Getting your WordPress site back after a hack is critical to restore security, data integrity, and normal operations. A hacked site can lead to data loss, reputation damage, financial losses, legal issues, and poor user experience.

Here are the 10 key steps to recover your hacked WordPress site:

1. Identify the Hack
   • Look for signs like new admin accounts, traffic spikes, modified content, Google warnings, and unexpected redirects.
   • Use security plugins or manual inspection to confirm the breach.
2. Take Immediate Action
   • Put your site in maintenance mode.
   • Change all passwords.
   • Contact your hosting provider.
3. Back Up and Restore Your Site
   • Create a fresh backup.
   • Restore from a clean backup if available.
   • Verify the backup’s integrity after restoration.
4. Clean Hacked Files
   • Scan for malware.
   • Remove malicious code.
   • Replace core WordPress files with clean copies.
5. Update Plugins and Themes
   • Remove unsafe plugins and themes.
   • Update remaining ones to the latest versions.
   • Check for compatibility issues.
6. Strengthen Security
   • Enforce strong passwords.
   • Enable two-factor authentication.
   • Install a web application firewall.
7. Harden WordPress Site
   • Disable file editing.
   • Restrict admin access.
   • Set proper file permissions.
8. Monitor and Audit
   • Use monitoring tools.
   • Conduct regular security audits.
   • Log activities and set alerts.
9. Educate Users
   • Train users on security best practices.
   • Implement security policies.
   • Review and update procedures regularly.
10. Prepare for Future Security Incidents

-   Maintain regular backups.
-   Create an incident response plan.
-   Stay updated on security news and best practices.

Prioritizing security and following these steps protects your site, users, and business from the consequences of a hack.

Related video from YouTube

Step 1: Identify the Hack

Quickly detecting a hack allows you to take prompt action and limit damage. This step covers common signs that your WordPress site has been compromised and initial steps to confirm the breach.

Signs of a Hacked Site

Be alert for these indicators that your site may have been hacked:

• Unfamiliar Admin Accounts: Check for any new usernames or roles with elevated privileges like "Administrator" that you didn’t create. Hackers often create backdoor accounts to maintain access.
• Sudden Traffic Spikes: Unexplained surges in website traffic, especially from suspicious sources, could signal malicious activities like DDoS attacks or spam distribution.
• Modified Content: If your site displays text, images, or links you didn’t create, it may have been defaced by hackers spreading malicious content.
• Google Warnings: Search engines may flag your site as potentially harmful if it’s been hacked to spread malware or engage in other malicious behaviors.
• Unexpected Redirects: Your visitors being redirected to unfamiliar or suspicious websites is a major red flag of a compromised site.

Using Security Plugins

Deploy reputable security plugins to scan for malware, backdoors, and other suspicious activities:

1. Install Sucuri or Wordfence: These leading plugins offer comprehensive scanning, malware removal, firewall protection, and security hardening features.
2. Run a Full Scan: After activation, initiate a complete scan of your files, database, and other core components to detect any compromised areas.
3. Review Scan Results: Carefully examine the scan report, paying close attention to flagged files, potential malware injections, and any other identified threats.
4. Take Recommended Actions: Based on the scan findings, follow the plugin’s guidance to quarantine infected files, remove malicious code, and address vulnerabilities.

Manual Inspection

For advanced users, manually inspect your WordPress installation for anomalies:

1. Check Server Logs: Review your website’s access and error logs for suspicious IPs, failed login attempts, or other unusual activities that could indicate a breach.
2. Analyze File Structure: Examine core WordPress directories like wp-admin/, wp-includes/, and wp-content/ for any new, modified, or unfamiliar files that shouldn’t be present.
3. Audit Recent Changes: Use version control or file monitoring tools to identify recent changes to your site’s files, database, and configurations that you didn’t authorize.
4. Search for Backdoors: Use tools like grep to search code for signs of backdoors, web shells, or other malicious scripts injected by hackers:

grep -r "base64_decode" /path/to/wordpress/

Thoroughly investigating these areas will help confirm if your WordPress site has been hacked and requires further recovery actions.

Step 2: Take Immediate Action

After confirming the hack, take these steps right away to stop further damage:

Put Your Site in Maintenance Mode

To prevent visitors from accessing your hacked site, put it in maintenance mode. Add this code to your wp-config.php file:

define('WP_MAINTENANCE', true);

Save and upload the modified file. Your site is now offline. Remove the code when you’re done.

