The Ultimate WordPress Hack Cleanup Guide

A sad reality for website owners and webmasters is that any running website can be hacked. We have helped people keep their websites from being hacked and have helped them clean their hacked WordPress websites, and this comprehensive WordPress hack cleanup guide is another such effort. A hack is bad for your business and your readership, and staying safe from malicious attacks on today's internet is a task in itself.

Few Things to Know Before We Start

First and foremost, no matter what platform you use (WordPress, OpenCart, Drupal, Magento or any other CMS), it can be hacked. If you are hacked, you lose search engine rankings, get blacklisted by Google, expose your readers to malware, lose sensitive information and, ultimately, lose customers.

If yours is not just another website, then security must be your first priority. You need to have the following things correctly in place:

These measures help if you haven’t been hacked yet, but chances are it is already too late, since you are reading this article.

Let’s dive into our WordPress hack cleanup guide. Follow it step by step to properly secure your WordPress website.

Diagnose Hack

It’s really important to identify and diagnose the hack on your website: locate every place where malicious code could sit in your application. It could be in core files, database tables, logs and many other places. Follow this WordPress hack cleanup guide thoroughly.

Check core files

Most core WordPress files should never be modified. Understanding the WordPress directory structure is crucial so that you can compare the existing core files with the ones present in a fresh install.

A very quick way to do this is the “diff” command in a terminal on Unix-like systems, comparing the freshly downloaded copy against your site’s copy:

$ diff -r /Desktop/WordPress/wp-includes /public_html/your-site.[com]/wp-includes
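As an added example (not code from the original guide or from Astra), the script below does the same comparison file by file and also reports files that exist only on the live site, which a plain recursive diff can bury in noise; the clean and live paths are assumptions, and the demo builds two small trees in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original guide: compare a live WordPress tree
# against a pristine copy of the same version and report files whose contents
# differ, files present only on the live site (a common place for dropped
# scripts) and files that are missing. The clean/live paths are assumptions.

# Usage: compare_trees <clean-dir> <live-dir>
# Prints one line per finding: "MODIFIED <path>", "EXTRA <path>" or
# "MISSING <path>", with paths relative to the two directory roots.
compare_trees() {
    clean="$1"; live="$2"
    ( cd "$clean" && find . -type f ) | sort | while read -r f; do
        if [ ! -f "$live/$f" ]; then
            echo "MISSING $f"
        elif ! cmp -s "$clean/$f" "$live/$f"; then
            echo "MODIFIED $f"
        fi
    done
    ( cd "$live" && find . -type f ) | sort | while read -r f; do
        [ -f "$clean/$f" ] || echo "EXTRA $f"
    done
}

# Constructed demo trees so the script runs offline: the live copy has one
# altered core file and one file that the clean copy does not contain.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/clean/wp-includes" "$tmp/live/wp-includes"
    printf '<?php\n// core\n' > "$tmp/clean/wp-includes/load.php"
    cp "$tmp/clean/wp-includes/load.php" "$tmp/live/wp-includes/load.php"
    printf '<?php\n// core\n' > "$tmp/clean/wp-includes/functions.php"
    printf '<?php\n// core\n// appended line\n' > "$tmp/live/wp-includes/functions.php"
    printf '<?php\n' > "$tmp/live/wp-includes/extra.php"
    compare_trees "$tmp/clean" "$tmp/live"
    rm -rf "$tmp"
}
```

Run it against a fresh download of the same WordPress version as the site; otherwise version differences will show up as MODIFIED.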

Check Recently Modified Files

Another possibility is that recently modified files are the ones that have been tampered with. Follow these steps to identify recently modified files:

  1. Log into your server using FTP or SSH terminal.
  2. If using SSH, use the “find” command to list all files modified in the last 10 days:
    $ find ./ -type f -mtime -10
  3. If using an FTP client, you can review the last modification time of every file.
  4. List the files that have been modified and check them for signs of hack activity.

Check Diagnostic Pages

If your website has been blacklisted by search engines, you can use their respective diagnostic tools to check its security status. The following are some important tools:

Hack Cleanup

Now that you know where the malware is located, the next step is to clean it. We suggest you take a backup before you start. Follow the steps below to completely clean your WordPress website.

Clean hacked files

If the infection is in your core files, you can simply remove the malware manually. Don’t change the content of the wp-config file or the wp-content folder (your application might break).

Core .php files can be replaced directly with the files from a fresh install. Download the WordPress .zip to get all the core .php files that are present in a fresh install.

Follow these steps to remove malware infected files:

  1. Collect the recently changed files and confirm with your users whether they made the change.
  2. Restore infected files from the corresponding files in a fresh WordPress install.
  3. For theme files, replace the malicious code by comparing against the original theme files, or contact your theme distributor.

Note: I know it’s sometimes difficult to check all files for malware, but the “diff” and “grep” commands are handy when comparing files.

Clean hacked database tables

To remove malware from hacked tables, be cautious so that your application doesn’t go down. Also, don’t forget to take a backup of your application.

Follow these steps to remove malware/infection from database tables:

  1. Sign into your database admin panel (probably phpMyAdmin).
  2. Take a backup of your database (select the tables and export your SQL database).
  3. Look for suspicious content (JavaScript code, hash codes, etc.) and delete the affected rows.
  4. Test whether the site still works. If it does, congratulations, you’ve cleared all the malware from your database tables.

Check User Accounts

It is really important to check the users associated with your application. If you see an unauthorized user logged in, or anyone who shouldn’t be using your application, revoke their access. Follow the steps below to remove non-authorised users:

  1. In your wp-admin dashboard, go to Users -> All Users.
  2. Select the user who shouldn’t be there, expand the “Bulk Actions” dropdown, select “Delete” and click “Apply”.
  3. Repeat the above steps until all remaining users are authorized to use your application.

Note: If you allow malicious users to keep using your application, then every effort in this WordPress hack cleanup guide goes to waste.

Check Image Files

The next step is to check your image files. Hackers hide malicious code in image files, which then act as a backdoor: the malicious PHP code is stored as metadata or comments inside the image file, and the application is later exploited using the injected code. In the worst case a web shell is uploaded to your site and the hacker gets access to your server.

The places images can live on a WordPress website are:

  • Favicon icon (favicon.ico attack)
  • /wp-uploads
  • User’s profile picture

Delete Hidden Back-doors

It is very common for hackers to leave a backdoor (a script or program on your server) so they can get back into your application. Backdoors can be in your theme folder, your plugins folder or anywhere else on your server.

The following PHP functions come in handy when writing backdoors:

  • eval
  • exec
  • strrev
  • assert
  • base64
  • str_rot13
  • gzuncompress
  • stripslashes

Note: These functions are also used legitimately by plugins and themes. You need to understand the code and the application itself in order to remove a backdoor.

At the same time, check whether the application is broken. If it is, a required function has probably been changed.
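Because the functions above also appear in legitimate code, a useful triage signal is how many of them a single file chains together. As an added example (not code from the original guide or from Astra), the script below ranks PHP files, image files and a phpMyAdmin SQL export (the “suspicious content” step in the database section) by that count; all paths are assumptions and the demo builds a small tree in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original guide: rank files by how many of the
# listed functions they use. Obfuscated backdoors usually chain several
# (eval + base64_decode + gzuncompress), while ordinary plugin code rarely does.
# Image files are flagged if they contain a PHP open tag at all, and the same
# scan runs over a phpMyAdmin .sql export. All paths here are assumptions.

PATTERNS='eval\(|exec\(|assert\(|strrev\(|base64_decode\(|str_rot13\(|gzuncompress\(|stripslashes\(|<script'

# Print "<count> <file>" for every file under $1 with at least one hit,
# highest count first.
rank_suspicious() {
    find "$1" -type f | while read -r f; do
        case "$f" in
            *.php|*.sql)
                n=$(grep -aoE "$PATTERNS" "$f" | sort -u | wc -l | tr -d ' ') ;;
            *.jpg|*.jpeg|*.png|*.gif|*.ico)
                n=$(grep -ac '<?php' "$f" | tr -d ' ') ;;
            *) continue ;;
        esac
        if [ "$n" -gt 0 ]; then echo "$n $f"; fi
    done | sort -rn
}

# Constructed demo tree so the script runs offline.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/wp-content/plugins/example" "$tmp/wp-content/uploads"
    # Ordinary plugin code: one listed function, no obfuscation chain.
    printf '<?php\n$s = stripslashes($_GET["q"]);\n' \
        > "$tmp/wp-content/plugins/example/example.php"
    # Typical obfuscation chain with a placeholder payload (not functional).
    printf '<?php\neval(gzuncompress(base64_decode("PLACEHOLDER")));\n' \
        > "$tmp/wp-content/plugins/example/cache.php"
    # Image with a PHP tag hidden after the header, and a clean image.
    printf 'GIF89a\n<?php /* placeholder */ ?>\n' > "$tmp/wp-content/uploads/logo.gif"
    printf 'GIF89a\n' > "$tmp/wp-content/uploads/clean.gif"
    # phpMyAdmin export with a script tag injected into a post.
    printf "INSERT INTO wp_posts VALUES (1,'<p>Hi</p><script src=\"http://example.invalid/x.js\"></script>');\n" \
        > "$tmp/backup.sql"
    rank_suspicious "$tmp"
    rm -rf "$tmp"
}
```

Review the highest-ranked files first, reading the surrounding code before deleting anything, since a count of one is often a legitimate plugin.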

Check for Malware Warnings

Visit each search engine’s webmaster tools to check whether you have been blacklisted. Here are a few important links:

Post Hack Precautions

Below are some must-do things in this part of the WordPress hack cleanup guide for water-tight security. If you think that once the malware is cleaned hackers cannot do anything, sorry, you are mistaken! :)

Check for Updates

Now that you’ve cleaned all the malware from your site, it is time to secure your application properly and check things from the ground up. Another must-do here is to replace the /wp-admin and /wp-includes folders with the ones from a fresh WordPress install.

Next, always make sure that all the plugins you use are up to date. To do that, log into your WordPress admin, click Dashboard > Updates and apply any pending plugin updates.


WordPress Hardening and Best Security Practices

The very next step is to harden your WordPress website. Listed below are some really important security steps for water-tight security of your application.

  • Modify database prefix
  • Disable XML-RPC in WordPress
  • Automatically logout idle users
  • Limit login attempts
  • Protect your wp-admin area
  • Check file permissions
  • Implement two factor authentication

You can look at our Comprehensive WordPress security guide.

Use a Web Application Firewall (WAF)

A WAF is an application that sits in front of your application to protect it from multiple attacks, including stored and reflected XSS, SQLi, file upload and directory traversal attacks, to name a few.

One of the best options available to protect your WordPress website is a website firewall such as Astra. Our Security Suite helps automatically secure your site and virtually patch software by preventing malicious requests from ever reaching your website. Since you made it this far, we offer you a discount for Astra with this WordPress hack cleanup guide.

WordPress Security Suite

"Excellent service, I am sleeping like a baby since I got it."

Excellent service, always responding super fast when I need them, and never had any problem with hackers since I'm with Astra.