How do you recover a WordPress website that has already been hacked?

This is what we will talk about now. In the following article we will look into how to spot whether your WordPress website has been compromised and how to recover from a successful hack. When it comes to getting your site hacked, it’s important to keep in mind that this is not a WordPress-specific issue. Basically anything that is connected to the Internet can potentially be hacked.  There are things you can do to prevent it, but it might still happen.

What are the signs of a hacked website? Here are a few:

  • Security plugin sends you a warning — If you are using one of the many security plugins out there, chances are good that you will get an email warning the moment your site gets compromised. As far as hacks go, this is the optimal scenario as it enables you to react immediately.
  • Unable to log into your admin panel — One of the most common security breaches is someone stealing your login information (or obtaining it via brute force). In that case, they might hijack your administrator account so that you can no longer access your own site and you will have to take special measures to get back into it.
  • WordPress site redirects to other website — A common way hackers use hijacked websites is by redirecting visitors to porn sites or other non-desirable web entities. If you notice this or a visitor emails you about it, you can be sure that someone got unauthorized access to your server.
  • Site displays strange links — A more subtle variant of moving visitors to other websites is to place spammy links on the hacked site. For that reason, it makes sense to check your site regularly and see if everything is as you remember it.
  • Google marks site as insecure — Google will sometimes mark hacked sites as insecure in the search results (if it doesn’t remove them from the results page altogether). In addition to that, Google Search Console will also likely alert you under Security Issues.
  • Warning from your browser — Chrome and other browsers warn users when they detect phishing attacks, malware, cross-referencing or other bad stuff on a website they are trying to access. If you or someone else gets a warning for your site, you will have some work to do.
  • Web host takes your site offline — Sometimes web hosts will get messages from users about hacked websites they host or have an automatic system in place to detect this. In many cases, this will lead to them taking your site offline (or even deleting it), something you should notice quite quickly. A good host will also let you know about the problem.
  • Security scan shows problems — Often infections are well hidden and not easily detectable. For that reason, proactive website owners do well to run a malware scan every now and then. Sucuri Site Check is a good option. This way, you will learn about compromises and can address them.
  • Sudden traffic spikes — Hackers sometimes use hacked websites as clean fronts for their own malware-riddled and flagged sites. To avoid spam detection, they will link to your domain and then redirect visitors to another site. If you see some unexplained traffic spikes, consider running a malware scan.

While the list above isn’t an exhaustive one, it does cover a good number of ways to spot whether your site has been hacked or not. If in doubt, run a security check.

So, You Had Your WordPress Website Hacked – What to Do Now?

Make a Backup of What You Have Left

While it seems counterintuitive to make a backup of a hacked site, it’s important to keep in mind that it contains a lot more than just the (corrupted) system files.

As mentioned, some hosting providers will automatically delete websites from their servers that have been compromised. Since images and other media are hard to replace once they are gone, it’s a good idea to keep a copy around in case you need to rebuild the site later.

For that reason, as a first step, try to salvage what you can. There are plenty of backup solutions for WordPress out there and you can also back up WordPress manually. Do this but be sure to mark it clearly as a hacked backup.

Scan Your Local Machine

In many cases, the hack can actually start on your computer. If a hacker has compromised your system, it’s entirely possible for them to extend their reach to the websites you frequently log into (e.g. via a keylogger).

For that reason, install and run a full virus/malware scan on your local machine and make sure your OS is up to date. This way, you can make sure the problem didn’t come from your computer and reduce the risk of being reinfected after cleaning up the mess.

Hire Mindful SEO to secure your site

Website security is a serious matter. If you are not comfortable dealing with code, servers and other technical stuff, you might be better off hiring someone else to do it.

Hackers are also a sly bunch and sometimes hide things in several places to be able to reestablish the hack after your cleanup. For that reason, paying a professional to take care of your site can be the best option and will often save you time.

Of course, for people who like to do things themselves, we also have plenty of material below. Just keep in mind that having someone else deal with the mess can also be an option.

Talk to Your Hosting Company

Your first point of contact in this kind of situation should always be your hosting company. Good quality providers are prepared for these emergencies and can offer assistance. They also have staff at hand who know their way around the hosting environment and might be able to fix things for you.

Also, your host will be interested in hearing about this as a hack can affect more than one site. Especially in shared hosting environments, if someone got unauthorized access to the server, they might have compromised more websites on the same machine.

At the least, talking to your host might give you additional information on how to fix the situation.

Restore from Backup

If you regularly back up your site (which you know you should), recovering from a hack might be as simple as restoring to an earlier version.

The problem here is, of course, that this might cause you to lose content that you created and published since the backup. In that case, you need to weigh the pros and cons. If you stand to lose a lot, it might be better to try and remove the hack manually. So, let’s talk about this now.

How to Recover a Hacked WordPress Site if You Still Have Access to the Backend

So, your site got hacked but you can still access the WordPress dashboard? In that case, addressing the problem is not too complicated.

Change Your Password

If you suspect or know that your site has been hacked, the first thing to do is to change your password. That way, it will keep anyone who has illegally obtained your login information from logging in again.

This isn’t foolproof (in fact, we will ask you to change your password once more further below) but an important first step. So, do it now, I’ll wait.

And while you are at it, force all other users with admin rights to change their passwords as well. The Expire Passwords plugin can do this for you. Alternatively, you can also simply change their passwords manually inside the Users menu and then email the new passwords to them.

Scan for Malware

Next up we want to find out where exactly the compromised files are on our site. A good first step to eliminate hiding places is to delete any inactive themes and plugins. This is often where hackers hide their backdoors (programs that allow them to access your site or server without normal authentication).

After that, it’s time to scan the entire site. You can use the Sucuri Malware Scanner plugin for that. Once installed, it will scan all your WordPress core files for integrity and can also tell whether your site has been blacklisted for sending spam or some other reason.

If you don’t want to use a plugin, below we also have a list of external scanners to use for this purpose. Also, as mentioned, Google Search Console might have some input on where to find the compromised files.

Replace Compromised Files with Originals

If malicious code is found in any of the files on your site, a simple fix is to delete and replace them with their original (unhacked) versions.

For example, you can replace WordPress core files with a fresh install without breaking your site. As long as the wp-content folder stays intact, everything should be able to go back to normal. In fact, the simplest way to do that is to just go and re-install WordPress from inside the dashboard.

The same goes for theme and plugin files (though you might lose theme customizations if you have made any and are not using a child theme). Of course, if there are files that have simply been added, you need to delete those.
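
The comparison behind "replace modified files, delete added ones" can be done by hashing the live install against a fresh download of the same release. The following is an added example, not part of the original article; `compare_install`, `SITE_SPECIFIC` and the small sample tree are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Paths that legitimately differ per site when comparing against a core download.
SITE_SPECIFIC = ("wp-config.php", "wp-content/")


def index_tree(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_install(live: Path, pristine: Path, ignore=SITE_SPECIFIC) -> dict:
    """Classify files in `live` against a fresh copy of the same release."""
    live_idx, good_idx = index_tree(live), index_tree(pristine)
    keep = lambda rel: not rel.startswith(tuple(ignore))
    return {
        # Same path, different content: replace with the original.
        "modified": sorted(r for r in live_idx if keep(r) and r in good_idx
                           and live_idx[r] != good_idx[r]),
        # Not shipped with the release: review, then delete.
        "added": sorted(r for r in live_idx if keep(r) and r not in good_idx),
        "missing": sorted(r for r in good_idx if keep(r) and r not in live_idx),
    }


def demo() -> dict:
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        live, pristine = Path(tmp, "live"), Path(tmp, "pristine")
        files = {"index.php": "<?php // front controller\n",
                 "wp-login.php": "<?php // login\n",
                 "wp-includes/version.php": "<?php $wp_version = 'X.Y';\n"}
        for root in (live, pristine):
            for rel, body in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(body)
        # Constructed differences in the live tree:
        (live / "wp-includes/version.php").write_text("<?php // altered copy\n")
        (live / "wp-includes/class-cache.php").write_text("<?php // not in the release\n")
        (live / "wp-login.php").unlink()
        (live / "wp-config.php").write_text("<?php // site settings\n")  # ignored
        (live / "wp-content/uploads").mkdir(parents=True)
        (live / "wp-content/uploads/logo.png").write_bytes(b"\x89PNG")   # ignored
        return compare_install(live, pristine)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

To check a single plugin or theme folder against its fresh download, pass `ignore=()` so nothing is skipped.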

Check User Permissions

WordPress user roles exist to control what anyone can do on your site after login. Administrator rights should only be given to your own user and people you explicitly trust.

For that reason, after a hack, it’s a good idea to have a look around the Users menu to see if there is anything suspicious, like an administrator user you don’t recognize.

Change SALTs (Secret Keys)

We already mentioned SALTs in our article on how WordPress websites get hacked. These are secret keys which help encrypt important information inside cookies.

If someone accessed your website after having stolen your password, they might still be logged into it. You can change this by generating new SALTs and replacing the ones present in your wp-config.php file.

Note that this happens on your server, so you will need FTP access or some other way to get into it.
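
Replacing the eight key and salt constants in wp-config.php, which logs out every existing session, can be scripted as below. This is an added example, not part of the original article; `rotate_salts` and the `SAMPLE` config text are constructed for illustration, and values are generated locally instead of fetched from an online generator.

```python
import re
import secrets
import string
import sys

KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
        "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Letters, digits and punctuation minus quotes and backslash: no PHP escaping needed.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\"\\")
# Matches define( 'NAME', 'value' ); with either quote style.
DEFINE = re.compile(r"""define\(\s*(['"])(?P<name>\w+)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)\s*;""")


def rotate_salts(config_text: str) -> tuple:
    """Return (new_text, new_values); only the eight key/salt defines are rewritten."""
    new_values = {}

    def swap(match):
        name = match["name"]
        if name not in KEYS:
            return match.group(0)          # DB settings etc. stay untouched
        new_values[name] = "".join(secrets.choice(ALPHABET) for _ in range(64))
        return "define( '%s', '%s' );" % (name, new_values[name])

    new_text = DEFINE.sub(swap, config_text)
    missing = [k for k in KEYS if k not in new_values]
    if missing:                            # refuse a half-rotated config
        raise ValueError("defines not found: " + ", ".join(missing))
    return new_text, new_values


# Constructed sample standing in for a real wp-config.php.
SAMPLE = "<?php\ndefine( 'DB_NAME', 'example_db' );\n" + "".join(
    "define('%s', 'old-secret-%d');\n" % (k, i) for i, k in enumerate(KEYS))

if __name__ == "__main__":
    # With a path argument, rewrite that file in place (keep a copy first);
    # without one, show the rotation on the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text, _ = rotate_salts(fh.read())
        with open(sys.argv[1], "w", encoding="utf-8") as fh:
            fh.write(text)
    else:
        print(rotate_salts(SAMPLE)[0])
```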

Change Your Password Once More

Yes, we know you already changed your password in the beginning. However, now it’s time to do it all over again, including everything else that is important:

  • Hosting admin backend credentials
  • FTP login
  • MySQL database password
  • Admin email address

Only then can you be sure that you have plugged the security leak for the future.

Harden Your Security

The final step for dealing with a hacked WordPress website is to make sure it doesn’t happen again. That means upping your security measures. Here are a few good places to get started:

  • How WordPress Websites Get Hacked (And What to Do About It)
  • Hardening WordPress
  • WordPress Security: The Ultimate Guide

Seriously, do it now. It’s the only way to keep stuff like this from happening again. While there is no absolute guarantee, it does make the worst case scenario a lot less likely.

Rebuild Your Site

After you have taken care of the hack and secured your site for the future, you might still have to roll back some things that got lost during recovery. We are talking about blog posts, theme customizations and other things that might have vanished due to the hack.

If you have them saved somewhere (such as on a local WordPress installation), you are golden. In that case, all you need to do is re-implement them. If not, it might take you a while to get your site back to what it was before the hack.

A hint for lost blog posts: check if you can find them in your RSS reader. If you have subscribed to your own feed, the posts might still be there so you can at least get those back quickly.

Site Recovery With No Access to the WordPress Dashboard

Things change a little if you discover you have been hacked but can no longer get into the WordPress backend.

Reset the Administrator Password via phpMyAdmin
