Have you really been hacked?
If you suspect your website has been compromised, confirm whether a hack has genuinely occurred. We often hear from panicked site administrators who mistake glitches, update failures, or other issues for hacking. Sometimes, site owners misinterpret spammy comments as evidence of a hack.
Here are signs your site may be hacked:
– Spam in your header or footer promoting illegal services, often hidden as dark text on a dark background, which may evade human notice but is detectable by search engines.
– A Google search using site:example.com (replace with your domain) reveals unrecognized and malicious content.
– User reports of redirection to harmful websites; be cautious, as many hacks conceal spam from administrators but display it to visitors. Use an Incognito window or access your site via search results for an accurate view.
– Notifications from your hosting provider about suspicious activity linked to your site, such as spam emails that redirect to malicious sites, indicating a potential breach.
Wordfence can help identify these issues, so pay attention to our alerts and respond quickly.
Back up your site immediately if you discover it’s been hacked.
Use FTP, your host’s backup system, or a plugin(All in one migration, prime mover etc) to download a full copy of your website. Many hosting providers will delete your site upon reporting a hack or detecting malicious content, so this step is crucial.
Don’t forget to back up your website database as well. Your priority should be securing both files and database first. Once backed up, you can focus on cleaning your site, knowing you have a copy of the hacked version.
When cleaning a hacked WordPress site:
1. You can safely delete everything in the wp-content/plugins/ directory; these can be reinstalled without data loss. WordPress will disable removed plugins to prevent crashes. Ensure you delete entire directories, like wp-content/plugins/wordfence.
2. Typically, you have one active theme in wp-content/themes. Remove any other theme directories, but be cautious if using a child theme.
3. New files in wp-admin or wp-includes are likely malicious, so investigate any recent additions.
4. Watch out for old WordPress installations. They can be accessible and contain malware, which attackers may exploit to access your main site.
To clean your hacked site using Wordfence:
1. Upgrade to the latest version of WordPress. Older versions may have unpatched vulnerabilities.
2. Update all themes and plugins. Developers regularly address security issues, so ensure you’re using the latest versions.
3. Change all passwords, particularly administrative ones. Weak or reused passwords could have allowed the attacker access.
4. Create a new backup and store it separately from the previous one. This new backup will safeguard your updated site while you clean it with Wordfence.
5. Ensure Wordfence is installed. The free version suffices, but Premium provides the latest malware signatures.
6. Navigate to the Wordfence “Scan” menu and click “Start Scan.” Review the results and resolve the identified issues.
7. After addressing the initial findings, perform a deeper scan. Go to “All Options,” find “Basic Scan Type Options,” and enable “High Sensitivity” for a thorough scan, which will detect more stubborn malware.
8. You can run as many scans as necessary. There are no limits, even for free users.
9. Carefully review the list of infected files and work through them methodically. Edit or delete suspicious files, keeping in mind that deletions are permanent, but you can restore from backup if needed.
10. Check for changes in core, theme, and plugin files. Use Wordfence to compare and repair any malicious alterations.
11. Continue until you have resolved all issues.
12. Finally, run another scan to confirm your site is clean.
By following these steps, you can effectively clean your hacked WordPress website and safeguard against future attacks.