Fixing a Compromised WordPress Website

Sep 23, 2020 | Website Security, WordPress

Like any content management system, WordPress is not immune to security vulnerabilities. The best way to recover from a WordPress compromise is to restore from a known good backup. You should always maintain proper backups (don’t rely on a data sync, for example).

But unfortunately, backups are not always possible. In those cases, cleaning up the site is the only option. In this post, I’ll provide some general guidance on steps you can take to fix your site if it ever gets hacked, and to keep it secured going forward.

Start with the basics

Your website is hacked. So you can’t trust it. Do not trust your WordPress administrator dashboard! The only way to clean up the website is to replace (and/or fix) files manually, through the command line (if you have SSH access), or using an FTP program like FileZilla.

Take a new backup. Before doing anything, I strongly recommend taking a backup of your website. This way, you’ll have something to come back to if your attempts to fix the website go horribly awry – even if the new backup contains files that are compromised. But there’s another reason you’ll want to keep a backup (just in case). Sometimes, law enforcement or other forensics investigators will need to get involved. If they do, it is important that you have collected – and securely maintained – as much evidence as possible.

Clean up the files…

Now that you’ve taken a new backup, you can start to clean things up. Remember: Don’t use the WordPress administrator dashboard. The website is hacked. So what makes you think you can trust it? Use an FTP program (or the command line, if you have SSH access), instead.

First, completely delete any unused themes and plugins. If they aren’t being used, then you should get rid of them. Even though they are inactive, they can still pose a security risk. (They can also affect your website’s overall performance).

Second, download a new copy of WordPress core from wordpress.org. Delete EVERYTHING in your website’s root directory (except for wp-config.php and for everything in the wp-content/ directory). Then, unpack the new version you just downloaded from WordPress.org, and put the original wp-config.php file & wp-content/ directory back into place.

Third, follow the same exact method to replace all of your WordPress plugins, in the wp-content/plugins/ directory. The majority of your plugins (if not all) can easily be re-downloaded from WordPress.org/plugins/. For any plugins that are not available from wordpress.org, contact the plugin maintainers to get a new copy of the plugin.

Fourth (if possible), follow this method again to replace your theme files. But this can be tricky, especially if you have customized your theme and you didn’t use a child theme (you really should be using a child theme!).

If it’s not possible to completely replace your theme files, then you should manually inspect your theme’s files to make sure no malicious code is present.
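For readers working over SSH, here is one way to script the core replacement and the theme inspection described above. This is an added example, not code from the original post; the function names, the quarantine directory, the example paths and the list of PHP constructs to flag are all assumptions.

```shell
#!/bin/sh
# Added example. Function names, directory layout and the grep patterns
# are assumptions, not taken from the original post.

# replace_core SITE FRESH QUARANTINE
# Move everything in SITE except wp-config.php and wp-content/ into a new
# QUARANTINE directory (kept as evidence rather than deleted), then copy
# the freshly unpacked core from FRESH into SITE.
replace_core() {
    site=$1 fresh=$2 quarantine=$3
    [ -f "$site/wp-config.php" ] || { echo "no wp-config.php in $site" >&2; return 1; }
    [ -f "$fresh/wp-includes/version.php" ] || { echo "$fresh is not a core tree" >&2; return 1; }
    mkdir "$quarantine" || return 1   # refuse to reuse an old quarantine
    # The second glob picks up dotfiles such as .htaccess.
    for entry in "$site"/* "$site"/.[!.]*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        case ${entry##*/} in wp-config.php|wp-content) continue ;; esac
        mv "$entry" "$quarantine"/ || return 1
    done
    for entry in "$fresh"/* "$fresh"/.[!.]*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        # The site's own wp-content/ stays; the bundled one is skipped.
        case ${entry##*/} in wp-content) continue ;; esac
        cp -R "$entry" "$site"/ || return 1
    done
    return 0
}

# flag_php_for_review DIR
# List PHP files under DIR that contain constructs worth reading by hand.
# A hit is a prompt to inspect the file, not proof of compromise, and an
# empty result is not proof that the theme is clean.
flag_php_for_review() {
    find "$1" -type f -name '*.php' -exec grep -liE \
        '(eval|base64_decode|gzinflate|str_rot13)[[:space:]]*\(' {} + | sort
}

# Usage (placeholder paths):
#   replace_core /var/www/site /tmp/wordpress /root/site-quarantine
#   flag_php_for_review /var/www/site/wp-content/themes/my-theme
```

The quarantine directory should live outside the web root so the moved files can no longer be requested over HTTP.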

Download a security plugin…

As a general rule of thumb, I install Wordfence on any website I manage. Used by millions of WordPress websites, it is one of the most popular and versatile WordPress security plugins available. Another great plugin is the Sucuri Scanner, and I sometimes use this plugin whenever I’m in the process of cleaning up a compromised site.

Download one (or both) of these plugins, and upload the plugin(s) to your website via FTP.

Now you can finally log in to the admin dashboard…

If you haven’t upgraded WordPress and/or some of your plugins in a while, the website will likely want to upgrade the database first after you log in. Once that is done, you should finish activating and configuring the security plugin, and use that to scan for any remaining potential malware on the website.

By following these steps, you may be able to recover your website and make it a safe & habitable destination for your visitors again. But depending on the severity of the compromise, following these steps is no guarantee for eradicating any malware on the site. If you’re unsure, hire a professional. Good luck!
