Removing a WordPress Website Hack

I’ve dealt with quite a few WordPress website hacks and infections, especially lately. While there is a virtually unlimited number of ways your site can be compromised, I am going to focus on some likely ones and the methods I’ve used to fix 95% of the sites I’ve seen hacked.

These methods all assume that you still have WordPress admin dashboard access. If not, you may want to consider restoring the site from a backup. This may require speaking with your host depending on your situation. If you don’t make many changes on your site, this also may be a good solution, as you can just restore your site to before it was hacked.

Once I’ve identified that there is a hack (or even just if I suspect), here are the steps I take.

Use the Wordfence Plugin

  1. From the backend, go to plugins -> add new and search for “Wordfence”. Click “Install Now” next to “Wordfence Security.” Activate it when done. If you can’t do it from the backend, you could always download the plugin, extract the files locally, and upload to the wp-content/plugins directory using FTP.
  2. We need to configure something quick. Go to Wordfence -> Options and scroll down to “Scans to Include”.  Ensure that “Scan theme files against repository versions for changes”, “Scan plugin files against repository versions for changes”, and “Scan core files against repository versions for changes” are all checked. Save changes. Optionally, you can check to scan files outside of WordPress if you want to be really thorough, but this often takes much longer.
  3. Go to Wordfence -> Scan and start a Wordfence scan. Depending on your setup, this will usually take anywhere from 20 seconds to 10 or 15 minutes.
  4. Analyze the results and take the recommended action in most cases.

Basically what you are looking for is malicious code. If the results find files and it says, “this file contains malicious code”, odds are you want to follow the recommended action and delete it. If WordPress core files have been modified, repair those. If there are files that aren’t part of the plugin or core but are in those folders, delete them.

You don’t really need to worry about notices with “Warning” severity (the yellow exclamation point), especially if it’s just a .txt file, as they can’t run scripts. Plugin developers frequently change this file without releasing a new version, so it triggers this notice. Sometimes they make minor changes to PHP files as well, let Wordfence decide whether it’s a critical issue and go from there. You can also view how the file has changed. If some variables were renamed or minor code changed slightly, it’s probably not a big deal. If there are large strings of nonsensical text, especially combined with base64 decodes or eval functions, it’s probably malicious.

Oftentimes, this is all that’s needed. Update all your plugins and themes, and continue scanning to see if you need to do more.

Restore WordPress Core Files

This isn’t always needed, but it’s often a good idea to restore all of the core WordPress files. This basically includes deleting the wp-includes and wp-admin folders as well as all the files in the root directory that aren’t needed or part of WordPress, except wp-config.php. You may also want to restore that one, but you’ll want to back it up and take note of the usernames, passwords and other info so that you can set up a new one.

  1. Download the latest version of WordPress.
  2. Unzip it to your local machine.
  3. Zip up everything into a new file, except the wp-content folder. Most operating systems can do this natively, otherwise 7-Zip is the best freeware in the business.
  4. Upload this file to your website’s root folder using FTP or the online file manager through your hosting cPanel or similar.
  5. Backup your entire website. The “BackUpWordpress” plugin does a great job, but you could also zip everything up using SSH or your online file manager.
  6. Delete the wp-includes and wp-admin folders, as well as all of the WordPress related files in the root.
  7. Unzip the file you uploaded with all the core files.
  8. Test your site! If you deleted wp-config.php, you’ll be prompted to set up your new site. Enter in your database info, etc, and you will be good to go.

Search for Malicious Code Using SSH

For basics on connecting with SSH, check out my blog post on that topic.

  1. Connect to your server using SSH.
  2. Find out what your root directory is. The command “pwd” will give you the full path to your current directory. “ls” will list all files and folders where you are. If you see an httpdocs or public_html folder, you’ll probably want to navigate to that by using “cd httpdocs”. Change “httpdocs” to the name of the folder you want to navigate to. Once you use “ls” and see your WordPress install (wp-admin, wp-content, wp-includes etc), use “pwd” and it will give you the full path to your site root. Copy this down.
  3. Run the following scripts, one at a time, replacing the path with your site’s path.
    egrep -Rl 'function.*for.*strlen.*isset' /path/to/your/website
    egrep -Rl '\$GLOBALS.*\\x|function.*for.*strlen.*isset' /path/to/your/website
    egrep -Rl 'isset.*eval' /path/to/your/website
    
  4. View the contents of any files that it turns up. If they contain eval or base64 scripts that are basically just long strings of characters, such as:
    eval('KD819DNIKEULSDF8983NHKWED7BN3HJ1RHJK1R12JKSDLQUBYU3')

    Then it’s more than likely malicious code. If that’s all that’s in the file, the whole thing should probably be deleted. If there is a regular file that’s not suspicious for the rest of it, you may just want to remove the suspicious part, likely located right at the top, but maybe obscured by hiding it a few hundred lines to the right.

    Note that some legitimate plugins do use eval and base64 legitimately, especially plugins dealing with credit card transactions and passwords. If one plugin has multiple files that do this, and Wordfence didn’t pick up on it, I’m sure it’s fine. You can always download a fresh copy of the plugin and compare files to be sure.

Searching the Rest of the Server

If you have other websites on your hosting server, you are going to want to run these same actions on them. Infections can and do spread easily. If one of your sites was infected, I’m betting others are too.

You can do all these same processes for the other sites. Using the SSH searches, you could also just search the root of all your websites at once to get an idea of how much it has spread.

Preventing Hacks from Happening Again

  1. Update.
  2. Update.
  3. Stay updated.

That’s basically all there is to it. Update WordPress, update your plugins, and update your themes. Vulnerabilities are constantly being exposed, and automated hacks can easily take advantage of them to compromise your site.

It’s also critical to check your premium plugins to ensure they are up to date. They don’t always warn you, and are typically the biggest targets. In my experience, the following plugins are most likely to be compromised and most critical to update:

Revolution Slider
Gravity Forms
Visual Composer

So go ahead and Google what the most recent version of these plugins is, and compare it to what’s on your site.

Also make sure that you update ALL of the sites on your server. You are only as safe as your weakest link!

There are lots of other things you can do to harden your install and server to prevent hacks. And they can be a great choice, but in my experience, 95% of hacks are prevented by simply keeping updated. You should update everything, at a minimum, on a monthly basis to prevent issues. I offer a service that is very reasonable where I go through and update your site for you on a monthly basis and also deal with any upgrade issues that may arise. So for those of you that don’t want to do it yourself, I can make sure it’s done and that it gets done right.

About Brian Johnson

Brian Johnson is a website developer and designer living in Lakeville, Minnesota with a passion for code and WordPress. He spends his days building WordPress websites for small businesses, developing new code with the online community, and living life.

Leave a Reply

Your email address will not be published. Required fields are marked *