How to Clean a Hacked WordPress Site
Do you have a hacked WordPress Website?
No matter, how much popular CMS(Control Management System) you are using – WordPress, Drupal, Joomla, etc. – any of them can get hacked.
Steps to removing malware, spam, and other hacks from WordPress.
Getting hacked is among the most worsed and discouraging experiences as a website owner. No matter how much you secure your websites, there is always a loophole in your site that helps to hack your websites. Forbes says, “about 30,000 websites are infected every day, and who knows the next target is yours.”
Think for a while; you worked hard, and the website is getting more traffic, and unknowingly it gets hacked.
You feel like almost lose everything on your site; no way hackers will give your site back to you.
As a cloud security auditor, especially WordPress, You don’t have to worry about finding out precisely I will helo you to verify how your site was hacked with some easy tips and tricks in your site’s logs.
How to verify Your Site is Hacked or not?
Normally, WordPress users get panic when websites get hacked, especially when their website is not responding or numbers of spam comments.
Some people hire WordPress specialists in a higher budget of around $500+, thinking that they need help recovering their site. However, some of the users struggle to figure out technical problems or if it has been hacked.
But, it doesn’t have to be difficult to determine if the site has been hacked. There are some common signs of a hacked site, such as:
- Unknown and unnecessary pop-ups appearing that were not added
- Websites URLs are automatically redirected to other spammy websites.
- The website freezes continuously for a couple of minutes or seconds.
- Displaying unwanted and unknown message or text on your header or footer
- Auto-linking of keywords to other external websites
- You received an email from your hosting provider that you are doing something malicious.
In the event you detect any of the indicators above, you need to make sure to secure your WordPress site right away.
1. Check Core WordPress File Integrity
You can use tools that scan your site remotely to find malicious payloads and malware. There are different free WordPress plugin that you can find in the official WordPress repository Like Wordfence, Sucuri, etc.
Most of the WordPress core files should never be modified. You need to check for integrity issues in the wp-admin, wp-includes, and root folders.
a. Sucuri Scanner
You can use tools that scan your site remotely to find malicious payloads and malware. Sucuri has a free WordPress plugin that you can find in the official WordPress repository.
How to scan WordPress for malware with Sucuri,
- Visit the <ahref=”https://sitecheck.sucuri.net/” target=”_blank”>SiteCheck website.
- Enter your WordPress URL
- Click Scan Website
- If the site is infected, review the warning message.
- Note any payloads and locations (if available).
- Note any blacklist warnings.
If the remote scanner isn’t able to find a payload, continue with other tests in this section. You can also manually review the iFrames / Links / Scripts tab of the Malware Scan to look for unfamiliar or suspicious elements.
If you have multiple WordPress sites on the same server, we recommend scanning them all (you can also use SiteCheck to do this). Cross-site contamination is one of the leading causes of reinfections. We encourage every website owner to isolate their hosting and web accounts.[Source Sucuri]
A remote scanner will browse the site to identify potential security issues on your WordPress site. Some issues may not show up in a browser. Instead, they manifest on the server (i.e., backdoors, phishing, and server-based scripts). The most comprehensive approach to scanning includes remote and server-side scanners. Learn more about how remote scanners work.
b. Wordfence Plugin
When we think about Wordfence and how it improves your WordPress security posture, there are two core features we tend to focus on: the firewall and the security scanner.
As the first layer of defense, the Wordfence firewall gets the most attention because it blocks hackers from gaining access. But, the scanner plays an equally important role, alerting you to the myriad of security findings that help you keep your site secure and respond quickly if you get hacked.
The Wordfence security scan performs a variety of functions, but perhaps the most important is malware detection. Wordfence scan checks your site to ensure you have not been infected with malware.
Steps to Install WordFence Plugin
The beginner’s guide to Yoast SEO
1️⃣ Log in to your WordPress website.
When you logged in successfully, you will be in your ‘Dashboard.’
2️⃣ Click on ‘Plugins.’
On the left-hand side, you will see a menu. In that menu, click on ‘Plugins.’
3️⃣ Search for ‘Wordfence’
Click on ‘Add New’ near the top of the screen. Type ‘Wordfence’ in the search bar.
4️⃣ Install the plugin
Searching will give you a page of search results. Our plugin should be visible now. Click the ‘Install Now’ link to start installing our plugin.
5️⃣ Activate the plugin
Once the installation has finished, click the ‘Activate’ button. It has appeared where the ‘Install Now’ button was previously located.
Configure the Basic Steps of the plugin.
6️⃣ Start Scanning
c. Manual Check via Command Line
New or recently modified files may be part of the hack.
Most core WordPress files should never be modified. You need to check for integrity issues in the wp-admin, wp-includes, and root folders.
The quickest way to confirm the integrity of your WordPress core files is by using the diff command in the terminal. If you are not comfortable using the command line, you can manually check your files via SFTP.
You can check and identify recently modified hacked files with the following steps.
How to manually check recently modified files in WordPress:
- Log into your server using an FTP client or SSH terminal.
- If using SSH, you can list all files modified in the last 15 days using this command:
$ find ./ -type f -mtime -15
- If using SFTP, review by the last modified date column for all files on the server. Note any files that have been recently modified.
How to check recently modified files using terminal commands on Linux:
- Type in your terminal:
$ find /etc -type f -printf ‘%TY-%Tm-%Td %TT %p\n’ | sort -r .
- If you want to see directory files, type in your terminal:
$ find /etc -printf ‘%TY-%Tm-%Td %TT %p\n’ | sort -r .
if you find any unfamiliar modification in the last 7 – 30 days, then it’s suspicious, else your core files are clean. Even if you believe that your websites get hacked, don’t panic, make sure your site was compromised first.