Whether you’re starting a blog, you own a small business that needs a web presence, or you’re looking for a new CMS platform, you’ve likely run into WordPress a time or two. It’s the most popular content management system in the world, with nearly 75 million websites. That’s why it’s vital to know how to clean hacked WordPress sites when bad guys strike.
Sucuri is a free plugin that you can utilize in WordPress to ensure your site is clean in just a few simple steps. It’s not going to work perfectly for every site every time because hackers are incredibly advanced these days, but it will certainly get you headed in the right direction. There’s a helpful support section where you can try to solve more complicated problems as well.
For our purposes, we’ll go over the basic steps to get you as close to a completely clean hacked WordPress site as possible. Since we don’t know your situation, we can’t get you to a perfect solution, but we can get you close and give you the tools to figure out the rest. Remember, if you ever get stuck, you can head to Sucuri’s website for some professional help.
Step 1: Install and Use the Remote Scanner
When hackers strike, it’s typically to allow them to distribute malware or spam from your site, which means that your whole website might be compromised. By utilizing the free remote scanner tool from Sucuri, called SiteCheck, you’ll be able to identify infected areas of your site quickly.
You’ll need to install the plugin first. After that, you can click on “Sucuri-Free/ Sucuri Scanner” to begin the remote scan from the safety of your WordPress dashboard. Infected sites will send out a warning message to you that will say something like “Site Compromised” or “Malware Identified” so that you know where the problem lies.
If you get such a message, then you will also receive a link that gives you more details about the problem and the actual malicious string so that you have both for reference. You’ll want to save these details for later.
If you don’t get any detections, then you can move on to other tests to help ensure the safety of your hacked WordPress sites.
Step 2: Check for Modifications to WordPress Core Files
If you’ve been using WordPress for a while, then you’re probably aware that you should never alter the core files. Hackers will sometimes modify these files to fit their needs, which means it’s vital to check them out if you’ve had your WordPress website hacked.
To ensure these files are clean, you should head to “Sucuri-Free/ WordPress Integrity.” All you have to do is click on the first link titled “Verify Integrity of WordPress Core Files” to get a list of all files that aren’t supposed to exist.
You may find that the hackers modified some of your core files. In this case, you’ll want to reinstall WordPress manually. You’ll want to do this by removing all of your top files first and then reinstalling them from a clean source. Make sure you get all wp-admin and wp-includes files as you’re removing and reinstalling to ensure a clean site.
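The same kind of check can be run by hand against a clean download of the WordPress version you are running. The sketch below is an added example, not Sucuri's code: it hashes every file under wp-admin and wp-includes in both copies and reports what was changed, removed, or added. The function names and the sample trees built in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")  # directories that hold only core code


def build_manifest(root):
    """Map relative path -> SHA-256 for every file under the core directories."""
    root, manifest = Path(root), {}
    for core_dir in CORE_DIRS:
        for path in sorted((root / core_dir).rglob("*")):
            if path.is_file():
                digest = hashlib.sha256(path.read_bytes()).hexdigest()
                manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def compare_core(live_root, clean_root):
    """Return (modified, missing, unexpected) core files on the live site."""
    clean, live = build_manifest(clean_root), build_manifest(live_root)
    modified = sorted(p for p in clean if p in live and live[p] != clean[p])
    missing = sorted(p for p in clean if p not in live)
    unexpected = sorted(p for p in live if p not in clean)
    return modified, missing, unexpected


def demo():
    """Constructed sample trees: a clean copy and a tampered live copy."""
    files = {
        "wp-admin/index.php": "<?php // admin entry point\n",
        "wp-includes/version.php": "<?php // version info\n",
        "wp-includes/load.php": "<?php // bootstrap\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for tree in ("clean", "live"):
            for rel, body in files.items():
                target = Path(tmp, tree, rel)
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(body)
        live = Path(tmp, "live")
        (live / "wp-includes/load.php").write_text("<?php // bootstrap, altered\n")
        (live / "wp-includes/version.php").unlink()
        (live / "wp-includes/extra.php").write_text("<?php // not in clean copy\n")
        return compare_core(live, Path(tmp, "clean"))


if __name__ == "__main__":
    print(dict(zip(("modified", "missing", "unexpected"), demo())))
```

Any entry in the "unexpected" list deserves attention first, since wp-admin and wp-includes should contain nothing beyond what the clean copy ships.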
Step 3: Look for Recently Modified Files
Once you are certain your core files are intact, or you’ve reinstalled them, you will need to look in one last location for hacker modifications. Hackers can use plugins and themes to do their dirty work as well, which means you’ll want to ensure those files are clean on your site.
You’ll need to start by heading back to “Sucuri-Free/ WordPress Integrity” on your site’s dashboard. Then you’ll want to click on the second test in the list, which is called “Latest Modified Files.” You’ll want to check out any modified files from the last seven days for sure, but you can go back up to 30 days if you’re hoping to dig deep.
This step is where things can get a little dicey. You might have a ton of compromised files on your hands, and in that case, it will almost certainly be easier for you to remove them all and reinstall them by hand. Plugins are generally just plug-and-play, so in that sense, this isn’t a tough step, but if you have a customized theme, that can be a problem.
You should always ensure that you have a backup of your customized theme somewhere else, but if you don’t, then you’ll have to re-customize it once you’ve installed it again. That can take time, and it’s a pain, but hopefully, it’s worth it, in the end, to have a clean and beautiful site again.
If it’s only a thing or two in your theme that the hackers added to serve up some severe malware, then you can usually fix that easily by removing the bad code. You can use the information on the malicious string from our first step to recognize that code and remove it manually.
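If you have file access to the server, the seven-day and 30-day review can also be done outside the dashboard. The following is an added example, not part of the Sucuri plugin: it walks the plugins and themes folders under wp-content and groups recently modified files by the plugin or theme that owns them, so you can see which ones to reinstall. The directory names in `demo()` are constructed sample data.

```python
import os
import tempfile
import time
from pathlib import Path

DAY = 86400  # seconds


def recent_changes(wp_content, days=7, now=None):
    """Group files modified within `days` by the plugin or theme that owns them."""
    now = time.time() if now is None else now
    cutoff = now - days * DAY
    wp_content = Path(wp_content)
    changed = {}
    for kind in ("plugins", "themes"):
        for path in sorted((wp_content / kind).rglob("*")):
            if path.is_file() and path.stat().st_mtime >= cutoff:
                rel = path.relative_to(wp_content)
                owner = "/".join(rel.parts[:2])  # e.g. plugins/sample-forms
                changed.setdefault(owner, []).append(rel.as_posix())
    return changed


def demo():
    """Constructed wp-content tree with file ages (in days) set via os.utime."""
    ages = {
        "plugins/sample-forms/forms.php": 2,
        "plugins/sample-forms/readme.txt": 200,
        "themes/sample-theme/functions.php": 20,
        "themes/sample-theme/style.css": 400,
    }
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        for rel, age in ages.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text("placeholder\n")
            os.utime(target, (now - age * DAY, now - age * DAY))
        return recent_changes(tmp, 7, now), recent_changes(tmp, 30, now)


if __name__ == "__main__":
    week, month = demo()
    print("last 7 days:", week)
    print("last 30 days:", month)
```

Modification times can be rewritten by anyone with write access to the files, so treat an empty result as inconclusive rather than as proof that nothing changed.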
Step 4: Admin Investigation
We’ve all experienced the dangers of stolen passwords. A hacker getting ahold of one of your admin’s passwords is often the reason for the initial breach, which means you’ll want to investigate.
Head back to the “Sucuri-Free/ WordPress Integrity” area to access the “Admin List Dump” section. This section can help you to see every user that logged into your site. It will also show the user’s IP address and the time when they logged into the site. All of this information can be beneficial to you in finding out where the leak happened.
It’s important to note that the plugin can only see this information as far back as its installation, which means that installing it after you’re hacked will leave you without much hope for solving the when and where questions. This feature is so beneficial that we recommend installing this plugin just for that option; even if you never get hacked, or you catch it early, this feature helps.
Step 5: Password and Secret Key Resets
One last great part of the Sucuri plugin is its “Post Hack” features, which allow you to reset all secret keys and passwords for every user on the site. You should always run this on your clean hacked WordPress site to ensure your site is safer from future hackers.
Make sure you utilize this tool to double-check that all email addresses for all users are the same as they originally were. Modifications may be a hacker’s way of getting back into the system. In that case, a simple password reset won’t necessarily help, so this is an essential step.
Hardening Your Site with Sucuri
Now that your hacked WordPress sites are clean, you’ll want to take some steps to ensure that your sites are less likely to fall victim to hackers in the future. If you head to your dashboard and check the Sucuri plugin, you’ll find an option for “Sucuri-Free/ 1-Click Hardening,” which will give you several options to help harden your site against future threats.
The hardening protocols that Sucuri uses will prevent any malicious PHP files from executing directly within the content of your site. It’s not a perfect solution, but it does help to keep you safer than you were before.
Other Steps to Keep Your Site Safe
We’ve seen plenty of hacked WordPress sites as the CMS grows in popularity, but there are always ways to prevent it from happening. Below are a few additional suggestions on how to keep your WordPress site safe:
- Install Sucuri before you get hacked for maximum help
- Run hardening options early on in the development of your site
- Keep a backup of any customized themes or content on another site or offline
- Ensure all admins have excellent passwords with capital letters, numbers, and special characters that are difficult to guess
- Force password changes for admins every few months
- Stay up-to-date on hacker news
- Install a Web Application Firewall (WAF) for maximum protection
This list is not exhaustive. There are other measures you’ll want to take to ensure that your site is completely clean and ready to go again. Those measures include double-checking your posts, pages, and widgets to ensure none of them have malicious modifications or spam spreaders.
You’ll also want to check out your servers to ensure there isn’t anything hinky going on there. Hackers are skilled at what they do, and that means you’ll need a certain level of skill to counteract their antics.
Don’t forget that you can always get professional help from Sucuri as well if you feel like you’re stuck with the free plugin. Hopefully, the SiteCheck plugin can help to keep your WordPress site intact and also help you to clean it up if you ever end up hacked.
Sucuri’s free plugin can do so much for your WordPress website that we highly recommend installing it every time you look at a new WordPress site. This recommendation holds even if it’ll just be a personal blog or a site for your immediate family to see. They make avoiding and cleaning up after hackers look easy.