When your WordPress site is compromised, the burning question is: “how do I fix and protect my hacked WordPress website?” You need answers fast. This straightforward guide cuts through the panic, offering clear, concise steps to recover your site and shield it against future security threats.
Let’s jump into action and secure your website. Remember, attackers target not only large and well-known websites but also small, low-traffic ones: most WordPress compromises come from automated scans that look for vulnerable software, not for famous brands.
Key Takeaways
- When a WordPress site is hacked, immediately change all passwords, assess the extent of the damage and put the site into maintenance mode to protect visitors.
- Use malware scanners like Wordfence or Sucuri to locate and remove malicious code, check the core WordPress files manually against a clean copy, and clean infected files, restoring from a backup if necessary.
- After cleaning the site, restore from backups, reinstall WordPress core and plugins, verify with Google Search Console, enhance security (e.g., with WAF and regular updates), and communicate with users about the breach and ongoing security efforts.
How Do I Know If I’ve Been Hacked?
There are a number of ways to tell if your website has been hacked. Among the most common are being redirected to another site when you open yours, or seeing a 403 Forbidden error when you try to access it (hosting providers often lock a site this way after their own scanners detect malware). The signs differ from website to website, but if the appearance of your website has changed or you are unable to access it, your site has probably been compromised.
If your site has been hacked, you may also receive a message in Google Search Console (formerly Google Webmaster Tools) or see a “This site may be hacked” warning under your website’s listing in Google search results.
Immediate Actions For A Compromised WordPress Site
Being hacked is a nightmare for any website owner. The shock and panic can be overwhelming, but the key is to act quickly. Here’s what you should do if your WordPress site is compromised, as well as some tips for dealing with hacked WordPress sites in general.
What To Do Next
Firstly, you’ll need to regain access to your website from your own computer. If the site has been locked down (by your host, or by you) with a ‘deny from all’ rule, you will need your public IP address: the address your home or office network presents to the internet, not the private address of the device itself. You can find it simply by visiting www.whatismyip.com.
Write down your public IP as you’ll need to reference it later on. Be aware that on mobile connections, and on some broadband providers that use carrier-grade NAT, this address can change from day to day, so re-check it if you suddenly lose access again.
Allowing Your IP Access
To allow your IP to access your website you will need to make a small change to your .htaccess file. Locate the ‘File Manager’ in your web hosting control panel, open your ‘public_html’ folder (the folder may be named differently, as it varies between hosting providers) and then open the ‘.htaccess’ file in the web root.
The ‘deny from all’ line is what is blocking users from visiting your website. To grant yourself access, add ‘allow from YOUR.IP.ADDRESS’ directly below ‘deny from all’. Note that ‘deny from’ and ‘allow from’ are the Apache 2.2 syntax; on Apache 2.4 they only work if the host has enabled the compatibility module, and the native form is ‘Require ip YOUR.IP.ADDRESS’.
Once saved, only requests coming from that IP address will reach your WordPress admin panel (anyone else sharing that address, for example on the same office network, gets in too). Now that you have access to your admin panel, you can take steps to identify and remove malicious content from your website. To do this, we recommend that you download and install the Wordfence plugin, one of the best anti-malware plugins, which scans your website for issues.
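The .htaccess rule as it would look with a placeholder address, as an added example that is not from the original article. 203.0.113.42 is a documentation address; substitute your own public IP. The upper form is the Apache 2.2 syntax the steps above describe; the lower form is the native Apache 2.4 syntax, which current hosts prefer and which you should use instead of, not alongside, the 2.2 lines.

```apache
# .htaccess in the web root while the site is locked down for clean-up.

# Option A: Apache 2.2 syntax. On Apache 2.4 this only works when the host
# loads mod_access_compat, otherwise the server answers 500 for every request.
Order deny,allow
Deny from all
Allow from 203.0.113.42

# Option B: Apache 2.4 syntax (remove the three lines above if you use this).
# Everyone not listed receives 403 Forbidden.
# Require ip 203.0.113.42
```

If you see a 500 Internal Server Error immediately after saving, the host is running Apache 2.4 without the compatibility module: switch to the ‘Require ip’ form. Remove the restriction again only after the clean-up is complete.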
Additional Measures: Secondary Scan
In case Wordfence doesn’t find any malware, you can run your website through a second scan using Sucuri, an excellent third-party company that specialises in malware detection. This will hopefully flag up any suspicious elements on your site.
Change All Your Passwords Immediately
The very first action you should take when you discover your WordPress site has been hacked is to change all your passwords, including your WordPress password. This covers not only your WordPress admin password but also the passwords for:
- your FTP
- cPanel
- database
- email linked to the WordPress site
Changing passwords immediately can prevent further unauthorised access and contain the breach. Two things a password change alone does not do: it does not log out sessions the attacker already holds, which requires rotating the secret keys and salts in wp-config.php so that every existing login cookie becomes invalid, and it does not remove administrator accounts the attacker created, so review Users → All Users and delete any you do not recognise.
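A small script that rotates the eight secret keys and salts in wp-config.php, as an added example that is not part of the original article. It assumes the standard constant names WordPress ships (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their _SALT counterparts) written as ordinary single- or double-quoted define() calls, and it leaves every other define() such as DB_NAME untouched. The sample config inside the test is constructed.

```python
"""Rotate the WordPress secret keys and salts in wp-config.php so that every
existing login cookie (including any the attacker holds) becomes invalid."""
import re
import secrets
import shutil
import string

# The eight constants WordPress uses to sign login cookies and nonces.
WP_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
           "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

DEFAULT_PLACEHOLDER = "put your unique phrase here"  # value in a fresh wp-config-sample.php

# Same character classes WordPress's own generator uses; no quotes or backslashes,
# so the value can sit inside a single-quoted PHP literal without escaping.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_ []{}<>~`+=,.;:/?|"

# Matches define( 'NAME', 'value' ); with either quote style and loose spacing.
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<name>[A-Z_]+)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)\s*;"""
)


def new_secret(length: int = 64) -> str:
    """A cryptographically random secret drawn from ALPHABET."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def has_default_salts(config: str) -> list[str]:
    """Names of keys still set to the placeholder value (a finding in itself)."""
    return [m.group("name") for m in DEFINE_RE.finditer(config)
            if m.group("name") in WP_KEYS and m.group("value") == DEFAULT_PLACEHOLDER]


def rotate_salts(config: str) -> tuple[str, dict[str, str]]:
    """Return the rewritten wp-config.php text and the new value of each key."""
    replaced: dict[str, str] = {}

    def substitute(m: re.Match) -> str:
        name = m.group("name")
        if name not in WP_KEYS:          # DB_NAME, WP_DEBUG, ... stay as they are
            return m.group(0)
        replaced[name] = new_secret()
        return f"define('{name}', '{replaced[name]}');"

    return DEFINE_RE.sub(substitute, config), replaced


def rotate_file(path: str) -> dict[str, str]:
    """Rotate the keys in the file at `path`, keeping a copy as path + '.bak'."""
    with open(path, encoding="utf-8") as f:
        original = f.read()
    shutil.copyfile(path, path + ".bak")
    updated, replaced = rotate_salts(original)
    with open(path, "w", encoding="utf-8") as f:
        f.write(updated)
    return replaced


if __name__ == "__main__":
    import sys
    changed = rotate_file(sys.argv[1])
    print(f"rotated {len(changed)} keys: {', '.join(sorted(changed))}")
```

Run it as `python rotate_salts.py /path/to/wp-config.php`; every logged-in user, yourself included, is signed out on the next request. Delete the `.bak` copy once you have confirmed the site still loads, since it contains the old secrets.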
Assess The Extent Of The Damage
After securing your accounts, the next step is to evaluate the extent of the damage. Look out for any of the following signs that your WordPress site has been compromised:
- Sudden traffic drops
- Unauthorised changes to your homepage
- Internal server errors
- Security alerts from browsers
If you notice any of these signs, it’s important to take immediate action to address the security breach.
Contact your web hosting provider to assist in the investigation of the breach.
Enter Maintenance Mode
Upon confirming a hack, safeguarding your visitors from the compromised content becomes crucial. Enter maintenance mode using a plugin like Coming Soon Page & Maintenance Mode or through the WordPress admin dashboard. This keeps the public from viewing your compromised site while you work on fixing it. Bear in mind that a maintenance page only hides the front end from visitors; it does not stop an attacker who still has a backdoor or valid credentials, which is why the password and key changes above come first.
Scanning & Removing Malicious Code
Once immediate actions have been taken, you must locate and remove any malicious code from your site. There are several ways to do this, from using malware scanners to manually inspecting core WordPress files. We’ll delve deeper into these options.
Choose The Right Malware Scanner
To effectively scan your site for malware, you need the right tools. Wordfence and Sucuri are two highly recommended malware scanners for WordPress. They provide customisable scanning, schedule settings and performance adjustments. If you can’t install a plugin, web-based scanners such as Sucuri SiteCheck can also be used, but they only see what the site serves publicly, so they can miss backdoors that are not linked from any page, and they cannot remove what they find.
Manual Inspection Of Core WordPress Files
Although using a malware scanner is efficient, you shouldn’t overlook the importance of manually inspecting your WordPress core files for signs of tampering. Download a fresh copy of the same WordPress version from wordpress.org and compare it with your installation: every core file should match byte for byte, and any file present in your wp-admin or wp-includes directories that the clean copy does not contain is suspect. If you have shell access, ‘wp core verify-checksums’ (WP-CLI) performs the same comparison against the official checksums. Check the database tables too (unknown admin users in wp_users, injected scripts in wp_posts and wp_options), and be extra cautious with wp-config.php, which attackers use to load code on every request.
Cleaning Infected Files
Upon identifying the infected files, the next step is to clean up. You can do this manually by cleaning hacked database tables and by checking for recently modified files, which is often the quickest way to find everything the attacker touched in one pass. If manual cleaning is insufficient, restoring the entire WordPress installation from a clean backup taken before the compromise might be necessary.
Remember to reinstall a clean copy of the WordPress theme rather than editing the infected one, and to remove any malicious code from the wp-config.php file.
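A script that performs the three manual checks described above (compare the install against a clean reference copy, list recently modified files, and grep PHP files for common webshell markers), as an added example that is not part of the original article. It assumes a clean copy of the same WordPress version has been unpacked into a reference directory, skips wp-content and the per-site files wp-config.php and .htaccess during the core comparison, and uses a constructed set of pattern heuristics: a hit is a lead to inspect, not proof of infection, and their absence is not proof of a clean site.

```python
"""Three manual integrity checks for a WordPress install: diff against a clean
reference copy, list recently changed files, and flag common webshell markers."""
import hashlib
import re
import time
from pathlib import Path

# Paths the core comparison skips because they legitimately differ per site.
SKIP_PREFIXES = ("wp-content/",)
SKIP_FILES = {"wp-config.php", ".htaccess"}

# Constructed heuristics: common in injected PHP, rare in legitimate code.
SUSPICIOUS = re.compile(
    rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\("
    rb"|preg_replace\s*\(\s*['\"].*?/e['\"]"                # /e modifier = code execution
    rb"|\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(",    # $_GET['x'](...) variable function
    re.IGNORECASE | re.DOTALL,
)
# .ico is included because attackers hide PHP in fake icon files that are then
# pulled in with include().
SCAN_SUFFIXES = {".php", ".phtml", ".inc", ".ico"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root: Path) -> dict[str, str]:
    """Map of relative path -> sha256 for every file under root, minus skips."""
    hashes = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if rel in SKIP_FILES or rel.startswith(SKIP_PREFIXES):
            continue
        hashes[rel] = sha256_of(p)
    return hashes


def compare_to_reference(live: Path, reference: Path) -> dict[str, list[str]]:
    """Core files that differ from, are missing from, or were never in the clean copy."""
    live_h, ref_h = tree_hashes(live), tree_hashes(reference)
    return {
        "modified": sorted(f for f in ref_h if f in live_h and live_h[f] != ref_h[f]),
        "missing": sorted(f for f in ref_h if f not in live_h),
        "added": sorted(f for f in live_h if f not in ref_h),  # core never ships these
    }


def recently_modified(root: Path, days: float) -> list[str]:
    """Files whose mtime is within the last `days` days (attackers rarely reset it)."""
    cutoff = time.time() - days * 86400
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if p.is_file() and p.stat().st_mtime >= cutoff)


def scan_for_markers(root: Path) -> list[str]:
    """Files (including wp-content) containing a SUSPICIOUS pattern."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in SCAN_SUFFIXES:
            if SUSPICIOUS.search(p.read_bytes()):
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


if __name__ == "__main__":
    import sys
    live_root, ref_root = Path(sys.argv[1]), Path(sys.argv[2])
    for kind, files in compare_to_reference(live_root, ref_root).items():
        print(f"{kind}: {files}")
    print("modified in last 7 days:", recently_modified(live_root, 7))
    print("suspicious markers in:", scan_for_markers(live_root))
```

Run it as `python wp_integrity.py /var/www/site /tmp/wordpress-clean`. Review the "added" and "suspicious" lists first; a file that is both recently modified and carries a marker is the usual place to start.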
Restoring Your WordPress Website
Having removed all malicious code, you can now focus on restoring your WordPress site to its previous state. This involves:
- Using a backup plugin to restore your site from a previous backup.
- Reinstalling WordPress core and plugins.
- Verifying your site with Google Search Console to ensure it is secure and free from malware.
Utilise A WordPress Backup Plugin
Having a recent backup of your WordPress site can be a lifesaver in the event of a hack. Regularly create backups of your site and database using WordPress plugins through your WordPress dashboard, and keep copies off the server (cloud storage or a download to your own machine), since an attacker with file access can delete backups stored alongside the site. When restoring, choose a backup taken before the compromise: a backup taken afterwards simply restores the backdoor.
WordPress site owners can choose popular options such as Duplicator Pro, UpdraftPlus, Jetpack and VaultPress Backup.
These plugins offer features like manual and scheduled backups, cloud storage and easy migration.
Reinstalling WordPress Core & Plugins
Upon restoring your site from a backup, it’s advisable to reinstall the WordPress core along with all plugins and themes. This is crucial as outdated or compromised plugins can leave your site vulnerable to future attacks.
To reinstall the core, navigate to Dashboard → Updates and click ‘Re-install Now’. This replaces the files in wp-admin and wp-includes and the root PHP files but does not touch wp-content, so delete each plugin and theme and reinstall it from wordpress.org (or the vendor) rather than updating in place, and remove any plugins and themes you no longer use.
Verify Your Site With Google Search Console
With your site cleaned and secured, the next step is verification with Google Search Console. Under Security Issues, request a review once the site is clean; this lifts the search blacklist and restores your site’s visibility. Check the list of verified owners for the property and remove any verification meta tags or HTML verification files that you did not add, since attackers verify themselves as owners to keep control of how the site appears in search, and resubmit a fresh sitemap using an SEO plugin like Yoast.
Strengthening Your Site Against Future Hacks
Overcoming a hack should prompt you to fortify your WordPress site against future attacks, for example with a reliable WordPress security plugin. The following are some practical measures you can take to ensure your site is less likely to fall victim again.
Regularly Update WordPress Installations
Keeping your WordPress core, themes and plugins up-to-date is one of the most effective ways to secure your site. Regular updates close security vulnerabilities and protect against hackers. Ensure automatic updates are enabled to maintain the latest versions.
Implement Advanced Login Security Measures
Implementing advanced login security measures such as two-factor authentication adds an extra layer of security to your site. This requires a second form of identification in addition to passwords, making it harder for unauthorised users to gain access.
Opt For Managed WordPress Hosting
Managed WordPress hosting provides specialised support and server optimisation specifically for WordPress websites. It typically includes server-level firewalls, malware scanning and automatic core updates, which reduces (but does not remove) the need for additional security plugins, and it simplifies measures like installing SSL certificates. Plugin and theme vulnerabilities remain your responsibility.
Enhancing WordPress Site Security
Now that your site has been restored and bolstered, consider taking extra measures to boost your WordPress site’s security. This includes hardening your .htaccess and wp-config.php files, deploying a Web Application Firewall (WAF), and conducting regular security audits.
Harden .htaccess & wp-config.php Files
Hardening your WordPress site involves:
- Securing your .htaccess and wp-config.php files from direct requests, so a misconfiguration never serves your database credentials to the browser
- Limiting access to the WordPress admin area to specific IP addresses
- Disabling the built-in theme and plugin file editor in wp-config.php (‘DISALLOW_FILE_EDIT’), so that an attacker who obtains an admin login cannot use it to plant PHP code
By implementing these measures, you can significantly increase your WordPress site’s security.
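The .htaccess fragments that implement the first two items, as an added example that is not from the original article. It assumes Apache 2.4 syntax and a host that allows .htaccess overrides; 203.0.113.42 and 198.51.100.0/24 are documentation addresses standing in for your own office or VPN range.

```apache
# --- in the web root .htaccess ---

# Never serve wp-config.php or any .htaccess file, whatever else goes wrong.
<Files wp-config.php>
    Require all denied
</Files>
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# --- in wp-admin/.htaccess ---

# Only these addresses may reach the dashboard. admin-ajax.php stays open
# because front-end themes and plugins call it for anonymous visitors.
<Files admin-ajax.php>
    Require all granted
</Files>
Require ip 203.0.113.42 198.51.100.0/24
```

The wp-admin restriction does not cover wp-login.php, which lives in the web root; a login from an unlisted address still succeeds but is then refused at the dashboard, so pair this with two-factor authentication and login attempt limiting rather than relying on it alone. If your address changes (mobile or CGNAT connections), you will lock yourself out and need to edit the file through the hosting control panel.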
Deploy A Web Application Firewall (WAF)
Deploying a Web Application Firewall (WAF) provides an extra layer of security to your site. A WAF intercepts HTTP requests before they reach WordPress and analyses them for rule violations, blocking request patterns typical of SQL injection, cross-site scripting (XSS), and known exploit attempts against vulnerable plugins, and a cloud-based WAF can also absorb application-layer flood (DDoS) traffic. It reduces the window between a vulnerability being published and your patching it, but it is not a substitute for updating.
Regular Security Audits
Conducting regular security audits is a good practice to identify and fix potential vulnerabilities. Regular malware scanning of your WordPress site is crucial and should be done at least monthly, with increased frequency during significant changes or after installing new plugins.
Recovery & Communication
Recovery from a hack is just part of the solution. It’s equally important to keep your users informed about the incident, your remedial actions, and measures you’re implementing to thwart future attacks.
We’ve published a new blog post on WordPress Recovery Mode and how to use it to fix your website, which guides users through resolving critical errors in WordPress. This post explains how to access recovery mode, troubleshoot common issues and restore your site quickly and efficiently.
Informing Your Users About The Hack
Transparent communication with your users is crucial after a security breach. Use several channels to inform them, such as email, phone, your website, social media and, for a large incident, a press release. State what happened, what data may have been affected and what users should do (for example, reset their password if they had an account), provide resources to assist affected individuals, and maintain communication about ongoing security efforts.
GDPR
If the breach involved personal data of users in the UK or EU (account details, customer records, form submissions), GDPR requires you to notify the supervisory authority (the ICO in the UK, or your national data protection authority) without undue delay and within 72 hours of becoming aware of the breach where it is likely to result in a risk to individuals, and to inform the affected individuals themselves where the risk is high. Keep a written record of what was found, when, and what you did about it, regardless of whether notification is required.
Monitoring For Aftereffects
Recovering from a hack isn’t a one-time event. It’s crucial to monitor for aftereffects to catch any residual issues and prevent further damage.
Re-scanning the site over the following weeks, reviewing access logs for requests to files you have removed (a sign the attacker is trying to return), keeping software updated and resubmitting your site to search engines are all part of this ongoing process.
Summary
In conclusion, securing your WordPress site is critical in today’s digital age. From immediate actions to long-term measures, each step plays a crucial role in ensuring your site’s security. Although being hacked is a daunting experience, with the right knowledge and resources, you can recover and fortify your site against future attacks.
Frequently Asked Questions
What steps can you take if your WordPress site is hacked?
After your WordPress site has been hacked, you should immediately reset passwords, update plugins, remove unauthorised users and unwanted files, and clean out your sitemap. Reinstall plugins, themes and WordPress core, and clean out your database if necessary to restore and protect your website.
How do I secure my WordPress site?
To secure your WordPress site, keep your themes and plugins updated, use strong and unique passwords, limit login attempts, enable two-factor authentication and regularly back up your site. Using a security plugin like iThemes Security can also enhance your site’s security.
Can someone hack my WordPress website?
Yes, despite the security measures taken, there is still a possibility of your WordPress website getting hacked. It’s important to regularly update plugins, the WordPress core, and theme files to minimise the risk.
How important is communication after a hack?
After a hack, communication is crucial to inform users about the breach and the steps taken to secure the site. It helps build trust and manage expectations.