How to Clean a Hacked WordPress Website (In 7 Steps)

Now that you know some of the main causes of WordPress hacks, here are seven easy steps to clean a hacked WordPress site.

Step 1: Review New or Recently Modified Files

The first step to cleaning a hacked WordPress site is to look for any new files that weren’t there before the hack. You can use a security plugin such as Wordfence, which will scan your website for you:

Wordfence is a useful security tool that also provides two-factor authentication and a firewall to strengthen protection for your site.

It’s important to verify that there aren’t any new or modified files in your wp-admin, wp-includes, or root folders. You can do this by accessing your File Manager or using Secure File Transfer Protocol (SFTP).

Find your public_html folder and open it:

Now, look at the Last modified date column on each of your files/folders to quickly determine whether anything has recently been changed. If something new has been added since the hack, we recommend investigating and deleting it.

Step 2: Check Diagnostic Pages

If your site has been hacked, Google will generally blocklist it to prevent it from appearing in search engine rankings. You can check to see whether Google has issued a warning for your site using the Safe Browsing Status Tool:

This tool will give you information about your site related to malicious redirects, spam, and harmful downloads.

Google Search Console is also a useful tool in this scenario. It’s completely free to create an account, and you can use it to view data and reports about your site’s security and performance. If Search Console detects any problems, you will find them in your Security Issues report.

Step 3: Remove or Clean Hacked Files

If there is malicious code in your core WordPress files or plugins, you can find and clean malware in WordPress manually. However, be careful not to overwrite the wp-config.php file or your wp-content folder, since this can break your site. 

If you have a saved version of your clean site, you can replace the infected files and folders with those from your backup. Backing up your website is essential for this very situation.

Furthermore, your website can become unresponsive or break completely, even when running typical updates or installing a new plugin. Therefore, backups make recovery quick and easy.

It’s also a good idea to store your backups on a different web server from your website. That way, your backup will remain safe even if the server is attacked.

If you don’t have a backup, you can replace your infected files and folders with fresh copies from a new WordPress installation. For custom files (that aren’t in the official WordPress repository), open them with a text editor like Sublime or Notepad++. Then, remove any suspicious code that you find there.

Suspicious code can be difficult to spot. Hackers will try to hide the functionality of a script by using unintelligible language. Another way to keep the code hidden is by turning off any error reporting.

You’ll want to look out for snippets that look like this:

error_reporting(0); or error_reporting(E_ERROR | E_WARNING | E_PARSE); or ini_set(‘display_errors’, “0”);

Once you remove lines of malicious code like these, test your website to see if it’s still functional and if there are still signs of a hack.

Step 4: Clean Hacked Database Tables

If your database has been hacked, it will also need cleaning. You should already know if your database has been compromised if you use a WordPress security plugin or service like Sucuri. Usually, the plugin will notify you about the hacked site via email.

Otherwise, you can use specialized plugins like NinjaScanner to scan your entire database and check for malicious files, links or content:

However, if you’d prefer to carry out these checks yourself, you can clean hacked database tables by searching for suspicious content in your database. It may come in the form of spammy keywords or unfamiliar links.

Once you’ve identified possible sources, open the table that contains the content and manually remove it. Then, test your site to see if it’s working correctly.

Step 5: Secure User Accounts

If your website has been hacked, you won’t know which passwords have been compromised. Therefore, it’s a good idea to change all of your passwords and ask all users with access to your site to change their login credentials too.

It’s important to cover all bases, so consider changing your WordPress password, SFTP credentials, database password, and the details you use to access your hosting account. Additionally, it’s useful to remove any WordPress admin account that you don’t recognize on your site.

You can do this by heading to Users > All Users and switching to the Administrators tab:

To keep your site as secure as possible, we recommend only having one administrator. If you ever need to grant administrator access to other users, it’s best to revoke this privilege once the task(s) is complete.

You can revise user roles by heading to Users > All Users. Then, click on the user account and scroll down to the Role dropdown box:

Here, you can determine how much control you want WordPress users to have over your website. For instance, Administrators and Editors have more privileges in your WordPress dashboard than Contributors do.

Step 6: Remove Hidden Backdoors

Backdoors are malware left behind by hackers that enable them to gain access to your site without using the standard login procedure. These backdoors are often embedded in files with similar names to WordPress core files, but are in the wrong directories. They can also be injected into files such as wp-config.php.

Some of the suspicious PHP functions (backdoors) to look out for include:

• Base64
• Str_rot13
• Gzuncompress
• Eval
• Exec
• System
• Assert
• Stripslashes
• preg_replace (with/e/)
• move_uploaded_file

However, these functions may be used legitimately by some official WordPress plugins. Therefore, it’s a good idea to make a fresh backup of your site and check to ensure that it works properly after removing potential backdoors.

