WordPress is the world’s most popular software for creating web sites, and chances are that you have made your web site in WordPress.

This popularity comes with one drawback, though: WordPress is the target of many hackers, and it is not rare to see a WordPress site infected with malware. Malware damages your and/or your business’s reputation and could get you into other trouble too, such as your web hosting company banning or suspending your web site.

How to identify a hacked WordPress web site

  • When you visit the web site, you might see that its content has been altered, or that the site is entirely broken, with missing styles, images and text.

  • The site might redirect you to a completely unrelated web site.

  • Your web hosting company will tell you that your web site has been sending out spam email.

  • Your web site may not load at all.

  • Your web site will load but will be extremely slow.

  • Your web hosting company will tell you that your web site is using server resources heavily and often reaches its limits.

  • You notice that your Google rankings drop.

Prevention is always better than cure, isn’t it? Let us look at the ways in which we can prevent our WordPress web sites from being hacked or infected with malware.

Preventive measures

  • Install and maintain a popular, top-rated security/firewall plugin, such as Wordfence. Make sure you configure it for maximum safety; you can consult the plugin documentation for this.

  • Always use top-rated and frequently updated plugins and themes.

  • Use a site monitoring tool like Pingdom so you immediately know when your site goes offline and you can take action before the hack spreads.

  • Use strong passwords, not generic, easy-to-remember ones. https://passwordsgenerator.net/ is a web site that lets you generate strong and random passwords. If possible, change your passwords at least every 3 months.

  • Keep your WordPress version, themes and plugins always up to date.

  • Change your WordPress login URL; WPS Hide Login is the plugin you need for this.

  • Change your administrator user’s user name from the default ‘admin’ to a random name.

  • Make sure your files and folders have correct ownership and permission settings; your hosting company can help you with this.

  • Always keep backups.

  • Last but not least, choose a reputable web hosting company that is on your team and constantly monitors and upgrades its servers and services. We at Webhostpython care for your web site’s security and can help you with configuring your web sites to be more secure.

Even if we always keep our web site updated and have all the tools and settings in place, our WordPress site can still get hacked and infected with malware. In that case we need to act quickly and get rid of the malware. Let us look at what we can do to clean up WordPress sites when they are compromised. Before anything else, please change all your passwords!

Cleaning up compromised WordPress sites

  • The easiest and quickest method applies if you know the date and time the hack took place: archive the site in its current state, restore the site from the most recent backup taken before the hack, and then make sure the site is further secured and that any pending updates are installed. You can use the archived, hacked version of the site to analyze where it got infected, identify the offending plugin or theme files, and take action.

  • Most often, we have seen that infections edit the core WordPress files. The most common ones are the index.php, wp-config.php and wp-settings.php files. At the top of these files, or anywhere else in them, you might see random, cryptic code, which you should remove.

[Image: WordPress header.php hack]

  • The next step is to identify the main source of the attack, in case it is a plugin that we use. To do this, open the error_log file and check whether it lists any plugin names; chances are that the listed plugin(s) are where the attack originated. Then delete those plugin folder(s) from the wp-content/plugins/ folder and install the updated version later. You can also open the wp-content/plugins/ folder to see which plugins were most recently modified.

  • If you are not able to identify the infected plugin, the best bet is to delete all of them and reinstall them later, after the following step.

  • Download the correct version of WordPress and replace your site’s wp-includes and wp-admin folders with the corresponding folders from the download. You can open the wp-includes/version.php file to determine your current WordPress version. Also replace the files whose names start with wp- in your root folder (wp-settings.php and the like). Finally, copy and paste the following default WordPress .htaccess code into your current .htaccess file, replacing its contents.

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

  • After the above steps are carried out, please log into your WordPress backend and update all your plugins and themes as well as the WordPress version.

  • If you are unable to access your WordPress backend or if the site is still down/infected with malware, you can contact your web host for support.
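
The manual checks in the cleanup steps above (plugin names in error_log, most recently modified plugin folders, core files that no longer match a clean download) can be scripted. The following is an added example, not code from the original article or from WordPress; the function names and sample log lines are made up for illustration, and `clean_root` is assumed to be an unpacked, freshly downloaded copy of the same WordPress version.

```python
import hashlib
import re
from collections import Counter
from pathlib import Path

# Constructed sample of PHP error_log lines; paths and plugin names are made up.
SAMPLE_ERROR_LOG = """\
[12-Mar-2024 04:11:02 UTC] PHP Warning:  Undefined variable $x in /home/user/public_html/wp-content/plugins/example-slider/inc/upload.php on line 44
[12-Mar-2024 04:11:05 UTC] PHP Fatal error:  Uncaught Error in /home/user/public_html/wp-content/plugins/example-slider/inc/upload.php:51
[12-Mar-2024 04:12:40 UTC] PHP Notice:  Trying to access array offset in /home/user/public_html/wp-content/plugins/example-forms/form.php on line 9
[12-Mar-2024 04:13:00 UTC] PHP Warning:  include(): Failed opening 'x.php' in /home/user/public_html/wp-settings.php on line 3
"""
PLUGIN_PATH = re.compile(r"wp-content/plugins/([^/\s:]+)/")

def plugins_in_error_log(log_text):
    """Count error_log lines per plugin folder, most frequently named first."""
    hits = Counter()
    for line in log_text.splitlines():
        hits.update(set(PLUGIN_PATH.findall(line)))  # one hit per line per plugin
    return hits.most_common()

def plugins_by_last_change(plugins_dir):
    """List (plugin folder, newest file mtime) pairs, most recently modified first."""
    result = []
    for folder in Path(plugins_dir).iterdir():
        if folder.is_dir():
            mtimes = [f.stat().st_mtime for f in folder.rglob("*") if f.is_file()]
            result.append((folder.name, max(mtimes, default=folder.stat().st_mtime)))
    return sorted(result, key=lambda item: item[1], reverse=True)

def changed_core_files(site_root, clean_root, subdirs=("wp-admin", "wp-includes")):
    """Return (modified, extra) core files relative to a clean copy of the same version."""
    digest = lambda p: hashlib.sha256(p.read_bytes()).hexdigest()
    modified, extra = [], []
    for sub in subdirs:
        for f in sorted((Path(site_root) / sub).rglob("*")):
            if not f.is_file():
                continue
            rel = f.relative_to(site_root)
            clean = Path(clean_root) / rel
            if not clean.is_file():
                extra.append(rel.as_posix())     # exists only on the site
            elif digest(f) != digest(clean):
                modified.append(rel.as_posix())  # contents differ from clean copy
    return modified, extra

if __name__ == "__main__":
    print(plugins_in_error_log(SAMPLE_ERROR_LOG))
```

Run it against the archived copy of the hacked site rather than the live one; files reported as extra in wp-admin or wp-includes deserve attention because a stock WordPress release ships nothing beyond what the clean download contains.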