Change All Passwords

Update these passwords with new, complex ones:

• WordPress admin account
• Database
• Hosting account
• FTP

Consider using two-factor authentication for an extra security layer.

Tip: If multiple users have access, force a password reset for all of them.

Contact Your Hosting Provider

Let your hosting provider know about the hack. They may have security protocols and can offer help to recover your site.

Step 3: Back Up and Restore Your Site

Before cleaning up your hacked site, it’s crucial to create a backup. This preserves any unaffected data and gives you a safe point to restore from if needed.

Create a Fresh Backup

Use a WordPress backup plugin like UpdraftPlus or your hosting provider’s backup feature to create a complete backup of your site’s files and database. Store the backup securely, like on an external drive or cloud storage.

Restore from a Clean Backup

If you have a backup from before the hack, you can restore your site using that backup. This will overwrite all infected files and database entries, removing the malware.

To restore from a clean backup:

1. Download the backup file
2. Deactivate all plugins temporarily
3. Use your backup plugin or hosting provider to upload and restore the backup
4. Reactivate plugins one by one

Verify the Backup’s Integrity

After restoring from a clean backup, scan your site’s files and database using a security plugin like Wordfence to ensure all infected files and entries have been removed.

Step	Description
1. Create Fresh Backup	Use a backup plugin or hosting provider’s feature to create a complete site backup. Store it securely.
2. Restore from Clean Backup	If you have a pre-hack backup, restore your site using that backup to overwrite infected files and database entries.
3. Verify Backup Integrity	Scan your site’s files and database after restoration to ensure all malicious content has been removed.

Step 4: Clean Hacked Files

Scan for Malware Again

Before removing any malicious files or code, run another full scan of your site using trusted security plugins like Wordfence, Sucuri, or MalCare. These tools can detect infected files, plugins, and themes, ensuring you don’t miss any hidden malware.

Remove Malicious Code

To manually remove hacked code from your WordPress files:

1. Identify infected files: Use security plugins or manual inspection to find files containing malicious code.
2. Access files: Use an FTP client or file manager to access the infected files.
3. Remove malicious code: Carefully remove the malicious code from the files, noting any changes made to the file structure or content.
4. Verify file integrity: Scan the files again with a security plugin to ensure the malicious code has been removed.

Replace Core Files

To ensure no malicious code remains, replace your WordPress core files with clean copies:

1. Download clean core files: Visit the official WordPress website and download the latest version of WordPress.
2. Upload clean core files: Use an FTP client or file manager to upload the clean core files, overwriting the infected files.
3. Verify core file integrity: Scan the core files again with a security plugin to ensure they are clean.

Step	Description
1. Scan for Malware	Run a full scan of your site using security plugins to detect infected files, plugins, and themes.
2. Remove Malicious Code	Identify and remove any malicious code found in your WordPress files.
3. Replace Core Files	Download and upload clean WordPress core files to replace any infected core files.
4. Verify File Integrity	Scan your files again to ensure all malicious code has been removed.

Step 5: Update Plugins and Themes

Remove Unsafe Plugins/Themes

After cleaning your site from malware, remove any plugins or themes that could be the source of the infection or pose a security risk. Carefully inspect all installed plugins and themes, and remove any that:

• Come from untrusted or unknown sources
• Are no longer actively maintained or updated
• Have known security vulnerabilities or issues
• You did not intentionally install

Removing unsafe plugins and themes reduces potential entry points for future attacks and ensures your site only runs code from trusted developers.

Update Remaining Plugins/Themes

Outdated plugins and themes often contain unpatched vulnerabilities that hackers can exploit. To secure your site, update all remaining plugins and themes to their latest versions:

1. Log into your WordPress admin dashboard
2. Go to the Updates section
3. Select all available plugin and theme updates
4. Click "Update Plugins" and "Update Themes"

This ensures you have the latest security patches and bug fixes installed. Consider enabling automatic updates for easier maintenance.

Check Compatibility

Before updating plugins and themes, check that the new versions are compatible with your WordPress version and other installed components. Incompatibilities can lead to conflicts, errors, or new vulnerabilities.

1. Review the plugin/theme developer’s notes on compatibility
2. Check the WordPress.org plugin directory for compatibility information
3. Test updates on a staging site before deploying to your live site

If you encounter any compatibility issues, consider alternative plugins/themes or temporarily disable certain components until compatible updates are available.

