Learn Marketing Techniques & Strategies From The Experts That Will Leave Your Competition In The Dust

By Zee Ahmed | December 10, 2019

Did you know that 34% of all websites on the web are WordPress sites? Because of this, WP accounts for the majority of hacked websites.

 

WordPress related hacking incidents have been increasing with each passing year, mostly because hackers have easy access to faster, cheaper and better technological facilities.

 

What’s worse? The damage from hacking is costing businesses around $400 billion per year.

 

However, WP also possesses the technological prowess to prevent nearly all of these hacks. That’s why it’s crucial to invest in cyber security to save your business from a breach. At the end of the day, a successful hack has the potential to cost millions of dollars.

 

In this guide, we will talk about:

  • How to detect if your WordPress website has been hacked.
  • Step by step guide to re-establishing your website after a hack (jump to this section if you know your site has already been hacked).
  • Security tips on how to safeguard your WordPress website from future hacks.

 

Signs That Show Your WordPress Instance Has Been Hacked

 

It’s crucial to discover quickly if your WordPress website has been hacked. Knowing what to look for will be essential to detection. Most common indicators are:

 

Sudden Drop in Website Traffic

 

The biggest indicator that your site may be hacked is if your traffic drops suddenly. This is because in many cases hackers often use the htaccess file to redirect your site to another one.

 

Keep an eye on your Google Analytics and Google Console. Of the two, Google Search Console shows more accurate results as compared to Google Analytics during attempts of hacking. Mainly because Google Analytics can be manipulated using different tools.

 

Traffic Drop in Google Analytics Due to Hacking

 

Unusual Activities in Server Logs

 

Server logs maintain the history of activities a server performs. It is often helpful during an investigation.

 

If you’re using cPanel, you can find the server logs in the Visitors section of your cPanel.

 

Server Logs in cPanel to Check Hacking Attempt

 

Different operating systems store access logs at different locations, for example:

  • Red Hat / CentOS Linux: /var/log/httpd/access_log
  • Debian / Ubuntu Linux: /var/log/apache2/access.log
  • FreeBSD Apache: /var/log/httpd-access.log

 

Security Alerts

 

Browser security alerts are often a result of three reasons:

 

  • Expiring SSL.

 

Expiring SSL

  • A website promoting malware injected by hacking.

 

Deceptive Website Ahead Chrome Warning If Site Gets Hacked

 

  • Google notifying you through Google Search Console when it detects your website has been hacked.

 

Website Hacked Google Result Warning

 

If you get any of these alerts, you may lose your traffic from Google, and hurt your brand reputation.

 

Google Search Console’s Alert

 

Google Search Console immediately notifies you if your website gets hacked. It shows which pages have been affected.

 

 

Google Console Website Hacked Alert

 

 

Cloud-Based Malware Scanners

 

Potential vulnerabilities can be found using a variety of tools that thoroughly scan your website, helping you to identify malware. For a quick scan, use Sucuri (as seen below):

 

Online Tool to Scan Your Website for Hacking Purpose

 

That being said, committing to deeper automated scans of your website is critical to early detection of a hack.

 

Many plugins and tools can be used for this purpose.

 

For example:

 

Quttera Web Malware Scanner

 

Quttera Web Malware Scanner

 

After activating this plugin, scan your website internally as well as externally. Here, I scanned my client’s website with an External Scanner, and it showed one suspicious file. We were able to go in there and remove that file without issue.

 

Quttera Web Malware Scanner Report for Malicious Files

 

I did an internal scan as well which yielded no issues or malicious files.

 

WP CMS showing the use of a specific plugin.

 

Anti-Malware Security and Brute-Force Firewall

 

Quttera Web Malware Scanner

 

This one is different from Quttera in that it shows you detailed reports like these:

 

Anti-Malware Security and Brute-Force Firewall WordPress Plugin

 

Wordfence

 

Wordfence Plugin

 

Wordfence goes through and scans each component of your website systematically.

 

Wordfence Plugin Report for Hack

 

Sucuri Plugin

 

Sucuri Security WordPress Plugin

 

The Sucuri plugin is the next level scanner. It checks your site in many famous blacklisted databases and highlights infected files as well.

 

Sucuri Security Report

 

Apart from these, there are many online tools if you want to run a quick check on your website.

 

Virustotal

 

Virus Total Report

 

It scans your website using more than a hundred antivirus programs.

 

Sitecheck by Sucuri

 

Online Tool to Scan Your Website for Hacking Purpose

 

Cloaked Link Checker by WebConf

 

Cloaked Link Checker

 

WebConfs’ scanner is a very useful tool that looks for cloaking on your website. Hackers often show one webpage to real users and another to search engine crawlers (this is called cloaking).

