WordPress Security Guide Step by Step: Recovering and Fixing a Hacked Website
In part one of our WordPress Security Guide, we discussed how to identify and audit backdoor intrusions, malware, and hacking symptoms.
Now, in part two, we will focus on the step-by-step approach to recovering and fixing a hacked WordPress website. In order to protect your website from further harm and potential vulnerabilities, you must act quickly and effectively.
Step #01: Stay Calm and Focused
Keep in mind that bad things do happen, so you shouldn’t panic. You can effectively address the issue at hand and minimize the impact of the hack by remaining calm and focused.
Step #02: Put the Website in Maintenance Mode
If you can still access the admin dashboard, install a maintenance mode plugin or check if your hosting provider offers a built-in feature. In case you can’t access the dashboard, use cPanel credentials to log in and activate maintenance mode. If you have been hired to fix the hacked WordPress website, communicate with the client beforehand.
Step #03: Backup the WordPress Installation
Create a backup of your entire WordPress installation with a dependable backup plugin. Store the reinforcement documents in a secure area, like an outer drive. Alternately, you can download the backup files by utilizing the built-in Backup Manager Wizard in cPanel.
Step #04: Enhance Login Security
Install two essential plugins: “Limit Login Attempts Reloaded” to restrict login attempts, and “Change wp-admin login URL” to modify the default login URL. These measures will enhance the security of your website against brute force attacks.
Step #05: Verify and Update General Settings
Access the WP Admin Dashboard and navigate to Settings > General. Verify that the email and site addresses are correct. If you cannot access the dashboard, use phpMyAdmin via cPanel to access the options and users table. Make the necessary changes accordingly.
Step #06: Delete Suspicious Users
In the WP Admin Dashboard, click on Users and carefully review the list of users. Delete any suspicious or unauthorized user accounts. This step ensures that only trusted individuals have access to the website’s backend.
Step #07: Remove Inactive and Fake Plugins/Themes
Delete all inactive or suspicious plugins and themes from your WordPress installation. Prioritize updating all plugins and themes from the Admin Dashboard before proceeding with manual removal.
Step #08: Upload Fresh Copies of Core Files
Using cPanel’s upload feature or FTP/SFTP, upload fresh copies of WordPress core files, themes, and plugins in a zipped format. Delete the old directories and unzip the fresh files in the same directory. Verify and delete any unnecessary files in the root directory and check all relevant directories for any anomalies.
Step #09: Scan for Malware
Install the “Anti Malware” plugin by GOTMLS and perform a thorough scan of your website. Delete any suspicious files identified during the scan. While there are other malware scanning plugins available, this particular plugin is recommended for its effectiveness.
Step #10: Verify Files and Logs
Login to cPanel and visually inspect files, paying particular attention to newly uploaded files. Examine log files to identify any suspicious activities or entries that could indicate a potential security breach.
Step #11: Optimize and Repair the Database
Access phpMyAdmin and optimize or repair your WordPress database. If you’re unfamiliar with database operations, consider using plugins designed for this purpose. Delete any unnecessary or suspicious entries, leftovers, or transients to ensure a clean and efficient database.
Step #12: Review and Secure Configuration Files
Open wp-config.php, .htaccess, and robots.txt files in a text editor and verify their integrity through checksum comparison. Change the salt keys within wp-config.php for enhanced security. If you encounter difficulties editing these files, investigate the root cause or seek assistance from your web hosting provider.
Step #13: Manual Investigation
Perform a meticulous manual investigation of all folders, directories, and files in your WordPress installation. Look for any unauthorized modifications, suspicious code, or hidden backdoors that may have been inserted by the hacker.
Step #14: Enable Hotlinking and Leeching Protection
If your web hosting provider offers hotlinking and leeching protection utilities, enable them to prevent unauthorized access and resource abuse. For beginners, there are plugins available that simplify the process of enabling these protections.
Step #15: Delete Unnecessary Content
From the Admin Dashboard, review and delete any unnecessary pages, posts, categories, tags, links, and media items. This can also be done via phpMyAdmin if preferred. Additionally, consider changing the database table prefix for added security.
Step #16: Update Sitemap and Robots.txt
Locate the sitemap.xml and robots.txt files in cPanel and open them in a text editor for analysis. Create a new sitemap manually, ensuring it includes only legitimate and relevant URLs. Resubmit the cleaned sitemap to search engines for indexing. If necessary, plugins are available for beginners to simplify this process.
Step #17: Verify Google Webmaster Console
If you have access to the Google Webmaster Console, log in and follow the provided video tutorial to unverify fake owners and inspect URLs. Utilize the console to access additional security statistics and ensure your website’s integrity.
Step #18: Inspect Files for Suspicious Code
Inspect each file individually, searching for potentially harmful code snippets. Pay attention to keywords like “exec,” “system,” “assert,” “base64,” “str_rot13,” “gzuncompress,” “eval,” “tripslashes,” and “preg_replace” (with “/e/”). These keywords often indicate malicious intent and should be thoroughly reviewed.
Step #19: Protect Critical Files
.htaccess, wp-config.php, and robots.txt are critical files that require enhanced protection. Edit these files to implement additional security measures, safeguarding them against unauthorized access and modifications.
Step #20: Update Credentials
Change all credentials, including passwords, from your PC to the web server. This step should be performed promptly to prevent further unauthorized access. Don’t forget to update email account passwords associated with the WordPress website as well.
Step #21: Scan and Monitor Website Behavior
Rescan your website using security plugins such as Sucuri Security or iThemes Security. Analyze the results and monitor the behavior of your website closely to ensure there are no residual vulnerabilities or suspicious activities.
Step #22: Reindex Website on Search Engines
Once you have resolved the security issues and made the necessary improvements, resubmit your website to search engines for reindexing. This step ensures that search engines recognize the updated and secured version of your website.
Recovering and fixing a hacked WordPress website requires a systematic and diligent approach. By following the step-by-step guide outlined in this article, you can regain control of your website and strengthen its security posture. Remember to prioritize proactive security measures to prevent future hacks and regularly update and monitor your WordPress installation for optimal protection.