Has your WordPress site been hacked and infected? We have got some basic advice on how to clean an infected site.
WordPress has become the world’s most popular content management system, but what about security? Because WordPress is used on so many websites, hackers are focusing on it. Automated scripts search for vulnerabilities 24/7. If they succeed and compromise your WordPress website, you face serious problems. Among other consequences, Google will display a message in search results warning potential visitors that your website might be compromised.
Steps required to clean a hacked WordPress website
Take the following five steps in order to clean an infected WordPress website. In most cases, your site will be clean and operational after you have followed this guide. Hint: Sucuri not only offers permanent website protection by blocking hacking attempts. They also have a brilliant and in-depth tutorial which we recommend: How to Clean a Hacked WordPress Site*
Step 1: Identify infected files
As a first step, identify infected files. Find out whether files in your WordPress core folders, such as wp-admin and wp-includes, and in the WordPress root folder were modified. Plugins help find files which were modified or added. Website firewall provider Sucuri offers a free WordPress plugin that you can find in the official WordPress repository. Another frequently used solution is the firewall and scanning plugin offered by WordFence. Another sensible approach is to download a clean, official WordPress core zip file to your local computer. You can then compare this clean file set to the current WordPress file system on your web server. That way, you will be able to identify files which were changed or added.
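The clean-copy comparison described above can be scripted. The following is an added example, not part of the original article or of any Sucuri or WordFence tool: it hashes every file in a clean WordPress download and in a copy of the live site, then lists modified, added and missing files while skipping wp-config.php and wp-content. The function names and the sample trees are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Site-specific paths that are not part of the core comparison; review them separately.
SKIP_TOP_LEVEL = {"wp-config.php", "wp-content"}


def index_tree(root: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file outside SKIP_TOP_LEVEL."""
    index = {}
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        if rel.parts[0] in SKIP_TOP_LEVEL or not path.is_file():
            continue
        # Core files are small, so reading each one whole is acceptable here.
        index[rel.as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return index


def compare_core(clean_root: Path, site_root: Path) -> dict:
    """Classify site files as modified, added or missing relative to the clean core."""
    clean, site = index_tree(clean_root), index_tree(site_root)
    return {
        "modified": sorted(p for p in site if p in clean and site[p] != clean[p]),
        "added": sorted(p for p in site if p not in clean),
        "missing": sorted(p for p in clean if p not in site),
    }


def build_demo(base: Path):
    """Create two tiny constructed trees (sample data, not real WordPress files)."""
    clean, site = base / "clean", base / "site"
    core = {"index.php": "<?php // core", "wp-admin/admin.php": "<?php // admin",
            "wp-includes/version.php": "<?php // version"}
    extra = {"wp-includes/version.php": "<?php // version, altered",
             "wp-admin/extra.php": "<?php // not part of core",
             "wp-config.php": "<?php // site settings",
             "wp-content/uploads/photo.jpg": "sample upload"}
    for root, files in ((clean, core), (site, {**core, **extra})):
        for rel, body in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
    return clean, site


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(compare_core(*build_demo(Path(tmp))))
```

For real use, pass `compare_core` the extracted official zip of the same WordPress version the site runs and a downloaded copy of the site; comparing different versions reports many unrelated differences.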
Step 2: Overwrite core files with fresh and clean copies
Should core files or plugins be infected, overwrite them with fresh, clean copies. But note that your wp-config.php file and your wp-content folder contain individual information which should not be overwritten.
Also: Don’t forget to check your custom content folders. I experienced a hack on one of my websites several years ago which did not include any changes to the WordPress core installation. Instead of modifying the WordPress core itself, hackers had added content to my /wp-content/uploads folders. They had uploaded stock images – which were, of course, not licensed. Imagine what could have happened if the stock photo agency had discovered these images – being publicly present on my web server without a valid license. So, as a reminder: If your WordPress core files are clean, this does not mean that your website is not infected.
Step 4: Clean hacked database tables, if any
Of course, an infection can also affect your WordPress database. If you have the knowledge required to deal with your SQL database, use tools like Search-Replace-DB or Adminer. The information provided by your malware scanner can help identify content which has to be removed. Experienced users can check for PHP functions that malicious code commonly relies on, such as eval, base64_decode, gzinflate, preg_replace, str_replace, etc.
Step 5: Check if your site has been blacklisted
Also check whether your WordPress website has already been blacklisted by Google or other website security authorities. They offer free diagnostic tools which reveal the current security status of your website. If your WordPress website is already blacklisted, getting that security status back to normal will be your next task.
Detailed tutorial and access to professional help
Sucuri has an excellent, in-depth tutorial guiding you through all of these steps. I recommend taking a look at this resource, and while you are at it, also check their offer of immediate professional help. By signing up for their Website Security Platform, you will receive a professional repair and cleaning service even for websites which are already infected at the time of signup. A fair deal from my point of view.
* Links marked with an asterisk (*) are so-called affiliate links. If you click on such an affiliate link and buy via this link, we get a commission from the respective online shop or provider. For you, the price doesn’t change.