Limited time offer Get 30% OFF, Discount code: SAVE30
818-966-0495 Order Now
24 Jan

My WordPress Blog Hacked now what to do?

March 31, 2014

WordPress is the most open-source Content Management System till yet. From its inception in February 2003 to February 2011, it has been downloaded more than 32.5 million times. WordPress powers 14.7% of the top-notch one million Websites on Internet. Almost 22 out of every new 100 active domains run on WordPress. In nutshell, whether one is highly technical or newbie in technical field still they prefer to use the easiest CMS – WordPress. Now a horrible problem often comes to our doorsteps, i.e. our WordPress Website often got hacked. In this write up, we will discuss why WordPress Websites got hacked and what we do to recover it back.

Why only WordPress Sites got hacked?

It is not so that only WordPress sites got hacked. The problem is not with the WordPress rather the mess is with its open-source nature. Being open-source, its source code is available to all. Anyone can download it and use it for their genuine or hacking modifications. The same problem is with other popular open-source CMSs like Drupal and Joomla.

Why only my Website?

There is a set of default options while installing WordPress and setting up cPanel, which are known to the WordPress hackers and experienced developers. These settings include default username for WordPress Login – admin and default table prefix – wp_.

In addition, most of the times we generate the passwords through automatic tools like we generate Authentication (Security) Keys for wp-config.php in WordPress Multisite through http://api.wordpress.org/secret-key/1.1/. This situation rose again when you generate the password through Password Generator in cPanel while creating a database, database user, email account or any other thing.

If you are using default settings as-it-is and/or using Password Generator Tools then your WordPress Website is more prone to be hacked. Also, declaring or showing that your Website is powered with WordPress also makes your site insecure. In any case, you should not disclose that your Website is using any open-source CMS like WordPress.

Sometimes hacker target one specific Website rising above in the market and enters into its system as an intruder. Hackers also create the malware, viruses, SQL Injections and other malicious items. When you visit an unsecure URL then associated injections or malware, on it, downloads automatically to your computer. Afterwards, these malware spreads into your computer and get transferred to the Website through FTP client when you’re using it to access the Website File System.

NOTE: As a scope of this article, we may not discuss how to prevent your WordPress Website from hack and what precautionary steps to take after recovering the Website. We’ll discuss these things in a separate article.

How to know that your Website is hacked?

Following are the few symptoms to know that your Website has been hacked:

  1. When you open your Website then it shows a horrible image saying ‘Your Website has been hacked’ or ‘Welcome to XXX Hacking Group’. You may or may not be able to see your Website entirely or partly.
  2. The search engines likes Google and Bing may consider your Website as hacked and mail to you regarding the same. When someone visits your Website in Google Chrome or the browsers with McAfee Site Advisor, it gives warning, “This site may harm your computer”. Google sends the malware phishing and hacking detection emails at following email addresses of your Website:
    • abuse@
    • admin@
    • administrator@
    • contact@
    • info@
    • postmaster@
    • support@
    • webmaster@
  3. When you or other visitors visit the Websites they’ll be redirected to other unknown URLs.
  4. Visitors or you get viruses/malware in computers while browsing a hacked Website.
  5. The Websites’ traffic either decreases or increases instantly.
  6. Suddenly, Website and its pages will have the unidentified code, which you’ve not inserted into it.
  7. You’ll detect few files like new index.html or any other file in your WordPress installation. Most of the people got modified index.html uploaded at their file system mostly in public_html.

What to do now when my WordPress-Website got hacked?

It is not the time to become restless or hyper active. Yes, I know your Website have a higher PageRank and getting high amount of visitors’ traffic. Still you should relax a minute and create a plan how you can recover your Website back. If you are a non-technical person and could not understand the geeky WordPress then straightaway contact your Website host. If you are technical, know WordPress and its working then you can perform following steps:

