In light of the recent COVID-19 pandemic - OPTASY would like to offer DRUPAL website support for any Healthcare, Government, Education and Non-Profit Organization(s) with critical crisis communication websites or organizations directly providing relief. Stay Safe and Stay Well.

How to Fix a Hacked WordPress Site: A Step-by-Step Guide on Identifying and Removing Malware
Tips

How to Fix a Hacked WordPress Site: A Step-by-Step Guide on Identifying and Removing Malware

by Adriana Cacoveanu on Jun 19 2018

“Mysterious” pop-ups that you did not initiate, inexplicable auto-linking keywords, frequent freezing of your website... These are all but clear signs that your WordPress site has been hacked! Now what? Where should you look for the “infection”? Here's a step-by-step guide on how to fix a hacked WordPress site.

And it goes without saying that the very first step to take is to:

Keep calm!

Next, you'll need to figure out how precisely that malicious individual has found his/her way into your site. What security vulnerability has he detected and exploited?

Once you've determined how your WordPress website's got hacked, figuring out how to remove the malware is already a half-solved problem.

So, let's dig in before this hypothetical infection has spread out throughout your entire website:

 

Step 1: Identify the Hacked Files (and Change Your Password)

Remember what we've already agreed upon, that the very first step to take is precisely not to panic?

So, while keeping your cool, start your “investigations” by asking yourself 3 key questions  — this, of course, after you've already asked yourself “How to remove malware from my WordPress site?”:

 

  • Are you able to access your admin panel?
  • Is your site already marked as insecure (by Google)?
  • Is your site redirecting automatically to another website once you log yourself in?

     

At this point, I also strongly recommend that you changed your password, as well. And this before you jump to the next step of your investigation.

Note: remember to change it again after you've cleaned up your website, as well.

 

1.1. Give Your Site a Thorough Scan Using a Security Tool/Plugin

And I do think that it never gets redundant for me to stress out:

Turning on a powerful WordPress security plugin on your website is one of the best shields that you could activate around it.

In case of an emergency situation, like this one here, you'd simply enable it to scan your site remotely and track down malware locations and malicious payloads and, most of all:

A good security plugin would identify and alert you, in real-time, of all the changes made to your website.

Note: everyone knows it, yet most website owners stubbornly ignore the importance of keeping their loads of WordPress themes and plugins updated regularly. They just overlook the fact that out-of-date files are by far hackers' “top favorite” security vulnerabilities. 

 

1.2. Check Whether Your Core Files Have Been Compromised

And since they're by far the most valuable files on your site, it's only normal to check their integrity first things first:

 

  • wp-includes
  • root folders
  • wp-admin

     

Most of these core files should never ever be modified.

And there are 2 ways of checking them:

 

  1. you either use the diff command in your terminal
  2. or you check them manually, via SFTP

     

If they're unchanged and therefore clean, move on to the next step of this “how to fix a hacked WordPress site” guide:

 

1.3. Check the Integrity of the Recently Modified Files

It may also be that precisely the recently modified files on your WordPress site are the “corrupted” ones.

To know for sure, identify the files that have been recently modified.

And again, you have 2 options at hand for this type of “investigation”:

 

  1. the manual check
  2. running the right commands in your Linux terminal

     

For manually identifying these newly changed files that might have been hacked just go through these steps here:

 

  • log into your server (use the SSH terminal or an FTP client)
  • if it's SSH that you're using, then it's this command that will automatically list all the files that got modified the last 15 days: $ find ./ -type f -mtime -15
  • if it's SFTP that you're using, just scan through the last modified date column for all files on your server
  • … detect any files that recent changes have been made to

     

Now for tracking down these possibly “infected” recently modified files using the terminal, just follow these 2 simple steps:

 

  • run this command in your terminal: $ find /etc -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r 
  • next, if you want to identify the directory files, enter this command: $ find /etc -printf '%TY-%Tm-%Td %TT %p\n' | sort -r 

     

Are there any unexplainable changes made to those files in the last 7-30 days?

 

1.4. Check the Diagnostic Pages 

A conveniently handy way to remove a virus from your WordPress website is to “track it down” using Google's or another website security authority's tool to give your site a deep scan with.

Has yours already been blacklisted by one of these authorities?

Then simply run the Google Transparency Report:

 

  • go to Safe Browsing Site Status website
  • enter your website's URL there
  • check both the Site Safety Details and the Testing Details sections 

     

It's a quick and easy way to collect valuable information about any suspicious downloads, redirects, and spams on your site, as well as priceless data about Google's recent scan that ended in malware being detected.

Note: another way of identifying malware that's within your reach is by using a free webmaster tool — Google Webmasters Central, Norton SafeWeb, Bing Webmaster Tools etc.

