Big or small, about 90,000 WordPress sites are hacked everyday! Once hackers gain access, they can use WordPress websites for all sorts of malicious activities including illegal ones. They can deface your home page and promote their own propaganda, launch attacks on bigger sites, sell illegal drugs/products, and redirect visitors to their own site, among a long list of other things. Once you know you’re hacked, you need to fix it immediately.
However, detecting and cleaning it is not always easy since there are different kinds of hacks and each one has its own complexities. In this article, we’ll guide you on how to check if your site is hacked, what steps to take to fix it, and how to prevent it in the future.
TL;DR – If you’ve been hacked and need to get your website fixed immediately, you can use our WordPress Malware Scanner and Cleaner – MalCare. No matter what kind of malware you have on your website, MalCare will remove every last bit of it. You can be 100% hack-free instantly and be shielded from future attacks.
How to Check if your WordPress Site is Hacked
Hacks are tricky because there are so many different ways it can happen to you. Moreover, your site could be hacked for months and you won’t have a clue. Here are the easy ways to identify if you are hacked:
- Google blacklists your website. This means a warning appears to visitors that states “This site may be hacked. Visiting this site may cause harm to your computer”. Your site can even be deindexed and not appear on the search results.
- You can see that malware is present on your pages through Google search console.
- If you’re lucky, a customer may notice they’re being redirected or there’s SEO spam on your site and bring it to your attention.
- Your hosting provider sends you a notice that you have malware on your site. Also, your web host may suspend your account immediately and take your site offline.
Now, this isn’t always the case. Hackers are savvy in finding ways to disguise their hack and hide it away from plain sight making it unnoticeable. You may experience a random drastic dip in traffic or extreme slowdown of your site’s performance. You might see that a plugin you don’t recognise is present on your website, or there’s a new user added to your admin panel. Now, if you suspect your site is hacked, here are ways to be sure:
Check safe browsing status –
Visit Google’s Transparency Report and enter your site’s URL. It will give you the current status of your site and let you know if you have any unsafe content present.
Incognito mode –
Sometimes the hack isn’t visible to the site owner. Try visiting your website from another browser or use Incognito mode to check if your WordPress website is functioning fine. You might see your homepage has been defaced or it’s redirecting to another site.
Use Online Tools –
There are tools like VirusTotal available online that allow you to enter your site’s URL and help detect if you have any malware on your site. Other tools available include aw-snap and spamhaus. These tools, however, may not be sufficient to find hidden malware.
Contact your host –
Check with your hosting provider if they have detected any malicious activity on your site. They may be able to help you locate the hack.
Use a Malware Scanner –
This is highly recommended and the best way to detect if there’s malware on your site. Hackers are only becoming smarter by the day and more advanced in their skills. A malware scanner is your best bet in finding the hack easily.
How to Scan and Clean a Hacked WordPress Website
In order to fix your hacked site, you first need to scan it to find the infected files, after which you can proceed to clean it up. There are two options available – using a plugin or manually. We’ll show you the plugin way first because that’s the easiest! However, if you’re looking to do it manually, jump to this section.
Scan and Clean a Hacked WordPress Website Using a Plugin
Scanning and cleaning up a hacked website is a complex and time-consuming task. WordPress security plugins make it easy for you by automating the complications and fix your site for you. By using such plugins, you can clean up the malware in no time and get back to business.
Step 1: Choose a security plugin
There are plenty of WordPress security plugins available in the market that will scan and clean your site. Note: Not all of them are the same. While only a few do a thorough scan, others rely on outdated methods such as signature matching where they try to detect code that is malicious. Many a time, new malicious code goes undetected so you may think your site is clean when it really is not. Considering the difficulties faced in trying to find the hack, you need one that does a deep and thorough scan and you should consider this when choosing the right malware removal plugin.
We recommend you use MalCare to scan your site because it uses over 100 signals to detect malware – even those smartly disguised or hidden. Simply sign up and the automated scanner will run through your website and detect malware in under 60 seconds. Further, many plugins require you to contact their personnel and request for a cleanup. They will then proceed to fix your site and this process may take hours or sometimes even days. MalCare is the only plugin available that allows you to auto-clean your site. You don’t have to wait for anyone else to do it. Your site will be hack-free in a few minutes.
