not-writable .htaccess file kept being hacked and redirecting scripts added. We don’t have any problems right now; we switched our hosting to OVH, it is a dedicated server, we have full control and everything is working smoothly. We even use chown sometimes so Apache cannot even upload files.

    1. Clifford Paulick

      It always feels good to get rid of nasty problems like that. Way to stick with it.

  11. Sukalyan Das

    Thanks for the info. I really think this is useful. I have a small IT business in India and have faced the issue of our sites being hacked a number of times.

    I got the link of failsafe.us while browsing for automated backup solutions. It is a great tool that enables Uptime Monitoring along with Daily automated backups for files and DB and I must say that their Failsafe system is just great. It reverts any unauthorized modifications done on the site.

    I shall suggest guys to have a look at it.

    Thanks

    1. Srikanta Kumar Jena

      You are right, my friend. I am also using this “failsafe.us” as my website protector.
      It is working nicely; I am also advising everyone to go for a view of this software.

      Thanks a lot.

    2. Clifford Paulick

      Thanks for sharing your tip.

  12. linaka

    Sucuri really is awesome, I used it the other day. Thanks for posting the rest of the article, it’s interesting.

    1. Tom Ewer

      No problem :-)

    2. Clifford Paulick

      Did you use it directly from ManageWP Dashboard or on their site directly?

  13. Canton

    @Chris – Definitely it’s possible to have a secure WP environment on a budget shared host, but it’s trickier. My main point is that folks using a budget shared host are even more obligated than most to keep their security up-to-date because they’re more likely to be tested for vulnerabilities. On a budget shared host, you’re hanging with a crowd of people who are less likely to be secure, so your defenses get poked at just by association. However, I should also mention that the most recent site I un-hacked was on a shared host — cPanel with fairly good virtualization — but it looks like the hacker had gained access to the entire server and was able to change database passwords at will. It didn’t matter how good my client’s WP security was; the hacker just walked right in because s/he had full MySQL access for the entire host.

    1. Clifford Paulick

      Good summary reply. Do you have any suggestions for how to tell if the server one is on has server-level security vulnerabilities?
      Personally, I haven’t seen any hosting provider say “we’re NOT secure”, so I would say there’s value in finding out for yourself if your site has a gaping hole at the server level.

      1. Canton

        Hi Clifford,

        Here’s how I’ve suspected/detected server-level vulnerabilities:

        When investigating a hack, the first thing I do is dig into the raw Apache log files to find the IP address of the attacker. In a couple of cases what I’ve seen is that the attacker first visited the site resulting from a referral on Bing where they were searching for all the sites hosted on a particular IP address.

        If you see that the other sites on the same IP address were also hacked, it’s a pretty good indication that the hacker either (1) found a server-wide vulnerability, or (2) figured this looked like a host with a bunch of potentially out-of-date WP installations.

        In a recent case, the log files looked like this:
        1) hacker finds site via IP address
        2) hacker just logs right into wordpress. No exploit of old plugins, etc.

        Since the admin password had changed, what we figured out was that somehow the hacker was able to directly manipulate the database to change the admin password and log right in. No WordPress vulnerability required.
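The log-driven triage Canton describes (find the attacker’s IP in the raw Apache logs, check whether the first visit came from a search-engine referral, then see whether they simply logged in) can be scripted. The following is an added example, not part of Canton’s comment or of the article: it parses Apache combined-format lines, rebuilds a per-IP timeline, and flags any client whose first request carried a search-engine referrer and who then got a 302 from a POST to /wp-login.php (WordPress redirects on success and re-renders the form with a 200 on failure) followed by a 200 from /wp-admin. The log lines, IP addresses (from the documentation ranges) and hostnames are constructed for the example.

```python
"""Added example: per-IP timeline triage over Apache combined-format logs.

Not part of the original comment or article. The sample lines below are
constructed; addresses come from the 192.0.2.0/24, 198.51.100.0/24 and
203.0.113.0/24 documentation ranges.
"""
import re
from collections import defaultdict

# Apache "combined" LogFormat:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Referrer hostnames treated as "arrived via a search engine".
SEARCH_REFERRERS = ("bing.com", "google.")

# Constructed sample log: one client arrives from Bing, logs in on the first
# try and reaches wp-admin; one ordinary search visitor; one failed login.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2013:13:55:36 -0500] "GET / HTTP/1.1" 200 5123 '
    '"https://www.bing.com/search?q=example" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2013:13:55:41 -0500] "GET /wp-login.php HTTP/1.1" 200 3120 '
    '"-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2013:13:55:49 -0500] "POST /wp-login.php HTTP/1.1" 302 0 '
    '"http://example.com/wp-login.php" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2013:13:55:50 -0500] "GET /wp-admin/ HTTP/1.1" 200 18044 '
    '"http://example.com/wp-login.php" "Mozilla/5.0"',
    '198.51.100.22 - - [10/Oct/2013:14:02:10 -0500] "GET / HTTP/1.1" 200 5123 '
    '"https://www.bing.com/search?q=example" "Mozilla/5.0"',
    '198.51.100.22 - - [10/Oct/2013:14:02:31 -0500] "GET /about/ HTTP/1.1" 200 4410 '
    '"http://example.com/" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2013:14:10:05 -0500] "POST /wp-login.php HTTP/1.1" 200 3120 '
    '"-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the parsed fields of one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def timelines(lines):
    """Group parsed records by client IP, preserving log order."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    return by_ip


def flag_search_then_login(by_ip):
    """IPs whose first hit came from a search engine and who then logged in."""
    flagged = []
    for ip, recs in by_ip.items():
        first = recs[0]
        from_search = any(s in first["referer"] for s in SEARCH_REFERRERS)
        login_ok = any(
            r["method"] == "POST" and r["path"].startswith("/wp-login.php")
            and r["status"] == "302" for r in recs
        )
        reached_admin = any(
            r["path"].startswith("/wp-admin") and r["status"] == "200" for r in recs
        )
        if from_search and login_ok and reached_admin:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    for ip in flag_search_then_login(timelines(SAMPLE_LOG)):
        print("review this client's timeline:", ip)
```

A login that succeeds on the first POST from an IP that has never visited before is exactly the signal in Canton’s case: no failed attempts, no plugin probing, just a working password. When that shows up, check the database and hosting-level credentials, not only the WordPress files.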

      2. Canton

        Hi Clifford, re-reading your question, I’m thinking that a post-triage analysis of a hack isn’t what you were asking about. You’re wondering how to vet the security of a server *before* a hack happens.

        I can’t think of any way of doing this, short of running a security scanner (which would certainly get your IP blacklisted by any decent host.)

    2. Chris Walker

      Probably, MySQL access was gained through the remote protocol. Port 3306 or a custom one.

      On my shared servers remote MySQL is completely disabled, for just such an occasion. That’s not saying a MySQL injection is completely impossible, but it is much more difficult for a hacker to obtain the root account. Also, with tools such as a properly configured mod_sec rules list and maldetect to snuff out webshells, it’s also much more difficult for a hacker to inject code.

      Unfortunately, there are a lot of “kiddie” hosts out there, selling budget services, with no experience in server security, or much in running a server in general.

  14. Chris Walker

    I meant to add:
    This prevents a hacker of one site from being able to move down the list of accounts hosted on the server. Some years ago we had just such a case occur, through a hacked (and outdated) WP site, where the hacker used an injection attack to gain access. The hacker then moved through many other accounts and installed phishing sites. Since we have implemented chrooted environments, such a massive issue has never occurred again.

  15. Chris Walker

    @Canton,
    There is no reason why a shared host cannot be secured enough for WP or other sites. Particularly nowadays with the use of systems like hive and CloudLinux which isolate each user account into a chroot-like environment.

  16. Canton

    Hi there,

    All good points here. Something I would add to the discussion re: staying away from budget hosts is that being on a shared budget host exposes you to a higher risk of being targeted for a hack:

    Many of the hacks I see begin with the hacker searching Bing or Google for all the sites hosted on a particular IP address. Why? Because the hacker knows that on a budget host, more of the WordPress installs are likely to be out of date. So being in the company of these sites means your site is more likely to be tested for vulnerabilities.

    Since I do a fair amount of work “unhacking” WordPress sites, I’ve written up a 7-step guide on how to find and remove hacks and especially *backdoors* that let hackers re-hack your site once it’s been repaired:

    http://cantonbecker.com/work/musings/2009/how-to-search-for-backdoors-in-a-hacked-wordpress-site/

    1. ManageWP

      Great tips, thanks for posting it Canton

  17. Scottsdale Computing

    Great article! I too have fixed a couple WordPress installations for people that have been hacked. It is always something different. I never used any tools. Will definitely bookmark this for future use, might save me some time. Keep up the great informational posts.

    1. Clifford Paulick

      I’m glad you liked it. If you stumble along other resources, feel free to share in the future.

  18. Paul

    One more tip… when using FTP, always remember to connect with SFTP.

    1. Clifford Paulick

      Very true. Thanks.
