What to do if Your Wordpress Website Got Hacked (Step-by-Step)
Being hacked is no fun. However, if you have a Wordpress website or blog, you should be prepared for it. As a very popular open-source content management system, Wordpress very often becomes a target of hackers, especially the ones who enjoy injecting malicious code into Wordpress core files.
One of our client’s accounts with multiple Wordpress blogs and website was recently hacked (full disclosure: we were not managing the account at the moment nor did we do any work for them lately). Their cheap shared hosting company pretty much told them to take a hike when they asked to for a full database restore. Instead of their usual website content, visitors were presented with the following error message on the otherwise blank page: Syntax error, unexpected T_ENCAPSED_AND_WHITESPACE. A few sites displayed the following error message: Parse error: syntax error, unexpected ’,’ in /home/
In addition, the websites that got hacked first had a suspicious user with “ “ for its username. This is actually one of the strongest indications that your Wordpress website has been hacked and some malicious code was injected by a rogue user with admin permissions.
We also noticed that functions.php and rss-feed.php files were injected with some malicious code, which also managed to delete a large part of the “good” code. Therefore, simply getting rid of the injected code wouldn’t have helped. We had to go for a database restore and fresh Wordpress core install.
Luckily, our team managed to restore every single website and the whole ordeal prompted me to write this blog post hoping this can help other hacking victims.
How do hackers gain access to your Wordpress website?
Cheap shared hosting tends to exacerbate the problem, opening even more doors to small-time hackers. Especially at risk are add-on domains on a shared hosting account, such as offered by hosting companies like InMotion Hosting. Yes, you’re saving money by having one main website and then 10-20 websites hosted as add-ons, but if one of your add-on domains gets hacked, the rest of them become almost guaranteed victims as well.
Without getting too technical, let’s just say that hackers usually gain control of your Wordpress website in one of the following ways:
1) by exploiting vulnerabilities in outdated Wordpress versions;
2) by exploiting vulnerabilities in outdated themes;
3) by exploiting vulnerabilities in outdated plugins;
4) by gaining access to the core files of multiple websites at once hosted under one account as add-on domains;
5) by exploiting vulnerabilities of your shared server.
Steps you can take to prevent your Wordpress website from being hacked
1) Regularly update your Wordpress and your plugins.
It goes without saying that keeping your Wordpress version up to date is very important, as well as regularly updating your plugins. If you notice that the creators of a plugin have not made a single update in the past 6 months or more, consider finding an alternative plugin and then deactivating and deleting the original one.
2) Delete abandoned plugins immediately.
If you get an explicit notice that the plugin is no longer being updated and its creators have abandoned it, find an alternative and delete the original plugin immediately. An abandoned plugin is a disaster waiting to happen!
3) Install a plugin that firewalls your Wordpress website, locks .htaccess file, and provides security monitoring, such as Bulletproof Security (it’s free). However, keep in mind that these tools are helpful, but not necessarily “bulletproof.” I personally had a website destroyed even though it had BulletProof plugin installed (the website was on a shared server). When it comes to recovery, it also became clear that the plugin did attempt making copies of databases, but they turned out to be empty…
4) Install plugins that scan your website and let you know if it’s infected, such as Wordfence. Once again, it’s a great plugin, but it’s not always 100% effective. In addition, Wordfence is the most useful when your website is already infected, not necessarily as a preventive tool. Finally, I do not recommend Wordfence if you use Optimize Press or other CMS that provides deep PayPal integration as similar plugins usually block IPN (Instant Payment Notification) calls and tend to interfere with PayPal in other ways.
5) Backup your websites often. There are numerous plugins that provide easy and reliable backup service. My favorite one is Duplicator because it also allows cloning of your website and makes porting it to a different domain/hosting account a quick an easy process (provided the website is not infected/hacked already).
6) Use managed Wordpress hosting or Virtual Private Server (VPS) as opposed to shared hosting. Personally, I love Hostek’s VPS and have recently migrated all my Wordpress websites there. Yes, it takes some technical knowledge to set up and maintain a VPS, but you get a lot of features to play with, you get nightly backups, tons of documentation and a friendly customer service.
Choose your hosting company wisely
Shared hosting is not the best option, period, but some shared hosting companies are better than others. Avoid companies that don’t offer daily backups and be very careful when it comes to small print and limitations. More and more hosting companies have limits on account sizes. For instance, if your account (all your websites together) grows past 10GB, many hosting companies stop providing daily backups or any backups whatsoever without further notice. So you may not even know that backups are not being performed.
