Have you really been hacked?
If you suspect you have been hacked, first make sure that you HAVE actually been hacked. We sometimes get panicked site administrators contacting us thinking they’ve been hacked when their site is just misbehaving or they are seeing spammy comments and can’t tell the difference between that and a hack.
Your site has been hacked if:
- You are seeing spam appearing in your site header or footer that contains adverts for things like pornography, drugs, illegal services etc. Often it will be injected into your page content without any thought for presentation, so it might appear as dark text on a dark background and not be very visible to human eyes (but the search engines can see it)
- You do a site:example.com (replace example.com with your site) search on Google and you see pages or content that you don’t recognize and that looks malicious.
- You receive reports from your users that they are being redirected to a malicious or spammy website. Pay special attention to these because many hacks will detect that you are the site administrator and not show you anything spammy but will only show spam to your visitors or to the search engine crawlers.
- You receive a report from your hosting provider that your website is doing something malicious or spammy. For example, if your host tells you that they are getting reports of spam email that contains a link to your website, this may mean you have been hacked. What the hackers are doing in this case is sending spam from somewhere and using your website as a link to redirect people to a website they own. They do this because including a link to your website will avoid spam filters while including a link to their own website will get caught in spam filters.
- Wordfence detects many of these problems and a lot that I haven’t mentioned here, so pay attention to our alerts and respond accordingly.
Back up your site right now. Here’s why:
Once you’ve ascertained that you’ve been hacked, back up your site immediately. Use FTP, your hosting provider’s backup system or a backup plugin to download a copy of your entire website. The reason you need to do this is because many hosting providers will immediately delete your entire site if you report that it has been hacked or if they detect this. Sounds crazy, but this is standard procedure in some cases to prevent other systems on their network from getting infected.
Make sure you also back up your website database. Backing up your files and database should be your first priority. Get this done, then you can safely move on to the next step of cleaning your site comfortable with the knowledge that at least you have a copy of your hacked site and you won’t lose everything.
Things you should know before cleaning a WordPress site that has been hacked:
Here are the rules of the road when cleaning your site:
- You can usually delete anything in the wp-content/plugins/ directory and you won’t lose data or break your site. The reason is because these are plugin files that you can reinstall and WordPress will automatically detect if you’ve deleted a plugin and will disable it. Just make sure to delete entire directories in wp-content/plugins and not just individual files.
- You usually only have one theme directory that is used for your site in the wp-content/themes directory. If you know which one this is you can delete all other theme directories. Beware if you have a “child theme” you may be using two directories in wp-content/themes – although this is rare.
- The wp-admin and wp-includes directories very rarely have new files added to them. So if you find anything new in those directories it has a high probability of being malicious.
- Watch out for old WordPress installations and backups. We often see sites infected where someone says “But I kept my site up-to-date and had a security plugin installed so why did I get hacked”. What sometimes happens is you or a developer will back-up a copy of all your site files into a subdirectory like ‘old/’ that is accessible from the web. This backup is not maintained and even though your main site is secure, a hacker can get in there, infect it and access your main site from the backdoor they planted. So never leave old WordPress installations lying around and if you do get hacked, check those first because it’s likely they are full of malware.