Like any content management system, WordPress is not immune to security vulnerabilities. The best way to recover from a WordPress compromise is to restore from a known-good backup taken before the compromise. You should always maintain proper backups (don’t rely on a data sync, for example: a sync faithfully replicates the attacker’s changes along with your own).
But unfortunately, backups are not always possible. In those cases, cleaning up the site is the only option. In this post, I’ll provide some general guidance on steps you can take to fix your site if it ever gets hacked, and to keep it secured going forward.
Start with the basics
Your website is hacked, so you can’t trust it. Do not trust your WordPress administrator dashboard! The only way to clean up the website is to replace (and/or fix) files manually, through the command line (if you have SSH access) or using an FTP program like FileZilla (use SFTP where your host offers it; plain FTP sends your password in the clear).
Take a new backup. Before doing anything, I strongly recommend taking a backup of your website. This way, you’ll have something to come back to if your attempts to fix the website go horribly awry, even though the new backup contains files that are compromised. There’s another reason to keep this backup: sometimes law enforcement or other forensics investigators will need to get involved. If they do, it is important that you have collected, and securely maintained, as much evidence as possible, so store that copy off the server and don’t modify it afterwards.
Clean up the files…
Now that you’ve taken a new backup, you can start to clean things up. Remember: don’t use the WordPress administrator dashboard. The website is hacked, so what makes you think you can trust it? Use an FTP program (or the command line, if you have SSH access) instead.
First, completely delete any unused themes and plugins. If they aren’t being used, then you should get rid of them. Even though they are inactive, they can still pose a security risk. (They can also affect your website’s overall performance).
Second, download a fresh copy of WordPress core from wordpress.org. Delete EVERYTHING in your website’s root directory except wp-config.php and the wp-content/ directory (that includes dotfiles such as .htaccess, which attackers frequently edit to add redirects). Then unpack the new version you just downloaded, and put the original wp-config.php file and wp-content/ directory back into place. Two caveats: open wp-config.php in an editor and read it top to bottom, since it is the one file you kept that can contain arbitrary PHP; and check wp-content/uploads/ for anything ending in .php, because that directory should hold only media and is a favourite home for web shells.
Third, follow the same exact method to replace all of your WordPress plugins, in the wp-content/plugins/ directory. The majority of your plugins (if not all) can easily be re-downloaded from WordPress.org/plugins/. For any plugins that are not available from wordpress.org, contact the plugin maintainers to get a new copy of the plugin.
Fourth (if possible), follow this method again to replace your theme files. But this can be tricky, especially if you have customized your theme and you didn’t use a child theme (you really should be using a child theme!).
If it’s not possible to completely replace your theme files, you should manually inspect them to make sure no malicious code is present. Injected code is usually obfuscated, so search for calls such as eval(), base64_decode(), gzinflate() and str_rot13(), and look for any PHP file whose modification time is newer than the rest of the theme.
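The replacement and inspection steps above, done from the command line. This is an added example, not code from the original post: it assumes SITE is the WordPress root on disk and FRESH is the already-unpacked wordpress/ directory from a tarball you downloaded from wordpress.org, and the function names are mine. The pattern list in find_suspicious_php is a starting point for manual review, not a complete signature set.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Usage: ./clean.sh SITE FRESH
# SITE  = WordPress root directory on disk
# FRESH = unpacked "wordpress/" directory from a wordpress.org tarball (assumed already downloaded)
set -euo pipefail

# Replace everything in SITE except wp-config.php and wp-content/ with a fresh core.
replace_core() {
  local site="$1" fresh="$2" stash entry name
  stash="$(mktemp -d)"
  cp -p "$site/wp-config.php" "$stash/wp-config.php"
  mv "$site/wp-content" "$stash/wp-content"
  # Everything else goes, dotfiles such as .htaccess included (attackers like to edit them).
  find "$site" -mindepth 1 -maxdepth 1 -exec rm -rf {} +
  for entry in "$fresh"/* "$fresh"/.[!.]*; do
    [ -e "$entry" ] || continue
    name="$(basename "$entry")"
    [ "$name" = "wp-content" ] && continue   # keep the site's own wp-content, not the bundled one
    cp -R -p "$entry" "$site/$name"
  done
  cp -p "$stash/wp-config.php" "$site/wp-config.php"
  mv "$stash/wp-content" "$site/wp-content"
  rm -rf "$stash"
}

# wp-content/uploads should never contain executable PHP; anything found is a web shell candidate.
find_php_in_uploads() {
  find "$1/wp-content/uploads" -type f \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null | sort || true
}

# List PHP files under DIR that use obfuscation constructs typical of injected code.
# Hits need manual review: legitimate code occasionally uses these functions too.
find_suspicious_php() {
  find "$1" -type f -name '*.php' -exec grep -lE \
    'eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(|preg_replace[[:space:]]*\(.*/e' \
    {} + 2>/dev/null | sort || true
}

if [ "$#" -eq 2 ]; then
  replace_core "$1" "$2"
  echo "== PHP files in uploads (should be empty) =="; find_php_in_uploads "$1"
  echo "== suspicious PHP under wp-content (review by hand) =="; find_suspicious_php "$1/wp-content"
fi
```

Run it with the site root and the unpacked core directory as the two arguments. The two reports at the end are the part the core swap cannot fix for you: wp-content/ is carried over untouched, so a web shell in uploads/ or obfuscated code in a theme survives the replacement and has to be dealt with by hand.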
Download a security plugin…
As a general rule of thumb, I install Wordfence on any website I manage. Used by millions of WordPress websites, it is one of the most popular and versatile WordPress security plugins available. Another great plugin is the Sucuri Scanner, and I sometimes use this plugin whenever I’m in the process of cleaning up a compromised site.
Download one (or both) of these plugins, and upload the plugin(s) to your website via FTP.
Now you can finally login to the admin dashboard…
If you haven’t upgraded WordPress and/or some of your plugins in a while, the website will likely want to upgrade the database first after you log in. Before you go further, change the passwords of every administrator account (and your database and hosting credentials), and check the user list for accounts you didn’t create. Once the database upgrade is done, finish activating and configuring the security plugin, and use it to scan for any remaining malware on the website.
By following these steps, you may be able to recover your website and make it a safe and habitable destination for your visitors again. But depending on the severity of the compromise, following these steps is no guarantee of eradicating all malware on the site. If you’re unsure, hire a professional. Good luck!