Step	Description
1. Remove Unsafe Plugins/Themes	Remove any plugins or themes from untrusted sources, no longer maintained, with known vulnerabilities, or that you did not install.
2. Update Remaining Plugins/Themes	Update all remaining plugins and themes to their latest versions to get the latest security patches and bug fixes.
3. Check Compatibility	Ensure the new plugin/theme versions are compatible with your WordPress version and other installed components.

sbb-itb-77ae9a4

Step 6: Strengthen Security

Preventing future hacks is crucial after recovering your WordPress site. Here are three essential security measures to implement:

Enforce Strong Passwords

Weak passwords make it easy for hackers to gain access. To strengthen password security:

• Set a minimum password length of 12 characters
• Require a mix of uppercase, lowercase, numbers, and special characters
• Implement a password expiration policy (e.g., every 90 days)
• Use a password manager to generate and store unique, complex passwords

Enable Two-Factor Authentication (2FA)

2FA adds an extra layer of security by requiring a second form of verification, like a code sent to your phone or a biometric scan, in addition to your password. This makes it much harder for hackers to access your site.

You can enable 2FA using plugins like:

• miniOrange Google Authenticator
• WP 2FA
• Wordfence

These plugins offer various authentication methods, including SMS, phone calls, and QR codes.

Install Web Application Firewall (WAF)

A WAF monitors and filters incoming traffic to your site, blocking malicious requests and preventing attacks. Popular WAF solutions for WordPress include:

WAF Solution	Description
Wordfence	Offers real-time threat detection, customizable rules, and performance optimization.
MalCare	Provides comprehensive security scanning, malware removal, and firewall protection.
Sucuri	Offers advanced security features, including DDoS mitigation and virtual patching.

When choosing a WAF, consider compatibility with your WordPress version and plugins, customizable filtering options, real-time threat detection, and performance impact.

Step 7: Harden WordPress Site

Hardening your WordPress site helps prevent future hacks. This step involves adjusting settings and permissions to make your site more secure.

Disable File Editing

To prevent unauthorized changes from the WordPress dashboard, you can disable file editing. This will stop Administrators from editing theme and plugin files directly.

To disable file editing, add this line to your wp-config.php file:

define('DISALLOW_FILE_EDIT', true);

This will remove the file editor from the WordPress dashboard.

Restrict Admin Access

Limiting admin access can help prevent unauthorized access. You can restrict admin access by IP address or use plugins to control access times.

For example, the WP IP Ban plugin restricts access to specific IP addresses. This prevents hackers from accessing your site from unknown locations.

Set File Permissions

Properly configuring file permissions prevents unauthorized access to your site. You can set file permissions using an FTP client or a file manager.

For example, set the permissions for your wp-config.php file to 644 to prevent unauthorized access. You can also set permissions for your theme and plugin files to prevent unauthorized changes.

Setting	Description
Disable File Editing	Prevents Administrators from editing theme and plugin files directly from the WordPress dashboard.
Restrict Admin Access	Limits admin access by IP address or access times using plugins like WP IP Ban.
Set File Permissions	Configures file permissions using an FTP client or file manager to prevent unauthorized access and changes.

Step 8: Monitor and Audit

Keeping an eye on your WordPress site and regularly checking for security issues is crucial to prevent future hacks. By monitoring your site and conducting audits, you can spot potential threats, find vulnerabilities, and take action before an attack happens.

Use Monitoring Tools

Use a monitoring tool to track various security aspects of your site, such as:

• User activity (logins, logouts, etc.)
• File changes (new files added, existing files modified)
• Potentially malicious activities like unauthorized file uploads or database changes

Some popular monitoring tools for WordPress include:

Tool	Description
WP Security Audit Log	Logs user activities and sends notifications for suspicious events.
Activity Monitor for WordPress	Monitors user activities and file changes.
Wordfence Security	Provides detailed logs and notifications for security events.

Conduct Regular Audits

In addition to monitoring, regularly review your site’s security by conducting audits. During an audit, check for:

• Vulnerabilities or misconfigurations
• User accounts and permissions
• Security of plugins, themes, and third-party components
• Effectiveness of existing security measures
• Signs of potential compromise (unauthorized accounts, unusual activities, performance issues)

Log Activities and Set Alerts

Log various activities on your site, such as user logins, content changes, and plugin/theme updates. Set up alerts to notify you of potential security issues. Many monitoring tools and plugins offer logging and alert features.

