WordPress Site Hacked

From Hostek.com Wiki
Jump to: navigation, search

IMPORTANT NOTE: Be sure to keep your WordPress install up to date AND keep your themes and plugins up to date.


Introduction

This article explains what to do if your WordPress site is compromised by a hacker and how to resolve the issue. If you find that the steps in this article are too technically challenging, please contact our support team and explain the situation; and we can offer assistance with getting your site back to normal.


Causes

The following are the most common way that a WordPress site gets compromised:

  • Your desktop or laptop computer gets a virus/spyware/malware application installed, and that application records your login keystrokes on the WordPress site(keylogger) and sends the username/password to the hacker.
  • The WordPress site contains a theme with a vulnerability
  • The WordPress site contains a plugin with a vulnerability


Remedy

Below are some steps you can take to fix your WordPress site:

  1. Move everything except the /wp-config.php file into a backup directory (you can name it something like /Quarantine or /OLD)
  2. Create a backup of your MySQL database through PHPMyAdmin (Accessible from your hosting control panel)
  3. NOTE: Steps 1 and 2 are critical. If anything goes wrong, the backup of your site files and database will allow you to revert the changes.
  4. Download the latest version of WordPress here: https://wordpress.org/download/
  5. Upload the files and folders from the latest version of WordPress that you downloaded. This should replace the /wp-admin, /wp-includes, index.php, etc. that you moved to the backup folder in the first step.
  6. Edit your wp-config.php file and ensure nothing bad was added by the hacker (this can often be a snippet of code added to the beginning or end of the file that shouldn't be there. If you are unsure, compare the wp-config.php file with the wp-config-sample.php that came with version of WordPress you downloaded in step one)
  7. Update the MySQL database password and place the new password in the wp-config.php file because the hacker may have gotten the old password
  8. Log into the WordPress admin (/wp-login.php) and navigate to the 'Users' section. The hacker may have added some additional users to your site so you should delete any users that you did not add.
  9. Update the password for all of the valid WordPress users in-case that is how the hacker got into the site
  10. Go to the 'Settings'->'Permalinks' page and click 'Save'. This will re-create your .htaccess(Apache) or web.config(IIS) file.
  11. Copy everything from your old /wp-content/Uploads folder into your new /wp-content folder. This will bring over any images, audio, and video that were previously uploaded to your site.
  12. Re-install any plugins and themes you were using on the site. If you had made modifications to your theme or plugins and need to bring the files over from the backup of the site, be very careful. The hacker may have injected bad code into your old theme and/or plugin files that will allow them to get back into the site. You should only move over files that are absolutely necessary and check the content of those files for anything suspicious.


Adding extra security

These are some extra steps you can take to lock down your WordPress installation.

  • Disable file editing through the WordPress by adding "define('DISALLOW_FILE_EDIT', true);" to your wp-config.php file - reference: [1]
  • Disable direct script execution in both your /wp-content and /wp-includes directories. The PHP files in these directories should only be used via includes from the core WordPress code and not directly.
  • Add Basic authentication to your /wp-admin directory. This will cause your administrator section to require a double-login, but it adds an extra layer of security to your WordPress admin dashboard.


Additional considerations

Here are some additional considerations to take after an event.

  • Scan the desktop or laptop computer you use to administer the site for malware.
  • Update your FTP password.


More Information

https://codex.wordpress.org/Hardening_WordPress
https://codex.wordpress.org/FAQ_My_site_was_hacked