You love selling your toy poodle figurines and handmade cross-stitch projects on your WordPress site with WooCommerce. The time you spend crafting your wares while thinking about the happiness they’ll bring your customers is soothing and relaxing. Then, one morning you wake up to an email that says “Your Site’s Been Compromised.” You get another notification that your site has been blacklisted. Then yet another from your bank letting you know someone tried to log in to your online banking account. You realize that, somehow, you have a hacked WordPress site.
Hacked WordPress Site?
If your WordPress site has been hacked, here are the steps to take.
There’s not much worse for a business owner than having a source of revenue shut off, especially when it’s the only source. This means you’ll likely be stressed out and emotional.
Don’t be. To get your site up-and-running quickly, it’s best to stay calm.
Scan Your Site
You can’t fix the problem if you don’t know what you need to fix. For this step, there are two kinds of scan: local and remote.
A local scanner usually comes in the form of a plugin. It reads every file on your server that it has permission to read, compares them against known-good copies and known malware signatures, and gives you a report of the ones it thinks have been tampered with. Since a local scanner lives on your website, I’m guessing you can surmise what a remote scan entails.
That’s right! A remote scan fetches your pages from the outside, the way a visitor’s browser would, and follows the links it finds. It’s looking for anything out of the ordinary in the HTML your site serves: injected scripts and iframes, links to known bad sites, spam keywords, and other markers of malware. Neither kind is complete on its own. A remote scan only sees what your site chooses to show the public, so a backdoor that prints nothing is invisible to it, and a local scanner can be blinded if the attacker has tampered with WordPress or with the scanning plugin itself. Run both.
We recommend using MalCare first to scan your hacked WordPress site to get an idea of what needs to be fixed.
Scan Your Computer
The attack vector isn’t necessarily a vulnerability in your site; it could be a vulnerability in your local computer. Often, a person of malicious intent (a “hacker”) will send you an email that gets you to click a link that downloads code they’ve written. This code could do several things, but most commonly it logs your keystrokes and sends username/password combinations back to them, and it will happily grab any credentials your FTP client has saved as well. This is why cleaning the site without cleaning the computer just gets you hacked again.
There’s a company called AVG that we recommend for both PC and Mac. Their anti-virus solution can be downloaded for free and is a great solution. They also have other products that help keep your local environment clean and virus free!
Talk to Your Hosting Company
Talking to your hosting company about your hacked WordPress site is especially important when you’re on a shared host. Hosting providers really want to know when a site on their server is hacked. They want to know this because they want to help you find a resolution.
However, that’s not the only reason. Your hosting company will want to know you’ve been compromised because it can affect other sites. When you don’t have your own server (shared hosting) there are extra risks to you and to everyone else on that same server.
Your site may not have been the end target – they may have used you to gain entry to another site. For this reason alone, you should at least notify your host. This still applies even if you think you can handle eradicating the malware on your own.
When you talk to them, let them know the results of the scans you did, and what made you suspect you were compromised in the first place. While you have them, ask for the web server and FTP/SSH access logs covering the days before you noticed; they are your best chance of finding out how the attacker got in, and they often get rotated away within a week or two.
Create a Backup
Before we start actually taking any steps toward fixing your site, there’s one last step. We need somewhere to come back to in case something breaks later, and a record of what the attacker left behind. Create a full backup of both the files and the database, and label it clearly as the infected copy: it’s there so you can roll back or investigate, not something to restore from. Creating a backup is pretty simple and is typically included with most hosting.
If you don’t have the ability to create a backup via your host, there are several plugins that will help you do that. Using Orion by ManageWP is also another option for free, on-demand backups.
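Here is an added example of taking that snapshot from the command line; it’s not code from the original post or from any hosting company or plugin. It assumes you have shell access, that the site root contains wp-config.php, and that the backup directory you give it is outside the web root (a database dump sitting inside public_html is downloadable by anyone who guesses the name). The database step runs only if mysqldump is installed; otherwise only the files are archived.

```shell
#!/bin/sh
# Snapshot a possibly compromised WordPress install before touching it.
# Added example for this article; assumes shell access and a writable
# backup directory OUTSIDE the web root.
set -u

# Read a define('KEY', 'value') constant out of wp-config.php.
# $1 = path to wp-config.php, $2 = constant name, e.g. DB_NAME
wp_config_value() {
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# sha256sum on Linux, shasum on macOS.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# Archive every file in the site root and dump the database it points at.
# $1 = site root (the folder holding wp-config.php), $2 = backup directory
# Prints the path of the file archive.
backup_site() {
  root=$1
  out=$2
  stamp=$(date +%Y%m%d-%H%M%S)
  mkdir -p "$out"
  chmod 700 "$out"

  # Files, including wp-content and wp-config.php. This is evidence of the
  # infected state and a rollback point, not something to restore as-is.
  tar -czf "$out/files-$stamp.tar.gz" -C "$root" .

  # Database, using the same credentials WordPress itself uses.
  if command -v mysqldump >/dev/null 2>&1; then
    cfg="$root/wp-config.php"
    db=$(wp_config_value "$cfg" DB_NAME)
    user=$(wp_config_value "$cfg" DB_USER)
    pass=$(wp_config_value "$cfg" DB_PASSWORD)
    host=$(wp_config_value "$cfg" DB_HOST)
    MYSQL_PWD=$pass mysqldump --single-transaction -h "${host:-localhost}" \
      -u "$user" "$db" | gzip > "$out/db-$stamp.sql.gz"
  else
    echo "mysqldump not found; only the files were archived" >&2
  fi

  # Hash the archive so you can later show the evidence was not altered.
  (cd "$out" && hash_file "files-$stamp.tar.gz" > "files-$stamp.tar.gz.sha256")
  echo "$out/files-$stamp.tar.gz"
}

# Usage: sh backup.sh /var/www/html /home/you/backups
if [ $# -eq 2 ]; then
  backup_site "$1" "$2"
fi
```

Keep the archive and its hash somewhere the attacker can’t reach. If you later restore anything from it, restore only wp-content/uploads and the database, and only after checking them, because everything in this snapshot is suspect.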
Let’s Fix Your Hacked WordPress Site
Now that you’re here, you should have done some meditation, scanned the site and your computer, talked with your host, and taken a backup. The next thing on our checklist is to fix your hacked WordPress site.
Use the Scan Reports
Most of the time, whatever you used for scanning will give you the exact files that have been infected. Or, at a minimum, it will tell you which files aren’t as they should be. This gives you a great starting place by telling you which files to look at first. Note the modification times on those files too: other files changed within the same few minutes deserve a look even if the scanner didn’t flag them.
Replace Core Files
To begin each cleanup, we replace all files in the wp-admin and wp-includes folders. These folders are very often targeted, and they contain nothing specific to your site, so they can be replaced safely without harming your installation. Download a fresh copy of WordPress (if you aren’t on the latest release, grab the release matching the one you’re running from the release archive so the files agree, and update the normal way once the site is clean), then upload it with an SFTP client like FileZilla. Use SFTP rather than plain FTP, since FTP sends your password across the network in the clear. Two caveats. First, uploading over the top of the existing folders only overwrites files that exist in the fresh copy; anything the attacker added will still be sitting there afterwards, so delete wp-admin and wp-includes entirely before uploading the clean ones. Second, never overwrite wp-config.php or wp-content, which hold your settings, themes, plugins and uploads. If you have shell access, the WP-CLI command wp core verify-checksums compares every core file against the official checksums and lists anything modified or unexpected.
Revert Your Theme
Frequently we find that hackers have used your theme’s functions.php file to inject code, because it runs on every page load and rarely gets looked at. Hopefully you follow best practices and haven’t modified your theme files directly (customizations belong in a child theme). If that’s the case, download a fresh copy of the theme from its original source and upload it to the wp-content/themes folder to make sure all the files are as they’re meant to be. As with the core folders, delete the existing theme folder first rather than overwriting it, so any files the attacker added go with it, and give your plugins the same treatment. While you’re in there, delete any themes and plugins you aren’t using: inactive doesn’t mean unreachable.
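As an added example (not the post’s own code, nor MalCare’s) of what “checking the files are as they’re meant to be” looks like when you have shell access, the script below compares a folder from a fresh download against the same folder on the live site, and works the same for wp-includes, a theme or a plugin. It assumes the clean copy has already been unzipped somewhere on the server. The pattern list in suspicious_php is a triage heuristic I chose for this example, not a malware definition; it will flag legitimate code that happens to use those functions, so read before you delete.

```shell
#!/bin/sh
# Compare a clean copy of a WordPress folder (wp-includes, a theme, a
# plugin) against the live one. Added example for this article; assumes
# the clean copy was unzipped somewhere the script can read.
set -u
export LC_ALL=C   # byte-wise sorting so comm gets consistently ordered input

# Sorted list of files under a directory, relative to it.
list_files() {
  (cd "$1" && find . -type f | sort)
}

# Files that exist on the live site ($2) but not in the clean copy ($1).
# Nothing here came from the official download: every line is either a
# file you added yourself or a file the attacker did.
extra_files() {
  a=$(mktemp)
  b=$(mktemp)
  list_files "$1" > "$a"
  list_files "$2" > "$b"
  comm -13 "$a" "$b"
  rm -f "$a" "$b"
}

# Files present in both copies whose contents differ (injected code).
modified_files() {
  list_files "$1" | while IFS= read -r f; do
    if [ -f "$2/$f" ] && ! cmp -s "$1/$f" "$2/$f"; then
      printf '%s\n' "$f"
    fi
  done
}

# PHP files in the uploads folder. That folder is for media; a PHP file
# there is rarely legitimate and is the classic place for a dropped web
# shell, so inspect every hit.  $1 = site root
php_in_uploads() {
  find "$1/wp-content/uploads" -type f \
    \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) 2>/dev/null
}

# Triage heuristic: PHP files calling functions that obfuscated payloads
# lean on. Legitimate plugins use some of these too.  $1 = directory
suspicious_php() {
  grep -rlE --include='*.php' \
    '(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13|system|shell_exec|passthru|exec)[[:space:]]*\(' \
    "$1" 2>/dev/null
}

# Usage: sh compare.sh /tmp/wordpress/wp-includes /var/www/html/wp-includes
if [ $# -eq 2 ]; then
  echo "== files only on the live site =="; extra_files "$1" "$2"
  echo "== files that differ from the clean copy =="; modified_files "$1" "$2"
  echo "== files with suspicious calls =="; suspicious_php "$2"
fi
```

Run it once with the fresh wp-includes against the live one, then once per theme and plugin, and run php_in_uploads against the site root. Anything extra_files lists is a file the original download never shipped; look at it before deleting it, because its name and contents (a web shell, a mailer, a redirect) tell you what the attacker was after.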
Get Help If You Need It
At this point you have looked at all the files on the scan reports, replaced core files, and reverted your theme. If you’re still having issues and think your site might still be compromised, it might be advantageous to get help from WordPress Security Experts (like those we have in-house).
After Your Hacked WordPress Site is Fixed
Reset & Improve All Access Controls
Resetting all access means more than just your own user login. Reset your WordPress password and those of everyone with an account on your site (at minimum, the administrators), and look through the user list while you’re there: delete any administrator you don’t recognize, since adding one is among the first things most attackers do. Then update your cPanel/Plesk password, the passwords of the MySQL users (and the copy in wp-config.php), and the FTP/SSH users. Any API keys the site stores, such as payment gateway credentials, should be rotated too.
But before you go changing the password, let’s talk about what makes a good password.
Improving Access Controls
You should aim for a total length of at least 16 characters; length matters more than anything else. Passwords should contain lower and uppercase letters, numbers, and special characters. A good password doesn’t consist of dictionary words spelled out (i.e. DinosaurDragon). Swapping in look-alike digits and symbols for letters helps less than you’d think: the cracking tools attackers use try those substitutions automatically, so treat them as a small bonus, not a fix. A long, randomly generated password beats any clever scheme.
Tools like LastPass will generate random passwords for you and store them in a master vault. Cheers for only needing to remember one password and being secure!
Adding an additional layer of security and access control is always a good thing. Two-factor authentication (2FA) adds an extra step to logging in, and with it a layer of security: a stolen password alone is no longer enough.
For those of you who haven’t come in contact with 2FA, the process is pretty simple. You either set up an authenticator app like Google Authenticator on your phone, which generates a fresh code every 30 seconds, or the site sends you a code by text or email every time you attempt to log in. An authenticator app (or a hardware key) is the stronger choice, since text messages and email accounts can themselves be intercepted or taken over. WordPress doesn’t include 2FA out of the box, so you’ll need a plugin for it. By taking this extra step, you’re ensuring you are the only one that can use your login. Or at a minimum, you’ll have to approve your login being used.
Reset Your WordPress Secret Keys
Your next step in fixing a hacked WordPress site is logging everyone out, including the attacker. WordPress signs its login cookies with the secret keys and salts in wp-config.php, so changing them invalidates every existing session at once. Doing this is pretty simple: fetch a fresh set from the WordPress key generator at https://api.wordpress.org/secret-key/1.1/salt/ and replace the eight define() lines in wp-config.php with the new ones. Do this after the cleanup, not before: while a backdoor is still on the server, the attacker can simply read the new keys back out of wp-config.php.
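For those with shell access, here is an added example (not code from the original post or from WordPress) that does the same thing offline: it draws eight new values from /dev/urandom and rewrites the define() lines in place. It assumes wp-config.php uses the standard define( 'AUTH_KEY', '...' ) form, and that the backup directory you pass is outside the web root, because the old config holds your database password and a stray wp-config.php.bak inside the web root is served as plain text to anyone who asks for it.

```shell
#!/bin/sh
# Rotate the WordPress secret keys and salts in wp-config.php, which
# invalidates every login cookie. Added example for this article.
set -u

WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# One 64-character value from the OS random source. The alphabet leaves
# out quotes, backslash, brackets, & and | so the value can go straight
# into a single-quoted PHP string and a sed replacement without escaping.
new_salt() {
  LC_ALL=C tr -dc 'A-Za-z0-9!#$%()*+,./:;<=>?@^_{}~-' < /dev/urandom | head -c 64
}

# Verify every key is defined exactly once and no placeholder survives.
# $1 = path to wp-config.php
check_salts() {
  ok=0
  for k in $WP_KEYS; do
    n=$(grep -c "define([[:space:]]*['\"]$k['\"]" "$1")
    if [ "$n" -ne 1 ]; then
      echo "$k: found $n definition(s), expected 1" >&2
      ok=1
    fi
  done
  if grep -q 'put your unique phrase here' "$1"; then
    echo "placeholder salts still present" >&2
    ok=1
  fi
  return $ok
}

# Rewrite each define('<KEY>', '...') line with a fresh value.
# $1 = path to wp-config.php
# $2 = directory OUTSIDE the web root for a copy of the old file
rotate_salts() {
  cfg=$1
  bakdir=$2
  mkdir -p "$bakdir"
  chmod 700 "$bakdir"
  cp -p "$cfg" "$bakdir/wp-config.php.$(date +%Y%m%d-%H%M%S)"
  tmp=$(mktemp)
  cp "$cfg" "$tmp"
  for k in $WP_KEYS; do
    s=$(new_salt)
    # The quote before $k stops AUTH_KEY from also matching SECURE_AUTH_KEY.
    sed "s|^[[:space:]]*define([[:space:]]*['\"]$k['\"].*|define( '$k', '$s' );|" "$tmp" > "$tmp.new"
    mv "$tmp.new" "$tmp"
  done
  # Write back through the existing file so its owner and permissions survive.
  cat "$tmp" > "$cfg"
  rm -f "$tmp"
  check_salts "$cfg"
}

# Usage: sh rotate-salts.sh /var/www/html/wp-config.php /home/you/backups
if [ $# -eq 2 ]; then
  rotate_salts "$1" "$2" && echo "keys rotated; every session is now logged out"
fi
```

The eight values are written in the same define( 'KEY', 'value' ) form the generator produces, and check_salts confirms afterwards that each key appears exactly once and the stock placeholder is gone. Rotating the keys does not change anyone’s password; it only forces everyone to log in again, which is why it belongs right after the password resets above.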
Harden Your Installation
Now that you’ve reset your hacked WordPress site to its original state, you should take steps to secure your WordPress installation. Taking proactive steps now will make it harder to have your site compromised in the future.