According to a recent post on the Google Webmaster Central blog, the number of hacked websites went up by 180% in 2015. If you own a WordPress blog or website and think that nothing can happen to you, you are playing with fire. The number of WordPress websites getting hacked is going up day by day, and a strong password plus an up-to-date WordPress is not enough these days. Hackers keep finding ways into WordPress, and lately their success rate has been pretty high. Many of you reading this post are probably here because your website has already been hacked. In this post I will explain in detail how to fix your hacked WordPress blog or site.
First, we need to understand how the hacker was able to get access to your files. There are many possibilities, and the top 3 are:
- The hacker was able to guess your admin username and password.
- You are using a theme that is too old or has vulnerabilities in it.
- You are using a plugin that is too old or has vulnerabilities in it.
A vulnerability means that the plugin or theme was not coded properly, which allowed the hacker to get access to your website. This is the most common reason why WordPress sites are getting hacked these days. To fix this, we need to understand what the hacker has done to your website. The hacker has:
- Added code to one or more of your files.
- Added files to your WordPress folder.
Chances are that the hacker has both added code to existing files and added new files to your WordPress folder. The newly added files can be very hard to detect because they are named so that they look like original WordPress files. The only way to check whether code has been added to existing files is to check the files manually or to install the Sucuri Security WordPress plugin. Sucuri will scan your existing files and tell you if any of them contain unwanted code. Even if you find and clean or delete all these files, chances are that the hacker will be able to get into your website once again. To fix this for good, we need to do a clean install.
Note: While checking your PHP files in your editor, make sure that you turn on the wrap text option. I have seen hackers add the code in such a way that the malicious code is not visible in the normal view. A lot of the time the added malicious code is encoded, which actually makes it easy to spot.
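As an added example (not part of the original post), here is a small Python script that applies the checks from the note automatically instead of eyeballing each file: it walks a downloaded copy of the site and, for every .php file, flags lines wider than an editor window (exactly the code you would miss without wrap text), calls to functions commonly used to run encoded code, and long base64-looking strings. The thresholds, the function list and the sample site it builds are constructed for the demonstration; the placeholder payload in the sample decodes to nothing meaningful.

```python
import os
import re
import tempfile

# Heuristics a reviewer applies when reading a .php file by hand (thresholds are assumptions):
# a single line far wider than any editor window (the "wrap text" problem from the note),
# functions that injected code typically uses to execute an encoded payload, and the
# long runs of base64 text such payloads are stored in.
MAX_LINE_WIDTH = 300
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13|assert|create_function)\s*\(", re.IGNORECASE
)
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")


def scan_php_source(source):
    """Return a list of (line_number, reason) findings for one PHP file's text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if len(line) > MAX_LINE_WIDTH:
            findings.append((lineno, f"line is {len(line)} chars wide; hidden without wrap text"))
        if SUSPICIOUS_CALLS.search(line):
            findings.append((lineno, "calls a function commonly used to run encoded code"))
        if LONG_BASE64.search(line):
            findings.append((lineno, "contains a long base64-looking string"))
    return findings


def scan_tree(root):
    """Scan every .php file under root; return {relative_path: findings} for files with findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_php_source(fh.read())
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


def build_sample_site():
    """Constructed sample: one clean theme file and one file with a payload pushed off-screen."""
    root = tempfile.mkdtemp(prefix="mysite_")
    theme = os.path.join(root, "wp-content", "themes", "mytheme")
    os.makedirs(theme)
    with open(os.path.join(theme, "functions.php"), "w") as fh:
        fh.write("<?php\nadd_action('init', 'mytheme_setup');\nfunction mytheme_setup() {}\n")
    with open(os.path.join(theme, "header.php"), "w") as fh:
        # 400 spaces push the constructed placeholder payload past column 300, so it is
        # off-screen in an editor without wrap text. 'QUJD' repeated is just base64 of 'ABC'.
        fh.write(
            "<?php get_header(); ?>" + " " * 400
            + "<?php eval(base64_decode('" + "QUJD" * 40 + "')); ?>\n"
        )
    return root


if __name__ == "__main__":
    # Point this at your real download (for example C:/MySite) instead of the sample.
    for path, findings in scan_tree(build_sample_site()).items():
        for lineno, reason in findings:
            print(f"{path}:{lineno}: {reason}")
```

Anything the script lists still has to be read by a person: legitimate themes occasionally use base64 for embedded images, and a long minified line is not malicious by itself. The point is to get a short list of places to look rather than scrolling through every file.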
Steps to perform a clean WordPress install:
- On your server, outside your WordPress directory, create a new directory called ‘abc’, ‘fresh’ or anything you like. If WordPress is in your root directory, then this new directory will be outside the public_html or www directory.
- Download your entire WordPress website or directory to your local computer. Let's assume it is in C:/MySite.
- Now we need to work out which files do not belong to a fresh WordPress installation but are needed for the website. For most of us, these files (mostly images) are inside the wp-content folder.
- On your computer, in C:/MySite, search for PHP files inside the wp-content folder. If you find any PHP files, delete them.
- If you have customised code inside your theme, check all your theme files individually for any unwanted code. If you find any, delete it. If you haven't done any coding inside the theme files, we will upload a fresh theme later.
- Download the latest version of WordPress and upload it inside the new directory that we created in step 1.
- Edit your wp-config file so that your website uses the right database.
- Upload the wp-content folder from C:/MySite that you cleaned earlier in step 4.
- Upload a fresh theme, or the customised theme that we cleaned in step 5.
- Upload any other files that you think are needed for your website. If any of these files are .php, make sure you check them manually for any unwanted code.
- Add whatever plugins you need for your WordPress website, installing them from the WordPress admin panel. Do not reuse any of the plugin files that were downloaded from the original WordPress directory.
- Rename your original public_html folder to something like ‘old’ and rename the folder that we created in step 1 to public_html or the relevant name.
If all of the above steps are done correctly, you will have a clean WordPress on your server. Once everything is working fine, you may delete the ‘old’ directory or folder.
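The hardest part of step 3 is telling which files are original WordPress files and which were added or changed. As an added example (not the post's own procedure), the Python script below compares your downloaded copy (C:/MySite) against a freshly downloaded WordPress of the same version, file by file, using SHA-256: a core file whose hash differs is reported as modified, anything absent from the fresh download is an extra file you have to look at yourself, and .php files under wp-content that are not part of the fresh download are listed separately for step 4. Directory names, the placeholder version string and the two sample trees it builds are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """SHA-256 hex digest of one file, read in chunks so large uploads do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map each file's path relative to root (always '/' separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digests[rel] = sha256_of(path)
    return digests


def compare_with_fresh(site_root, fresh_root):
    """Classify every file in the downloaded site against a fresh WordPress download."""
    site = hash_tree(site_root)
    fresh = hash_tree(fresh_root)
    result = {"modified_core": [], "extra": [], "php_in_wp_content": [], "missing_core": []}
    for rel, digest in sorted(site.items()):
        if rel in fresh:
            if fresh[rel] != digest:
                result["modified_core"].append(rel)   # core file changed: do not reuse it
            continue                                   # identical to fresh: safe
        result["extra"].append(rel)                    # not shipped with WordPress: review it
        if rel.startswith("wp-content/") and rel.lower().endswith(".php"):
            result["php_in_wp_content"].append(rel)    # step 4: PHP that does not belong there
    result["missing_core"] = sorted(set(fresh) - set(site))
    return result


def _write(root, rel, content):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)


def build_sample_trees():
    """Constructed sample: a fresh download and a site copy with one changed and three extra files."""
    fresh = tempfile.mkdtemp(prefix="fresh_")
    site = tempfile.mkdtemp(prefix="mysite_")
    for root in (fresh, site):
        _write(root, "index.php", "<?php require __DIR__ . '/wp-blog-header.php';\n")
        _write(root, "wp-content/index.php", "<?php // Silence is golden.\n")
    _write(fresh, "wp-includes/version.php", "<?php $wp_version = 'X.Y.Z'; // placeholder\n")
    # Same core file on the hacked copy, with a line appended (placeholder for injected code).
    _write(site, "wp-includes/version.php",
           "<?php $wp_version = 'X.Y.Z'; // placeholder\n/* placeholder for injected code */\n")
    _write(site, "wp-config.php", "<?php define('DB_NAME', 'placeholder_db');\n")
    _write(site, "wp-content/uploads/2015/logo.png", "constructed sample bytes, not a real image\n")
    # A PHP file named to look like WordPress, sitting in uploads where no PHP belongs.
    _write(site, "wp-content/uploads/2015/wp-cache.php", "<?php /* constructed placeholder */\n")
    return site, fresh


if __name__ == "__main__":
    # Replace the sample trees with your download (C:/MySite) and the fresh WordPress folder.
    site_dir, fresh_dir = build_sample_trees()
    for category, paths in compare_with_fresh(site_dir, fresh_dir).items():
        print(category)
        for rel in paths:
            print("   ", rel)
```

Expect wp-config.php and everything under wp-content/uploads to appear as extra; that is normal, and it is precisely the list of files from step 3 that you need to carry over after checking them. Plugins and any non-default theme will show up there too, which is why steps 10 and 11 reinstall plugins from the admin panel rather than copying the old files.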
Now, whatever changes the hacker had made to your website no longer exist. But you should not leave your website as it is; we need to make sure that the website is not hacked again. These steps should be sufficient:
- Download and activate the WPS Hide Login plugin. Using this plugin, you can change the URL of your login page, so rather than going to yoursite.com/wp-login you will go to yoursite.com/secretname to log in to your website. This will stop hackers from guessing your password by accessing the wp-login page.
- Avoid using ‘admin’ as the administrator username. Use a unique name that cannot be guessed by anyone.
- Very important: install the Sucuri Security plugin. It is a one-stop tool to find, clean and prevent hacks on your website.
Why do I recommend Sucuri?
I have used other WordPress plugins which claim to protect the website, but most of them failed to detect file changes, brute force attacks and other hacking attempts. I find the Sucuri Security plugin the best as of now, and I highly recommend it to webmasters who seriously want to protect their websites from hackers.
I will be more than happy to help you with your hacked WordPress website. Just let me know via the comments below or contact me using the contact form.