WordPress Hacked? What to Do? The Most Important Steps


“Your WordPress site has been blocked – please identify and remove the injected malicious code immediately.” These or similar email notifications usually cause a shock to those affected, because from one moment to the next, the affected WordPress site can no longer be accessed. In addition to the question “How could this happen?”, the much more pressing question usually arises: what do I have to do now? In this article I have compiled the most important instructions for action.

Step 1. Lock WordPress site

Why should a hacked WordPress site be blocked?

A hacked WordPress site can quickly become a serious danger – for yourself and for third parties – because your system could be abused for spam or phishing attacks, for example, or infected with malware. Typical entry points are security gaps in the software, insecure or hacked passwords, or malware embedded in or attached to e-mail messages. As the domain owner of the hacked system, you will be liable for any further damages.

Why hosting providers block applications and/or directories

Hosting providers therefore check their managed hosting products (also called shared hosting environments) for suspicious scripts that suggest a malware infection. If malicious code is discovered on your system or your system is misused to send spam, the directory in question or the hacked or malware-infected application can be blocked.

Moreover, independent institutes also continuously check the Internet and report malware-infected websites to the responsible hosting provider (complaint emails), who in turn has to inform their customers or, in case of acute danger, immediately block the system in question.

How do I block my WordPress site myself?

If you have become aware of the attack yourself or if your provider has alerted you about malicious code on your WordPress site or dangerous security vulnerabilities, you should take immediate action and take your WordPress site offline.

Directory protection

For example, set up directory protection for the directory on your product where the affected WordPress installation is located.

To do this, log into the customer information system. Create a new user group. Create a user and assign a password.

Alternative to directory protection

As an alternative to directory protection, you can simply rename the index.php file located in the WordPress directory to, for example, secure-index.php or back up the current index.php file externally and overwrite it with a new empty index.php file.

Once you have taken your website offline, you should immediately check the WordPress directory for malicious code. You can do the check directly on your hosting product or you can also download the directory in question and analyze it offline on your PC.

In this case, make absolutely sure that your PC is secured with an up-to-date antivirus program.

Step 2. Create error page

For the duration of the check, we recommend that you create an error page to which you redirect your website visitors. If possible, avoid any reference to the reason for the block, as this could damage your reputation. For example, you should rather write: This website is currently being revised and will be available again shortly. Or something similar.

Step 3. Check WordPress, WordPress theme, data and hosting platform

Now the most important part of the job begins: finding and eliminating malicious code and closing security holes.

Manual malware check

You can perform the check manually. However, this requires some experience and can take a lot of time.

  • Check the modification date of files and directories. However, hackers often try to cover their tracks and may reset the time stamp of manipulated files.
  • Look for suspicious patterns in the files on your hosting product, particularly in your WordPress directory, for example PHP files inside the upload folder.
  • Analyze the log files of your hosting product.
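The three manual checks above can be scripted. The following is an added example, not code from the original article: it assumes the default `wp-content/uploads` layout, an Apache/nginx-style access log, and that it runs on the Linux host itself (the inode change time is lost once files are downloaded). The function names, the seven-day window and the sample log lines are constructed for illustration.

```python
import os
import re
import time

# Assumptions: default layout (wp-content/uploads), Apache/nginx access-log
# format, and a Linux host, where st_ctime is the inode change time.
UPLOADS = "wp-content/uploads/"
PHP_EXT = (".php", ".phtml", ".php5", ".phar")
REQUEST = re.compile(r'"([A-Z]+) (\S+) HTTP/')


def scan_tree(root, since):
    """Return (php_in_uploads, backdated) as relative paths; since = epoch seconds."""
    php_in_uploads, backdated = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            st = os.lstat(path)
            # Uploads should hold media only, so PHP there needs a close look.
            if rel.startswith(UPLOADS) and name.lower().endswith(PHP_EXT):
                php_in_uploads.append(rel)
            # utime/touch can rewrite mtime but not ctime. An inode changed after
            # `since` whose mtime is older hints at a reset time stamp; a chmod
            # or rename looks the same, so treat it as a lead, not as proof.
            if st.st_ctime >= since > st.st_mtime:
                backdated.append(rel)
    return sorted(php_in_uploads), sorted(backdated)


def posts_to_uploaded_php(log_lines):
    """Return targets of POST requests sent to PHP files below the uploads folder."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if m and m.group(1) == "POST":
            path = m.group(2).split("?", 1)[0].lower()
            if "/" + UPLOADS in path and path.endswith(PHP_EXT):
                hits.append(m.group(2))
    return hits


# Constructed sample lines (documentation IP range), not from a real log.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-content/uploads/2024/01/logo.png HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "POST /wp-content/uploads/2024/01/cache.php?x=1 HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    print(scan_tree(".", since=time.time() - 7 * 86400), posts_to_uploaded_php(SAMPLE_LOG))
```

Run it from the WordPress main directory and set `since` to a point shortly before the suspected time of the attack.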

Automatic malware scans

It is much easier if you use antivirus programs or malware scans for the analysis.

Step 4. Change all passwords

If your WordPress site was hacked or malware was found on your system, you should immediately reset all passwords and most importantly – choose strong passwords. Make sure that you do not forget any password.

  • WordPress login
  • Passwords of all user accounts
  • Database password
  • FTP account password
  • Email password
  • etc.

Step 5. Set up a new (secured) FTP connection to your hosting package

For safety’s sake, you should delete previously used FTP accounts if possible and set up a new account for uploading. To prevent future misuse, you can additionally secure your FTP account with FTP-Lock.

Adjust the file permissions of important files and directories so that they can no longer be modified from the outside. This includes for example the WordPress main directory, the wp-admin and wp-content directory as well as the following files: .htaccess, index.php, wp-blog-header.php, wp-config.php etc.
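One way to check the files and directories named above before and after adjusting them (an added example, not part of the original article). It assumes a Unix-like host where write access for "group" and "others" is what lets other accounts modify your files; the function names and the choice of which bits to clear are illustrative assumptions, not a provider requirement.

```python
import os
import stat

# Paths named in the step above, relative to the WordPress main directory.
IMPORTANT = [".", "wp-admin", "wp-content", ".htaccess", "index.php",
             "wp-blog-header.php", "wp-config.php"]


def audit_permissions(wp_root):
    """Return {relative path: [findings]} for the important paths that exist."""
    report = {}
    for rel in IMPORTANT:
        path = os.path.join(wp_root, rel)
        if not os.path.lexists(path):
            continue
        mode = os.lstat(path).st_mode
        findings = []
        if stat.S_ISLNK(mode):
            findings.append("is a symlink")  # review by hand, bits are meaningless
        else:
            if mode & stat.S_IWOTH:
                findings.append("world-writable")
            if mode & stat.S_IWGRP:
                findings.append("group-writable")
            # wp-config.php holds the database password: no access for others.
            if rel == "wp-config.php" and mode & stat.S_IRWXO:
                findings.append("accessible by other users")
        if findings:
            report[rel] = findings
    return report


def tighten(wp_root, report):
    """Clear group/other write bits (and all 'other' bits on wp-config.php)."""
    for rel in report:
        path = os.path.join(wp_root, rel)
        if os.path.islink(path):
            continue
        drop = stat.S_IWGRP | stat.S_IWOTH
        if rel == "wp-config.php":
            drop |= stat.S_IRWXO
        os.chmod(path, stat.S_IMODE(os.lstat(path).st_mode) & ~drop)


if __name__ == "__main__":
    print(audit_permissions("."))
```

Whether the web server still needs group read access to `wp-config.php` depends on how your hosting product runs PHP, so test the site after tightening.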

Step 6. Reinstall WordPress and upload content (if necessary).

If you cannot reliably clean your WordPress directory of malware, you should delete the relevant content on your hosting product, reinstall WordPress including plug-ins and theme, and re-upload the relevant content. With a Host Europe WebHosting and WebServer product, all content is backed up on a daily basis. The retention period is 10 to 14 days. If the hacking attack took place within this time window, you can easily import a backup that was created before the time of the attack.

For security reasons, we therefore recommend that you regularly create backups of your WordPress site yourself and store them on a separate product for a longer period of time.

If you do not have access to a secure backup, you need to set up all content again from scratch, including databases, images, etc., or check your directory again with professional help and trace the attacker’s actions exactly, e.g. using the log files.

A complete cleanup is important because attackers often leave behind backdoor scripts through which they can gain access to your system again.

Step 7. Unlock WordPress

Notify your hosting provider when you have removed the malware from your WordPress site, so that they can unblock your site if necessary. If you have set up directory protection yourself, you can now deactivate it again. Do not forget to also remove the redirect to your error page again.

WordPress hacked? Don’t let it get that far! – Security measures

Basically, we recommend the following security measures for your WordPress installation.

Tip 1. Protect your WordPress site with security settings

  1. Use strong passwords
  2. Change generic usernames
  3. Change the login URL to the administration area of your WordPress site
  4. Set up directory protection for the administration area
  5. Create regular backups for worst case scenarios

Tip 2. Back up your WordPress site regularly

You invest a lot of time and money in building content for your WordPress site, so it’s best to back up that content multiple times. Create backups of your WordPress site yourself and store them for a longer period of time on a separate product.

Even in the worst case, not all data will be lost, because you can always revert to an older version of your site.

You can create backups of your WordPress site via the WordPress dashboard, for example. Use the function Export Data under the menu item Tools.

Tip 3. Keep your WordPress installation up to date and protect yourself from security vulnerabilities

Its enormous popularity makes WordPress a frequent target for hackers who exploit vulnerabilities in the program, plug-ins or themes.

WordPress usually reacts quickly and continuously releases new versions and updates that close security holes and vulnerabilities. Always keep your application up-to-date and apply new updates and security patches. Make sure that the plug-ins and themes you use are always up to date as well.

Tip 4. Check your WordPress site regularly for malware

The sooner you are informed about hacking attacks and malicious code, the sooner you can take action and limit the damage.