  1. First of all, try to access your Website through every mean such as FTP and cPanel. Check whether you are able to upload the files or not. If you’re not able to access FTP or cPanel then contact your Web Hosting Provider to get change their passwords and access your Website.
  2. Contact your Website Hosting Provider and raise a support ticket with them to check & remove all the infected/hacked code from your Website.
  3. After accessing your cPanel, you should change the password of cPanel and FTP on the very first instance. Make sure to have a combination of lower case alphabets, upper case alphabets, numbers, punctuations and special characters. You should avoid the automatic Password Generator of cPanel or any other mean. Make a strong it yourself and save it a safe place.
  4. Logout from cPanel and then login again.
  5. Access your all email accounts and change their passwords as suggested above.
  6. Visit MySQL Databases and change the database username and apply a strong password to it.
  7. Assign the newly assigned user to the database and grant it full permission.
  8. Now, it is the time to secure and reset your computer. Scan your computer with a trusted Antivirus and an AntiSpyware.
    1. You can rely upon McAfee, Symantec, Norton, Avira, FSecure, Panda, KasperSky, AVG and other popular brands. I advise you to also use Microsoft Security Essentials, if you are using Windows.
    2. Now, download an Antispyware like Windows Defender, Malwarebytes, SuperAntiSpyware and scan your computer with it.
    3. Run the OS Updates to have latest security patches. You can run Windows Updates to update Microsoft Windows.
    4. Clear the temporary files of your operating system.
    5. Clear the Browsing History, Downloading History, Auto-form cache etc. from your browser.
    6. Delete the saved profile from your FTP Client.
  9. Configure the Website in the FTP Client but do not save the password. In Core FTP, you’ve to check the option ‘Do not save my password’. Connect with your Website.
  10. Download the wp-config.php from public_html folder to safe location. Open it and perform below steps,
    1. Check whether it has all the default settings which you’ve created at the time of installation.
    2. Replace the fields of Database username and password with the new values, you’ve created.
    3. Note down the database name, username and password at safe place.
  11. Check the files carefully and trace the newly modified or unidentified files. You can look for such files in the root folders of your Website File System such as public_ftp, public_html, temp and other folders. If you’re not using the modified HTML file for your WordPress then check whether public_html folder have index.html or not. Detect these unidentified files and remove them instantly.
  12. Now, it is the time to browse your WordPress Theme files and check them for suspicious code. You can download the current theme from public_html/wp-content/themes folder and open the PHP files in a PHP editor like notepad or notepad++. If you do not know how to identify the culprit code then follow below steps.
    1. Download the default theme from the theme providers’ Website.
    2. Download WinMerge from http://winmerge.org/ and install it. WinMerge helps us to compare the PHP, HTML and other files. Read the documentation at http://manual.winmerge.org/ in order to know how to use WinMerge to compare files.
    3. Open the folder where you’ve downloaded the files from hacked Website.
    4. Right click a file, let us say, header.php and then compare it with the similar file (header.php in our case) stored in the folder where you’ve downloaded the default theme.
    5. Check for each line and compare both of the codes. If you detect any unidentified code lines then remove it immediately. Please do not delete the code which you’ve added to integrate any social plugin or search engine verification or for any other purpose.
    6. Save the corrected theme at a safe place named ‘SAFE THEME’.
  13. After Steps 7 and 8, check your Website is opening up or showing some problem. You must check whether all the pages & posts of your Website are opening up correctly or not.
  14. Check whether you’re able to login at http://yourwebsite.com/wp-login.php for single WordPress Website Setup or http://yourwebsite.com/wp-admin/network for WordPress Multisite.
  15. Login to the cpanel at http://yourWebsite.com/cPanel, visit phpMyAdmin and browse wp_users table in the used database. If you’re using any other table prefix like tb_ then check tb_users table. Note down the usernames, passwords, and email addresses provided in this table. If these fields do not have your provided entries then click on Edit and change the values as per requirement. Try to change the password as well.
  16. After this, check whether you’re able WordPress Login page or not. If not then click on Forgot Password and you’ll get an email at the provided email address in wp_users.
  17. Now, login at the WordPress Dashboard and check which version of WordPress you have. If you do not have the latest version of WordPress then it is the right time to upgrade the WordPress Installation right now. Make sure to follow the WordPress Upgrade guidelines at http://codex.wordpress.org/Updating_WordPress. At the time of writing this post, the latest WordPress version is 3.2.1 and if you’re at WordPress 3.2 then you can update it from the WordPress Dashboard straightaway.
  18. Now, check each section of your WordPress Dashboard like Posts, Pages, Widgets, Profile, Settings, Appearance, Plugins etc. Try to add new plugin, theme, post, page, widget, and user. Check whether you are getting any problem or not.
  19. If you’ve a backup of your Website then restore it immediately after removing the infected code at Website File System. If you do not have a backup then continue with below-mentioned steps.
  20. If you face any problem in the Dashboard or at the Website, then it is the time to replace the default WordPress files. You can download the latest version of WordPress from http://www.wordpress.org at your computer.
  21. Use FTP to upload the WordPress installation files to the location where you’ve installed WordPress. Make sure not to delete following files/folders else you’ll lose content of your Website:
    1. Folders, which were at your Website file system in the first place like (stats, etc.)
    2. wp-content
    3. favicon.ico
    4. wp-config.php
    5. any html file for Search Engine Verification like Google Webmaster, Yahoo Search Verification, Norton SafeWeb file or McAfee Site Advisor HTML file.

NOTE: Make sure not to erase above files and delete other files.

  1. Activate a WordPress default theme like Twenty Eleven or Twenty Ten.
  2. Now, browser the Website and its all pages in the browser. Check whether they work file or still have any problem.
  3. Upload the fresh copy of your selected theme, activate it and then check whether it works fine or not.
  4. Now, remove the old theme present at the time of hacking and upload the corrected theme from ‘SAFE THEME’ location of Step 11.
  5. Activate the corrected theme and check its working.
  6. If corrected theme does not work then either switch to WordPress default theme (TwentyEleven/Twenty Ten) or fresh copy of your selected theme. You can also consider using any other theme from WordPress Theme repository.
  7. Disable all the plugins from Dashboard and then install them again.
  8. Check the plugins not in use and remove them out.
  9. Check the working of your Website. If you still face any problem then you can consider the fresh installation of WordPress at your server. Make sure to backup the posts, pages, database, and images used in your Website.
  10. If you still have any problem then it is the time to take help of experts to recover your Website.

Conclusion

We invite our readers to improve this article with their valuable comments, suggestions and feedback. You can also tell other readers about any hacking experience at your Website or doorstep.