Clean hacked WordPress website? In this blog tutorial, we’ll guide you through the steps to clean and secure a hacked WordPress website.
In most cases, website hacks are not carried out by individual attackers, but by automated bot networks that scan for vulnerabilities. These bots infiltrate your site to inject malicious content and insert backlinks for their own benefit.
Leading Causes of Hacked WordPress Sites
- Outdated WordPress Core, Themes, or Plugins
- Failure to update the WordPress core, themes, or plugins leaves sites exposed to known vulnerabilities.
- Use of Nulled Themes and Plugins
- Nulled themes and plugins are one of the leading causes of hacked WordPress sites because they often contain hidden malware, backdoors, and malicious code that compromise security, making sites highly vulnerable to attacks.
- Weak Passwords
- Simple or reused passwords make it easier for hackers to brute-force their way into accounts, especially admin accounts.
- Insecure Web Hosting
- Shared hosting environments with poor security measures can lead to cross-site contamination, where one vulnerable site affects others on the same server.
- Lack of SSL Encryption
- Sites without HTTPS (SSL certificates) are vulnerable to man-in-the-middle attacks, where hackers can intercept sensitive data.
- Insecure Plugins or Themes
- Using plugins or themes from untrusted or unverified sources may introduce malicious code into the site.
- File Permissions Misconfigurations
- Improper file permissions on the server can allow unauthorized access to sensitive files and folders, making it easier for attackers to exploit them.
- Malware or Phishing Attacks
- Downloading compromised files or falling victim to phishing can lead to malicious code being injected into the site.
- SQL Injections or Cross-Site Scripting (XSS)
- Poorly coded forms, search boxes, or comment sections can be exploited by hackers to inject malicious SQL or scripts, gaining access to the site’s database.
- Default Admin Usernames
- Using default usernames like ‘admin’ makes it easier for hackers to guess login credentials, increasing the risk of brute-force attacks.
How to clean hacked wordpress website?
The first step to clean hacked wordpress is to replace all WordPress core files, theme files, and plugin files with fresh copies from the official WordPress repository. This ensures that any compromised or altered files are restored to their original, secure state.
For the following steps you need to login to ssh.
1. Replace WordPress Core Files
The first step in cleaning your site is to replace the core WordPress files with fresh, uninfected ones from the official repository.
Steps:
- Delete the
wp-admin
andwp-includes
directories. - Remove all
.php
files in the root directory except forwp-config.php
. Be cautious and also look for any suspicious files that shouldn’t be there. - Download the latest WordPress core files from the repository:
wp core download --force
This command ensures that a fresh, clean version of WordPress is downloaded and replaces the old core files.
2. Reinstall All Plugins
Hacked sites often have compromised plugins, especially if they’re outdated or from untrustworthy sources. Reinstall all plugins to ensure they are clean versions.
Steps:
- Use the following command to force reinstall all active plugins:
wp plugin install $(wp plugin list --field=name) --force
This command reinstalls each plugin, ensuring fresh, secure copies are in place.
3. Scan and Remove Malware
After replacing the core files and plugins, it’s crucial to scan your site for malware or any remaining malicious code. Use security plugins like Wordfence or Sucuri to perform a full site scan.
Steps:
- Install a security plugin:
wp plugin install wordfence --activate
- Run a full malware scan to identify and remove any infected files or suspicious code.
- Follow the plugin’s instructions to clean up any malicious files found during the scan.
It is suggested that you set WordFence to high-sensitivity.
Malware removal helper bash script by WPLH:
This script is designed to help maintain and clean hacked WordPress site, with a focus on malware removal. It automates several tasks without needing root access, making it safe to run as a regular user. Here’s a summary of what it does:
- Checks for WP-CLI and jq: If these tools (used for managing WordPress and parsing JSON) aren’t installed, the script automatically downloads and installs them for you.
- WordPress Health Check: It verifies if your WordPress installation is functional. If not, it advises you on fixing common issues.
- Remove Non-Core Files: The script can clean up your WordPress installation by deleting PHP files that don’t belong to the WordPress core, which could be potential malware.
- Update WordPress Core: You have the option to either update to the latest WordPress version or keep the current one.
- Plugin and Theme Management:
- It can uninstall inactive plugins.
- It offers to remove unwanted folders from the
wp-content/plugins
directory. - You can choose to reinstall plugins, either keeping the same versions or updating to the latest.
- It also offers to reinstall all WordPress themes.
- Clean Uploads Directory: It provides an option to remove any PHP files in the
wp-content/uploads
directory, which could be used by hackers. - Admin User Management: The script can create a new admin user and remove all existing ones, reassigning their posts to the new user. This is useful if you suspect any of your admin accounts are compromised.
This script provides a step-by-step guide and prompts you for confirmation before performing actions, ensuring that you are in control throughout the process.
wget https://pastebin.com/raw/8Gw8f6eR > removal.sh
bash removal.sh
If you are unsure say yes to all prompts.
This steps should help you fully clean hacked wordpress website.
Finally, once you clean hacked wordpress site is cleaned, it’s crucial to implement stronger security measures to prevent future hacks. Regularly updating your WordPress core, themes, and plugins is essential, along with using strong, unique passwords for all accounts. Additionally, consider enabling two-factor authentication (2FA), configuring a firewall for added protection, and ensuring that your hosting provider offers robust security features. By maintaining these best practices, you can significantly reduce the chances of future breaches and keep your website secure.
In addition to the security measures mentioned, it’s highly recommended to schedule regular backups of your website. Backups should be stored offsite to ensure that in the event of another attack, you can quickly restore your site to a clean state without losing any data. You can use plugins or hosting services that offer automated backups and monitoring. Regularly auditing your site for any unusual activity, unauthorized users, or unexpected changes will help you detect potential threats early, allowing you to take immediate action to safeguard your website.