What to do my site was hacked
Please note that all our Care Plans sites are secured and constantly monitored for security vulnerabilities. If you are not on a Care Plan or in case you need more security options you can check how we can help you here.
Some WordPress themes or plugins are vulnerable because they are popular and used by so many – this makes WordPress a popular target. You need to take steps to secure your theme, your plugins, your file permissions and your databases.
When addressing a security issue, as a website owner, you’re likely experiencing an undue amount of stress. It’s often the most vulnerable you have found yourself since being on line and it’s contrary to what every one told you, “Hey, WordPress is Easy!!”
The good news is that all is not lost! Yes, you might lose some money. Yes, you might take a hit against your brand. Yes, you will recover from this.
So, yes, take a step back and compose yourself. Doing so will allow you to more effectively take control of the situation and allow you to recover your online presence.
The first actionable step you should take post-compromise is documentation. Take a moment to document what you’re experiencing, and if possible times. A couple of things you want to keep in mind:
- What are you seeing that leads you to believe you are hacked?
- What time did you notice this issue? What timezone?
- What actions have you taken recently? Was a new plugin installed? Did you make a change to a theme? Modify a widget?
You are creating the baseline for what is recognized as an incident report. Whether you are planning to perform the incident response yourself, or engage a professional organization, this document will prove invaluable over time.
We can help you annotate details of your host environment as well. It will be required at some point during the incident response process.
Scan your website.
When scanning your website you have a few different ways to do this, you can use external remote scanners or application level scanners. Each are designed to look and report on different things. No one solution is the best approach, but together you improve your odds greatly.
Application Based Scanners (Plugins):
Remote Based Scanners (Crawlers):
There are also a number of other related security plugins available in the WP repo. The ones annotated above have been around a long time and have strong communities behind each of them.
Scan your local environment.
In addition to scanning your website, you should start scanning your local environment. In many instances, the source of the attack / infection begins on your local box (i.e., notebook, desktop, etc…). Attackers are running trojans locally that allow them to sniff login access information to things like FTP and /wp-admin that allow them to log in as the site owner.
Make sure you run a full anti-virus/malware scan on your local machine. Some viruses are good at detecting AV software and hiding from them. So maybe try a different one. This advice extends to both Windows, OS X and Linux machines.
One very serious implication of a hack these days is around Email blacklisting. This seems to be happening more and more. Make sure you are not confusing Emails hack with your website's hack.
As websites are abused to send out SPAM emails, Email Blacklist authorities are flagging the website IP’s and those IP’s are often associated with the same server being used for email. That's why we never use your server to host and send your emails. The best thing you can do about your emails if not managed by us is to look at our Microsoft Partnership's Office 365 solution when it comes to your business needs.
Be Mindful of Website Blacklists.
Google Blacklist issues can be detrimental to your brand. They currently blacklist somewhere in the neighborhood of 9,500 to 10,000 websites a day. This number grows daily. There are various forms of warnings, from large splash pages warning users to stay away, to more subtle warnings that pop up in your Search Engine Result Pages (SERPs).
Although Google is one of the more prominent ones, there are a number of other blacklist entities like Bing, Yahoo and a wide range of Desktop AntiVirus applications. Understand that your clients / website visitors may leverage any number of tools and any one of them could be causing the issue.
It’s recommended that you register your site with the various online webmaster consoles like:
Improve your Access Controls.
You will often hear folks talking about updating things like Passwords. Yes, this is a very important piece, but it’s one small piece in a much larger problem. We need improve our overall posture when it comes to access control. This means using Complex, Long and Unique passwords for starters. The best recommendation is to use a Password Generator like those found in apps like 1Password and LastPass.
Remember that this includes changing all access points. When we say access points we mean things like FTP / SFTP, WP-ADMIN, CPANEL (or any other administrator panel you use with your host) and MYSQL.
This also extends beyond your user, and must include all users that have access to the environment.