 

Blacklists

 

Whenever a website gets hacked, various platform security algorithms blacklist the site in an attempt to quarantine it to save innocent users.

 

Check your site using Google’s Transparency Report. If your site makes it to that list it’s surefire proof that your site has been hacked (and you will stop receiving traffic from Google almost immediately).

 

 Google's Transparency Report

 

 

Another platform (called SiteGuarding) checks your site on more than a hundred blacklists.

 

SiteGuarding Report

 

Searching Google’s Index

 

Search your site on Google using the “site” search engine operator. It looks something like this:

 

Search Google's Index for Potential Hacked Pages

 

If you see any titles in a language other than your website’s native language it means your site has been hacked.

 

Google Hacked Pages

 

Scanning PHP Functions

 

Viruses typically attack scripts using the following PHP functions:

  • Base64_decode
  • Rot13
  • Eval
  • Strrev
  • Gzinflate

 

The functions may look similar to the code:

 

$O_O0O_O0_0=urldecode(“%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70 %78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A”); $OO0_0OO0__=$O_O0O_O0_0{26}.$O_O0O_O0_0{6}.$O_O0O_O0_0{10}.$O_O0O_O0_0{30}

 

To find the infected PHP functions, you need PHP knowledge. If you don’t have that, you can always find the infected PHP functions by searching your website’s sitemap for unknown URLs. Hackers typically optimize the sitemap in order to have hacked pages get indexed faster (so that it can infect more users through search engines). So if you find unknown URLs, you can be sure your site has been hacked.

 

Spider Your Website

 

Now you need to crawl your website using a software that crawls like Google Bots, to detect any harmful pages that the hacker might have created.

 

Such tools will scrutinize your sitemap, and any additional pages that your site has generated. You can delete the infected pages immediately.

 

I’d recommend you use Deepcrawl and Screaming Frog.

 

DeepCrawl Report

 

Deepcrawl provides a 14-day free trial without having to put in credit card details, enough time to look for potential threats on your site.

 

Once the crawl is completed, go to HTTP & HTTPS section and click pages. It’ll show all the pages.

 

You need to look for the title and URL. If you see anything that’s off, you can be sure it’s a hack.

 

Steps to Fix a Hacked WordPress Blog

 

If your WP website has been hacked Do Not Panic! You may end up making hasty decisions which could put your site in an even worse position than before.

 

Activate Maintenance Mode

 

Take a deep breath, and put your site in active maintenance mode. This will save your brand reputation and prevent the deindexing of your site from Google.

 

It’ll show your visitors a friendly message instead of a hacked page. Moreover, your search engine ranking will not be affected.

 

Use a plugin to show your visitors maintenance mode, I recommend Maintenance Mode by SeedProd; it is trusted by a million users.

 

Simply install the plugin and go to Settings. Upload your logo, write headlines and the message you want your visitors to see.

 

 Maintenance Mode by SeedProd

 

It will show a message similar to the one below.

 

Xoobo Coming Soon Page

 

If you’re unable to log into WordPress simply create the maintenance message using cPanel. Go to File Manager, find htaccess file. If you have only one domain in your hosting account, then it’s probably in the public_html folder.

 

htaccess cPanel Location

 

Click the file, and edit it.

 

Edit htaccess file in cPanel

 

Copy the whole text written inside of htaccess, and save it somewhere safe. Once that is done, delete the text written there, and replace it with this:

 

RewriteEngine On

RewriteBase /

RewriteCond %{REMOTE_ADDR} !^123\.456\.789\.123

RewriteCond %{REQUEST_URI} !^/maintenance\.html$

RewriteRule ^(.*)$ https://example.com/maintenance.html [R=307,L]

 

Note: Make sure you replace example.com with your domain name. This htaccess will redirect all your blog’s pages to maintenance.html.

 

But wait, you don’t have the maintenance.html file, right?

 

You can search different maintenance HTML templates online. Just make sure the file name is maintenance.html, otherwise it won’t work.

 

Once downloaded, upload the file to the root directory of your website using the cPanel File Manager.

 

maintenance.html file location

 

Once that is done it will automatically redirect your website to the maintenance.html page just like this:

 

maintenance screenshot

 

Want to edit the template? Go to W3 schools to edit this template. Don’t forget to click Run.

 

W3 schools editor

 

After you’ve edited it, save it in the maintenance.html file.

 

Note: Most hackers also infect htaccess file to redirect your site to another page.

 

Regular Backups

 

This is more of a preventative measure, but regularly backing up your website can save you all the headache that comes with a hack as you can simply roll the site back to an earlier date before the hack occurred. Additionally, backups can save your site in case something else goes wrong, like rogue plugins or any other misconfiguration or overload.

 

Backups can be created in two ways, via the cPanel or plugins.

 

Here’s how you can do it using cPanel.

