Getting hacked is perhaps among the worst nightmares of every blogger and Internet marketer. It is almost synonymous with getting your business robbed and, in a few instances, burned. It can hurt your search engine rankings, cost you your authority, expose your readers to viruses, lose you money of course, and wipe out your years of hard work.
But getting hacked is not the end of the world, at least that’s what you need to think and believe. I got one of my early blogs hacked after I signed up on a sneaky CPM network; needless to say, I lost a few dollars over it. But I’ve learned my lesson, and while prevention is always better than cure, there are some instances where you will always need treatment in order to salvage whatever is there to be saved.
Here are a few steps on what to do in case your WordPress website gets hacked.
If you’re lucky and you still have access to your site over File Transfer Protocol (FTP) and to phpMyAdmin, back up your website files and immediately download your database.
Make sure to put the files you are downloading in a safe folder on your hard drive, not in sensitive folders that need admin permissions. Since your blog is already hacked, there is a danger that you will also be downloading infected files, that is, files that contain viruses, trojans or other malware, and you don’t want to risk exposing your computer to them. As always, make sure your favorite anti-virus software is running.
If your blog also serves a few downloads to users, then back those up too; you don’t want your blog serving broken or unavailable downloads once you recover it.
The same goes for self-hosted images. There should be a separate folder for these two, usually the /uploads/ folder of your WP blog. Copy that folder and place it somewhere else, outside of the main backup you downloaded over FTP.
Export your blog database in all possible formats: zip, sql, csv, etc. This is part of our prevention-is-better-than-cure idea. This should only take a few seconds or minutes more, depending on your ISP.
Get the latest version of WordPress from the official website: http://wordpress.org/download/
The same goes for all of your plugins. I recommend that you download a clean template, and it’s best if you use WP’s default template for the meantime. Why? Because there are times when the theme you use for that hacked blog is already compromised or, worse, is the reason you were hacked. You can read more about how to protect your WP theme from malicious code, and a little on how your WP theme can get your blog hacked, in this post:
Delete all of the files and folders contained in your WP installation directory. You can do this through FTP or through your File Manager in cPanel. You can also do this through SSH if that is your sort of thing (on second thought, I doubt you’ll be reading this tutorial if that indeed is your thing).
Make sure that the entire directory or folder structure of your old WP installation has been deleted and cleared. This ensures that you have removed all possibly infected files.
Remember step 2. Upload all the necessary files, including your hosted images and files. Just make sure you have checked them with your local antivirus software to be sure that they are clean. You don’t want to upload infected files unless you enjoy cleaning your blog again.
Make sure you edit your wp-config.php file correctly. Also make sure that you take advantage of the secret key values that you can change. These can be found in the config file:
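A pre-upload check for the saved uploads folder, as an added example that is not part of the original post: it lists files that have no business among images and downloads, to be reviewed alongside the antivirus scan. The function name scan_uploads and the extension lists are assumptions chosen for this sketch.

```python
import os

# Extensions a web server may execute; none belong among images and downloads.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".phar", ".cgi", ".pl"}
# Files that can change how the server treats the folder they sit in.
SERVER_CONFIG_NAMES = {".htaccess", ".user.ini"}


def scan_uploads(root):
    """Return a sorted list of (relative_path, reason) for files to review."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            if name.lower() in SERVER_CONFIG_NAMES:
                findings.append((rel, "server config file"))
                continue
            if ext in SCRIPT_EXTENSIONS:
                findings.append((rel, "script extension"))
                continue
            # An image or archive can still carry PHP; check the first 1 MiB.
            with open(path, "rb") as fh:
                data = fh.read(1024 * 1024)
            if b"<?php" in data.lower():
                findings.append((rel, "contains PHP opening tag"))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    # Pass the path of the backed-up uploads folder as the first argument.
    for rel, reason in scan_uploads(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason}: {rel}")
```

Anything it lists should be opened and understood before it goes back on the server; an empty result does not replace the antivirus scan.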
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
Go to https://api.wordpress.org/secret-key/1.1/salt/ and grab some keys to use in place of the placeholder phrases. This can help you protect your blog from unauthorized access, i.e. hackers.
Go to /wp-admin/upgrade.php to be sure that your database has been upgraded.
Now you might remember that you made a backup of your database earlier; just pray that you won’t have to use it and that this simple reinstallation fixes things.
Since you’ve been hacked, you can assume that the hacker knows your password, so common sense dictates that you change it ASAP.
I recommend that you change your admin username to anything but the default username, which is admin. A more detailed explanation of this merits another blog post.
If your blog has more than one admin, meaning other users who have the same privileges, like editing files, installing plugins, etc., then downgrade their privileges first so you can also change their passwords.
Check your blog posts manually. See if your posts now contain iframes, noscripts and redirects. Check if you now link to malicious and bad-neighborhood sites, something that these blog hackers love, or are even paid, to do.
Of course, links are sometimes not obvious, thanks to the power of CSS and HTML coding, so here’s a good tool that you can use if you have Firefox: the Firefox add-on LinkChecker. It will help you identify the links on a page, so you won’t have to rely solely on your naked eye.
You can also run this query on your MySQL database to identify your posts that you may want to focus on:
SELECT * FROM wp_posts WHERE post_content LIKE '%<iframe%'
UNION
SELECT * FROM wp_posts WHERE post_content LIKE '%<noscript%'
UNION
SELECT * FROM wp_posts WHERE post_content LIKE '%display:%';
This query is for WordPress tables with the wp_ prefix, which is the default format. It will pull the posts that could have been altered by the hacker so you can verify them. To run the query, just go to phpMyAdmin (MySQL databases) from your hosting’s cPanel.
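A closer look at the posts the query returns, as an added example that is not part of the original post: it parses each post's HTML, records why the post deserves review (iframe, noscript, script, hidden element, meta refresh) and lists the outside hosts it points to. The names PostAuditor and audit_posts and the myblog.example host are assumptions; rows are (ID, post_content) pairs taken from wp_posts.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
FLAGGED_TAGS = {"iframe", "noscript", "script"}


class PostAuditor(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.reasons, self.external_hosts = set(), set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in FLAGGED_TAGS:
            self.reasons.add(f"<{tag}> tag")
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            self.reasons.add("hidden element")
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            self.reasons.add("meta refresh redirect")
        for key in ("href", "src"):
            try:
                host = (urlparse(attrs.get(key) or "").hostname or "").lower()
            except ValueError:  # malformed URL, nothing to extract
                continue
            if host and host != self.own_host:
                self.external_hosts.add(host)


def audit_posts(posts, own_host):
    """posts: iterable of (post_id, post_content). Returns {id: (reasons, hosts)}."""
    report = {}
    for post_id, content in posts:
        auditor = PostAuditor(own_host)
        auditor.feed(content)
        auditor.close()
        if auditor.reasons:
            report[post_id] = (sorted(auditor.reasons), sorted(auditor.external_hosts))
    return report


if __name__ == "__main__":
    # Constructed sample rows, as (ID, post_content) pairs from wp_posts.
    rows = [(1, '<p>Clean <a href="http://myblog.example/about">link</a></p>'),
            (2, '<iframe src="http://bad.example/x" style="display:none"></iframe>')]
    for post_id, (reasons, hosts) in audit_posts(rows, "myblog.example").items():
        print(post_id, reasons, hosts)
```

The host list is what to check against the sites you actually meant to link to; a flagged post with only familiar hosts is usually an embed you added yourself.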
If you’re having problems cleaning up your hacked WordPress blog, just leave a comment below or contact me. Image is from RizwanAshraf.