Cleaning WordPress after it has been compromised
So your WordPress installation has been compromised and it continues to be attacked on an ongoing basis, and now you are starting to get frustrated. What steps can you do to protect yourself from these attacks ? We’ll take a look at how you can protect your website going forward, and to avoid getting having to take your website offline for maintenance. Remember, if you fail to clean your WordPress website properly, it’s likely that the hackers have left a backdoor so they can reinfect your website when every they want. For this reason you need to identify any files that are present that shouldn’t.
Through BloggingSupport.com we offer services to maintain WordPress sites. Often customers come to us when their website has been compromised, due to failing to upgrade for a long time, or having insecure WordPress plugins.
Knowing you are hacked
Often customers don’t know they are hacked until something more serious happens, like they start to loose web traffic or their domain gets banned from sending email. We recommend that you do a domain search on google with site:yourdomain.com to see if any additional pages have been added to your website.
In the case that the hacker is using your site to send SPAM, make sure that bounce messages are sent to some address that you monitor on a regular basis. These hackers can send thousands of emails an hour via your compromised website and will get you on a blocked list. You can check the status of your server IP address or domain name on these two websites SpamHaus Lookup & MXToolBox Blacklists.
Update your WordPress plugins
As a general rule we recommend that you only use the minimum amount of plugins, and make sure that the plugins you or your web-developer has chosen are actively updated. It’s often the case that vulnerabilities are discovered in these plugins and hackers blindly test your website to see if you have the certain plugin installed.
Update your WordPress site
It goers without saying that you should also keep up to take with WordPress updates. Updating is straight forward (or you can hire us to update it for you), but you do need to check if everything is still working once you update. We do a run through of a website’s main features, like checking the contact form, search functions, commenting , etc.
WordPress powers over 20% of the internet, and for this reason it’s an interesting attack vector for hackers.
If your website has been hacked, the first step is to change your password, and to check to see if any extra users have been added to your site. Dashboard > Users > All Users.
Check to see if there are any new plugins that you don’t recognise. Plugins > Installed Plugins
Often these hacks will add some extra files to your WordPress installation. The easiest thing to do is to re-upload a safe version of WordPress. We recommend that you delete the contents of /wp-admin/ & /wp-includes/ (often there are rough files named ‘admin.php‘ , ‘options.php‘ that might be here. Delete all the PHP files in your main directory except for wp-config.php.
Check file edit dates
If you know your way around an FTP client, it’s worth checking folders. Keep an eye out for files that have an unusual update date. Generally your WordPress files should all have a similar update date, where as rogue files will probably have been added at a different time.
Check your /wp-content/ folder for any extra files. It should only contact 1 file, index.php & subfolders /plugins/, /themes/, /upgrade/ & /upload/ check these for files that have been edited or added at strange times.
In /wp-content/themes/ you should remove any themes that you no longer need. You should also check the contents of these files for PHP code the has hidden what it does search for functions like ‘base64_decode’ or ‘eval’.
Use WordPress Exploit Scanner plugin
WordPress Exploit Scanner is a useful plugin that will perform many of the steps we’ve highlighted above. It will also check the database that runs your site. We recommend that you run this on a regular basis.
WordPress is a great platform to use for websites, but like any software it needs to be maintained. Failing to keep the software up-to-date means that your website is more likely to be compromised which may result in you having to take your website offline for a bit of time to fix.