All in all, many shared servers can be compared to an overcrowded, filthy hostel. You may come in with just a common cold, but you may leave with a full-blown pneumonia and a venereal disease.
Imagine that your hosting account with 10 websites hosted as add-on domains got hacked. You contact your hosting company and they are able to find a backup from 5 days ago. It’s not ideal, but they restore the website from the backup, you spend a day or so patching things up on your end, and everything is back to normal.
Unfortunately, you missed a piece of malicious code in one of the websites and in 3 days it came back with the vengeance. All your websites are down again. You contact your hosting company and request your accounts to be restored from the latest backup again. It turns out that your account just surpassed 10GB and you no longer get free backups. Your latest backup from when your account was still eligible for backups is no longer there because they only keep backups for 5 days.
There are other possible variations of a potential disaster. For instance, your account size is fine, but your hosting company only provides one data restoration per year; or your hosting company keeps all the backups on the same server (rare and very bad practice, but still happens, especially with companies that offer suspiciously cheap hosting) and, therefore, the backups have also been hacked and damaged.
My Wordpress website was hacked. Now what?
If you have recent backups, there are plenty of services and tips on how to go about restoring your website. Being hacked is no fun, but you can breathe easier if you have backups securely stored and ready to be deployed. Here’s a good post that covers a lot of different aspects of Wordpress hacking and recovery.
However, if you got hacked and you have no backups, usually there’s a way get access to your databases, download the content, do a fresh Wordpress install and fully restore your website.
Below I will provide a step-by-step action plan. It does require some technical knowledge, concentration, and diligence. If you don’t feel like doing all of this yourself, you can email me at vladas[at]inclout.com, provide a link to your website and a brief description of what you think had happened. I will assess your situation and get back to you with my recommendations. Again, this is not a guaranteed service, but we do like helping out fellow internet marketers and bloggers. Usually we charge anywhere from $100 to $300 per restoration. In most cases, we are able to bring your precious web asset completely unscathed.
Step-by-step guide to recover your hacked Wordpress website
Anyway, here are the step-by-step solution to a blank screen or error messages similar to these: “Syntax error, unexpected T_ENCAPSED_AND_WHITESPACE” or “Parse error: syntax error, unexpected ’,’ in /home/”
- Backup the website, uploads and the database.Yes, your website got hacked, but it still has valuable information, including posts, pages and pictures. Download it all to your local machine or—even better— an external hard drive.
- Order a new hosting account with a different hosting company.If your website is currently on a shared hosting account, make a wise decision and go for a managed WP hosting or a VPS. Do not go through all the troubles restoring your website only to have it hacked again.
- Download a fresh copy of Wordpress and install it in your new hosting account.If you have multiple domains, you will need to install a fresh copy for each website. Before ordering your new hosting account, make sure your cPanel has Softaculous or a similar commercial script library that automates the installation of commercial and open source web applications to a website. This will make your life easier, as you can install a fresh Wordpress copy with just one click.
- Install your theme (again, for each website).
- Install your plugins.If your website was hacked and you can’t login into your WP admin, connect to the old website via FTP, go to your old theme>content>plugins, but DO NOT copy plugins from there. Do this only to look up what kind of plugins you used to have if you can’t remember. Write the names down, then go back to the new hosting and install the plugins.
- Connect your old database to the new install and copy all your content files from the old hosting to the new one by following these steps:
- a) Create a new database and database user.
b) Restore/Import the exported database sSQL file to the newly created database.
c) Copy (not move) over the files from your live site to your new hosting.
d) Edit thewp-config.php, replaceDB_NAME, DB_USER, DB_PASSWORD (maybe also your Authentication Unique Keys). Then save the file.
- Change your admin password.If your old user name was “admin”, create a new user with a less vulnerable username, a different password, and then log in as the new user and delete the old one. Look for any suspicious users, especially the ones with “ “ as a username and delete them.
- Run Wordfence or a similar scanning plugin to see if it can pick up any infected files or malicious code.
- Check every single page and post and repair any damage (broken links, missing pictures, missing plugins).
- Backup your site or sites and store the copies on your local machine and/or Dropbox/Google Drive.Even if your new hosting company provides daily backups, at this point, you MUST make copies of restored websites, just in case.
Hopefully, this will make your unfortunate situation less miserable. And, remember, as much as I recommend Wordpress for smaller projects, testing new ideas or to clients who have a very limited budget, you cannot beat custom developed websites when it comes to stability and security. Custom web design and development is our specialty. Feel free to contact us and let’s see if you’re ready for a custom website or check out this amazing resource (updated for 2018!) if you’re ready to dive deeper into the world of Wordpress security.