How To Recover Hacked WordPress Website?

In this step-by-step guide we discuss why WordPress sites get hacked, ten tips to secure your WordPress website, how to recover a hacked WordPress website, and some free plugins that help keep it secure.


Do you want to know how to recover a hacked WordPress website? WordPress is the most popular and powerful content management system for building websites, and that popularity is exactly why it is so heavily targeted: attackers looking to "take over" pieces of your site for their own benefit get the best return from the platform with the most installs.

Many people want to know how to recover a hacked WordPress website, and this article will help you make your WordPress sites more secure and safe.

Also read: How To Make Your Website Secure: 10 WordPress Security Tips

WordPress core itself is well maintained, and security releases are installed automatically on most sites whenever a serious vulnerability is found, but even the best-maintained website on the Internet can still be compromised through a weak password, an outdated plugin or another site on the same server.

Jetpack, one of the most widely used plugins, offers a number of security features for WordPress sites.

If you run WordPress, a few basic security settings protect you against most commonly known threats: a non-default username and a strong password, the latest WordPress version, themes and plugins from trusted developers, regular backups, and a security plugin.

WordPress now powers almost 25% of websites, and attackers probe thousands of WordPress sites every day. Many of those attacks succeed because site owners suffer from the "it won't happen to me" or "I will do it later" syndrome: they do not expect it, and then suddenly their website is hacked.

Why WordPress websites get hacked

The reasons differ and no two cases are the same, but there are some common mistakes. Avoid them and your website will be considerably harder to compromise. Here is a list of the most common reasons a site is hacked.

Outdated WordPress version

This one is a big problem: W3Techs found that over 15.8% of WordPress sites are not up to date (running version 3 or older), meaning recent security patches do nothing for them and their sites are open to attack.

In many cases people get hacked simply because a site, whether on a VPS or on shared hosting, was not updated regularly.

An outdated install is dangerous even if it is only a test site. Delete abandoned or test installs, or update them to the latest version; otherwise a compromised site can be used as a foothold to attack your other sites on the same server. On shared hosting the sites under one account typically run as the same system user, so a web shell in one site can read and write the files of every other site.

Outdated or malicious plugins and themes

Keep in mind that attackers target widely installed plugins and themes with known security vulnerabilities. In most cases your WordPress website is not targeted specifically; it is hacked by an automated scan that finds a vulnerable plugin or theme installed on it.

The most common entry point has been vulnerable plugins and custom scripts, not WordPress core.

Weak usernames and passwords

Never keep the default username admin, and never use a weak password. Brute-force attacks against the WordPress login page (and the XML-RPC endpoint) succeed because people use passwords like '123456' with usernames like 'admin'.

Local environment (laptops or desktops)

Start with your own computer. In many cases the infection begins on the local machine: password-stealing malware on the PC you use for FTP and wp-admin hands the attacker your credentials. Run a full anti-virus and anti-malware scan on every computer that has been used to administer the site.

10 Tips: How to make your website secure

  1. Make sure your local environment is safe
  2. Host your site with a trusted hosting provider
  3. Always run the latest WordPress version
  4. Always update plugins and themes
  5. Download themes and plugins only from trusted developers
  6. Install a security plugin: it helps you detect an exploit quickly
  7. Limit login attempts to slow down brute-force attacks
  8. Install a backup plugin (and keep copies off the server)
  9. Use strong, unique passwords for WordPress, the hosting control panel, FTP/SFTP and the database
  10. Never use "admin" as the WordPress username

How to recover a hacked WordPress website

Here are the steps to recover a hacked WordPress website.

Scan your local machine: Don't panic; stay calm, because a clear, focused mind is the key to responding efficiently to any security breach. Then run a full anti-virus/malware scan on your local machine, since credentials stolen from an infected PC are a common cause.

Change all passwords: This is a must. Change the passwords for the server control panel, the hosting account, SSH, FTP/SFTP, the database user (and update wp-config.php to match) and every WordPress user, starting with the administrators.

Investigate: Upon discovering that one of your sites is hacked, take a few minutes to check every other site you own, especially those on the same server. If one site is hacked, it is likely that other sites on the same server are hacked as well.

Backup: If you already have a clean backup of your website, great; it lets you fix the problem quickly. Otherwise take a backup of the site as it is now, database included. Even though it has been hacked, it may contain data you need later, and a copy of the compromised files lets you work out how the attacker got in.

Keep in mind that many hosting providers suspend or even delete a site as soon as they find it has been compromised, especially on shared hosting plans. Contact your hosting provider: they may have detected malware on your site and blocked it to protect other customers on the server, and they can tell you what they found.

Scan your files: If you have a clean backup, use it to restore the site. Otherwise, once you have backed up the entire compromised site, you are ready to scan it.

WordPress security plugins

If you can still log into the WordPress admin panel, install a security plugin and use it to scan all files.

Find and remove the hack: If you cannot access your website, or your host has deleted the files, work from your backup. Go through the WordPress files, make a list of every suspicious file, and delete the ones you have confirmed are malicious. Look for files that do not belong, such as .exe files or PHP files inside wp-content/uploads.

Compare hacked files against known clean backups: Symptoms vary and affect both your website and its visitors. Malicious redirects are often found in .htaccess and in index.php at the root of the site, while other infections target the wp-content/themes directory, typically index.php, header.php, footer.php and functions.php. Comparing each file against the copy in a clean backup (or a fresh download of the same version) shows exactly what was changed.
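The comparison described above, as an added shell example that is not code from the article: it hashes every file in a known-clean backup and in a copy of the compromised site, then lists what was added, removed or modified. It assumes Linux with sha256sum and POSIX find/awk/sort, that both trees have the same layout, and that file names contain no whitespace; the demo site at the bottom is constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the article: compare a copy of the compromised
# site against a known-clean backup by content hash and list every file that
# was added, removed or modified. Work on copies, never on the live document
# root while the attacker may still be writing to it.
# Assumptions: Linux with sha256sum (coreutils) and POSIX find/awk/sort; both
# trees have the same layout (e.g. both are a full document root); file names
# contain no whitespace (sha256sum output is split on blanks below).

# hash_tree DIR: print "sha256  ./relative/path" for every regular file in DIR.
hash_tree() {
    ( cd "$1" && find . -type f -print | sort | while IFS= read -r f; do
        sha256sum "$f"
    done )
}

# compare_trees CLEAN SUSPECT: one line per difference, sorted by path:
#   ADDED ./path      only in SUSPECT (dropped web shell, backdoor, spam page)
#   MODIFIED ./path   same path, different content (injected redirect or hook)
#   REMOVED ./path    only in CLEAN (attacker removed logs or security files)
compare_trees() {
    clean_list=$(mktemp) || return 1
    suspect_list=$(mktemp) || return 1
    hash_tree "$1" > "$clean_list"
    hash_tree "$2" > "$suspect_list"
    awk '
        FILENAME == ARGV[1] { clean[$2] = $1; next }
        {
            if (!($2 in clean))        print "ADDED " $2
            else if (clean[$2] != $1)  print "MODIFIED " $2
            seen[$2] = 1
        }
        END { for (p in clean) if (!(p in seen)) print "REMOVED " p }
    ' "$clean_list" "$suspect_list" | LC_ALL=C sort -k2
    rm -f "$clean_list" "$suspect_list"
}

# Constructed demo: a tiny site in which the attacker appended a redirect to
# .htaccess and dropped a PHP shell into the uploads folder.
demo_compare() {
    root=$(mktemp -d) || return 1
    for d in clean suspect; do
        mkdir -p "$root/$d/wp-content/uploads"
        printf '<?php require "wp-blog-header.php"; ?>\n' > "$root/$d/index.php"
        printf 'RewriteEngine On\n' > "$root/$d/.htaccess"
        printf 'GIF89a\n' > "$root/$d/wp-content/uploads/logo.gif"
    done
    printf 'RewriteRule .* http://example.invalid/ [R=301,L]\n' >> "$root/suspect/.htaccess"
    printf '<?php eval($_POST["c"]); ?>\n' > "$root/suspect/wp-content/uploads/cache.php"
    compare_trees "$root/clean" "$root/suspect"
    rm -rf "$root"
}

demo_compare
```

Run it as `compare_trees /path/to/clean-backup /path/to/suspect-copy`; every MODIFIED line is a file to diff by hand, and every ADDED file under wp-content/uploads or with a .php name in an unexpected place deserves a close look. If no backup exists, a freshly downloaded copy of the same WordPress, plugin and theme versions serves as the clean tree for everything except wp-config.php and uploads.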

Websites that provide free scans for hacked files

Sucuri Site Scan: a free, comprehensive site scan that also tells you whether your site has been blacklisted.

Unmask Parasites: tells you whether your site has been hacked. A good first step in determining whether there is a problem.

Norton Safe Web: lets you quickly find out whether any threats are associated with your site.

Quttera: scans your site for malware.

VirusTotal: scans a URL or IP address for known viruses, trojans, malware and the like, using more than 50 different engines for a more reliable result.

Clean up WordPress

Once you know what the malicious code is and what it does, remove it from your site. If you have a clean backup, restoring it is the easiest route: secure the site first (passwords, hosting access), then restore from the most recent backup taken before the compromise. A backup made after the break-in will restore the backdoor along with your content.

Restoring the database from a known clean backup and re-uploading your backed-up plugin and theme files over FTP or SFTP ensures that those parts are free of malicious code. Where no clean copy exists, replace WordPress core, plugins and themes with fresh downloads of the same versions rather than trusting the files on the server.

  • Change all passwords
  • Restore everything from the most recent clean backup
  • Reinstall WordPress from scratch, or replace the core files (wp-admin, wp-includes and the root PHP files) with the latest version
  • Change your secret keys and salts in wp-config.php (WordPress secret key generator); this invalidates every existing login cookie
  • Re-import the database (check it for injected content first)
  • Reinstall themes and plugins from scratch
  • Install security and backup plugins
  • Scan your website again to make sure it is clean
  • Contact your web host to lift their block
  • Work with Google and your host to get the site removed from their blacklists
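The secret-key step above, as an added shell example that is not code from the article: it rotates the eight WordPress keys and salts in wp-config.php offline, using openssl instead of the online generator. It assumes openssl is installed and that wp-config.php uses the stock define('AUTH_KEY', '...'); form with one constant per line; the wp-config.php fragment in the demo is constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the article: rotate the eight WordPress secret
# keys and salts in wp-config.php offline with openssl instead of pasting
# values from the online generator. New salts invalidate every existing login
# cookie, which throws out any session the attacker still holds.
# Assumptions: openssl is installed; wp-config.php uses the stock
# define('AUTH_KEY', '...'); form on one line per constant.

WP_SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# new_secret: 48 random bytes as base64 (64 characters), minus the newline and
# the '/' character, which would terminate the sed pattern below. The remaining
# alphabet (A-Z a-z 0-9 + =) is safe inside a single-quoted PHP string.
new_secret() {
    openssl rand -base64 48 | tr -d '\n/'
}

# rotate_wp_salts CONFIG: replace the value of each salt define in CONFIG.
# A copy of the original is kept as CONFIG.bak so the change can be reverted.
rotate_wp_salts() {
    cfg=$1
    cp "$cfg" "$cfg.bak" || return 1
    for name in $WP_SALT_NAMES; do
        secret=$(new_secret) || return 1
        [ -n "$secret" ] || return 1
        sed "s/define( *'$name', *'[^']*' *)/define('$name', '$secret')/" "$cfg" > "$cfg.tmp" \
            && mv "$cfg.tmp" "$cfg" || return 1
    done
}

# salt_values CONFIG: print the current value of each salt, one per line, so
# the result can be checked (every line should be a fresh 60+ character string).
salt_values() {
    for name in $WP_SALT_NAMES; do
        sed -n "s/^define( *'$name', *'\([^']*\)' *).*/\1/p" "$1"
    done
}

# Constructed demo: a wp-config.php fragment still carrying the placeholder
# values that ship in wp-config-sample.php, plus one unrelated define.
demo_rotate() {
    cfg=$(mktemp) || return 1
    for name in $WP_SALT_NAMES; do
        printf "define('%s', 'put your unique phrase here');\n" "$name" >> "$cfg"
    done
    printf "define('DB_NAME', 'wordpress');\n" >> "$cfg"
    rotate_wp_salts "$cfg" || return 1
    cat "$cfg"
    rm -f "$cfg" "$cfg.bak"
}

demo_rotate
```

Run `rotate_wp_salts /path/to/wp-config.php` after the passwords have been changed, and check the result with `salt_values`. If WP-CLI is available on the server, `wp config shuffle-salts` does the same job; either way, do it after cleaning the files, because a backdoor that can read wp-config.php simply reads the new values.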

Resources

I hope you now know how to make your website more secure and how to recover a hacked WordPress site. Here are 2 good resources.


One response on “How To Recover Hacked WordPress Website?”

  1. Luca

    I want to share with you some useful techniques to fight compromised PHP web pages:

    1) If your site has been hacked, you have to start by verifying your .htaccess file. Sometimes attackers handle user requests using mod_rewrite;

    2) In the next step, you can check files modified recently. Using Linux with shell access, you can do that by issuing this command (find files newer than seven days):

    # files modified in the last seven days (POSIX find needs the starting path)
    find . -type f -mtime -7

    3) Another step is searching for common virus patterns like “base64_decode”, “GLOBALS”, “eval”, etc. You can issue this command:

    # grep -E replaces the deprecated egrep; "{} +" batches files into fewer grep runs
    find . -type f -iname "*.php" -exec grep -EHi "base64_decode|GLOBALS|eval" {} +

    This technique may fail sometimes, because most viruses will appear like this string:

    ${"\x47L\x4f\x42\x41LS"}["\x6c\x68\x73l\x61wk"]="c";$kvbemdpsn="c";${"\x47\x4c\x4f\x42\x41\x4cS"}["\x68\x78a\x77\x67\x6d\x6d\x70\x6c\x77o"]="b\x6b\x66";${"GLOB\x41L\x53"}["\x70tx\x75\x76\x74uij\x6d"]="\x76bl";${"\x47\x4c\x4fB\x41\x4c\x53"}["g\x6f\x6fl\x72\x7a"]="\x62\x6b\x66";

    4) I’ve uploaded my own signature database at https://www.wp-security-optimizer.com/malware-database.txt

    5) Search for PHP files stored in folders that must contain only images:

    # parentheses must be escaped for the shell, -path needs wildcards, and -iname needs "*.php"; upload* also covers WordPress's wp-content/uploads
    find . \( -path '*/img/*' -o -path '*/image/*' -o -path '*/upload*/*' \) -type f -iname '*.php'

    6) Search for small files that may contain “single-line malware” like this:

    “”

    # -size -1k only matches empty files (find rounds up to whole 1 KiB blocks), so use bytes; grep -H keeps the file name that "cat" would drop
    find . -type f -iname '*.php' \( -size -1024c -a -size +0c \) -exec grep -EiH 'POST|eval|chr|base64|strto' {} +

    7) If you use WordPress, install a security plugin like “WP Security Optimizer” (https://wp-security-optimizer.com) that can verify corrupted and infected PHP files stored in the “wp-admin” and “wp-includes” folders. This plugin can also block vulnerability scanners like WPScan and various attacks (such as brute force, XML-RPC, and DDoS).

    Hope it’s useful
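The caveat in step 3 of the comment above (a plain grep misses names written with PHP hex escapes, such as "\x47L\x4f\x42\x41LS" for GLOBALS) can be handled by decoding those escapes before matching. The following is an added shell example, not part of the comment or the article; it assumes POSIX sh, awk, grep and find, and the two sample files it scans are constructed for illustration (the obfuscated one reuses the string quoted in the comment).

```shell
#!/bin/sh
# Added example, not part of the comment or the article: grep for GLOBALS or
# eval misses code that spells those names with PHP hex escapes, as in the
# sample quoted above ("\x47L\x4f\x42\x41LS" is "GLOBALS"). Decoding \xHH
# sequences before matching turns that obfuscation back into searchable text.
# Assumptions: POSIX sh, awk, grep and find; run it over a copy of the site.
# Octal escapes (\101) and chr()-concatenation are not decoded here.

# decode_hex_escapes: read stdin, replace every \xHH (ASCII range) with the
# character it denotes; escapes for 0x00 and bytes above 0x7f are left as-is.
decode_hex_escapes() {
    awk '
        BEGIN {
            for (i = 1; i < 128; i++) chr[sprintf("%02x", i)] = sprintf("%c", i)
        }
        {
            line = $0; out = ""
            while (match(line, /\\x[0-9a-fA-F][0-9a-fA-F]/)) {
                key = tolower(substr(line, RSTART + 2, 2))
                rep = (key in chr) ? chr[key] : substr(line, RSTART, RLENGTH)
                out = out substr(line, 1, RSTART - 1) rep
                line = substr(line, RSTART + RLENGTH)
            }
            print out line
        }'
}

# scan_php_file FILE: decode, then report lines containing the usual suspects,
# prefixed with the file name and the line number.
scan_php_file() {
    decode_hex_escapes < "$1" \
        | grep -Ein 'GLOBALS|eval *\(|base64_decode|gzinflate|str_rot13|assert *\(' \
        | awk -v f="$1" '{ print f ":" $0 }'
}

# scan_tree DIR: run scan_php_file over every .php file below DIR.
scan_tree() {
    find "$1" -type f -iname '*.php' -print | sort | while IFS= read -r f; do
        scan_php_file "$f"
    done
}

# Constructed demo: the hex-escaped sample from the comment above plus an
# innocent theme file. A raw grep finds "GLOBALS" in neither; the decoded
# scan reports only obf.php.
demo_scan() {
    root=$(mktemp -d) || return 1
    cat > "$root/obf.php" <<'EOF'
<?php ${"\x47L\x4f\x42\x41LS"}["\x6c\x68\x73l\x61wk"]="c";$kvbemdpsn="c";${"GLOB\x41L\x53"}["\x70tx\x75\x76\x74uij\x6d"]="\x76bl";
EOF
    printf '<?php get_header(); ?>\n' > "$root/header.php"
    scan_tree "$root"
    rm -rf "$root"
}

demo_scan
```

Run `scan_tree /path/to/site-copy` and review every reported line; legitimate plugins do use base64_decode and even eval, so the output is a list of files to read, not a list of files to delete. The decoded line for the sample above reads ${"GLOBALS"}["lhslawk"]="c"; ..., which is the variable-variable trick the original obfuscation was hiding.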
