WordPress Site Hacked? How To Fix

Your homepage is not the same anymore: it displays strange links and ads for a famous blue pill. Google has even sent you an email to warn you…

Your WordPress site has been hacked!

In this article we will go through a procedure for cleaning your WordPress and getting back to a clean version of it as soon as possible.

Note that there are several methods to clean a hacked WordPress and at least as many types of hacking (via WordPress files, via SQL database, etc…).

First of all, calm down! 

It’s not obvious right away, but start by calming down!

You’re not the first and you won’t be the last to have a WordPress site hacked. So take a breath, calm down and avoid going too fast, because if you hurry, you just risk doing something stupid…

Restore a backup

To make things simpler, and if you’ve had the foresight to make one, you can restore a backup that’s not too old and that looks healthy to you. This is by far the simplest and quickest option. The problem: if you have been hacked once, it will happen again. Your WordPress is not secure, so restoring the previous day’s version only takes you a step back before the next hack…

Let’s start again: you have a backup, you restore it, and your WordPress returns to its original state. Now check that WordPress and its plugins are up to date. At this stage, I advise you to immediately change its logins and passwords, as well as those of your FTP and database. Also check the integrity of your .htaccess file.

To check that your plugins don’t contain security holes, install a security scanner plugin and activate it.

Identifying the evil  

How did they do it? That’s the question that should haunt you. A plugin with a security hole? A cracked password? Start by checking your config.php and index.php files; you can often find the problem there.

You can also make use of your host’s logs. Log files keep track of all activity on your hosting (access, actions). You can look in these files for the traces and actions of your hacker, then take the necessary measures (remove a plugin, change a login or password…).

Note that I’m not covering security plugins such as Wordfence or iThemes Security here, but you can also try using them to identify the malicious code.
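For the log review described above, here is an added example (not part of the original article) of a first pass over an access log in Python. It assumes the Apache/Nginx "combined" log format and two heuristics chosen for this illustration: requests for PHP files under /wp-content/uploads/, and bursts of POSTs to wp-login.php from one address; the sample lines are constructed.

```python
import re
from collections import Counter

# Apache/Nginx "combined" format: ip ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not from a real site.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:03:10:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:03:10:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:03:10:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2024:03:11:40 +0000] "GET /wp-content/uploads/2024/03/photo.jpg HTTP/1.1" 200 88211 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:03:12:09 +0000] "POST /wp-content/uploads/2024/03/img.php?x=1 HTTP/1.1" 200 17 "-" "curl/8.0"
"""


def review(lines, login_threshold=3):
    """Return (kind, ip, detail) findings worth following up."""
    findings = []
    login_posts = Counter()
    redirected = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        path = m["path"].split("?", 1)[0]
        # Uploads should only hold media, so a request for a script there is a lead.
        if "/wp-content/uploads/" in path and path.lower().endswith(".php"):
            findings.append(("php-in-uploads", m["ip"], path))
        # Many POSTs to the login page from one address suggest password guessing.
        if m["method"] == "POST" and path.endswith("/wp-login.php"):
            login_posts[m["ip"]] += 1
            # WordPress answers a successful login with a 302 redirect.
            if m["status"] == "302":
                redirected.add(m["ip"])
    for ip, count in login_posts.items():
        if count >= login_threshold:
            kind = "login-burst-then-302" if ip in redirected else "login-burst"
            findings.append((kind, ip, count))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG.splitlines()):
        print(finding)
```

A "login-burst-then-302" finding points to the password change described later; a "php-in-uploads" finding gives you a file path to inspect in your FTP copy.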

A little bit of antivirus

Here we will download the complete site to our computer and run it through the antivirus program. Start by making sure your working environment is healthy and then download your complete site via FTP and copy it to your PC. Run your favourite antivirus software and if there is a problem, it should find it for you.

Traditional scanners such as Avast or Bitdefender work well and can also scan your /uploads/ directory for malicious code hidden in image files.
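As a complement to the antivirus pass over the downloaded /uploads/ directory, here is an added Python example (not part of the original article) that flags script files and image files containing a PHP opening tag. The extension lists and the `scan_uploads` name are assumptions made for this illustration.

```python
import os
import sys

# Assumed extension lists for this illustration; extend them to match your site.
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".ico", ".webp"}
SCRIPT_EXT = {".php", ".phtml", ".phar"}


def scan_uploads(root):
    """Walk a local copy of wp-content/uploads; return sorted (reason, path) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in SCRIPT_EXT:
                # The uploads directory is meant for media, not executable scripts.
                findings.append(("script-in-uploads", rel))
            elif ext in IMAGE_EXT:
                # Code can be appended to a valid image, so read the whole file
                # instead of trusting the header bytes.
                with open(full, "rb") as fh:
                    data = fh.read()
                if b"<?php" in data.lower():
                    findings.append(("php-tag-in-image", rel))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python scan_uploads.py path/to/local/copy/of/uploads
    root = sys.argv[1] if len(sys.argv) > 1 else "wp-content/uploads"
    for reason, rel in scan_uploads(root):
        print(f"{reason}\t{rel}")
```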


Login, passwords

We’re not going to take any unnecessary risks: getting hacked once is enough…

So we take this opportunity to change all FTP, database, login and WordPress passwords. Use long, complex passwords; it cannot be repeated often enough.

To generate a complex password, go to: https://strongpasswordgenerator.com

To verify it: https://howsecureismypassword.net


Clean reinstallation from A to Z

The ultimate solution, and a longer one than restoring a backup, is a full reinstallation. It is in my opinion the safest and most efficient. The idea is to start from scratch.

Let me explain: completely reinstall WordPress, its plugins (up to date) and the latest version of the theme then inject articles, pages, menus and images via the native import/export tool of your WordPress.


Here is how to proceed in 10 points

  1. Copy your entire site by FTP, and its database via PhpMyAdmin, to your PC (for safety, just in case)
  2. From your hacked WordPress, export all content (articles, pages, comments, custom fields, terms, navigation menus and custom content types) via the native “Export” tool (Tools>>Export>>All content), and save the generated XML file on your PC. 
  3. Delete via FTP all your old content (WordPress folders, root files etc…) with the exception of your host’s directories (cgi-bin, log, ssl…)
  4. Delete your database and create a brand new one with a complex name and password
  5. Download the latest version of WordPress and install it. 
  6. Install the latest version of your theme
  7. Import all the content of the XML file (created in point 2) via your new WordPress from the menu Tools>>Import>>WordPress
  8. Install the latest versions (up to date and without known flaws) of your plugins 
  9. Follow the guidelines in Section 15 WordPress Security Reminders 
  10. That’s it, all that remains is to restore the site’s layout (Home, Widgets, CSS if any…)

It’s certainly more demanding and takes longer, but starting from scratch with an up-to-date WordPress, plugins and theme should limit the risks. You can also take a look at the database (see below) to find possible suspicious elements.
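Because step 7 imports content exported from the hacked site, the export file can carry injected markup into the new installation. The added Python example below (not part of the original article) checks each item of a WXR export for the same four strings as the SQL query in the database section; the sample export is constructed and `suspicious_items` is a hypothetical helper name.

```python
import sys
import xml.etree.ElementTree as ET

# <content:encoded> holds the post body in a WordPress export (WXR) file.
CONTENT = "{http://purl.org/rss/1.0/modules/content/}encoded"
# The same four strings as the article's SQL query, compared case-insensitively.
MARKERS = ("<iframe", "<noscript", "display:", "base64")

# Constructed, minimal export with one clean post and two injected ones.
SAMPLE_WXR = b"""<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
<item><title>Hello world</title>
<content:encoded><![CDATA[<p>Welcome to my blog.</p>]]></content:encoded></item>
<item><title>Spring recipes</title>
<content:encoded><![CDATA[<p>Soup.</p><div style="display:none"><a href="https://pills.example/">x</a></div>]]></content:encoded></item>
<item><title>Contact</title>
<content:encoded><![CDATA[<iframe src="https://ads.example/f" width="0"></iframe>]]></content:encoded></item>
</channel></rss>"""


def suspicious_items(wxr_bytes):
    """Return [(title, [markers found])] for every exported item that matches."""
    root = ET.fromstring(wxr_bytes)
    hits = []
    for item in root.iter("item"):
        body = (item.findtext(CONTENT) or "").lower()
        found = [marker for marker in MARKERS if marker in body]
        if found:
            hits.append((item.findtext("title") or "", found))
    return hits


if __name__ == "__main__":
    # Usage: python check_export.py export.xml  (falls back to the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE_WXR
    for title, found in suspicious_items(data):
        print(f"{title}: {', '.join(found)}")
```

Legitimate embeds (a video iframe, for instance) match too, so review each hit by hand before importing.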


Let’s check the database

To help you find suspicious links, scripts or iframes, the SQL query below isolates the posts in your database that contain them (be careful with false positives, however; it is strongly recommended to make a backup before any modification of the database):

    -- Posts whose content contains markup or strings often left by an injection.
    SELECT * FROM wp_posts WHERE post_content LIKE '%<iframe%'
    UNION
    SELECT * FROM wp_posts WHERE post_content LIKE '%<noscript%'
    UNION
    SELECT * FROM wp_posts WHERE post_content LIKE '%display:%'
    UNION
    SELECT * FROM wp_posts WHERE post_content LIKE '%base64%';

Note: don’t forget to replace the “wp_” prefix used in this example with your own.


Conclusion On WordPress Site Hacked…

As stated in the preamble, there are several scenarios. However, the solution of reinstallation from A to Z gives good results. You can also use several methods together (partial reinstallation + FTP copy of the /uploads/ folder after scanning it with the antivirus). Follow best WordPress security practices to avoid such situations in the future.