What to do if your WordPress site is hacked

Has your WordPress site been hacked, and you don’t know what to do next?

WordPress powers millions of websites worldwide due to its flexibility, scalability, and ease of use. Unfortunately, its popularity also makes it a target for hackers seeking to exploit vulnerabilities. Malicious content, suspicious redirects, or a complete shutdown – these are all signs of a hacked website. 

While the situation might seem overwhelming, taking the right steps will help you minimise damage and restore your site’s integrity.

Hire a security expert

Seeking help from a WordPress security expert is arguably the most practical way to ensure a complete and swift recovery of your website. 

Why? 

A hacked website holds valuable forensic data, just like fingerprints at a crime scene. Hackers hide malicious scripts in various locations on your website, which allows them to come back and hack it again. 

WordPress security specialists have a deep understanding of the platform’s vulnerabilities and the latest hacking tactics. They know how to collect and analyse this forensic data without accidentally destroying it. This information is essential for identifying the culprit and understanding how they infiltrated your site so that you can prevent similar attacks in the future.

Most importantly, a security expert can pinpoint the root cause, assess the damage, and implement the most effective repair strategies suitable for your scenario. They will also diagnose and fix the problem more efficiently and quickly, which will help minimise your website’s downtime.

How to find a WordPress security expert

• Security firms: Many cybersecurity companies specialise in website security. Research reputable and reliable firms, check their online reviews and contact them for consultations.

• Freelance marketplaces: There are several freelance security professionals available on platforms like Upwork or Fiverr. Look for individuals with experience in WordPress security and strong client testimonials.

• Word-of-mouth referrals: Ask your web developer or IT contacts for recommendations. They might have firsthand experience with website security specialists they trust.

The alternative approach: DIY site recovery

If you’d prefer to tackle the challenge yourself, this section will walk you through how to fix a hacked WordPress site yourself.

Consult your web hosting provider

Before proceeding with the DIY steps, it would be a better idea to consult with your web host.

Most hosting providers offer assistance and resources to help resolve security issues affecting your website. Reach out to them and provide as much detail as possible about the hack. This includes any suspicious activity you’ve noticed or changes made to your site.

Sometimes, the hack might require changes on the server side, which you cannot access through your WordPress dashboard. In that case, your hosting provider has the necessary access to make these server-level modifications and get your website back on track.

Restore from a backup (if available)

Restoring from a backup essentially rewinds your site to a point before the hack occurred. This is a secure way to recover your hacked site, as long as you have a recent and clean backup.

Remember that restoring from a backup might mean losing some of the recent content you added. That’s because backups are snapshots of your site at a particular time, so the most recent changes you made might not be saved.

Now, how to restore your site from a backup?

The first step is to find the specific backup file(s) containing the clean version of your website. This could be through your hosting provider’s automatic backups or a reliable WordPress backup plugin like UpdraftPlus. 

After that, follow the specific instructions provided by your backup solution to restore your site. Once your backup is restored, thoroughly inspect your site to ensure everything functions correctly and the hack is removed.

Clean up the hacked site (if no backup is available)

1. Update plugins and themes

Check whether all of your plugins, themes, and other software used on your website are up to date. Every piece of outdated software is a potential entry point for a hacker, so keeping everything updated is essential. 

Log in to your WordPress dashboard and navigate to the Updates section to update everything that’s outdated. Also, make sure to enable automatic updates whenever possible.

2. Change passwords and enable TFA

Remember to change ALL of your passwords. This includes FTP/SFTP logins, your WordPress admin panel, any control panel you use with your hosting provider (like cPanel), and your MySQL database. 

Create complex, lengthy, and unique passwords for each access point. You can also consider implementing a two-factor authentication (TFA) system. This adds an extra layer of security by requiring a second form of verification, such as a PIN code, when logging in to your WordPress site.

Expert tip: If your website has multiple users, you should force a password reset for all of them.

