In modern day, WordPress is the most popular Content Management System. Millions of websites are built quickly and reliably using this great piece of software. The sheer installation base of WordPress makes websites that use it a juicy target for malicious hackers. If someone can find one vulnerability in a WordPress installation they can potentially infect millions of websites in one shot.
Is Your Hacked WordPress Website Really Hacked?
Before you start the analysis and WordPress clean-up process, surely confirm that your WordPress have been hacked. If you follow these few tips, and check your website frequently you will immediately identify your website falls a victim of a malicious hack attack.
- If you have an old blog post or page that never ranked well and suddenly it becomes very popular for no apparent reason, it might be infected.
- You can also check if Google identified malware or any other type of malicious code on your website by accessing the below URL from your browser.
How Does a WordPress Installation Get Hacked
A WordPress installation can get infected due to a lots of reasons:
- Unsafe plugins– External pieces of code can allow for a website to get hacked because of vulnerabilities that might exist in the plugin code itself.
- Outdated patches: Several website owners do not update their WordPress version when a security threat is identified and an upgrade is recommended.
- Unsafe themes- Website administrators install themes in WordPress without verifying the integrity of the themes. As a result it can contain malicious code.
- Weak passwords– Lots of website owners use very weak administrator and FTP passwords. So hackers can be guessed easily and hence leads to compromise.
- Stolen FTP credentials– Trojans and other nasty viruses that are present on computers used to upload material to a WordPress. It can gather login credentials used by website admins and those details transfer them off to automated bots that can infect websites.
What motivation do hackers have for hacking into a website?
- Drive-by-downloads – Hackers can use your site to infect your visitors’ computers with lots of harmful malware like back doors, key trackers, ransomware, viruses and more. The main purpose of this malware to capture information they can use for their own gain.
- Redirections – When your websites infected this malware then visitors redirects automatically from other websites that generate affiliate income for them.
- System resources – It can take over your server and use the hardware for sending out spam emails, performing denial of service or brute force attacks and more. Of course, this will easily get your server and your site put on a blacklist or jack up your hosting cost if it is based on usage.
Why do hackers target WordPress specifically?
Because WordPress is very popular in now days. For example- If you want to take over a lot of websites for your own purposes. Then you spend all of your time trying to find vulnerabilities on a platform used by 500 websites. Reason, WordPress is so widely used, it’s an incredibly popular target for hackers. WordPress is also a modular platform. It can be extended in any number of ways with themes and plugins. Because of its popularity, WordPress is an incredibly popular platform for hackers and security researchers alike.
Where Can I Find the Malware
Malware can be located inside
- HTML files,
- PHP files,
- Inside your database,
- Inside directories that store system information,
- Configuration files and in many other places.
How to Remove the Malware
Here are some steps that may help you clean up your WordPress installation after a hack attack that resulted in malware being injected into your installation.
- Change all your passwords such as FTP, cpanel/plesk access passwords immediately. You should also overwrite the secret inside the wp-config.php file.
- Always make a Backup your website. Most hosting companies will keep daily backups so you may not have to do anything. Just make sure that there is a backup copy available. For sites hosted on services like Rackspace, you can create instand snapshots of your VPS.
- Check .htaccess file for compromise.
- You should you-table-name to whatever the names of the tables are in your database and the columns appropriately and then you can see if any injections are there in the database or not. You can then drop the entry you want.
- Download the latest version of WordPress and update your install.
- Make sure the third party plugins you use have good reputation.
- Extract the files from the zip or tar.gz that you have just downloaded onto your computer. Leave those files there for now. We will come back to them later.
- If you removed your theme you should also re-upload your clean backup theme files.
- Removing The Malware Infection
Login to your FTP or Control Panel > File Manager.
Your WordPress installation files on your web host should look like this:
Delete everything, you see there for the wp-content folder, and the wp-config.php file.
Now your installation should look like:
In your cPanel > File Manager, click on and edit the wp-config.php file. Make sure there are no strange codes or anything unusual. If there is malware in this file, it will generally look like a long string of random text. You can compare it to the wp-config-sample.php file to be sure.
Now go into the wp-content folder. It should look like:
Make a list of the plugins which is currently using, then remove the plugins folder and index.php file. After that, you will need to re-install your plugins after the cleaning process.
Go into the themes folder and remove any theme which you are not using. You will then need to individually check each file in your current theme to make sure there is no malware or strange codes in them. If you have a clean backup of your theme somwhere, then to be safe you should just delete the entire themes folder.
Check every inside your uploads folder to make sure there are no php files or anything that you may not have uploaded.