Step 7: Remove Malware Warnings

If Google has blocked your site due to a hack, you’ll need to request a review once you’ve cleaned the malware in WordPress. You can register your website with Google by creating a Google Search Console account.

The method for requesting a review differs based on the type of attack that your site suffered, such as phishing or hacking. We recommend following the steps in this article to find tailored advice for your solution. You might also need to request similar reviews for other search engines if your site was blocklisted elsewhere.

How to Increase WordPress Security Following a Hack (6 Tips)

Website security has probably never felt more important following a hack. That’s why it’s important to put protective measures in place to prevent an attack from happening again. Here are six tips to help you safeguard your WordPress website.

1. Strengthen Your Login Procedures

The best place to start is with a fresh password. As we mentioned earlier, it’s a good idea to cover all the bases, including your hosting account, SFTP credentials, and WordPress login credentials.

You can also prevent unauthorized access to your website by using two-factor authentication. WP 2FA is an excellent tool that enables this functionality:

Users must enter two keys to access your WordPress site. The first key is usually a password. Then, the second key is generated in real-time and sent to an email account, app, or mobile device. Since bots and hackers cannot access the second key, two-factor authentication is a great way to enhance web security.

2. Update and Reset Configuration Settings

A hacker may have changed your WordPress configuration settings during an attack. Therefore, it’s worth resetting your configuration settings to the WordPress defaults.

Fortunately, this process is easy with a WordPress reset plugin. For instance, WP Reset can return your WordPress database to its original settings by deleting customizations and added content:

Once you’ve installed and activated the WordPress plugin, it’s simply a matter of navigating to Tools > WP Reset > Reset. You’ll be prompted to decide which software you’d like to reactivate after the process completes. Then, you’ll need to confirm the procedure by typing “reset” into the box and clicking on Reset WordPress:

It’s also worth updating your website to prevent vulnerabilities in the WordPress software. You can do this by heading to Dashboard > Updates:

Here, you can enable auto-updates and view a list of WordPress plugins or themes that have updates available. For extra peace of mind, we’d recommend removing and replacing potentially suspicious themes and plugins with ones from official sources.

It’s important to create a fresh backup of your website before running any updates. Additionally, it’s helpful to test updates in a staging environment first. That way, if anything goes wrong, your live site will remain unaffected.

To be on the safe side, you might even remove wp-admin and wp-includes using your File Manager or SFTP. Then, you can replace them with new copies from the WordPress repository.

The latest version of WordPress can be found here. However, if you’re purposely running an older version of WordPress, you can see past versions here.

3. Generate New WordPress Keys

If a hacker has a session cookie, they can retain access to your hacked website even when you change your passwords. Therefore, it’s best to reset secret keys. Doing so will force all active users to log out of your site.

You can get new values for your WordPress keys and salts using a secret key generator. Then, update your keys by accessing your wp-config.php file and scrolling down to this section:

Simply replace the WordPress keys and salts with your new values. Remember to save and re-upload the file to complete the changes.

4. Create Backups of Your Website

Backups are extremely handy following an attack on your site, because you can directly swap website files or folders to recover your content more quickly. Plenty of great backup plugins like UpdraftPlus take care of this process for you:

As we discussed earlier, it’s better to store your backups in a different location than your server, since that hardware is also vulnerable to hacks. In fact, using an off-site location is usually the best way to ensure that your backup is stored securely.

It’s also a good idea to test the restoration process to ensure that it works properly. Additionally, if you’re using a plugin to automate backups, make sure you can create backups as frequently as you need them, whether that’s weekly or daily.

5. Scan Your Computer

Since a hacker only needs to infect one of your users’ computers to access your site, it’s important to ask all team members to run scans on their operating systems. We recommend using a reputable anti-virus program such as Malwarebytes or Avast:

Malwarebytes offers a full threat detection service and excels in malware removal. Meanwhile, Avast detects viruses and picks up on other common threats like phishing and ransomware. Plus, many antivirus programs offer free trials to try out the premium features before you commit.

6. Install a Web Application Firewall (WAF)

A web application firewall provides an extra barrier when hackers try to access your site. Additionally, it strengthens your pages against DDoS attacks. It monitors all HTTP traffic to and from your website, automatically filtering and blocking suspicious requests:

Cloudflare and Sucuri are high-quality plugins that enable you to set up a WAF quickly. A WAF is a great preventative measure, since it stops malicious traffic from ever reaching your pages. Meanwhile, it blocks access to your wp-admin folder and your login page. Moreover, some WAF providers also offer caching to help speed up your site.