You are currently viewing How to recover and get a hacked WordPress website back online

How to recover and get a hacked WordPress website back online

A hacked website is every webmaster’s nightmare. Whether you’re running a popular blog, a large e-commerce portal or a business website, a website hack is the worst possible thing that can happen to your website. Hackers can deface your website, use it to hack other websites, add malicious code, create backdoors or even run it as a spam server.

Website hacking—an everyday menace

You’re not alone—website hacking is a growing global menace that keeps hosting providers, web admins and IT teams on their toes. To put this into perspective, more than 30,000 websites are targeted by hackers every day. 64% of companies globally have experienced at least one hacking attempt in their lifetime. Hacked websites lead to lost revenue, tarnished brand reputations and even loss of ownership of websites and domains.

Protecting your website from hackers

It is vital to ensure that you every possible step to protect your website from hackers. Our security team has written an excellent blog on how you can secure your WordPress-driven website from hackers and other malicious entities. Using simple techniques such as SSL certificates, keeping your website software updated, securing and changing usernames and passwords frequently and using a web firewall can go a long way in keeping hackers at bay.

Why are websites hacked? How easy is it to detect a hack?

Website security breaches and hacks are often very hard to detect. A 2020 report by IBM stated that it took nearly a year (280 days) on average to identify that a breach had occurred. Additionally, a report from Accenture noted that the frequency of attacks has gone up by nearly 67% in the last five years. Factor in data from industry experts such as Sucuri, which states that 56% of all CMS applications were outdated when hacked.

Websites hacks happen due to many reasons. The first is that while companies and individuals protect their networks, machines and operating systems with anti-virus software and firewalls, they leave their websites vulnerable to attacks. These attacks occur because poorly maintained websites are easy targets for hackers. Couple this with the 65 million-strong userbase of WordPress, and you have millions of unpatched websites ready to be exploited by hackers through old and outdated themes, plugins and WordPress versions.

Hackers do not target your website but the software that runs it. The main motive behind this is fame and money. As hackers gain control of a more significant number of websites, they can steal data from them and sell them on the dark web or show off their prowess to other hackers. Most hackers use compromised websites to distribute malware, ransomware, SEO spam, email spam servers, and phishing websites.

What can you do if your website is hacked?

The first thing you must do is stay calm. The damage is already done. It is now time to repair that damage. Here’s how you can get your hacked website back up and running.

Find out if you have been hacked

A lot of users believe that their site has been hacked when it acts up. Often, the reason for this unexplained behaviour is a plugin or a piece of code that has gone awry. Ensure that your website has been hacked before you move to the next step.

How to find out if my website has been hacked?

Unless your website is down unexpectedly or there is a significant breach, here is how you can find out if your website has been compromised:

  • You see spam advertising on your header and footer. Advertising for porn, drugs and illegal services is an excellent tell-tale sign. Although hackers inject invisible spam (text with the same colour as your website background), search engines can see this.
  • A google search for your website (ensure that you replace with your domain) shows pages or content that you do not recognize.
  • Your hosting provider reports that your website is spamming others or using unexpectedly high amounts of bandwidth to send calls to other websites or is used as a spam redirect.
  • Your users report malicious page redirects on your website.
  • Google marks your website as insecure
  • Your website redirects elsewhere

Getting your website back online

Once you are sure that your website has been hacked, it is time to fix the problem. Here’s what you can do:

  1. Stay calm – This is extremely important. A calm mind can help you get your website back online faster.
  2. Document what you think has gone wrong – Writing down all the problems you see at the outset can help your provider assist you in the best possible way. You can also start to sort out these problems yourself.
  3. Check if you can log in to the control panel or the WordPress Dashboard – If you can log in, not all is lost.
  4. Use a tool such as the Sucuri site checker to identify a possible hack or blacklisting
  5. Download activity, web server and FTP logs – This will help you find newly created users’ events, password changes, modification of WordPress core files, plugins, and themes.
  6. Remove all unknown users – Ensure that you remove all users except the one you are aware of.
  7. Change all your passwords – This includes your hosting password, WordPress password, SALT keys and all other passwords you have used on the website.
  8. Take a backup of your website immediately – Backing up your website is vital as many hosting providers might remove your website in its entirety if you report a hack or if they detect malicious activity. This is standard hosting safety procedure, so ensure that you take a complete back of your website, the database and all files.
  9. Restore your website from an existing backup – If you have an earlier backup, restore your site using that backup. Note that the hack may have been made many days before you found it, and your backup could also be infected. If you believe that your backups have also been compromised, read on.
  10. Secure your website – If you have not done so yet, secure your website using this article written by our support team.

