WordPress Hacked: Effective Steps to Recover Your Site
Over 2,200 cyber attacks happen per day, equating to over 800,000 people falling victim to them per year. With so many cyber threats looming across the web, there’s a chance one of them will infiltrate your WordPress website.
However, you shouldn’t panic if your WordPress site has been hacked. In this article, we will go through 11 steps to recover your website and prevent future hacks.
Let’s start by clarifying whether the issue is a WordPress hack.
Signs of a Hacked WordPress Website
It is not always easy to diagnose a hacked website. Check for the following signs to understand whether your site has been hacked:
- You can’t log in to the WordPress admin panel.
- There’s content and design you haven’t uploaded.
- There’s a sudden drop in traffic.
- The website redirects users and sends spam emails.
- Browser blocklist warnings appear when visiting your WordPress website.
- Your WordPress files are missing.
- The server logs detect unusual activities and visits from unknown places.
- A new member with admin rights has been added without your consent.
- Your security plugin alerts you about a potential breach.
How a WordPress Site Gets Hacked
Here are some of the most common cyber attacks that take advantage of WordPress security vulnerabilities:
- Backdoors ‒ malware that bypasses normal authentication so attackers can keep accessing the WordPress files.
- Brute-force attacks ‒ a hacking method that uses trial and error to guess your login credentials.
- Cross-Site Scripting (XSS) ‒ a code injection attack that places malicious scripts in a website’s pages, where they run in visitors’ browsers.
- SQL injection attacks ‒ a hacking method involving code injection that targets vulnerable SQL queries.
- Malicious redirects ‒ injected code, often planted through a backdoor, that redirects your website visitors to a shady website.
- Pharma hacks ‒ an SEO spam attack that infects your website with malicious content. As a result, your website will start ranking for these spammy keywords, damaging your brand reputation.
- Denial of Service (DoS) ‒ an attack designed to shut down a website or a network by overwhelming the targeted system with requests.
Reasons Why a WordPress Site Gets Hacked
You might wonder why your website got hacked. Here are the top three reasons hackers might see your WordPress website as a prime target for their cyber attacks.
Insecure Login Credentials
8% of infected WordPress websites have weak passwords, such as “12345,” “picture1,” and “password.” While a strong password doesn’t guarantee immunity against hacking, secure login credentials add another layer of security to your website and personal information.
Outdated Software
Outdated WordPress core files, plugins, and themes are among the most common causes of hacked websites. Keeping your WordPress installations up to date is essential, as software updates come with security patches that address the previous version’s vulnerabilities. Without updates, hackers can exploit those vulnerabilities to access your WordPress site.
Poor Website Code
Low-quality WordPress plugins and themes tend to have poor code, introducing vulnerabilities to your WordPress site. Therefore, we recommend getting your themes and plugins from the official WordPress repository or reputable marketplaces that provide regular updates and support.
11 Solutions to Fix a Hacked WordPress Website
After confirming that your WordPress site is hacked, it’s time to fix the issue. In the following section, we will explain how to clean a hacked WordPress site in 11 simple steps.
1. Put WordPress in Maintenance Mode
If you still have access to your WordPress dashboard, put your website in maintenance mode immediately. Doing so will prevent visitors from opening your hacked WordPress site, protecting their personal information and device from whatever’s attacking it. You will also preserve your brand’s credibility by not letting a hacked WordPress site go live.
Hostinger users can enable the maintenance mode via their hPanel dashboard. You only need to navigate to Dashboard under the WordPress section of hPanel and click on the Maintenance mode option.
Check out our article on the WordPress maintenance mode for different ways to turn it on.
2. Reset WordPress Password
If hackers have gained access to your website, assume your login credentials are compromised. Therefore, one of the first steps to fix your hacked site is to reset your WordPress admin, FTP, database, and hosting account passwords.
Plenty of password management tools like NordPass offer a generator you can use to create strong passwords and keep them safe for you. The ideal password should have at least 16 characters, including letters, numbers, and symbols.
We also recommend enabling two-factor authentication and limiting login attempts to add extra layers of protection to your WordPress login credentials.
3. Update WordPress
Before attempting to fix your hacked website, it’s best to update your old WordPress installations. Doing so helps prevent hackers from taking advantage of the site’s vulnerabilities to undo your fix, keeping your site secure after the hack.
Check out our article on updating WordPress if you need help. We also recommend updating your themes and plugins as cyber attacks commonly infiltrate WordPress via outdated plugins and theme files.
4. Deactivate Plugins and Themes
Deactivating your plugins and themes and then reactivating them one by one allows you to narrow down infected installations. Once you discover the faulty installations, deactivate and delete them.
This would also be the perfect time to remove unused WordPress installations from your website. Having unnecessary themes and plugins installed on your site can create access points for malware to carry out WordPress hacks, even if they’re inactive.
Additionally, uninstall any plugins and themes obtained outside the official WordPress theme and plugin directories since these types of software have a higher risk of carrying malicious code.
Here are the steps to disable a plugin:
- Go to Plugins -> Installed Plugins from your WP admin dashboard.
- To deactivate one plugin, click on the Deactivate option below it.
- To deactivate multiple plugins at once, check the box next to the chosen ones and select Deactivate from the dropdown menu. Click Apply.
5. Reinstall WordPress
If none of the previous steps work, your WordPress core files might be infected. In this case, you will have to reinstall the core files and start fresh.
The easiest way to do this is through the WordPress admin dashboard. Go to Dashboard -> Updates and click on the Reinstall button.
Before starting a new WordPress installation, make sure to back up your website files first. Avoid overwriting your old website backup version with the new one. You can later compare the hacked WordPress system files with the clean version to identify and remove suspicious files.
Check out our article on reinstalling WordPress to learn more about other methods.
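The comparison between the hacked files and a clean copy can be scripted. As an added example that is not part of the original article, the POSIX shell function below walks a possibly hacked WordPress directory and reports every core file that differs from, or does not exist in, a clean copy of the same WordPress version; the two directory paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): compare a possibly hacked
# WordPress install against a clean copy of the same version downloaded from
# wordpress.org. Directory paths are assumptions; adjust them to your setup.
# wp-content, wp-config.php and .htaccess are site-specific and therefore
# skipped here; review them separately.

# Usage: compare_core_files CLEAN_DIR HACKED_DIR
# Prints one line per suspicious file: "MODIFIED path" when the file differs
# from the clean release, "EXTRA    path" when the clean release has no such file.
compare_core_files() {
    clean_dir=$1
    hacked_dir=$2
    (cd "$hacked_dir" && find . -type f \
        ! -path './wp-content/*' ! -name 'wp-config.php' ! -name '.htaccess') |
    while IFS= read -r rel; do
        rel=${rel#./}
        if [ ! -f "$clean_dir/$rel" ]; then
            # A file the official release never shipped: a common place for dropped code.
            echo "EXTRA    $rel"
        elif ! cmp -s "$clean_dir/$rel" "$hacked_dir/$rel"; then
            # Same name, different bytes: the core file has been tampered with.
            echo "MODIFIED $rel"
        fi
    done
}

# Example invocation (paths are placeholders):
# compare_core_files /tmp/wordpress-clean /var/www/html
```

If WP-CLI is available, `wp core verify-checksums` performs the same kind of check against the official checksums for the installed version.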
6. Remove New WordPress Users With Admin Privileges
One of the most common signs of hacked WordPress sites is the appearance of new users with admin privileges. If you see any newly added admin accounts that you or other website administrators don’t recognize, remove them immediately.
Refer to our article on managing WordPress user roles for the appropriate steps to remove user accounts from your site.
7. Search for Malware
There are two ways to remove malware from hacked WordPress websites ‒ manually or using a malware removal plugin. We recommend opting for the latter since doing the manual process incorrectly can worsen the situation.
Follow our article covering WordPress malware removal using both methods. The article also highlights the best WordPress security plugins with malware removal features for your consideration.
8. Disable PHP Execution
Hackers can create backdoors in WordPress sites by uploading files with malicious code to the Uploads folder. Disabling PHP execution prevents them from executing those infected files.
To do so, create an .htaccess file in the wp-content/uploads folder and add the following code to it:
<Files *.php>
deny from all
</Files>
On Apache 2.4 and later, the directive `Require all denied` replaces `deny from all`.
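As an added example that is not part of the original article, the POSIX shell functions below first list any PHP files already sitting in the uploads folder, then write an .htaccess that blocks PHP execution there with both the Apache 2.2 and the Apache 2.4 directive; the uploads path is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article). The uploads directory path
# passed to these functions is an assumption; on a standard install it is
# wp-content/uploads inside the WordPress root.

# Usage: list_php_in_uploads UPLOADS_DIR -> prints matching paths, one per line.
# Matches .php, .php5-style variants and .phtml, case-insensitively, because
# web servers commonly map all of these to the PHP handler.
list_php_in_uploads() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \)
}

# Usage: count_php_in_uploads UPLOADS_DIR -> number of matches, for scripting.
count_php_in_uploads() {
    list_php_in_uploads "$1" | wc -l | tr -d ' '
}

# Usage: write_uploads_htaccess UPLOADS_DIR -> writes UPLOADS_DIR/.htaccess
# Apache 2.2 understands "Deny from all"; Apache 2.4 uses "Require all denied".
# Each form is guarded by the module that provides it, so the same file works on both.
write_uploads_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Block direct execution of PHP inside the uploads directory.
<FilesMatch "\.(php|php[0-9]|phtml)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</FilesMatch>
EOF
}

# Example invocation (path is a placeholder):
# list_php_in_uploads /var/www/html/wp-content/uploads
# write_uploads_htaccess /var/www/html/wp-content/uploads
```

Only Apache, and servers that honour .htaccess files such as LiteSpeed, read this file; on nginx the equivalent rule belongs in a location block of the server configuration.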
9. Clean the WordPress Database
After cleaning your WordPress installations, the next step is to comb through the records in your database. Remove any records containing malicious code and new records you don’t recognize to prevent hackers from creating backdoors via a database injection.
Note that doing this process manually is risky and time-consuming, especially if you have tons of records. The site might also break beyond repair if you accidentally delete the wrong records.
For this reason, we recommend choosing one of the best WordPress database plugins for this process.
10. Clean the WordPress Sitemap
A sitemap is a blueprint that helps search engines find and crawl your website’s content. If attackers have tampered with it, your search engine rankings will most likely drop. That’s why it’s worth regenerating the sitemap when dealing with WordPress malware attacks.
The easiest way to create a WordPress sitemap is by using a WordPress plugin. After that, submit the new sitemap to Google for crawling through Google Search Console. Keep in mind that it can take up to two weeks for the search engine to crawl your website.
11. Contact Your Hosting Provider
If your website runs on shared hosting, there’s a chance the issue comes from another site on the same web server. Contact your hosting provider to check whether the security issues affect more than just your site.
At the very least, your hosting company should be able to recover access to your WordPress site or provide web logs to help narrow down the time of the breach.
A hosting provider plays a major role in ensuring a website’s performance and security are of the highest standards. If you don’t think your current web host can mitigate WordPress hack attacks, it’s time to look for a new one.
Consider getting managed WordPress hosting, as it generally offers security measures built specifically for protecting WordPress website files and installations.
Having your WordPress site hacked is stressful. However, it’s best to redirect your energy to damage mitigation and take steps to recover your WordPress site.
Here is a quick recap:
- Put your hacked WordPress website into maintenance mode.
- Reset your passwords.
- Update your WordPress site.
- Deactivate plugins and themes.
- Reinstall WordPress software.
- Remove unrecognized WordPress users with admin privileges.
- Search for malware.
- Disable PHP execution.
- Clean the WordPress database.
- Clean the WordPress sitemap.
- Contact your hosting provider.
We hope this article has helped you restore your WordPress site and minimize the damage done to it. Best of luck!
Hacked WordPress FAQ
Is WordPress Easily Hacked?
As WordPress is the most popular content management system (CMS), websites built with this CMS are a popular target for cyber attacks. However, 61% of infected WordPress sites were outdated, meaning they didn’t have the latest security updates to patch vulnerabilities.
Therefore, a WordPress website’s resistance against cyber attacks greatly depends on the admin’s discipline in keeping all the installations up to date.
How to Secure a WordPress Site Without Plugins?
Using strong passwords, limiting login attempts, changing your database table prefix, and opting for a reputable hosting provider are just a few ways to secure a WordPress site. While it’s possible to protect your site without a security plugin, installing one gives you tools that complement WordPress’ built-in security measures.
What Is the Safest CMS?
Drupal is one of the most popular and safest CMS today. The CMS software optimizes most of its built-in features for performance and security and conducts security tests regularly. However, since Drupal is mainly designed for web developers, it has a steeper learning curve than WordPress.