 

Step 2: How to Fix a Hacked WordPress Site: Removing the Detected Malware

After all your preliminary investigations, you should put together your battle plan for actually removing the identified hack from your WordPress site. And for restoring it to its pre-hack clean state, too, obviously.

For this, here are the most effective measures at hand for you to apply:

 

2.1. Is a Clean Backup Available? Use It to Compare Pre-Hack to Post-Hack Files

Is there any need for me to stress out that:

You should back up your website on a daily basis!

And the very situation that you're in now is by far one of the strongest reasons to do that:

“How to fix a hacked WordPress site” will get reduced to: “simply comparing a clean backup to the current hacked version of your site!"

Identify the files that have been modified and get them removed.

It goes without saying that you risk losing some of your files —  those added/updated after the last backup — but you do want a clean website now, don't you?

2.2. Remove the Identified Infected Files from Your Website

Once you've restored your WordPress backup, you can easily remove any suspicious plugin, theme or other types of file.

Note: do handle core files with utmost caution, though! Mind you don't accidentally overwrite your wp-content folder or your wp-config.php file.

When it comes to infected custom files, you could replace them with a clean recent backup or with fresh new copies.

“But how do I remove “malicious” code manually?” you might ask yourself.

Let me go briefly through all the key steps required:

 

  • log into your server (via SSH or SFTP)
  • back up your website
  • track down the recently modified files
  • replace any suspicious files with copies from the WordPress repository
  • use a text editor for opening up any custom files there and remove any suspicious code that you'll detect 
  • test your newly cleaned up website

     

Word of caution: manually removing a malware infection from your WordPress site does call for special safety measures. Never remove corrupted code without first backing everything up!

 

2.3. Remove All Malware Infections from Your Database Tables, as Well 

Now, you do agree that a “how to fix a hacked WordPress site” tutorial couldn't possibly skip the step where database tables get cleaned up of any malware infection.

Here's how you do it:

 

  • connect to your database using your database admin panel
  • create a backup of your database
  • give it a deep scan looking for any suspicious content 
  • if detected, open the table containing that specific link or spammy keywords
  • manually remove that infected piece of content
  • give your website a “post database clean up” test
  • remove any tools that you might have used specifically for this operation —  Adminer or maybe Search-Replace-DB

     

2.4. Check All The User Permissions: Look for New, Unfamiliar User Accounts

My advice to you, when it comes to user accounts, to user roles and permissions on your WordPress site is to:

Keep just one single admin user and stick to the essential user roles (and granted permissions):

  • author
  • editor
  • contributor 
  • etc.

     

This is one of the most effective prevention measures that you could take so you don't end up asking yourself How to clean up a hacked WordPress site?”

Now, coming back to our investigation here, here's how you remove all the unfamiliar WordPress user accounts from your website:

 

  • first, back up both your site and your database
  • log into your admin panel and click the “Users” tab
  • track down any unfamiliar new user accounts there, hover over them and delete them

     

Note: another wise thing to do is to re-check each user's roles and permissions. If you feel like updating them, simply use the users' role editor plugin.

 

2.5. Detect and “Close” all the Backdoors

And you want to treat this aspect with maximum seriousness. Otherwise, following each and every step indicated to you in this “how to fix a hacked WordPress site” tutorial becomes... pointless.

For the attackers would always have this “secret passage” to infiltrate themselves into your website over and over again.

“But what are backdoors more precisely?” you might ask yourself.

They're files similar to your site's core files — wp-config.php and key directories such as /uploads, /themes, /plugins —  yet strategically placed in the wrong directories. 

Here are some PHP functions that you could recognize them by:

 

  • str_rot13
  • assert
  • base64
  • move_uploaded_file
  • eval
  • system
  • stripslashes
  • gzuncompress

     

Word of caution: keep in mind that there are plugins on your WordPress website that could be legitimately be using these PHP functions; therefore, make sure you test all those "apparently suspicious changes" before rushing to remove the so-called "malicious" functions. Otherwise, by removing benign functions, you might just break your website.

 

2.6. Request a Review of Your Site, to Have all Malware Warnings Removed

Now, once you've repaired all the damage caused on your Wordpress site, it's only but logical to... let the blacklisting authorities know that your site's clean now.

For this, you can just request a review of your recovered website.

 

2.7. Change Your WordPress Salt Keys 

The very last step to take in this “How to fix a hacked WordPress site” process is to change the security keys from your wp-config.php file:

This way, even if a potential attacker stole your password, he would get automatically auto-logged out once you've changed your WordPress salt keys.

Next, you can just change your password, as well as the ones of other users on your site.

 

Or, Just Cut All These Steps Down to a Single One: Preventive Maintenance

Which means adopting a WordPress maintenance and support plan tailored just for you and your specific security feature needs.

