A Server Hack, Downtime and Some Housekeeping – Fixing a Hacked WordPress Site


If you have been a regular visitor to our blog here, you would have noticed that we went offline for a few days. And a couple of days before that, you would have noticed that the page load time was strangely high. You might even have come across some weird characters, texts and banners on the pages.

Well, the last 10 days were extremely eventful for us. We went through some really harrowing days, with me spending hours trying to clean the code. Some of the days were very long for me with barely a few hours of sleep. We did lose some traffic and also some revenue.

And all of this, thanks to some crook out there who just wanted to test his hacking skills on WordPress. And fortunately for me, he picked my website to test this. (If you are wondering about my use of the term “fortunately”, I will explain it to you in a while.)

The result –

  • malicious codes all over my website files and database
  • a website that behaves strangely and takes ages to load
  • days of sleepless work

When we first saw these codes in our website, we straight away got to work and cleaned all the files. Just as we thought everything was fine (we even published a post in between) the codes started re-appearing and this time even worse.

Now after about 10 days, we are finally up and running… better than how we were, with more energy and enthusiasm than before.

Are you a blogger? Is your blog a self hosted WordPress blog?

If yes, then you need to read this post. After last week’s experience, I felt it right to put together this post, which will help a lot of you bloggers out there in ensuring that you do not lose your hard work to some hacker’s mischief.

So before we even get into fixing a hacked WordPress site, I think it is important to speak about how to prevent a hacking attack and how to find out if your site is hacked.

How to Find out if your WordPress Site is hacked

It is important that you keep monitoring your site. But I know it is not humanly possible to monitor a site 24/7 and it is here that we need some of these monitoring tools to see what is going on with your blog.

Pingdom Monitoring Service – Pingdom has a monitoring service that monitors your site's uptime. It will trigger an alert to your mailbox if it finds that your site is down. If you get such an alert, there is every reason for you to suspect an issue, though it might not always be a hacker attack. But whenever you see such an alert, just check your website for anything that looks abnormal.

Wordfence Plugin – Wordfence is an extremely handy plugin that sends alerts when there are file changes, login failures, login attempts etc. This can be your best companion in monitoring your WordPress blogs. It is easy to configure and is available for free.

An alert from Wordfence was the first hint we received that there was a hacking attempt. We got an alert saying that a file had been modified. Since this was one of the core files in WordPress, I grew suspicious and went over to the blog to see what had happened. We were a day late in doing this. We missed the alert because I couldn’t check my emails for 2 days as we were travelling. That was more than enough for the hacker to do his work.

There are some other signs of a hacked WordPress blog as well. You should be able to see these as soon as you log in.

Login Screen – Your login screen, which should look like the screenshot below, will start to look a little weird. I couldn’t capture a screenshot of the login page, else I could have shown it to you. But you should be able to see it straight away, if you are aware of how the login screen normally looks.

[Screenshot: WordPress login screen]

Sidebar Menu Items – Another sign that there is an issue with your blog can be seen in the sidebar menu items. By default, WordPress has a fly open menu: when you hover over any option, a menu opens to the right with the sub menu items. But if there is a problem with the code in the WordPress files, this will not work. Instead, the sub menu opens only when you click on the main menu item.

If you are wondering as to why this happens, then it is because the malicious codes are normally injected into the index files in your WordPress installation. So wherever there is an index.php file, the code will be there.

Another file that is normally attacked is the wp-config.php file.

If you have access to the root folder of your installation, then you can open any index.php file or the wp-config.php file and check the code. You should find something like the below in these files.

[Screenshot: malicious code injected into a WordPress file]

This is the malicious code that gets injected into the files.
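An added example, not part of the original post: rather than opening every index.php by hand, this Python script compares an installation with a freshly downloaded copy of the same WordPress version and lists files that were changed or that WordPress does not ship. The function names and the demo trees are assumptions made for illustration; wp-content and wp-config.php are skipped because a clean download cannot vouch for them.

```python
import hashlib
import os
import tempfile

# Site-specific paths that a clean WordPress download cannot vouch for.
SKIP = ("wp-content", "wp-config.php")

def sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def audit(live_root, clean_root):
    """Return (modified, unknown) relative paths for a live install.

    modified: present in both trees but with different content.
    unknown:  present in the live install only.
    """
    modified, unknown = [], []
    for folder, dirs, files in os.walk(live_root):
        rel_dir = os.path.relpath(folder, live_root)
        if rel_dir == ".":
            dirs[:] = [d for d in dirs if d not in SKIP]
        for name in files:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if rel in SKIP:
                continue
            clean = os.path.join(clean_root, rel)
            if not os.path.isfile(clean):
                unknown.append(rel)
            elif sha256(clean) != sha256(os.path.join(folder, name)):
                modified.append(rel)
    return sorted(modified), sorted(unknown)

def demo():
    """Audit two small constructed trees (not real WordPress files)."""
    live, clean = tempfile.mkdtemp(), tempfile.mkdtemp()
    good = b"<?php\n// Silence is golden.\n"
    bad = b"<?php /* constructed stand-in for injected code */ ?>" + good
    layout = {clean: {"index.php": good, "wp-admin/index.php": good},
              live: {"index.php": bad, "wp-admin/index.php": good,
                     "wp-config.php": good, "extra.php": good}}
    for root, tree in layout.items():
        os.makedirs(os.path.join(root, "wp-admin"))
        for rel, data in tree.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
    return audit(live, clean)

if __name__ == "__main__":
    print(demo())
```

Files reported as unknown are not necessarily malicious; they may belong to folders that are not native to WordPress and need a manual look.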

Fixing a Hacked WordPress Site – Some tips

It is not an easy task fixing a hacked WordPress site. If your database is untouched, then you are lucky because restoring shouldn’t be too much of a pain. But if your database is also attacked, then you will need some professional help to restore your database.

First let us look at how to restore a site when the database is not affected.

Step – 1: The first thing to do is delete the native WordPress files and folders except the wp-config.php file and the wp-content folder. Remember to leave alone any other folders that are not native to the WordPress installation. Once you have done that, just upload all the WordPress files once again.

Remember that this will not need you to re-install the blog. You are just replacing the files.

Step – 2: Proceed to delete any index.php files in the wp-content folder. Don’t worry, these should regenerate themselves.

Step – 3: Now delete any theme files in the themes folder under the wp-content folder and then upload them once again.

Step – 4: The next step is to delete all the plugin files from the plugins folder. Then just reinstall the plugins one by one. Don’t worry, the configurations will be untouched because you haven’t done anything with the database.

Step – 5: The last step involves cleaning the malicious code off your wp-config.php file. Open the file and delete the code that you saw in the above screenshot. The easiest thing is to compare your wp-config file to the sample file that will be there in the same directory.

Just delete anything that you find before the below code –

<?php
/**
* The base configurations of the WordPress.

And that should be it. Your blog should be good to go from here.
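Step 5 as an added example (not the author's code): this Python script finds the stock header quoted above inside a wp-config.php, returns whatever precedes it, and lists the remaining lines that wp-config-sample.php does not contain so they can be reviewed. The function names and the sample file contents are constructed for illustration.

```python
import re

# Opening lines of a stock wp-config.php, as quoted in step 5
# (tolerant of indentation and CRLF line endings).
HEADER = re.compile(
    rb"<\?php\s*/\*\*\s*\*\s*The base configurations of the WordPress\.")
HARMLESS = b"\xef\xbb\xbf \t\r\n"  # UTF-8 byte-order mark and whitespace

def strip_prefix(config):
    """Return (removed, cleaned): whatever precedes the stock header, and
    the file content from the header onwards."""
    match = HEADER.search(config)
    if match is None:
        # Header edited or from another version: do not guess, review by hand.
        raise ValueError("stock wp-config.php header not found")
    return config[:match.start()], config[match.start():]

def is_injected(removed):
    """True when the removed prefix holds more than a BOM or whitespace."""
    return bool(removed.strip(HARMLESS))

def lines_to_review(cleaned, sample):
    """Lines of the cleaned config that wp-config-sample.php does not contain.

    Database settings and secret keys differ legitimately; anything else in
    this list deserves a close look.
    """
    known = {line.strip() for line in sample.splitlines()}
    return [line.strip() for line in cleaned.splitlines()
            if line.strip() and line.strip() not in known]

# Constructed sample data, not taken from a real site.
SAMPLE = (b"<?php\n/**\n * The base configurations of the WordPress.\n */\n"
          b"define('DB_NAME', 'database_name_here');\n"
          b"require_once(ABSPATH . 'wp-settings.php');\n")
INFECTED = (b"<?php /* constructed stand-in for injected code */ ?>"
            + SAMPLE.replace(b"database_name_here", b"blog_db"))

if __name__ == "__main__":
    removed, cleaned = strip_prefix(INFECTED)
    print(is_injected(removed), removed)
    print(lines_to_review(cleaned, SAMPLE))
```

Keep a copy of the original file before writing the cleaned content back, since the removed prefix is evidence of what was injected.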

Now the tricky part is if your database is also affected. The only way to restore your blog is to restore the database to an earlier version; a version before your site was attacked.

But the big question is where you will find a database backup. It is here that you need to be a little proactive, if you are serious about your blog.

You need to ensure that you are backing up your database once every day.

You can do this by installing any plugin that can help you create a backup. Most of these plugins will help you back up your database to Amazon S3 or Dropbox.

You can just do a search in the plugins directory and you will find all the different plugins. Install whichever you feel is good for your blog. Almost all of them are good.

My recommendation:

WP Backup – You can find this plugin in the WordPress repository or you can download it from this link here. This plugin can back up your database to Dropbox and Amazon S3 and it can also do that automatically at your scheduled times.

This plugin was the one I had on my blog here and since I usually maintain a month’s files, I had enough backups to restore my blog to a period when the files were not infected.

You will have to do some housekeeping once you have restored the database because some of your posts from the period that your blog was hacked will no longer be there. You will have to rewrite those and re-upload those images as well.

But once you have done this, you can rest assured that your blog is clean and you are ready to rock.

Managed WordPress Hosting : If you can afford a couple of dollars more, I would recommend that you go for a managed WordPress hosting account. Part of the reason why we were inactive here for the last 10 odd days is because we just migrated to a Managed WordPress Hosting account at Godaddy. The migration took a while because of some issues with the WordPress files. Otherwise it is a one-click migration and it is pretty easy doing it.

I would highly recommend that you go for a Managed WordPress hosting account, primarily because in the rare case that your blog gets hacked (which is unlikely because of the stringent security measures in a managed WordPress hosting), it is easy to restore your blog. You can do it in a few clicks, because in a managed WordPress hosting, there are nightly backups of both the files and database. And most hosting companies keep at least a month’s worth of backups. And restoring is just about selecting the date and clicking the “restore” button.

We recommend 3 managed WordPress hosting services because we use all 3 of them and we know that they are worth it.

  1. Godaddy Managed WordPress Hosting
  2. Bluehost WordPress Hosting
  3. iPage WordPress Essentials

Protecting Your WordPress Blog

We discussed a lot about fixing a hacked WordPress site. But the critical part in all of this is ensuring that you have enough protection for your blog so that it doesn’t get hacked.

There are some simple things that you can do in order to ensure that you are protecting your WordPress blog from hackers.

Keep your WordPress Installation updated

It is important that you keep your WordPress installation updated. Update the plugins, themes and your WordPress files as and when an update is available. These are security updates and hence it is important that you install them.

Delete any unused databases

If you have any unused databases in your hosting account from any of your previous WordPress blogs, then ensure that you delete them. These databases often serve as the entry point for hackers.

Delete any unused WordPress Installation Files

If you had a blog earlier which you are no longer running, then it is advisable that you delete the WordPress files from the hosting server. These files often remain outdated because you are not updating them regularly and can hence serve as the entry point for hackers.

My Recommendation

WP Site Guardian – I use a very handy plugin which prevents a variety of hacking attempts. This is a very handy plugin when it comes to protecting your WordPress blogs. I highly recommend using this plugin. It is a one time investment of a few dollars but can save you days of hard work. You can find more about it here.

Getting hacked can be a serious pain and if it is a WordPress blog on which you spent years working hard, then the frustration can be indescribable. While no security is enough security, you can still protect your blog enough to at least prevent easily getting hacked.

I hope this post provided you some good information on fixing a hacked WordPress site.

Do let me know your thoughts, suggestions and feedback by commenting below. Let me know if you need my help in any way.

This Article Was Written By

Puja

I am a self-proclaimed Champion Cook, who gets the confidence to call myself that way from the love and praises showered upon me by my family consisting of a Cute little Daughter and a husband who loves the Internet more than me (LoL..) and who incidentally happens to be the man behind the technical aspects of my blog. I love working from home and the benefits that come from it and that is what prompted me to start my own Blog at http://thetastesofindia.com where I document all my adventures with cooking. Follow me on my journey..

Leave a Comment

  • Lisa at celebrate creativity March 18, 2016, 3:52 AM

    Wow, Puja. First, I’m sorry you had hacking issues with your site. You’ve included a lot of great information here. Honestly, much of it is over my head but this certainly gives me a list of things to start becoming familiar with.

    I recently switched to self-hosting and it’s a scary world indeed with so many hackers and devious efforts going on all around you.

    Thanks for an interesting and sobering read. Good luck with keeping the hacking beasts at bay.

    • Puja March 18, 2016, 1:37 PM

      I know a lot of those are actually Greek to me as well. Thanks to my husband (Dilip) who takes care of all of these backend activities, I do not have to worry about any of it.

  • David @ Spiced March 19, 2016, 12:21 AM

    Ugh…I’m sorry that you’re going through this, Puja. But I’m bookmarking this one in case I need it in the future. Good to see that you are back up and running again!

    • Puja March 19, 2016, 1:56 AM

      Thanks David!!!

  • kushi March 19, 2016, 9:40 AM

    Good to see that everything is fine now. Thank you for sharing such useful post! Bookmarked!

    • Puja March 19, 2016, 1:52 PM

      Thanks a lot Kushi!!! 🙂

  • Joscelyn | Wifemamafoodie March 20, 2016, 2:37 AM

    So sorry this happened to you, Puja! It’s annoying when people do mean things for no reason. I’m glad that everything is better now though and I appreciate all of these helpful tips that you shared with us too. Hopefully it doesn’t happen again!

    • Puja March 21, 2016, 1:16 AM

      Glad you found this post helpful Joscelyn. 🙂

  • Manali @ CookWithManali March 22, 2016, 4:06 AM

    so sorry all this happened Puja, sounds like a complete mess! I’m glad it’s all behind you now and thanks for these super useful tips!

    • Puja March 22, 2016, 4:24 PM

      Thanks Manali, it is a real pain when something like this happens and I am hoping that these tips will help others from preventing something like this.

  • Anu - My Ginger Garlic Kitchen March 22, 2016, 2:31 PM

    I am sorry to hear about troubled hacking issue. I am glad to know that things are better now. And thank you so much for these useful tips.

    • Puja March 22, 2016, 4:17 PM

      You are right I am really happy that things are better now.
      Thanks Anu for your kind words.

  • marcie March 23, 2016, 10:52 AM

    I’m so sorry that you experienced this, Puja — that’s so upsetting! Thank you for sharing this so that we know what to look for!

    • Puja March 23, 2016, 4:44 PM

      Thanks Marcie!!!

  • Agness March 24, 2016, 3:14 AM

    Good tips! It seems like you are a specialist in WordPress.

    • Puja March 24, 2016, 10:06 PM

      Thank you Agness. 🙂

  • Summer March 24, 2016, 7:20 PM

    Oh no! Sorry to hear that your blog got hacked. Glad you were able to fix it and thanks for all this helpful information ♥

    summerdaisy.net

    • Puja March 24, 2016, 10:03 PM

      Thanks Summer. 🙂

  • Priya March 24, 2016, 9:06 PM

    Good to see you back Puja.. I don’t have a WordPress site but still I am bookmarking this post so that in future if I plan to have WordPress then it will help me or I can help my friends out there…

    • Puja March 24, 2016, 10:03 PM

      Thanks Priya for your kind words!!!

  • padma March 30, 2016, 1:36 AM

    Oh I’m so sorry Puja that you had to undergo all this…I don’t know why people do such mean things!!…Thank you so much for all the useful info..Glad it’s better now and you are back!!

    • Puja March 30, 2016, 2:00 AM

      Thanks Padma, I hope you liked the post and found it helpful to you. 🙂
