How to Remove WordPress Website Defacement

Imagine waking up one morning to find your website disfigured and vandalized. You are a victim of website defacement. Before jumping to conclusions, let's first get to know what you are dealing with. Then we will move to the question: “How to remove WordPress website defacement?”

What is Website Defacement?

Website defacement is an attack on a website that changes the visual appearance or content of a website. It is a virtual form of vandalism.

Websites get defaced by political or religious groups who want to make their presence felt. Hackers might also deface a site just for fun. Some hackers also deface a site to bring a backdoor or vulnerability to notice since defacement attacks are easily visible and are quickly acted upon. But such attacks also have bad consequences for site owners.

Also check out: WordPress vulnerabilities that could get your website hacked

How does website defacement affect your business?

Website defacement would cause your users to lose trust in your brand. Further, these attacks could repel visitors by offending them. This, invariably, will result in a loss of traffic and revenue.

When your site is defaced, customers see and report it. Google takes these reports seriously and, after crawling the site, blacklists it. Your site then ends up with big warnings such as “This site might be hacked” or “This site is potentially unsafe”. This could prove disastrous for e-commerce websites, as potential customers are lost forever.

Check out: How to remove Google blacklist?

How often are WordPress websites defaced?

Website defacing is simple and does not require a high level of technical knowledge. Every year, defaced websites make up more than 10% of the hacked sites.

February 2017 saw over 1,500,000 WordPress websites defaced. Hackers exploited a critical privilege injection vulnerability that allowed unauthorized users to modify page content. This mass defacement resulted in SEO poisoning and websites were blacklisted by Google.

Check out: Is WordPress secure?

[Image: example of a defaced website. Utah Tourism Industry site defaced by a hacker]

How to remove WordPress website defacement?

As a website owner, looking at your defaced website, you’ll be under a lot of pressure and blowing your head off looking for a solution. The first step to secure your website is to CALM DOWN!

You are not the first to experience this and you won’t be the last, but you can avoid this shock in the future and regain whatever is lost. Let’s see how.

Removing Defacement Page

Sometimes, removal of a defacement page can be as simple as deleting the offending files or posts. Other times, attackers overwrite important files or content. If the overwritten file is one of the CMS core files or a plugin file, removing it is not an option. Instead, it has to be replaced by the original.

Restoration is easy when you make regular backups of your code. If restoration is not an option, it is recommended that you consult an expert before deleting any page or content.
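To decide which files must be replaced and which can be deleted, the live site can be compared against an untouched copy of the same WordPress version. The script below is an added example, not part of the original article; the function names, the two directory arguments and the sample tree are assumptions.

```shell
#!/bin/sh
# Added example. SITE is the live WordPress root; CLEAN is an unpacked,
# unmodified copy of the same WordPress version (both are assumptions).

# core_diff SITE CLEAN -> one sorted line per finding in wp-admin/ and wp-includes/:
#   MODIFIED <path>  differs from the original: replace it from CLEAN
#   MISSING  <path>  exists in CLEAN but not in SITE: restore it
#   EXTRA    <path>  not part of core: inspect it before deleting
core_diff() {
    site=$1 clean=$2
    for top in wp-admin wp-includes; do
        ( cd "$clean" && find "$top" -type f ) | while IFS= read -r p; do
            if [ ! -f "$site/$p" ]; then echo "MISSING $p"
            elif ! cmp -s "$clean/$p" "$site/$p"; then echo "MODIFIED $p"
            fi
        done
        ( cd "$site" && find "$top" -type f ) | while IFS= read -r p; do
            [ -f "$clean/$p" ] || echo "EXTRA $p"
        done
    done | sort
}

# make_core_sample DIR -> constructed clean/ and site/ trees for a dry run.
make_core_sample() {
    for r in clean site; do
        mkdir -p "$1/$r/wp-admin" "$1/$r/wp-includes"
        printf '<?php // admin entry\n' > "$1/$r/wp-admin/index.php"
        printf '<?php // version file\n' > "$1/$r/wp-includes/version.php"
    done
    printf '<?php // defaced\n' > "$1/site/wp-admin/index.php"   # overwritten core file
    rm "$1/site/wp-includes/version.php"                         # deleted core file
    printf '<?php // dropped\n' > "$1/site/wp-includes/x.php"    # file that was added
}

# Stand-alone use: sh core_diff.sh /var/www/site /tmp/wordpress-clean
if [ "$#" -ge 2 ]; then core_diff "$1" "$2"; fi
```

On hosts where WP-CLI is installed, `wp core verify-checksums` performs a comparable check against the official checksums.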

Search for Infection Text

Most defacers add text of their own and, to show off, also leave their name (individual or organization). This can be used to search for the infected files. For example, if the defaced page shows the text “hacked by”, go to the root directory of the website and run the following command:

grep -ril "hacked by" .

This command will return a list of files that include the keyword “hacked by”. Once you have the list of infected files you can analyze the code and remove the infection.

Check Recently Modified Files

New or recently modified files may be part of the hack. You can identify hacked files by seeing if there were any recent modifications in them.

If you have SSH access to your server, you can list all files modified by navigating to the directory where your WordPress website is and using the find command:

find ./ -mtime -15 -ls

The above command lists (-ls) all the files whose modification time (-mtime) falls within the last fifteen days (-15).

Recently updated plugins, logs, and debug files can also show up in your list. It is important to analyze the results before making any changes.

Remove Hidden Backdoor

Hackers will often leave behind a backdoor, so it is important to identify and remove all such backdoors. Backdoors commonly include the following PHP functions:

  • base64
  • str_rot13
  • gzuncompress
  • eval
  • exec
  • system
  • assert
  • stripslashes

These functions can also be used legitimately by plugins, so be sure to test any changes because you could break your site by removing benign functions.
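The three checks above (defacement text, recent modification, backdoor functions) can be combined into one ranked list so the most suspicious files are reviewed first. The script below is an added example, not part of the original article; the function names, the score weights and the sample tree are assumptions.

```shell
#!/bin/sh
# Added example: rank recently modified files by the indicators described above.
# Function names, score weights and the sample tree are assumptions.

# PHP functions from the list above, matched only as calls ("name(") so that
# doubleval( is not counted as eval(. "base64" is matched as base64_decode/encode.
BACKDOOR_RE='(^|[^[:alnum:]_])(base64_(de|en)code|str_rot13|gzuncompress|eval|exec|system|assert|stripslashes)[[:space:]]*\('

# score_file FILE MARKER -> prints 5 if the defacement text is present,
# plus 1 for every line that calls a listed function.
score_file() {
    score=$(grep -Eci -e "$BACKDOOR_RE" -- "$1" || true)
    score=${score:-0}
    if grep -qiF -e "$2" -- "$1"; then score=$((score + 5)); fi
    echo "$score"
}

# triage ROOT DAYS MARKER -> "score<TAB>path" for files changed in the last
# DAYS days, highest score first; files scoring 0 are omitted.
triage() {
    find "$1" -type f -mtime "-$2" |
    while IFS= read -r f; do    # paths containing newlines are not handled
        s=$(score_file "$f" "$3")
        if [ "$s" -gt 0 ]; then printf '%s\t%s\n' "$s" "$f"; fi
    done | sort -rn
}

# make_sample DIR -> constructed site tree for a dry run (not real malware).
make_sample() {
    mkdir -p "$1/wp-content/plugins/demo" "$1/wp-includes"
    printf '<h1>Hacked by ExampleCrew</h1>\n' > "$1/index.php"
    printf '<?php\n$d = gzuncompress(base64_decode($packed));\neval($d);\n' > "$1/wp-includes/cache.php"
    printf '<?php\n$t = stripslashes($_GET["q"]);\n' > "$1/wp-content/plugins/demo/form.php"
    printf '<?php\n$v = doubleval("1.5");\n' > "$1/wp-content/plugins/demo/clean.php"
    touch -t 202001010000 "$1/wp-content/plugins/demo/form.php"   # old, legitimate plugin file
}

# Stand-alone use: sh triage.sh /var/www/site 15 "hacked by"
if [ "$#" -ge 3 ]; then triage "$1" "$2" "$3"; fi
```

The scores only set a reading order: a plugin that legitimately calls one of these functions will also appear, so each file still has to be read before anything is changed.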

Check out: How to find and remove hidden backdoor from websites?

Scan Your WordPress for Infections

Once the cleaning is done, run a quick scan to look for infections and malware that the hackers might have left. The scan helps point out the backdoors and vulnerabilities that the hackers have left behind.

There are many free options like Google Scan available, but these run a basic surface scan and do not provide a detailed report. It is advised to run a thorough, in-depth scan with a tool like Astra Malware Scanner that provides vulnerability assessment, malware removal, blacklist monitoring, WordPress hardening, etc.

Preparing for a better future

Once the hack is removed, follow these steps to make sure the hackers do not get another chance to meddle with your website.

  1. Reset all access. Once you identify a hack, one of the first steps you will want to take is to lock things down so that you can minimize any additional changes. You can do this by forcing a global password reset for all users, especially administrators.
  2. Enable web application firewall to block malicious traffic from getting to your website. Astra firewall is known to block XSS, SQLi, CSRF and 100+ other attacks in real-time.
  3. Keep your WordPress core up-to-date. WordPress has an expert security team working day and night to keep WordPress safe.
  4. Define keys in the configuration file. The keys improve encryption of the data that users provide on your site.
  5. Filter your website extensions. Use only important plugins and update them regularly. The more extensions you have, the more potential gateways there are for hackers.
  6. Remove unused or rarely used files, such as old WordPress installations and unused WordPress plugins.
  7. Update your password. Use strong passwords.
  8. Regularly backup your code.
  9. Scan your computer and local hosting environment.
  10. Install a WordPress activity log plugin to keep track of everything that is happening on your WordPress website.

Check out: Step-wise guide to maintaining a WordPress website

While running a business is difficult, keeping it secure from malicious actors is even more difficult. Allow us to lighten your burden. Buy the Astra 360° website protection suite and forget your worries. Or Get an Astra demo now!


About The Author

Mahima Maheshwari

She is an Embedded Systems Engineer and a cybersecurity enthusiast. She spends most of her free time researching & reading. And loves to spread knowledge through blogs.
