A Simple Easy Guide to Clean Your Hacked Wordpress Site

Published: 2022-11-23

A Guide To Clean Hacked Wordpress Sites

Hi! Lately I’ve been getting more requests to clean up sites with hacks or malware. The main reason I’ve been seeing this is an abandoned Wordpress dashboard with plugins that are no longer supported and need updating. Even premium plugins can be a risk if they are not backed by a company or community that updates them every so often.

Before We Start

In order to effectively clean up the site, we first want to make a backup of it. If you are able to log in to your site, my plugin of choice is All-in-One WP Migration. It lets you create a quick, portable backup. If your site is heavily compromised, go for a manual Wordpress backup instead. Don’t forget to back up your database too!

Step 1: Try to log in

It’s as simple as that. If you can log in to your site, things will be relatively easier. If you can’t log in, there are a couple of things we can do. The first step is to check your .htaccess file. You could even replace its contents with the default .htaccess file. It may be the case that you can’t even save this file; check the file’s permissions and make sure they are set to 644. You can do this over FTP or SSH.

Since you are here now, take a general look at file permissions. They should be 755 for folders and 644 for files. 755 on a folder gives the owner the ability to read, write, and execute (enter) it, while everyone else on the server can only read and enter it; 644 on a file means only the owner can write it and nobody can execute it. If you are still unable to log in by this point, don’t worry, continue on to the next step.
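A quick way to do that permissions check from SSH, as an added example that is not part of the original post: list every directory that is not 755 and every file that is not 644 under the site root you pass in, then reset them. It assumes POSIX find and chmod. Review the audit before fixing, since wp-config.php is often deliberately kept at 600/640; the fixer leaves that file alone.

```shell
# Added example (not from the original post). ROOT is the Wordpress
# root directory you pass as the first argument.

audit_perms() {  # usage: audit_perms ROOT
  # Anything printed here deviates from the 755/644 baseline.
  find "$1" -type d ! -perm 755 | sed 's/^/DIR  /'
  find "$1" -type f ! -perm 644 | sed 's/^/FILE /'
}

fix_perms() {  # usage: fix_perms ROOT
  # Directories become 755, files 644 (no execute bit on any file).
  # wp-config.php is skipped so a tighter mode on it is not loosened.
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f ! -name wp-config.php -exec chmod 644 {} +
}
```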


Step 2: Check Recent Changes To Files

For this step you need SSH access. The following command lists the PHP files whose content or metadata changed in the last 3 days. Do this for both PHP and JS files.

find . -type f -name '*.php' -ctime -3

or, to show files whose content was modified in the last 3 days, with details:

find /home/yourdirectory/yoursite/ -mtime -3 -ls

You have a backup, so get rid of those weird folders with random strings and those random PHP files.

This step is mostly about getting rid of the obvious files manually. Don’t spend too long on it; what we really want to know is whether these random PHP files are being continuously generated.
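To make that last check concrete, here is an added example (not from the original post) that lists PHP and JS files changed in the last N days under the root you pass in, and compares two inventories taken a few minutes apart so that anything that reappears after you delete it stands out. It assumes POSIX sh with find, sort and comm.

```shell
# Added example (not from the original post). ROOT is the site root.

recent_files() {  # usage: recent_files ROOT [DAYS]   (DAYS defaults to 3)
  # -mtime -N matches files modified less than N*24h ago. mtime can be
  # back-dated with touch, so also run the post's -ctime variant, which
  # records inode changes and cannot be set that way.
  find "$1" -type f \( -name '*.php' -o -name '*.js' \) -mtime -"${2:-3}" | sort
}

snapshot_php_js() {  # usage: snapshot_php_js ROOT OUTFILE
  # Sorted inventory of every PHP/JS file, written to OUTFILE.
  find "$1" -type f \( -name '*.php' -o -name '*.js' \) | sort > "$2"
}

new_since() {  # usage: new_since OLD_SNAPSHOT NEW_SNAPSHOT
  # Files present only in the newer inventory. Take one snapshot right after
  # cleanup and another a few minutes later; anything printed here was
  # dropped again in between, so something on the server is still active.
  comm -13 "$1" "$2"
}
```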


Step 3: New /wp-admin and /wp-includes - Reinstalling WP Core Files

It’s likely your /wp-admin and /wp-includes folders have been damaged, so let’s go ahead and replace those. In order to not mess up our site, we need to find out what Wordpress version we are running. One method of doing this is by viewing the source code and searching for a meta tag that will give us the wordpress version. For example:

<meta name="generator" content="WordPress 6.1.1" />

The next step is to go to Wordpress.org and download the corresponding version.

Now erase the /wp-admin and /wp-includes folders and put the newly downloaded folders in their place. Do not copy the new files over the old ones; we want to erase first and then write, so that no stray files from the hack survive in those folders.


Step 4: Log In & Cleanup

I recommend using the Wordfence plugin for this step. Once you are logged in, go to Options and make sure the option to scan all files outside of the Wordpress installation is checked. You might also want to disable the option to pause the scan while the window is inactive. You will now get a list of files that shouldn’t be there. Click on either Repair or Delete for each case. You will also get a list of outdated plugins and themes. If you are not using one, erase it. If you are using it, make sure it’s safe. You can use Patchstack to look up a plugin or theme and check whether it has a known vulnerability.


Step 5: Wordpress Content

By this point your site should be working or partially working, but we are not done. We still need to look into the /wp-content folder. This is not a folder we can erase and replace. Wordfence should have caught 99%-100% of the malicious files. Check your theme header and footer PHP files and make sure there is no malicious code.

Log in using SSH and do a search for base64 or any suspicious string you have been seeing.

grep -ril base64 *

The command above will search the contents of files recursively and list all the files that include the pattern you specified. To identify potential backdoors, check for the following.

  • base64
  • exec
  • move_uploaded_file
  • str_rot13
  • gzuncompress
  • eval
  • stripslashes
  • system
  • assert
  • preg_replace (with the /e modifier)

⚠️IMPORTANT! Not all files that have base64 are malicious, so be aware of that. Some plugins use these functions in order to handle certain operations. You could double check by downloading the original plugin and comparing it to what you have on your site.
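The grep-then-compare workflow above, as an added example that is not part of the original post: scan a plugin or theme directory for the indicators in the list, then keep only the hits in files that differ from, or are missing in, a clean copy of the same plugin that you downloaded separately. Both directories are arguments; it assumes POSIX sh with find, grep -E, cut and cmp.

```shell
# Added example (not from the original post).

scan_suspicious() {  # usage: scan_suspicious DIR   -> file:line:text
  # Patterns follow the post's list; the last one only matches
  # preg_replace calls whose regex ends with the /e modifier.
  find "${1%/}" -type f -name '*.php' -exec grep -HEn \
    -e 'base64' \
    -e '(^|[^[:alnum:]_])(exec|eval|system|assert)[[:space:]]*\(' \
    -e 'move_uploaded_file|str_rot13|gzuncompress|stripslashes' \
    -e "preg_replace.*/e[\"']" \
    {} +
}

triage_hits() {  # usage: triage_hits LIVE_PLUGIN_DIR CLEAN_PLUGIN_DIR
  live=${1%/}; clean=${2%/}
  # A flagged file that is byte-identical to the vendor's copy is a false
  # positive (the plugin legitimately uses that function). Only files that
  # differ from, or do not exist in, the clean copy are reported.
  # Paths containing ':' would confuse the cut below.
  scan_suspicious "$live" | cut -d: -f1 | sort -u | while read -r f; do
    rel=${f#"$live"/}
    if [ ! -f "$clean/$rel" ]; then
      echo "NEW  $rel"
    elif ! cmp -s "$f" "$clean/$rel"; then
      echo "DIFF $rel"
    fi
  done
}
```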


Next Steps

The site should be mostly clean by now, or even clean already…but… It could happen again, right? Right! So take a look at your admin user accounts. Sometimes hackers leave a user account in place to mess with you later on. Don’t forget about plugins and themes. It’s very likely one of them was the culprit; in fact, most of the time that is the case. Don’t forget to take a quick look at your Posts and Pages either. Sometimes JS code or iframes are inserted into them and cause redirects.


Recommendations

One thing I like to avoid is cheap hosting. Cheap hosting not only gets slow after a few months, which hurts SEO and Core Web Vitals, but also tends to get attacked frequently.

I would recommend a VPS with some sort of Wordpress administration service for more security. I avoid cPanel because it’s targeted a lot, and once one site in a cPanel account gets hacked, usually all the sites in it get hacked. Guess what happens next… Your cPanel is now a spam server.

Recommendations could go on and on when it comes to hardening your Wordpress site: hide your WP version, disable XML-RPC, etc.

Don’t forget to back up!

Need Help?

You can always reach me at 📧 [email protected]