This way, not only that you'd save the time (and spare your nerves) that you'd otherwise invest in carrying out all the steps included in a tedious “how to fix a hacked WordPress site” process, but:

From running regular updates to on-going maintenance of your website's core components to regular security audits, you wouldn't need to... move a single finger. Our WordPress maintenance and support team would handle it for you.

“Prevention is better than cure” is so much more than just a saying...

Development

We do Web development

Go to our Web development page!

Visit page!

Recommended Stories

DrupalTips
How SEO Helps Your Website Grow

How SEO Helps Your Website Grow

  Search engine optimization (SEO) is a powerful tool for helping your website grow and reach its full potential. SEO involves optimizing your website to make it easier for search engines like Google to find and rank it in their search results. By using SEO techniques such as keyword research, content optimization, link building, and more, you can increase the visibility of your website and attract more visitors. With the right SEO strategy in place, you can drive more traffic to your site and generate more leads and sales. In this article, we'll discuss how SEO can help your website grow and become successful. What is SEO? SEO stands for Search Engine Optimization, and it is the process of optimizing a website to make it easier for search engines like Google to find and rank it in their search results. SEO involves a variety of techniques, such as keyword research, content optimization, link building, and more. By using these techniques, you can increase your website’s visibility and attract more visitors. SEO helps your website become more visible in the search engine results pages (SERPs), which can lead to more traffic, leads, and sales. Benefits of SEO for Website Growth Let's have a look at some of the top benefits of SEO for website growth: Increased visibility: SEO helps your website become more visible in the search query, which can lead to more traffic and leads. Improved user experience: SEO also helps enhance the user experience of your website by making it easier to navigate and providing relevant content. Increased brand awareness: SEO can help boost brand awareness by making your website more visible in the SERPs, which can lead to more people recognizing your brand. Higher conversion rates: SEO can also help increase your website's conversion rate by making it easier for visitors to find what they are looking for and take the desired action. More organic traffic: SEO can help you drive more organic traffic to your website, which is free and highly targeted. Keyword Research for SEO Keyword research is an important part of SEO, and it involves finding the right keywords to target for your website. Keyword research helps you identify the words and phrases that people are searching for when looking for products or services related to your business. By targeting these keywords, you can increase your website’s visibility in the SERPs and attract more organic traffic. When doing keyword research, you can use specialized software to make the job easier. Content Optimization for SEO Content optimization involves optimizing your website’s content to make it more relevant to search engines. Content optimization includes optimizing titles, meta descriptions, headings, images, and other elements of your website’s content. Many companies rely on a solid blog approach to boost their content optimization strategy and highlight their SEO efforts. Link-Building Strategies for SEO Link-building is another top SEO strategy, and it involves creating backlinks to your website from other websites. Backlinks are links from other websites that point to your website, and they can help improve your website’s visibility in the SERPs. There are a variety of link-building strategies you can use to build backlinks for your website. These include guest blogging, directory submissions, social media marketing, and more. Conclusion SEO is an important part of website growth, and it can help you increase your website’s visibility in the SERPs, attract more organic traffic, and boost your conversion rates.  In the competitive digital world, brands that harness the power of SEO are on top of the game.  If you, too, want to integrate SEO into your web development project and are looking for professional advice, don't hesitate to contact Optasy. Optasy is a web development company that provides complete web development and maintenance services that support business growth.  Photo credit: Unsplash.  ... Read more
Raluca Olariu / Feb 14'2023
Tips
Website Security Best Practices

Website Security Best Practices

  Website security is an important consideration for any business or organization with an online presence. With the ever-increasing threats posed by cybercriminals, it is essential to ensure that your website is secure and protected from malicious attacks. Implementing best practices in website security can help protect your website from hackers, malware, and other malicious activities and security issues. This article will discuss some of the best practices for website security and how you can stay away from cybercriminals and improve your security posture.    "Cybersecurity is a shared responsibility, and it boils down to this: in cybersecurity, the more systems we secure, the more secure we all are." - Jeh Johnson Overview of Cybersecurity in 2023 The cybersecurity landscape heads towards a privacy-first approach to information security in 2023. Also, aligning regulations globally will allow businesses to gain more security and data protection.  There are growing voices that give their positive vote to passwordless authentication, which will presumably eliminate the risk of password breaches and amplify organizational security.  However, the rise of the Internet of Things (IoT) devices will likely increase security risks for organizations and expose more security vulnerabilities.  So how can websites cope and become more agile and accessible in this uncertain cyber landscape?   Best Website Security Practices in 2023 At the moment, the best website security practices involve a combination of proactive measures and reactive responses. Proactive measures include implementing strong authentication methods, encrypting data, and regularly patching software. Reactive responses include monitoring suspicious activity and responding quickly to identified security threats or security breaches. Strong Authentication Multi-factor authentication is one of the most important best practices for website security. It involves using two or more factors to verify a user’s identity, such as strong login credentials, and a biometric factor like a fingerprint or facial recognition. This ensures that only authorized users can access the website and its data, protecting it from unauthorized access. Additionally, strong authentication can help protect against phishing attacks, which are attempts to gain access to sensitive information by posing as a legitimate website. Encryption Encrypting data is another significant best practice for website security. Encryption scrambles data so that it can only be read by the intended recipient, making it more difficult for hackers to access sensitive information. It also helps protect against man-in-the-middle attacks, which occur when a hacker intercepts data as it is being transmitted between two parties. Software Patching Software updates are another important best practice for website security. Regularly patching software helps protect against vulnerabilities that can be exploited by hackers. It also ensures that the latest security features are in place, making it more difficult for attackers to access sensitive information. Monitoring and Response Reactive responses like monitoring suspicious activities or responding quickly to identified threats are two valuable tools for website security. Monitoring for suspicious activity can help identify potential threats before they become a problem. Responding quickly to identified threats can help minimize the damage caused by malicious code. Conclusion Keeping websites secure in 2023 involves a combination of proactive measures and reactive responses. These best practices are just some measures you can take to protect your digital assets. If you want to go more in-depth and opt for complex ways to secure your website, don't hesitate to contact Optasy.    Photo credit: Pixabay.... Read more
Raluca Olariu / Jan 25'2023
DrupalTips
Top Drupal Debugging Techniques

