This article will cover steps on what to do if your WordPress site has been hacked and how to recover your site. This is a general outline of what to do. If you’ve tried these steps and still need further help, reach out to a local WordPress developer or get in touch with us for assistance .
Signs your site is at risk
- You or one of your site administrators cannot login all of a sudden.
- Your site has changed without warning.
- Your website is opening or redirecting to an unknown external URL.
- The search results for your site is returning a warning.
What To Do (Step-By-Step Guide)
Here’s a couple of steps we recommend to take, to bring your site back into working order.
1. Stay Calm
I know this is difficult, but when you’re frantic it can often lead to mistakes. I know very well that any downtime is money. Keep a level head and work on the task at hand to help restore your site as quickly as possible.
2. Put Your Site In Maintenance Mode
Putting your site in maintenance mode will help reduce user’s frustration and any more possible issues with new data coming into your site. There are a couple of ways to put your site into maintenance mode, for WordPress sites we recommend the Maintenance plugin. Once your site is under maintenance mode, you may continue to restore your site without interrupting users that may be on your site.
Remove the maintenance mode once you are confident the malware has been removed.
3. Reset Your Passwords
Resetting your password may help prevent any further damage. Often a password of an administrator will be changed, but not leaked. Giving the person access to administrative rights of your site. You may reset your password by requesting the Lost Password option on the login page of your site, and follow the steps.
4. Remove Unkown/Suspicious Users
Once you’re able to login, we normally first check the user base. If you notice any admin accounts that have ‘weird’ emails or usernames you’re not familiar with – delete these immediately. While you’re cleaning up admin accounts, you can have a look at subscribers with strange emails or usernames. If you’re familiar with website management or development you learn to notice these rather quickly.
5. Run a Malware Scan
WordPress has great security plugins to help prevent these attacks from the future. We highly recommend using WordFence to run a malware scan. WordFence scans check for malware files and may help you track down the malicious code quicker than treading through your site files to find it.
WordFence has an option to remove the malware, however if this doesn’t work you can login to your site’s cPanel or FTP to delete the malware files. (Sometimes your hosting provider may help you with removing this from your site files).
6. Update Plugins and Themes
Once the site has been stabilised, you should update your plugins and themes that are installed on your WordPress site. Often updates include security enhancements, new features and bug fixes. You may prevent this from happening in the future to keeping your site up to date.
7. Check Your Website’s PHP Version
Be sure you’re running a ‘new-ish’ version of PHP on your hosting plan. PHP updates, like plugins and themes, often include security updates/enhancements. We recommend running the newest possible PHP version that you can without interrupting functionality. At the time of this writing, we recommend PHP 7.x (version 8.0 is available, but not all plugins or themes may support this version yet. Once it is, be sure to upgrade!)
8. Last Resort, Restore From a Backup
If the above fails, reach out to your hosting provider to restore to an earlier backup before it was infected. Be sure to repeat step 6 that all your code running (plugins and themes) to ensure you’re running on the latest version.
All of our WordPress Maintenance Plans include secure automated cloud backups, to ensure that there is always a backup available. If you have any questions do not hesitate to contact us, or leave a comment below.
If you’re interested in knowing more, here is an article to improve security for your WordPress site.