What to do when your WordPress site has been hacked?

After a hack you will want to either find the offending ‘hack’ and remove it, or restore a recent backup. In the worst case, where the database has been lost permanently, you can use Google’s Cache or the Way Back Time Machine to find old copies of the site and rebuild it manually.

This article will help you get back online as best you can based on your ‘pre-hack’ backups, and then leads on to securing your site so you don’t get hacked again.

How do hacks work in WordPress?

Hackers can work in various ways to get in and mess up your website, but in WordPress it’s quite common that:

  • they find an existing vulnerability in an installed plugin or theme. This is why we update plugins all the time. In my experience this is the most common route. From there they will add some malware to do various nefarious things,
  • or your password was found somehow (e.g. a third-party data center got hacked and your details were ‘leaked’) and they used it to log in to your site,
  • or you have an insecure password and someone brute-forced it and got in that way. This one commonly works together with the above.
    • Once a third-party service (e.g. iCloud or LastPass) is hacked, some of your usernames and passwords are known to hackers. As people often use the same password for lots of very different accounts (e.g. your PayPal, bank, WordPress site and Netflix all have the same username and/or password), once one set is known they can log in to your other accounts as well.

It’s also possible that the hack was made to the code base or to the database. In the latter case restoring a backup is your next step, but ideally you will also want to make sure there are no ‘hacked’ files in the WordPress code base.

How can I make sure there are no ‘hacked’ files in my WordPress Codebase?

Some hackers will add extra code to your website files once they have gained access. This code will help them hack you again in future if you ONLY restore the database and ignore the WordPress code itself.

To check for this we can use a security plugin like Wordfence or Sucuri, which will compare your WordPress Core files to the originals and tell you if there is a difference. From there you can ‘revert’ to the original file to remove these hacks.

PROTIP: This comparison only covers WordPress Core files, so it is also good practice to update every plugin that has a newer version available. Even then it is possible that the hack remains in the plugins. In my experience this is not likely, but it is possible, and in that case it might even be necessary to uninstall and re-install all plugins.
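
The core-file comparison described above can be reproduced by hand. The following is an added example, not code from Wordfence, Sucuri or this article: it assumes you have a manifest mapping each core file path to the MD5 hash of the clean release, and the function names and the sample install are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_ONLY_DIRS = ("wp-admin", "wp-includes")


def md5_of(path):
    return hashlib.md5(Path(path).read_bytes()).hexdigest()


def audit_core(root, manifest):
    """Compare an install with a {relative_path: md5} manifest of the clean release."""
    root = Path(root)
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        if not (root / rel).is_file():
            report["missing"].append(rel)
        elif md5_of(root / rel) != expected:
            report["modified"].append(rel)
    # Extra files in core-only directories; wp-content (plugins, themes, uploads) is not covered.
    for top in CORE_ONLY_DIRS:
        for path in (root / top).rglob("*"):
            rel = path.relative_to(root).as_posix()
            if path.is_file() and rel not in manifest:
                report["unexpected"].append(rel)
    # Top-level PHP files that did not ship with core (wp-config.php is site-specific).
    for path in root.glob("*.php"):
        if path.name not in manifest and path.name != "wp-config.php":
            report["unexpected"].append(path.name)
    return {kind: sorted(paths) for kind, paths in report.items()}


def demo():
    """Constructed sample install: one file edited, one deleted, one planted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        clean = {"index.php": b"<?php // front controller",
                 "wp-admin/admin.php": b"<?php // admin bootstrap",
                 "wp-includes/version.php": b"<?php // version info"}
        for rel, body in clean.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(body)
        manifest = {rel: md5_of(root / rel) for rel in clean}
        (root / "index.php").write_bytes(b"<?php // edited after install")
        (root / "wp-admin/admin.php").unlink()
        (root / "wp-includes/cache-old.php").write_bytes(b"<?php // planted")
        (root / "wp-config.php").write_bytes(b"<?php // site config")
        return audit_core(root, manifest)
```

On a server with WP-CLI installed, `wp core verify-checksums` performs this comparison against the checksums published by WordPress.org, and `wp plugin verify-checksums --all` extends it to plugins hosted there.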

Restoring a backup

First, take a backup of the hacked database

Take a backup of the site before any of the below. You can do this by following the instructions here from your cPanel in your hosting account.

Now use your restore database functionality

The best way to restore a WordPress site after a hack is to restore a complete backup of your database and files. If you have backups set up (either on your server or in a plugin) then just go and restore your site to one of them.

I can’t really tell you exactly how to do this, as each server and plugin will do it differently, but usually there is just a list of ‘backups’ with a restore button for each of them, and you choose one to restore.

If your website is on a Bluehost account you can go to ‘My Sites’ -> select the site in question -> find the ‘Backups’ tab. From here you will see a list of all the backups you have. If you see nothing here then you might not have a backup. It’s also possible you have another plugin doing your backups, so also check your plugins folder for any backup plugin there.

A list of backups on my Bluehost server.

However, restoring a backup is not always effective at removing the ‘hack’, because a lot of malware will not even be obvious to you, the admin user. This means that you won’t be sure when the hack even started (it could be months ago) and therefore you won’t know which backup to restore.

If, however, you have an idea of when it was then that’s fine, go and restore your backup.

PROTIP: You can lose data this way as well, so I would suggest you actually take a backup of the database (which has been hacked) because it’s still the most up-to-date version of the database. To illustrate what I mean further, let’s say you have a backup running every 24 hours and your last backup was 12 hours ago. If you restore to that version you lose 12 hours’ worth of data. Depending on your site this may or may not be an issue. If your site is not regularly updated then ignore this. If it is, like a popular ecommerce site, then you will lose orders and these customers will perhaps be left in limbo. Take a backup of the site’s database in its ‘pre-hacked’ state before restoring.

What if you don’t have a backup?

You have two options as far as I know. Use the Way Back Time Machine to find a previous version of the site, or use Google Search’s cache for its indexed versions of your pages. This could be one way to at least get back the HTML, CSS and JS.

From there you could use these to rebuild the website. It would be quite a manual and effortful job but it’s possible.

Way Back Time Machine:

This is more or less self-explanatory: go to their site, enter your URL and see if there are any previously cached versions of your site to peruse. Find a cached version and click on it. Then click on the highlighted date in the calendar and on the date/time stamp. You will be able to scroll around the cached version of that page from whenever that was.

For example, when I type in the URL of this site I can see a list of pages which this tool has archived here.

Google’s Search Cache:

Google’s cached links show you what a web page looked like the last time Google visited it.

Go to google.com and search for something very similar to your website URL but with a space. For example, for this site, betterdeveloperdocs.com, you should actually search for ‘betterdeveloperdocs com’ and you will see all the pages which Google has cached for your site.

Next to the search result, click on the ‘…’ symbol. Then select ‘Cached’ and you can view Google’s cached version of your site.

From here you could manually go through and get the images etc. Slow and arduous, but it’s possible.

How do I reduce chances of getting hacked again?

To stop a hack from happening again you will want to do things like:

  • install security plugins,
  • use Google reCAPTCHA,
  • change the login URL etc., and
  • update plugins and themes regularly.
