WordPress site infected? How to Clean a WordPress Hack

Has your WordPress site been hacked and infected? We have got some basic advice on how to clean an infected site.

WordPress has become the world’s most popular content management system, but what about security? Because WordPress is used on so many websites, hackers are focusing on it. Automatic scripts are searching for vulnerabilities 24/7. If they succeed and compromise your WordPress website, you are facing serious problems. Amongst other consequences, Google will be displaying a message in search results warning potential visitors that your website might be compromised.

Google message in search results with 'website potentially hacked' warning

Google message in search results with ‘website potentially hacked’ warning

Steps required to clean a hacked WordPress website

Take the following five steps in order to clean an infected WordPress website. In most cases, your site will be clean and operational after you followed this guide. Hint: Sucuri does not only offer permanent website protection by blocking hacking attempts. They also have a brilliant and in-depth tutorial which we recommend: How to Clean a Hacked WordPress Site*

Setp 1: Identify infected files

In a first step, identify infected files. Find out if files in your WordPress core folders like wp-admin, wp-includes and the WordPress root folder were modified. Plugins help finding files which were modified or added. Website Firewall provider Sucuri offers a free WordPress plugin that you can find in the WordPress official repository. Another frequently used solution is the firewall and scanning plugin offered by WordFence. Another approach that makes sense is to download a clean, official WordPress core zip file to your local computer. You can then compare this clean file set to the current WordPress file system on your web server. That way, you will be able to identify files which were changed or added.

Setp 2: Overwrite core files with fresh and clean copies

Should core files or plugins be infected, you overwrite them with fresh, clean copies. But note that your wp-config.php file and your wp-content contain individual information which should not be overwritten.

Step 3: Check your custom content folders. Malicious content can also be hidden in your wp-content folders

Also: Don’t forget to check your custom fontent colders. I experienced a hack on one of my website several years ago which did not include any changes to the WordPress core installation. Instead of modifying the WordPress core itself, hackers had added content to my /wp-content/uploads folders. They had uploaded stock images – which were, of course, not licensed. Imagine what could have happened if the stock photo agency had discovered these images – being puclically present on my web server without a valid license. So, as a reminder: If your WordPress core files are clean, this does not mean that your website is not infected.

Step 4: Clean hacked database tables, if any

Of course, an infection can also affect your WordPress database. If you have the knowledge required to deal with your SQL database, use tools like Search-Replace-DB or Adminer. The information provided by your malware scanner can help identifying content which has to be removed. Experienced users can check for  malicious PHP functions, such as eval, base64_decode, gzinflate, preg_replace, str_replace, etc.

Step 5: Check if your site has been blacklisted

Also check if your WordPress website has already been blacklisted by Google or other website security authorities. They offer diagnostic and free tools which reveal the current security status of your website. Getting that security status back to normal will be your next task if your WordPress website is already blacklisted.

Detailed tutorial and access to professional help

Sucuri has an excellent, in-depth tutorial guiding you through all of these steps. I recommend taking a look at this resource, and while you are at it, also check their offer of immediate professional help. Signing up for their Website Security Platform you will receive a professional repair and cleaning service even for websites which are already infected at the time of signup. A fair deal from my point of view.

Read more on Sucuri’s website – in detail: How to Clean a Hacked WordPress Site*

* Links marked with an asterisk (*) are so-called affiliate links. If you click on such an affiliate link and buy via this link, we get a commission from the respective online shop or provider. For you, the price doesn’t change.

Written by
Bernhard has been working as a tech editor for 10 years, then became a communications specialist. In 2011, he founded his own agency Lots of Ways. He is blogging and working with WordPress since 2006.

Have your say!

3 1

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Lost Password

Please enter your username or email address. You will receive a link to create a new password via email.