 

Go to cPanel. Find WordPress under 1 Click App Installer. It may be located in a different location depending on your hosting.

 

1 Click App Installer

 

Click the Backup Icon; it will create a backup of your entire site.

 

Wordpress Backup Icon in cPanel

 

Want to retrieve it? Click the Download icon, and then press the Upload icon.

 

Restore the WordPress Backup from cPanel

 

Additionally, you can use different plugins to create, update and store backups regularly, such as the All in One Migration and Updraft.

 

Backup

 

Here is how Updraft’s plugin works.

 

Install the plugin and select the Backup Now option.

 

It will then ask which files should be included in the backup.

 

Backup Options

 

When you’re done, you can Restore it easily.

 

Restore Backup in WordPress

 

Reset Your Passwords

 

It seems quite obvious, but so many people rarely change their passwords. In the case of a hack event you must change the passwords for the following accounts:

 

  • Hosting.
  • Domain registry.
  • All WordPress users.
  • All associated email accounts.

 

If the same password is being used for any other service, don’t forget to change it there too.

 

Use the Owned Passwords tool to see if your password has been compromised. For example, if you enter “123456”, it shows this password has been used more than 23 million times.

 

Password Pwned

 

I recommend using Lastpass, or any other password manager that can create a strong password. I’ve been using this tool for 4 years, and have saved passwords of more than 900 sites.

 

You can use Lastpass to generate powerful passwords that a supercomputer would take years to decode through a brute-force attack.

 

Lasspass Strong Password

 

Remove Suspicious Users

 

Hackers create users to make changes on your website. Look at your user section to see any suspicious user.

 

Remove Suspicious Users

 

Remove Unknown Files

 

This is one of the least talked about hacks on the web. Hackers change the scripts on your site and no antivirus has the feature to compare the modified files with the original ones.

 

Scooter Software’s Beyond Compare program can identify those changes that hackers have made to your files. This is done by comparing the modified versions of the files with the versions that existed when your website was working.

 

It shows all the changes applied to scripts (line by line), and in a folder.

 

Beyond Compare to See Hacked Modified Files

 

But first you need to download the original plugins, themes, and core files of WordPress in order to do the compare.

 

Download the latest WordPress, and unzip it.

 

Wordpress Download

 

Then download the WordPress folder of your website from cPanel or FTP.

 

After that, you can compare the files. They might show up color-coded. Red means it has been modified.

 

Line by Line Hacked File Comparison

 

In addition to that, you can compare your files in a folder.

 

Folder by Hacked Comparison

 

Files shown in purple are the new files. Have your dev delete the purple files.

 

Remove Unknown Code

 

Hackers usually infect the scripts of files with the functions listed below:

  • base64
  • str_rot13
  • gzuncompress
  • eval
  • exec
  • system
  • assert
  • stripslashes
  • preg_replace (with /e/)
  • move_uploaded_file

 

PHP knowledge is a prerequisite to being able to locate a detrimental string.

 

If you want to find those functions you have to install a plugin called String Locator.

 

String Locator

 

Write the functions I just in the bulleted list above.

 

String Locator Searching

 

When you click on the file, it takes you to the exact line.

 

String Locator Code Editor

 

Once identified, you can have your dev remove that line of code.

 

Reinstall WordPress Core

 

If the damage is widespread and deep, you may need to reinstall the WordPress core files. The important part is doing this without affecting:

  • Themes.
  • Plugins.
  • Content.

 

Be sure to have your dev do this for you as a reinstall can sometimes “break” your site if some plugins don’t play nice with the new core. This typically requires a quick patch (which is minor work for a dev).

 

Go to Dashboard>Updates. Click Reinstall Now.

 

Reinstall WordPress Core

 

Reinstall htaccess File

 

One possible hack is that your htaccess file has been manipulated. In this scenario you need to delete the htaccess file and replace it with the default htaccess that you can download from here.

 

It looks like this:

 

Once you’ve done that reinstall the core files of WordPress as well as your themes and plugins.

Reinstall htaccess File

Delete Unknown URLs

 

Remember when we talked about using your website’s sitemap (and crawling your site with a spider) to identify unknown URLs?

 

Copy the unknown URLs that hackers have created and remove them from your website (leave them as 404’d since any sort of redirection will carry associated negativity back to your main pages).

 

Resubmit Your Sitemap to Google

 

Once you’ve completed the above mentioned steps (as well as removed the infected files and pages) you need to remove the sitemap from Google Search Console.

 

Resubmit Your Sitemap to Google

 

After that, you must resubmit it again.

 

Resubmit Sitemap

 

Remove Other Language Pages from Google Results

 

You need to make a list of the pages shown in Google results that you want to remove.

 

Go to https://www.google.com/webmasters/tools/url-removal to remove suspicious URLs.

