A Server Hack, Downtime and Some Housekeeping – Fixing a Hacked WordPress Site

post modified on March 18


Written by Puja


If you have been a regular visitor to our blog here, you would have noticed that we went offline for a few days. And a couple of days before that you would have noticed that the page load time was strangely high. You might even have come across some weird characters, texts and banners on the pages.

Well, the last 10 days were extremely eventful for us. We went through some really harrowing days, with me spending hours trying to clean the code. Some of the days were very long for me with barely a few hours of sleep. We did lose some traffic and also some revenue.

And all of this, thanks to some crook out there who just wanted to test his hacking skills on WordPress. And fortunately for me, he picked my website to test this. (If you are wondering on my usage of the term “fortunately”, then I will explain it to you in a while)

The result –

  • malicious codes all over my website files and database
  • a website that behaves strangely and takes ages to load
  • days of sleepless work

When we first saw these codes in our website, we straight away got to work and cleaned all the files. Just as we thought everything was fine (we even published a post in between) the codes started re-appearing and this time even worse.

Now after about 10 days, we are finally up and running… better than how we were, with more energy and enthusiasm than before.

Are you a blogger? Is your blog a self hosted WordPress blog?

If yes, then you need to read this post. After the last week’s experience, I felt it right to put together this post which will help a lot of you bloggers out there in ensuring that you do not lose your hard work to some hacker’s mischief.

So before we even get into fixing a hacked WordPress site, I think it is important to speak about how to prevent a hacking attack and how to find out if your site is hacked.

How to Find out if your WordPress Site is hacked

It is important that you keep monitoring your site. But I know it is not humanly possible to monitor a site 24/7 and it is here that we need some of these monitoring tools to see what is going on with your blog.

Pingdom Monitoring Service – Pingdom has a monitoring service that monitors your site's uptime. It will send an alert to your mailbox if it finds that your site is down. If you get such an alert, there is every reason for you to suspect an issue, though it might not always be a hacker attack. But whenever you see such an alert, just check your website for anything that looks abnormal.

Wordfence Plugin – Wordfence is an extremely handy plugin that sends alerts when there are file changes, login failures, login attempts etc. This can be your best companion in monitoring your WordPress blogs. It is easy to configure and is available for free.

An alert from Wordfence was the first hint we received that there was a hacking attempt. We got an alert saying that a file had been modified. Since this was one of the core files in WordPress, I grew suspicious and went over to the blog to see what had happened. We were a day late in doing this. We missed the alert because I couldn’t check my emails for 2 days as we were travelling. That was more than enough for the hacker to do his work.

There are some other signs as well, of a hacked WordPress blog. You should be able to see these as soon as you log in.

Login Screen – Your login screen, which should look like the below screenshot, will start to look a little weird. I couldn’t capture a screenshot of the login page, else I could have shown it to you. But you should be able to see it straight away, if you are aware of how the login screens normally look.

[Screenshot: the normal WordPress login screen]

Sidebar Menu Items – Another sign that there is an issue with your blog can be seen on the sidebar menu items. By default, WordPress has a fly-out menu. When you hover over any option, a menu opens to the right with the sub-menu items. But if there is a problem with the code in the WordPress files, this will not work. Instead, the sub-menu opens only when you click on the main menu item.

If you are wondering as to why this happens, then it is because the malicious codes are normally injected into the index files in your WordPress installation. So wherever there is an index.php file, the code will be there.

Another file that is normally attacked is the wp-config.php file.

If you have access to the root folder of your installation, then you can open any index.php file or the wp-config.php file and check the code. You should find something like the below in these files.

[Screenshot: the malicious code injected into the file]

This is the malicious code that gets injected into the files.

Fixing a Hacked WordPress Site – Some tips

It is not an easy task fixing a hacked WordPress site. If your database is untouched, then you are lucky because restoring shouldn’t be too much of a pain. But if your database is also attacked, then you will need some professional help to restore your database.

First let us look at how to restore a site when the database is not affected.

Step – 1: The first thing to do is delete the native WordPress files and folders except the wp-config.php file and the wp-content folder. Remember to leave alone any other folders that are not native to the WordPress installation. Once you have done that, just upload all the WordPress files once again.

Remember that this will not need you to re-install the blog. You are just replacing the files.

Step – 2: Proceed to delete any index.php files in the wp-content folder. Don’t worry, these should regenerate themselves.

Step – 3: Now delete any theme files in the themes folder under the wp-content folder and then upload them once again.

Step – 4: The next step is to delete all the plugin files from the plugins folder. Just reinstall the plugins one by one. Don’t worry, the configurations will be untouched because you haven’t done anything with the database.

Step – 5: The last step involves cleaning the malicious code off your wp-config.php file. Open the file and delete the code that you saw in the above screenshot. The easiest thing is to compare your wp-config file to the sample file that will be there in the same directory.

Just delete anything that you find before the below code –

<?php
/**
* The base configurations of the WordPress.

And that should be it. Your blog should be good to go from here.
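The checks described above (injected code at the top of wp-config.php and in index.php files) can be scripted before you start deleting. This is an added example, not part of the original post: the function names, the `SAMPLE_CONFIG` text and the idea of a "clean copy" folder holding a freshly downloaded WordPress are assumptions for illustration.

```python
import hashlib
import os
import re
import sys

# Opening of wp-config.php as quoted in this post (whitespace-tolerant).
# Assumption: if your wp-config-sample.php opens differently, pass your own pattern.
HEADER = re.compile(r"<\?php\s*/\*\*\s*\*\s*The base configurations of the WordPress\.")

def injected_prefix(config_text, header=HEADER):
    """Text found before the expected header: '' if clean, None if header is missing."""
    match = header.search(config_text)
    return None if match is None else config_text[:match.start()]

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def changed_files(site_root, clean_root, names=("index.php",)):
    """Compare each file listed in `names` under site_root with the same path in a
    freshly downloaded WordPress copy (clean_root). Returns {relative_path: finding}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(site_root):
        for name in files:
            if name not in names:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, site_root)
            clean = os.path.join(clean_root, rel)
            if not os.path.isfile(clean):
                findings[rel] = "not in clean copy"  # theme/plugin file, or a planted one
            elif sha256_of(full) != sha256_of(clean):
                findings[rel] = "differs from clean copy"
    return findings

# Constructed sample: a placeholder line sitting above the real header.
SAMPLE_CONFIG = ("<?php /* constructed placeholder for injected code */ ?>\n"
                 "<?php\n/**\n * The base configurations of the WordPress.\n */\n")

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py SITE_ROOT CLEAN_WORDPRESS_COPY
        site, clean = sys.argv[1], sys.argv[2]
        with open(os.path.join(site, "wp-config.php"), encoding="utf-8", errors="replace") as fh:
            print("wp-config.php prefix:", repr(injected_prefix(fh.read())))
        for rel, finding in sorted(changed_files(site, clean).items()):
            print(f"{finding}: {rel}")
    else:
        print(repr(injected_prefix(SAMPLE_CONFIG)))
```

A non-empty prefix is the part Step 5 tells you to delete; files reported as "not in clean copy" belong to themes or plugins (replaced in Steps 3 and 4) or were planted and need a manual look.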

Now the tricky part is if your database is also affected. The only way to restore your blog is to restore the database to an earlier version; a version before your site was attacked.

But the big question is where will you find a database backup. It is here that you need to be a little proactive with your blog, if you are serious about your blog.

You need to ensure that you are backing up your database once every day.

You can do this by installing any plugin that can help you create a backup. Most of these plugins will help you backup your database to Amazon S3 or, Dropbox.

You can just do a search in the plugins directory and you will find all the different plugins. Install whichever you feel is good for your blog. Almost all of them are good.

My recommendation:

WP Backup – You can find this plugin in the WordPress repository or you can download it from this link here. This plugin can back up your database to Dropbox and Amazon S3 and it can also do that automatically at your scheduled times.

This plugin was the one I had on my blog here and since I usually maintain a month’s files, I had enough backups to restore my blog to a period when the files were not infected.

You will have to do some housekeeping once you have restored the database because some of your posts from the period when your blog was hacked will no longer be there. You will have to rewrite those and re-upload those images as well.

But once you have done this, you can rest assured that your blog is clean and you are ready to rock.

Managed WordPress Hosting : If you can afford a couple of dollars more, I would recommend that you go for a managed WordPress hosting account. Part of the reason why we were inactive here for the last 10 odd days is because we just migrated to a Managed WordPress Hosting account at Godaddy. The migration took a while because of some issues with the WordPress files. Otherwise it is a one-click migration and it is pretty easy doing it.

I would highly recommend that you go for a Managed WordPress hosting account, primarily because of the fact that in the rare case that your blog gets hacked (which is unlikely because of the stringent security measures in a managed WordPress hosting), it is easy to restore your blog. You can do it in a few clicks, because in a managed WordPress hosting, there are nightly backups of both the files and database. And most hosting companies keep at least a month’s worth of backups. And restoring is just about selecting the date and clicking the “restore” button.

We recommend 3 managed WordPress hosting services because we use all 3 of them and we know that they are worth it.

  1. Godaddy Managed WordPress Hosting
  2. Bluehost WordPress Hosting
  3. iPage WordPress Essentials

Protecting Your WordPress Blog

We discussed a lot about fixing a hacked WordPress site. But the critical part in all of this is about ensuring that you have enough protection for your blogs so that it doesn’t get hacked.

There are some simple things that you can do in order to ensure that you are protecting your WordPress blog from hackers.

Keep your WordPress Installation updated

It is important that you keep your WordPress installation updated. Update the plugins, themes and your WordPress files as and when an update is available. These are security updates and hence it is important that you install them.

Delete any unused databases

If you have any unused databases in your hosting account from any of your previous WordPress blogs, then ensure that you delete them. These databases often serve as an entry point for hackers.

Delete any unused WordPress Installation Files

If you had a blog earlier which you are no longer running, then it is advisable that you delete the WordPress files from the hosting server. These files often remain outdated because you are not updating them regularly and can hence serve as an entry point for hackers.
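To find forgotten installations like these, you can list every WordPress copy under your hosting account together with its version. This is an added example, not part of the original post; the function names are made up for illustration, and it relies on WordPress keeping its version in `wp-includes/version.php` as `$wp_version`. The minimum version is whatever release you currently run.

```python
import os
import re
import sys

VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]")

def find_installs(root):
    """Return {install_dir: version} for every WordPress tree found under root."""
    installs = {}
    for dirpath, dirs, _files in os.walk(root):
        version_file = os.path.join(dirpath, "wp-includes", "version.php")
        if os.path.isfile(version_file):
            with open(version_file, encoding="utf-8", errors="replace") as fh:
                match = VERSION_RE.search(fh.read())
            installs[dirpath] = match.group(1) if match else "unknown"
            # No need to descend into the install's own folders.
            dirs[:] = [d for d in dirs if d not in ("wp-includes", "wp-admin", "wp-content")]
    return installs

def version_key(version):
    """'4.9.8' -> (4, 9, 8); '3.5' -> (3, 5, 0); suffixes such as '-beta1' are ignored."""
    leading = re.match(r"\d+(?:\.\d+)*", version)
    parts = [int(n) for n in leading.group(0).split(".")] if leading else []
    return tuple((parts + [0, 0, 0])[:3])

def outdated(installs, minimum):
    """Installs whose version is unknown or older than `minimum`, sorted by path."""
    return sorted(path for path, version in installs.items()
                  if version == "unknown" or version_key(version) < version_key(minimum))

if __name__ == "__main__":
    # usage: script.py HOSTING_ROOT MINIMUM_VERSION
    if len(sys.argv) == 3:
        found = find_installs(sys.argv[1])
        for path in sorted(found):
            print(f"{found[path]:>10}  {path}")
        print("Older than", sys.argv[2], "or unknown:", outdated(found, sys.argv[2]))
    else:
        print("usage: script.py HOSTING_ROOT MINIMUM_VERSION")
```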

My Recommendation

WP Site Guardian – I use a very handy plugin which prevents a variety of hacking attempts. This is a very handy plugin when it comes to protecting your WordPress blogs. I highly recommend using this plugin. It is a one time investment of a few dollars but can save you days of hard work. You can find more about it here.

Getting hacked can be a serious pain and if it is a WordPress blog on which you spent years working hard, then the frustration can be indescribable. While no security is enough security, you can still protect your blog enough to at least prevent easily getting hacked.

I hope this post provided you some good information on fixing a hacked WordPress site.

Do let me know your thoughts, suggestions and feedback by commenting below. Let me know if you need my help in any way.
