What to Do When Your WordPress Website Is Hacked?

Website Is Hacked

Is there a bigger nightmare for a website owner than to see his online presentation being hacked. When cybercriminals take over someone’s website they use it for various purposes of which each one has terrible consequences to website owners.

In most cases, they deface your website or take it offline, send spam emails, make malicious redirection, phishing, etc. In the worst-case scenario, they will steal all user’s data.

How Do You Know Your Website Is Hacked?

  • You can’t log in even after resetting your password.
  • It has visually changed but you had nothing to do with it.
  • It’s redirecting to another website.
  • Browser warns you when you try to access your website.
  • Google gives you a warning that the website may have been hacked after your search for your website.
  • You were notified by your security plugin of an unexpected change.
  • Your hosting provider warns you about unusual activity on your account.

Why Does Your Website Gets Hacked?

  • Insecure password
  • Software not updated
  • Insecure code

Through Which Paths Hackers Intrude on Your Website?

  • DNS DDoS Attack – Distributed denial of service attack is by far the most dangerous attack. It exploits bugs in the code to overflow the memory of an operating system of a website.
  • Backdoor – Bypasses security encryption via abnormal methods such as wp-admin, SFTP, FTP, etc.
  • Brute Force Attack – Repetitive efforts of cracking weak username and password through automated software.
  • XSS – Cross-site scripting is when a malicious script is inserted into a website or app from a trusted source.
  • Malicious Redirection – It inserts redirection codes into the website and combines its activity with the backdoor attack.
  • Pharma Hacks – Ads for pharmaceutical products, often those including sexual dysfunction, pop up through search engine results. This is more spam than malware and affects your website’s SEO.

Prevent Getting Hacked

prevent WordPress Hacking

There are several ways to prevent your website from being hacked. If your website gets infected, the key question you’d have is – how to clean it from malware? The answer is simple and devastating – no way.

But before you think that you’re in a hopeless situation, there’s good news – even though malware is very difficult to clean, there’s another solution. But first, let’s take a look at how cyber criminals infect websites at all. There are two common ways they intrude on a website.

The first way is when you leave your WordPress installation not updated for months or years. WordPress is very complex in its structure, although it may not seem that to those who are unacquainted with web programming, and amateur developers often make a mistake.

These glitches are usually fixed as soon as they are discovered and if you regularly update WordPress and its plugins then you have nothing to worry about. But in case you don’t update your WordPress and plugins, these omissions will continue to exist on your website.

Cybercriminals continuously dig through all the websites and check for any kind of glitches. When they find a glitch, they insert their script into your website, and then your misery begins.

Also, never use cheap hosting if you want to avoid your website being taken down. Yet, there’s an option that’s highly acceptable in this case and still has the characteristics of being affordable – MySQL hosting.

Some MySQL hosts aren’t budget-friendly if you want them to include advanced security measures but the best ones provide a balance between features and prices. Just like any other open-source database solution, MySQL server faces numerous security challenges. Given that MySQL databases, who are behind every WordPress site, hold sensitive personal information, they’re often targeted by hackers.

But, as we mentioned, if you choose the right hosting service, it will successfully protect your website from hacking attacks despite being cheap compared to some other hosting solutions.

The other way cybercriminals intrude on the website is through null plugins and themes. These themes and plugins are commercial and you have to pay to have them but, whoever made your website may have downloaded them for free on a warez website (websites of software resellers), i.e. you didn’t purchase them.

All these paid themes and plugins that you download for free aren’t really that free – you’ll get the “bill” a little bit later from cybercriminals. Soon, cybercriminals add malicious software to almost all of these null plugins and themes that allow them to intrude on a website that has a null theme or plugin installed.

Globally, the most common ways to hack your WordPress website are through plugins, brute force attacks, poor hosting, file permissions, etc.

Why Is It so Difficult to Clean up Malware?

cyber seciruty

Why is it so difficult to clean up malware? First of all, it’s generally well hidden. It’s often located in the middle of a PHP file and looks like a legitimate piece of code, as an integral part of a plugin or theme.

In order for cybercriminals to create a backdoor to enter your website, they usually only need one line of PHP code so it’s more difficult to spot something like that. Secondly, once they enter the website, they make sure to put the backdoor in several other places on the website.