Removing malware and other hacks

Now that you have restored your website (if you have a backup), it is time to remove the malware and malicious code from the site. Here’s how you can do that:

  1. Contact your hosting provider – If you use a third-party hosting provider such as Pack Web Hosting, this step is crucial. Your hosting provider can help you to restore your website from a clean backup. Most providers like Pack Web Hosting can help you recover a hacked website quickly. Contacting your hosting provider can also help you reduce the damage hackers can do to the site. They can take your site offline temporarily while they work on a fix. If you are hosting your site on your own, read on.
  2. Scan your PC for infections – Often, infections occur when an infected PC gets administrative access to a website through an unsuspecting website owner. Scan your PC using a suitable tool such as McAfee and Windows Security to detect any infections that began “at home”.
  3. Scan your website using a WAF tool – Tools such as WordFence, Quettera and Sucuri can help you scan your website and report what may have gone wrong. Note that if you have multiple websites on the same server, you may want to scan them all.

Note: Before proceeding further, understand that these changes can permanently damage your website if you do not know what you’re doing. Ensure that you have an expert developer deal with this, or contact your service provider.

  1. Remove old WordPress installations and irrelevant backups – Developers often rename old themes, WordPress Installations and other files as .old or create a new directory for them where these files might be located. Delete all old versions of WordPress. You may also want to remove old backups that are no longer relevant.
  2. Delete everything from wp-content/plugins, including files and directories – This will not break your website. Just remove all the plugins and reinstall them if needed.
  3. Remove all inactive themes – Removing all old and inactive themes can help you narrow down issues to one active theme.
  4. Check file integrity through SSH in WordPress
  • Login to your website via FTPS/SFTP/SSH
  • Check all your WordPress core files for modification dates in the last 15 days using the terminal. You can use the find command for this. Here’s an example:
$ find ./ -type f -mtime -15

Now review the last modified date of the files and see what has been recently modified.

  1. Look for hacker boasts – Most hackers love to boast about their exploits. They do so by adding the “hacked by” phrase to files they modify. Search for these files by navigating to the root directory of your website in the terminal and typing
grep –Ril "hacked by"

This will show a list of files that contain hacked by. Just replace these files or remove the hack as you see fit. Other common boasts and strings include:

  • base64_decode
  • is_admin
  • eval
  • gzuncompress
  • passthru
  • exec
  • shell_exec
  • assert
  • str_rot13
  • system
  • phpinfo
  • chmod
  • mkdir
  • fopen
  • fclose
  • readfile

You can run a regular expression (RegEx) inside the GREP command to find these files recursively. Note that legitimate files might have these terms too, so proceed with caution. Here’s the command:

grep -RPn "(base64_decode|is_admin|eval|gzuncompress|passthru|exec|shell_exec|assert|str_rot13|system|phpinfo|chmod|mkdir|fopen|fclose|readfile)*("
  1. Use the “Diff” method – An Old School way to find hacks is to use the diff method. Diff compares two files to see what changes have been made. To do this, download your website entirely and create a local WordPress installation with freshly downloaded themes, files and plugins. Compare these two installation directories using Beyond Compare, Diff Merge or any other free alternative. These tools can compare entire directories by showing you changed files, and you can then check the difference in each file.
  2. Remove and clean the hack after verifying the changes in the diff tool.
  3. Update WordPress core, plugins, themes and all other software, including the database.
  4. Take a backup of your cleaned website and remove all older backups after verifying it.

Keeping your website safe and final thoughts

Once done, here’s what you can do to stay safe:

  • Install activity log plugins
  • Get a backup service
  • Get a WordPress security scanning service
  • Install a Web Application Firewall
  • Keep all software updated
  • Follow our security guide to ensure your website is secure.

Website hacks are stressful. A good hosting provider such as Pack Web Hosting in most cases can help you get your website back online. Pack Web Hosting’s VPS hosting service helps you give the safety, security and peace of mind. Happy Hosting!