So is your WordPress site hacked?
This guide helps fixhackedwebsite.com customers who find their WordPress site hacked; however, it can also be used by most tech companies and hosting companies. We will explain the steps we take to get your website back and the steps you can take to help us.
Above all: don’t panic! Being hacked is frightening and frustrating, particularly when your website is critical. At fixhackedwebsite.com we want both to help reduce disruption and to solve the problem so that your WordPress site is not hacked over and over.
What is a WordPress hack?
Most people's idea of a hacked website comes from media headlines about attackers who steal data and then sell it or simply dump it online. These targeted hacks can cause massive damage to businesses, but are rare.
Most of the hacks we see on our platforms are automated attacks; instead of targeting a specific website, attackers take a known vulnerability in software such as WordPress and try to exploit that weakness on as many sites as possible. The hackers are not interested in the contents of the websites compromised by such automated attacks. Instead they try to extort you or abuse your hosting account's resources.
Each hack is slightly different, but the most common hack types can be classified as:
Spam email is by far the most common hack we see; in fact, we often spot it long before our customer does. A compromised site will begin to send large numbers of emails to many recipients. If you have ever been asked by email to collect a rich prince's money, the email you received was probably sent via a hacked website.
Node in a bot network
Your site starts to send a lot of traffic to a different address. In effect, the attacker uses your internet connection and server resources to try to force another website offline. Such a hack is used to point hundreds of hacked websites at one site. The result is a Distributed Denial of Service (DDoS).
In this form of hack, your website content is modified to include links to malware, viruses and other dangerous content. This type of hack is one of the most obvious to visitors to your website and can result in Google blacklisting your site for malware.
As with malware hosting, your content has been changed or new content has been added. This hack uses your site to host content that promotes another site, product or service.
The site content is encrypted or deleted, and the client is asked to pay to “release” the files.
Your content is simply replaced by the hacker's own content. This may be a political message or simply someone claiming that they have hacked your website. Defacement is web graffiti, but with a much worse impact on your reputation.
How do WordPress websites get hacked?
WordPress sites are hacked for a variety of reasons, but the number one reason is that items like WordPress core, plugins and themes are not kept up to date. When vulnerabilities are discovered, most developers patch their plugin or theme (fix the vulnerability) before it is announced. This means that the vulnerability will not affect you if you run the latest version.
However, there are other ways sites are hacked, such as weak passwords for logins like FTP users. If someone can guess your password, they can do whatever you can. See our password protection article if you need help.
Another way sites are hacked is by tricking an admin user into performing an action that uploads files. In certain cases our web application firewall rules can help to stop this, but if the firewall doesn’t know the action is malicious, it will let it through.
Finally, if you enable visitors to upload files (intentionally or not) and don’t have appropriate safeguards, these files can also be used to hack your site.
People who try to hack websites often use combinations of the above techniques to try to access your site. Once your site is compromised, they also build additional ways in. Such “backdoors” guarantee access even after the first method has been found and fixed. That’s why we say that if you were hacked once, you were hacked many times.
Again, don’t panic! Most hacks are preventable; once we have cleaned your website, we will help to prevent them in the future.
How do we detect a WordPress hack?
The first most of our customers learn that they have been compromised is when we contact them directly.
We monitor our network proactively and continuously search for suspicious activity across our hosts. For example, a website may unexpectedly generate hundreds or thousands of emails. One of our systems team will look in the mail queue to see whether the emails are genuine. We don’t have to read emails in detail; we just look at headers and subjects. It is very easy to tell spam email from a newsletter.
We also monitor traffic spikes on our network. Each server and product has its own usage agreements, but normally we limit the amount of traffic that these systems can send (packets per second) and investigate when it is extremely high. We also perform regular virus scans across our servers to detect malicious content.
Our servers also run Web Application Firewalls to monitor the traffic directed to them. Although this only shows what a remote user is trying to access, it produces information that helps spot hacks.
We also proactively inspect certain plugins and WordPress core files on our WordPress hosting to verify that they have not been maliciously modified. Every platform has its own specific set of security tools. Of course, we may not have spotted the hack. A hacked site often lies dormant for weeks or months, and it can stay off our radar until the hack is actually used.
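One way to implement the core-file check described above, as an added example that is not fixhackedwebsite.com's own tooling: hash a known-clean copy of the release, then report files in the live copy that were modified, added or removed. The file names and contents in `demo()` are constructed samples.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def build_manifest(root):
    """Map relative path -> SHA-256 for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def compare_to_baseline(site_root, baseline):
    """Return (modified, unexpected, missing) lists of relative paths."""
    current = build_manifest(site_root)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    unexpected = sorted(p for p in current if p not in baseline)  # possible backdoor
    missing = sorted(p for p in baseline if p not in current)
    return modified, unexpected, missing

def demo():
    """Constructed sample: a clean release tree and a tampered live copy."""
    files = {"wp-login.php": b"<?php // login\n",
             "wp-includes/version.php": b"<?php // version\n",
             "wp-includes/load.php": b"<?php // loader\n"}
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = os.path.join(tmp, "clean"), os.path.join(tmp, "live")
        for root in (clean, live):
            for rel, body in files.items():
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(body)
        baseline = build_manifest(clean)
        with open(os.path.join(live, "wp-login.php"), "ab") as fh:
            fh.write(b"// injected line\n")              # modified core file
        with open(os.path.join(live, "wp-includes", "cache-x.php"), "wb") as fh:
            fh.write(b"<?php // not in the release\n")   # file the release never shipped
        os.remove(os.path.join(live, "wp-includes", "load.php"))
        return compare_to_baseline(live, baseline)

if __name__ == "__main__":
    print(demo())
```

On a real site the baseline would come from a fresh download of the same WordPress release; WP-CLI's `wp core verify-checksums` command performs this kind of comparison against the checksums published by wordpress.org.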
Sometimes clients spot files which they are sure they did not upload, or they have a plugin which has spotted hacked files and flags problems.
However a hacked WordPress website is initially found, the same process follows once we are alerted and a member of our team investigates.
How do we investigate hacked WordPress websites?
If something has been flagged as compromised, a member of our team will review your account.
During the investigation, we begin by confirming whether a site has been hacked. False positives can and do happen, and we start our hacked-site process only as a last resort.
When one or more hacks are detected, we take the initial effect of the hack as a starting point and lock it down quickly. Wherever practical, we ensure that hacked files cannot be accessed except by our team and that malicious processes or emails are stopped immediately.
This can lead to an immediate loss of some functionality on your site, but your site will still work. Sometimes this is not practical, for instance if your site's index page has been compromised, or in the case of ransomware. If it is dangerous for you or anyone who visits the site to keep your website up and running, we will take the site offline.
At this stage we also use the snapshot function in the control panel to take a snapshot of your website. This means you always have access to the contents, files and any custom settings of your site.
We understand the stomach-turning feeling of finding out that your site was hacked. Don’t worry, our team is here to help and we will do our utmost to get you back to work as soon as possible. We will also ensure your site is restored as cleanly and safely as possible; the last thing anyone wants is a repeat of the hack.
What will we do?
- Help to identify hacks
- Provide a snapshot of your site
- Remove all malicious content
- Install a fresh, updated copy of WordPress
- Safely import your content and restore your plugins
- Work with you to make your website work as before
- Advise how to enhance site security
What do you need to do?
- Give us a contact point during the restoration
- Download and install any premium plugins and themes that may not be available to us
- Re-add any non-WordPress content to the site
- Check your website for problems after the restore
- Reapply custom settings where we can’t.
We will also get in touch if we are not already in contact at this point. We do not want to cause panic, but everyone needs an urgent solution, so we will make contact as soon as possible.
Due to the nature of hacked websites, the first contact is always with the account owner. We will ask you to authenticate a support ticket so that we can work on your behalf. For the duration of the case, we will also ask you to nominate one point of contact. We will probably need to do a lot of work in a short period of time; it is important that we can speak to someone quickly to let them know what’s going on and to ask questions about the setup of the site if necessary.
This person is usually the website owner but can also be a technical contact. If the contact is not already listed on your account, you may need to add them in your control panel as a technical contact.
We will explain what was found during the examination stage and guide you on how to access the snapshot during this initial contact. We’ll keep it for as long as you need it, and you don’t have to download it immediately. The snapshot is also saved on a remote server.
Frequently Asked WordPress hack questions
You probably have many questions for us at this point, understandably, so please do not hesitate to ask! Be aware that some questions may be difficult to answer, but here are some of the most frequent hack queries we receive:
How long has my WordPress website been hacked?
While we can see the date on which a file claims to have been added or edited, this date can be modified. It is not uncommon to see, for example, a file that claims it was last updated on 1 Jan 1970. Furthermore, we can’t know whether every hacked file has been identified, and an older hack may exist.
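The point about unreliable file dates, as an added example that is not part of the original guide: the check below lists reasons not to trust a file's modification time. The 30-day site age and the file name are constructed assumptions, and the inode-change comparison assumes a Linux host.

```python
import os
import tempfile
import time

DAY = 86400

def timestamp_findings(path, site_created, now=None):
    """Return reasons why this file's modification time should not be trusted."""
    st = os.stat(path)
    now = time.time() if now is None else now
    findings = []
    if st.st_mtime < site_created:
        findings.append("mtime predates the site")
    if st.st_mtime > now + DAY:
        findings.append("mtime is in the future")
    # On Linux st_ctime is the inode change time, which the kernel sets itself.
    # It also moves on chmod, rename or restore, so a gap is a lead, not proof.
    if st.st_ctime - st.st_mtime > DAY:
        findings.append("inode changed long after mtime")
    return findings

def demo():
    """Constructed sample: one file checked before and after its mtime is reset."""
    site_created = time.time() - 30 * DAY    # assumed site creation date
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "functions.php")
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample\n")
        before = timestamp_findings(path, site_created)
        os.utime(path, (0, 0))               # mtime now claims 1 Jan 1970
        after = timestamp_findings(path, site_created)
    return before, after

if __name__ == "__main__":
    print(demo())
```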
How was my WordPress website hacked?
We will share with you any details we learn. For instance, we can see if someone has changed your files via FTP or whether a hack sits in a specific plugin directory. But these could have occurred after the initial hack.
Were my customers' details collected?
We can assess only to a limited extent whether your website data has been targeted; that is, if you store confidential data, you should assume that it has been.
Clean a hacked WordPress Website Today!
We can start cleaning up your WordPress site once we have answered your questions. This is the stage that most customers fear, because we can’t restore from a backup: we simply don’t know whether the backup is hacked or not.
The following steps are taken to fix your website:
- We get a list of the plugins and themes you have installed so that we can restore them later.
- We export your posts / pages / custom post types. Rather than SQL dumps we use the built-in WordPress export; this helps to limit potential problems with hacks in the database.
- We isolate and remove your files from your httpdocs folder. As this happens, your site will go offline briefly. At this stage, the files are still on the server, but only accessible by our team.
- We build a clean copy of WordPress on your website. While we do this, your site will briefly show a default WordPress install. This usually lasts a matter of minutes at most.
- After checking for anything suspicious and using a virus scanner to check for problems, we move your media back to your wp-content/uploads folder. In certain circumstances we may not move every file, for example where your site has .zip files in the uploads folder. We also tell you about the material that we haven’t moved and why you should check it.
- Next we import your posts and other content into WordPress. This also generates user accounts based on that content. Each user account is set to the author role by default. We also set one user as an administrator so that you can log in and modify user settings.
- Finally, we install and activate your plugins and themes. We can only do that for themes and plugins that are publicly accessible.
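The media check in the steps above, sketched as an added example that is not fixhackedwebsite.com's own process: each file from the isolated uploads copy is either moved back or held for review. Only the .zip rule comes from the guide; the script-extension, PHP-tag and file-signature rules are assumptions that go beyond it, and all sample files are constructed.

```python
import os
import tempfile

ARCHIVE_EXT = {".zip", ".tar", ".gz", ".rar", ".7z"}
SCRIPT_EXT = {".php", ".phtml", ".phar", ".pht"}
# Leading bytes expected for common image types found in an uploads folder.
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8",
         ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff"}

def triage(name, data):
    """Return (decision, reason); decision is 'move' or 'hold'."""
    base = os.path.basename(name).lower()
    ext = os.path.splitext(base)[1]
    # Look at every extension so that names like photo.php.jpg are held too.
    all_exts = {"." + part for part in base.split(".")[1:]}
    if ext in ARCHIVE_EXT:
        return "hold", "archive: contents not reviewed"
    if all_exts & SCRIPT_EXT:
        return "hold", "script extension in uploads"
    if b"<?php" in data:
        return "hold", "PHP open tag inside a media file"
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        return "hold", "content does not match extension"
    return "move", "no rule matched (virus scan still applies)"

def triage_tree(root):
    """Walk an isolated uploads copy; map relative path -> (decision, reason)."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            with open(full, "rb") as fh:
                results[os.path.relpath(full, root)] = triage(fname, fh.read())
    return results

def demo():
    """Constructed sample uploads folder; returns the sorted list of held files."""
    samples = {"logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
               "banner.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
               "backup.zip": b"PK\x03\x04", "photo.php.jpg": b"\xff\xd8\xff\xe0",
               "avatar.gif": b"GIF89a<?php /* constructed marker */ ?>",
               "icon.png": b"plain text, not an image"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(body)
        return sorted(p for p, (d, _r) in triage_tree(tmp).items() if d == "hold")

if __name__ == "__main__":
    print(demo())
```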
My WordPress site is still not working properly after the hack
Your website may not look the same after these first few repair steps. Don’t panic! We can only access themes and plugins that are on the wordpress.org website. If you purchased your theme from somewhere else, we will have no access to it and we need your assistance.
If you do not have a copy of the theme files, you must go to the company or website from which you purchased the theme and download the theme again. When you have the theme file, go to Appearance -> Themes -> Add New -> Upload New inside WordPress, then upload and activate the theme. Your theme should now be added.
This step can also be repeated for any premium plugins your website uses. Again, we can’t access premium themes or plugins and can’t simply restore them from a backup. To prevent the hack recurring, we have to assume that your backups are also infected. It is important that your site is restored from known clean sources like wordpress.org or the theme / plugin creator.
Our team can help your website look more like it did before with your theme and plugins. If you have made custom file changes to modify your website's look, we will not be able to help you put them back. Some plugin settings may also be lost. While you may be tempted to put your snapshot back online, we strongly discourage copying files directly from the snapshot, or you may simply restore the hack.
It is necessary to consider what might be lost at the end of this reconstruction process:
- If you have changed theme or plugin code directly, those modifications will not be restored
- If you have modified WordPress core, the changes will not be present
- If you keep content anywhere other than wp-content/uploads or your own directory, those items will be lost.
- Some settings are not remembered and must be reapplied
- It can take some time to find all the minor differences, so it is worth testing everything carefully.
Our team is there to help during this process. We want you back up and running with minimal disruption as quickly as possible, but we also need to make sure we don’t restore hacked content. As such, we will not restore specific snapshot files; we cannot stress enough the importance of assuming that all the files are infected.
How can I protect against WordPress hacks moving forward?
Once your site has been cleaned and you feel that you are returning to normal, it is a good time to take stock and review. Once again, our team is ready to help you and you can talk to one of our WordPress specialists about improving your website security.
Here are some important things to take into account when securing a WordPress site:
- Review old plugins and themes. If you don’t use a theme or plugin, delete it. Even disabled plugins and themes can be used to hack your site.
- If a plugin does not receive active updates from the author or has been abandoned, consider searching for alternatives.
- If you want to modify a theme, consider doing it as a child theme. You can then make changes and continue to update the parent theme.
- Enable auto-updates for WordPress Core, themes and plugins, or look at plans like our WordPress hosting system, where we can do more for you.
- Ensure the correct permissions of WordPress folders and files (we can help here).
- Go through your website and check every user. Make sure the only administrators are people who NEED to be. Most users can be assigned the author or editor role.
- Make sure only people who need access have user accounts, and audit everyone who has access to your site.
- Ensure that administrators use safe passphrases or password managers. See the password advice mentioned earlier in this document or ask for our help.
- Consider enabling two-factor authentication for your WordPress website.
- Do not reuse your FTP password, or the password from any other site, for your site.
Speak to our team about switching to WordPress Hosting if you use our company hosting platforms for your WordPress site. This platform is specifically designed for WordPress from the ground up and includes many more sophisticated core security features.
Although we do not want to downplay the seriousness of a hacked website, it is unfortunately a fact of daily life on the web. It’s disturbing, and feeling violated is natural. We hope that this guide alleviates any fears and provides a simple overview of the steps to clean up a hacked WordPress site.
While the ramifications of a hack may take time to go away, they usually do not have long-term negative effects if they are handled correctly. Our goal is to get you back up and running as soon as possible and to remove as much stress as we can from this situation.