It’s a bit of a nightmare when your website gets hacked.
Most security specialists will charge you a premium to restore your site and they won’t tell you what’s involved in the process.
Shhhhh – it’s a secret! ????
Not me!
I’d like to share my 22-step plan on how to restore a hacked WordPress site so that you can see exactly what I do and how much effort it takes.
You can do this yourself if you have the time and skills.
Restoring A Hacked WordPress Site – Step Process
- Zip up the entire remote site files and download them to local
- Wipe the remote root folder (everything goes)
- Change FTP, cPanel, email account and MySQL passwords
- Unzip local site and scan for any malware using a good quality antivirus software, e.g. Norton.
- Search all the local site file contents for terms such as preg_replace(“/.*/e” and base64_decode
Note: there are legitimate uses for Base64 decoding. What you are looking for is a large number of hex or escape strings
i.e. “\x65\x76\x61\x6c\x20\x28\x20\x67\x7a\x69\x6e\x66\x6c\x61\x74\x65” - Perform an operating system (Windows/MacOs/Limux) search across the local folder for timthumb.php – if found – you need to scrap the plugin and find an alternative – read why timthumb.php is evil !!
- Check that your .htaccess file hasn’t been compromised and check that there are no other .htaccess files in any other folder (windows search)
- Create a new separate root folder and unzip the latest WordPress version there
- Copy your wp-config.php from the old site over to the new folder
- Change your DB_PASS and your secret keys
- Upload new clean bare WP to the remote site
- Login to WordPress and immediately change all user passwords – try to use a random password generator like https://www.vpnmentor.com/tools/secure-password-generator/ and bump the characters up to 12 or 16
- Install the “WordFence” firewall plugin
- If you don’t want to install a full firewall plugin (what are you nuts? Your site just got hacked!) at the very least install the “Limit Login Attempts Reloaded” plugin and set it to 3 attempts
- Create a new administrator user. Hint: don’t call it Admin, Sys, System, Administrator, Operator, WordPress or anything like that
- Delete the old administrator users making sure the posts/pages are inherited by the new administrator user created in the previous step
- Now you have a working and secured core WP installation
- Reinstall all the plugins from the Admin Dashboard and reactivate them if WP has already had them deactivated. The settings should be already stored in the DB
- Upload / FTP your theme to the live server and reactivate the theme. The theme settings should be picked up from the DB but I’ve had instances where you have to set up menus again – bad theme!
- Last to upload / FTP is your wp-content/uploads (and any other non-WP folders in there after checking they are OK and contain only the correct media)
Note: this is a favourite place for hackers to store their .php or .cgi scripts sometimes named “cache” - I recommend using Xcloner as a backup tool and setting up a cPanel crontab job to perform your backups. Either FTP them to another site or purchase an Amazon S3 storage bin – it’s ultra-cheap
Depending on how familiar you are with WordPress and hosting control panels and how many plugins and uploads a site has, this process is very time-consuming. Restoration time depends on how many files make up your website as they all need to get checked.
I provide a hacked WordPress website restoration service if you don’t have the required technical skills or time to do it.
And once your site is up and running again you may want to start putting into place some extra web security policies and processes.
Has your WordPress site been hacked recently? Tell us your story.
5 Responses
Super Duper Wil … just what I needed !
Will, great read. May have to ask your advise in come consulting. I’m very comfortable with WP, but I’m an operations guys, infrastructure etc. WP design, form and function I do not feel is my strong point.
Great Article.
DVR
My website was hacked and I came accross http://hacksecure.me
They recovered in very economical rates.
Just for reference, that URL no longer works (2017)
Thanks Kaylee for the link to a better online password generator! I’ve added it to the post.