
How to fix/restore a hacked WordPress site step by step?


How to repair hacked CMS sites like WordPress, Joomla and Drupal easily.

Hi friends, many of us are familiar with WordPress site hacks. Every day many CMS sites are hacked for various reasons. How do you restore a hacked WordPress site? How do you fix a hacked, broken WordPress site? In my previous post I mentioned some possible reasons for a WordPress site hack; you may read that post from here. So today I will describe the repair or restore process for a hacked WordPress site, that is, the step-by-step process of restoring it. I will also cover identifying the reason for the hack, which files are infected, and how to remove those infected files. Generally, a hacker has one of a few common intentions when hacking your site.

Hackers’ intentions for hacking websites.

#1. Hack your site, deface it and submit the URL to zone-h for ranking.

#2. Hack your site just for mental satisfaction.

#3. By hacking your site he/she may redirect traffic from your site to another site and earn more revenue.

#4. Inject malware into your site without any defacement, and then steal online transactions.

#5. Hijack your good SEO rank to make his site popular in search engine results.

#6. Redirect search engine URLs to his own site while showing your site’s meta tags and description.

#7. Inject Japanese or Chinese keywords into your site’s URLs to get traffic.

#8. There are many other reasons that depend on the hacker’s mentality.

How can you tell whether your website has been hacked?

There are various symptoms of a hacked site. I will list some ways of identifying one.

#1. If the hacker changes the index page, i.e. defaces your site, you can easily tell that your site has been hacked.

#2. If you search on Google and see the text “This site may be hacked”, or if you get a message from Google security (only possible when Google Search Console is integrated).

#3. If you see a redirection from the search result, or unwanted popups on your site.

#4. When the search result shows unwanted keywords in the title and meta description.

#5. Use Google search operators like “site:booleandreams.com” and review the results on Google.

#6. If you find any unwanted users in your Google Search Console account.

#7. If your WordPress site’s core files are modified, or any unwanted file or folder has been added to or uploaded to your site.

#8. If there is any tampered or modified text, or links on your site that were not added by you.

#9. Any suspicious code in your .htaccess file.

#10. Many unwanted or unrecognized FTP accounts in cPanel.

#11. A clone of your site in your hosting that was not cloned by you.

“This site may be hacked” warning in Google search results.

Hacking deface page.

Website hacking popup.

Japanese keyword hack.

Here are some other examples of hacking symptoms I found during my work with clients.

I found this injected code in .htaccess:

[php]
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*hacker-site.com
RewriteRule ^(.*)$ http://hereisthehackers.com/lead [R=301,L]
[/php]
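As an added example (my own code, not from this post), here is a small Python scanner for the kind of injected .htaccess rules shown above. It flags RewriteRule, Redirect and RedirectMatch targets whose host is not your own site, and RewriteCond lines that test the referer or user agent, which a stock WordPress .htaccess never does. The sample .htaccess (stock WordPress block plus the injected rules quoted above), the site hostname booleandreams.com from the site: search example earlier in this post, and the set of checked directives are my assumptions.

```python
from urllib.parse import urlparse

# Constructed sample: the stock WordPress block followed by the injected rules
# quoted above (hacker-site.com / hereisthehackers.com are the page's own
# placeholder hostnames).
SAMPLE_HTACCESS = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*hacker-site.com
RewriteRule ^(.*)$ http://hereisthehackers.com/lead [R=301,L]
"""

# Request variables a legitimate WordPress .htaccess never conditions on;
# injected redirects key off them to single out search-engine visitors.
CLOAKING_VARS = {"%{HTTP_REFERER}", "%{HTTP_USER_AGENT}"}


def find_suspicious_rules(text, site_host):
    """Return (line_no, reason, line) for directives that look injected.

    Flags RewriteRule / Redirect / RedirectMatch targets whose host is not
    site_host, and RewriteCond lines that test the referer or user agent.
    Comment and blank lines are skipped.
    """
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive in ("rewriterule", "redirectmatch") and len(parts) >= 3:
            target = parts[2]
        elif directive == "redirect" and len(parts) >= 2:
            target = parts[-1]  # Redirect [status] path URL
        elif directive == "rewritecond" and len(parts) >= 3:
            if parts[1].upper() in CLOAKING_VARS:
                findings.append((no, f"condition on {parts[1]}", line))
            continue
        else:
            continue
        # Relative targets ("-", "/index.php") have no host and are fine.
        host = urlparse(target).hostname
        if host and host.lower() != site_host.lower():
            findings.append((no, f"redirect to external host {host}", line))
    return findings


if __name__ == "__main__":
    for no, reason, line in find_suspicious_rules(SAMPLE_HTACCESS, "booleandreams.com"):
        print(f"line {no}: {reason}: {line}")
```

Run it against the site's real .htaccess after downloading the file; anything it reports should be compared with the standard WordPress block before you empty the file in step 21.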

I also found unwanted folders with randomly generated names in the directory after the hack, like the image below.

Unwanted random folder in the directory after the hack.

Here I also found some unwanted randomly generated, and also readable, PHP files in the directory after the site was hacked. The screenshot is given below.

Randomly generated PHP file after the hack.

Below is a code snippet uncovered from one of those files. Have a look.
[php]
******************************************************************
This file is used by the Wordfence Web Application Firewall. Read
more at https://docs.wordfence.com/en/Web_Application_Firewall_FAQ
******************************************************************
a:34:{s:9:"wafStatus";s:13:"learning-mode";s:30:"learningModeGracePeriodEnabled";i:1;s:7:"authKey";s:64:"1E)30MDdGN*wP*be!CDR6TrLYy_3h9<O{RCX,ti^]+mliy_KE=c>,`<N9fw}J#Bb";s:4:"cron";a:3:{i:0;O:24:"wfWAFCronFetchRulesEvent":1:{s:11:"
[/php]

The above code is encrypted; you have to decode it to see the full readable code. This may also happen in the plugins or uploads directory. Everything depends on the hacker’s mentality.

Here is the process of cleaning a hacked WordPress site step by step.

The cleaning-up process is not so difficult, but also not so easy; it depends on the type of hack. Before starting, let’s make one thing clear. WordPress is a CMS and comes with a lot of files. There are mainly three folders in its root directory, wp-admin, wp-includes and wp-content, plus some PHP files in the root directory, as in the image below.

Fresh WordPress directory list.

So, three folders plus some PHP files called index.php, wp-activate.php, wp-blog-header.php, wp-comments-post.php, wp-config.php, wp-cron.php, wp-links-opml.php, wp-load.php, wp-login.php, wp-mail.php, wp-settings.php, wp-signup.php, wp-trackback.php and xmlrpc.php.

We never need to touch any file or folder except the wp-content folder and the wp-config.php file. All the other files and folders are WordPress core files; in other words, everything except the wp-content folder is known as WordPress core.
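To make the core-versus-wp-content distinction concrete, here is an added Python example (my code, not the author’s) that hashes every file in a fresh WordPress download and in the site’s copy, reports core files that differ or that exist only on the site, and lists script files under wp-content/uploads, where only a harmless index.php belongs. It goes beyond the post by comparing every core file by hash rather than looking for oddly named files by eye. The two directory trees, their file contents, the tampering markers and the list of script suffixes are constructed assumptions; on a real site you would point compare_core at the unzipped download and your backup copy.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# File suffixes that web servers commonly execute as PHP (assumption: adjust to
# your host's handler configuration).
SCRIPT_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root):
    """Map each file's path relative to root (forward slashes) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def compare_core(fresh_root, site_root):
    """Compare the site tree against a fresh WordPress download.

    wp-content (site-specific) and wp-config.php (absent from the download)
    are skipped; everything else is core and must match byte for byte.
    Returns (modified, added): core files whose hash differs, and files with
    no counterpart in the fresh download at all.
    """
    fresh = tree_hashes(fresh_root)
    site = tree_hashes(site_root)

    def is_core(rel):
        return not rel.startswith("wp-content/") and rel != "wp-config.php"

    modified = sorted(r for r, h in site.items()
                      if is_core(r) and r in fresh and fresh[r] != h)
    added = sorted(r for r in site if is_core(r) and r not in fresh)
    return modified, added


def scripts_in_uploads(site_root):
    """List script files under wp-content/uploads, relative to uploads.

    The only PHP file that belongs there is a top-level index.php holding
    nothing but an optional bare opening tag and a comment.
    """
    uploads = Path(site_root) / "wp-content" / "uploads"
    found = []
    for p in sorted(uploads.rglob("*")):
        if not p.is_file() or p.suffix.lower() not in SCRIPT_SUFFIXES:
            continue
        rel = p.relative_to(uploads).as_posix()
        if rel == "index.php":
            body = p.read_text(errors="replace").strip()
            if body == "" or re.fullmatch(r"<\?php\s*(//[^\n]*)?", body):
                continue
        found.append(rel)
    return found


def write(root, rel, text):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def demo():
    """Build two constructed trees in temp dirs and run both checks."""
    with tempfile.TemporaryDirectory() as fresh, tempfile.TemporaryDirectory() as site:
        core = {"index.php": "<?php require 'wp-blog-header.php';\n",
                "wp-login.php": "<?php /* stand-in for the real file */\n",
                "wp-includes/version.php": "<?php $wp_version = 'x.y';\n"}
        for rel, text in core.items():
            write(fresh, rel, text)
            write(site, rel, text)
        write(site, "wp-config.php", "<?php define('DB_NAME', 'demo');\n")
        # Tampering markers (constructed): a line appended to a core file,
        # a stray file in wp-admin, and a script dropped next to an image.
        write(site, "wp-login.php", core["wp-login.php"] + "/* injected marker */\n")
        write(site, "wp-admin/zzqx.php", "<?php /* stray file */\n")
        write(site, "wp-content/uploads/index.php", "<?php // Silence is golden.\n")
        write(site, "wp-content/uploads/2020/01/photo.jpg", "not really a jpeg")
        write(site, "wp-content/uploads/2020/01/shell.php", "<?php /* dropped script */\n")
        modified, added = compare_core(fresh, site)
        return modified, added, scripts_in_uploads(site)


if __name__ == "__main__":
    print(demo())
```

Because a modified core file is simply replaced by the fresh copy in steps 3 to 5, the value of this check is in the "added" and "uploads" lists: those are the files a fresh upload does not overwrite and that you must delete by hand.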

#1. Copy all the files of your present website and make a backup.

#2. Identify the hack by file analysis; this is not a mandatory task.

#3. Now remove all files from your server.

#4. Download the latest WordPress files from wordpress.org.

#5. Unzip the downloaded WordPress files, remove the wp-content folder from them, and upload all the remaining files to the hosting. This is also called uploading all the WordPress core files to the hosting.

#6. Now create a directory named wp-content on the hosting server, and then create three subfolders inside it, called themes, uploads, and plugins.

#7. Now upload the clean developed theme of the site from a previous backup; if it is a premium theme like Divi, download the latest Divi theme and upload it to the wp-content/themes directory. Do not upload the theme from the recent backup. If you do not have a previous clean backup, go inside the theme directory (if it is a custom-developed theme) and look for unwanted random folders or files. Then open each file one by one and search for vulnerable code. You must have some knowledge of programming for this. If you are not sure, I will make it clear later.

#8. Now look at the wp-content directory of the latest backup and see what other files and folders are there besides themes, uploads, and plugins. If there are any, look inside those files and folders for malicious code, remove it if found, and then upload them into the wp-content directory.

#9. Now look inside the uploads folder under wp-content in the recent backup. Keep in mind that there should be only one blank PHP file, called index.php, in the uploads directory. Only content like pdf, txt, jpg, jpeg, mp4 (audio, video and similar files) should be in this directory, and no executable code. If you find any, remove it carefully. This is how you clean the uploads directory.

#10. Now upload all files from the uploads directory of the backup (the recent one) into the uploads directory on the hosting server.

#11. Now install the plugins from the dashboard, or look at the list of plugins in the plugins directory of the recent backup, manually download those plugins, unzip them and upload them into the plugins directory on the hosting server. Keep in mind that plugins are the main culprit behind WordPress site hacks. If you have premium plugins, ask your client to provide them or download them from a trusted source. Never upload plugins from the recent backup folders.

#12. Or you can check the list of plugins and install them from the dashboard.

#13. Now look at your cPanel for FTP accounts and MySQL database users. Change the passwords of cPanel, the MySQL user and the FTP users, and delete any unwanted subdomains and FTP accounts.

#14. Now configure the wp-config.php file in the root directory with the changed database user password. You should now see your site when you visit it, with all plugins installed. If the site does not look right, you may need to configure some of your plugins, or the theme you installed may not be compatible with the latest WordPress version, or some of your updated plugins may not support the theme. You have to take care of those; I only mention the possible problems.

#15. Then download the WordPress database in .sql format from the phpMyAdmin feature of your cPanel and open it in the Sublime Text code editor. It has nice highlighting for understanding the SQL statements. Click anywhere in the code, go to the View menu of Sublime Text and click Word Wrap. After that you will be able to see the code within the window without scrolling.

#16. From step 16 onward this is an advanced-level task. You must be familiar with SQL statements, otherwise the site may break. Keep in mind that even a single comma (,) is very important here. If you make a mistake, the site may go down permanently. So please be careful in this step.

#17. Now press Ctrl+F (Command+F if you are a Mac user), search for the keywords below and analyse each hit. The keywords are: base64, base64_decode, eval, script, <script>, </script>, input, input type = hidden, hidden, submit, @ (search for any unwanted email), password, type=submit, system, POST, GET, sitemap, shutdown_action_hook, Register_shutdown_action_hook, eval(base64_decode. If any of those keywords is found, look at that place carefully, and if it is unnecessary, remove it. After that, save the database (as a normal save) and replace the current one on the server from the phpMyAdmin panel.

#18. Now generate a new sitemap and submit it to Google Search Console or any other search engines you use.

#19. Check the app permissions of the email account associated with the Search Console. To do that, go to https://myaccount.google.com/permissions and review the apps. Remove any unwanted app from there. After that, change the password of your Gmail account.

#20. Change the password of your WordPress dashboard.

#21. Empty the .htaccess file and keep only the lines WordPress needs. Search Google for the standard WordPress .htaccess code.

#22. Install security plugins. I showed how to secure the site in my previous post; you may have a look here.
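For the keyword search in step 17, here is an added Python example (my code, not from the post) that walks a .sql dump line by line, tracks which table each INSERT belongs to, and reports every line containing one of the listed keywords together with the table, line number and a snippet. The sample dump, the malicious.example host and the split between case-insensitive and case-sensitive keywords are my assumptions. It only locates rows; the edit and re-import still happen in the editor and phpMyAdmin as described above. Expect false positives on broad words like script, hidden and @, which is why every hit is reviewed by hand.

```python
import re

# Constructed sample dump (not a real export): a clean post, a post with an
# injected <script> tag, and a widget option wrapping an eval() call.
# Backslash-escaped quotes mimic mysqldump output.
SAMPLE_DUMP = r"""
INSERT INTO `wp_posts` (`ID`, `post_content`) VALUES
(1, 'Welcome to my blog. Today we talk about WordPress security.'),
(2, 'Great article<script src=\"http://malicious.example/x.js\"></script>');
INSERT INTO `wp_options` (`option_id`, `option_name`, `option_value`) VALUES
(1, 'siteurl', 'https://booleandreams.com'),
(2, 'widget_text', 'a:1:{i:2;s:40:\"eval(base64_decode(\"...\"));\";}');
"""

# The post's keyword list. Most are matched case-insensitively; POST and GET
# are matched exactly so that column names like post_content do not fire.
KEYWORDS = ["eval(base64_decode", "base64_decode", "base64", "eval", "<script",
            "</script>", "script", "input type = hidden", "type=hidden", "hidden",
            "input", "submit", "type=submit", "system", "shutdown_action_hook",
            "sitemap", "password", "@"]
CASE_SENSITIVE = ["POST", "GET"]

TABLE_RE = re.compile(r"INSERT INTO `([^`]+)`", re.IGNORECASE)


def scan_dump(sql_text):
    """Walk a .sql dump line by line; return one finding per suspicious line.

    Each finding is a dict with the table the line belongs to (from the most
    recent INSERT INTO), the 1-based line number, the keywords that matched
    (in KEYWORDS order, then CASE_SENSITIVE order) and an 80-char snippet.
    """
    findings = []
    table = None
    for no, line in enumerate(sql_text.splitlines(), 1):
        m = TABLE_RE.search(line)
        if m:
            table = m.group(1)
        lower = line.lower()
        hits = [k for k in KEYWORDS if k in lower]
        hits += [k for k in CASE_SENSITIVE if k in line]
        if hits:
            findings.append({"table": table, "line": no, "keywords": hits,
                             "snippet": line.strip()[:80]})
    return findings


def summarize(findings):
    """Group finding line numbers by table for a quick overview."""
    by_table = {}
    for f in findings:
        by_table.setdefault(f["table"], []).append(f["line"])
    return by_table


if __name__ == "__main__":
    for f in scan_dump(SAMPLE_DUMP):
        print(f"{f['table']} line {f['line']}: {', '.join(f['keywords'])}")
        print("    " + f["snippet"])
    print(summarize(scan_dump(SAMPLE_DUMP)))
```

On a real dump the INSERT lines are very long (mysqldump writes many rows per statement), so the snippet is only a locator; open the reported line in the editor with Word Wrap on, as in step 15, to see the whole row.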

Now let’s come to the Chinese or Japanese keyword hack.

If you see unwanted keywords appearing in Google search results for your site, like the Chinese or Japanese keyword hack, then follow the steps below.

#23. After doing all the tasks above, go to the Google Search URL removal tool and request removal of the unwanted URLs you see in your search results.

#24. Go to your Search Console and submit the newly generated sitemap.xml.

#25. Then go to Search Console: https://www.google.com/webmasters/tools/home?hl=en

#26. Click on Search Traffic and then Links To Your Site. Review the backlinks and analyse which are useful and which are bad. Then make a list of the bad URLs and submit them to Google for disavowing.