Top Drupal Debugging Techniques

  Debugging is an essential part of developing any website, and Drupal is no exception. Debugging in Drupal can be a complex process due to the complexity of the system and its many components. However, with the right techniques, it is possible to identify and resolve issues quickly. In this article, we will discuss some of the top debugging techniques for Drupal that can help you troubleshoot your website more efficiently. We will cover topics such as using the Devel module, using Xdebug, and other helpful tips and tricks. With these techniques in hand, you'll be able to recognize and repair any problems on your Drupal site quickly.     Using the Devel Module for Debugging The Devel module is a powerful tool for debugging Drupal websites. It provides a suite of tools to help you quickly identify and resolve issues. The Devel module includes features such as the ability to view database queries, generate dummy content, and debug PHP code. It also has an API that allows developers to create custom debugging tools. Using the Devel module can be helpful when trying to identify the source of an issue. It can also be used to generate dummy content for testing purposes.     Utilizing Xdebug for Troubleshooting Xdebug is a powerful debugging tool that can be used to troubleshoot issues on Drupal websites. It provides detailed information about the code execution, including stack traces and variable values. This can help developers quickly identify the source of an issue and resolve it more efficiently. Xdebug also has features such as breakpoints, which allow developers to pause the execution of code at certain points to inspect the application's state. This can be helpful when trying to identify and fix complex issues.     Leveraging Drupal's Logging System Drupal's logging system is a powerful tool for debugging websites. It provides detailed information about the events that occur on the website, including errors and warnings. This can be helpful when trying to identify the source of an issue. The logging system also allows developers to set up custom log levels, which can be used to filter out unnecessary information and focus on specific types of events. This can help developers quickly identify and resolve issues.   Using the Drupal Console for Debugging The Drupal Console is a command-line interface that can be used to debug Drupal websites. It provides commands for inspecting the database, generating dummy content, and running tests. This can be helpful when trying to identify and fix issues quickly. The Drupal Console also has an API that allows developers to create custom commands for debugging purposes.   Have You Completed Your Drupal 10 Migration? The release of Drupal 10 marks a major milestone for the platform, and it is important to ensure that your website is up-to-date with the latest version. Migrating to Drupal 10 can be a complex process, but it is essential for ensuring that your website remains secure and performs optimally. When migrating to Drupal 10, it is important to test the website thoroughly and use debugging techniques to identify and resolve any issues. The Devel module, Xdebug, and Drupal's logging system can all be used to troubleshoot any problems that may arise during the migration process. Don't forget to ensure that all of the modules and themes used on the website are compatible with Drupal 10. It is recommended to use the Update Status module to check for any available updates and apply them before migrating to Drupal 10. Additionally, it is a good idea to create a backup of your website before beginning the migration process in case something goes wrong. By taking these steps, you can ensure that your website is properly migrated and running smoothly on Drupal 10.     Conclusion Debugging in Drupal can be a complex process, but with the right techniques, it is possible to debug your website faster and easier. If you need more advice on your next web development project or on your Drupal 10 migration, our team of experts is here to help you. Contact us for more details.   Photo credit: Unpslash.... Read more
Raluca Olariu / Jan 16'2023

Need a new Project?

Dare us to shape and boost your idea(s)!

Start a Project

(416) 243-2431

Contact

(416) 243-2431

Toronto Downtown

First Canadian Place,
100 King St. W. Suite 5700, Toronto

Toronto West

2275 Upper Middle
Rd. E, Suite 101
Toronto

New York

1177 Avenue of the
Americas, 5th Floor,
New York