Step 2: Take a Backup
Before you proceed to fix your site, we strongly recommend that you take a backup of your website. This will ensure you don’t lose any data while cleaning up your hacked website. When you sign up for MalCare, you also get access to WordPress backups by BlogVault. So the same tool will take a backup for you.
Step 3: Download and Install the Plugin
To illustrate the process of using a plugin, we’re going to show you how to use MalCare on your website to be hack-free immediately! Visit malcare.com, create an account, and install the plugin.
Step 4: Scan your WordPress site
Visit the dashboard and add your site. The scan will automatically run. If you are an existing customer, MalCare runs scheduled scans automatically, but if you want one immediately, you can access the dashboard and click ‘Security’. This page shows you the health of your site. You can then click on ‘Scan site’. Once complete, if your site is hacked, you’ll see a notification that tells you how many hacked files have been detected and that your site is at risk.
Step 5: Clean your Hacked WordPress Site
To clean up your site with MalCare is simple. Click on ‘Auto-Clean’, and you’ll be directed to enter your site’s FTP/SFTP credentials. You need your host/server name, FTP type, username and password. If you don’t know these details, take a look at how to find your FTP credentials. In the next screen, you will need to select the folder that contains the WP installation. You can usually find this under ‘public_html’ or look for a folder with the name of your website.
After you click on ‘Apply Fix’, the automated cleaning process will begin. This takes a few minutes. You can exit the page if you like and be notified by email once it’s complete. After it’s done, you’ll see that your site is cleaned! That’s it. You can visit your site and see that the hack is removed and your site is back to normal. Note: The process will vary between plugins. Not all plugins are this easy. Some entail a much lengthier and technical process. MalCare enables you to remove malware from your site instantly with just a click. Click To Tweet In case you don’t have access to your WordPress dashboard and are unable to install the security plugin, you can opt for the Emergency Website Malware Removal option. MalCare will get the job done for you.
Scanning and Cleaning a Hacked WordPress Website Manually
If you’d like to attempt a manual scan and clean up, we’ve entailed the process below. But to be honest, this process is annoying. It takes up a lot of time, and worse, even if you’re an experienced tech-savvy person, a small slip up can break your website. We strongly advise you to try this on a test staging site first. If you don’t know what you’re doing, you can simply make matters worse. First, always take a backup before you attempt a manual scan and clean.
Step 1: Get an FTP client
To start, you need to download an FTP client like FileZilla. Open FileZilla, enter your FTP credentials and connect to your site.
Step 2: Find the hacked files
Now, we need to find the hack. You can do this in the following ways:
- Check for recently modified files by looking at the last modified date column. Usually, these files are never changed. So, if you see files have been altered in the last few days, you can be sure that’s the hacked file. You can use the following command in your website’s directory
Find .mtime -5 -ls This will show you the files with modified times in the last five days.
- Now, this method is not foolproof. Hackers can change the modified date and disguise their hack. They could’ve also hacked your site months ago without you knowing it.
- Look for known malicious code and delete them. Usually, hacks have signature codes such as eval, base64_decode, and gzuncompress. Note, some of these codes are used in legitimate plugins. So you might bust a component of your site by deleting them.
- Download a fresh WordPress installation and compare the files to spot discrepancies. Ensure you download the same version as the one your site is running on.
- If you use an audit log, you can inspect it to identify suspicious behaviour. Look out for change in passwords, newly created admin users, any modifications made to files, etc.
- You can also check the log files of your web server or FTP server to see if you received unusual traffic from a particular IP address.
Apart from this, there are more technical ways to scan and clean a site. Here’s a recommended read – Is my site hacked?.
Step 3: Get rid of the malicious code or hacked files
- Once you find the infected files, you can delete the malicious code.
- Download a fresh installation of WordPress. Using FTP, drag and drop your fresh install from your local site (on the left) to your website’s folder on the remote site (on the right). This will overwrite any hacks in the core files.
