Website Defacement Cleanup: You’re Doing It Wrong!

Sep 6, 2020

Getting hit by a Website defacement attack is just the worst.

Not only did you get hacked, but the hacker also put up a neon sign for the world to see that no one should visit your site.

The worst part?

Hackers who wreck your Website don’t expect you to be able to do anything about it.

You’re probably here because:

  1. The hack is really visible. The hacker is a real jerk who completely wrecked your Website.
  2. Your security plugin is flagging a potential website defacement threat.

Either way, you need a quick solution. The good news is that if you have a WordPress site, we do have a solution to your problem.

Let’s simplify.

Of course, if the hack is really visible, then all you need is a quick fix.

Don’t worry. We’ll show you how to get back to growing your business instead of watching a Website defacement attack destroy it.

If you’re sure that you have been hit by a Website defacement malware, let’s get you back to focusing on making money instead of worrying about site security and hackers.

In this article, we’ll:

  • Help you clean your site once and for all;
  • Walk you through how your site got infected in the first place;
  • And how to prevent your WordPress site from getting hacked again.

The best part?

We’re going to do it without breaking a sweat.

Let’s dive in!

Is Your Site Really Hit By a WebSite Defacement Malware?

If your security plugin flagged a potential threat that looks something like this:

Severity:	enPotentiallySuspiciousThreatType
File:	wp-content/plugins/jetpack/changelog.txt
File signature:	211c7b5d2292dcd474aaeef3bd2255f4
Threat signature:	65b0f2becffb61cb9f5fba232f7b9987
Threat name:	Heur.HTML.Defacement.gen.F4248
Threat:	Fatal Error...
Details:	Website Potentially Defaced

You need to take this with a pinch of salt.

Chances are that this is a false positive. That error message was generated by Quttera, but even Wordfence and Sucuri can raise false alarms.

The best thing to do now is to confirm whether it’s even a threat.

Install MalCare and get a FREE scan of your site. If there’s a real threat to worry about, you’ll know right off the bat. MalCare’s learning algorithm sends out an alert if and only if there’s something to worry about. The way it operates goes way deeper than other malware scanners.

Then, come back to this article and we’ll show you what to do if you’re really infected.

If you’re sure that Website defacement really is the problem, then just keep reading.

What Exactly Is the Website Defacement Malware?

In reality, there is no ONE malware that causes site defacement.

Site defacement attacks are usually the outcome of another attack. Your site might have been hit with:

There are a lot of different ways in which you could have been infected.

One thing’s for certain – it’s wrecking your site.

Now, there are a lot of variations of site defacement malware.

We’ll go over some of the most common symptoms of a Website defacement attack next.

Symptoms of a Website Defacement Attack

The most obvious symptom is a ‘hacked notice’ like this one:

[Image: Website defacement attack]

This sort of Website defacement is pretty obvious.

If this is what you are currently struggling with, you should skip to the section where we talk about cleaning your WordPress site.

But this is not the only kind of Website defacement you can expect.

You can also get unauthorized pop-ups, content, and redirects on your site for:

  • Pornography
  • Illegal drugs and steroids
  • Religious hate ads
  • Political hate messages

Another really popular version is when you start seeing content on your site in another language like this one:

[Image: Content on your site in another language]

These are usually the result of some form of SQL injection. It could also be hacked redirect malware. In any case, the fixes that we have lined up for you will work either way!

How to Clean a Site Defacement Attack

There are two ways to fix your site defacement issue:

  • Clean up using MalCare in < 60 seconds
  • Clean up manually in 2 hours (MAY NOT WORK)

It’s time to defeat the hacker and take control of your life. After this section, one way or the other – you can focus on your business and not Website security.

How to Clean Site Defacement Using MalCare in < 60 seconds

MalCare is a comprehensive security suite that includes:

  • Malware Scanning
  • Instant 1-Click Malware Removal
  • WordPress Site Protection

And a bunch of other nifty features that protect your site from hackers and malware.

MalCare’s advanced learning algorithm pinpoints the source of the attack and removes it quickly without wrecking your site.

With other WordPress security plugins, you run a risk of wrecking your site completely. Some premium plugins do offer a better service, but that’s exactly what they are – a service.

In simple terms: Other plugins assign a human engineer to clean your site manually. This can take a while and you’ll probably be paying through your nose to clean your site.

By the way, did you know that with most leading WordPress malware removal plugins you pay separately for each cleanup?

We know. You’re being held hostage by the very plugin that’s supposed to protect you!

Here’s how you can use MalCare to clean up your site defacement:

Step 1: Install MalCare

Install the MalCare plugin from our site.

[Image: Upload MalCare Plugin]

Step 2: Scan Your Site

Use MalCare to Scan Your Site automatically:

[Image: Security Status of Site on BlogVault]

Step 3: Clean Your Site in 1 Click

Click on ‘Auto-clean’ to clean instantly:

[Image: Auto Clean your Site with 1 click]

Once all this is done, you should definitely check out our guide on protecting your site from future attacks.

You get all this for just $89/year!

Join 250,000 other sites and install MalCare today.

How to Clean Site Defacement Manually (NOT RECOMMENDED)

Manual malware cleanup is never a good idea.

Why?

Simple – it’s too difficult to pinpoint the source of the infection through manual analysis.

With a site defacement attack, there’s no way of telling what kind of malware infected your site without examining it further.

The worst part is that you could end up breaking your site in the process.

That being said, this next part is about some manual methods of cleanup that may work out for you. Again, there are no guarantees here.

Part 1: Check the WordPress Core Files for Malware

WordPress core files govern the way in which your site behaves. Infecting one of these files is usually the top priority for any hacker. This is for two reasons:

  • It’s very difficult to tell good and bad code apart
  • No one likes to mess with the core files – changing something can break your site

Step 1: Check the WordPress version on your site

Follow the steps in this article by Kinsta to check the WordPress version. 

In some advanced hacks, you may not be able to access your WordPress dashboard. No worries. Even if you can’t access your WordPress admin dashboard, you can still find your WordPress version.

Step 2: Download your WordPress files using cPanel

This article by Clook will show you how you can download your files from cPanel directly. Thankfully, you don’t really have to download each file one at a time. Go to your site’s cPanel and use the Backup Wizard to download the files.

Step 3: Download the version of WordPress on your site

You can download the original WordPress files here. Check the version from step 1 and find the right one in the list. Then click ‘Download’.

Step 4: Run a Diffchecker

We saved the worst for last.

You will now have to compare your site’s WordPress files with the actual WordPress files. Use a diffchecker to find differences in code.

CAUTION: Do not delete any code unless you are 100% certain that it’s bad code.

Part 2: Check for Backdoors

Backdoors are basically code snippets that give a hacker access to your WordPress site. Hackers leave backdoors to ensure that they can reinfect your site even if you manage to clean it up. Usually, they are malicious PHP code.

An easy way to find them is to search your files for PHP functions that backdoors commonly rely on, such as:

  • eval
  • base64_decode
  • gzinflate
  • preg_replace
  • str_rot13

NOTE: These functions are not inherently malicious. Lots of WordPress plugins use the exact same functions to perform essential tasks. So, unless you are 100% sure of what you are doing, do NOT delete the files or their contents. It can completely wreck your site.

Part 3: Remove Any Unknown Admin Accounts

In some cases such as the hacked redirect malware, the hacker creates bogus admin accounts for themselves. It’s just another way to regain control of your site in case you manage to clean the site defacement.

Like we said, the hacker doesn’t believe that you can actually win.

The simplest solution is to go to your WordPress dashboard and remove any suspicious-looking admin accounts.

Then, change the passwords for all users for good measure.

Part 4: Scan Plugin and Theme Files

You can download plugin and theme files from the WordPress repository.

After that, you’ll have to run the diffchecker again on the plugin and theme files. The process is exactly like diffchecking the core files.

But this is even more annoying. 

There may not even be a plugin update that covers the vulnerability.

Not just that, you may not even find a version of the plugin on the WordPress repo. Most premium themes and plugins are not openly available.
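
The diffcheck from Part 1, Step 4, which Part 4 repeats for plugin and theme folders, can be scripted instead of done by eye whenever a clean copy of the same version is available. The following is an added example, not code from MalCare or from this article: it hashes both trees and lists modified, extra, and missing files. The sample trees, file names, and the `skip` list are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_hashes(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_trees(clean_root, site_root, skip=()):
    """Diff a site copy against a clean download; skip = path prefixes that differ per site."""
    skip = tuple(skip)
    clean = {k: v for k, v in tree_hashes(clean_root).items() if not k.startswith(skip)}
    site = {k: v for k, v in tree_hashes(site_root).items() if not k.startswith(skip)}
    return {
        "modified": sorted(k for k in clean.keys() & site.keys() if clean[k] != site[k]),
        "extra": sorted(site.keys() - clean.keys()),    # only on the site
        "missing": sorted(clean.keys() - site.keys()),  # only in the clean copy
    }


def demo():
    """Build two small constructed trees and run the core-file comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean"), Path(tmp, "site")
        files = {"index.php": "<?php require 'wp-blog-header.php';",
                 "wp-includes/version.php": "<?php $wp_version = 'X.Y';",
                 "wp-admin/admin.php": "<?php // admin bootstrap"}
        for root in (clean, site):
            for rel, body in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(body)
        # Constructed changes: one altered file, one added file, one deleted file.
        (site / "index.php").write_text("<?php /* altered */ require 'wp-blog-header.php';")
        (site / "wp-includes/cache-x.php").write_text("<?php // not in the release")
        (site / "wp-admin/admin.php").unlink()
        # Paths that never match a clean download: site settings and uploads.
        (site / "wp-config.php").write_text("<?php // site settings")
        (site / "wp-content/uploads").mkdir(parents=True)
        (site / "wp-content/uploads/logo.png").write_bytes(b"\x89PNG")
        return compare_trees(clean, site, skip=("wp-content/", "wp-config.php"))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

For a plugin or theme check, pass the clean and live plugin folders and leave `skip` empty. Files listed as modified or extra are candidates for review, not for automatic deletion.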

Part 5: Scan and Clean Your Database

Run.

No, seriously. That’s our official advice. If it comes down to manually cleaning your database, just run.

One tiny mistake can ruin any chances of ever recovering your site.

That aside, you can search the database for malicious scripts just like you scanned the files for backdoors. It’s essentially the same concept, but more volatile.

Search for known malware keywords such as:

  • <script>
  • eval
  • base64_decode
  • gzinflate
  • preg_replace
  • str_rot13

CAUTION: This does not guarantee anything. You may end up cleaning your site. You may end up wrecking your site completely. It’s a bad idea either way.
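
The keyword search from Part 2 (files) and Part 5 (database values) produces many harmless hits, as the note in Part 2 warns. This added example, which is not taken from MalCare or any plugin, separates plain calls from nested decode-then-execute chains so that the riskiest items are reviewed first. The sample file names, row labels, and contents are constructed, and the default `wp_` table prefix is assumed.

```python
import re
from pathlib import Path

# Function names listed in Part 2 and Part 5 of the article.
FUNCS = ("eval", "base64_decode", "gzinflate", "preg_replace", "str_rot13")
NAMES = "|".join(FUNCS)
# A call to a listed function; the lookbehind skips $vars, ->methods, longer names.
CALL = re.compile(r"(?<![\w$>])(%s)\s*\(" % NAMES, re.I)
# One listed function called directly on another's result (decode, then execute).
CHAIN = re.compile(r"(?<![\w$>])(%s)\s*\(\s*@?\s*(%s)\s*\(" % (NAMES, NAMES), re.I)
SCRIPT = re.compile(r"<script\b", re.I)


def scan_text(text):
    """Return hit counts and a triage level for one file or database value."""
    calls = {}
    for m in CALL.finditer(text):
        calls[m.group(1).lower()] = calls.get(m.group(1).lower(), 0) + 1
    chains = ["%s(%s(" % (a.lower(), b.lower()) for a, b in CHAIN.findall(text)]
    scripts = len(SCRIPT.findall(text))
    level = "high" if chains else "review" if calls or scripts else "clean"
    return {"level": level, "calls": calls, "chains": chains, "scripts": scripts}


def triage(items):
    """items is {name: text}; returns flagged (name, result) pairs, worst first."""
    order = {"high": 0, "review": 1}
    flagged = [(n, r) for n, r in ((n, scan_text(t)) for n, t in items.items())
               if r["level"] in order]
    return sorted(flagged, key=lambda nr: (order[nr[1]["level"]], nr[0]))


def load_tree(root, suffixes=(".php",)):
    """Read matching files under root into the {name: text} shape triage() takes."""
    return {p.as_posix(): p.read_text(errors="replace")
            for p in Path(root).rglob("*") if p.is_file() and p.suffix in suffixes}


# Constructed samples: two file bodies and two database values.
SAMPLES = {
    "wp-content/plugins/example/cache.php": "<?php $d = base64_decode($row['blob']); ?>",
    "wp-includes/class-x.php": '<?php @eval(base64_decode("Y29uc3RydWN0ZWQ=")); ?>',
    "wp_posts.post_content#12": '<p>Hello</p><script src="//cdn.example.invalid/a.js"></script>',
    "wp_options.blogname": "My medieval() cooking blog",
}

if __name__ == "__main__":
    for name, result in triage(SAMPLES):
        print(result["level"], name, result["chains"] or result["calls"] or "script tag")
```

To scan a downloaded copy of the site, pass `load_tree("path/to/site")` to `triage()`. A "review" result only means a listed keyword is present, which is normal for many plugins.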

And that’s it!

Did you manage to clean your site defacement?

Let us know in the comments section below.

If the manual methods didn’t work, just install MalCare to clean your site defacement in 60 seconds and get back to making money again.

How Did Your Site Get Infected In The First Place?

There’s no clear answer here.

Sorry, but that’s just how powerful the site defacement attack is.

In reality, site defacement isn’t a breed of malware. 

Site defacement is the consequence of a malware attack.

The most common malware that can cause site defacement include:

But this is a list of umbrella malware anyway.

Each of these malware families has hundreds of variants and can hide literally anywhere on a WordPress site.

The good news is that there are ways to prevent this from happening again.

How to Prevent Site Defacement Attacks

There are lots of different ways to hack a WordPress site.

So, here’s a list of things you can do to harden your security today:

Use the Principle of Least Privilege (POLP)

There’s a reason why WordPress gives you an option for different user roles. Admin accounts have the highest security clearance in a WordPress site. So, be very careful about who becomes an admin.

Pro Tip: If you have a lot of guest contributors, give them Author privileges. After their contributions are over, revoke their clearance immediately.

Don’t Use the Default Admin Mail

Stop using admin@yoursite.com as your administrator email.

Most hackers will try to use this email for phishing attacks and scams.

Once they get login credentials, you are done for.

Too Many Plugins Are Never Good

Plugins, especially outdated ones, can be exploited really easily. Most plugins proudly declare that your site is using them along with their version details. Update all your plugins and remove the ones that you don’t need.

Remove Error Messages from Login Page

Ever get an error message that says, “Wrong password”?

When a hacker sees that, they know it’s the password that they got wrong. The username was correct. If they can guess the right password now, they can get into your account just like that!

Limit File Uploads

Be careful with the kinds of file uploads you allow. There are known hacks where the hacker uploaded a favicon that carried malicious PHP. You’ll think that you’re uploading a harmless picture. In reality, you just helped a hacker create an admin account for themselves.

Use SSL/TLS

Now, SSL certificates are not the pinnacle of security.

But they’re better than nothing at all.

Be sure to use an SSL certificate for all your pages and all your site assets. This is especially true for multisites.

Scan Your Site Daily

Install MalCare’s free scanner to scan your site for malware every day on auto-pilot. MalCare offers comprehensive bot protection and firewalls along with malware scanning and removal capabilities. Honestly, you just can’t go wrong with it.

What’s Next?

Most hackers are successful because most WordPress site administrators don’t know a lot about security. The simplest thing to do is to invest in a powerful solution like MalCare. But really, the least you can do is educate yourself on hacks of different kinds.

Join our Facebook Group – we give away free advice on how to make the most of WordPress. We just crossed 1,000 members and it’s totally free.

Drop a comment about how helpful you found this article.

Did we solve your problem? Let us know!

Until next time, folks.