 

Google Console Remove URL from Google Results

 

It’ll remove the search results from Google’s index immediately.

 

 Request a Review in Google’s Search Console

 

You’ve submitted the sitemap? Now you have to request a review from Google via the Search Console. Once submitted, you’ll have to wait for a response from Google.

 

Google Console Website Hacked Alert

 

If Google tells you that your site is still hacked, you need to investigate the issue more deeply. If not, it’s all clear. Congratulations!

 

Security Tips to Protect Your Website from being Hacked

 

There’s a lot you can do to protect your website, and make it less vulnerable to attacks.

 

Secure Hosting

 

People rush in to buy cheap hosting which often ends up being hacked sooner or later. Cheap hosting is one of the top reasons WP sites get hacked.

 

At the end of the day, most hacking attempts are directed at websites that are typically poorly constructed or use cheap hosting services.

 

Such websites can be easily tracked with reverse engineering. There are softwares like Hacked Target that can trace back every website that uses the same type of hosting to hack similar websites.

 

Reverse IP Lookup Tool

 

Having reliable and secure hosting will eliminate half the potential for your site to get hacked. I personally recommend AWS. Not only do they have the most secure and up to date environments, but they utilize a CDN which helps with page load speed (a key element to on-page SEO).

 

Updated Plugins and Themes

 

According to another research study, vulnerable plugins are the number one reason for hacks. It seems obvious, yet people often neglect updating their plugins and themes, which results in their blogs getting hacked.

 

Plugins are the main cause of WordPress hacks

 

Having the most up to date plugins help avoid vulnerabilities and bugs which makes it harder for a hacker to attack or penetrate your site.

 

Worried an update will mess up your site? Always create a backup before updating, and always have your dev do the update.

 

Additionally, nulled themes (i.e. bootleg themes) and plugins allow hacking. Beware when you take help from a freelancer. He may get a nulled theme that might put your site at risk in the future.

 

Regular Backups

 

As I mentioned earlier in the article, create frequent backups of your website (preferably every day). If it gets hacked it will only takes a few minutes to recover your site.

 

Use Two-Factor Authentication (2FA)

 

When you use 2FA, even the hacker that steals your credentials can’t sign in until you provide a specific code.

 

Install Google Authenticator by MiniOrange.

Google Authenticator by MiniOrange

 

You need to configure Google Authenticator by installing the app on your smartphone first and connecting it with your blog.

 

Google Authenticator

 

Activity Logs

 

As mentioned earlier, activity logs are a helpful way to investigate potential issues as every activity is recorded.

 

Install WP Security Audit Log to view all activities that take place on your blog.

 

WP Security Audit Log

 

Once activated, click Audit Log. It’ll show every activity, even the smallest one that took place on your WordPress blog.

 

Audit Log WordPress

 

 

Final Words

 

As WordPress websites continue to take dominant market share on the web, hackers will always be inclined to target them. However, one can easily prevent hacks, as well as fix their sites after a hacking event.

 

Here is a summary of steps you should take to remove malware from your hacked WordPress:

  • Activate maintenance mode.
  • Create a backup.
  • Reset all passwords.
  • Remove suspicious users.
  • Remove unknown files.
  • Remove unknown code.
  • Reinstall WP core.
  • Reinstall htaccess file.
  • Delete unknown URLs.
  • Resubmit sitemap to Google.
  • Remove other language pages from Google results.
  • Request a manual review of your website by Google.

 

Do you have an interesting WordPress hacking story? Tell us about it in the comments section below!

Zee Ahmed

Zee Ahmed

Zee is Chief Executive Officer at Xoobo, a digital marketing agency that is on the bleeding edge of the industry. Ratcheting up what it means to be a marketing agency in today’s age, Xoobo’s goal is to bring clarity to the digital marketing space, empower businesses with the expertise and world-class services they need to grow, and foster long-lasting relationships with its client partners.

4
Leave a Reply

avatar
2 Comment threads
2 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
3 Comment authors
Zee AhmedRajesh Sawantalex smoulders Recent comment authors
  Subscribe  
newest oldest most voted
Notify of
alex smoulders
Guest
alex smoulders

Hey Zee, thanks for sharing this very informative and detailed post regarding hack attacks on wordpress websites. I am totally implementing this tips you have said right away.

Rajesh Sawant
Guest
Rajesh Sawant

You have covered so much about website designing and I have very happy to come across this post of yours I really liked and also enjoyed reading your article. It’s a great guide for me as being a fresher I cannot learn so much from somewhere else because the information you have shared I am sure following these guidelines will help bring a beautiful output thank you so much for sharing this article.

Related Posts

Subscribe to our blog
to get the latest content

Generate More Traffic, Leads, Sales and Revenue with Xoobo’s Professional Marketing Services