- You can try restoring your backup to a state before the hack happened. However, you still need to find the vulnerability/backdoor and fix it.
Step 4: Remove vulnerabilities and backdoors
Hackers use vulnerabilities present on your site to hack into it. Removing malicious code will not remove the vulnerability. You need to find and remove any backdoors that cause the hack in the first place. It might be a theme or a plugin that was not receiving updates. Update your website to the latest WordPress version. For detailed steps, refer to this guide on how to scan WordPress backdoor. After deleting the infected files and removing backdoors, your site should be hacked free! Caution: Even after cleaning the code and reinstalling WordPress, there’s no way to tell if your site is thoroughly clean. If you’ve cleaned up the hack but haven’t fixed all the backdoor, chances are you’ll be hacked again, and quite soon!
Things to do after your clean your hacked WordPress site
Right after you fix your hacked site, there are a few things you need to do immediately. Consider this checklist:
- Run a scan again to double check that your site is completely hack-free.
- Take a fresh backup. This will ensure your cleaned site is copied and saved safely.
- Activate the plugins and themes that you need.
- After that, delete unused plugins and themes.
- Change all your passwords and replace them with strong credentials.
- Run updates for WordPress core, theme and plugins if they are available. Refer to our guide to safely update your WordPress site.
- If your site was blacklisted by Google, you need to submit it for review to get it back on the whitelist.
- In case your web host suspended your site, you can contact them to get it back online.
- If you don’t have one already, install an audit or activity log to keep track of changes on your site.
How to Prevent WordPress from Getting Hacked
Getting hacked once is stressful enough! Nobody wants to face such an ordeal a second time around. To make sure this never happens again, we recommend you take the following steps:
Update WordPress Regularly –
Updates not only carry new features and enhancements, but they also carry security patches. If a flaw is found in the software, it is patched up immediately and an update is rolled out. If you choose to stay on the same, you choose to use software that has a known vulnerability making it easy for hackers to exploit it. Consequently, this is one of the most common WordPress hacking techniques.
Use only trusted themes/plugins –
Plugins and themes are often exploited by hackers to enter WordPress sites as they are developed by third-parties and not all have good security measures in place. Free/cracked versions of themes and plugins usually have pre-installed malware. Installing such pirated software on your site is basically opening the door for hackers to enter. Therefore, use only trusted plugins and themes that receive updates regularly.
Delete inactive themes/plugins –
Site owners tend to install themes and plugins and forget about them. This is a bad habit that is rampant among WordPress users. It’s best practice to keep only the active theme and any plugins you are using. The rest should be deactivated and uninstalled.
Switch to a reliable host –
This option is only for those who faced a security issue with hosting providers. Research the market and find a reliable host that meets your requirements. It’s best to have one that offers 24/7 support and has good reviews.
Install a security plugin –
This will ensure you are proactively shielding your site against hackers. If you used the MalCare plugin to scan and clean your site, rest assured, your site is protected for a full year. The plugin puts up a WordPress firewall that defends your site against malicious traffic. It provides round-the-clock protection and regularly scans your site. Moreover, you get access to website hardening features – in which you can disable file editor, protect the uploads folder, change security keys and more.
Implement website hardening –
WordPress recommends you take certain measures to harden your website’s security. You should regularly change all passwords and secret keys, set up alerts for when there are suspicious logins, limit login attempts, disable the file editor, protect your uploads folder and/or disable plugin installations. It may seem like a lot to do, but not to worry, if you’ve installed MalCare, you can completely harden your site with just a few clicks.
To sum up, getting hacked is quite dangerous as it has severe consequences that come with it. You could be roped into selling illegal drugs or promoting propaganda. You could also be pulled into a bigger DDOS scheme wherein hackers attack big companies and brands. Therefore, you need to be take care of your security immediately.
It’s extremely important to know why you were hacked in the first place. Because, this will give you a good understanding of what happened, how to seal all entry points and make sure it doesn’t happen in the future.
Lastly, always keep your site protected by installing MalCare. You’ll never have to worry about getting your WordPress hacked again!
For complete peace of mind Try MalCare security plugin now!