WordPress hacked? First aid

In this article you will learn how to restore your hacked WordPress blog - more info in the WordPress tutorial from checkdomain.net

From the series "E-mails that nobody likes to receive": "Your WordPress page has been blocked. Reason: Malicious code has been infiltrated. Please remove it immediately". Unfortunately, checkdomain support also has to send such messages regularly, because hacked WordPress sites are not uncommon. In this article we show you how you can clean up your blog in a few steps and get it up and running again. So don't panic, take a deep breath and get to work on your site!

How do I know my site has been hacked?

Web hosters like checkdomain regularly check customer servers for malware. If anomalies are detected, the directory or infected application is automatically blocked. Customers are immediately informed by e-mail and asked to take care of the problem.

In addition to a mail from the provider, there are a number of other indications of a hacker attack:

  • The website is difficult to read because umlauts and special characters are no longer displayed correctly.
  • When logging into the dashboard of the blog, the sentence "hacked by..." suddenly appears.
  • Hackers often also leave their traces in the metadata of the page.

If you notice any of these signs on your WordPress blog, take immediate action to limit the damage.

Step 1: Take the WordPress site offline

Hacked sites are often misused to distribute spam or malicious code. Anyone can become a victim of such an attack, from a small newcomer to a large well-known blog. Hackers usually don't have a specific site in their sights, but aim to spread their malware as widely as possible. To do this, they attack websites that have security gaps.

If your WordPress site has not already been taken offline by the provider, you must do so as soon as you detect the infection. As the domain owner of the hacked system, you are liable for all possible damages, such as loss of personal data. If the worst comes to the worst, you have to prove that you acted "without culpable hesitation".

In addition, Google quickly removes affected pages from the index so that no other users or pages are affected. You can prevent all this by temporarily blocking your own site from the public.

Block your site yourself with a plugin

If you still have access to the admin area, installing a maintenance mode plugin is the fastest and easiest solution. For example, download WP Quick Maintenance from the WordPress plugin directory and activate the maintenance mode - from now on visitors will only see a maintenance notice. Of course you can also create a different error page. In general, be sparing with information about the hacker attack so as not to damage the reputation of your site.

In maintenance mode: An appropriate plugin is the fastest solution to block hacked pages. Screenshot: S. Cantzler

Step 2: Preservation of evidence

Even if it sounds absurd at first sight, save a backup of the hacked WordPress website including the database. Why? Quite simply, so that you can secure evidence if you want to report the hacker attack or file claims for damages. Do not save the backup on your computer, but on an external storage medium, isolated from other files.

Step 3: Trojan scan

Next you should check whether your computer has been hacked as well as your WordPress site. If so, the attacker probably spied out your passwords this way. So that the attacker does not simply receive all your changes as well, use a virus protection program (updated beforehand) to search for Trojans and remove them if necessary.

The ECO-Verband der Internetwirtschaft offers free programs for this purpose that can be used to remove various types of malware from your computer.

Step 4: Change all passwords

Since you don't know exactly if or which of your passwords have been spied out, you should change all passwords to prevent unauthorized access.

The following must be changed in any case:

  • Passwords of WordPress users
  • FTP passwords and SSH access (if applicable)
  • Passwords of your MySQL databases
  • Web hosting passwords
  • Email passwords

We have put together some tips for secure passwords for you here.

Step 5: Find malicious code

This is where the often tedious search for clues begins: you must try to locate the point of attack. Was it via the WordPress core, i.e. a security hole in WordPress itself? Via the theme or a plugin?

The search can be done manually or automatically. A manual search requires a fair amount of experience and usually a lot of time. You check files and directories for conspicuous patterns and modification dates. Often files like index.php in the root or header.php in the theme folder are changed and malicious code is added.
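The manual check described above (conspicuous patterns and modification dates) can be partly scripted. The following is an added example, not part of the original article: the three patterns, the file extensions and the 30-day window are assumptions, and the sample tree is constructed with a harmless payload.

```python
import os
import re
import tempfile
import time
from pathlib import Path

PHP_EXT = {".php", ".phtml", ".php5", ".inc"}
# Assumed heuristics for "conspicuous patterns"; every hit needs manual review.
SUSPICIOUS = {
    "eval-of-decoded-data": re.compile(
        rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "code-run-from-request": re.compile(
        rb"(?:eval|assert|system|passthru|shell_exec)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)"),
    "long-encoded-literal": re.compile(rb"[A-Za-z0-9+/]{400,}"),
}

def scan(root, days=30, now=None):
    """Return {relative path: [reasons]} for PHP files that deserve a closer look."""
    root = Path(root)
    cutoff = (time.time() if now is None else now) - days * 86400
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PHP_EXT:
            continue
        reasons = ["recently-modified"] if path.stat().st_mtime >= cutoff else []
        data = path.read_bytes()
        reasons += [name for name, rx in SUSPICIOUS.items() if rx.search(data)]
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings

def demo():
    """Scan a small constructed tree (sample data, harmless payload)."""
    now = time.time()
    samples = {  # relative path: (content, age in days)
        "index.php": (b"<?php require __DIR__ . '/wp-blog-header.php';", 2),
        "wp-content/themes/demo/header.php": (b"<?php eval(base64_decode('ZWNobyAxOw=='));", 400),
        "wp-content/themes/demo/footer.php": (b"<?php wp_footer(); ?>", 400),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, (body, age_days) in samples.items():
            f = Path(tmp) / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(body)
            os.utime(f, (now - age_days * 86400,) * 2)  # backdate the sample file
        return scan(tmp, days=30, now=now)

if __name__ == "__main__":
    print(demo())
```

Run `scan()` on a downloaded copy of the site (for example the evidence backup from Step 2) rather than on the live server; an attacker can reset modification dates, so a clean date alone proves nothing.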

Much easier are automatic malware scans, which are also possible via plugin. In his blog post on hacked websites, Arne has created a list of tools that help in the search for malicious code. He also gives concrete tips on how to identify malicious code in the script.

And once you've found what you're looking for and removed the malware, it's time to close security gaps - for example, through regular updates and good passwords.

Good to know: Hackers are often only successful because website operators are too complacent. Even basic security measures such as regular updates of plugins or themes are not carried out. In fact, many premium themes, for example, do not have automatic updates - updates have to be done manually. Sometimes even plugins bundled with themes are obsolete and therefore a security risk. Or passwords like "12345" or "Admin" are used.

Security holes occur most often in plugins and themes, while the WordPress core itself very rarely has them. The WordPress community usually reacts very quickly to these problems. It is crucial that you always keep your applications up to date and install security patches regularly.

Step 6: Reinstall WordPress

Depending on where the attack occurred, it may be sufficient to simply upload the WordPress core again - without having to restore the content via backup. To reinstall WordPress, upload the folders wp-admin and wp-includes, as well as all files in the WordPress root.

Are you unsure whether the new WP installation will suffice? Then play it safe, delete all content in your webspace and upload WordPress again, including themes, plugins and content. This step is difficult, but may save you a lot of new trouble, because attackers often leave behind well-camouflaged backdoor scripts that they can use to gain access to your system again later. Complete cleaning protects you from this.
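To judge whether re-uploading the core is enough, you can compare the site against a fresh copy of the same WordPress version. The following is an added example, not part of the original article: the function names, the `wp-config.php` allowance and the constructed sample trees are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")  # directories re-uploaded in Step 6
ROOT_ALLOWED = {"wp-config.php"}         # site-specific file, not in a release

def sha256_tree(root):
    """Map relative path -> SHA-256 hex digest for every file below root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_core(site, clean):
    """Compare a site copy with a clean WordPress release of the same version."""
    site_h, clean_h = sha256_tree(site), sha256_tree(clean)
    modified = sorted(p for p in clean_h if p in site_h and site_h[p] != clean_h[p])
    def is_unexpected(p):
        # Extra files in core directories, or stray PHP scripts in the root
        in_core_dir = p.split("/")[0] in CORE_DIRS
        stray_root_php = "/" not in p and p.endswith(".php") and p not in ROOT_ALLOWED
        return p not in clean_h and (in_core_dir or stray_root_php)
    return {"modified": modified, "unexpected": sorted(filter(is_unexpected, site_h))}

def write_tree(root, files):
    for rel, body in files.items():
        f = Path(root) / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(body)

def demo():
    """Constructed trees standing in for a clean release and a hacked site."""
    clean = {"index.php": b"<?php // front controller",
             "wp-admin/admin.php": b"<?php // admin",
             "wp-includes/version.php": b"<?php $wp_version = 'x';"}
    site = dict(clean)
    site.update({
        "index.php": clean["index.php"] + b"\n/* injected line */",
        "wp-includes/wp-tmp.php": b"<?php // file the release does not ship",
        "wp-stats.php": b"<?php // stray script in the root",
        "wp-config.php": b"<?php // legitimate site configuration",
        "wp-content/uploads/photo.jpg": b"\xff\xd8 constructed image bytes",
    })
    with tempfile.TemporaryDirectory() as c, tempfile.TemporaryDirectory() as s:
        write_tree(c, clean)
        write_tree(s, site)
        return compare_core(s, c)

if __name__ == "__main__":
    print(demo())
```

Themes, plugins and uploads under wp-content are not covered by this comparison and still need their own check. Where WP-CLI is available, `wp core verify-checksums` performs a comparable check of core files against the official checksums.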

The UpdraftPlus WordPress Backup Plugin allows full backups, both manual and scheduled. The backup is done via Dropbox, Google Drive, Rackspace, FTP, SFTP or E-Mail. Screenshot: S. Cantzler

Very helpful in this case is a backup of your blog, which of course should date from before the hacker attack. Web hosting packages from checkdomain are backed up automatically and regularly. For security reasons you should also create your own backups of your WordPress site and save them separately. Various plugins, such as the UpdraftPlus WordPress Backup Plugin, can help you create backups.

If you don't have a secure backup available, you have no choice but to upload all content including databases and images again.

Step 7: Unlock your WordPress page

All first aid steps done, no more malware to find and your site is running again? Then you can unlock it. If it has been blocked by your provider: Contact your provider and tell them that the malicious code has been removed. If you have taken your site offline yourself, deactivate the plugin for maintenance mode or remove your own blocking, for example via directory protection. Now you have to apply to Google for a new check so that your page is included in the index again. You can read about the steps you need to take here. Done!

Safety tips for the future

To make life difficult for hackers on your WordPress site in the future, here are a few short security tips:

  • Use secure passwords (at least eight characters long, composed of upper and lower case letters, numbers and special characters).
  • Do not use generic usernames: User names such as admin or e-mail addresses are a friendly invitation for hackers. Choose a different username. To do this, go to your WordPress dashboard, click the Users menu item, and then click Add New. Create a new, secure name and give it the role of administrator.
  • Change the URL for your WordPress login: You can customize the default path www.deinedomain.de/wp-admin/ with appropriate plugins. Create a directory protection for the administration area.
  • Make regular backups and store them on a separate storage medium.
  • Scan your site for malware at regular intervals - there are also plugins to support this, such as Wordfence.
  • In general, the following rule applies to plugins: As many as necessary, but as few as possible.

With our first aid instructions you should be able to recover from the hacker attack quickly. Nevertheless, be thorough in your malware search and always keep your WordPress up to date.