They infect several randomly selected PHP files in any folder and set a few more upload scripts in completely legitimate WordPress folders.

This is where the main problem emerges – if your website is infected, be sure that it isn’t only infected in one place but at least in several more. Cybercriminals do this deliberately to secure control of the website because if you detect their malware in one place and remove it, they can enter through a dozen more holes.

You will spend hours finding malware, you’ll find it in one place, you’ll clean it, but they have inserted so many malicious lines so they can re-enter the website again in a few hours. It won’t even help you to override the entire WordPress installation with the most recent WordPress files since malware is often inserted as a separate file. WordPress itself doesn’t contain that file and, logically, there will be nothing to override that file.

Also, there’s no way for antivirus software to detect malicious software with certainty. That’s because hackers can write their own malicious PHP code and use legitimate PHP functions that won’t be suspicious of antivirus software at all.

Not even the effort of the server administrator to sort all the files by the modification date, that would locate the modified or newly uploaded files, wouldn’t help if the hole is made in the plugin or theme.

Steps to Perform in Case of a Hacked Website

WordPress Website Is Hacked

Maintenance Mode

Take advantage of the first moment when you’re able to log in and put your website into maintenance mode – don’t let your visitors be aware that you are hacked.

  • Backup

Restoring a website can be the solution, but again there is a problem – you have no idea when the website was actually infected. Cybercriminals could’ve infected it months ago, or a year ago, without performing any activities during that time so you had no idea that the website was infected. Their attack starts suddenly. To you, it looks like the website was hacked yesterday and you restore files from a backup from a month ago… Sorry to tell you but that backup contains malware, too.

  • FTP Cleanup

The only right decision is a radical cut, and its essence is to delete all PHP files from your website via FTP and leave only uploaded images and a configuration file to connect to the database (wp-config.php in WordPress). Follow these particular steps:

  • Via FTP, delete all files from the website except the wp-config.php file and the /wp-content/uploads/ folder. Don’t delete uploaded images.
  • ●      Using FTP, open a wp-config.php file in an editor such as Notepad ++ and make sure there isn’t any code that looks like a bunch of letters or PHP code that you’re sure is not part of WordPress and that’s malware. If you see malware, delete the whole part that contains it. Turn on Word Wrap in the editor so that you don’t skip the malware if it’s placed behind some faraway character in the line, behind the visible field (in Notepad ++ it is in the menu View -> Word wrap). If you aren’t sure what’s what in that file and how the normal wp-config.php file looks like, you can re-generate a brand new wp-config.php file for your website by entering MySQL login information.
  • Via FTP, enter the /wp-content/uploads/ folder and then look into each of its subfolders, as well as subfolders of subfolders. Sort the files by file type, that is, by extension and make sure that there’s no .php file in any of the subfolders. If you notice some, delete it immediately because it’s, undoubtedly, malware.
  • Download a fresh WordPress installation from https://wordpress.org/download/ and upload it using FTP.
  • Log in to your website in /wp-admin/, install the same theme, previously download the latest version of the theme (never use the old one) and install the same plugins you had before deleting.
  • Change the WordPress admin password in /wp-admin/.
  • Delete all other admin users in /wp-admin/.
  • Change the FTP password. This is, generally, also the password of the hosting account so in most cases, you can do so in the hosting cPanel.
  • Change the MySQL password. This can also be done in the cPanel. Then, via FTP, enter the new MySQL password in the wp-config.php file.
  • Inform Google

In case of a hacking attack, your website will be red-flagged by search engines. That’s because, during a hacking attack, sitemap.xml file is compromised. Regenerate your sitemap using SEO plugin that came with the WordPress and then inform Google, by adding your website to Google Search Console and submitting a sitemaps report, that you cleaned your website.

Essential must-do when owning WordPress website: Update WordPress and plugins on a regular basis because, as we said, it often happens that omissions in plugins are detected and sometimes in WordPress itself. If you don’t update them, the hackers will surely take advantage of these gaps and intrude on your website.

Advertisement

LEAVE A REPLY

Please enter your comment!
Please enter your name here