So, your site got hacked. It happens to the best of us, and the cause can be anything, from a weak password to a theme or plugin vulnerability. Most of the time, finding the root cause of the problem is hard, and confirming it is harder still; even if you clean up the infected pages, there is a chance that some malicious code is sitting dormant somewhere in your files, waiting to strike again after a few hours, weeks or even months.
So, how do you clean up an infected WordPress site? Sadly, there is no easy way, and you will have to dedicate quite a few hours of work. If you don’t know where to begin, here is a checklist of 10 steps that you can follow:
- Create a fresh WordPress installation.
- Go to the `wp-content/uploads` folder of your infected site and make sure that it only contains subfolders and photos, and no .php or .js files. Then scan it with antivirus software, just in case, and if it comes up clean, copy it to the clean installation that you made in step #1.
- Create a new, blank database with a different username and password from the old one, and import the most recent clean version of your old database (hoping that it’s actually clean).
- On your fresh installation, install one by one all the plugins that you used, on their latest versions. If you think that you don’t need some of them, or have doubts about their quality, don’t install them at all. Even when deactivated, an insecure plugin can pose a security risk.
- Install your theme again, making sure that you have its latest version. If you didn’t use a child theme, then you need to write down any changes that you may have made and add them again, this time using a child theme. If you have unused themes, remove them for the same reason mentioned in step #4.
- Log in to your WordPress admin panel, go to the “Users” section and check whether there are users that shouldn’t be there. If there are, delete them.
- Change the Admin’s password. If the site has more than one user, check whether you can lower the other users’ permissions: they can add content to the site without being Admins (the Editor role should be fine). Then change their passwords as well. It goes without saying that the passwords should be strong.
- Find a good security plugin, install it and use its suggested options. iThemes Security, Shield Security, WordFence and Sucuri Scanner are a few good options. Don’t just blindly install them and tick every option they have, though: read their documentation and maybe find an online tutorial.
- From now on, make sure that you regularly update WordPress core, your plugins and your theme. It would also be a good idea to subscribe to wpvulndb.com in order to receive a daily update about WordPress core, plugin and theme vulnerabilities.
- Backup your site (files and database) regularly in order to be able to restore it if anything bad happens again in the future.
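The uploads check from step #2 can be scripted rather than eyeballed. The following POSIX shell script is an added example, not code from the original post: it flags every file in an uploads tree whose extension is not a photo type, and every photo-named file that actually contains a PHP open tag or a `<script` tag. The photo-extension allowlist and the sample folder tree it builds are assumptions/constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a wp-content/uploads
# folder before copying it to the fresh install (step #2). It reports
#   (a) any file whose extension is not a photo type (.php, .js, .phtml,
#       .htaccess, .svg, ... are all reported), and
#   (b) any photo-named file that contains a PHP open tag or <script,
#       since a webshell can be stored as "image.jpg" and included from elsewhere.
# The photo-extension allowlist is an assumption; adjust it to what the site
# actually serves. Returns 1 when something is found, 0 when clean.
audit_uploads() {
    dir=$1
    report=$(
        find "$dir" -type f \
            ! -iname '*.jpg' ! -iname '*.jpeg' ! -iname '*.png' \
            ! -iname '*.gif' ! -iname '*.webp' \
            | sed 's/^/non-image file: /'
        # -a makes grep scan binary image data, -l prints only the path
        find "$dir" -type f \( -iname '*.jpg' -o -iname '*.jpeg' \
            -o -iname '*.png' -o -iname '*.gif' -o -iname '*.webp' \) \
            -exec grep -la -e '<?php' -e '<script' {} + \
            | sed 's/^/code inside image: /'
    )
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed sample tree standing in for a real uploads folder.
make_sample_uploads() {
    d=$(mktemp -d)
    mkdir -p "$d/2023/05"
    printf '\211PNG\r\n\032\n(pixels)' > "$d/2023/05/photo.png"                 # clean photo
    printf 'GIF89a<?php echo "constructed marker"; ?>' > "$d/2023/05/logo.gif"  # polyglot image
    printf '<?php echo "constructed marker"; ?>' > "$d/2023/05/cache.php"       # dropped .php file
    printf 'Options +ExecCGI' > "$d/.htaccess"                                  # config that does not belong here
    printf '%s' "$d"
}

# Demo on the constructed tree; point audit_uploads at the real folder instead.
sample=$(make_sample_uploads)
audit_uploads "$sample" || echo "uploads folder is NOT clean, do not copy it"
```

Run it against the real folder with `audit_uploads /path/to/wp-content/uploads`; a non-zero exit means there is something to inspect before step #2 continues.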
Keep in mind that the aforementioned steps cannot guarantee success. The malicious code may be hiding in the database or on another site on the same server. By following those steps, though, you can claim that you have done the best you could, and in fact there is a good chance that you have indeed properly cleaned up your infected site.