Step 9: Educate Users

Train Users on Security

1. Recognize Phishing Attempts

Teach users how to identify suspicious emails, messages, or links that could be used to gain unauthorized access. Provide examples of common phishing tactics and red flags to watch for.

2. Secure Login Practices

Train users on creating strong passwords and enabling two-factor authentication. Explain the importance of these measures in preventing unauthorized access.

Implement Security Policies

1. Password Management

Establish clear guidelines for creating strong passwords, such as minimum length, character requirements, and regular password changes.

2. Software Updates

Outline procedures for keeping software up-to-date, including plugins, themes, and WordPress core files. Explain the importance of updates in addressing security vulnerabilities.

3. Data Handling

Provide policies on handling sensitive data, such as customer information or financial records. Specify proper storage, access, and disposal methods.

Review and Update Practices

Action	Description
Review Existing Practices	Periodically evaluate current security protocols for effectiveness.
Address New Threats	Update procedures to address emerging security threats or vulnerabilities.
Train Users	Inform users of any changes to security protocols and provide training on new procedures.

Step 10: Prepare for Future Security Incidents

Maintain Regular Backups

Backing up your site regularly is crucial to quickly restore it if another hack occurs. Set up automated backups to run daily or weekly, ensuring your site’s data is always up-to-date. Test your backups periodically to ensure they are complete and can be successfully restored.

Why Backups Matter

• Prevent data loss from hacks or site crashes
• Ensure business continuity and minimize downtime
• Provide a safety net in case of a security breach

Create an Incident Response Plan

Having a detailed plan can help you respond quickly and effectively to another hack. This plan should include:

• Key contacts and their roles
• Steps to take in case of a breach (containment, eradication, recovery, post-incident activities)
• Communication strategy for informing users and stakeholders
• Procedures for reporting incidents to authorities

Stay Updated on Security

Follow reputable sources, such as the WordPress security team and security experts, to stay informed on the latest security news and best practices.

Why Staying Updated Matters

• Stay ahead of potential threats and vulnerabilities
• Learn from others’ experiences and adapt to new security challenges
• Improve your site’s security and reduce the risk of hacks

Action	Description
Regular Backups	Set up automated daily or weekly backups to ensure up-to-date data. Test backups periodically.
Incident Response Plan	Create a plan with key contacts, breach response steps, communication strategy, and reporting procedures.
Stay Updated	Follow reputable sources for the latest security news and best practices to stay ahead of threats.

Conclusion

Summary of Recovery Steps

This article covered the 10 key steps to recover your WordPress site after a hack:

1. Identify the hack by looking for signs like new admin accounts, traffic spikes, modified content, Google warnings, and unexpected redirects. Use security plugins or manual inspection to confirm the breach.
2. Take immediate action by putting your site in maintenance mode, changing all passwords, and contacting your hosting provider.
3. Back up your site and restore from a clean backup if available. Verify the backup’s integrity after restoration.
4. Clean hacked files by scanning for malware, removing malicious code, and replacing core WordPress files with clean copies.
5. Remove unsafe plugins and themes, update remaining ones to the latest versions, and check for compatibility issues.
6. Strengthen security by enforcing strong passwords, enabling two-factor authentication, and installing a web application firewall.
7. Harden your WordPress site by disabling file editing, restricting admin access, and setting proper file permissions.
8. Monitor your site and conduct regular security audits to detect potential threats.
9. Educate users on security best practices, implement security policies, and review procedures regularly.
10. Prepare for future incidents by maintaining regular backups, creating an incident response plan, and staying updated on security news.

Importance of Ongoing Security

WordPress security requires constant vigilance. Hackers continually evolve their tactics, so it’s crucial to keep your site’s software, themes, and plugins updated, use strong passwords, and monitor activity regularly. Prioritizing security protects your site, users, and business from the consequences of a hack.

Additional Resources

For further WordPress security guidance, check out these resources:

• WordPress Security Team: https://wordpress.org/about/security/
• Wordfence: https://www.wordfence.com/
• Sucuri: https://sucuri.net/

Related posts

• WordPress Development Best Practices for Secure Sites
• How to Improve WordPress Website Security with Simple Steps
• What to do when WordPress website is hacked
• WordPress Malware Removal: 9-Step Guide [2024]