3. Verify user accounts

Don’t assume a single compromised account is the only one. Hackers are often sneaky and create multiple accounts so they can keep coming back. That’s why you must review all user accounts and permissions. 

Head to the ‘Users‘ section in your WordPress dashboard. Here, you’ll see a list of all registered users and their assigned roles. Look for any usernames you don’t recognise or unexpected permission levels – these could be major red flags.

If you find a suspicious account, delete it immediately. Hover over the suspicious account name and click Delete.

Note: Deleting a user is permanent, so always double-check with other website administrators before taking action.

4. Run a malware scan to help identify changed files

5. Deactivate problematic plugins

To identify if a plugin is the culprit, temporarily deactivate it. Remember that disabling everything at once might break your site’s functionality. So it’s always a better idea to disable them one by one.

To disable plugins, open your WordPress dashboard and go to Plugin > Installed Plugins. Click the Deactivate option under each plugin’s name.

Warning: Removing certain plugins without proper knowledge can lead to data loss or site malfunction. It’s recommended to consult with a professional or take a backup before making any changes.

6. Clean your WordPress database

To clean your WordPress database after a hack, you can use a WordPress plugin, or you can manually access and edit your database using a tool like phpMyAdmin. For the latter, look for unusual tables or prefixes you don’t recognise. This might include:

• Strange characters or gibberish
• Injections of URLs or code
• Unexpected user accounts

After identifying the malicious tables or entries, delete them entirely. If you are unsure, edit the content to remove harmful code.

Remember to create a backup of your site before cleaning your database.

Note: Only remove entries you’re confident are malicious. Editing the wrong data can break your site.

7. Make use of an audit log

Look for entries with usernames or IP addresses you don’t recognise. These could be signs of unauthorised access attempts.

If you find a suspicious entry, note down its username, IP address, and timestamp. You can use online tools like IP Geolocation API to see the approximate location of the suspicious IP.

You can also block them via your host or security plugin. 

8. Reinstall WordPress (as a last resort)

For this, avoid using the ‘reinstall’ option in your WordPress admin. It often misses hidden malicious files. Instead, use an FTP/SFTP application to upload the correct version of the files directly. This way, you overwrite everything while making sure no infected files are left behind.

Summary

Regaining control of your hacked WordPress site can be stressful. However, by following the right approach, you can restore your site and protect it from future attacks. 

To keep your site safe and secure in the long run, use a trusted WordPress security plugin like All-in-One Security (AIOS). 

AIOS implements the latest recommended WordPress security practices and techniques to give your WordPress site the protection it needs. It scans your site for malware and notifies you of any issues within 24 hours. 

Here are some additional (free and premium) advanced security features AIOS offers:

• Firewall and file protection
• Password strength tool
• Login lockout
• Malware scanning
• Flexible two-factor authentication
• Smart 404 and country blocking

So, if you want a simple way to boost your digital safety, try All-in-One Security (AIOS)!

FAQs (Frequently Asked Questions)

Has my WordPress site been hacked?

• You can’t log in to your WordPress admin dashboard.
• Your site redirects visitors to a different website.
• You notice new and unfamiliar user accounts.
• Your site’s content or layout has changed unexpectedly.
• Your visitors receive security warnings when trying to access your site.
• Your site is unavailable or experiencing slow loading times.
• Your security plugin or hosting provider notified you of suspicious activity.

If you experience any of these issues, it’s best to investigate further.

Can a hacked website be recovered?

1. Update plugins and themes
2. Change passwords and enable TFA
3. Verify user accounts
4. Run a malware scan to help identify changed files
5. Deactivate problematic plugins
6. Clean your WordPress database
7. Make use of an audit log
8. Replace specific core files

Remember, the process depends on the severity of the hack. So, instead of doing things yourself, it’s always recommended to hire a professional to resolve the issue for you.

How do I secure my WordPress site?

• Use two-factor authentication
• Use strong passwords
• Keep your software updated
• Choose a secure web hosting
• Utilise a reliable security plugin

How do I check for malware on my WordPress site?