It is also recommended to consider using some form of Two Factor / Multi-Factor authentication system. In it’s most basic form, it introduces, and requires, a second form of authentication when logging into your WordPress instance.
Some of the plugins available to assist you with this include:
Reset all Access.
Once you identify a hack, one of the first steps you will want to do is lock things down so that you can minimize any additional changes. The first place to start is with your users. You can do this by forcing a global password reset for all users, especially administrators.
Here is a plugin that can assist with this step:
You also want to clear any users that might be actively logged into WordPress. You do this by updating the secret keys in wp-config. You will need to create a new set here: the WordPress key generator. Take those values then overwrite the values in your wp-config.php file with the new ones. This will force anyone that might still be logged in off.
Restore your site.
We include backups with all our hosting plans. Backups are a critical piece of your continuation of operations. You should also check your plan to know your backup retention policy. You should be able to perform a restore and skill right into the forensics work.
Regardless, before you move into the next phase of cleaning, it is recommended you ask us to take one more snapshot of the environment. Even if it’s infected, depending on the type of hack, the impacts can cause a lot of issues and in the event of catastrophic failure you’ll at least have that bad copy to reference.
Find and remove the hack.
This will be the most daunting part of the entire process. Finding and removing the hack. The exact steps you take will be dictated by a number of factors, including, but not limited to, the symptoms provided above. How you approach the problem will be determined by your own technical aptitude working with websites and web servers.
To help in the process though, we’ve included a number of different resources that should help you in the process:
- Did Your WordPress Site Get Hacked?
- JungleWP can Clean your Hacked WordPress Site
- How to Clean Your Hacked Install
- How To Clean a Hacked WordPress Site
- How to Cope With a Hacked Site
- Four Malware Infections
- How to Clean a WordPress Hack
It might be tempting to purge everything and start over. In some cases that’s possible, but in many instances it’s just not possible. What you can do however is reinstall certain elements of the site with little regard to impacting the core of your website. You always want to make sure you reinstall the same version of software your website is using, if you choose an older or newer one you’re likely to kill your website. When reinstalling, be sure not to use the reinstall options in your WP-ADMIN. Use your FTP / SFTP application to drag and drop the versions. This will prove much more effective in the long run as those installers often only overwrite existing files, and hacks often introduce new files… You can replace the following directories safely:
From there, it’s recommended that you be more diligent in updating and replacing files as you move through wp-content as it contains your theme and plugin files.
The one file you will definitely want to look at is your .htaccess file. It’s one of the more common files, regardless of the type of infection, that is most often updated and used for nefarious activities. This file is often located at the root of your installation folder, but can also be embedded within several other directories on the same installation.
Regardless of the type of infection, there are will be some common files you will want to keep an eye on during your remediation process. They include:
If modified, these files can usually adversely affect all page requests, making them high targets for bad actors.
Once you are clean, you should update your WordPress installation to the latest software. Older versions are more prone to hacks than newer versions.
Change the passwords again!
Remember, you need to change the passwords for your site after making sure your site is clean. So if you only changed them when you discovered the hack, change them again now. Again remembering to use Complex, Long and Unique passwords.
Forensics is the process of understanding what happened. How did the attackers get in? The goal is to understand the attack vector a bad actor used to ensure they’re unable to abuse it again. In many instances, it’s very difficult for website owners to perform this type of analysis due to lack of technical knowledge and / or available data. If you do have the metadata required, then there are tools like like OSSEC and splunk that can help you synthesize the data.
Secure your site.
Now that you have successfully recovered your site, secure it by implementing some (if not all) of the recommended security measures.
Can’t Log Into WordPress Admin Panel
There are times that a bad actor will hijack your administrator account[s]. This is not a reason to panic, there are a few different things you can do to regain control of your account. You can follow these steps to reset your password
Tools like phpMyAdmin and Adminer allow you to log into your database directly, bypassing your Administration Screen and resetting your user in the users table
If you don’t want to mess with password hashes or can’t figure it out, simply update your email and go back to Login Screen, click forgot password, and wait for the email.