Help! My WordPress site has been compromised, what should I do?
Knowledgebase Article
Remember - it's not personal. If your site has been compromised, in the vast majority of cases it is not your specific site or business that is being targeted. Spammers and hackers run highly automated systems that probe sites across the Internet for known vulnerabilities, compromise whichever sites they find to be vulnerable, and then use them for a malicious purpose such as sending spam or hosting phishing pages.
However, if your site has been compromised, in almost every case it means that insecure software (typically an outdated WordPress core, plugin or theme) was installed in your account. We suggest that you read the following article, which explains why vulnerabilities exist, what we already do to protect you, and what you need to do to keep your site secure so that it is not hacked in the first place.
If your site has been found to be compromised, for instance by sending spam messages or hosting phishing content, there is a simple solution and a hard solution.
The simple solution: if you have a backup of your site that pre-dates the compromise, restore from that backup point. One issue here is that malware is often injected into a site well in advance of it actually being triggered for a malicious purpose, so a backup can look clean while already containing the attacker's files. If you do restore from your own backup then we recommend that you carefully inspect that backup to ensure that any files we identified as malware in our report to you do not exist in it. Restoring also does not close the hole the attacker came in through, so after restoring you must still update WordPress, plugins and themes and change your passwords, as described later in this article. We would strongly recommend our CodeGuard Backup solution to you. CodeGuard takes a daily backup of your site and database and sends you an email whenever any files are added, removed or modified. As standard, CodeGuard keeps 90 days' worth of backups, so you typically have many restore points and will be able to see the exact point at which your code changed, which tells you when your site was compromised. In one click, you can then restore your site to the point before the compromise occurred.
The hard solution: if you don't have a clean backup, fixing a compromised site is not straightforward and will take time. If your site has been compromised, we cannot recommend CodeGuard enough going forward - as outlined above, it makes restoring entirely hassle free. The rest of this article explains step by step what you need to do. If you didn't originally set up your web site, and had your web developer do this for you, then you may wish to provide them with this article so that they are clear on the process to completely clean your web site, as it is more involved than simply ensuring WordPress and plugins are up to date.
If you don't have a developer, and want us to clean your site for you, we can do so, but this is a chargeable service. The entire process can take between 1-3 hours to complete. If you'd like us to clean your WordPress site for you, please let us know and we can provide you with a quotation for doing so.
If you're going to be doing this yourself, the steps are as follows:
If you don't have CodeGuard, or another suitable 100% clean backup, then you would need to ensure that all of your site code is clean. Before we do anything further, it is important that you take a backup of everything you currently have installed. Even a hacked copy of your site probably contains useful information. You don't want to lose this data if something goes wrong with your repair. As a worst case scenario, you can then always restore your account in a hacked state and start over again. To take a backup, if you have now purchased CodeGuard, configure it and run a full backup of your site as it is, including the database. We can help you get this configured if you need. If you do not purchase CodeGuard (and we'd really recommend it!) then you can take a backup from cPanel using cPanel's backup wizard. Download this to your computer and keep it safe - if anything goes wrong in the following steps, you now have a copy of your site data.
Images themselves are (usually) not modified in a compromise, and the ones you uploaded yourself will generally be linked in posts and pages in your WordPress install. However, /wp-content/uploads is writable by the web server, which makes it a favourite place for attackers to drop PHP files, sometimes with an image extension such as .jpg or with PHP appended to the end of a genuine image. Grab a copy of the uploaded files in /wp-content/uploads from the backup that you downloaded, as we'll need to upload those again once WordPress has been cleaned, but only re-upload files you recognise as your own images and documents, and check that none of them contain PHP code. Take a copy of your wp-config.php file as well, which contains your database connection details. Treat this copy with suspicion too: attackers sometimes append code to wp-config.php, so compare it against the wp-config-sample.php shipped with a fresh WordPress download and keep only the define() lines you expect to see.
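To make the "check that none of them contain PHP" step concrete, here is an added example (not part of the original article, and not a Kualo tool) that triages a local copy of the uploads folder before you re-upload it. It assumes you have extracted the backup's wp-content/uploads to a directory on your own computer. Each file must pass three checks: its extension is on an allow-list, its leading bytes match what the extension claims (so a web shell saved as photo.jpg is caught), and it contains no PHP open tag or common loader string (so PHP appended after real image data is caught). The allow-list, magic bytes and sample files below are constructed for the example.

```python
"""Triage a copy of wp-content/uploads before re-uploading it.

Added example, not part of the original article. Run it against the
directory you extracted from the backup; every path it reports should be
reviewed by a human and, unless you can explain it, left out of the
re-upload.
"""
import os
import tempfile

# Extension -> acceptable leading bytes (constructed allow-list; extend as needed).
MAGIC = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".pdf": [b"%PDF-"],
    ".webp": [b"RIFF"],
}
# Strings that have no business inside an image or document.
PHP_MARKERS = [b"<?php", b"<?=", b"base64_decode(", b"eval("]


def inspect_file(path):
    """Return None if the file looks clean, otherwise a short reason string."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return "extension not on allow-list"
    with open(path, "rb") as fh:
        data = fh.read()
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return "magic bytes do not match extension"
    for marker in PHP_MARKERS:
        if marker in data:
            return "contains %s" % marker.decode()
    return None


def scan_uploads(root):
    """Walk root and return {relative_path: reason} for every suspicious file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reason = inspect_file(full)
            if reason:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = reason
    return findings


def build_sample(root):
    """Write a constructed sample tree: two clean files and three planted ones."""
    os.makedirs(os.path.join(root, "2019", "06"), exist_ok=True)
    samples = {
        "2019/06/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "2019/06/brochure.pdf": b"%PDF-1.4 sample document",
        # a PHP web shell saved with an image extension
        "2019/06/photo.jpg": b"<?php system($_GET['c']); ?>",
        # a genuine JPEG header with PHP appended after the image data
        "2019/06/banner.jpeg": b"\xff\xd8\xff\xe0" + b"\x00" * 16
        + b"<?php eval(base64_decode('x')); ?>",
        # a stray PHP file dropped into the uploads tree
        "2019/06/wp-cache.php": b"<?php echo 'hi'; ?>",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(content)


def demo():
    """Build the sample tree in a temporary directory and return sorted findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        findings = scan_uploads(root)
    return sorted(findings.items())


if __name__ == "__main__":
    import sys
    # With a path argument, scan that directory; otherwise scan the built-in sample.
    results = sorted(scan_uploads(sys.argv[1]).items()) if len(sys.argv) > 1 else demo()
    for path, reason in results:
        print("%s -> %s" % (path, reason))
```

Run it as `python triage_uploads.py /path/to/extracted/uploads`. The checks are deliberately simple and will produce some false positives (a PDF that legitimately contains the word eval, for example); the point is to produce a short list for you to look at rather than to re-upload thousands of files blind.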
Updating plugins and themes via the WordPress admin is a great way to keep your site secure on an ongoing basis. But when your site has been hacked, this is not going to be enough. Updating only replaces files that are new or that have changed since the version you currently have installed, and it doesn't delete obsolete files. Furthermore, hackers often inject new files into your account which weren't originally part of the plugin or theme you had installed. Simply updating will leave these files intact and your site will still be compromised.
So what we need to do is to take a known clean copy of WordPress and your theme by downloading the original files and fully replacing what is in your account with these files.
To do this, you would need to download the WordPress core from WordPress.org and upload it to your hosting space again. You can download the latest WordPress version from here. As for your theme, if it was a free theme that you sourced from WordPress's web site, you may be able to find it here. If it was a paid theme, you will need to return to the developer's web site where you originally purchased the theme and download a fresh copy from them. Do the same for every plugin you use: download a fresh copy from WordPress.org or the plugin vendor, and do not reuse any zip files or folders taken from the hacked account.
Now that you have ensured you have a backup of your (hacked) site, that you've made a copy of your images from that backup, and that you have downloaded a fresh copy of WordPress and your plugins and theme, it's time to completely remove every single file and folder in your WordPress install folder. This is the ONLY surefire way to completely remove any infected files or folders. As discussed earlier, it is not uncommon for hackers and spammers to inject multiple files whose filenames make them 'appear' to be regular files that are part of a theme or plugin. Identifying all of these files would in most cases take far longer than completely starting from a known 100% clean state. To do this, we recommend logging into cPanel's File Manager and selecting every file and folder in the installation location. You can do this by FTP, but it will be slower.
If your site was installed in public_html (i.e. if your site operated on the cPanel account's main domain name), then in the File Manager you would select every single file and folder in that directory. If it exists, de-select "cgi-bin" as this is a system folder. If you have a MultiSite account with Kualo and have additional domains hosted within it, deselect any additional domain root folders that you have (these will usually be named "www.yourdomain.com"). You don't want to inadvertently remove any additional sites that you had installed in your account.
Once selected, delete all of these files and folders. Open up the cgi-bin folder if it exists, and make sure that anything in there is something YOU put in there. In a standard hosting account, this will be empty - if there is something there, and you know you didn't put it there, delete those files (you have a backup anyway in case you forgot that you put something in there from ages ago). If you do have a MultiSite account with addon domains, then unfortunately it is still possible that those addon domains are compromised as well. You'll need to repeat this process again for any addon domains that have WordPress installed, or run a similar process for any other applications or web sites installed in those folders to ensure that there is no malware within.
When a site is compromised, hackers may have been able to read your database username and password from wp-config.php. This means that it is vital to change your MySQL database password in cPanel, otherwise your hacker may make a return visit. While you are in cPanel, it is also worth changing your cPanel and FTP passwords, since the same malware may have exposed them. To change the database password, log into cPanel and click on the MySQL Databases icon. Scroll to the bottom of this page where you will see a table with the title "Current Users". If you had multiple WordPress installs, or if you had installed other applications, there may be multiple users here. If that's the case for you, then you'll need to identify which user your WordPress installation was connecting with before. To do this, open up the copy of the wp-config.php file you had previously downloaded and scroll to the line which says:
/** MySQL database username */
Just below this, you will see a variable containing your MySQL username.
It will look something like this:
define('DB_USER', 'yourcpanelusername_wp686');
In this case, your username would be: yourcpanelusername_wp686
Go back to cPanel and locate that username in the list. Click 'Set Password'. On the next screen, use the "Password Generator" link to generate a highly secure password and take a copy of it. Don't worry - this password is not used to log into your WordPress admin area and you won't need to remember it; it is simply what connects your WordPress install to the database.
Click "Change Password" and your database user password will be changed.
Open up the copy of wp-config.php that you downloaded earlier. Locate the line below:
/** MySQL database password */
Paste the new password between the quote marks on the line beneath that, replacing the password that was in there before. The file now contains the new credentials that allow WordPress to connect to your database. Note that the value sits inside a PHP single-quoted string, so if the generated password contains a single quote or a backslash, put a backslash in front of that character.
We would additionally recommend that you change the authentication keys and salts. These are located below the line:
 * Authentication Unique Keys and Salts.
For each of the eight define() lines, replace the random string between the quote marks with a new long random string. The easiest way to get a fresh set is WordPress's own generator at https://api.wordpress.org/secret-key/1.1/salt/ which outputs all eight lines ready to paste in. Changing the keys and salts invalidates every existing WordPress login cookie, so anyone who is currently logged in, including an attacker holding a stolen session cookie, is forced to log in again.
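The two wp-config.php edits above (the new database password, then the eight keys and salts) are easy to get slightly wrong by hand, for instance by leaving an unescaped quote in the password or by only changing some of the salts. The following added example, which is not part of the original article or of WordPress itself, does both edits on a copy of wp-config.php. It takes the password you generated in cPanel as an argument, escapes it correctly for the PHP single-quoted string, and replaces all eight keys and salts with fresh random values generated locally (so it does not depend on the api.wordpress.org service). The sample wp-config.php content and the example password are constructed for the demonstration; the real file stays on your computer and you upload the result in the next step.

```python
"""Rotate DB_PASSWORD and the eight authentication keys/salts in wp-config.php.

Added example, not part of the original article. Usage:
    python rotate_wp_config.py /path/to/wp-config.php 'new-db-password'
A backup of the original is written alongside as wp-config.php.bak.
"""
import re
import secrets
import shutil
import sys

SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)


def php_single_quote(value):
    """Escape a string for use inside a PHP single-quoted literal (only \\ and ' are special)."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def set_define(text, name, value):
    """Replace the value of define('NAME', '...') and return the new text.

    Raises if the constant is not present exactly once, so a typo in the
    name cannot silently leave the old secret in place.
    """
    pattern = re.compile(
        r"define\(\s*(['\"])%s\1\s*,\s*(['\"]).*?\2\s*\)" % re.escape(name),
        re.DOTALL,
    )
    replacement = "define('%s', '%s')" % (name, php_single_quote(value))
    # A function is used as the replacement so backslashes in the value are not
    # interpreted as regex escapes.
    new_text, count = pattern.subn(lambda _m: replacement, text)
    if count != 1:
        raise ValueError("expected exactly one define() for %s, found %d" % (name, count))
    return new_text


def read_define(text, name):
    """Read back the (unescaped) value of a single-quoted define(); None if absent."""
    m = re.search(
        r"define\(\s*(['\"])%s\1\s*,\s*'((?:\\.|[^'\\])*)'\s*\)" % re.escape(name), text
    )
    if not m:
        return None
    return re.sub(r"\\(['\\])", r"\1", m.group(2))


def rotate_wp_config(text, new_db_password):
    """Set the new database password and regenerate all eight keys and salts."""
    text = set_define(text, "DB_PASSWORD", new_db_password)
    for key in SALT_KEYS:
        # 48 random bytes -> 64 URL-safe characters; never contains ' or \ so no escaping needed.
        text = set_define(text, key, secrets.token_urlsafe(48))
    return text


# Constructed sample resembling the relevant part of a real wp-config.php.
SAMPLE_WP_CONFIG = """<?php
/** MySQL database username */
define('DB_USER', 'yourcpanelusername_wp686');

/** MySQL database password */
define('DB_PASSWORD', 'oldpassword');

/**#@+
 * Authentication Unique Keys and Salts.
 */
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
"""


def demo():
    """Rotate the sample config with a password that needs escaping; return the new text."""
    new_password = "N3w!p@ss'word\\x"  # constructed: contains a quote and a backslash
    return rotate_wp_config(SAMPLE_WP_CONFIG, new_password)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        path, password = sys.argv[1], sys.argv[2]
        shutil.copyfile(path, path + ".bak")
        with open(path, encoding="utf-8") as fh:
            original = fh.read()
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(rotate_wp_config(original, password))
        print("updated %s (backup in %s.bak)" % (path, path))
    else:
        print(demo())
```

Because every key is regenerated, every existing WordPress session cookie becomes invalid as soon as this file is uploaded, which is exactly what you want after a compromise.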
Now that everything has been removed, and your database password changed, it's time to upload the clean WordPress core and a clean copy of your theme. Start by uploading the WordPress core files. Once uploaded, upload the wp-config.php file that you just updated with the new database password and new unique keys. Then upload your theme and plugins in accordance with the guidelines of their developers. Note that uploading WordPress and a clean copy of your theme doesn't mean that you'll lose your pages and site configuration. All of your WordPress pages, posts and settings are stored in the database, so these will still be there. Similarly, in the vast majority of themes, all of the theme customisations are stored in the database. There are only a few cases where themes store configuration options in files, and those are badly written themes. So your site will in almost all cases look exactly like it did before and contain all the same content. If for any reason it doesn't, it is probably time to replace the theme you are using anyway; it is quite likely that such a theme was the root cause of your hack.
Re-upload the images and uploaded content that you copied (and checked) earlier back into /wp-content/uploads. This will ensure that any images and files that you had linked in any pages and posts are available again.
Next, run the WordPress database upgrade script. This will usually be located at www.yourdomain.com/wp-admin/upgrade.php. It makes any necessary changes to your database structure to support the latest version of WordPress.
Log into the WordPress admin area and change your own administrator password, then review the Users list: delete any administrator accounts you don't recognise, as attackers commonly create their own. If you have more than one legitimate admin user, i.e. a user with full administrator privileges, and they can't also immediately change their password, set them to a role without administrator access until such time as they can log in and change their own password. You can then set them back to administrator level after their passwords have been changed.
Install the Wordfence plugin - this is a firewall plugin for WordPress that will greatly enhance the security of your WordPress install. Once installed, one important final step is to go to the Wordfence options in the side menu and configure it according to this article. This is very important to ensure that Wordfence is configured to properly protect your site and also run optimally (so your site isn't slow).
CloudFlare is a company we have partnered with to add additional security benefits to your site. It will help keep malicious users at bay, as well as add speed enhancements to your web site. CloudFlare can be enabled in cPanel in a single click and is highly recommended. This blog post will let you know how.
Your site is only as secure as you keep it going forward. We do everything possible to try and ensure that you are protected. We run a firewall on our servers to mitigate potential attacks, partner with CloudFlare to provide a free defence shield against bad visitors, run Patchman to notify you of outdated WordPress installs and known vulnerabilities and to attempt to patch vulnerable files that we find in your account, and provide a solution to auto-update your WordPress core, themes and plugins. But we can only do so much - the ultimate responsibility for keeping WordPress and any other software installed in your account secure lies with you, or with your web design agency if you are paying them to maintain your site. The important thing going forward is to keep it from being hacked again. For WordPress, this comes down to actively ensuring that you keep plugins, themes and WordPress itself on the latest secure releases, and removing any plugins and themes you no longer use. Generally this takes a matter of minutes every now and again, and is much, much less time consuming than the process you have just followed to clean it.
If you have a MultiSite account with any other addon domains, or if you have any other applications installed in your account, it is equally possible that these sites or applications are also compromised. You should additionally therefore ensure that any other WordPress installations and applications installed in your account are equally cleaned and that you keep on top of updates on these applications so that they remain secure.